az-104 dumps topic 2, 1-90(101) Flashcards
You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
To add a backend pool to LB1:
Contributor on LB1
Network Contributor on LB1
Network Contributor on RG1
Owner on LB1
To add a health probe to LB2:
Contributor on LB2
Network Contributor on LB2
Network Contributor on RG1
Owner on LB2
The Network Contributor role lets you manage networks, but not access to them.
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?
A. From contoso.com, modify the Organization relationships settings.
B. From contoso.com, create an OAuth 2.0 authorization endpoint.
C. Recreate AKS1.
D. From AKS1, create a namespace.
B. From contoso.com, create an OAuth 2.0 authorization endpoint.
Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user’s identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol.
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a Microsoft 365 group that uses the Assigned membership type
B. a Security group that uses the Assigned membership type
C. a Microsoft 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type
A. a Microsoft 365 group that uses the Assigned membership type
C. a Microsoft 365 group that uses the Dynamic User membership type
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:
Name | Type | Member of
User1 | Member | Group1
User2 | Guest | Group1
User3 | Member | None
UserA | Member | Group2
UserB | Guest | Group2
User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:
Create an access review
Access reviews enable reviewers to attest user’s membership in a group or access to an application.
* Review name: Review1
Description:
* Start date: 2018-11-22
Frequency: One time
Duration (in days): 1
End: Never/End by Occurrences
* Number of times: 0
* End date: 2018-12-22
Users
Users to review: Members of a group
Scope: +Guest users only/Everyone
* Group: Group1
Reviewers
Reviewers: Group owners
Programs
Link to program
Default program
Upon completion settings
Advanced settings
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
User3 can perform an access review of User1
User3 can perform an access review of UserA
User3 can perform an access review of UserB
User3 can perform an access review of User1 - No
User3 can perform an access review of UserA - No
User3 can perform an access review of UserB - Yes
You have the Azure management groups shown in the following table:
Name | In management group
Tenant Root Group | Not applicable
ManagementGroup11 | Tenant Root Group
ManagementGroup12 | Tenant Root Group
ManagementGroup21 | ManagementGroup11
You add Azure subscriptions to the management groups as shown in the following table:
Name | Management group
Subscription1 | ManagementGroup21
Subscription2 | ManagementGroup12
You create the Azure policies shown in the following table:
Name | Parameter | Scope
Not allowed resource types | virtualNetworks | Tenant Root Group
Allowed resource types | virtualNetworks | ManagementGroup12
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
You can create a virtual network in Subscription1.
You can create a virtual machine in Subscription2.
You can add Subscription1 to ManagementGroup11.
You can create a virtual network in Subscription1 - No
You can create a virtual machine in Subscription2 - Yes
You can add Subscription1 to ManagementGroup11 - Yes
You have an Azure policy as shown in the following exhibit:
SCOPE
Scope: Subscription 1
Exclusions: Subscription 1/ContosoRG1
BASICS
Policy definition: Not allowed resource types
Assignment name: Not allowed resource types
Assignment ID: /subscriptions/5eb8d0b6-ce3b-4ce0-a631-9f5321bedabb/providers/Microsoft.Authorization/policyAssignments/0e6fb866bf854f54accae2a9
Description:
Assigned by: admin1@contoso.com
PARAMETERS
Not allowed resource types → Microsoft.Sql/servers
What is the effect of the policy?
A. You are prevented from creating Azure SQL servers anywhere in Subscription 1.
B. You can create Azure SQL servers in ContosoRG1 only.
C. You are prevented from creating Azure SQL Servers in ContosoRG1 only.
D. You can create Azure SQL servers in any resource group within Subscription 1.
B. You can create Azure SQL servers in ContosoRG1 only.
You have an Azure subscription that contains the resources shown in the following table:
Name | Type | Resource group | Tag
RG6 | Resource group | Not applicable | None
VNET1 | Virtual network | RG6 | Department: D1
You assign a policy to RG6 as shown in the following table:
Section | Setting | Value
Scope | Scope | Subscription1/RG6
Scope | Exclusions | None
Basics | Policy definition | Apply tag and its default value
Basics | Assignment name | Apply tag and its default value
Parameters | Tag name | Label
Parameters | Tag value | Value1
To RG6, you apply the tag: RGroup: RG6.
