Skills measured
Manage Azure identities and governance (15-20%)
Implement and manage storage (15-20%)
Deploy and manage Azure compute resources (20-25%)
Configure and manage virtual networking (25-30%)
Monitor and back up Azure resources (10-15%)
This exam was updated on September 24, 2021.
Following the current exam guide, we have included a version of the exam guide
with Track Changes set to “On,” showing the changes that were made to the exam
on that date.
Audience Profile
Candidates for this exam should have subject matter expertise implementing,
managing, and monitoring an organization’s Microsoft Azure environment.
Responsibilities for this role include implementing, managing, and monitoring
identity, governance, storage, compute, and virtual networks in a cloud
environment, plus provision, size, monitor, and adjust resources, when needed.
An Azure administrator often serves as part of a larger team dedicated to
implementing an organization’s cloud infrastructure.
A candidate for this exam should have at least six months of hands-on experience
administering Azure, along with a strong understanding of core Azure services,
Azure workloads, security, and governance. In addition, this role should have
experience using PowerShell, Azure CLI, Azure portal, and Azure Resource Manager
templates.
Skills Measured
NOTE: The bullets that follow each of the skills measured are intended to
illustrate how we assess that skill. This list is not definitive or exhaustive.
NOTE: Most questions cover features that are General Availability (GA). The exam
may contain questions on Preview features if those features are commonly used.
Manage Azure identities and governance (15–20%)
Manage Azure Active Directory (Azure AD) objects
create users and groups
create administrative units
manage user and group properties
manage device settings
perform bulk user updates
manage guest accounts
configure Azure AD join
configure self-service password reset
Manage role-based access control (RBAC)
create a custom role
provide access to Azure resources by assigning roles at different scopes
interpret access assignments
Manage subscriptions and governance
configure Azure policies
configure resource locks
apply and manage tags on resources
manage resource groups
manage subscriptions
manage costs
configure management groups
Implement and manage storage (15–20%)
Secure storage
configure network access to storage accounts
create and configure storage accounts
generate shared access signature (SAS) tokens
manage access keys
configure Azure AD authentication for a storage account
configure access to Azure Files
Manage storage
export from Azure job
import into Azure job
install and use Azure Storage Explorer
copy data by using AZCopy
implement Azure Storage replication
configure blob object replication
Configure Azure files and Azure Blob Storage
create an Azure file share
create and configure Azure File Sync service
configure Azure Blob Storage
configure storage tiers
configure blob lifecycle management
Deploy and manage Azure compute resources (20–25%)
Automate deployment of virtual machines (VMs) by using Azure Resource Manager templates
modify an Azure Resource Manager template
configure a virtual hard disk (VHD) template
deploy from a template
save a deployment as an Azure Resource Manager template
deploy virtual machine extensions
Configure VMs
configure Azure Disk Encryption
move VMs from one resource group to another
manage VM sizes
add data disks
configure networking
redeploy VMs
configure high availability
deploy and configure virtual machine scale sets
Create and configure containers
configure sizing and scaling for Azure Container Instances
configure container groups for Azure Container Instances
configure storage for Azure Kubernetes Service (AKS)
configure scaling for AKS
configure network connections for AKS
upgrade an AKS cluster
Create and configure Azure App Service
create an App Service plan
configure scaling settings in an App Service plan
create an App Service
secure an App Service
configure custom domain names
configure backup for an App Service
configure networking settings
configure deployment settings
Configure and manage virtual networking (25–30%)
Implement and manage virtual networking
create and configure virtual networks, including peering
configure private and public IP addresses
configure user-defined network routes
implement subnets
configure endpoints on subnets
configure private endpoints
configure Azure DNS, including custom DNS settings and private or public DNS zones
Secure access to virtual networks
create security rules
associate a network security group (NSG) to a subnet or network interface
evaluate effective security rules
implement Azure Firewall
implement Azure Bastion
Configure load balancing
configure Azure Application Gateway
configure an internal or public load balancer
troubleshoot load balancing
Monitor and troubleshoot virtual networking
monitor on-premises connectivity
configure and use Azure Monitor for Networks
use Azure Network Watcher
troubleshoot external networking
troubleshoot virtual network connectivity
Integrate an on-premises network with an Azure virtual network
create and configure Azure VPN Gateway
create and configure Azure ExpressRoute
configure Azure Virtual WAN
Monitor and back up Azure resources (10–15%)
Monitor resources by using Azure Monitor
configure and interpret metrics
configure Azure Monitor logs
query and analyze logs
set up alerts and actions
configure Application Insights
Implement backup and recovery
create a Recovery Services vault
create a Backup vault
create and configure backup policy
perform backup and restore operations by using Azure Backup
perform site-to-site recovery by using Azure Site Recovery
configure and review backup reports
QUESTION 1
Your company has several departments. Each department has a number of virtual machines (VMs).
