AZ-304 Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the AZ-304 certification exam? Kickstart your success with our AZ-304 Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with AZ-304 practice questions free gives you a powerful edge by allowing you to:
Understand the exam structure and question formats
Discover your strong and weak areas
Build the confidence you need for test day success
Below, you will find 50 free AZ-304 practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review. You can click on each Question to explore the details.
You plan to store data in Azure Blob storage for many years. The stored data will be accessed rarely.
You need to ensure that the data in Blob storage is always available for immediate access. The solution must minimize storage costs.
Which storage tier should you use?
A. Cool
B. Archive
C. Hot
Suggested Answer: A
Data in the cool access tier can tolerate slightly lower availability, but still requires high durability, retrieval latency, and throughput characteristics similar to hot data. For cool data, a slightly lower availability service-level agreement (SLA) and higher access costs compared to hot data are acceptable trade-offs for lower storage costs.
Incorrect Answers:
B: Archive storage stores data offline and offers the lowest storage costs but also the highest data rehydrate and access costs.
Archive – Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements (on the order of hours).
Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
You deploy an Azure virtual machine that runs an ASP.NET application. The application will be accessed from the internet by the users at your company.
You need to recommend a solution to ensure that the users are pre-authenticated by using their Azure Active Directory (Azure AD) account before they can connect to the ASP.NET application.
What should you include in the recommendation?
You need to recommend a high-availability solution for the middle tier of the payment processing system.
What should you include in the recommendation?
You are designing an Azure resource deployment that will use Azure Resource Manager templates. The deployment will use Azure Key Vault to store secrets.
You need to recommend a solution to meet the following requirements:
✑ Prevent the IT staff that will perform the deployment from retrieving the secrets directly from Key Vault.
✑ Use the principle of least privilege.
Which two actions should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a Key Vault access policy that allows all get key permissions, get secret permissions, and get certificate permissions.
B. From Access policies in Key Vault, enable access to the Azure Resource Manager for template deployment.
C. Create a Key Vault access policy that allows all list key permissions, list secret permissions, and list certificate permissions.
D. Assign the IT staff a custom role that includes the Microsoft.KeyVault/Vaults/Deploy/Action permission.
E. Assign the Key Vault Contributor role to the IT staff.
Suggested Answer: BD
B: To access a key vault during template deployment, set enabledForTemplateDeployment on the key vault to true.
D: The user who deploys the template must have the Microsoft.KeyVault/vaults/deploy/action permission for the scope of the resource group and key vault.
Incorrect Answers:
E: To grant access to a user to manage key vaults, you assign a predefined key vault Contributor role to the user at a specific scope.
If a user has Contributor permissions to a key vault management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has Contributor role access to your key vaults. Ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security
HOTSPOT -
You configure OAuth2 authorization in API Management as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Web applications –
The Authorization Code Grant Type is used by both web apps and native apps to get an access token after a user authorizes an app.
Note: The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token.
After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.
Incorrect Answers:
Not Headless device authentication:
A headless system is a computer that operates without a monitor, graphical user interface (GUI) or peripheral devices, such as keyboard and mouse.
Headless computers are usually embedded systems in various devices or servers in multi-server data center environments. Industrial machines, automobiles, medical equipment, cameras, household appliances, airplanes, vending machines and toys are among the myriad possible hosts of embedded systems.
Box 2: Client Credentials –
How to include additional client data
In case you need to store additional details about a client that don’t fit into the standard parameter set the custom data parameter comes to help:
POST /c2id/clients HTTP/1.1 –
Host: demo.c2id.com –
Content-Type: application/json –
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
{
“redirect_uris” : [ “https://myapp.example.com/callback” ],
“data” : { “reg_type” : “3rd-party”,
“approved” : true,
“author_id” : 792440 }
}
The data parameter permits arbitrary content packaged in a JSON object. To set it you will need the master registration token or a one-time access token with a client-reg:data scope.
Incorrect Answers:
Authorization protocols provide a state parameter that allows you to restore the previous state of your application. The state parameter preserves some state object set by the client in the Authorization request and makes it available to the client in the response.
