AZ-304 Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the AZ-304 certification? Take your preparation to the next level with our AZ-304 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using an AZ-304 practice exam free is one of the best ways to:
Experience the format and difficulty of the real exam
Identify your strengths and focus on weak areas
Improve your test-taking speed and accuracy
Below, you will find 50 realistic free AZ-304 practice exam questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
DRAG DROP -
A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that uses the Basic license.
You plan to deploy two applications to Azure. The applications have the requirements shown in the following table.
Which authentication strategy should you recommend for each application? To answer, drag the appropriate authentication strategies to the correct applications.
Each authentication strategy may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Suggested Answer:
Box 1: Azure AD V2.0 endpoint –
Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) developer platform. It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft APIs, such as Microsoft Graph, or APIs that developers have built. The Microsoft identity platform consists of:
OAuth 2.0 and OpenID Connect standard-compliant authentication service that enables developers to authenticate any Microsoft identity, including:
Work or school accounts (provisioned through Azure AD)
Personal Microsoft accounts (such as Skype, Xbox, and Outlook.com)
Social or local accounts (via Azure AD B2C)
Box 2: Azure AD B2C tenant –
Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.
Azure Active Directory B2C (Azure AD B2C) integrates directly with Azure Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your applications.
Reference: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-mfa https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview
HOTSPOT -
You need to design an Azure policy that will implement the following functionality:
✑ For new resources, assign tags and values that match the tags and values of the resource group to which the resources are deployed.
✑ For existing resources, identify whether the tags and values match the tags and values of the resource group that contains the resources.
✑ For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values.
The solution must use the principle of least privilege.
What should you include in the design? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Modify –
Modify is used to add, update, or remove properties or tags on a resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations.
Incorrect Answers:
✑ The following effects are deprecated: EnforceOPAConstraint, EnforceRegoPolicy
✑ Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.
Box 2: A managed identity with the Contributor role
✑ Managed identity
How remediation security works: When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity. Azure Policy creates a managed identity for each assignment, but must have details about what roles to grant the managed identity.
✑ Contributor role
The Contributor role grants the required access to apply tags to any entity.
Reference: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an on-premises Hyper-V cluster that hosts 20 virtual machines. Some virtual machines run Windows Server 2016 and some run Linux.
You plan to migrate the virtual machines to an Azure subscription.
You need to recommend a solution to replicate the disks of the virtual machines to Azure. The solution must ensure that the virtual machines remain available during the migration of the disks.
Solution: You recommend implementing an Azure Storage account, and then running AzCopy.
Does this meet the goal?
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant.
You plan to use Azure Monitor to monitor user sign-ins and generate alerts based on specific user sign-in events.
You need to recommend a solution to trigger the alerts based on the events.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.
Several VMs are exhibiting network connectivity issues.
You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.
Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic.
Does the solution meet the goal?
A. Yes
B. No
Suggested Answer: A
The Network Watcher Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.
Note:
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an on-premises Hyper-V cluster that hosts 20 virtual machines. Some virtual machines run Windows Server 2016 and some run Linux.
You plan to migrate the virtual machines to an Azure subscription.
You need to recommend a solution to replicate the disks of the virtual machines to Azure. The solution must ensure that the virtual machines remain available during the migration of the disks.
Solution: You recommend implementing an Azure Storage account, and then using Azure Migrate.
Does this meet the goal?
You plan to deploy an application that will run in a Linux-based Docker container.
You need to recommend a solution to host the application in Azure. The solution must meet the following requirements:
✑ Support a custom domain name and an associated SSL certificate.
✑ Scale-out automatically based on demand.
✑ Minimize administrative effort and costs.
What should you include in the recommendation?
A. Azure App Service
B. Azure Container Instances
C. an Azure virtual machine
D. Azure Kubernetes Service (AKS)
Suggested Answer: A
App Service not only adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management. You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, and other sources, package management, staging environments, custom domain, and TLS/SSL certificates.
Key features of App Service include:
✑ Containerization and Docker – Dockerize your app and host a custom Windows or Linux container in App Service.
✑ Scale up or out manually or automatically. Host your apps anywhere in Microsoft’s global datacenter infrastructure, and the App Service SLA promises high availability.
App Service can also host web apps natively on Linux for supported application stacks. It can also run custom Linux containers (also known as Web App for Containers).
Reference: https://docs.microsoft.com/en-us/azure/app-service/overview
HOTSPOT -
You configure the Diagnostics settings for an Azure SQL database as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Your company has offices in the United States, Europe, Asia, and Australia.
You have an on-premises app named App1 that uses Azure Table storage. Each office hosts a local instance of App1.
You need to upgrade the storage for App1. The solution must meet the following requirements:
✑ Enable simultaneous write operations in multiple Azure regions.
✑ Ensure that write latency is less than 10 ms.
✑ Support indexing on all columns.
✑ Minimize development effort.
Which data platform should you use?
A. Azure SQL Database
B. Azure SQL Managed Instance
C. Azure Cosmos DB
D. Table storage that uses geo-zone-redundant storage (GZRS) replication
Suggested Answer: D
Azure Cosmos DB Table API has –
✑ Single-digit millisecond latency for reads and writes, backed with <10-ms latency reads and <15-ms latency writes at the 99th percentile, at any scale, anywhere in the world.
✑ Automatic and complete indexing on all properties, no index management.
✑ Turnkey global distribution from one to 30+ regions. Support for automatic and manual failovers at any time, anywhere in the world.
Incorrect Answers:
D: Azure Table storage has no upper bound on latency.
Reference: https://docs.microsoft.com/en-us/azure/cosmos-db/table-support
HOTSPOT -
You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.
You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity. The solution must meet the following requirements:
✑ Ensure that the applications can authenticate only when running on the 10 virtual machines.
✑ Minimize administrative effort.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
Hot Area:
Suggested Answer:
Box 1: Create a system-assigned managed identity for Azure resources
The managed identities for Azure resources feature in Azure Active Directory (Azure AD) provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance.
Box 2: An Azure Instance Metadata Service Identity
See steps 3 and 5 below.
How a system-assigned managed identity works with an Azure VM
1. Azure Resource Manager receives a request to enable the system-assigned managed identity on a VM.
2. Azure Resource Manager creates a service principal in Azure AD for the identity of the VM. The service principal is created in the Azure AD tenant that’s trusted by the subscription.
3. Azure Resource Manager configures the identity on the VM by updating the Azure Instance Metadata Service identity endpoint with the service principal client ID and certificate.
4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use role-based access control (RBAC) in Azure AD to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
5. Your code that’s running on the VM can request a token from the Azure Instance Metadata Service endpoint, which is accessible only from within the VM.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
You have an Azure subscription that contains a storage account.
An application sometimes writes duplicate files to the storage account.
You have a PowerShell script that identifies and deletes duplicate files in the storage account. Currently, the script is run manually after approval from the operations manager.
You need to recommend a serverless solution that performs the following actions:
✑ Runs the script once an hour to identify whether duplicate files exist
✑ Sends an email notification to the operations manager requesting approval to delete the duplicate files
✑ Processes an email response from the operations manager specifying whether the deletion was approved
✑ Runs the script if the deletion was approved
What should you include in the recommendation?
A. Azure Logic Apps and Azure Functions
B. Azure Pipelines and Azure Service Fabric
C. Azure Logic Apps and Azure Event Grid
D. Azure Functions and Azure Batch
Suggested Answer: A
You can schedule a PowerShell script with Azure Logic Apps.
When you want to run code that performs a specific job in your logic apps, you can create your own function by using Azure Functions. This service helps you create Node.js, C#, and F# functions so you don’t have to build a complete app or infrastructure to run code. You can also call logic apps from inside Azure functions. Azure Functions provides serverless computing in the cloud and is useful for performing tasks such as these examples:
Reference: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-functions
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.
You create an Azure SQL database named DB1 that is hosted in the East US region.
To DB1, you add a diagnostic setting named Settings1. Settings1 archives SQLInsights to storage1 and sends SQLInsights to Workspace1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Suggested Answer:
Box 1: No –
You archive logs only to Azure Storage accounts.
Box 2: Yes –
Box 3: Yes –
Sending logs to Event Hubs allows you to stream data to external systems such as third-party SIEMs and other log analytics solutions.
Note: A single diagnostic setting can define no more than one of each of the destinations. If you want to send data to more than one of a particular destination type (for example, two different Log Analytics workspaces), then create multiple settings. Each resource can have up to 5 diagnostic settings.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings
You have an application that sends events to an Azure event hub by using HTTP requests over the internet.
You plan to increase the number of application instances.
You need to recommend a solution to reduce the overhead associated with sending events to the hub.
What should you recommend?
A. Configure the application to send events by using the AMQP protocol
B. Reduce the retention period of the event hub.
C. Replace the event hub with an Azure Service Bus instance.
D. Configure the application to send events by using the HTTPS protocol.
Suggested Answer: A
Compared to HTTP, AMQP is easy to scale.
Note: Facts pro-AMQP –
Delivering messages with AMQP gives you reliability and being asynchronous allows you to not worry about the delivery at all.
Incorrect Answers:
B: Changing the retention period would not reduce the overhead.
C: Azure event hub has a low latency compared to Azure Service Bus.
D: Overhead increases with HTTPS compared to HTTP.
Reference: https://dev.to/fedejsoren/amqp-vs-http
You have an Azure web app that uses an Azure key vault named KeyVault1 in the West US Azure region.
You are designing a disaster recovery plan for KeyVault1.
You plan to back up the keys in KeyVault1.
You need to identify to where you can restore the backup.
What should you identify?
A. KeyVault1 only
B. the same region only
C. the same geography only
D. any region worldwide
Suggested Answer: C
When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can’t be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography.
Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/backup
You have an on-premises Hyper-V cluster. The cluster contains Hyper-V hosts that run Windows Server 2016 Datacenter. The hosts are licensed under a Microsoft Enterprise Agreement that has Software Assurance.
The Hyper-V cluster contains 30 virtual machines that run Windows Server 2012 R2. Each virtual machine runs a different workload. The workloads have predictable consumption patterns.
You plan to replace the virtual machines with Azure virtual machines that run Windows Server 2016. The virtual machines will be sized according to the consumption pattern of each workload.
You need to recommend a solution to minimize the compute costs of the Azure virtual machines.
Which two recommendations should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Configure a spending limit in the Azure account center.
B. Create a virtual machine scale set that uses autoscaling.
C. Activate Azure Hybrid Benefit for the Azure virtual machines.
D. Purchase Azure Reserved Virtual Machine Instances for the Azure virtual machines.
E. Create a lab in Azure DevTest Labs and place the Azure virtual machines in the lab.
You need to design a solution that will execute custom C# code in response to an event routed to Azure Event Grid. The solution must meet the following requirements:
✑ The executed code must be able to access the private IP address of a Microsoft SQL Server instance that runs on an Azure virtual machine.
✑ Costs must be minimized.
What should you include in the solution?
A. Azure Logic Apps in the integrated service environment
B. Azure Functions in the Dedicated plan and the Basic Azure App Service plan
C. Azure Logic Apps in the Consumption plan
D. Azure Functions in the Consumption plan
Suggested Answer: D
When you create a function app in Azure, you must choose a hosting plan for your app. There are three basic hosting plans available for Azure Functions: Consumption plan, Premium plan, and Dedicated (App Service) plan.
For the Consumption plan, you don’t have to pay for idle VMs or reserve capacity in advance.
Connect to private endpoints with Azure Functions
As enterprises continue to adopt serverless (and Platform-as-a-Service, or PaaS) solutions, they often need a way to integrate with existing resources on a virtual network. These existing resources could be databases, file storage, message queues or event streams, or REST APIs.
Reference: https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale https://techcommunity.microsoft.com/t5/azure-functions/connect-to-private-endpoints-with-azure-functions/ba-p/1426615
HOTSPOT -
You need to design a resource governance solution for an Azure subscription. The solution must meet the following requirements:
✑ Ensure that all ExpressRoute resources are created in a resource group named RG1.
✑ Delegate the creation of the ExpressRoute resources to an Azure Active Directory (Azure AD) group named Networking.
✑ Use the principle of least privilege.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: An Azure policy assignment at the subscription level that has an exclusion
Box 2: A custom RBAC role assignment at the level of RG1
Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.
Reference: https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
You are designing a data protection strategy for Azure virtual machines. All the virtual machines use managed disks.
You need to recommend a solution that meets the following requirements:
✑ The use of encryption keys is audited.
✑ All the data is encrypted at rest always.
✑ You manage the encryption keys, not Microsoft.
What should you include in the recommendation?
You have an on-premises network to which you deploy a virtual appliance.
You plan to deploy several Azure virtual machines and connect the on-premises network to Azure by using a Site-to-Site connection.
All network traffic that will be directed from the Azure virtual machines to a specific subnet must flow through the virtual appliance.
You need to recommend solutions to manage network traffic.
Which two options should you recommend? Each correct answer presents a complete solution.
A. Configure Azure Traffic Manager.
B. Implement Azure ExpressRoute.
C. Configure a routing table.
D. Implement an Azure virtual network.
Suggested Answer: BC
B: Forced tunneling lets you redirect or “force” all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing.
This is a critical security requirement for most enterprise IT policies. Without forced tunneling, Internet-bound traffic from your VMs in Azure always traverses from Azure network infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.
Forced tunneling in Azure is configured via virtual network user-defined routes.
C: ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365.
Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing an Azure solution for a company that has four departments. Each department will deploy several Azure app services and Azure SQL databases.
You need to recommend a solution to report the costs for each department to deploy the app services and the databases. The solution must provide a consolidated view for cost reporting that displays cost broken down by department.
Solution: Create a resource group for each resource type. Assign tags to each resource group.
Does this meet the goal?
You deploy two instances of an Azure web app. One instance is in the East US Azure region and the other instance is in the West US Azure region. The web app uses Azure Blob storage to deliver large files to end users.
You need to recommend a solution for delivering the files to the users. The solution must meet the following requirements:
✑ Ensure that the users receive files from the same region as the web app that they access.
✑ Ensure that the files only need to be uploaded once.
✑ Minimize costs.
What should you include in the recommendation?
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.
You discover several login attempts to the Azure portal from countries where administrative users do NOT work.
You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).
Solution: Implement Azure AD Identity Protection for Group1.
Does this solution meet the goal?
You plan to migrate App1 to Azure.
You need to recommend a network connectivity solution for the Azure Storage account that will host the App1 data. The solution must meet the security and compliance requirements.
What should you include in the recommendation?
A. a private endpoint
B. a service endpoint that has a service endpoint policy
C. Azure public peering for an ExpressRoute circuit
D. Microsoft peering for an ExpressRoute circuit
Suggested Answer: D
By default, Azure service resources secured to virtual networks aren’t reachable from on-premises networks. If you want to allow traffic from on-premises, you must also allow public (typically, NAT) IP addresses from your on-premises or ExpressRoute. You can add these IP addresses through the IP firewall configuration for Azure service resources.
You can use ExpressRoute for public peering and Microsoft peering.
Scenario:
✑ On-premises users and services must be able to access the Azure Storage account that will host the data in App1.
✑ Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.
Incorrect Answers:
C: Public Peering is deprecated for new circuits.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview https://docs.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings
HOTSPOT -
You plan to create a storage account and to save the files as shown in the exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
You need to recommend a disaster recovery solution for the back-end tier of the payment processing system.
What should you include in the recommendation?
A. Azure Site Recovery
B. an auto-failover group
C. Always On Failover Cluster Instances
D. geo-redundant database backups
Suggested Answer: B
Scenario:
✑ The back-end data store is implemented as a Microsoft SQL Server 2014 database.
✑ If a data center fails, ensure that the payment processing system remains available without any administrative intervention.
Note: Auto-failover groups is a SQL Database feature that allows you to manage replication and failover of a group of databases on a SQL Database server or all databases in a managed instance to another region. It is a declarative abstraction on top of the existing active geo-replication feature, designed to simplify deployment and management of geo-replicated databases at scale.
Reference: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auto-failover-group
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing an Azure solution for a company that has four departments. Each department will deploy several Azure app services and Azure SQL databases.
You need to recommend a solution to report the costs for each department to deploy the app services and the databases. The solution must provide a consolidated view for cost reporting that displays cost broken down by department.
Solution: Create a separate resource group for each department. Place the resources for each department in its respective resource group.
Does this meet the goal?
A. Yes
B. No
Suggested Answer: B
Instead, create a resource group for each resource type. Assign tags to each resource group.
Note: Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
HOTSPOT -
Your organization has developed and deployed several Azure App Service Web and API applications. The applications use Azure Key Vault to store several authentication, storage account, and data encryption keys. Several departments have the following requests to support the applications:
You need to recommend the appropriate Azure service for each department request.
What should you recommend? To answer, configure the appropriate options in the dialog box in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You plan to run an image rendering workload in Azure. The workload uses parallel compute processes.
What is the best service to use to run the workload? More than one answer choice may achieve the goal. Select the BEST answer.
A. an Azure virtual machine scale set
B. Azure Function App
C. Azure Kubernetes Service (AKS)
D. Azure Batch
Suggested Answer: D
Azure Batch works well with intrinsically parallel (also known as “embarrassingly parallel”) workloads. Intrinsically parallel workloads are those where the applications can run independently, and each instance completes part of the work. When the applications are executing, they might access some common data, but they do not communicate with other instances of the application. Intrinsically parallel workloads can therefore run at a large scale, determined by the amount of compute resources available to run applications simultaneously.
Reference: https://docs.microsoft.com/en-us/azure/batch/batch-technical-overview
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements:
✑ Provide access to the full .NET framework.
✑ Provide redundancy if an Azure region fails.
✑ Grant administrators access to the operating system to install custom application dependencies.
Solution: You deploy two Azure virtual machines to two Azure regions, and you create a Traffic Manager profile.
Does this meet the goal?
You are designing a SQL database solution. The solution will include 20 databases that will be 20 GB each and have varying usage patterns.
You need to recommend a database platform to host the databases. The solution must meet the following requirements:
✑ The compute resources allocated to the databases must scale dynamically.
✑ The solution must meet an SLA of 99.99% uptime.
✑ The solution must have reserved capacity.
✑ Compute charges must be minimized.
What should you include in the recommendation?
A. 20 databases on a Microsoft SQL server that runs on an Azure virtual machine in an availability set
B. 20 instances of Azure SQL Database serverless
C. 20 databases on a Microsoft SQL server that runs on an Azure virtual machine
D. an elastic pool that contains 20 Azure SQL databases
Suggested Answer: D
Azure SQL Database elastic pools are a simple, cost-effective solution for managing and scaling multiple databases that have varying and unpredictable usage demands. The databases in an elastic pool are on a single server and share a set number of resources at a set price. Elastic pools in Azure SQL Database enable SaaS developers to optimize the price performance for a group of databases within a prescribed budget while delivering performance elasticity for each database.
Guaranteed 99.995 percent uptime for SQL Database
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/elastic-pool-overview https://azure.microsoft.com/en-us/pricing/details/sql-database/elastic/
You have an Azure subscription. The subscription contains an app that is hosted in the East US, Central Europe, and East Asia regions.
You need to recommend a data-tier solution for the app. The solution must meet the following requirements:
✑ Support multiple consistency levels.
✑ Be able to store at least 1 TB of data.
✑ Be able to perform read and write operations in the Azure region that is local to the app instance.
What should you include in the recommendation?
A. an Azure Cosmos DB database
B. a Microsoft SQL Server Always On availability group on Azure virtual machines
C. an Azure SQL database in an elastic pool
D. Azure Table storage that uses geo-redundant storage (GRS) replication
Suggested Answer: A
Azure Cosmos DB approaches data consistency as a spectrum of choices. This approach includes more options than the two extremes of strong and eventual consistency. You can choose from five well-defined levels on the consistency spectrum.
With Cosmos DB any write into any region must be replicated and committed to all configured regions within the account.
Incorrect Answers:
D: Not able to do local writes.
Reference: https://docs.microsoft.com/en-us/azure/cosmos-db/consistency-levels-tradeoffs
HOTSPOT -
You are building an application that will run in a virtual machine (VM). The application will use Azure Managed Identity.
The application uses Azure Key Vault, Azure SQL Database, and Azure Cosmos DB.
You need to ensure the application can use secure credentials to access these services.
Which authorization method should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You have an Azure subscription that contains two applications named App1 and App2. App1 is a sales processing application. When a transaction in App1 requires shipping, a message is added to an Azure Storage account queue, and then App2 listens to the queue for relevant transactions.
In the future, additional applications will be added that will process some of the shipping requests based on the specific details of the transactions.
You need to recommend a replacement for the storage account queue to ensure that each additional application will be able to read the relevant transactions.
What should you recommend?
A. one Azure Service Bus topic
B. multiple storage account queues
C. one Azure Data Factory pipeline
D. one Azure Service Bus queue
Suggested Answer: A
A queue allows processing of a message by a single consumer. In contrast to queues, topics and subscriptions provide a one-to-many form of communication in a publish and subscribe pattern. It’s useful for scaling to large numbers of recipients. Each published message is made available to each subscription registered with the topic. A publisher sends a message to a topic, and one or more subscribers receive a copy of the message, depending on the filter rules set on their subscriptions.
Reference: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-queues-topics-subscriptions
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains several administrative user accounts.
You need to recommend a solution to identify which administrative user accounts have NOT signed in during the previous 30 days.
Which service should you include in the recommendation?
You use Azure virtual machines to run a custom application that uses an Azure SQL Database instance on the back end.
The IT department at your company recently enabled forced tunneling.
Since the configuration change, developers have noticed degraded performance when they access the database from the Azure virtual machine.
You need to recommend a solution to minimize latency when accessing the database. The solution must minimize costs.
What should you include in the recommendation?
A. Virtual Network (VNET) service endpoints
B. Azure virtual machines that run Microsoft SQL Server servers
HOTSPOT -
You have a web application that uses a MongoDB database. You plan to migrate the web application to Azure.
You must migrate to Cosmos DB while minimizing code and configuration changes.
You need to design the Cosmos DB configuration.
What should you recommend? To answer, select the appropriate values in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
MongoDB compatibility: API –
API: MongoDB API –
Azure Cosmos DB comes with multiple APIs:
✑ SQL API, a JSON document database service that supports SQL queries. This is compatible with the former Azure DocumentDB.
✑ MongoDB API, compatible with existing Mongo DB libraries, drivers, tools and applications.
✑ Cassandra API, compatible with existing Apache Cassandra libraries, drivers, tools, and applications.
✑ Azure Table API, a key-value database service compatible with existing Azure Table Storage.
✑ Gremlin (graph) API, a graph database service supporting Apache Tinkerpop’s graph traversal language, Gremlin.
Reference: https://docs.microsoft.com/en-us/azure/cosmos-db/create-mongodb-dotnet
HOTSPOT -
You manage a network that includes an on-premises Active Directory domain and an Azure Active Directory (Azure AD).
Employees are required to use different accounts when using on-premises or cloud resources. You must recommend a solution that lets employees sign in to all company resources by using a single account. The solution must implement an identity provider.
You need to provide guidance on the different identity providers.
How should you describe each identity provider? To answer, select the appropriate description from each list in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: User management occurs on-premises. Azure AD authenticates employees by using on-premises passwords.
Azure AD Domain Services for hybrid organizations
Organizations with a hybrid IT infrastructure consume a mix of cloud resources and on-premises resources. Such organizations synchronize identity information from their on-premises directory to their Azure AD tenant. As hybrid organizations look to migrate more of their on-premises applications to the cloud, especially legacy directory-aware applications, Azure AD Domain Services can be useful to them.
Example: Litware Corporation has deployed Azure AD Connect to synchronize identity information from their on-premises directory to their Azure AD tenant. The identity information that is synchronized includes user accounts, their credential hashes for authentication (password hash sync), and group memberships.
User accounts, group memberships, and credentials from Litware’s on-premises directory are synchronized to Azure AD via Azure AD Connect. These user accounts, group memberships, and credentials are automatically available within the managed domain.
Box 2: User management occurs on-premises. The on-premises domain controller authenticates employee credentials.
You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises.
Reference: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-overview https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
You are designing a message application that will run on an on-premises Ubuntu virtual machine. The application will use Azure Storage queues.
You need to recommend a processing solution for the application to interact with the storage queues. The solution must meet the following requirements:
✑ Create and delete queues daily.
✑ Be scheduled by using a CRON job.
✑ Upload messages every five minutes.
What should developers use to interact with the queues?
You plan to archive 10 TB of on-premises data files to Azure.
You need to recommend a data archival solution. The solution must minimize the cost of storing the data files.
Which Azure Storage account type should you include in the recommendation?
Your company has the infrastructure shown in the following table.
The on-premises Active Directory domain syncs to Azure Active Directory (Azure AD).
Server1 runs an application named App1 that uses LDAP queries to verify user identities in the on-premises Active Directory domain.
You plan to migrate Server1 to a virtual machine in Subscription1.
A company security policy states that the virtual machines and services deployed to Subscription1 must be prevented from accessing the on-premises network.
You need to recommend a solution to ensure that App1 continues to function after the migration. The solution must meet the security policy.
What should you include in the recommendation?
A. Azure AD Application Proxy
B. an Azure VPN gateway
C. Azure AD Domain Services (Azure AD DS)
D. the Active Directory Domain Services role on a virtual machine
Your company has the offices shown in the following table.
The network contains an Active Directory domain named contoso.com that is synced to Azure Active Directory (Azure AD).
All users connect to Exchange Online.
You need to recommend a solution to ensure that all the users use Azure Multi-Factor Authentication (MFA) to connect to Exchange Online from one of the offices.
What should you include in the recommendation?
A. a virtual network and two Microsoft Cloud App Security policies
B. a named location and two Microsoft Cloud App Security policies
C. a conditional access policy and two virtual networks
D. a conditional access policy and two named locations
You plan to create an Azure Cosmos DB account that uses the SQL API. The account will contain data added by a web application. The web application will send data daily.
You need to recommend a notification solution that meets the following requirements:
✑ Sends email notifications when data is received from the web application
✑ Minimizes compute cost
What should you include in the recommendation?
A. Deploy an Azure logic app that has a SendGrid connector configured to use an Azure Cosmos DB action.
B. Deploy a function app that is configured to use the Consumption plan and an Azure Event Hubs binding.
C. Deploy a function app that is configured to use the Consumption plan and a SendGrid binding.
D. Deploy an Azure logic app that has a webhook configured to use a SendGrid action.
You are reviewing an Azure architecture as shown in the Architecture exhibit. (Click the Architecture tab.)
The estimated monthly costs for the architecture are shown in the Costs exhibit. (Click the Costs tab.)
The log files are generated by user activity to Apache web servers. The log files are in a consistent format. Approximately 1 GB of logs are generated per day.
Microsoft Power BI is used to display weekly reports of the user activity.
You need to recommend a solution to minimize costs while maintaining the functionality of the architecture.
What should you recommend?
A. Replace Azure Synapse Analytics and Azure Analysis Services with SQL Server on an Azure virtual machine.
B. Replace Azure Synapse Analytics with Azure SQL Database Hyperscale.
C. Replace Azure Data Factory with CRON jobs that use AzCopy.
D. Replace Azure Databricks with Azure Machine Learning.
Suggested Answer: C
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
Cron is one of the most useful utilities that you can find in any Unix-like operating system. It is used to schedule commands to run at a specific time. These scheduled commands or tasks are known as “Cron Jobs”.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-configure
HOTSPOT -
You have the Free edition of a hybrid Azure Active Directory (Azure AD) tenant. The tenant uses password hash synchronization.
You need to recommend a solution to meet the following requirements:
✑ Prevent Active Directory domain user accounts from being locked out as the result of brute force attacks targeting Azure AD user accounts.
✑ Block legacy authentication attempts to Azure AD integrated apps.
✑ Minimize costs.
What should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Smart lockout –
Smart lockout helps lock out bad actors that try to guess your users’ passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently from those of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.
Box 2: Conditional access policies
If your environment is ready to block legacy authentication to improve your tenant’s protection, you can accomplish this goal with Conditional Access.
How can you prevent apps using legacy authentication from accessing your tenant’s resources? The recommendation is to block them with a Conditional Access policy. If necessary, you can allow only certain users and specific network locations to use apps that are based on legacy authentication.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager resource deployments in your subscription.
What should you include in the recommendation?
A. the Change Tracking management solution
B. Application Insights
C. Azure Monitor action groups
D. Azure Activity Log
Suggested Answer: D
Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn’t more than 90 days in the past.
Through activity logs, you can determine:
✑ what operations were taken on the resources in your subscription
✑ who started the operation
✑ when the operation occurred
✑ the status of the operation
✑ the values of other properties that might help you research the operation
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
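The monthly report the question asks for can be built from an Activity Log export. The following is an added example, not code from the exam page or from Microsoft; it assumes events in the JSON shape that `az monitor activity-log list` returns (eventTimestamp, operationName.value, status.value, caller, resourceId, correlationId) and uses constructed sample events with a placeholder subscription id.

```python
"""Turn exported Azure Activity Log events into a monthly report of new
ARM deployments. Added example; sample events below are constructed.
Activity Log queries only reach back 90 days (see above), so each month's
events must be exported before they age out."""
import json
from collections import Counter
from datetime import datetime, timezone

DEPLOY_OP = "Microsoft.Resources/deployments/write"

# Constructed sample export. A deployment produces several events sharing one
# correlationId (Started -> Succeeded); c-2 failed, c-4 is April, c-5 is not
# a deployment. "<SUB-ID>" is a placeholder, not a real subscription.
SAMPLE_EVENTS = json.loads("""[
 {"eventTimestamp": "2021-05-03T10:12:00.000Z", "correlationId": "c-1",
  "operationName": {"value": "Microsoft.Resources/deployments/write"},
  "status": {"value": "Started"}, "caller": "alice@contoso.com",
  "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/rg-web/providers/Microsoft.Resources/deployments/web-2021-05"},
 {"eventTimestamp": "2021-05-03T10:13:30.000Z", "correlationId": "c-1",
  "operationName": {"value": "Microsoft.Resources/deployments/write"},
  "status": {"value": "Succeeded"}, "caller": "alice@contoso.com",
  "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/rg-web/providers/Microsoft.Resources/deployments/web-2021-05"},
 {"eventTimestamp": "2021-05-10T08:00:00.000Z", "correlationId": "c-2",
  "operationName": {"value": "Microsoft.Resources/deployments/write"},
  "status": {"value": "Failed"}, "caller": "bob@contoso.com",
  "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/rg-sql/providers/Microsoft.Resources/deployments/sql-2021-05"},
 {"eventTimestamp": "2021-05-21T16:45:00.000Z", "correlationId": "c-3",
  "operationName": {"value": "Microsoft.Resources/deployments/write"},
  "status": {"value": "Succeeded"}, "caller": "bob@contoso.com",
  "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/rg-sql/providers/Microsoft.Resources/deployments/sql-2021-05b"},
 {"eventTimestamp": "2021-04-28T09:00:00.000Z", "correlationId": "c-4",
  "operationName": {"value": "Microsoft.Resources/deployments/write"},
  "status": {"value": "Succeeded"}, "caller": "alice@contoso.com",
  "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/rg-web/providers/Microsoft.Resources/deployments/web-2021-04"},
 {"eventTimestamp": "2021-05-12T11:00:00.000Z", "correlationId": "c-5",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/restart/action"},
  "status": {"value": "Succeeded"}, "caller": "bob@contoso.com",
  "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"}
]""")


def parse_ts(ts):
    """Activity Log timestamps are UTC ISO 8601, sometimes with 7 fractional
    digits, which strptime's %f cannot take; drop the fraction."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def new_deployments(events, year, month):
    """One record per successful deployment in the given month, de-duplicated
    by correlationId so a Started/Succeeded pair is counted once."""
    seen = {}
    for ev in events:
        if ev["operationName"]["value"] != DEPLOY_OP or ev["status"]["value"] != "Succeeded":
            continue
        when = parse_ts(ev["eventTimestamp"])
        if (when.year, when.month) != (year, month):
            continue
        key = ev.get("correlationId") or ev["resourceId"]
        if key in seen:
            continue
        parts = ev["resourceId"].split("/")
        seen[key] = {"timestamp": when.isoformat(),
                     "resource_group": parts[parts.index("resourceGroups") + 1],
                     "deployment": parts[-1], "caller": ev.get("caller", "unknown")}
    return sorted(seen.values(), key=lambda r: r["timestamp"])


def deployments_by_caller(records):
    """Who deployed how much: the per-identity summary a reviewer wants first."""
    return Counter(r["caller"] for r in records)


def render_report(records, year, month):
    lines = [f"New ARM deployments for {year}-{month:02d}: {len(records)}"]
    lines += [f"{r['timestamp']}  {r['resource_group']:<8} {r['deployment']:<14} {r['caller']}" for r in records]
    lines += [f"  {c}: {n}" for c, n in deployments_by_caller(records).most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(new_deployments(SAMPLE_EVENTS, 2021, 5), 2021, 5))
```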
Your company has the divisions shown in the following table.
Sub1 contains an Azure web app that runs an ASP.NET application named App1. App1 uses the Microsoft identity platform (v2.0) to handle user authentication.
Users from east.contoso.com can authenticate to App1.
You need to recommend a solution to allow users from west.contoso.com to authenticate to App1.
What should you recommend for the west.contoso.com Azure AD tenant?
A. a conditional access policy
B. pass-through authentication
C. guest accounts
D. an app registration
Suggested Answer: D
There are several components that make up the Microsoft identity platform:
✑ OAuth 2.0 and OpenID Connect standard-compliant authentication service
✑ Application management portal: A registration and configuration experience in the Azure portal, along with the other Azure management capabilities.
You register an application using the App registrations experience in the Azure portal so that your app can be integrated with the Microsoft identity platform and call Microsoft Graph.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview https://docs.microsoft.com/en-us/graph/auth-register-app-v2
You have an Azure subscription that contains an Azure SQL database.
You are evaluating whether to use Azure reservations on the Azure SQL database.
Which tool should you use to estimate the potential savings?
A. The Purchase reservations blade in the Azure portal
B. The Advisor blade in the Azure portal
C. The SQL database blade in the Azure portal
Suggested Answer: A
Buy reserved capacity –
1. Sign in to the Azure portal.
2. Select All services > Reservations.
3. Select Add and then in the Purchase Reservations pane, select SQL Database to purchase a new reservation for SQL Database.
4. Fill in the required fields. Existing databases in SQL Database and SQL Managed Instance that match the attributes you select qualify to get the reserved capacity discount. The actual number of databases or managed instances that get the discount depends on the scope and quantity selected.
5. Review the cost of the capacity reservation in the Costs section.
6. Select Purchase.
7. Select View this Reservation to see the status of your purchase.
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/reserved-capacity-overview
You need to design a highly available Azure SQL database that meets the following requirements:
✑ Failover between replicas of the database must occur without any data loss.
✑ The database must remain available in the event of a zone outage.
✑ Costs must be minimized.
Which deployment option should you use?
A. Azure SQL Database Standard
B. Azure SQL Database Serverless
C. Azure SQL Database Business Critical
D. Azure SQL Database Basic
Suggested Answer: A
Standard geo-replication is available with Standard and General Purpose databases in the current Azure Management Portal and standard APIs.
Incorrect Answers:
B: Business Critical service tier is designed for applications that require low-latency responses from the underlying SSD storage (1-2 ms on average), fast recovery if the underlying infrastructure fails, or need to off-load reports, analytics, and read-only queries to the free-of-charge readable secondary replica of the primary database.
Note: Azure SQL Database and Azure SQL Managed Instance are both based on SQL Server database engine architecture that is adjusted for the cloud environment in order to ensure 99.99% availability even in the cases of infrastructure failures. There are three architectural models that are used:
✑ General Purpose/Standard
✑ Business Critical/Premium
✑ Hyperscale
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/service-tier-business-critical