The company has an Azure subscription that contains a resource group named RG1.
All VMs are located in RG1.
You want to associate each VM with its respective department.
What should you do?
A. Create Azure Management Groups for each department.
B. Create a resource group for each department.
C. Assign tags to the virtual machines.
D. Modify the settings of the virtual machines.
Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
QUESTION 2
Note: The question is included in a number of questions that depict the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor
Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the multi-factor authentication page to alter the user settings.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
QUESTION 3
Note: The question is included in a number of questions that depict the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor
Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
QUESTION 4
Note: The question is included in a number of questions that depict the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor
Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
QUESTION 5
You are planning to deploy an Ubuntu Server virtual machine to your company’s Azure subscription.
You are required to implement a custom deployment that includes adding a particular trusted root certification
authority (CA).
Which of the following should you use to create the virtual machine?
A. The New-AzureRmVm cmdlet.
B. The New-AzVM cmdlet.
C. The Create-AzVM cmdlet.
D. The az vm create command.
Answer: C
Explanation: Once cloud-init.txt has been created, you can deploy the VM with the az vm create command, using the --custom-data
parameter to provide the full path to the cloud-init.txt file.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment
Audience Profile
Candidates for this exam should have subject matter expertise implementing, managing, and monitoring an organization’s Microsoft Azure environment. Responsibilities for an Azure Administrator include implementing, managing, and monitoring identity, governance, storage, compute, and virtual networks in a cloud environment, plus provision, size, monitor, and adjust resources, when needed. An Azure Administrator often serves as part of a larger team dedicated to implementing your organization’s cloud infrastructure.
A candidate for this exam should have at least six months of hands-on experience administering Azure, along with a strong understanding of core Azure services, Azure workloads, security, and governance. In addition, this role should have experience using PowerShell, Azure CLI, Azure portal, and Azure Resource Manager templates.
Skills Measured
NOTE: The bullets that appear below each of the skills measured are intended to illustrate how we are assessing that skill. This list is not definitive or exhaustive.
NOTE: In most cases, exams do NOT cover preview features, and some features will only be added to an exam when they are GA (General Availability).
Manage Azure identities and governance (15-20%)
Manage Azure AD objects
. create users and groups
. manage user and group properties
. manage device settings
. perform bulk user updates
. manage guest accounts
. configure Azure AD Join
. configure self-service password reset
. NOT: Azure AD Connect; PIM
Manage role-based access control (RBAC)
. create a custom role
. provide access to Azure resources by assigning roles
o subscriptions
o resource groups
o resources (VM, disk, etc.)