Reference:https://myapp.example.com/callback”
],
“data” : { “reg_type” : “3rd-party”,
“approved” : true,
“author_id” : 792440 }
}
The data parameter permits arbitrary content packaged in a JSON object. To set it you will need the master registration token or a one-time access token with a client-reg:data scope.
Incorrect Answers:
Authorization protocols provide a state parameter that allows you to restore the previous state of your application. The state parameter preserves some state object set by the client in the Authorization request and makes it available to the client in the response.
Reference: https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type https://connect2id.com/products/server/docs/guides/client-registration
You have an Azure subscription that contains 100 virtual machines.
You plan to design a data protection strategy to encrypt the virtual disks.
You need to recommend a solution to encrypt the disks by using Azure Disk Encryption. The solution must provide the ability to encrypt operating system disks and data disks.
What should you include in the recommendation?
A. a certificate
B. a key
C. a passphrase
D. a secret
Suggested Answer: B
For enhanced virtual machine (VM) security and compliance, virtual disks in Azure can be encrypted. Disks are encrypted by using cryptographic keys that are secured in an Azure Key Vault. You control these cryptographic keys and can audit their use.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/encrypt-disks
HOTSPOT -
Your company has two on-premises sites in New York and Los Angeles and Azure virtual networks in the East US Azure region and the West US Azure region.
Each on-premises site has Azure ExpressRoute Global Reach circuits to both regions.
You need to recommend a solution that meets the following requirements:
✑ Outbound traffic to the Internet from workloads hosted on the virtual networks must be routed through the closest available on-premises site.
✑ If an on-premises site fails, traffic from the workloads on the virtual networks to the Internet must reroute automatically to the other site.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You are designing an Azure web app that will use Azure Active Directory (Azure AD) for authentication.
You need to recommend a solution to provide users from multiple Azure AD tenants with access to App1. The solution must ensure that the users use Azure Multi-
Factor Authentication (MFA) when they connect to App1.
Which two types of objects should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Azure AD conditional access policies
B. Azure AD managed identities
C. an Identity Experience Framework policy
D. an Azure application security group
E. an Endpoint Manager app protection policy
F. Azure AD guest accounts
Suggested Answer: AF
A: The Conditional Access feature in Azure Active Directory (Azure AD) offers one of several ways that you can use to secure your app and protect a service.
Conditional Access enables developers and enterprise customers to protect services in a multitude of ways including:
✑ Multi-factor authentication
✑ Allowing only Intune enrolled devices to access specific services
✑ Restricting user locations and IP ranges
Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:
✑ Service accounts and service principals.
If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.
Incorrect Answers:
B: Managed Identity does not support cross-directory scenarios.
E: Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups.
Note: The correct options should be application registration with Azure, this will allow the authentication of users on the AD to access the application. A default application registration validates that the user has valid login credentials. This can be your Active Directory or in case of a multi-tenant application the directory where the user is originated from.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-conditional-access-dev-guide https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management https://www.re-mark-able.net/understanding-azure-active-directory-application-registrations/
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing an Azure solution for a company that has four departments. Each department will deploy several Azure app services and Azure SQL databases.
You need to recommend a solution to report the costs for each department to deploy the app services and the databases. The solution must provide a consolidated view for cost reporting that displays cost broken down by department.
Solution: Place all resources in the same resource group. Assign tags to each resource.
Does the solution meet the goal?
A. Yes
B. No
Suggested Answer: B
Instead, create a resources group for each resource type. Assign tags to each resource
Note: Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
You use Azure Application Insights.
You plan to use continuous export.
You need to store Application Insights data for five years.
Which Azure service should you use?
A. Azure SQL Database
B. Azure Monitor Logs
C. Azure Backup
D. Azure Storage
Suggested Answer: D
Create a Continuous Export.
1. In the Application Insights resource for your app under configure on the left, open Continuous Export and choose Add:
2. Choose the telemetry data types you want to export.
3. Create or select an Azure storage account where you want to store the data. Click Add, Export Destination, Storage account, and then either create a new store or choose an existing store.
