az305 Flashcards by Kerem Adalı

Whis of the following would you use to restrict access to KeyVault?

Access policies for KeyVault

An Azure Policy

RBAC

Azure Ad Multi Factor Auth

Access policies for KeyVault

How well did you know this?

Not at all

Perfectly

Requirement: All data in the storage account is encrypted at rest

Azure Storage Encryption

Azure Disk Encryption

Always Encyrpted

Transparent Data Encrption

Azure Storage Encryption

How well did you know this?

Not at all

Perfectly

To the manager of the developers, send a monthly email message that lists the access permissions to Application1.

If the manager does not verify an access permission, automatically revoke that permission.

Minimize development effort

A. In Azure Active Directory (Azure AD), create an access review of Application1.

B. Create an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet.

C. In Azure Active Directory (Azure AD) Privileged Identity Management, create a custom role assignment for the Application1 resources.

D. Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet.

A. In Azure Active Directory (Azure AD), create an access review of Application1.

How well did you know this?

Not at all

Perfectly

Some users work remotely and do NOT have VPN access to the on-premises network.You need to provide the remote users with single sign-on (SSO) access to WebApp1. Select 2

A. Azure AD Application Proxy

B. Azure AD Privileged Identity Management (PIM)

C. Conditional Access policies

D. Azure Arc

E. Azure AD enterprise applications

F. Azure Application Gateway

A,E

How well did you know this?

Not at all

Perfectly

✑ The evaluation must be repeated automatically every three months.

✑ Every member must be able to report whether they need to be in Group1.

✑ Users who report that they do not need to be in Group1 must be removed from Group1 automatically.

✑ Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.What should you include in the recommendation?

A. Implement Azure AD Identity Protection.

B. Change the Membership type of Group1 to Dynamic User.

C. Create an access review.

D. Implement Azure AD Privileged Identity Management (PIM).

C. Create an access review.

How well did you know this?

Not at all

Perfectly

You need to recommend a design for the planned Databrick deployment. The solution must meet the following requirements:

✑ Ensure that the data engineers can only access folders to which they have permissions.

✑ Minimize development effort.

✑ Minimize costs.

Databticks SKU: Premium or Standard
Cluster Config:
Credential Passthrough
Managed Identities
MLFlow
Secret Scope

Premium, Credential Passthrough

How well did you know this?

Not at all

Perfectly

You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines.Solution: Use Azure Traffic Analytics in Azure Network Watcher to analyze the network traffic.

Does this meet the goal?

Instead use Azure Network Watcher IP Flow Verify, which allows you to detect traffic filtering issues at a VM level.

How well did you know this?

Not at all

Perfectly

Users can connect to app without being prompted for auth:
Azure AD App registration
Azure AD Managed identity
Azure Ad App Proxy

User can only access apps from company owned computers:
A conditional access policy
Azure AD administrative unit
Azure Application Gateway
Azure blueprionts
Azure Policy

Azure AD App registration

A conditional access policy

How well did you know this?

Not at all

Perfectly

You need to use Azure Monitor to design an alerting strategy for security-related events.
Which Azure Monitor Logs tables should you query?
Select for win and linux

Azure Activity
Azure Diagnostics
Event
syslog

Win: Event, Linux: Syslog

How well did you know this?

Not at all

Perfectly

To which three scopes can you assign Azure Policy definitions?

A. Azure Active Directory (Azure AD) administrative units
B. Azure Active Directory (Azure AD) tenants
C. subscriptions
D. compute resources
E. resource groups
F. management groups

C,E,F

How well did you know this?

Not at all

Perfectly

Your on-premises network contains a server named Server1 that runs an ASP.NET application named App1.
You have a hybrid deployment of Azure Active Directory (Azure AD).
You need to recommend a solution to ensure that users sign in by using their Azure AD account and Azure Multi-Factor Authentication (MFA) when they connect to App1 from the internet.
Which three features should you recommend be deployed and configured in sequence?

A public load balancer
A managed identity
an internal azure load balancer
conditional access policy
azure app service plan
Azure AD apllication proxy
Azure Ad application Enterprise

Application Proxy
Enterprise Application
Conditional Access

How well did you know this?

Not at all

Perfectly

A public load balancer
A managed identity
an internal azure load balancer
conditional access policy
azure app service plan
Azure AD apllication proxy
Azure Ad application Enterprise

Application Proxy
Enterprise Application
Conditional Access

How well did you know this?

Not at all

Perfectly

You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager (ARM) resource deployments in your Azure subscription.
What should you include in the recommendation?

A. Azure Activity Log
B. Azure Advisor
C. Azure Analysis Services
D. Azure Monitor action groups

A. Azure Activity Log

How well did you know this?

Not at all

Perfectly

Your company, named Contoso, Ltd., implements several Azure logic apps that have HTTP triggers. The logic apps provide access to an on-premises web service.
Contoso establishes a partnership with another company named Fabrikam, Inc.
Fabrikam does not have an existing Azure Active Directory (Azure AD) tenant and uses third-party OAuth 2.0 identity management to authenticate its users.
Developers at Fabrikam plan to use a subset of the logic apps to build applications that will integrate with the on-premises web service of Contoso.
You need to design a solution to provide the Fabrikam developers with access to the logic apps. The solution must meet the following requirements:
✑ Requests to the logic apps from the developers must be limited to lower rates than the requests from the users at Contoso.
✑ The developers must be able to rely on their existing OAuth 2.0 provider to gain access to the logic apps.
✑ The solution must NOT require changes to the logic apps.
✑ The solution must NOT use Azure AD guest accounts.
What should you include in the solution?

A. Azure Front Door
B. Azure AD Application Proxy
C. Azure AD business-to-business (B2B)
D. Azure API Management

Many APIs support OAuth 2.0 to secure the API and ensure that only valid users have access, and they can only access resources to which they’re entitled. To use Azure API Management’s interactive developer console with such APIs, the service allows you to configure your service instance to work with your OAuth 2.0 enabled API.

Incorrect:
Azure AD business-to-business (B2B) uses guest accounts.
Azure AD Application Proxy is for on-premises scenarios.

How well did you know this?

Not at all

Perfectly

You have an Azure subscription that contains 300 virtual machines that run Windows Server 2019.
You need to centrally monitor all warning events in the System logs of the virtual machines.

Resources to create:
Event hub
Log Analytics
search engine
storage acount

Conf on Vms:
Create event subs
Conf CD
Install Azure monitor agent
Modify membership of the Event Log Reader Group

Resources to create: Log Analytics
Conf on Vms: Install Azure monitor agent

How well did you know this?

Not at all

Perfectly

Security:
Get alerts about changes in administrator assignements
Development:
enable KeyVault access
Quality:
Require temporary admin roles

Azure AD Privilied Identity Management
Azure Managed Identity
Azure AD connect
Azure AD Identity Protection

Security: PIM
Development: MI
Quality: PIM

How well did you know this?

Not at all

Perfectly

East / Sub1,Sub2 / tenant1
west / Sub3,Sub4 / tenant2

of Management Group = ? 1,2,3,4
# of Blueprint Definitons = ? 1,2,3,4
# of Blueprint Assignments = ? 1,2,3,4

of Management Group = 2
# of Blueprint Definitons = 2
# of Blueprint Assignments = 2

How well did you know this?