. interpret access assignments
. manage multiple directories
. NOT: Traffic Manager and FrontDoor and PrivateLink
Monitor and troubleshoot virtual networking
. monitor on-premises connectivity
. use Network Performance Monitor
. use Network Watcher
. troubleshoot external networking
. troubleshoot virtual network connectivity
Integrate an on-premises network with an Azure virtual network
. create and configure Azure VPN Gateway
. create and configure VPNs
. configure ExpressRoute
. configure Azure Virtual WAN
Monitor and back up Azure resources (10-15%)
Monitor resources by using Azure Monitor
. configure and interpret metrics
o analyze metrics across subscriptions
. configure Log Analytics
o implement a Log Analytics workspace
o configure diagnostic settings
. query and analyze logs
o create a query
o save a query to the dashboard
o interpret graphs
. set up alerts and actions
o create and test alerts
o create action groups
o view alerts in Azure Monitor
o analyze alerts across subscriptions
. configure Application Insights
. NOT: Network monitoring
Implement backup and recovery
. configure and review backup reports
. perform backup and restore operations by using Azure Backup Service
. create a Recovery Services Vault
o use soft delete to recover Azure VMs
. create and configure backup policy
. perform site-to-site recovery by using Azure Site Recovery
. NOT: SQL or HANA
AZ-103/104 Comparison Microsoft Azure Administrator
Current Skills Measured as of January 15, 2020 Updated Skills Measured List (ignore the numbering below)
Audience Profile Candidates for this exam are Azure Administrators who manage cloud services that span storage, security, networking, and compute cloud capabilities. Candidates have a deep understanding of each service across the full IT lifecycle, and take requests for infrastructure services, applications, and environments. They make recommendations on services to use for optimal performance and scale, as well as provision, size, monitor, and adjust resources as appropriate. Candidates for this exam should have proficiency in using PowerShell, the Command Line Interface, Azure Portal, ARM templates, operating systems, virtualization, cloud infrastructure, storage structures, and networking.
Audience Profile The Azure Administrator implements, manages, and monitors identity, governance, storage, computevirtual machines, and virtual networks in a cloud environment. This role focuses primarily on enabling Infrastructure as a Service (IaaS). The Azure Administrator will provision, size, monitor, and adjust resources as appropriate. Candidates should have a minimum of six months of hands-on experience administering Azure. Candidates should have a strong understanding of core Azure services, Azure workloads, security, and governance. Candidates for this exam should have experience in using PowerShell, the Command Line Interface, Azure Portal, and ARM templates.
1. Manage Azure subscriptions and resources (15-20%)
1.1 Manage Azure subscriptions
Assign administrator permissions; configure cost center quotas and tagging; configure policies at Azure subscription level
1.2 Analyze resource utilization and consumption
6. Manage Azure Identities and Governance (15-20%)
6.1 Manage Azure AD objects
. create users and groups
. manage user and group properties
. manage device settings
. perform bulk user updates
. manage guest accounts
. configure Azure AD Join
. configure self-service password reset
Configure diagnostic settings on resources; create baseline for resources; create and test alerts; analyze alerts across subscription; analyze metrics across subscription; create action groups and action rules; monitor for unused resources; monitor spend; report on spend; utilize log queries in Azure Monitor; view alerts in Azure Monitor
1.3 Manage resource groups
Use Azure policies for resource groups; configure resource locks; configure resource policies; implement and set tagging on resource groups; move resources across resource groups; remove resource groups
1.4 Manage role based access control (RBAC)
May include but is not limited to: Create a custom role, configure access to Azure resources by assigning roles, configure management access to Azure, troubleshoot RBAC, implement RBAC policies, assign RBAC Roles
. NOT: Azure AD Connect; PIM
6.2 Manage role-based access control (RBAC)
. create a custom role
. provide access to Azure resources by assigning roles
o subscriptions
o resource groups
o resources (VM, disk, etc.)