You deploy a virtual network named VNET2 to RG6.
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.
VNET1:
None
Department: D1 only
Department: D1, and RGroup: RG6 only
Department: D1, and Label: Value1 only
Department: D1, RGroup: RG6, and Label: Value1
VNET2:
None
RGroup: RG6 only
Label: Value1 only
RGroup: RG6, and Label: Value1
VNET1: Department: D1
VNET2: Label: Value1 only
Incorrect Answers:
RGROUP: RG6 - Tags applied to the resource group or subscription are not inherited by the resources.
Resources created before policy creation will not inherit the policy rules.
You have an Azure subscription named AZPT1 that contains the resources shown in the following table:
Name | Type
storage1 | Azure Storage account
VNET1 | Virtual network
VM1 | Azure virtual machine
VM1Managed | Managed disk for VM1
RVAULT1 | Recovery Services vault for the site recovery of VM1
You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.
Which resources should you identify?
A. VM1, storage1, VNET1, and VM1Managed only
B. VM1 and VM1Managed only
C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
D. RVAULT1 only
C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
You can move a VM and its associated resources to a different subscription by using the Azure portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.
You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure PowerShell and receives the following error message:
User failed validation to purchase resources. Error message: Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?
A. From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
B. From the Azure portal, register the Microsoft.Marketplace resource provider
C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
D. From the Azure portal, assign the Billing administrator role to Admin1
C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
https://learn.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-azmarketplaceterms?view=azps-11.2.0
You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
A. From the Licenses blade, assign a new license
B. From the Directory role blade, modify the directory role
C. From the Groups blade, invite the user account to a new group
B. From the Directory role blade, modify the directory role
- Sign in to the Azure portal with an account that’s a global admin or privileged role admin for the directory.
- Select Azure Active Directory, select Users, and then select a specific user from the list.
- For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.
- Press Select to save.
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?
A. From the Licenses blade of Azure AD, assign a license
B. From the Groups blade of each user, invite the users to a group
C. From the Azure AD domain, add an enterprise application
D. From the Directory role blade of each user, modify the directory role
A. From the Licenses blade of Azure AD, assign a license
Active Directory -> Manage section -> Choose Licenses -> All Products -> Select Azure Active Directory Premium P2 -> Then assign a user to it.
You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.
What should you do first?
A. Create an automation runbook
B. Deploy a function app
C. Deploy the IT Service Management Connector (ITSM)
D. Create a notification
C. Deploy the IT Service Management Connector (ITSM)
IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service Management (ITSM) product or service. Azure services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and non-Azure resources. But the work items related to an issue typically reside in an ITSM product or service. ITSMC provides a bi-directional connection between Azure and ITSM tools to help you resolve issues faster. ITSMC supports connections with the following ITSM tools: ServiceNow, System Center Service Manager, Provance, Cherwell.
You sign up for Azure Active Directory (Azure AD) Premium P2.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?
A. Device settings from the Devices blade
B. Providers from the MFA Server blade
C. User settings from the Users blade
D. General settings from the Groups blade
A. Device settings from the Devices blade
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
You have an Azure Active Directory tenant named Contoso.com that includes the following users:
Name | Role
User1 | Cloud device administrator
User2 | User administrator
Contoso.com includes the following Windows 10 devices:
Name | Join type
Device1 | Azure AD registered
Device2 | Azure AD joined
You create the following security groups in Contoso.com:
Name | Membership Type | Owner
Group1 | Assigned | User2
Group2 | Dynamic Device | User2
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
User1 can add Device2 to Group1
User2 can add Device1 to Group1
User2 can add Device2 to Group2
User1 can add Device2 to Group1: No (because User1 is Cloud Device Admin and cannot change the group membership for Group1)
User2 can add Device1 to Group1: Yes (because User2 is Group Owner, which has the requisite authority for changing group membership. Furthermore, Group1 has Assigned membership type)
User2 can add Device2 to Group2: No (because though User2 is Group Owner with requisite rights but Group2 has Dynamic Device membership type)
Explanation:
Groups can contain both registered and joined devices as members.