Not at all

Perfectly

✑ For new resources, assign tags and values that match the tags and values of the resource group to which the resources are deployed.
✑ For existing resources, identify whether the tags and values match the tags and values of the resource group that contains the resources.
✑ For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values.
The solution must use the principle of least privilege.
What should you include in the design?

Azure Policy Effect to use:
Append
EnforceOPAConstraint
EnforceRegoPolicy
Modify

RBAC for remedition tasks:
Managed Identity with Contributer
Managed Identity with User Access Admin
Service Principal with Contributer
Service Principal with User Access Admin

Azure Policy Effect to use:
Modify

RBAC for remedition tasks:
Managed Identity with Contributer

How well did you know this?

Not at all

Perfectly

To DB1, you add a diagnostic setting named Settings1. Settings1 archive SQLInsights to storage1 and sends SQLInsights to Workspace1(Azure Log analytics Workspace).

T/F

You can add new dignostic setting that archives SqlInsights logs to storage2
You can add new dignostic setting that sends SqlInsights logs to Workspace2
You can add new dignostic setting that sends SqlInsights logs to EventHub1

T,T,T

How well did you know this?

Not at all

Perfectly

You plan to deploy an Azure SQL database that will store Personally Identifiable Information (PII).
You need to ensure that only privileged users can view the PII.
What should you include in the solution?
A. dynamic data masking
B. role-based access control (RBAC)
C. Data Discovery & Classification
D. Transparent Data Encryption (TDE)

A. dynamic data masking
Dynamic data masking limits sensitive data exposure by masking it to non-privileged users.

How well did you know this?

Not at all

Perfectly

Store data for multiple users
Ecrypt each users data by using a separate key
Encrypt all the data in the storage account by using customer-managed keys

A. files in a premium file share storage account
B. blobs in a general purpose v2 storage account
C. blobs in an Azure Data Lake Storage Gen2 account
D. files in a general purpose v2 storage account

B. blobs in a general purpose v2 storage account

How well did you know this?

Not at all

Perfectly

You have an Azure App Service web app that uses a system-assigned managed identity.
You need to recommend a solution to store the settings of the web app as secrets in an Azure key vault. The solution must meet the following requirements:
✑ Minimize changes to the app code.
✑ Use the principle of least privilege.

KeyVault Integration method: ?
KeyVault permission for the managed identity: ?

KeyVault Integration method: Application settings
KeyVault permission for the managed identity: Secrets: Get

How well did you know this?

Not at all

Perfectly

You need to recommend a solution to meet the following requirements for the virtual machines that will run App1:
✑ Ensure that the virtual machines can authenticate to Azure Active Directory (Azure AD) to gain access to an Azure key vault, Azure Logic Apps instances, and an Azure SQL database.
✑ Avoid assigning new roles and permissions for Azure services
✑ Avoid storing secrets and certificates on the virtual machines.
✑ Minimize administrative effort for managing identities.

Which type of identity should you include in the recommendation?

A. a system-assigned managed identity
B. a service principal that is configured to use a certificate
C. a service principal that is configured to use a client secret
D. a user-assigned managed identity

D. a user-assigned managed identity

User assigned MI can be shared with more than one Azure resource

How well did you know this?

Not at all

Perfectly

Azure cosmos DB hosts a container that stores continuously updated operational data.
You are designing a solution that will use AS1 to analyze the operational data daily.
You need to recommend a solution to analyze the data without affecting the performance of the operational data store.
What should you include in the recommendation?

A. Azure Cosmos DB change feed
B. Azure Data Factory with Azure Cosmos DB and Azure Synapse Analytics connectors
C. Azure Synapse Link for Azure Cosmos DB
D. Azure Synapse Analytics with PolyBase data loading

C. Azure Synapse Link for Azure Cosmos DB

How well did you know this?

Not at all

Perfectly

The maximum amount of time that the SQL Insights data can be stored in Azure Log Analytics is 30 90 730 indefinite

730

OpenID Connect and OAuth - Choose OpenID Connect and OAuth 2.0 if the application you're connecting to supports it. SAML - Choose SAML whenever possible for existing applications that do not use OpenID Connect or OAuth. Password-based - Choose password-based when the application has an HTML sign-in page. Password-based SSO is also known as password vaulting. Password-based SSO enables you to manage user access and passwords to web applications that don't support identity federation. It's also useful where several users need to share a single account, such as to your organization's social media app accounts. Password-based SSO supports applications that require multiple sign-in fields for applications that require more than just username and password fields to sign in.

The application manages its own credential store. Users must enter a username and password to access the application. The application does NOT support identity providers. You plan to upgrade the application to use single sign-on (SSO) authentication by using an Azure Active Directory (Azure AD) application registration. Which SSO method should you use? A. header-based B. SAML C. password-based D. OpenID Connect

C. password-based

Connect vms from the internet. ✑ Incoming connections to the virtual machines must be authenticated by using Azure Multi-Factor Authentication (MFA) before network connectivity is allowed. ✑ Incoming connections must use TLS and connect to TCP port 443. ✑ The solution must support RDP and SSH. Access the vms on Vnet, use: -Azure Bastion -JIT VM access -Azure Web App firewall(WAF) in Azure Front door Enforce MFA, use: -Azure Identoty Governance access package -Conditional Access policy that has the Cloud apps assignment set to Azure Windows VM Sign-in -Conditional Access policy that has the Cloud apps assignment set to Microsoft Azure Management

Access the vms on Vnet, use: -Azure Bastion (uses port 443) Enforce MFA, use: -Conditional Access policy that has the Cloud apps assignment set to Azure Windows VM Sign-in

All Azure resources must be easily identifiable based on the following operational information: environment, owner, department and cost center. You need to ensure that you can use the operational information when you generate reports for the Azure resources. A. an Azure data catalog that uses the Azure REST API as a data source B. an Azure management group that uses parent groups to create a hierarchy C. an Azure policy that enforces tagging rules D. Azure Active Directory (Azure AD) administrative units

C. an Azure policy that enforces tagging rules

There are 2 companies that use Azure AD. Company A wants to give Contributer access to 10 Company B employees . Employees should use their own credentials A. In the Azure AD tenant of Contoso. create cloud-only user accounts for the Fabrikam developers. B. Configure a forest trust between the on-premises Active Directory forests of Contoso and Fabrikam. C. Configure an organization relationship between the Microsoft 365 tenants of Fabrikam and Contoso. D. In the Azure AD tenant of Contoso, create guest accounts for the Fabnkam developers.

D. In the Azure AD tenant of Contoso, create guest accounts for the Fabnkam developers. B is incorrect because forest is used for internal security not for external access

Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1. A. Configure the Azure AD provisioning service. B. Enable Azure AD pass-through authentication and update the sign-in endpoint. C. Use Azure AD entitlement management to govern external users. D. Configure Azure AD join.

C is correct https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-external-users IF App1 is multi-tenant application, A might be correct since you can provision users from other tenant to App1 and configure App1 to SSO with other tenants.

