For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
✅
- The commands will create four new resources.
Yes ❌
- The commands will create storage accounts in the West US Azure region.
No ✅
- The first storage account that is created will have a prefix of 0.
Yes
Explanation (Why this is correct):
- “Four new resources” = 3 storage accounts (because the template uses a copy loop with count 3) **plus** the deployment record resource created when you run `New-AzResourceGroupDeployment` (deployments are tracked as `Microsoft.Resources/deployments` in the resource group’s deployment history).
- The storage accounts **are not guaranteed** to be in West US because the template sets the storage account location to `resourceGroup().location`, which is the location of **RG1**, not necessarily `westus` (even though there’s a `location` parameter with a default value).
- The first storage account name will start with `0` because `copyIndex(0)` returns `0` for the first iteration in the copy loop.
Explanation (Why the other options are incorrect):
- “West US region” is incorrect unless RG1 itself is located in West US, because the template uses `resourceGroup().location`.
- “Prefix not 0” is incorrect because `copyIndex(0)` starts numbering at 0 by default.
Exam Tips:
- Watch for the classic trap: a `location` parameter exists, but the resource actually uses `resourceGroup().location`.
- When you see `copy`/`copyIndex()`, assume the first iteration is index **0** unless an offset is explicitly applied.
- In PowerShell ARM deployments, remember the deployment itself is recorded in deployment history (`Microsoft.Resources/deployments`).
3.0 Deploy and manage Azure compute resources (20–25%) |__3.1 Automate deployment of resources by using Azure Resource Manager (ARM) templates or Bicep files |__|__3.1.1 Interpret an Azure Resource Manager template or a Bicep file |__|__3.1.4 Deploy resources by using an Azure Resource Manager template or a Bicep file
Question 282:
You have an Azure subscription named Subcription1 that contains the storage accounts shown in the following table.
You plan 10 use the Azure Import/Export service to export data from Subscription1.
- Azure Import/Export is used to transfer data into or out of **Azure Storage** using disk drives.
- For an export job, the data source must be in a storage account that contains the data in supported services-commonly **Blob storage** for export scenarios.
- In the table, only storage4 is a BlobStorage account and contains Blob data, making it the valid target for an export job.
Why the other selections are incorrect:
- storage1
- Account kind is Storage and contains File service data; not the intended/typical export source in this scenario.
- storage2
- StorageV2, but contains File and Table data (not the Blob source indicated for export scenarios).
- storage3
- StorageV2, but contains Queue data (not applicable as an export source here).
1. Azure Import/Export service overview https://learn.microsoft.com/en-us/azure/import-export/storage-import-export-service Date Modified: Unable to locate date modified on page Date Accessed: 01/25/2026
-------------------------------------------------------------------------------- Microsoft Exam Tips:
- AZ-104: Import/Export questions usually reduce to "Is it **Azure Storage** and is it the **right service** (Blob vs Files)x"
- Always map the *storage service that contains the data* (Blob/File/Queue/Table) to what the transfer method supports.
Summary:
Selecting a supported storage account/service type for an Azure Import/Export export job.
AZ-104 Exam Objective Hierarchy:
2.0 Implement and manage storage (15?0%) |__ 2.2 Configure and manage storage accounts
Question 283:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Traffic Manager Contributor role at the subscription level to Admin1.
Does this meet the goal?
A. Yes B. No
B. No
No
Traffic Analytics is a Network Watcher capability that depends on Network Watcher/flow logs and related permissions. Assigning the Traffic Manager Contributor role is not the appropriate role to enable or manage Traffic Analytics for a subscription because Traffic Manager is a different service and its contributor role does not grant the required Network Watcher permissions.
To use Network Watcher capabilities, the user typically needs roles such as Owner, Contributor, or Network Contributor (or an appropriate custom role including the required actions) at the required scope. Therefore, the stated role assignment does not meet the goal.
Microsoft Exam Tips:
- AZ-104 often tests service-role alignment: a role for Service A rarely grants permissions for Service B.
- For Network Watcher features, "Network Contributor / Contributor / Owner" is a common baseline.
Summary:
RBAC requirements for Network Watcher/Traffic Analytics vs unrelated service roles.
AZ-104 Exam Objective Hierarchy:
1.0 Manage Azure identities and governance (20?5%) |__ 1.2 Manage access to Azure resources |__ 1.2.1 Manage built-in Azure roles
Question 284:
HOTSPOT
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You configure the network interfaces of the virtual machines to use the settings shown in the following table.