As a global administrator or cloud device administrator, you can manage the registered or joined devices. Intune Service administrators can update and delete devices. User administrator can manage users but not devices.
User1 is a cloud device administrator. Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.
User2 is the owner of Group1. He can add Device1 to Group1.
Group2 is configured for dynamic membership. The properties on which the membership of a device in a group of the type dynamic device are defined cannot be changed by either an end user or a user administrator. User2 cannot add any device to Group2.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
You have an Azure subscription that contains a resource group named RG26.
RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table.
Name | Type | Location
VM1 | Virtual machine | North Europe
RGV1 | Recovery Services vault | North Europe
SQLDB01 | SQL server in Azure VM | North Europe
sa001 | Storage account | West Europe
SQLDB01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.
You need to delete RG26.
What should you do first?
A. Delete VM1
B. Stop VM1
C. Stop the backup of SQLDB01
D. Delete sa001
C. Stop the backup of SQLDB01
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Remove User1 from the Security Reader and Reader roles for Subscription1.
B. Assign User1 the User Access Administrator role for VNet1.
C. Assign User1 the Network Contributor role for VNet1.
D. Assign User1 the Network Contributor role for RG1.
E. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
F. Assign User1 the Owner role for VNet1.
G. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
H. Assign User1 the Contributor role for VNet1.
B. Assign User1 the User Access Administrator role for VNet1.
F. Assign User1 the Owner role for VNet1.
Owner = Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Contributor = Grants full access to manage all resources, but does NOT allow you to assign roles in Azure RBAC. (you cannot add users or change their rights)
User Access Administrator = Lets you manage user access to Azure resources.
Reader = View all resources, but does not allow you to make any changes.
Security Admin = View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.
Network Contributor = Lets you manage networks, but not access to them. (so you can add VNET, subnet, etc)
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create? (choose all correct options)
A. MX
B. NSEC
C. PTR
D. RRSIG
E. SRV
F. TXT
G. NSEC3
A. MX
F. TXT
To verify your custom domain name (example)
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
Does this meet the goal?
A. Yes
B. No
B. No
The DevTest Labs User role is used for Azure DevTest Labs, not for Logic Apps.
The DevTest Labs User role only lets you connect, start, restart, and shut down virtual machines in your Azure DevTest Labs.
The Logic App Contributor role lets you manage logic apps, but not access to them. It provides access to view, edit, and update a logic app.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
Does this meet the goal?
A. Yes
B. No
B. No
You would need the Logic App Contributor role.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
Does this meet the goal?
A. Yes
B. No
A. Yes
The Contributor role can manage all resources (and add resources) in a Resource Group.
DRAG DROP -
You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each department uses resources in several resource groups.
You need to send a report to the finance department. The report must detail the costs for each department.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Actions
- Assign a tag to each resource group.
- Assign a tag to each resource.
- Download the usage report.
- From the Cost analysis blade, filter the view by tag.
- Open the Resource costs blade of each resource group.
- Assign a tag to each resource.
- From the Cost analysis blade, filter the view by tag.
- Download the usage report.
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1? (choose all correct)
A. Get-Event Event | where {$_.EventType == "error"}
B. search in (Event) "error"
C. Event | where EventType == "error"
D. select * from Event where EventType == "error"
E. search in (Event) * | where EventType -eq "error"
F. select * from Event where EventType is "error"
G. Event | where EventType is "error"
H. search in (Event) * | where EventType == "error"
I. Event | search "error"
B. search in (Event) "error"
C. Event | where EventType == "error"
I. Event | search "error"
You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is connected to VNET1.