Grants permissions to allow web apps to access the web APIs: - Azure AD - Azure API Management - The web APIs Configures a JSON Web Token(JWT) validation policy: - Azure AD - Azure API Management - The web APIs

1: Azure AD 2: Azure API Management

You have 100 servers that run Windows Server 2012 R2 and host Microsoft SQL Server 2014 instances. The instances host databases that have the following characteristics: ✑ Stored procedures are implemented by using CLR. ✑ The largest database is currently 3 TB. None of the databases will ever exceed 4 TB. You plan to move all the data from SQL Server to Azure. You need to recommend a service to host the databases. The solution must meet the following requirements: ✑ Whenever possible, minimize management overhead for the migrated databases. ✑ Ensure that users can authenticate by using Azure Active Directory (Azure AD) credentials. ✑ Minimize the number of database changes required to facilitate the migration. A. Azure SQL Database elastic pools B. Azure SQL Managed Instance C. Azure SQL Database single databases D. SQL Server 2016 on Azure virtual machines

B. Azure SQL Managed Instance Azure SQL Database (single or elastic) does not support CLR

You have an Azure subscription that contains an Azure Blob Storage account named store1. You have an on-premises file server named Server1 that runs Windows Server 2016. Server1 stores 500 GB of company files. You need to store a copy of the company files from Server1 in store1. Which two possible Azure services achieve this goal? A. an Azure Logic Apps integration account B. an Azure Import/Export job C. Azure Data Factory D. an Azure Analysis services On-premises data gateway E. an Azure Batch account

B. an Azure Import/Export job C. Azure Data Factory

Multiple Applications should read one transaction info A. one Azure Data Factory pipeline B. multiple storage account queues C. one Azure Service Bus queue D. one Azure Service Bus topic

D. one Azure Service Bus topic

✑ Maximize data throughput. ✑ Prevent the modification of data for one year. ✑ Minimize latency for read and write operations. Storage account type: BlobStorage BlockBlobStorage FileStorage StorageV2 with Premium perf StorageV2 with Standard perf Storage service: Blob File Table

BlockBlobStorage: provide a very low latency

S1: StorageV2 - Standard S2: StorageV2 - Premium S3: BlobStorage - Standard S4: FileStorage - Premium App1: Use Lifecycle management Apps: Store app data in Azure File share App1: S1,S2 S1,S3 S1,S2,S3 S1,S2,S3,S4 App2: S4 S1,S4 S1,S2,S4 S1,S2,S3,S4

App1: Storage1 and storage3 only App2: Storage1 and storage4 only

The application will host video files that range from 50 MB to 12 GB. The application will use certificate-based authentication and will be available to users on the internet. - The solution must provide the fastest read performance and must minimize storage costs. A. Azure Files B. Azure Data Lake Storage Gen2 C. Azure Blob Storage D. Azure SQL Database

C. Azure Blob Storage Stores large amounts of unstructured data, such as text or binary data, that can be accessed from anywhere in the world

You need to recommend a database platform to host the databases. The solution must meet the following requirements: ✑ The solution must meet a Service Level Agreement (SLA) of 99.99% uptime. ✑ The compute resources allocated to the databases must scale dynamically. ✑ The solution must have reserved capacity. Compute charges must be minimized. A. an elastic pool that contains 20 Azure SQL databases B. 20 databases on a Microsoft SQL server that runs on an Azure virtual machine in an availability set C. 20 databases on a Microsoft SQL server that runs on an Azure virtual machine D. 20 instances of Azure SQL Database serverless

A is correct. Elastic pool is needed for SLA 99,95 % and auto scale.

You need to design the database architecture to meet the following requirements: ✑ Support scaling up and down. ✑ Support geo-redundant backups. ✑ Support a database of up to 75 TB. ✑ Be optimized for online transaction processing (OLTP).

Azure SQL Database HyperScale (up to 100TB)

You are planning an Azure IoT Hub solution that will include 50,000 IoT devices. Each device will stream data, including temperature, device ID, and time data. Approximately 50,000 records will be written every second. The data will be visualized in near real time.Which two services can you recommend? A. Azure Table Storage B. Azure Event Grid C. Azure Cosmos DB SQL API D. Azure Time Series Insights

C. Azure Cosmos DB SQL API D. Azure Time Series Insights

✑ Support SQL commands. ✑ Support multi-master writes. ✑ Guarantee low latency read operations. A. Azure Cosmos DB SQL API B. Azure SQL Database that uses active geo-replication C. Azure SQL Database Hyperscale D. Azure Database for PostgreSQL

A. Azure Cosmos DB SQL API Only Cosmos DB supports multi-master writes:

How to migrate data, you can sleect options more than 1? Microsoft SQL Server 2012 -> An Azure SQL DB A table in Microsoft Sql Server 2014 -> Cosmos account that use SQL API AzCopy azure Cosmos Db data migration tool Data Management Gateway Data Migration Assistant

1: Data Migration Assistant 2: Azure Cosmos DB data migration tool

You store web access logs data in Azure Blob Storage. You plan to generate monthly reports from the access logs. You need to recommend an automated process to upload the data to Azure SQL Database every month. A. Microsoft SQL Server Migration Assistant (SSMA) B. Data Migration Assistant (DMA) C. AzCopy D. Azure Data Factory

D. Azure Data Factory

Your on-premises network contains a file server named Server1. Server1 stores 5 ׀¢׀’ of company files that are accessed rarely. You plan to copy the files to Azure Storage. You need to implement a storage solution for the files that meets the following requirements: ✑ The files must be available within 24 hours of being requested. ✑ Storage costs must be minimized. Which two possible storage solutions achieve this goal? A. Create an Azure Blob Storage account that is configured for the Cool default access tier. Create a blob container, copy the files to the blob container, and set each file to the Archive access tier. B. Create a general-purpose v1 storage account. Create a blob container and copy the files to the blob container. C. Create a general-purpose v2 storage account that is configured for the Cool default access tier. Create a file share in the storage account and copy the files to the file share. D. Create a general-purpose v2 storage account that is configured for the Hot default access tier. Create a blob container, copy the files to the blob container, and set each file to the Archive access tier. E. Create a general-purpose v1 storage account. Create a fie share in the storage account and copy the files to the file share.

A, D Archive tier rehydration time is a claimed 15 hours. This meets their needs at the lowest cost.

You have an app named App1 that uses two on-premises Microsoft SQL Server databases named DB1 and DB2. You plan to migrate DB1 and DB2 to Azure You need to recommend an Azure solution to host DB1 and DB2. The solution must meet the following requirements: ✑ Support server-side transactions across DB1 and DB2. ✑ Minimize administrative effort to update the solution. A. two Azure SQL databases in an elastic pool B. two databases on the same Azure SQL managed instance C. two databases on the same SQL Server instance on an Azure virtual machine D. two Azure SQL databases on different Azure SQL Database servers

B. two databases on the same Azure SQL managed instance

✑ Failover between replicas of the database must occur without any data loss. ✑ The database must remain available in the event of a zone outage. ✑ Costs must be minimized. A. Azure SQL Database Hyperscale B. Azure SQL Database Premium C. Azure SQL Database Basic D. Azure SQL Managed Instance General Purpose

B. Azure SQL Database Premium Not A: Hyperscale is more expensive than Premium. Not C: Need Premium for Availability Zones. Not D: Zone redundant configuration that is free on Azure SQL Premium is not available on Azure SQL Managed Instance.