. interpret access assignments
. manage multiple directories
6.3 Manage subscriptions and governance
. configure Azure policies
. configure resource locks
. apply tags
. create and manage resource groups
o move resources
o remove RGs
. manage subscriptions
. configure Cost Management
. configure management groups
2. Implement and manage storage (15-20%)
2.1 Create and configure storage accounts
Configure network access to the storage account; create and configure storage account; generate shared access signature; install and use Azure Storage Explorer; manage access keys; monitor activity log by using Monitor Logs; implement Azure storage replication; Implement Azure AD Authentication, manage blob storage lifecycle management
7. Implement and Manage Storage (10-15%)
7.1 Manage storage accounts
. configure network access to storage accounts
. create and configure storage accounts
. generate shared access signature
. manage access keys
. implement Azure storage replication
. configure Azure AD Authentication for a storage account
7.2 Manage data in Azure Storage
2.2 Import and export data to Azure
Create export from Azure job; create import into Azure job; configure and use Azure blob storage; configure Azure content delivery network (CDN) endpoints
2.3 Configure Azure files
Create Azure file share; create Azure File Sync service; create Azure sync group; troubleshoot Azure File Sync
2.4 Implement Azure backup
Configure and review backup reports; perform backup operation; create Recovery Services Vault; create and configure backup policy; perform a restore operation
. export from Azure job
. import into Azure job
. install and use Azure Storage Explorer
. copy data by using AZCopy
7.3 Configure Azure files and Azure blob storage
. create an Azure file share
. create and configure Azure File Sync service
. configure Azure blob storage
. configure storage tiers for Azure blobs
3. Deploy and manage virtual machines (VMs) (15-20%)
3.1 Create and configure a VM for Windows and Linux
Configure high availability; configure monitoring, networking, storage, and virtual machine size; deploy and configure scale sets
3.2 Automate deployment of VMs
Modify Azure Resource Manager (ARM) template; configure location of new VMs; configure VHD template; deploy from template; save a deployment as an ARM template; deploy Windows and Linux VMs
3.3 Manage Azure VM
Add data discs; add network interfaces; automate configuration management by using PowerShell Desired State Configuration (DSC) and VM Agent by using custom script extensions; manage
8. Deploy and Manage Azure Compute Resources (25-30%)
8.1 Configure VMs for high availability and scalability
. configure high availability
. deploy and configure scale sets
8.2 Automate deployment and configuration of VMs
. modify Azure Resource Manager (ARM) template
. configure VHD template
. deploy from template
. save a deployment as an ARM template
. automate configuration management by using custom script extensions
8.3 Create and configure VMs
. configure Azure Disk Encryption
. move VMs from one resource group to another
VM sizes; move VMs from one resource group to another; redeploy VMs
3.4 Manage VM backups
Configure VM backup; define backup policies; implement backup policies; perform VM restore; soft delete for Azure VMs; Azure Site Recovery
. manage VM sizes
. add data discs
. configure networking
. redeploy VMs
8.4 Create and configure containers
. create and configure Azure Kubernetes Service (AKS)
. create and configure Azure Container Instances (ACI)
. NOT: selecting a container solution architecture or product; container registry settings
8.5 Create and configure Web Apps
. create and configure App Service
. create and configure App Service Plans
. NOT: Azure Functions; Logic Apps; Event Grid
4. Configure and manage virtual networks (30-35%)
4.1 Create connectivity between virtual networks
Create and configure VNET peering; create and configure VNET to VNET connections; verify virtual network connectivity; create virtual network gateway
4.2 Implement and manage virtual networking
Configure private and public IP addresses, network routes, network interface, subnets, and virtual network
4.3 Configure name resolution
Configure Azure DNS; configure custom DNS settings; configure private and public
9. Configure and Manage Virtual Networking (30-35%)
9.1 Implement and manage virtual networking
. create and configure VNET peering
. configure private and public IP addresses, network routes, network interface, subnets, and virtual network
9.2 Configure name resolution
. configure Azure DNS
. configure custom DNS settings
. configure a private or public DNS zone
9.3 Secure access to virtual networks
. create security rules
. associate an NSG to a subnet or
DNS zones
4.4 Create and configure a Network Security Group (NSG)
Create security rules; associate NSG to a subnet or network interface; identify required ports; evaluate effective security rules
4.5 Implement Azure load balancer
May include but is not limited to: Configure internal load balancer, configure load balancing rules, configure public load balancer, troubleshoot load balancing
4.6 Monitor and troubleshoot virtual networking