4. Create or select a container in the storage.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/app/export-telemetry#continuous-export-advanced-storage-configuration
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.
Several VMs are exhibiting network connectivity issues.
You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.
Solution: Install and configure the Microsoft Monitoring Agent and the Dependency Agent on all VMs. Use the Wire Data solution in Azure Monitor to analyze the network traffic.
Does the solution meet the goal?
HOTSPOT -
You are planning an Azure Storage solution for sensitive data. The data will be accessed daily. The data set is less than 10 GB.
You need to recommend a storage solution that meets the following requirements:
✑ All the data written to storage must be retained for five years.
✑ Once the data is written, the data can only be read. Modifications and deletion must be prevented.
✑ After five years, the data can be deleted, but never modified.
✑ Data access charges must be minimized.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: General purpose v2 with Archive acce3ss tier for blobs
Archive – Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements, on the order of hours.
Cool – Optimized for storing data that is infrequently accessed and stored for at least 30 days.
Hot – Optimized for storing data that is accessed frequently.
Box 2: Storage account resource lock
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have.
Note: You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
✑ CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
✑ ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
You have an application that sends events to an Azure event hub by using HTTP requests over the internet.
You plan to increase the number of application instances.
You need to recommend a solution to reduce the overhead associated with sending events to the hub.
What should you recommend?
A. Configure the application to send events by using the AMQP protocol
B. Reduce the retention period of the event hub.
C. Replace the event hub with an Azure Service Bus instance.
D. Configure the application to send events by using the HTTPS protocol.
Suggested Answer: A
Compared to HTTP, AMQP is easy to scale.
Note: Facts pro-AMQP –
Delivering messages with AMQP gives you reliability and being asynchronous allows you to not worry about the delivery at all.
Incorrect Answres:
B: Changing the retention period would not reduce the overhead.
C: Azure event hub has a low latency compared to Azure Service Bus.
D: Overhead increases with HTTPS compared to HTTP.
Reference: https://dev.to/fedejsoren/amqp-vs-http
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You plan to deploy multiple instances of an Azure web app across several Azure regions.
You need to design an access solution for the app. The solution must meet the following replication requirements:
✑ Support rate limiting.
✑ Balance requests between all instances.
✑ Ensure that users can access the app in the event of a regional outage.
Solution: You use Azure Traffic Manager to provide access to the app.
Does this meet the goal?
You manage an Azure environment for a company. The environment has over 25,000 licensed users and 100 mission-critical applications.
You need to recommend a solution that provides advanced user threat detection and remediation strategies.
What should you recommend?
A. Azure Active Directory (Azure AD) authentication
B. Microsoft Identity Manager
C. Azure Active Directory (Azure AD) Identity Protection
D. Azure Active Directory Federation Services (AD FS)
You are designing a data protection strategy for Azure virtual machines. All the virtual machines use managed disks.
You need to recommend a solution that meets the following requirements:
✑ The use of encryption keys is audited.
✑ All the data is encrypted at rest always.
✑ You manage the encryption keys, not Microsoft.
What should you include in the recommendation?
HOTSPOT -
You have an Azure App Service Web App that includes Azure Blob storage and an Azure SQL Database instance. The application is instrumented by using the
Application Insights SDK.
You need to design a monitoring solution for the web app.
Which Azure monitoring services should you use? To answer, select the appropriate Azure monitoring services in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
A company deploys Azure Active Directory (Azure AD) Connect to synchronize identity information from their on-premises Active Directory Domain Services (AD
DS) directory to their Azure AD tenant. The identity information that is synchronized includes user accounts, credential hashes for authentication (password sync), and group memberships. The company plans to deploy several Windows and Linux virtual machines (VMs) to support their applications.
The VMs have the following requirements:
✑ Support domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.
✑ Allow users to sign in to the domain using their corporate credentials and connect remotely to the VM by using Remote Desktop.
You need to support the VM deployment.
Which service should you use?
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant.
You plan to use Azure Monitor to monitor user sign-ins and generate alerts based on specific user sign-in events.