You need to recommend a storage solution that meets the following requirements: ✑ All the data written to storage must be retained for five years. ✑ Once the data is written, the data can only be read. Modifications and deletion must be prevented. ✑ After five years, the data can be deleted, but never modified. ✑ Data access charges must be minimized. Storage Account Type: Archive, Cool, Hot Prevent Modif and Deletion by: Container Access Level, Container Access Policy, Storage Account Access Lock

Hot Container Access Policy

The solution will ingest high volumes of data in the JSON format by using Azure Event Hubs. As the data arrives, Event Hubs will write the data to storage. The solution must meet the following requirements: ✑ Organize data in directories by date and time. ✑ Allow stored data to be queried directly, transformed into summarized tables, and then stored in a data warehouse. ✑ Ensure that the data warehouse can store 50 TB of relational data and support between 200 and 300 concurrent read operations. Which service should you recommend for each type of data store? Datastore for the ingested data: Azure Blob Storage Azure Datalake Storage Gen2 Azure Files Azure Netapp files Datastore for the warehouse: CosmosDb Cassandra API CosmosDb SQL API SQL Database Hyperscale Synapse Analytics dedicated SQL pools

Azure Datalake Storage Gen2 SQL Database Hyperscale

You need to recommend a disaster recovery solution for the data. The solution must meet the following requirements: ✑ Provide the ability to recover in the event of a regional outage. ✑ Support a recovery time objective (RTO) of 15 minutes. ✑ Support a recovery point objective (RPO) of 24 hours. ✑ Support automated recovery. ✑ Minimize costs. A. Azure virtual machine availability sets B. Azure Disk Backup C. an Always On availability group D. Azure Site Recovery

D. Azure Site Recovery

You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements: ✑ Provide access to the full .NET framework. Provide redundancy if an Azure region fails. ✑ Grant administrators access to the operating system to install custom application dependencies. Solution: You deploy two Azure virtual machines to two Azure regions, and you create an Azure Traffic Manager profile. Does this meet the goal?

Yes Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness.

You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements: ✑ Provide access to the full .NET framework. ✑ Provide redundancy if an Azure region fails. ✑ Grant administrators access to the operating system to install custom application dependencies. Solution: You deploy two Azure virtual machines to two Azure regions, and you deploy an Azure Application Gateway. Does this meet the goal?

No App Gateway will balance the traffic between VMs deployed in the same region. Create an Azure Traffic Manager profile instead

You plan to create an Azure Storage account that will host file shares. The shares will be accessed from on-premises applications that are transaction intensive. You need to recommend a solution to minimize latency when accessing the file shares. The solution must provide the highest-level of resiliency for the selected storage tier. What should you include in the recommendation? Storage Tier: Hot, Premium, Transaction optimized Redundancy: Geo-Redundant, Zone-Redundant, Locally-Redundant

Storage: Premium Hot is offered for general urpose file sharing Transaction Optimed: Does not support low latency Redundancy: ZRS Premium file share only supports LRS and ZRS

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements: ✑ Provide access to the full .NET framework. ✑ Provide redundancy if an Azure region fails. ✑ Grant administrators access to the operating system to install custom application dependencies. Solution: You deploy an Azure virtual machine scale set that uses autoscaling. Does this meet the goal?

No Instead, you should deploy two Azure virtual machines to two Azure regions, and you create a Traffic Manager profile.

The application deployment must meet the following requirements: ✑ Ensure that the applications remain available if a single AKS cluster fails. ✑ Ensure that the connection traffic over the internet is encrypted by using SSL without having to configure SSL on each container. A. Azure Front Door B. Azure Traffic Manager C. AKS ingress controller D. Azure Load Balancer

A. Azure Front Door

✑ Prevent new data from being modified for one year. ✑ Maximize data resiliency. ✑ Minimize read latency. Storage Account Type: Premium block blob Standard v1 Standard v2 Redundancy: ZRS LRS

Premium ZRS

You plan to deploy 10 applications to Azure. The applications will be deployed to two Azure Kubernetes Service (AKS) clusters. Each cluster will be deployed to a separate Azure region. The application deployment must meet the following requirements: ✑ Ensure that the applications remain available if a single AKS cluster fails. ✑ Ensure that the connection traffic over the internet is encrypted by using SSL without having to configure SSL on each container. A. Azure Front Door B. Azure Traffic Manager C. AKS ingress controller D. Azure Load Balancer

A. Azure Front Door Traffic Manager does not provide SSL Offloading. And the other options are not global options (multi-region)

✑ Be available if a single Azure datacenter fails. ✑ Support storage tiers. ✑ Minimize cost. Storage Account Type: Premium Standard v1 Standard v2 Redundancy: GRS ZRS LRS RA-GRS

v2, ZRS

App1 stores database connection strings in KV1. App1 performs the following types of requests to KV1: ✑ Get ✑ List ✑ Wrap ✑ Delete Unwrap - ✑ Backup ✑ Decrypt ✑ Encrypt You are evaluating the continuity of service for App1. You need to identify the following if the Azure region that hosts KV1 becomes unavailable: ✑ To where will KV1 fail over? ✑ During the failover, which request type will be unavailable? To where will KV1 failover? A server in the same availability set A server in the same fault domain a server in the paired region a virtual machine in a scale set During failover which requests are unavailable? Get List Wrap Delete Unwrap Backup Decrypt Encrypt

A server in the paired region Delete During failover, your key vault is in read-only mode.

Failover between replicas of the database must occur without any data loss. ✑ The database must remain available in the event of a zone outage. ✑ Costs must be minimized. Which deployment option should you use? A. Azure SQL Managed Instance Business Critical B. Azure SQL Database Premium C. Azure SQL Database Basic D. Azure SQL Managed Instance General Purpose

B. Azure SQL Database Premium A: Azure SQL Managed Instance Business Critical is more expensive. C: Azure SQL Database Basic, and General purpose provide only locally redundant availability.

You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements: ✑ Provide access to the full .NET framework. ✑ Provide redundancy if an Azure region fails. ✑ Grant administrators access to the operating system to install custom application dependencies. Solution: You deploy a web app in an Isolated App Service plan. Does this meet the goal?

✑ Failover between replicas of the database must occur without any data loss. ✑ The database must remain available in the event of a zone outage. ✑ Costs must be minimized. Which deployment option should you use? A. Azure SQL Database Serverless B. Azure SQL Database Business Critical C. Azure SQL Database Basic D. Azure SQL Database Standard

A. Azure SQL Database Serverless

You have an ExpressRoute circuit in the US East Azure region. You need to create an ExpressRoute association to VirtualWAN1. What should you do first? A. Upgrade VirtualWAN1 to Standard. B. Create a gateway on Hub1. C. Enable the ExpressRoute premium add-on. D. Create a hub virtual network in US East.

A. Upgrade VirtualWAN1 to Standard. A basic Azure virtual WAN does not support express route. You have to upgrade to standard.