May include but is not limited to: Monitor on-premises connectivity, use Network resource monitoring, use Network Watcher, troubleshoot external networking, troubleshoot virtual network connectivity
4.7 Integrate on premises network with Azure virtual network
May include but is not limited to: Create and configure Azure VPN Gateway, create and configure site to site VPN, configure Express Route, verify on premises connectivity, troubleshoot on premises connectivity with Azure network interface
. NOT: Traffic Manager and FrontDoor and PrivateLink
9.5 Monitor and troubleshoot virtual networking
. monitor on-premises connectivity
. use Network resource monitoring
. use Network Watcher
. troubleshoot external networking
. troubleshoot virtual network connectivity
9.6 Integrate an on-premises network with an Azure virtual network
. create and configure Azure VPN Gateway
. create and configure VPNs
. configure ExpressRoute
. configure Azure Virtual WAN
5. Manage identities (15-20%)
5.1 Manage Azure Active Directory (AD)
Add custom domains; Azure AD Join; configure self-service password reset;
[NO EQUIVALENT — SEE NEW FG 5 BELOW]
manage multiple directories
5.2 Manage Azure AD objects (users, groups, and devices)
Create users and groups; manage user and group properties; manage device settings; perform bulk user updates; manage guest accounts
5.3 Implement and manage hybrid identities
Install Azure AD Connect, including password hash and pass-through synchronization; use Azure AD Connect to configure federation with on-premises Active Directory Domain Services (AD DS); manage Azure AD Connect; manage password sync and password writeback
5.4 Implement multi-factor authentication (MFA)
May include but is not limited to: Configure user accounts for MFA, enable MFA by using bulk update, configure fraud alerts, configure bypass options, configure Trusted IPs, configure verification methods
10. Monitor and back up Azure resources (10-15%)
10.1 Monitor resources by using Azure Monitor
. configure and interpret metrics
o analyze metrics across subscriptions
. configure Log Analytics
o implement a Log Analytics workspace
o configure diagnostic settings
. query and analyze logs
o create a query
o save a query to the dashboard
o interpret graphs
. set up alerts and actions
o create and test alerts
o create action groups
o view alerts in Azure Monitor
o analyze alerts across subscriptions
. configure Application Insights
. NOT: Network monitoring
10.2 Implement backup and recovery
. configure and review backup reports
. perform backup and restore operations by using Azure Backup Service
. create a Recovery Services Vault
o use soft delete to recover Azure VMs
. create and configure backup policy
. perform site-to-site recovery by using Azure Site Recovery
. NOT: SQL or HANA
QUESTION 1
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1. An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com. You need to ensure that access to AKS1 can be granted to the contoso.com users. What should you do first?
A. From contoso.com, modify the Organization relationships settings.
B. From contoso.com, create an OAuth 2.0 authorization endpoint.
C. Recreate AKS1.
D. From AKS1, create a namespace.
Correct Answer: B
QUESTION 2
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1. You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days. Which two groups should you create? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
A. an Office 365 group that uses the Assigned membership type
B. a Security group that uses the Assigned membership type
C. an Office 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type
Correct Answer: AC
QUESTION 3
You recently created a new Azure subscription that contains a user named Admin1. Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure PowerShell and receives the following error message:
“User failed validation to purchase resources. Error message: “Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (https://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.”
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?
A. From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
B. From the Azure portal, register the Microsoft.Marketplace resource provider
C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
D. From the Azure portal, assign the Billing administrator role to Admin1
Correct Answer: C
QUESTION 4
You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts. You create a new user account named AdminUser1. You need to assign the User administrator administrative role to AdminUser1. What should you do from the user account properties?
A. From the Licenses blade, assign a new license
B. From the Directory role blade, modify the directory role
C. From the Groups blade, invite the user account to a new group
Correct Answer: B
QUESTION 5
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts. You purchase 10 Azure AD Premium P2 licenses for the tenant. You need to ensure that 10 users can use all the Azure AD Premium features. What should you do?
A. From the Licenses blade of Azure AD, assign a license
B. From the Groups blade of each user, invite the users to a group
C. From the Azure AD domain, add an enterprise application
D. From the Directory role blade of each user, modify the directory role