Microsoft AZ-104 Exam (page: 8)
Microsoft Azure Administrator
Updated on: 02-Jan-2026

Viewing Page 8 of 69

You have an Azure subscription that has Traffic Analytics configured.
You deploy a new virtual machine named VM1 that has the following settings:
Region: East US
Virtual network: VNet1
NIC network security group: NSG1
You need to monitor VM1 traffic by using Traffic Analytics. Which settings should you configure?

  1. Diagnostic settings for VM1
  2. NSG flow logs for NSG1
  3. Diagnostic settings for NSG1
  4. Insights for VM1

Answer(s): B

Explanation:

Traffic analytics prerequisites
Traffic analytics requires:
* A Network Watcher enabled subscription.
* -> NSG flow logs enabled for the network security groups you want to monitor.
* An Azure Log Analytics workspace with read and write access.


Reference:

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains two storage accounts named contoso101 and contoso102. The subscription contains the virtual machines shown in the following table.


VNet1 has service endpoints configured as shown in the Service endpoints exhibit. (Click the Service endpoints tab.)


The Microsoft.Storage service endpoint has the service endpoint policy shown in the Microsoft.Storage exhibit. (Click the Microsoft.Storage tab.)


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Yes
VM1 is connected to VNet1/Subnet1, and has Basic Public IP address SKU. Subnet1 contains one Microsoft.Storage Service Endpoint.
The service endpoint policy contains the contoso1 Storage account.
Note: Service endpoints include:
Azure Storage (Microsoft.Storage): Generally available in all Azure regions.
Grant access from a virtual network
You can configure storage accounts to allow access only from specific subnets. The allowed subnets can belong to a virtual network in the same subscription or a different subscription, including those that belong to a different Microsoft Entra tenant. With cross-region service endpoints, the allowed subnets can also be in different regions from the storage account.
Etc.
Box 2: No
VM2 is connected to VNet1/Subnet2, and has Standard Public IP address SKU. Subnet2 contains one Microsoft.AzureActiveDirectory Service Endpoint.
Box 3: No
VM2 is connected to VNet1/Subnet2, and has Standard Public IP address SKU. Subnet2 contains one Microsoft.AzureActiveDirectory Service Endpoint.
Data Lake Storage public IP address – Use the public IP address for your target Data Lake Storage Gen1 accounts (see note 2 below).
Note: Service endpoints include:
Azure Data Lake Store Gen 1 (Microsoft.AzureActiveDirectory): Generally available in all Azure regions where ADLS Gen1 is available.
Virtual network integration for Data Lake Storage Gen1 makes use of the virtual network service endpoint security between your virtual network and Microsoft Entra ID to generate additional security claims in the access token. These claims are then used to authenticate your virtual network to your Data Lake Storage Gen1 account and allow access.
Note 2:
Optimal routing with Data Lake Storage Gen1 virtual network integration
A key benefit of virtual network service endpoints is optimal routing from your virtual network. You can perform the same route optimization to Data Lake Storage Gen1 accounts. Use the following user-defined routes from your virtual network to your Data Lake Storage Gen1 account.
Data Lake Storage public IP address – Use the public IP address for your target Data Lake Storage Gen1 accounts.


Reference:

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security
https://learn.microsoft.com/en-us/azure/data-lake-store/data-lake-store-network-security



You have an Azure subscription that contains multiple virtual machines in the West US Azure region. You need to use Traffic Analytics in Azure Network Watcher to monitor virtual machine traffic.
Which two resources should you create? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  1. a Log Analytics workspace
  2. an Azure Monitor workbook
  3. a storage account
  4. a Microsoft Sentinel workspace
  5. a Data Collection Rule (DCR) in Azure Monitor

Answer(s): A,C

Explanation:

To use traffic analytics, you need the following components:
Network Watcher: A regional service that you can use to monitor and diagnose conditions at a network-scenario level in Azure. You can use Network Watcher to turn NSG flow logs on and off.
Log Analytics: A tool in the Azure portal that you use to work with Azure Monitor Logs data. Azure Monitor Logs is an Azure service that collects monitoring data and stores the data in a central repository. This data can include events, performance data, or custom data that's provided through the Azure API. After this data is collected, it's available for alerting, analysis, and export. Monitoring applications such as network performance monitor and traffic analytics use Azure Monitor Logs as a foundation.
(A, C) Log Analytics workspace: The environment that stores Azure Monitor log data that pertains to an Azure account.