You have a PowerShell script that identifies and deletes duplicate files in the storage account. Currently, the script is run manually after approval from the operations manager. You need to recommend a serverless solution that performs the following actions: ✑ Runs the script once an hour to identify whether duplicate files exist ✑ Sends an email notification to the operations manager requesting approval to delete the duplicate files ✑ Processes an email response from the operations manager specifying whether the deletion was approved ✑ Runs the script if the deletion was approved What should you include in the recommendation? A. Azure Logic Apps and Azure Event Grid B. Azure Logic Apps and Azure Functions C. Azure Pipelines and Azure Service Fabric D. Azure Functions and Azure Batch

B. Azure Logic Apps and Azure Functions

The on-premises Active Directory domain syncs with Azure Active Directory (Azure AD). Server1 runs an application named App1 that uses LDAP queries to verify user identities in the on-premises Active Directory domain. You plan to migrate Server1 to a virtual machine in Subscription1. A company security policy states that the virtual machines and services deployed to Subscription1 must be prevented from accessing the on-premises network. You need to recommend a solution to ensure that App1 continues to function after the migration. The solution must meet the security policy. What should you include in the recommendation? A. Azure AD Application Proxy B. the Active Directory Domain Services role on a virtual machine C. an Azure VPN gateway D. Azure AD Domain Services (Azure AD DS)

D. Azure AD Domain Services (Azure AD DS) An Azure AD DS managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment.

You need to design a solution that will execute custom C# code in response to an event routed to Azure Event Grid. The solution must meet the following requirements: ✑ The executed code must be able to access the private IP address of a Microsoft SQL Server instance that runs on an Azure virtual machine. ✑ Costs must be minimized. What should you include in the solution? A. Azure Logic Apps in the Consumption plan B. Azure Functions in the Premium plan C. Azure Functions in the Consumption plan D. Azure Logic Apps in the integrated service environment

Correct answer - B Consumption plan cannot access Virtual Network Integration features. Virtual network integration allows your function app to access resources inside a virtual network.

You have an on-premises network and an Azure subscription. The on-premises network has several branch offices. A branch office in Toronto contains a virtual machine named VM1 that is configured as a file server. Users access the shared files on VM1 from all the offices. You need to recommend a solution to ensure that the users can access the shared files as quickly as possible if the Toronto branch office is inaccessible. What should you include in the recommendation? A. a Recovery Services vault and Windows Server Backup B. Azure blob containers and Azure File Sync C. a Recovery Services vault and Azure Backup D. an Azure file share and Azure File Sync

Use Azure File Sync to centralize your organization's file shares in Azure Files

You have an Azure subscription named Subscription1 that is linked to a hybrid Azure Active Directory (Azure AD) tenant. You have an on-premises datacenter that does NOT have a VPN connection to Subscription1. The datacenter contains a computer named Server1 that has Microsoft SQL Server 2016 installed. Server is prevented from accessing the internet. An Azure logic app resource named LogicApp1 requires write access to a database on Server1. You need to recommend a solution to provide LogicApp1 with the ability to access Server1. On-Premises: A web app Proxy for Win Server an Azure AD app Proxy connector Az on-premises data gateway Azure: A connection gateway resource az azure app gateway az azure event grid domain

On-Premises: Az on-premises data gateway Azure: A connection gateway resource

- Store JSON - Low latency - Use SQL like queries A- Azure Blob B- Azure CosmosDB C- Azure HDInsight D- Azure Redis

B- Azure CosmosDB

Your org has 2 CosmosDBs. Which APIs (2) do you suggest to host a JSON file? A- SQL B- Table C- Gremlin D- Cassandra E- MongoDB

D- Cassandra E- MongoDB Table is for key/value pairs Gremlin is for graph queries and stores data as edges and vertices

VM1 - EUS VM2 - EUS VM3 - WUS VM4 - WUS VM1 and VM2 are protected by a recovery service vault. How to protect the rest? A- a new recovery services policy B- a new backup policy C- a new subscription D- a new recovery services vault

D- a new recovery services vault Vaults are location specific

St1 premium LRS St2 standard GRS St3 standard LRS Can you convert St3 to GRS?

YES

you enable Azure Disk Encryption -VolumeType All Then add disks to the VM. Do they get encrpyted?

YES,

'Notify an admin when a VM setting is changed' What to do in Logic App in order? 1- A condition control 2- an action 3- A variable 4- an azure event grid trigger 5- az azure service bus trigger

4 - 1 - 2

What two parameters to set up to ensure that the instance will scale to meet to the workload demands? A- max of cpu cores B- Max of allocaterd storage C- Max resources per DB D- Max resource limit per p of DB

A- max of cpu cores B- Max of allocaterd storage

which tool would you use to monitor Azure AD FS servers? - Azure Security Server - Azure AD Connect Health - Active directory Health Check solution in Azure Log analytics - Active Directory Federation Services Health Check solution in Azure Log A.

- Azure AD Connect Health

HyperV.cluster1 - 3 nodes - 10vm HyperV.cluster2 - 5 nodes - 20vm HyperV.cluster3 - 10 nodes - 30vm how many azure site recovery agents are recommended? how many azure migrate appliances are recommended? - 1 - 3 - 18 - 60

azure site recovery agents: 3 1 per cluster azure migrate appliances: 1 One appliance supports up to 5000 Hyper-V VMs

Only select workstation with static Public IP addresses should be allowed to connect SQL server and perform administration on the database. - azure Network Watcher - server level Ip Firewall rules - Network Security rules - Application security groups

- server level Ip Firewall rules

Req: they are using App Insights they intend to use continius export App insights data needs to be stored for 4 years A- Azure Storage B- Azure Backup C- Azure SQL DB D- Azure Storage Service Encryption (SSE)

A- Azure Storage

- They want to migrate 8 on-premises SQL server to Azure - Solution must be able to host SSIS packages - Solutions needs to ensure that packages can target SQL DB instances as destinactions A- Azure Migration Assistant B- Azure Backup C- Azure Data Factory D- Azure Data Catalog

C- Azure Data Factory

Generate montly record on all the recent ARM resource deployments in a subs. Select 2 A- Azure Advisor B- Azure Activity Log C- Application Insights D- Azure Log analytics E- Azure Mopnitor Action Groups

B- Azure Activity Log D- Azure Log analytics

o Collect log and diagnostic data from all subscriptions and third-party providers into a central repository. o Also, services that analyze log data, detect threats, and provide automatic responses to known events. - Azure Activity Log - Application Insights - Azure Sentinel - Azure Log Analytics - Azure Monitor

- Azure Sentinel If the case is more about security like this one answer is Sentinel otherwise Azure monitor is possible too

The developers want to be notified if thresholds of the transaction response times are not met. What should you recommend for the solution? - Azure Network Watcher - Azure Sentinel - Azure Log Analytics - Application Insights

Application Insights

visualize relationships between application components - Azure application Insights - Azure Service Map - Azure Monitor Logs - Azure Activity Log

- Azure Service Map

The Hyper-V cluster contains 30 virtual machines that run Windows Server 2012 R2. Each virtual machine runs a different workload. The workloads have predictable consumption patterns. You plan to replace the virtual machines with Azure virtual machines that run Windows Server 2016. The virtual machines will be sized according to the consumption pattern of each workload. You need to recommend a solution to minimize the compute costs of the Azure virtual machines. (Select 2) A. Configure a spending limit in the Azure account center. B. Create a virtual machine scale set that uses autoscaling. C. Activate Azure Hybrid Benefit for the Azure virtual machines. D. Purchase Azure Reserved Virtual Machine Instances for the Azure virtual machines. E. Create a lab in Azure DevTest Labs and place the Azure virtual machines in the lab.

