Medium AZ-104 practice questions
Applied — put a concept to work in a realistic situation. 138 medium questions available — no sign-up, always free.
Your team runs a nightly data-processing batch job packaged as a container image in Azure Container Registry. You want to deploy it using Azure Container Instances so that the container runs once, processes the data, and then stops without being restarted. Azure should not bill you for the container after it finishes. Which restart policy should you configure for the container group?
Your team runs a nightly batch job as an Azure Container Instance (ACI) container group. The image is stored in a Premium Azure Container Registry named 'contosoacr'. Security policy prohibits storing registry admin credentials or long-lived passwords anywhere in the deployment pipeline. You must configure the container group to pull the image from the registry without embedding any static secrets. What should you do?
You deploy a background image-processing microservice to Azure Container Apps. The workload is not exposed over HTTP; instead it pulls jobs from an Azure Service Bus queue. During peak hours the queue grows to thousands of messages, and processing falls behind. You need the container app to automatically add replicas based on the number of messages waiting in the queue, and scale back down when the queue is empty. What should you configure?
You manage an Azure Container Instances (ACI) deployment for a lightweight API. The container image is stored in a private Azure Container Registry named 'prodregistry'. When you deploy the container group using the Azure CLI without specifying registry credentials, the deployment fails to pull the image. Which additional parameters must you provide to the 'az container create' command so ACI can authenticate and pull the private image using the registry's admin account?
Your company runs a production Azure Container Registry named prodacr. The security team requires that only digitally signed container images can be pulled and deployed from the registry, ensuring image integrity and publisher authenticity. Which action should you take to enforce this requirement?
Your company runs Azure Kubernetes Service clusters in East US and West Europe. Both clusters pull container images from a single Azure Container Registry currently on the Basic SKU. Users in West Europe report slow image pulls, and you want to serve images from a registry endpoint local to each region while keeping a single registry name and image tags. What should you do first?
Your company runs a private Azure Container Registry named contosoacr. A partner has published a required base image in a public Docker Hub repository. Corporate policy blocks running Docker Engine on any workstation or build agent, and outbound Docker pull/push operations are not permitted from those machines. You need to bring a copy of the public image into contosoacr using the least administrative effort. What should you do?
Your development team stores a Dockerfile in a Git repository but the build agents do not have Docker Engine installed and cannot run local builds. You need to build a container image and push it directly to your Azure Container Registry named 'contosoacr' using Azure's cloud infrastructure, without provisioning any VM or installing Docker. Which command should you use?
Your company runs a container platform on Azure and stores images in an Azure Container Registry (ACR) on the Basic SKU. Developers report frequent throttling errors during peak CI/CD pipeline runs, and the registry is nearing its included storage limit. You need to increase throughput and storage capacity with the least administrative effort, while keeping costs lower than the highest available tier. What should you do?
Your team stores a custom application image in an Azure Container Registry (ACR) named contosoreg. The image is built from a public base image. Company policy requires that whenever the base image receives a security patch, your application image is automatically rebuilt and pushed to the registry without manual intervention. Which ACR feature should you configure to meet this requirement?
Your company stores container images in an Azure Container Registry (ACR) named contosoacr. You have a web application running as an Azure Container Instance (ACI). You need to automatically notify an external CI/CD endpoint whenever a new image tag is pushed to the registry, so the endpoint can trigger a redeployment. Which ACR feature should you configure?
Your company runs a monthly maintenance window on the first Saturday of each month from 02:00 to 06:00. During this time, several Azure Monitor metric alerts fire because VMs are rebooted and services are temporarily unavailable, generating unwanted notifications to the on-call team. You need to prevent these alerts from sending notifications only during the maintenance window, without deleting or disabling the underlying alert rules. What should you configure?
Your organization has a single Microsoft Entra tenant with users from several regional offices. The IT team in the Berlin office must be able to reset passwords and manage properties only for users who belong to the Berlin office, without gaining any control over users in other offices. You want to grant this access using the least-privilege approach. What should you do?
You manage a company web application running on Azure App Service in a Basic (B1) App Service plan. Management requests that you configure automated scheduled backups of the app content and its linked Azure SQL Database directly from the App Service backup feature. When you open the Backups blade, the scheduled backup option is unavailable. What is the minimum action required to enable scheduled backups?
Your company runs a production web application on an Azure App Service in the Standard (S1) plan. The development team wants to deploy new releases without downtime and be able to quickly revert if a release causes problems in production. They also want the new build to be warmed up before receiving live traffic. What should you configure?
You manage a web app named contoso-app running on an App Service plan (Standard S1 tier). The app already has the custom domain www.contoso.com verified and bound to it. Your security team requires HTTPS with a valid TLS certificate for the custom domain, and they want to avoid any recurring certificate purchase or manual renewal effort. What should you do?
Your company runs a web app on an Azure App Service in a Standard (S1) App Service plan. During occasional marketing campaigns, the app experiences short bursts of high traffic that exhaust CPU on the single instance. Between campaigns, traffic is minimal. You want to automatically add and remove instances to handle these bursts while keeping costs low during quiet periods. What should you do?
You manage a web application hosted on an Azure App Service running in a Basic (B1) App Service plan. The development team wants to use deployment slots to test new releases before swapping them into production. When they attempt to add a staging slot, the option is unavailable. What is the minimum action required to enable deployment slots for this app?
You manage an ASP.NET web app running in an App Service plan on the Standard (S1) tier with a single instance. During business hours, users report slow response times, and metrics show sustained CPU usage above 80%. You need to automatically add instances when demand is high and remove them when demand drops, without changing the app code. What should you configure?
Your company runs a web app on an App Service plan (Standard tier) in Azure. The application must make outbound calls to an Azure SQL Database that has been configured to accept traffic only from a specific subnet in a virtual network via a service endpoint. The App Service must reach the database over the virtual network without exposing the database to the public internet. Which App Service networking feature should you configure?
Your company runs a three-tier application in a single virtual network. The web tier has 8 VMs and the app tier has 6 VMs, and their IP addresses change frequently due to autoscaling. You must configure an NSG so that only the web-tier VMs can initiate connections to the app-tier VMs on port 8080, without hardcoding IP addresses and without creating a separate NSG rule per VM. What should you do?
Your company requires that every resource within the resource group 'RG-Finance' carry a 'CostCenter' tag with the value 'FIN-2024' for chargeback reporting. Developers frequently deploy new resources without specifying tags, and manually tagging each resource is not sustainable. You want resources to automatically receive the correct tag value at deployment time without blocking deployments. What should you do?
You manage a resource group named RG-Prod that currently contains three storage accounts and one virtual network. You deploy an ARM template that defines only two of the storage accounts, using deployment mode set to Complete. What happens to the resources in RG-Prod after the deployment succeeds?
You maintain an ARM template named 'app-infra.json' that defines a set of resources with several parameters, including 'environmentName' and 'skuTier'. You want to deploy the same template to a production environment using values that differ from the defaults, without editing the template itself. You plan to use Azure CLI. Which approach lets you supply the production-specific values at deployment time?
Your organization has 3,500 users in Microsoft Entra ID. The HR department frequently adds and removes users from a dynamic group named 'Sales-Team'. You need to ensure that every current and future member of the Sales-Team group automatically receives a Microsoft 365 E3 license without manual intervention, while minimizing administrative effort. What should you do?