AZ-104 Microsoft Practice Test Questions and Exam Dumps
Question No 1:
Your company operates multiple departments, each utilizing several virtual machines (VMs) to support their specific workloads.
Currently, all the VMs are deployed within a single Azure subscription and are organized under a single resource group named RG1.
As part of a new initiative to improve cost tracking, resource management, and reporting, you need a method to associate each VM with its respective department without significantly changing the existing structure of RG1.
Which solution should you implement to efficiently link each VM to its corresponding department while maintaining the current resource group structure?
A. Create Azure Management Groups for each department.
B. Create a separate resource group for each department.
C. Assign tags to each virtual machine.
D. Modify the settings of each virtual machine.
In this scenario, the best and most efficient approach is to assign tags to the virtual machines.
Tags in Azure are metadata elements that consist of key-value pairs. They allow you to logically organize resources without moving them into different resource groups or subscriptions. For example, you could create a tag named Department with values like Finance, HR, or IT to represent each department.
Using tags provides multiple benefits:
Cost Management: Azure Cost Management can group and analyze resource costs based on tags, helping departments track spending easily.
Resource Organization: Tags allow you to categorize and find resources quickly without restructuring your environment.
Automation and Policy Enforcement: Tags can be used with Azure Policies to enforce rules based on departmental needs.
No Downtime: Applying tags does not require stopping or redeploying VMs.
Why not the other options?
A. Azure Management Groups are used for governance across subscriptions, not individual resource categorization.
B. Creating new resource groups would require moving VMs, which could disrupt operations and is unnecessary for simple categorization.
D. Modifying VM settings could involve risky configuration changes and wouldn't directly help with departmental identification.
Thus, tagging is the simplest, safest, and most scalable solution for associating each VM with a department while keeping all VMs inside the existing resource group (RG1).
Question No 2:
Your company has an active Azure Active Directory (Azure AD) subscription.
As part of enhancing security measures, you are tasked with implementing an Azure AD Conditional Access policy. The goal of the policy is to ensure that members of the Global Administrators group must:
Use Multi-Factor Authentication (MFA), and
Connect using an Azure AD-joined device,
whenever they attempt to access Azure AD from untrusted locations (e.g., public networks).
To meet this requirement, you navigate to the Multi-Factor Authentication (MFA) page within Azure AD and modify the user settings for the Global Administrators.
Does this solution fulfill the stated objective?
A. Yes
B. No
The provided solution does not meet the stated goal.
Here's why:
While navigating to the Multi-Factor Authentication page and modifying user settings allows you to enforce MFA at a basic user level, it does not enable you to configure comprehensive Conditional Access policies.
Conditional Access is a policy-based approach in Azure AD that evaluates multiple conditions (like user role, device compliance, location, etc.) and applies access controls such as requiring MFA or device requirements.
To achieve the goal — enforcing MFA and ensuring an Azure AD-joined device when accessing from untrusted locations — you must create and configure a Conditional Access policy in the Conditional Access blade within Azure AD, not merely adjust user MFA settings.
Specifically, you would:
Define the Global Administrators group as the target.
Set location conditions to specify "untrusted locations."
Require MFA and compliant or Azure AD-joined devices as access controls.
Thus, modifying MFA user settings alone cannot apply location-based or device-based conditions. It also lacks the fine-grained control that Conditional Access policies provide.
Summary:
MFA page: Only basic per-user MFA enforcement; no Conditional Access logic.
Conditional Access policies: Full conditional logic based on roles, location, device compliance, and more.
Therefore, the solution described does not satisfy the requirement.
Question No 3:
Your company maintains an Azure Active Directory (Azure AD) subscription.
You are assigned the task of improving the security posture for administrative accounts by implementing a Conditional Access policy within Azure AD.
The specific requirement is to create a policy that enforces the following when Global Administrators attempt to access Azure AD from untrusted locations:
Require Multi-Factor Authentication (MFA), and
Ensure access is only allowed from an Azure AD-joined device.
As part of your approach, you access the Azure portal and modify the session control settings of an Azure AD Conditional Access policy.
Does this solution meet the stated requirement?
A. Yes
B. No
The solution provided does not meet the requirement.
Session controls in a Conditional Access policy mainly focus on controlling session behavior after access is granted. Examples include:
Enforcing sign-in frequency (how often authentication is required),
Limiting user experiences (like requiring read-only access),
Applying continuous access evaluation (re-evaluating conditions during a session).
However, session controls do not define access requirements at the sign-in point, such as:
Requiring a device to be Azure AD-joined, or
Enforcing Multi-Factor Authentication based on connection location.
To achieve the desired outcome — requiring MFA and ensuring Azure AD-joined devices when connecting from untrusted locations — you must configure "Grant controls" within the Conditional Access policy, not session controls.
Grant controls allow you to:
Require MFA,
Require device compliance or Azure AD join status.
The correct procedure would involve:
Targeting the Global Administrators group.
Setting a location condition to detect untrusted locations.
Using Grant controls to require MFA and Azure AD-joined device compliance.
Thus, merely altering the session controls falls short of enforcing the initial access requirements, making the solution inadequate.
Question No 4:
Your company manages an Azure Active Directory (Azure AD) subscription.
You have been tasked with strengthening the security for privileged accounts by implementing a Conditional Access policy in Azure AD.
The specific requirement is that members of the Global Administrators group must:
Use Multi-Factor Authentication (MFA), and
Access Azure AD only from an Azure AD-joined device,
whenever they attempt to sign in from untrusted locations (such as public Wi-Fi or unknown IP addresses).
To implement this, you navigate to the Azure portal and modify the Grant controls of an Azure AD Conditional Access policy.
Does this solution meet the stated objective?
A. Yes
B. No
The solution described does meet the requirement.
Here’s why:
Grant controls within an Azure AD Conditional Access policy are used to define the conditions that must be satisfied before access is granted.
By modifying the Grant controls, you can enforce:
Multi-Factor Authentication (MFA), and
Device compliance requirements, such as allowing access only from Azure AD-joined devices.
To meet the security goal for the Global Administrators group, you would configure the Conditional Access policy as follows:
Select Users: Target the Global Administrators group.
Set Conditions: Define the location condition to specify untrusted locations.
Configure Grant Controls:
Require the user to perform Multi-Factor Authentication.
Require the device to be marked as compliant or Azure AD-joined.
By applying these controls, you ensure that only trusted, managed devices and properly authenticated users can access Azure AD resources from potentially insecure locations.
Important note:
Grant controls directly impact whether access is permitted based on the enforced conditions. They are different from Session controls, which manage the behavior after access is granted.
Summary:
Grant controls = enforce security requirements (MFA, device join).
The solution described correctly uses grant controls = Goal achieved.
Thus, the correct answer is Yes.
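The policy described in Questions 2 to 4, written out as a Microsoft Graph conditionalAccessPolicy request body, with a coarse check that separates it from the session-control-only attempt in Question 3. This is an added example, not part of the original question set; the group object ID is a placeholder, and the policy is targeted at a group because that is how the questions phrase it.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). The bodies below follow the
# Graph schema used by POST /identity/conditionalAccess/policies.
# "domainJoinedDevice" is the Graph name of the join-state grant control
# (hybrid joined device in the portal); "compliantDevice" is the
# "marked as compliant" grant. State is report-only so the effect can be
# reviewed in sign-in logs before the policy is enforced.

# ca_policy_json GROUP_ID: Question 4 policy (users + location + grant controls).
ca_policy_json() {
  cat <<EOF
{
  "displayName": "Global Admins - MFA and joined device off trusted networks",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "applications": { "includeApplications": ["All"] },
    "users": { "includeGroups": ["$1"] },
    "locations": { "includeLocations": ["All"], "excludeLocations": ["AllTrusted"] }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "domainJoinedDevice"]
  }
}
EOF
}

# Constructed sample of the Question 3 attempt: a session control only.
session_only_policy_json() {
  cat <<EOF
{
  "displayName": "Global Admins - session control only",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeGroups": ["$1"] },
    "locations": { "includeLocations": ["All"], "excludeLocations": ["AllTrusted"] }
  },
  "sessionControls": {
    "signInFrequency": { "isEnabled": true, "type": "hours", "value": 1 }
  }
}
EOF
}

# policy_gaps FILE: print the requirements the body lacks (empty = none).
# Pattern match on flattened JSON; adequate for bodies laid out as above.
policy_gaps() {
  local flat gaps=""
  flat=$(tr -d '\n' < "$1")
  echo "$flat" | grep -q '"excludeLocations"[^]]*"AllTrusted"' || gaps="$gaps location"
  echo "$flat" | grep -q '"builtInControls"[^]]*"mfa"' || gaps="$gaps mfa"
  echo "$flat" | grep -Eq '"builtInControls"[^]]*"(domainJoinedDevice|compliantDevice)"' || gaps="$gaps device"
  echo "${gaps# }"
}

work=$(mktemp -d)
ca_policy_json "00000000-0000-0000-0000-000000000000" > "$work/grant.json"
session_only_policy_json "00000000-0000-0000-0000-000000000000" > "$work/session.json"
echo "grant policy gaps:   [$(policy_gaps "$work/grant.json")]"
echo "session policy gaps: [$(policy_gaps "$work/session.json")]"
rm -rf "$work"
```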
Question No 5:
You are preparing to deploy a new Ubuntu Server virtual machine (VM) into your company's Azure subscription.
As part of the deployment, you must implement a customized configuration that includes installing a specific trusted root Certification Authority (CA) into the Ubuntu system during provisioning.
You want a method that supports custom setup scripts or configuration injection during the creation of the virtual machine, minimizing the need for manual post-deployment steps.
Which of the following options should you use to create the VM and meet these deployment requirements?
Options:
A. Use the New-AzureRmVm cmdlet.
B. Use the New-AzVM cmdlet.
C. Use the Create-AzVM cmdlet.
D. Use the az vm create command.
The best choice for this scenario is the az vm create command, which is part of the Azure CLI toolset.
Here’s why:
When deploying Linux VMs such as Ubuntu in Azure, customization at the time of creation is often required. Azure supports cloud-init, a standard for initializing Linux systems.
The az vm create command allows you to attach a cloud-init configuration file or provide custom initialization scripts using the --custom-data parameter. This is exactly what you need to:
Automatically install certificates,
Configure system settings,
Install software, and
Modify system behaviors during the VM’s initial boot.
Using cloud-init with az vm create, you can easily add your trusted root CA without needing any manual configuration after the VM is deployed.
Why not the other options?
A. New-AzureRmVm: Belongs to the deprecated AzureRM module and is not recommended for use.
B. New-AzVM: Although it is part of the newer Az module for PowerShell, using it for cloud-init and custom Linux configurations is more complex compared to Azure CLI.
C. Create-AzVM: This cmdlet does not exist; it’s an incorrect option.
Thus, az vm create is the most appropriate, efficient, and modern method for performing a custom Ubuntu Server deployment that requires additional configuration like importing a trusted CA certificate.
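A sketch of the deployment described above: a cloud-init file that installs the root CA at first boot, passed to az vm create through --custom-data. This is an added example, not part of the original question set; the VM name vm-ubuntu01, the admin user name, the image alias and the file names are assumptions, and RG1 is reused from Question 1 purely as a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original page).
# Usage: ./deploy.sh --deploy corp-root-ca.pem   (file name is a placeholder)

# make_cloud_init CA_PEM OUT
# Writes a #cloud-config document whose ca_certs module adds the PEM
# certificate to the system trust store on first boot. Older cloud-init
# releases spell the key "ca-certs".
make_cloud_init() {
  local ca_pem="$1" out="$2"
  # Refuse anything that is not a PEM certificate, so a wrong file is
  # caught here rather than silently ignored inside the VM.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_pem" || {
    echo "not a PEM certificate: $ca_pem" >&2
    return 1
  }
  {
    printf '#cloud-config\n'
    printf 'ca_certs:\n  trusted:\n    - |\n'
    # Indent the PEM body so it sits inside the YAML block scalar.
    sed 's/^/      /' "$ca_pem"
  } > "$out"
}

# Only talk to Azure when explicitly asked to.
if [ "${1:-}" = "--deploy" ]; then
  make_cloud_init "$2" cloud-init.yaml || exit 1
  az vm create \
    --resource-group RG1 \
    --name vm-ubuntu01 \
    --image Ubuntu2204 \
    --admin-username azureuser \
    --generate-ssh-keys \
    --custom-data cloud-init.yaml
fi
```

After first boot, `cloud-init status --long` on the VM shows whether the configuration was applied without errors.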
Question No 6:
Your company currently uses Multi-Factor Authentication (MFA) for employees who are accessing company resources outside of the office.
At present, the Per Authentication usage model is configured, meaning users are prompted for MFA based on access scenarios rather than user status.
Recently, your company acquired a smaller business and integrated their staff into your organization's Azure Active Directory (Azure AD).
Management has now requested that the new employees must also use Multi-Factor Authentication, but instead of relying on authentication events, you are instructed to assign MFA directly per user.
You determine that you need to switch the MFA usage model to Per Enabled User, where MFA is enforced individually for selected users.
Solution Proposed:
You attempt to reconfigure the existing usage model directly through the Azure portal.
Does this solution meet the objective?
A. Yes
B. No
In Azure Active Directory, once you have configured the Multi-Factor Authentication (MFA) usage model (whether Per Authentication or Per Enabled User), you cannot simply switch between usage models through the Azure portal.
The MFA usage model becomes tied to the original setup unless you completely reconfigure your MFA implementation.
To enforce MFA on a per-user basis, you would need to manually enable MFA for each user by navigating to the Azure Active Directory → Users → Multi-Factor Authentication settings page and enabling MFA individually for the newly added employees.
Changing the MFA usage model itself (from Per Authentication to Per Enabled User) is not a configurable toggle in the Azure portal.
This would typically require significant changes or even re-deployment of MFA, especially if Conditional Access policies or legacy per-user MFA settings are involved.
Thus, simply "reconfiguring the existing model" via the portal does not achieve the requirement as described.
Summary:
Switching usage models directly is not possible via portal settings.
Manual per-user MFA configuration is needed for new users.
Therefore, the correct answer is No.
Question No 7:
Your company has an Azure solution in place that requires Multi-Factor Authentication (MFA) for users accessing resources when they are not in the office. Currently, the Per Authentication usage model is set, meaning MFA is triggered only during authentication events rather than being consistently required for each user.
After acquiring a smaller business and integrating their employees into your company’s Azure Active Directory (Azure AD), you are informed that these new employees must also use Multi-Factor Authentication.
To meet this requirement, you must change the MFA usage model to Per Enabled User, where MFA is required for specific users and is no longer triggered by individual authentication events.
Solution:
You decide to reconfigure the existing MFA usage model using the Azure CLI tool.
Does this solution meet the goal?
Options:
A. Yes
B. No
In Azure Active Directory (Azure AD), the Multi-Factor Authentication (MFA) usage model—whether Per Authentication or Per Enabled User—is established when MFA is initially configured. Once set, the usage model cannot be changed simply through administrative commands in the Azure CLI or Azure portal.
The Per Authentication model triggers MFA on a case-by-case basis depending on the authentication attempt. The Per Enabled User model, on the other hand, requires MFA to be enabled for specific users, ensuring that MFA is always enforced for those users, regardless of their authentication context.
However, the Azure CLI does not have the capability to directly alter the MFA usage model itself. Instead, it allows you to manage MFA settings such as enabling MFA for individual users or applying Conditional Access policies, but it cannot switch the MFA usage model between "Per Authentication" and "Per Enabled User."
To meet the goal, you would need to enable MFA individually for each user either manually or through bulk operations using PowerShell scripts or the Azure portal, and not by reconfiguring the usage model through the CLI.
Summary:
The Azure CLI is used to manage MFA assignments and user settings but does not support changing the MFA usage model.
The correct method to meet the requirements is to enable MFA per user rather than changing the usage model.
Thus, the correct answer is B. No.
Question No 8:
Your company has an Azure solution in place that uses Multi-Factor Authentication (MFA) for users who access resources while outside the office. Currently, the Per Authentication usage model is configured, meaning MFA is required only when specific authentication events occur rather than being enforced consistently for every user.
After acquiring a smaller business and adding their employees to your Azure Active Directory (Azure AD), you are told that the new employees should also be required to use Multi-Factor Authentication.
To meet this requirement, the Per Enabled User usage model needs to be set, where MFA is consistently enforced for specific users.
Solution Proposed:
You create a new Multi-Factor Authentication provider and restore the configuration using a backup from the existing MFA provider data.
Does this solution satisfy the goal?
A. Yes
B. No
The proposed solution does not meet the goal.
Here’s why:
Creating a new Multi-Factor Authentication (MFA) provider and restoring data from an existing MFA provider does not address the requirement of changing the MFA usage model from Per Authentication to Per Enabled User. The usage model in Azure AD dictates how MFA is triggered, either on an individual authentication event or on a per-user basis.
The Per Authentication model prompts MFA only when required (e.g., when accessing from untrusted locations or with risky sign-ins), while the Per Enabled User model forces MFA to be enabled for specific users regardless of the authentication context.
The creation of a new MFA provider and restoring backup data does not alter the MFA usage model itself. Instead, it simply transfers the previous MFA configuration to a new provider without modifying how MFA is applied to users. Therefore, the process does not achieve the goal of enforcing Per Enabled User MFA for the new staff.
To achieve the goal, you would need to manually enable MFA for each user, either via the Azure portal, PowerShell, or bulk user operations. This is the only way to ensure that the new employees are consistently required to use MFA, as the usage model needs to be enforced per user, not by altering the MFA provider.
Summary:
Changing the MFA provider does not change the usage model from "Per Authentication" to "Per Enabled User."
The correct solution involves enabling MFA for each user individually.
Thus, the correct answer is B. No.
Question No 9:
Your company’s Azure Active Directory (Azure AD) tenant, named weyland.com, is configured for hybrid coexistence with your on-premises Active Directory domain. The hybrid setup allows synchronization between your on-premises directory and Azure AD. You have a server named DirSync1, which is configured as the DirSync server to manage this synchronization process.
After creating a new user account in the on-premises Active Directory, you need to immediately replicate the user information to Azure AD to make the user available for cloud-based services.
Solution Proposed:
You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet to initiate the synchronization.
Does this solution meet the goal?
A. Yes
B. No
The Start-ADSyncSyncCycle cmdlet is part of the Azure AD Connect tool that is used to synchronize on-premises Active Directory (AD) with Azure AD. This cmdlet allows you to manually trigger a synchronization cycle between the on-premises AD and Azure AD.
The -PolicyType Initial parameter of the cmdlet specifically triggers a full synchronization of all directory objects, including newly created users, ensuring that all information is replicated to Azure AD immediately. This action forces the system to sync all data between the on-premises AD and Azure AD, making the new user account available in Azure AD for use with cloud services.
This solution is particularly useful when you need to replicate changes (like newly created users) immediately, without waiting for the next scheduled synchronization.
There are other types of sync cycles, such as Delta sync, which synchronize only the changes since the last sync. However, the Initial sync (full sync) is the most appropriate when you need to ensure that all changes, including the newly created user, are immediately replicated.
Summary:
The Start-ADSyncSyncCycle -PolicyType Initial cmdlet is the correct way to immediately replicate new user accounts from on-premises AD to Azure AD.
This solution achieves the desired goal of making the new user available in Azure AD immediately.
Thus, the correct answer is A. Yes.
Question No 10:
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com, which is configured for hybrid coexistence with your on-premises Active Directory (AD) domain. The hybrid setup allows synchronization of user accounts and other objects between the on-premises AD and Azure AD.
You have a server named DirSync1, which is configured as the DirSync server to manage the synchronization between the on-premises Active Directory and Azure AD.
After creating a new user account in the on-premises Active Directory, you need to immediately replicate this user information to Azure AD to make the user available for cloud-based services.
Solution Proposed:
You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller.
Does this solution meet the goal?
A. Yes
B. No
While using Active Directory Sites and Services to force replication of the Global Catalog on a domain controller can trigger replication within the on-premises Active Directory environment, it does not directly address the need to sync the data to Azure AD. This action is related to on-premises replication between domain controllers in the Active Directory environment.
In a hybrid Azure AD setup, synchronization between the on-premises Active Directory and Azure AD is managed by Azure AD Connect, not by manual replication of the Global Catalog. The DirSync server (or Azure AD Connect in modern setups) is responsible for pushing changes, including user accounts, from the on-premises AD to Azure AD.
The correct solution would be to use the Start-ADSyncSyncCycle PowerShell cmdlet to manually trigger a synchronization cycle. Specifically, the Delta Sync (or Initial Sync for full synchronization) command is used to push changes from the on-premises AD to Azure AD. This ensures that new users and other objects are replicated to Azure AD without relying on domain controller replication alone.
Summary:
Forcing replication in Active Directory Sites and Services only affects on-premises replication and does not trigger synchronization to Azure AD.
Azure AD Connect and the Start-ADSyncSyncCycle cmdlet are the proper tools for syncing on-premises AD changes to Azure AD.
Thus, the correct answer is B. No.