C. Activate Azure Hybrid Benefit for the Azure virtual machines. D. Purchase Azure Reserved Virtual Machine Instances for the Azure virtual machines.

Audit log destination region can be in another region other than db and the server T/F

False

The subscription contains 10 resource groups, one for each department at your company. Each department has a specific spending limit for its Azure resources. You need to ensure that when a department reaches its spending limit, the compute resources of the department shut down automatically. Select 2 A. Azure Logic Apps B. Azure Monitor alerts C. the spending limit of an Azure account D. Cost Management budgets E. Azure Log Analytics alerts

A,D

Your company uses Microsoft System Center Service Manager on its on-premises network. You plan to deploy several services to Azure. You need to recommend a solution to push Azure service health alerts to Service Manager. What should you include in the recommendation? A. IT Service Management Connector (ITSM) B. Azure Event Hubs C. Azure Notification Hubs D. Application Insights Connector

ITSMC supports connections with the following ITSM tools: ServiceNow System Center Service Manager Provance Cherwell With ITSMC, you can:

You have an Azure SQL database named DB1 that contains multiple tables. You need to improve the performance of DB1. The solution must minimize administrative effort. What should you use? A. automatic tuning B. Azure Advisor C. Azure Monitor D. Query Performance Insight

A. automatic tuning

You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager resource deployments in your subscription. What should you include in the recommendation? A. Azure Advisor B. Azure Analysis Services C. Azure Monitor action groups D. Azure Log Analytics

D. Azure Log Analytics

You need to recommend a solution to meet the following requirements: ✑ Prevent the IT staff that will perform the deployment from retrieving the secrets directly from Key Vault. ✑ Use the principle of least privilege. Which two actions should you recommend? Each correct answer presents part of the solution. A. Create a Key Vault access policy that allows all get key permissions, get secret permissions, and get certificate permissions. B. From Access policies in Key Vault, enable access to the Azure Resource Manager for template deployment. C. Create a Key Vault access policy that allows all list key permissions, list secret permissions, and list certificate permissions. D. Assign the IT staff a custom role that includes the Microsoft.KeyVault/Vaults/Deploy/Action permission. E. Assign the Key Vault Contributor role to the IT staff.

B,D

You have an Azure subscription that contains web apps in three Azure regions. You need to implement Azure Key Vault to meet the following requirements: ✑ In the event of a regional outage, all keys must be readable. ✑ All the web apps in the subscription must be able to access Key Vault. ✑ The number of Key Vault resources to be deployed and managed must be minimized. How many instances of Key Vault should you implement? A. 1 B. 2 C. 3 D. 6

1 The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away but within the same geography

You have an Azure Active Directory (Azure AD) tenant. You plan to provide users with access to shared files by using Azure Storage. The users will be provided with different levels of access to various Azure file shares based on their user account or their group membership. You need to recommend which additional Azure services must be used to support the planned deployment. What should you include in the recommendation? A. an Azure AD enterprise application B. Azure Information Protection C. an Azure AD Domain Services (Azure AD DS) instance D. an Azure Front Door instance

C. an Azure AD Domain Services (Azure AD DS) instance

what is the correct way of using Authorization and Authentication for CosmosDb? Hash based message authentication code (HMAC) (RBAC) Azure Managed Identity Https Encryption

Authorization: HMAC Authentication: AMI

Customer App: Users must authenticate by using their personal Microsoft accounts and MFA Reporting App: Users must authenticate by their company credentials or personal Microsoft accounts. You must be able to mamnage accounts from Azure AD Azure AD B2C tenant Azure AD v1.0 endpoint Azure AD v2.0 endpoint

Reporting: "Must be able to manage account from Azure AD" thus V2 is correct Customer: B2C supports MFA from personal account V1 is not recommended

How should you describe each identity provider? Sync and fedaration - User management occurs on on-premises. Azure Ad authenticates employees by using on-premises passwords. - User management occurs on on-premises. the on-premises domain controller authenticates employees credentials - Both user management and authentication occurs on Azure AD

synch: User management occurs on on-premises. Azure Ad authenticates employees by using on-premises passwords. federation: User management occurs on on-premises. the on-premises domain controller authenticates employees credentials

Diagnostic settings for an SQL database How to perform Realtime PowerBI reporting - clear send log to analytics - clear SQLInsights - Select archive to srtorage account - select stream to event hub Diagnostic data can be reviewed in ---? - Azure analysis Service - Azure App Insights - Azure SQL analytics - Microsoft SQL server analysis services - SQL Health Check

-select stream to event hub - Data streamed to a Log Analytics workspace can be consumed by SQL Analytics

You plan to use Azure Policy as part of a governance solution. To which three scopes can you assign Azure Policy definitions? Each correct answer presents a complete solution. A. management groups B. subscriptions C. Azure Active Directory (Azure AD) tenants D. resource groups E. Azure Active Directory (Azure AD) administrative units F. compute resources

A. management groups B. subscriptions D. resource groups

You need to design a solution to expose the microservices to the consumer apps. The solution must meet the following requirements: ✑ Ingress access to the microservices must be restricted to a single private IP address and protected by using mutual TLS authentication. ✑ The number of incoming microservice calls must be rate-limited. ✑ Costs must be minimized. What should you include in the solution? A. Azure App Gateway with Azure Web Application Firewall (WAF) B. Azure API Management Premium tier with virtual network connection C. Azure API Management Standard tier with a service endpoint D. Azure Front Door with Azure Web Application Firewall (WAF)

B. Azure API Management Premium tier with virtual network connection Vnet support is only on Premium version.

A company plans to implement an HTTP-based API to support a web app. The web app allows customers to check the status of their orders. The API must meet the following requirements: ✑ Implement Azure Functions. ✑ Provide public read-only operations. ✑ Do not allow write operations. HTTP MEthods: API Methods, Get, Get & Post Authorization Level: Admin, Function,anonymous

HTTP MEthods: Get, Authorization Level: anonymous anonymous: No API key is required. function: A function-specific API key is required. This is the default value if none is provided. admin: The master key is required.

