Monitor and maintain Azure resources

Monitor resources using Azure Monitor and implement backup/recovery.

Involves monitoring resources with Azure Monitor, interpreting metrics and logs, and implementing backup and recovery strategies using Azure Backup and Site Recovery.

5 minutes 5 Questions

Monitoring and maintaining Azure resources constitutes a vital domain within the Azure Administrator Associate (AZ-104) certification, focusing on ensuring operational health, performance, and business continuity across the cloud environment. At the core is **Azure Monitor**, a centralized service…

Concepts covered: Azure Monitor metrics and logs, Azure Monitor alerts and action groups, Azure Monitor Insights (VMs, Storage, Networks), Azure Network Watcher and Connection Monitor, Recovery Services vault and Backup vault, Azure Backup policies and operations, Azure Site Recovery (ASR)

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

AZ-104 - Monitor and maintain Azure resources Example Questions

Test your knowledge of Monitor and maintain Azure resources

Question 1

You manage a Log Analytics workspace named 'Mon-WS' collecting data from fifty virtual machines in the 'Compute-RG' resource group. You create a log search alert rule to trigger when specific error patterns occur. You also implement an Alert Processing Rule scoped explicitly to 'Compute-RG' to suppress notifications into the Action Group during a weekly maintenance window. During the maintenance period, you observe that notifications are still sent. You determine that the Alert Processing Rule targets the resource group, but the fired alerts are technically associated with the workspace resource. You need to correct this behavior by modifying the alert rule. What should you do?

Update the aggregation granularity to ensure the evaluation period exceeds the data ingestion latency Refine the Kusto query syntax to project the Computer field as the primary output for the signal logic Configure the dimension splitting settings to group the query evaluation by the '_ResourceId' column Enable the system-assigned managed identity on the alert rule to authenticate the resource context

Correct Answer: Configure the dimension splitting settings to group the query evaluation by the '_ResourceId' column

The correct answer is to Configure the dimension splitting settings to group the query evaluation by the '_ResourceId' column.

By default, a log search alert rule created on a Log Analytics workspace targets the workspace resource itself. Consequently, any fired alert is associated with the workspace, not the individual virtual machines generating the logs. Since your Alert Processing Rule is scoped to the 'Compute-RG' (where the VMs reside) and not the workspace, it fails to suppress alerts targeting the workspace.

By configuring the alert rule to split by dimensions using the '_ResourceId' column, the alert engine analyzes the log data and generates separate alert instances for each unique resource found. Crucially, this changes the target of the fired alert from the generic workspace to the specific Azure resource instance (the VM). Once the alert targets the VM resource, it falls within the scope of the 'Compute-RG', allowing the Alert Processing Rule to successfully apply the suppression logic during the maintenance window.

Regarding the other options:
- Enabling a system-assigned managed identity addresses authentication and permission scopes for running the query, not the association of the resulting alert instance to a specific resource.
- Updating aggregation granularity helps with data consistency and ingestion latency issues but does not change the target resource context of the fired alert.
- Refining the Kusto query to project the 'Computer' field is a step in data preparation, but without explicitly configuring the alert rule settings to 'Split by dimensions' on a resource identifier, the alert system will still treat the Workspace as the primary target resource.

Question 2

You are configuring an Azure Network Watcher Connection Monitor to track latency and reachability from an Azure virtual machine to an on-premises database server. You need to confirm that the specific extension required for Network Watcher capabilities is operating on the virtual machine. Which extension must be present on the virtual machine?

The Guest Configuration extension The Azure Monitor Dependency agent The Network Watcher Agent extension The Performance Diagnostics extension

Correct Answer: The Network Watcher Agent extension

The Network Watcher Agent extension is the correct answer.

To utilize Network Watcher features such as Connection Monitor, Packet Capture, and IP Flow Verify on an Azure virtual machine, the Network Watcher Agent extension must be installed and enabled. This extension is responsible for generating the traffic required to test reachability and measure latency, as well as collecting the necessary network telemetry.

Why the other answers are incorrect:
- The Azure Monitor Dependency agent is used primarily by Azure Monitor (specifically VM Insights and Service Map) to visualize dependencies and connections between server processes, rather than facilitating the active network tests performed by Network Watcher.
- The Performance Diagnostics extension is designed to troubleshoot virtual machine performance issues, such as high CPU or memory consumption, rather than network connectivity.
- The Guest Configuration extension is used in conjunction with Azure Policy to audit or apply configurations inside the operating system, unrelated to network monitoring.

Question 3

You manage an Azure environment containing an active Recovery Services vault for Azure Virtual Machine backups and an active Backup vault for Azure Managed Disk backups. Both vaults currently utilize platform-managed keys. To comply with a new corporate security policy, you must implement Customer-Managed Keys (CMK) for the encryption of all backup data at rest. You have already generated the required RSA keys in an Azure Key Vault. Which sequence of actions should you perform to meet this requirement?

Deploy new instances of both vault types, configure the encryption properties using the customer-managed keys, and then configure protection for the resources in the new vaults. Assign a system-assigned managed identity to the existing vaults, grant the identity permissions on the Azure Key Vault, and then update the specific encryption settings properties. Enable infrastructure encryption on the existing vaults and then configure the backup policies to reference the specific key version within the target Azure Key Vault. Configure the Managed Identity verification on the existing vaults, grant the necessary Key Vault access policies, and then change the encryption type from platform-managed to customer-managed keys.

Correct Answer: Deploy new instances of both vault types, configure the encryption properties using the customer-managed keys, and then configure protection for the resources in the new vaults.

The correct action is to deploy new instances of both vault types, configure the encryption properties using the customer-managed keys, and then configure protection for the resources in the new vaults.

Azure Backup allows the configuration of Customer-Managed Keys (CMK) for encryption at rest. However, a critical limitation exists regarding when this configuration can be applied. For Recovery Services vaults, encryption settings using CMK can only be configured at the time of creation or before any items have been protected to the vault. Once a vault contains backup items or is actively protecting resources, you cannot switch from platform-managed keys to customer-managed keys. The same limitation generally applies to Backup vaults where the encryption properties are set during deployment or before protection is initialized.

Because the scenario states that the vaults are 'active' (implying they already contain backup data or registered items), you cannot simply update the encryption settings of the existing resources. Therefore, the only viable path to compliance is to create new vaults, enable CMK immediately upon creation/before registration, and then protect the workloads using these new vaults.

Why the other answers are incorrect:

Assigning a managed identity and updating properties works for enabling CMK on vaults that are empty or new, but because the existing vaults are active and already populated, the platform prevents changing the encryption method to CMK.
Configuring Managed Identity verification and changing encryption types faces the same restriction: active vaults containing backup data cannot be migrated from platform-managed to customer-managed encryption.
Enabling infrastructure encryption is a separate feature (double encryption) and does not address the specific requirement to switch the primary encryption key from platform-managed to customer-managed for active vaults, nor does it bypass the restriction on modifying active vaults.

🎓 Unlock Premium Access

Azure Administrator Associate + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
1731 Superior-grade Azure Administrator Associate practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
AZ-104: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial

More Monitor and maintain Azure resources questions

207 questions (total)

Start 100 question test