AZ-104 Exam Dumps - Microsoft Azure Administrator Associate Questions and Answers

 Stored access policies: ✅ 2

 Immutable blob storage policies: ✅ 1

From the scenario in the earlier case study (A. Datum Corporation):

The planned change requires creating a new container named cont2 in storage1, with the following:

Three stored access policies (Stored1, Stored2, Stored3)

A legal hold for immutable blob storage

Also, recall from the table:

storage1 has Hierarchical namespace = Yes (Data Lake Storage Gen2 enabled).

storage2 has Hierarchical namespace = No.

The question asks: “What is the maximum number of additional access policies you can create for cont2?”

According to Microsoft Azure Storage documentation:

A blob container can have a maximum of five stored access policies.

These policies allow shared access signatures (SAS) to be managed centrally, letting you define start times, expiry times, and permissions at the container level.

Since three stored access policies (Stored1, Stored2, Stored3) already exist, the maximum additional policies that can still be created is:

→ 5 (maximum allowed) – 3 (already existing) = 2

For immutable blob storage policies:

A container can have one active immutability policy at a time.

This can be either a time-based retention policy or a legal hold policy.

Since cont2 already has a legal hold applied, no additional immutable policy can coexist with it, but it can have one defined policy type (the legal hold).

Therefore:

Stored access policies: 2 additional policies can still be created.

Immutable blob storage policies: 1 policy (the existing legal hold).

This aligns exactly with Microsoft Learn: Azure Storage Blob Service limits and immutable storage documentation:

“A container may have up to five stored access policies. Immutable storage supports either a time-based retention policy or legal hold policy per container.”

Final Verified Answer:

✅ Stored access policies: 2

✅ Immutable blob storage policies: 1

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore VMs on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to connect to each other.

All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore VMs on ClientSubnet, which is on ClientResources-VNet will have access to the Internet; and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.

Explanation

Scenario:

1. Web administrators will deploy Azure web apps for the marketing department.

2. Each web app will be added to a separate resource group.

3. The initial configuration of the web apps will be identical.

4. The web administrators have permission to deploy web apps to resource groups.

Steps:

1 --> Create a resource group, and then deploy a web app to the resource group.

2 --> From the Automation script blade of the resource group , click Add to Library.

3 --> From the Templates service, select the template, and then share the template to the web administrators .

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.

You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in Open.

Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.

Click Opt in and accept the terms.

Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

As App1 is public-facing we need an incoming security rule, related to the access of the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

In this scenario, Contoso Ltd. must designate a new user named Admin1 as the service administrator of the Azure subscription and ensure that Admin1 receives email alerts about service outages.

In Azure, there are three classic administrative roles associated with subscriptions:

Account Administrator – The individual who created the subscription and manages billing.

Service Administrator – The primary contact responsible for managing services and resources in the subscription.

Co-Administrator – Has the same management privileges as the Service Administrator but cannot change subscription associations.

According to Microsoft Azure Administrator documentation, to change the Service Administrator, you must perform the following steps:

In the Azure portal, navigate to Subscriptions.

Select the specific subscription.

Under Settings, choose Properties.

In the Service Administrator field, update the name and email address to that of the new administrator (in this case, Admin1).

This modification ensures that Admin1 becomes the Service Administrator, and Azure will automatically send service-related notifications and outage alerts to that user’s registered email address, as defined by Microsoft’s subscription notification process.

Option B (IAM settings) is used for Role-Based Access Control (RBAC) and assigning Azure Resource Manager roles such as Owner, Contributor, or Reader. However, RBAC roles do not change the Service Administrator at the subscription level — that’s only done through the Properties blade.

Options C (AAD Properties) and D (AAD Groups) are unrelated to subscription-level administrative settings.

Therefore, the verified and Microsoft-documented answer is:

✅ A. From the Subscriptions blade, select the subscription, and then modify the Properties.

Final Verified Answer: ✅ A. From the Subscriptions blade, select the subscription, and then modify the Properties.

In Azure, Azure Policy is a governance tool used to enforce organizational standards and assess compliance across Azure resources. It allows administrators to define and assign policy definitions that automatically audit, deny, or modify resource configurations at deployment or runtime.

In this scenario, the requirement is that every time a Network Security Group (NSG) is created, it should automatically contain a rule that blocks TCP port 8080 traffic between virtual networks.

The Microsoft Azure Policy documentation confirms that you can create a custom policy definition using the Microsoft.Network/networkSecurityGroups/securityRules resource type. Within the policy’s JSON definition, you can specify conditions such as:

The resource type to which the policy applies (networkSecurityGroups).

The enforcement mode (deny or deployIfNotExists).

The required configuration, such as a specific inbound or outbound rule (in this case, a rule denying TCP 8080).

By using the DeployIfNotExists effect in the policy, Azure automatically ensures that the NSG includes the required rule. If the rule does not exist, Azure deploys it automatically during resource creation.

Assigning this custom policy definition at the subscription level ensures it is inherited by all resource groups and applies to all virtual networks created in that subscription. This meets the goal because the requirement is to enforce a security configuration across all NSGs, regardless of which resource group or virtual network they belong to.

Therefore, configuring and assigning a custom Azure Policy to the subscription fully satisfies the requirement.