A company named Contoso Ltd., has a single-domain Active Directory forest named contoso.com. Contoso is preparing to migrate all workloads to Azure. Contoso wants users to use single sign-on (SSO) when they access cloud-based services that integrate with Azure Active Directory (Azure AD). You need to identify any objects in Active Directory that will fail to synchronize to Azure AD due to formatting issues. The solution must minimize costs. What should you include in the solution? A. Azure AD Connect Health B. Microsoft Office 365 IdFix C. Azure Advisor D. Password Export Server version 3.1 (PES v3.1) in Active Directory Migration Tool (ADMT)

B. Microsoft Office 365 IdFix

Check for min numbers Level at where to create blueprint def: root M child M subs Level at where to create blueprint assignments: root M child M subs

root M subs

The network contains an Active Directory domain named contoso.com that is synced to Azure Active Directory (Azure AD). All users connect to an Exchange Online. You need to recommend a solution to ensure that all the users use Azure Multi-Factor Authentication (MFA) to connect to Exchange Online from one of the offices. What should you include in the recommendation? A. a virtual network and two Microsoft Cloud App Security policies B. a named location and two Microsoft Cloud App Security policies C. a conditional access policy and two virtual networks D. a conditional access policy and two named locations

D. a conditional access policy and two named locations Named locations Locations are named in the Azure portal under Azure Active Directory > Security > Conditional Access > Named locations. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations can be defined by IPv4/IPv6 address ranges or by countries. To define a named location by IPv4/IPv6 address ranges, you'll need to provide:

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity. The solution must meet the following requirements: ✑ Ensure that the applications can authenticate only when running on the 10 virtual machines. ✑ Minimize administrative effort. What should you include in the recommendation? To answer, select the appropriate options in the answer area. To provision the Azure AD identity: system assigned managed identity user-assiugned managed identity register each app in Azure AD To authenticate, request a token by using Azure AD v1 endpoint Azure AD v2 endpoint Azure instance metadata service identity Oauth2 endpoint

User assigned managed identity = 5 apps on 10 VMs. Endpoint v2 = only one that remains supported and provide authentication. V1 depreciated. IMDS provided info about vm for all processes inside vm, anonymously.

2 tenants, 2 sub for each how many? management group: 1,2,3,4? bluprint def:: 1,2,3,4? blueprint assignments:: 1,2,3,4?

2,2,4

Your company wants to use an Azure Active Directory (Azure AD) hybrid identity solution. You need to ensure that users can authenticate if the internet connection to the on-premises Active Directory is unavailable. The solution must minimize authentication prompts for the users. What should you include in the solution? A. password hash synchronization and Azure AD Seamless Single Sign-On (Azure AD Seamless SSO) B. pass-through authentication and Azure AD Seamless Single Sign-On (Azure AD Seamless SSO) C. an Active Directory Federation Services (AD FS) server

A. password hash synchronization and Azure AD Seamless Single Sign-On (Azure AD Seamless SSO)

Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment. Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network. You need to enable single sign-on (SSO) for company users. Solution: Install and configure an Azure AD Connect server to use password hash synchronization and select the `Enable single sign-on` option. Does the solution meet the goal?

YES

You need to create an Azure Storage account that uses a custom encryption key. What do you need to implement the encryption? A. a certificate issued by an integrated certification authority (CA) and stored in Azure Key Vault B. a managed identity that is configured to access the storage account C. an Azure Active Directory Premium subscription D. an Azure key vault in the same Azure region as the storage account

B. a managed identity that is configured to access the storage account

Your company purchases an app named App1. You need to recommend a solution to ensure that App1 can read and modify access reviews. What should you recommend? A. From API Management services, publish the API of App1, and then delegate permissions to the Microsoft Graph API. B. From the Azure Active Directory admin center, register App1. From the Access control (IAM) blade, delegate permissions. C. From the Azure Active Directory admin center, register App1, and then delegate permissions to the Microsoft Graph API. D. From API Management services, publish the API of App1. From the Access control (IAM) blade, delegate permissions.

C. From the Azure Active Directory admin center, register App1, and then delegate permissions to the Microsoft Graph API.

You plan to use Azure Monitor to monitor user sign-ins and generate alerts based on specific user sign-in events. You need to recommend a solution to trigger the alerts based on the events. What should you include in the recommendation? Send Azure AD logs to: Event Hub Log Analytics ws Storage Account Signal Type: Activity Log Log Metric

Send Azure AD logs to: Log Analytics ws Signal Type: Log

Match API Management grant types: 1- Authorization code 2- Implicit 3- Resource Owner Password 4- Client Credentials a- Server-side apps such as web apps b- Machine-to-machine, backend services c- Highly trusted apps d- Not secure apps such as mobile or single page apps

1-a 2-d 3-c 4-b

You have 500 Azure web apps in the same Azure region. The apps use a premium Azure key vault for authentication. A developer reports that some authentication requests are being throttled. You need to recommend a solution to increase the available throughput of the key vault. The solution must minimize costs. What should you recommend? A. Change the pricing tier. B. Configure geo-replication. C. Configure load balancing for the apps. D. Increase the number of key vaults in the subscription.

D. Increase the number of key vaults in the subscription.

Occasionally, the developers at the company must stop, start, and restart Azure virtual machines. The development team changes often. You need to recommend a solution to provide the developers with the required access to the virtual machines. The solution must meet the following requirements: ✑ Provide permissions only when needed. ✑ Use the principle of least privilege. ✑ Minimize costs. What should you include in the recommendation? Active Directory licence: Free Premium P1 Premium P2 Security Feature: JIT Condiitonal access policy PIM

P2, PIM JIT is for RDP and SSH access not resource control

You have the Free edition of a hybrid Azure Active Directory (Azure AD) tenant. The tenant uses password hash synchronization. You need to recommend a solution to meet the following requirements: ✑ Prevent Active Directory domain user accounts from being locked out as the result of brute force attacks targeting Azure AD user accounts. ✑ Block legacy authentication attempts to Azure AD integrated apps. ✑ Minimize costs. What should you recommend for each requirement? Prevent brut force attacks: Azure AD Pass Protection conditional access Pass-through authentication Smart lockout Block legacy authentication: Azure AD App Proxy Azure AD Pass Protection Conditional Access Policy enable Security defauts

Smart lockout (is enabled for every customers but needs P1 for customization) Security Defaults

You need to recommend a solution to identify which administrative user accounts have NOT signed in during the previous 30 days. Which service should you include in the recommendation? A. Azure AD Privileged Identity Management (PIM) B. Azure AD Identity Protection C. Azure Advisor D. Azure Activity Log

PIM

A company deploys Azure Active Directory (Azure AD) Connect to synchronize identity information from their on-premises Active Directory Domain Services (AD DS) directory to their Azure AD tenant. The identity information that is synchronized includes user accounts, credential hashes for authentication (password sync), and group memberships. The company plans to deploy several Windows and Linux virtual machines (VMs) to support their applications. The VMs have the following requirements: ✑ Support domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy. ✑ Allow users to sign in to the domain using their corporate credentials and connect remotely to the VM by using Remote Desktop. You need to support the VM deployment. Which service should you use? A. Active Directory Federation Services (AD FS) B. Azure AD Privileged Identity Management C. Azure Managed Identity D. Azure AD Domain Services

D. Azure AD Domain Services

You are designing a software as a service (SaaS) application that will enable Azure Active Directory (Azure AD) users to create and publish online surveys. The SaaS application will have a front-end web app and a back-end web API. The web app will rely on the web API to handle updates to customer surveys. You need to design an authorization flow for the SaaS application. The solution must meet the following requirements: ✑ To access the back-end web API, the web app must authenticate by using OAuth 2 bearer tokens. ✑ The web app must authenticate by using the identities of individual users. Access token generated by: Azure AD A web App A web API Authorization decisions will be performed by: Azure AD A web app A web API

Azure AD A web API: Since the web app authenticates by using the identities of individual users, API has the knowledge of the user so it can make authorization decisions

You manage an Azure environment for a company. The environment has over 25,000 licensed users and 100 mission-critical applications. You need to recommend a solution that provides advanced user threat detection and remediation strategies. What should you recommend? A. Azure Active Directory (Azure AD) authentication B. Microsoft Identity Manager C. Azure Active Directory (Azure AD) Identity Protection D. Azure Active Directory Federation Services (AD FS) E. Azure Active Directory (Azure AD) Connect

C. Azure Active Directory (Azure AD) Identity Protection

You need to deploy 50 databases. The solution must meet the following requirements: ✑ Support automatic scaling. ✑ Minimize Microsoft SQL Server licensing costs. Purchase Model: DTU CPU reserved Deployment Option: MAnaged Instance Elastic Pool SQL Server Always On Availablilty Group

Reserved Elastic Pool: ✑ Elastic pool is a collection of single databases with a shared set of resources, such as CPU or memory. Single databases can be moved into and out of an elastic pool.