From the settings of VNET1 you configure the DNS servers shown in the following exhibit.
The virtual machines can successfully connect to the DNS server that has an IP address of 192.168.10.15 and the DNS server that has an IP address of 193.77.134.10.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
VM1 connects to 193.77.134.10 for DNS queries: Yes
VM2 connects to 193.77.134.10 for DNS queries: No
VM3 connects to 192.168.10.15 for DNS queries: Yes
Why this is correct:
- A VM will use the DNS server settings it is configured to use. If the VM is not explicitly configured, it will use the DNS settings provided by the virtual network (via DHCP options).
- VM1 has no VM-level DNS server configured, so it uses the VNET1 DNS server (193.77.134.10) --> Yes.
- VM2 has a VM-level DNS server configured (192.168.10.15), so it does not use the VNET1 DNS server (193.77.134.10) --> No.
- VM3 is configured to use 192.168.10.15, so its DNS queries go to 192.168.10.15 --> Yes.
Exam Tips:
- “VNet DNS” applies when the VM/NIC/OS is not overriding DNS. If the OS is manually set, it wins.
AZ-104 Exam Objective Hierarchy
4.0 Implement and manage virtual networking (15–20%) └── 4.3 Configure name resolution and load balancing └── 4.3.1 Configure Azure DNS
Question 285:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.
Running "az aks" by itself is not the action that deploys a YAML manifest to the cluster. You must use kubectl (for example, kubectl apply -f) after you have cluster credentials configured (commonly via az aks get-credentials).
Not selected:
- Yes: incorrect because the kubectl apply step is what actually submits the YAML to Kubernetes.
References:
1. AKS quickstart (configure kubectl via az aks get-credentials) https://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-cli Date Modified: 08/19/2025 Date Accessed: 01/24/2026
Microsoft Exam Tips:
- "Deploy YAML" usually implies kubectl apply. Azure CLI is commonly used to obtain credentials, not to apply manifests.
Summary:
Correct tooling for applying Kubernetes manifests to AKS.
AZ-104 Exam Objective Hierarchy:
3.0 Deploy and manage Azure compute resources (20?5%) | |__ 3.3 Provision and manage containers in the Azure portal
Question 286:
DRAG DROP
You have an Azure subscription that contains an Azure Service Bus named Bus1. Your company plans to deploy two Azure web apps named App1 and App2. The web apps will create messages that have the following requirements:
1. Each message created by App1 must be consumed by only a single consumer 2. Each message created by App2 will be consumed by multiple consumers.
Which resource should you create for each web app? To answer, drag the appropriate resources to the correct web apps. Each resource may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Box 1 (App1): A Service Bus queue
Box 2 (App2): A Service Bus topic
Explanation:
You have two apps that will process messages, with different consumption requirements.
Why the answers are correct:
Box 1 (App1): A Service Bus queue
- A queue supports **competing consumers** where each message is typically processed by **one** consumer. This matches “each message must be consumed by only a single consumer.”
Box 2 (App2): A Service Bus topic
- A topic supports **publish/subscribe** via subscriptions, where the same message can be delivered to **multiple** consumers (multiple subscriptions). This matches “each message should be consumed by multiple consumers.”
Why the other resources are not correct:
- Azure Blob storage
- Object storage, not a message broker.
- Azure Event Grid topic
- Great for eventing and fan-out, but the question’s requirements align directly with Service Bus queue vs topic semantics for message consumption patterns.
References:
1. Microsoft Learn. Azure Service Bus messaging: queues and topics/subscriptions.
https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview Last updated: Unable to locate on page. Date Accessed: 01/26/2026.
2. Microsoft Learn. Azure Service Bus queues.
https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-queues-topics-subscriptions Last updated: Unable to locate on page. Date Accessed: 01/26/2026.
- **Topic** = one-to-many / pub-sub (multiple consumers per message via subscriptions)
- If the prompt says “multiple consumers need the same message,” topics are usually the answer.
Summary:
This question tested selecting the correct Service Bus entity based on message consumption requirements: queue for single-consumer processing and topic for multi-consumer fan-out.
AZ-104 Exam Objective Hierarchy:
3.0 - Deploy and manage Azure compute resources (20–25%) |__ 3.4 - Create and configure Azure App Service
Question 287:
You have an Azure subscription that contains a storage account. The account stores website data.
You need to ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location.
What should you configure?
A. private endpoints B. Azure Firewall rules C. Routing preference D. load balancing
To ensure inbound users reach the Microsoft point-of-presence (POP) closest to them when accessing Azure Storage, you configure the storage account **routing preference** to use **Microsoft network routing**. This steers traffic onto Microsoft's global network earlier (at the closest POP), improving path optimization and consistency.
