AZ-104 Question #724: Real Exam Question with Answer & Explanation

Question

Case Study 6 - ADatum Corporation Overview ADatum Corporation is consulting firm that has a main office in Montreal and branch offices in Seattle and New York. Existing Environment Azure Environment ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3. The subscription contains the storage accounts shown in the following table. The subscription contains the virtual machines shown in the following table. The subscription has an Azure container registry that contains the images shown in the following table. The subscription contains the resources shown in the following table. Azure Key Vault The subscription contains an Azure key vault named Vault1. Vault1 contains the certificates shown in the following table. Vault1 contains the keys shown in the following table. Microsoft Entra Environment ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table. The tenant contains the groups shown in the following table. The adatum.com tenant has a custom security attribute named Attribute1. Planned Changes ADatum plans to implement the following changes: - Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4. - In storage1, create a new container named cont2 that has the following access policies: o Three stored access policies named Stored1, Stored2, and Stored3 o A legal hold for immutable blob storage - Whenever possible, use directories to organize storage account content. - Grant User1 the permissions required to link Zone1 to VNet1. - Assign Attribute1 to supported adatum.com resources. - In storage2, create an encryption scope named Scope1. - Deploy new containers by using Image1 or Image2. Technical Requirements ADatum must meet the following technical requirements: - Use TLS for WebApp1. - Follow the principle of least privilege. - Grant permissions at the required scope only. - Ensure that Scope1 is used to encrypt storage services. - Use Azure Backup to back up cont1 and share1 as frequently as possible. - Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines. Hotspot Question You need to implement the planned change for Attribute1. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Answer:

Options

• __typehotspot
• variantyes_no

Explanation

The correct interaction is to select 'No' for all three statements because assigning Microsoft Entra custom security attributes requires the specific 'Attribute Assignment Administrator' role, which is not granted by default to general administrative accounts and is not indicated in the case study for Admin1, Admin2, or Admin3.

Approach. For each of the three statements presented, the correct interaction is to select the 'No' radio button.

Common mistakes.

• common_mistake. A common mistake is assuming that any user named 'AdminX' or holding a general administrative role (like Global Administrator) automatically possesses all necessary permissions within Microsoft Entra ID, including the ability to manage custom security attributes. This is incorrect; custom security attributes adhere to the principle of least privilege and require specific, dedicated roles ('Attribute Assignment Administrator' for assigning, and 'Attribute Definition Administrator' for defining) that are not part of broader administrative roles. Another mistake could be confusing the role needed to define (create/manage) custom attributes with the role needed to assign them, or simply not being aware of these specific required roles at all.

Concept tested. The core technical concept being tested is the understanding of Microsoft Entra Custom Security Attributes and the specific Role-Based Access Control (RBAC) permissions, specifically the 'Attribute Assignment Administrator' role, required to assign these attributes to user and group objects in Microsoft Entra ID. It assesses knowledge of granular permissions and the principle of least privilege in Azure AD.

No community discussion yet for this question.