You need to recommend a solution to trigger the alerts based on the events.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You have an Azure subscription that contains an Azure SQL database named DB1.
Several queries that query the data in DB1 take a long time to execute.
You need to recommend a solution to identify the queries that take the longest to execute.
What should you include in the recommendation?
A. SQL Database Advisor
B. Azure Monitor
C. Performance Recommendations
D. Query Performance Insight
Suggested Answer: D
Query Performance Insight provides intelligent query analysis for single and pooled databases. It helps identify the top resource consuming and long-running queries in your workload. This helps you find the queries to optimize to improve overall workload performance and efficiently use the resource that you are paying for.
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/query-performance-insight-use
You have 70 TB of files on your on-premises file server.
You need to recommend solution for importing data to Azure. The solution must minimize cost.
What Azure service should you recommend?
A. Azure StorSimple
B. Azure Batch
C. Azure Data Box
D. Azure Stack Hub
Suggested Answer: C
Microsoft has engineered an extremely powerful solution that helps customers get their data to the Azure public cloud in a cost-effective, secure, and efficient manner with powerful Azure and machine learning at play. The solution is called Data Box.
Data Box and is in general availability status. It is a rugged device that allows organizations to have 100 TB of capacity on which to copy their data and then send it to be transferred to Azure.
Incorrect Answers:
A: StoreSimple would not be able to handle 70 TB of data.
Reference: https://www.vembu.com/blog/what-is-microsoft-azure-data-box-disk-edge-heavy-gateway-overview/
What should you include in the identity management strategy to support the planned changes?
A. Move all the domain controllers from corp.fabrikam.com to virtual networks in Azure.
B. Deploy domain controllers for the rd.fabrikam.com forest to virtual networks in Azure.
C. Deploy domain controllers for corp.fabrikam.com to virtual networks in Azure.
D. Deploy a new Azure AD tenant for the authentication of new R&D projects.
Suggested Answer: C
Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected by a link failure between Azure and the on- premises network. (This requires domain controllers in Azure)
Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails. (This requires domain controllers on-premises)
Your network contains an on-premises Active Directory forest.
You discover that when users change jobs within your company, the membership of the user groups are not being updated. As a result, the users can access resources that are no longer relevant to their job.
You plan to integrate Active Directory and Azure Active Directory (Azure AD) by using Azure AD Connect.
You need to recommend a solution to ensure that group owners are emailed monthly about the group memberships they manage.
What should you include in the recommendation?
HOTSPOT -
You have a resource group named RG1 that contains the objects shown in the following table.
You need to configure permissions so that App1 can copy all the secrets from KV1 to KV2. App1 currently has the Get permission for the secrets in KV1.
Which additional permissions should you assign to App1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: List –
Get: Gets the specified Azure key vault.
List: The List operation gets information about the vaults associated with the subscription.
Box 2: Create –
Create Or Update: Create or update a key vault in the specified subscription.
Reference: https://docs.microsoft.com/en-us/rest/api/keyvault/
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.
Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.
You need to enable single sign-on (SSO) for company users.
Solution: Install and configure an Azure AD Connect server to use pass-through authentication and select the `Enable single sign-on` option.
Does the solution meet the goal?
A. Yes
B. No
Suggested Answer: A
Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don’t need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.
Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an on-premises Hyper-V cluster that hosts 20 virtual machines. Some virtual machines run Windows Server 2016 and some run Linux.
You plan to migrate the virtual machines to an Azure subscription.
You need to recommend a solution to replicate the disks of the virtual machines to Azure. The solution must ensure that the virtual machines remain available during the migration of the disks.
Solution: You recommend implementing a Recovery Services vault, and then using Azure Site Recovery.
Does this meet the goal?
A. Yes
B. No
Suggested Answer: A
Site Recovery can replicate on-premises VMware VMs, Hyper-V VMs, physical servers (Windows and Linux), Azure Stack VMs to Azure.
Note: Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery replicates workloads running on physical and virtual machines (VMs) from a primary site to a secondary location. When an outage occurs at your primary site, you fail over to secondary location, and access apps from there. After the primary location is running again, you can fail back to it.