Why other selections are not correct:
- private endpoints: Provide private connectivity from VNets; they do not optimize global user ingress via closest POP for public website traffic.
- Azure Firewall rules: Control/filter traffic; not a global ingress optimization mechanism.
- load balancing: Does not determine Microsoft POP selection for storage public endpoints.
1. Routing preference for Azure Storage https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference Modified: Unable to locate date modified Date Access: 01/24/2026
-------------------------------------------------------------------------------- Microsoft Exam Tips:
- For Azure Storage "closest POP / Microsoft global network" wording, look for **routing preference** and "Microsoft network routing."
- Do not confuse with Azure Front Door/CDN unless those services are explicitly in the options.
2.0 Implement and manage storage (15?0%) |__ 2.1 Configure access to storage |__ 2.1.1 Configure Azure Storage firewalls and virtual networks
Question 288:
You have an on-premises network that contains a database server named dbserver1.
You have an Azure subscription.
You plan to deploy three Azure virtual machines. Each virtual machine will be deployed to a separate availability zone.
You need to configure an Azure VPN gateway for a site-to-site VPN. The solution must ensure that the virtual machines can connect to dbserver1.
Which type of public IP address SKU and assignment should you use for the gateway?
A. a basic SKU and a static IP address assignment B. a standard SKU and a static IP address assignment C. a basic SKU and a dynamic IP address assignment
B. a standard SKU and a static IP address assignment
When availability zones are in scope for the gateway scenario, the public IP used with the VPN gateway must be a Standard SKU and must be Static. This aligns with zone-aware/zone-redundant requirements and is the supported pairing for resilient gateway deployments.
Why the other choices are not correct:
- Basic SKU public IPs and/or Dynamic assignment are not the correct combination for zonal gateway scenarios.
References:
1. VPN Gateway availability zones / zone-redundant guidance https://learn.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vpn-gateway Date Modified: Unable to locate date modified Date Access: 01/24/2026
4.0 Implement and manage virtual networking (15?0%) |__ 4.1 Configure and manage virtual networks in Azure |__ |__ 4.1.3 Configure public IP addresses
Question 289:
HOTSPOT
You implement The planned changes for NSG1 and NSG2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
VM1 can establish an RDP session to VM2: Yes VM2 can ping VM3: Yes VM2 can establish an RDP session to VM3: No
Network Security Groups evaluate rules by priority, and explicit rules can override the default 'AllowVNetInBound' behavior. In this scenario, intra-VNet traffic needed for the first two statements remains allowed, while RDP in the third statement is blocked by a higher-priority rule (for example, a deny on TCP/3389) on the destination subnet/NIC.
References Azure network security groups overview (architecture guide). (Last updated 2025-07-15). Retrieved 2026-01-31 from https://learn.microsoft.com/en-us/azure/architecture/networking/guide/network-level-segmentation How network security groups filter network traffic. (Last updated 2025-07-29). Retrieved 2026-01-31 from https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
AZ-104 Exam Objective Hierarchy (Mapped to this question) 4.0 Implement and manage virtual networking (15–20%) |__4.2 Configure secure access to virtual networks |__|__4.2.1 Create and configure network security groups (NSGs) and application security groups |__|__4.2.2 Evaluate effective security rules in NSGs
Question 290:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, those questions will not appear in the review screen.
You have a Microsoft Entra tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: From Microsoft Entra ID in the Azure portal, you use the Bulk create user operation.
Does this meet the goal?
A. Yes B. No
B. No
No
The Bulk create user operation in Microsoft Entra ID creates internal user accounts (member users) in the tenant, not B2B guest users. Creating guest users for external users is typically done by using Bulk invite users (B2B) instead. Therefore, “Bulk create user” does not meet the goal.
Why the other option is not correct:
Yes: Incorrect because Bulk create user is not the guest onboarding mechanism for external users.
Exam Tips:
AZ-104: Guest onboarding = “invite” (B2B). Member or internal user provisioning = “create users.”
Watch for wording: “external users” plus “guest account” strongly implies the B2B invite flow.
Summary:
Bulk create users does not create guest users; use bulk invite for external guests.
AZ-104 Exam Objective Hierarchy:
1.0 Manage Azure identities and governance (20–25%) └── 1.1 Manage Microsoft Entra users and groups └── 1.1.4 Manage external users
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your AZ-104 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.
