25 question-and-answer style flashcards covering key Azure Administrator (AZ-104) concepts, including Conditional Access, networking, backup, migration, authentication, and monitoring.
Which Azure AD feature should you combine with dynamic groups to enforce MFA for finance users only?
Conditional Access policies targeted to the finance dynamic group.
To connect an on-premises office to an Azure VNet over the Internet with encryption, which two gateway resources must you create?
A Virtual Network Gateway in Azure and a Local Network Gateway representing the on-prem VPN device, then configure a site-to-site VPN connection.
What are the first two steps when migrating on-premises Hyper-V VMs to Azure using Azure Site Recovery?
1) Create a Recovery Services vault. 2) Install the Azure Site Recovery Provider (or Mobility service) on the Hyper-V host.
For Seamless SSO with Pass-through Authentication, which URL must be added to clients’ Intranet Zone?
https://autologon.microsoftazuread-sso.com
Which Microsoft tool is used to discover and remediate invalid on-premises UPNs before syncing to Azure AD?
IdFix (idfix.exe).
When adding an extra NIC to an existing VM, where must the NIC be created?
In the same region and resource group as both the virtual machine and its virtual network.
After an Azure AD join, which users become local administrators on the Windows 10 device by default?
The device owner and any Azure AD Global Administrators.
In an Azure Import/Export job, which storage type can receive the imported data?
Azure Blob Storage (or Azure Files).
How many Azure Backup policies are minimally required to back up 100 VMs, 20 SQL databases, and 50 file shares daily?
Three—one policy each for VMs, Azure SQL databases, and Azure File shares.
To alert on Windows event logs from an Azure VM, which resource type should the Azure Monitor alert target?
The Log Analytics virtual machine extension (i.e., use the VM extension data source).
True or False: Adding an office phone number for a cloud-only user is sufficient to enable MFA for that user.
False – the user must also exist in Azure AD and have MFA enabled; additional factors may still be required.
What prerequisite must virtual networks meet before they can be peered?
Their address spaces must not overlap.
Who can add users to a newly created Azure AD tenant?
Only a user with the Global Administrator role in that tenant.
After restoring a VM using the "Replace existing" disks option, which post-backup change must be redone: VM size change, added data disk, admin password reset, or copying a new file?
Copying the new file; disk-level restore overwrites data disks with the backed-up version.
Before protecting a VM with a different Recovery Services vault, what must you do in the current vault?
Stop (disable) backup for that VM in the existing vault.
When configuring Azure Backup reports, where can diagnostic logs be sent?
Only to Storage accounts and Log Analytics workspaces located in the same Azure region as the Recovery Services vault.
Which on-premises objects are synchronized to Azure AD by Azure AD Connect: user accounts, security groups, distribution groups, computers?
User accounts and security groups (distribution groups) are synced; computers are not unless Azure AD DS is enabled.
Which two authentication methods are NOT allowed for resetting passwords of on-premises domain administrators through SSPR?
Secret questions & answers and any cloud-based reset; these admins must change passwords on-premises.
What Azure AD role grants the right to join unlimited devices to Azure AD?
Global Administrator (also Device Administrator or explicit permission in "Users may join devices to Azure AD").
Which two actions prepare a network for Azure AD Pass-through Authentication with Seamless SSO?
Add the autologon URL to the Intranet zone and install Azure AD Connect with Pass-through Authentication enabled.
What is the purpose of a Local Network Gateway in Azure networking?
It represents the on-premises VPN device and its public IP address for a site-to-site connection.
Name one limitation of placing more than 100 VMs under a single Azure Backup policy through the portal.
Only 100 VMs can be associated with a backup policy from the portal; larger numbers require multiple policies or scripting.
Which Azure service enforces MFA based on user and application conditions?
Azure AD Conditional Access.
What happens if two peered VNets have overlapping IP ranges?
Peering cannot be created; address spaces must be unique.
Which tool should be installed on Azure VMs to send guest OS events to Azure Monitor Logs?
The Log Analytics agent (formerly OMS/MMA) via the VM extension.