Reference:

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics



You have an Azure subscription that contains a virtual machine named VM1.
You plan to deploy an Azure Monitor alert rule that will trigger an alert when CPU usage on VM1 exceeds 80 percent.
You need to ensure that the alert rule sends an email message to two users named User1 and User2. What should you create for Azure Monitor?

  1. an action group
  2. a mail-enabled security group
  3. a distribution group
  4. a Microsoft 365 group

Answer(s): A

Explanation:

Azure Monitor alerts
Alerts consist of:
* Action groups: These groups can trigger notifications or an automated workflow to let users know that an alert has been triggered. Action groups can include:
  * Notification methods, such as email, SMS, and push notifications.
  * Automation runbooks.
  * Azure functions.
  * ITSM incidents.
  * Logic apps.
  * Secure webhooks.
  * Webhooks.
  * Event hubs.
* Alert conditions
* Etc.


Reference:

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains an Azure Backup vault named Backup1, a Recovery Services vault named Recovery1, and the resources shown in the following table.


You plan to back up the resources.
Which resource can be backed up to Backup1, and which resource can be backed up to Recovery1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Disk1
Backup1 - Azure Backup vault
If you create a new vault in Azure Backup Center, a screen shows the available datasources for each vault type:


Box 2: VM1
Recovery1 - Recovery Services vault


Reference:

https://learn.microsoft.com/en-us/answers/questions/405915/what-is-difference-between-recovery-services-vault



You have an Azure subscription that contains two resource groups named RG1 and RG2. RG1 contains the resources shown in the following table.


You move VM1 to RG2.
Which resources are in RG2 after the move?

  1. VM1 only
  2. VM1 and Disk1 only
  3. VM1, NIC1, and Disk1 only
  4. VM1, VNet1, NIC1, and Disk1

Answer(s): C



You create an App Service plan named Plan1 and an Azure web app named webapp1. You discover that the option to create a staging slot is unavailable.
You need to create a staging slot for Plan1. What should you do first?

  1. From Plan1, scale up the App Service plan
  2. From webapp1, add a custom domain.
  3. From Plan1, scale out the App Service plan.
  4. From webapp1, modify the Application settings.

Answer(s): A



You have an Azure subscription. The subscription contains 10 virtual machines that run Windows Server. Each virtual machine hosts a website in IIS and has the Azure Monitor Agent installed.
You need to collect the IIS logs from each virtual machine and store them in a Log Analytics workspace. What should you configure first?

  1. a private endpoint
  2. VM insights
  3. a data collection endpoint
  4. Diagnostic settings
  5. an Azure Monitor Private Link Scope (AMPLS)

Answer(s): E

Explanation:

With Azure Private Link, you can securely link Azure platform as a service (PaaS) resources to your virtual network by using private endpoints. Azure Monitor private links are structured differently from private links to other services.
Instead of creating a private link for each resource the virtual network connects to, Azure Monitor uses a single private link connection using a private endpoint from the virtual network to an Azure Monitor Private Link Scope (AMPLS). The AMPLS is a set of Azure Monitor resources that define the boundaries of your monitoring network.


Note: Collect IIS logs from virtual machine with Azure Monitor
Internet Information Services (IIS) stores user activity in log files that can be collected by Azure Monitor agent using a data collection rule (DCR) with an IIS Logs data source.
Incorrect:
Not C:
Add resources
On the Resources pane, select Add resources to add VMs that will use the DCR. You don't need to add any VMs yet since you can update the DCR after creation and add/remove any resources. If you select Enable Data Collection Endpoints on the Resources tab, you can select a DCE for each VM. *This is only required if you're using Azure Monitor Private Links*. Otherwise, don't select this option.


Reference:

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security
https://learn.microsoft.com/en-us/azure/azure-monitor/vm/data-collection-iis
https://learn.microsoft.com/en-us/azure/azure-monitor/vm/data-collection






Share your comments for Microsoft AZ-104 exam with other users:

Alex 5/24/2025 12:54:15 AM

Can I trust this source?
Anonymous