exam questions

Exam AZ-104 All Questions

View all questions & answers for the AZ-104 exam

Exam AZ-104 topic 2 question 112 discussion

Actual exam question from Microsoft's AZ-104
Question #: 112
Topic #: 2
[All AZ-104 Questions]

HOTSPOT
-


Case study
-

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.


To start the case study
-
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.


Overview
-

ADatum Corporation is consulting firm that has a main office in Montreal and branch offices in Seattle and New York.


Existing Environment
-


Azure Environment
-

ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.

The subscription contains the storage accounts shown in the following table.



The subscription contains the virtual machines shown in the following table.



The subscription has an Azure container registry that contains the images shown in the following table.



The subscription contains the resources shown in the following table.




Azure Key Vault
-

The subscription contains an Azure key vault named Vault1.

Vault1 contains the certificates shown in the following table.



Vault1 contains the keys shown in the following table.




Microsoft Entra Environment
-

ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.



The tenant contains the groups shown in the following table.



The adatum.com tenant has a custom security attribute named Attribute1.


Planned Changes
-

ADatum plans to implement the following changes:

• Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
• In storage1, create a new container named cont2 that has the following access policies:
o Three stored access policies named Stored1, Stored2, and Stored3
o A legal hold for immutable blob storage
• Whenever possible, use directories to organize storage account content.
• Grant User1 the permissions required to link Zone1 to VNet1.
• Assign Attribute1 to supported adatum.com resources.
• In storage2, create an encryption scope named Scope1.
• Deploy new containers by using Image1 or Image2.


Technical Requirements
-

ADatum must meet the following technical requirements:

• Use TLS for WebApp1.
• Follow the principle of least privilege.
• Grant permissions at the required scope only.
• Ensure that Scope1 is used to encrypt storage services.
• Use Azure Backup to back up cont1 and share1 as frequently as possible.
• Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.


You need to implement the planned change for Attribute1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
dilopezat
1 week, 3 days ago
NNN Objects that support custom security attributes You can add custom security attributes for the following Microsoft Entra objects: - Microsoft Entra users - Microsoft Entra enterprise applications (service principals) https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-overview?wt.mc_id=knwlserapi_inproduct_azportal#what-are-custom-security-attributes-in-microsoft-entra-id References: https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-manage?wt.mc_id=knwlserapi_inproduct_azportal&tabs=admin-center#manage-access-to-custom-security-attributes-in-microsoft-entra-id
upvoted 1 times
...
sca88
2 weeks, 5 days ago
https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-manage?tabs=admin-center So Attribute Definition can edit or add attribute for user and application, but CAN'T assign attribute to user and application. Assignement Admin, instead CAN assign Attribute to user and application. So answer should be correct: NNY
upvoted 3 times
kam1122
1 week, 6 days ago
Correct, only Attribute Assignment Admin able to assign
upvoted 1 times
...
sca88
2 weeks, 5 days ago
Exam topic should not allow comments without documentation link...
upvoted 1 times
...
...
155e6a0
2 months, 2 weeks ago
NNN is correct. Attribute Assignment Administrator CANNOT assign a custom security attribute to a M365 group. ChatGPT is wrong.
upvoted 2 times
...
SeMo0o0o0o
3 months ago
WRONG No No No
upvoted 1 times
...
pasangawa
3 months ago
tried to test on lab and box1. no. box 2. no. need Attribute assignment Administrator to assign. admin2 is just Attribute definition Administrator box 3 - No. Not sure if im doing it right but i can't find way to assign to a group, so it's a no unless someone points me to the right direction. if M365 group assigned user, it works if assigning to user and not the group.
upvoted 4 times
Adx_YT
1 month, 1 week ago
No3: You can add custom security attributes for the following Microsoft Entra objects: Microsoft Entra users Microsoft Entra enterprise applications (service principals) https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-overview#objects-that-support-custom-security-attributes
upvoted 1 times
...
...
kjujuai
3 months, 1 week ago
1. Global Admin does not have permission to assign Attribute a. Note: Prerequitesites Manage custom security attributes for an application - Microsoft Entra ID | Microsoft Learn 2. Attribute Definition Assignment does not have permission to assign Attribute a. Note: Prerequitesites Manage custom security attributes for an application - Microsoft Entra ID | Microsoft Learn 3. Microsoft 365 Group cannot be assigned an Attribute a. Note: Objects that support custom security attributes What are custom security attributes in Microsoft Entra ID? - Microsoft Entra | Microsoft Learn
upvoted 4 times
un4exa
3 months ago
NNN - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#attribute-assignment-administrator - only Microsoft entra objects users and sec principal or apps are eligible for Attributes and only Attribute Assignment Admin can assign for 2nd question definition Admin cannot assign but users are eligible for assignment
upvoted 1 times
...
kjujuai
3 months, 1 week ago
1,2. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/custom-security-attributes-apps?pivots=portal 3. https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-overview
upvoted 2 times
...
...
arunyadav09
3 months, 1 week ago
https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-manage?tabs=admin-center https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference In Microsoft Entra ID, the Attribute Assignment Administrator role is needed to assign custom security attribute values to objects like users and applications, while the Global Administrator role does not have this permission by default. Global Administrators can assign Attribute Assignment Administrator roles to themselves if needed. Attribute Definition Administrator define and manage the definition of custom security attributes but it can not assign custom security attribute values to objects like users and groups & applications etc. Hence NNY is right answer.
upvoted 2 times
...
DJHASH786
3 months, 2 weeks ago
Shouldn't First option be Yes, since Admin 1 is global admin ?
upvoted 1 times
itismadu
2 months ago
First time i see Global Admin does not have the ultimate rights . Microsoft must be ..... Attribute Assignment Administrator - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#attribute-assignment-administrator By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. To work with custom security attributes, you must be assigned one of the custom security attribute roles.
upvoted 1 times
...
...
alsmk2
3 months, 2 weeks ago
NYN I'm not 100% on this, so do double check, but custom security attributes can only be assigned direct to users and service principals. I don't think you can assign them to a group.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...