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-overview
HOTSPOT -
You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.
You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity. The solution must meet the following requirements:
✑ Ensure that the applications can authenticate only when running on the 10 virtual machines.
✑ Minimize administrative effort.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
Hot Area:
Suggested Answer:
Box 1: Create a system-assigned Managed Identities for Azure resource
The managed identities for Azure resources feature in Azure Active Directory (Azure AD) feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance.
Box 2: An Azure Instance Metadata Service Identity
See step 3 and 5 below.
How a system-assigned managed identity works with an Azure VM
1. Azure Resource Manager receives a request to enable the system-assigned managed identity on a VM.
2. Azure Resource Manager creates a service principal in Azure AD for the identity of the VM. The service principal is created in the Azure AD tenant that’s trusted by the subscription.
3. Azure Resource Manager configures the identity on the VM by updating the Azure Instance Metadata Service identity endpoint with the service principal client
ID and certificate.
4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use role-based access control (RBAC) in Azure AD to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
5. Your code that’s running on the VM can request a token from the Azure Instance Metadata service endpoint, accessible only from within the VM
Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
You need to recommend a strategy for migrating the database content of WebApp1 to Azure.
What should you include in the recommendation?
A. Use Azure Site Recovery to replicate the SQL servers to Azure.
B. Copy the BACPAC file that contains the Azure SQL database files to Azure Blob storage.
C. Use SQL Server transactional replication.
D. Copy the VHD that contains the Azure SQL database files to Azure Blob storage.
Suggested Answer: D
Before you upload a Windows virtual machine (VM) from on-premises to Azure, you must prepare the virtual hard disk (VHD or VHDX).
Scenario: WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS) and a database tier that runs Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual machines that run on Hyper-V.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
HOTSPOT -
You design a solution for the web tier of WebApp1 as shown in the exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Yes –
Any new deployments to Azure must be redundant in case an Azure region fails.
Traffic Manager uses DNS to direct client requests to the most appropriate service endpoint based on a traffic-routing method and the health of the endpoints. An endpoint is any Internet-facing service hosted inside or outside of Azure. Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an entire Azure region.
Box 2: Yes –
Recent changes in Azure brought some significant changes in autoscaling options for Azure Web Apps (i.e. Azure App Service to be precise as scaling happens on App Service plan level and has effect on all Web Apps running in that App Service plan).
Box 3: No –
Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different application needs and automatic failover models.
Traffic Manager is resilient to failure, including the failure of an entire Azure region.
Reference: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview https://blogs.msdn.microsoft.com/hsirtl/2017/07/03/autoscaling-azure-web-apps/
You plan to deploy an Azure App Service web app that will have multiple instances across multiple Azure regions.
You need to recommend a load balancing service for the planned deployment. The solution must meet the following requirements:
✑ Maintain access to the app in the event of a regional outage.
✑ Support Azure Web Application Firewall (WAF).
✑ Support cookie-based affinity.
✑ Support URL routing.
What should you include in the recommendation?
A. Azure Front Door
B. Azure Load Balancer
C. Azure Traffic Manager
D. Azure Application Gateway
Suggested Answer: C
Azure Traffic Manager performs the global load balancing of web traffic across Azure regions, which have a regional load balancer based on Azure Application
Gateway. This combination gets you the benefits of Traffic Manager many routing rules and Application Gateway’s capabilities such as WAF, TLS termination, path-based routing, cookie-based session affinity among others.
Reference: https://docs.microsoft.com/en-us/azure/application-gateway/features
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements:
✑ Provide access to the full .NET framework.
✑ Provide redundancy if an Azure region fails.
✑ Grant administrators access to the operating system to install custom application dependencies.
Solution: You deploy two Azure virtual machines to two Azure regions, and you create a Traffic Manager profile.
Does this meet the goal?
Your company purchases an app named App1.
You need to recommend a solution to ensure that App1 can read and modify access reviews.
What should you recommend?