You have an Azure virtual machine named VM1 that runs Windows Server 2019 and contains 500 GB of data files. You are designing a solution that will use Azure Data Factory to transform the data files, and then load the files to Azure Data Lake Storage. What should you deploy on VM1 to support the design? A. the Azure Pipelines agent B. the Azure File Sync agent C. the On-premises data gateway D. the self-hosted integration runtime

D. the self-hosted integration runtime If your data store is located inside an on-premises network, an Azure virtual network, or Amazon Virtual Private Cloud, you need to configure a self-hosted integration runtime to connect to it.

You plan to create an Azure Cosmos DB account that uses the SQL API. The account will contain data added by a web application. The web application will send data daily. You need to recommend a notification solution that meets the following requirements: ✑ Sends email notifications when data is received from the web application ✑ Minimizes compute cost What should you include in the recommendation? A. Deploy an Azure logic app that has a SendGrid connector configured to use an Azure Cosmos DB action. B. Deploy a function app that is configured to use the Consumption plan and an Azure Event Hubs binding. C. Deploy a function app that is configured to use the Consumption plan and a SendGrid binding. D. Deploy an Azure logic app that has a webhook configured to use a SendGrid action.

C. Deploy a function app that is configured to use the Consumption plan and a SendGrid binding. Function apps support triggers for CosmosDB, logic apps do not.

You need to use Azure Data Factory to copy the data from Server1 to Azure Storage. You add a new data factory. What should you do next? Server: -Install Azure File sync Agent -Install a self hosted integration run time -Install the File Server Resource Manage role Service Data Factory: - Create a pipeline - Create an import/ export job - Provision an Azure SQL Server Integration Services

Server: Install a self hosted integration run time Data Factory: - Create a pipeline

✑ Be available if a single Azure datacenter fails. ✑ Support storage tiers. ✑ Minimize cost Account Type: Blob General V1 General V2 Replication Solution: GRS ZRS LRS RA-GRS

Account Type: StorageV2 Replication solution: Zone-redundant storage (ZRS) The blobstorage and StorageV1 doesn't support ZRS replication.

You have 100 devices that write performance data to Azure Blob storage. You plan to store and analyze the performance data in an Azure SQL database. You need to recommend a solution to move the performance data to the SQL database. What should you include in the recommendation? A. Azure Database Migration Service B. Azure Data Factory C. Azure Data Box D. Data Migration Assistant

B. Azure Data Factory

✑ The largest database is currently 3 TB. None of the databases will ever exceed 4 TB. ✑ Stored procedures are implemented by using CLR. You plan to move all the data from SQL Server to Azure. You need to recommend an Azure service to host the databases. The solution must meet the following requirements: ✑ Whenever possible, minimize management overhead for the migrated databases. ✑ Minimize the number of database changes required to facilitate the migration. ✑ Ensure that users can authenticate by using their Active Directory credentials. A. Azure SQL Database elastic pools B. Azure SQL Database Managed Instance C. Azure SQL Database single databases D. SQL Server 2016 on Azure virtual machines

B. Azure SQL Database Managed Instance

The order processing system will have the following transaction flow: ✑ A customer will place an order by using App1. ✑ When the order is received, App1 will generate a message to check for product availability at vendor 1 and vendor 2. ✑ An integration component will process the message, and then trigger either Function1 or Function2 depending on the type of order. ✑ Once a vendor confirms the product availability, a status message for App1 will be generated by Function1 or Function2. ✑ All the steps of the transaction will be logged to storage1. Which type of resource should you recommend for the integration component? A. an Azure Data Factory pipeline B. an Azure Service Bus queue C. an Azure Event Grid domain D. an Azure Event Hubs capture

A. an Azure Data Factory pipeline

You have 70 TB of files on your on-premises file server. You need to recommend solution for importing data to Azure. The solution must minimize cost. What Azure service should you recommend? A. Azure StorSimple B. Azure Batch C. Azure Data Box D. Azure Stack Hub

C. Azure Data Box

You plan to design a data protection strategy to encrypt the virtual disks. You need to recommend a solution to encrypt the disks by using Azure Disk Encryption. The solution must provide the ability to encrypt operating system disks and data disks. What should you include in the recommendation? A. a certificate B. a key C. a passphrase D. a secret

B. a key

You have an application named App1. App1 generates log files that must be archived for five years. The log files must be readable by App1 but must not be modified. Which storage solution should you recommend for archiving? A. Ingest the log files into an Azure Log Analytics workspace B. Use an Azure Blob storage account and a time-based retention policy C. Use an Azure Blob storage account configured to use the Archive access tier D. Use an Azure file share that has access control enabled

Time-based retention policy support: Users can set policies to store data for a specified interval. When a time-based retention policy is set, blobs can be created and read, but not modified or deleted. After the retention period has expired, blobs can be deleted but not overwritten.

Automated backup v2 of a SQL Server - Be able to meet a recovery point objective of 15 min - Retain backups for 30 days - Encrpyt the backups at rest A- Elastic DB kobs B- Azure Keyvault C- Azure Storage account D- Revovery Service Vault

C- Azure Storage account For Automated backup v2 storage accoutn is used

186.16.0.0/16is the on-premise network. You need design a virtual network that will use site-to-site VPN connection. there will be 20 VMs. Whic address space is ok for gateway subnet? A- 186.16.0.0/16 B- 186.16.255.0/27 C- 192.168.0.0/24 D- 192.168.0.0/28

D- 192.168.0.0/28 /27 or /28 is the advised subnet space for gateway

There is an archived file on Azure Storage(Auth type: Access Key). To access the file what should be done first? A- Generate snapshot B- Modify access tier C- Generate a sas token D- Modify the type of blob

B- Modify access tier To access archived files, one should be rehydrated(hot or cool) first

A- Express Route B- VNet Peering C- Vpn Gateway 1- Private bridge between Azure VNetworks 2- Private bridge between Azure Vnetwork and on-premise networks 3- Bridge to the Azure VNetwork on public internet

A- 2 B- 1 C- 3

Centralized key management and stores the database secrets in an isolated and secure component that enables you ti safeguard crytographic keys for your cloud applications, using FIPS 140-2 level 3. Which solution is enough? A- Premium Key Vault B- Standard Keyvault C- Key Vault Managed HSM

C- Key Vault Managed HSM

az305 Flashcards

(135 cards)