You successfully deploy the following Azure Resource Manager template.
{
  "apiVersion": "2017-03-30",
  "type": "Microsoft.Compute/virtualMachines",
  "name": "VM1",
  "zones": "1",
  "location": "EastUS2",
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', 'VM1-NI')]"
  ],
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_A2_v2"
    },
    "osProfile": {
      "computerName": "VM1",
      "adminUsername": "AzureAdmin",
      "adminPassword": "[parameters('adminPassword')]"
    },
    "storageProfile": {
      "imageReference": "[variables('image')]",
      "osDisk": {
        "createOption": "FromImage"
      }
    },
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', 'VM1-NI')]"
        }
      ]
    }
  }
},
{
  "apiVersion": "2017-03-30",
  "type": "Microsoft.Compute/virtualMachines",
  "name": "VM2",
  "zones": "2",
  "location": "EastUS2",
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', 'VM2-NI')]"
  ],
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_A2_v2"
    },
    "osProfile": {
      "computerName": "VM2",
      "adminUsername": "AzureAdmin",
      "adminPassword": "[parameters('adminPassword')]"
    },
    "storageProfile": {
      "imageReference": "[variables('image')]",
      "osDisk": {
        "createOption": "FromImage"
      }
    },
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', 'VM2-NI')]"
        }
      ]
    }
  }
}
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
VM1 and VM2 can connect to VNET1
If an Azure datacenter becomes unavailable, VM1 or VM2 will be available.
If the East US 2 region becomes unavailable, VM1 or VM2 will be available.
VM1 and VM2 can connect to VNET1 - Yes
If an Azure datacenter becomes unavailable, VM1 or VM2 will be available - Yes (VM1 is in Zone1, while VM2 is on Zone2)
If the East US 2 region becomes unavailable, VM1 or VM2 will be available - No
You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.
Name | Azure region | Policy
RG1 | West Europe | Policy1
RG2 | North Europe | Policy2
RG3 | France Central | Policy3
RG1 has a web app named WebApp1. WebApp1 is located in West Europe. You move WebApp1 to RG2.
What is the effect of the move?
A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
B. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
C. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
D. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.
A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
You can only move a resource to a Resource Group or Subscription, but the location stays the same. When you move WebApp1 to RG2, the resource will be restricted based on the policy of the new Resource Group (Policy2).
You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region.
The region in which your app runs is the region of the App Service plan it’s in. However, you cannot change an App Service plan’s region.
You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
✑ Can be assigned only to the resource groups in Subscription1
✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resources within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer Area
"assignableScopes": [ …
- ""
- "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
- "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups"
],
"permissions": [ {
"actions": [ "" ],
"additionalProperties": {},
"dataActions": [],
"notActions": [ …
- "Microsoft.Authorization/"
- "Microsoft.Resources/"
- "Microsoft.Security/"
],
"notDataActions": [ ] } ],
- “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups” - checked in Azure it’s invalid scope, so it’s either “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e” or adding every rg as “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/{rg-name}”
- “Microsoft.Authorization/*”
You have an Azure subscription.
Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business app named App1 that runs on several Azure virtual machines. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. an internal load balancer
B. a public load balancer
C. an Azure Content Delivery Network (CDN)
D. Traffic Manager
E. an Azure Application Gateway
A. an internal load balancer
E. an Azure Application Gateway
A: The customer sites are connected through VPNs, so an internal load balancer is enough.
B: The customer sites are connected through VPNs, so there’s no need for a public load balancer, an internal load balancer is enough.
C: A CDN does not provide load balancing for applications, so it is not relevant for this situation.
D: Traffic Manager is a DNS-based solution to direct users’ requests to the nearest (typically) instance and does not provide load balancing for this situation.
E: Azure Application Gateway is a valid option, as it provides load balancing in addition to routing and security functions.
You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?