A. From API Management services, publish the API of App1, and then delegate permissions to the Microsoft Graph API.
B. From the Azure Active Directory admin center, register App1. From the Access control (IAM) blade, delegate permissions.
C. From the Azure Active Directory admin center, register App1, and then delegate permissions to the Microsoft Graph API.
D. From API Management services, publish the API of App1. From the Access control (IAM) blade, delegate permissions.
Suggested Answer: B
The app must be registered. You can register the application in the Azure Active Directory admin center.
The Azure AD access reviews feature has an API in the Microsoft Graph endpoint.
You can register an Azure AD application and set it up for permissions to call the access reviews API in Graph.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Your company has the infrastructure shown in the following table.
The on-premises Active Directory domain syncs to Azure Active Directory (Azure AD).
Server1 runs an application named App1 that uses LDAP queries to verify user identities in the on-premises Active Directory domain.
You plan to migrate Server1 to a virtual machine in Subscription1.
A company security policy states that the virtual machines and services deployed to Subscription1 must be prevented from accessing the on-premises network.
You need to recommend a solution to ensure that App1 continues to function after the migration. The solution must meet the security policy.
What should you include in the recommendation?
A. Azure AD Application Proxy
B. an Azure VPN gateway
C. Azure AD Domain Services (Azure AD DS)
D. the Active Directory Domain Services role on a virtual machine
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.
You discover several login attempts to the Azure portal from countries where administrative users do NOT work.
You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).
Solution: You implement an access package.
Does this meet the goal?
HOTSPOT -
Your company deploys an Azure App Service Web App.
During testing the application fails under load. The application cannot handle more than 100 concurrent user sessions. You enable the Always On feature. You also configure auto-scaling to increase instance counts from two to 10 based on HTTP queue length.
You need to improve the performance of the application.
Which solution should you use for each application scenario? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Content Delivery Network –
A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. CDNs store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to minimize latency.
Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering high-bandwidth content to users by caching their content at strategically placed physical nodes across the world. Azure CDN can also accelerate dynamic content, which cannot be cached, by leveraging various network optimizations using CDN POPs. For example, route optimization to bypass Border Gateway Protocol (BGP).
Box 2: Azure Redis Cache –
Azure Cache for Redis is based on the popular software Redis. It is typically used as a cache to improve the performance and scalability of systems that rely heavily on backend data-stores. Performance is improved by temporarily copying frequently accessed data to fast storage located close to the application. With
Azure Cache for Redis, this fast storage is located in-memory with Azure Cache for Redis instead of being loaded from disk by a database.
Reference: https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-overview
You are designing an Azure governance solution.
All Azure resources must be easily identifiable based on the following operational information: environment, owner, department, and cost center.
You need to ensure that you can use the operational information when you generate reports for the Azure resources.
What should you include in the solution?
A. an Azure data catalog that uses the Azure REST API as a data source
B. Azure Active Directory (Azure AD) administrative units
C. an Azure management group that uses parent groups to create a hierarchy
D. an Azure policy that enforces tagging rules
Suggested Answer: D
You use Azure Policy to enforce tagging rules and conventions. By creating a policy, you avoid the scenario of resources being deployed to your subscription that don’t have the expected tags for your organization. Instead of manually applying tags or searching for resources that aren’t compliant, you create a policy that automatically applies the needed tags during deployment.
Note: Organizing cloud-based resources is a crucial task for IT, unless you only have simple deployments. Use naming and tagging standards to organize your resources for these reasons:
Resource management: Your IT teams will need to quickly locate resources associated with specific workloads, environments, ownership groups, or other important information. Organizing resources is critical to assigning organizational roles and access permissions for resource management.
Reference: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/resource-tagging https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
HOTSPOT -
You plan to create a storage account and to save the files as shown in the exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
You deploy two instances of an Azure web app. One instance is in the East US Azure region and the other instance is in the West US Azure region. The web app uses Azure Blob storage to deliver large files to end users.
You need to recommend a solution for delivering the files to the users. The solution must meet the following requirements:
✑ Ensure that the users receive files from the same region as the web app that they access.
✑ Ensure that the files only need to be uploaded once.
