Implement and manage storage for Microsoft Azure Administrator (AZ-104)

This page covers the Implement and manage storage domain of the Microsoft Azure Administrator (AZ-104) certification. Master Cybersecurity offers 105 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    Your company has a Microsoft Azure subscription. The company has datacenters in Los Angeles and New York. You are configuring the two datacenters as geo-clustered sites for site resiliency. You need to recommend an Azure storage redundancy option. You have the following data storage requirements:

    - Data must be stored on multiple nodes.
    - Data must be stored on nodes in separate geographic locations.
    - Data can be read from the secondary location as well as from the primary location.

    Which of the following Azure storage redundancy options should you recommend?
    A. Geo-redundant storage
    B. Read-only geo-redundant storage
    C. Zone-redundant storage
    D. Locally redundant storage
    Explanation

    The correct answer is: B. Read-only geo-redundant storage.

    Read-only geo-redundant storage (RA-GRS) is correct because it stores six copies of each object: three in the primary region across separate fault and update domains, and three more in the paired secondary region. This satisfies the requirements that data be stored on multiple nodes and in separate geographic locations. The read-access variant additionally exposes a secondary endpoint so applications can read from the secondary region while the primary remains the write target, fulfilling the read-from-both-locations requirement. Geo-redundant storage without the read-access option provides the same dual-region replication but does not expose a readable secondary, so applications cannot read from the secondary except after a failover. Zone-redundant storage spreads copies across availability zones within a single region, missing the geographic separation requirement. Locally redundant storage keeps three copies inside one datacenter and fails both the geographic and read-from-secondary requirements.

  2. Question 2

    HOTSPOT - You have an Azure subscription that contains a storage account named storage1. The subscription is linked to an Azure Active Directory (Azure AD) tenant named contoso.com that syncs to an on-premises Active Directory domain. The domain contains the security principals shown in the following table. In Azure AD, you create a user named User2. The storage1 account contains a file share named share1 and has the following configurations. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
    Explanation

    Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

  3. Question 3

      You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a file share named share1. The subscription is linked to a hybrid Azure Active Directory (Azure AD) tenant that contains a security group named Group1. You need to grant Group1 the Storage File Data SMB Share Elevated Contributor role for share1. What should you do first?
      A. Enable Active Directory Domain Service (AD DS) authentication for storage1.
      B. Grant share-level permissions by using File Explorer.
      C. Mount share1 by using File Explorer.
      D. Create a private endpoint.
      Explanation

      The correct answer is: A. Enable Active Directory Domain Service (AD DS) authentication for storage1.

      Enable Active Directory Domain Service (AD DS) authentication for storage1 is correct because the Storage File Data SMB Share Elevated Contributor role requires identity-based authentication on the file share, and AD DS authentication is the supported option in a hybrid scenario where users sync from on-premises AD to Microsoft Entra ID. Once the storage account is joined to the AD DS domain and identity-based authentication is enabled, the role can be assigned to the security group at the share scope and SMB clients authenticate with Kerberos using their domain identity. Granting share-level permissions in File Explorer is an NTFS-level operation and does not replace the Azure RBAC step. Mounting share1 in File Explorer is just a client action and grants no permissions. Creating a private endpoint controls network reachability and has no effect on share-level authentication or RBAC role binding.

  4. Question 4

      You have an Azure subscription that contains the resources shown in the following table. You need to assign User1 the Storage File Data SMB Share Contributor role for share1. What should you do first?
      A. Enable identity-based data access for the file shares in storage1.
      B. Modify the security profile for the file shares in storage1.
      C. Select Default to Azure Active Directory authorization in the Azure portal for storage1.
      D. Configure Access control (IAM) for share1.
      Explanation

      The correct answer is: A. Enable identity-based data access for the file shares in storage1.

      Enable identity-based data access for the file shares in storage1 is correct because the Storage File Data SMB Share Contributor role and its peers only take effect when the file shares have identity-based authentication enabled, which is configured under File shares > Active Directory in the storage account; supported identity sources include on-premises AD DS, Microsoft Entra Domain Services, and Microsoft Entra Kerberos for hybrid users. Without that step, SMB clients fall back to storage account key authentication and Azure RBAC at the share scope is not honored. Modifying the security profile is not a standard precondition for SMB share role assignments. Selecting Default to Azure Active Directory authorization controls portal data-plane authentication for blobs and queues, not SMB file share access. Configuring Access control (IAM) for share1 is the step that follows once identity-based access is enabled; it cannot be done meaningfully until SMB identity-based auth is on.

  5. Question 5

      HOTSPOT - You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage. You need to use AzCopy to copy data to the blob storage and file storage in storage1. Which authentication method should you use for each type of storage? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