A. Monitor
B. Advisor
C. Metrics
D. Customer insights
B. Advisor
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.
The Advisor dashboard displays personalized recommendations for all your subscriptions. You can apply filters to display recommendations for specific subscriptions and resource types. The recommendations are divided into five categories:
Reliability (formerly called High Availability): To ensure and improve the continuity of your business-critical applications. For more information, see Advisor Reliability recommendations.
Security: To detect threats and vulnerabilities that might lead to security breaches. For more information, see Advisor Security recommendations.
Performance: To improve the speed of your applications. For more information, see Advisor Performance recommendations.
Cost: To optimize and reduce your overall Azure spending. For more information, see Advisor Cost recommendations.
Operational Excellence: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. For more information, see Advisor Operational Excellence recommendations.
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.
Answer Area
* Name: Policy1
Assignments:
- Users and groups
0 users and groups selected
- Cloud apps
0 cloud apps selected
- Conditions
0 conditions selected
Access controls:
- Grant
0 controls selected
- Session
- Select Users & Groups: Where you have to choose all users.
- Select Cloud apps or actions: To specify the Azure portal.
- Select Grant: To grant the MFA.
Those are the minimum requirements to create an MFA policy. No conditions are required in the question.
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: Unable to invite user user1@outlook.com
Generic authorization exception.
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?
A. From the Users settings blade, modify the External collaboration settings.
B. From the Custom domain names blade, add a custom domain.
C. From the Organizational relationships blade, add an identity provider.
D. From the Roles and administrators blade, assign the Security administrator role to Admin1.
A. From the Users settings blade, modify the External collaboration settings.
You can adjust the guest user settings, their access, and who can invite them from “External collaboration settings”.
You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.
What should you do?
A. Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
D. Create a new management group and delegate User1 as the owner of the new management group.
C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.
You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.
| Name | Group type | Membership type | Membership rule |
|---|---|---|---|
| Group1 | Security | Dynamic user | (user.city -startsWith "m") |
| Group2 | Microsoft 365 | Dynamic user | (user.department -notIn ["human resources"]) |
| Group3 | Microsoft 365 | Assigned | Not applicable |
You create two user accounts that are configured as shown in the following table.
| Name | City | Department | Office 365 license assigned |
|---|---|---|---|
| User1 | Montreal | Human resources | Yes |
| User2 | Melbourne | Marketing | No |
Of which groups are User1 and User2 members? To answer, select the appropriate options in the answer area.
User1:
User2:
- Group1 only
- Group2 only
- Group3 only
- Group1 and Group2 only
- Group1 and Group3 only
- Group2 and Group3 only
- Group1, Group2, Group3
User1: Group1
User2: Group1, Group2
You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table.
| Name | Type | Source |
|---|---|---|
| User1 | Member | Azure AD |
| User2 | Member | Windows Server Active Directory |
| User3 | Guest | Microsoft account |
You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the attributes from Azure AD? To answer, select the appropriate options in the answer area.
JobTitle:
UsageLocation:
- User1 only
- User1 and User2 only
- User1 and User3 only
- User1, User2, and User3
JobTitle: User1 and User3 only
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active
UsageLocation: User1, User2, and User3
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No
A. Yes
One of the following roles can enable Traffic Analytics:
Owner
Contributor
Network Contributor
Monitoring Contributor
(https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites)
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No
A. Yes
One of the following roles can enable Traffic Analytics:
Owner
Contributor
Network Contributor
Monitoring Contributor
(https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites)
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No
B. No
One of the following roles can enable Traffic Analytics:
Owner
Contributor
Network Contributor
Monitoring Contributor
(https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites)
You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
A. Owner
B. Virtual Machine Contributor
C. Contributor
D. Virtual Machine Administrator Login
C. Contributor
Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC.
Incorrect Answers:
A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
B: Virtual Machine Contributor: Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
D: Virtual Machine Administrator Login: View virtual machines in the portal and log in as administrator.