✑ Minimize costs.
What should you include in the recommendation?
HOTSPOT -
You have an Azure blueprint named BP1.
The properties of BP1 are shown in the Properties exhibit. (Click the Properties tab.)
The basic configuration of the blueprint is shown in the Basics exhibit. (Click the Basics tab.)
The artifacts attached to BP1 are shown in the Artifacts exhibit. (Click the Artifacts tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: No –
BP1 is in draft mode.
When a blueprint is first created, it’s considered to be in Draft mode. When it’s ready to be assigned, it needs to be Published.
Box 2: No –
The BP1 artifacts include one Policy assignment and a Resource group, but no Role assignments.
Note: Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
Role Assignments –
Policy Assignments –
Azure Resource Manager templates (ARM templates)
Resource Groups –
Box 3: Yes –
Yes, the BP1 artifacts include a Resource group.
Reference: https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
DRAG DROP -
You are designing a virtual machine that will run Microsoft SQL Server and will contain two data disks. The first data disk will store log files, and the second data disk will store data. Both disks are P40 managed disks.
You need to recommend a caching policy for each disk. The policy must provide the best overall performance for the virtual machine while preserving integrity of the SQL data and logs.
Which caching policy should you recommend for each disk? To answer, drag the appropriate policies to the correct disks. Each policy may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
HOTSPOT -
You plan to create an Azure environment that will contain a root management group and 10 child management groups. Each child management group will contain five Azure subscriptions. You plan to have between 10 and 30 resource groups in each subscription.
You need to design an Azure governance solution. The solution must meet the following requirements:
✑ Use Azure Blueprints to control governance across all the subscriptions and resource groups.
✑ Ensure that Blueprints-based configurations are consistent across all the subscriptions and resource groups.
✑ Minimize the number of blueprint definitions and assignments.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: The root management group
When creating a blueprint definition, you’ll define where the blueprint is saved. Blueprints can be saved to a management group or subscription that you have
Contributor access to. If the location is a management group, the blueprint is available to assign to any child subscription of that management group.
Box 2: The root management group
Each directory is given a single top-level management group called the “Root” management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level.
Each Published Version of a blueprint can be assigned to an existing management group or subscription.
Reference: https://docs.microsoft.com/en-us/azure/governance/blueprints/overview https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
You are designing a solution that will include containerized applications running in an Azure Kubernetes Service (AKS) cluster.
You need to recommend a load balancing solution for HTTPS traffic. The solution must meet the following requirements:
✑ Automatically configure load balancing rules as the applications are deployed to the cluster.
✑ Support Azure Web Application Firewall (WAF).
✑ Support cookie-based affinity.
✑ Support URL routing.
What should you include the recommendation?
A. an NGINX ingress controller
B. Application Gateway Ingress Controller (AGIC)
C. an HTTP application routing ingress controller
D. the Kubernetes load balancer service
Suggested Answer: B
Much like the most popular Kubernetes Ingress Controllers, the Application Gateway Ingress Controller provides several features, leveraging Azure’s native
Application Gateway L7 load balancer. To name a few:
✑ URL routing
✑ Cookie-based affinity
Secure Sockets Layer (SSL) termination
✑ End-to-end SSL
✑ Support for public, private, and hybrid web sites
✑ Integrated support of Azure web application firewall
Application Gateway redirection support isn’t limited to HTTP to HTTPS redirection alone. This is a generic redirection mechanism, so you can redirect from and to any port you define using rules. It also supports redirection to an external site as well.
Reference: alt=”Reference Image” />
✑ End-to-end SSL
✑ Support for public, private, and hybrid web sites
✑ Integrated support of Azure web application firewall
Application Gateway redirection support isn’t limited to HTTP to HTTPS redirection alone. This is a generic redirection mechanism, so you can redirect from and to any port you define using rules. It also supports redirection to an external site as well.
Reference: https://docs.microsoft.com/en-us/azure/application-gateway/features
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.
Several VMs are exhibiting network connectivity issues.
You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.
Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic.
Does the solution meet the goal?
A. Yes
B. No
Suggested Answer: A
The Network Watcher Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of
Azure ExpressRoute.
Note:
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen,
IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
HOTSPOT -
You are evaluating the components of the migration to Azure that require you to provision an Azure Storage account.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements:
✑ Provide access to the full .NET framework.
✑ Provide redundancy if an Azure region fails.
✑ Grant administrators access to the operating system to install custom application dependencies.
Solution: You deploy two Azure virtual machines to two Azure regions, and you deploy an Azure Application Gateway.
Does this meet the goal?
A. Yes
B. No
Suggested Answer: B
You need to deploy two Azure virtual machines to two Azure regions, but also create a Traffic Manager profile.
You plan to deploy an application that will run in a Linux-based Docker container.
You need to recommend a solution to host the application in Azure. The solution must meet the following requirements:
✑ Support a custom domain name and an associated SSL certificate.
✑ Scale-out automatically based on demand.
✑ Minimize administrative effort and costs.
What should you include in the recommendation?
A. Azure App Service
B. Azure Container Instances
C. an Azure virtual machine
D. Azure Kubernetes Service (AKS)
Suggested Answer: A
App Service not only adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management. You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, and other sources, package management, staging environments, custom domain, and TLS/SSL certificates.
Key features of App Service include:
✑ Containerization and Docker – Dockerize your app and host a custom Windows or Linux container in App Service.
✑ Scale up or out manually or automatically. Host your apps anywhere in Microsoft’s global datacenter infrastructure, and the App Service SLA promises high availability.
App Service can also host web apps natively on Linux for supported application stacks. It can also run custom Linux containers (also known as Web App for
Containers).
Reference: https://docs.microsoft.com/en-us/azure/app-service/overview
You plan to automate the deployment of resources to Azure subscriptions.
What is a difference between using Azure Blueprints and Azure Resource Manager templates?
A. Azure Resource Manager templates remain connected to the deployed resources.
B. Only Azure Resource Manager templates can contain policy definitions.
C. Azure Blueprints remain connected to the deployed resources.
D. Only Azure Blueprints can contain policy definitions.
Suggested Answer: C
With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved.
This connection supports improved tracking and auditing of deployments. Azure Blueprints can also upgrade several subscriptions at once that are governed by the same blueprint.
Incorrect:
Not A: Nearly everything that you want to include for deployment in Azure Blueprints can be accomplished with a Resource Manager template. However, a
Resource Manager template is a document that doesn’t exist natively in Azure ג€” each is stored either locally or in source control. The template gets used for deployments of one or more Azure resources, but once those resources deploy there’s no active connection or relationship to the template.
Reference: https://docs.microsoft.com/en-us/answers/questions/26851/how-is-azure-blue-prints-different-from-resource-m.html
HOTSPOT -
You plan to deploy a network-intensive application to several Azure virtual machines.
You need to recommend a solution that meets the following requirements:
✑ Minimizes the use of the virtual machine processors to transfer data
✑ Minimizes network latency
Which virtual machine size and feature should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Want more hands-on practice? Click here to access the full bank of AZ-304 practice questions free and reinforce your understanding of all exam objectives.
We update our question sets regularly, so check back often for new and relevant content.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:
You need to configure permissions so that App1 can copy all the secrets from KV1 to KV2. App1 currently has the Get permission for the secrets in KV1. Which additional permissions should you assign to App1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
The on-premises Active Directory domain syncs to Azure Active Directory (Azure AD). Server1 runs an application named App1 that uses LDAP queries to verify user identities in the on-premises Active Directory domain. You plan to migrate Server1 to a virtual machine in Subscription1. A company security policy states that the virtual machines and services deployed to Subscription1 must be prevented from accessing the on-premises network. You need to recommend a solution to ensure that App1 continues to function after the migration. The solution must meet the security policy. What should you include in the recommendation?
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:
The basic configuration of the blueprint is shown in the Basics exhibit. (Click the Basics tab.)
The artifacts attached to BP1 are shown in the Artifacts exhibit. (Click the Artifacts tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
