bakom väggen Flashcards

1
Q

You have an Azure subscription.
In the Azure portal, you plan to create a storage account named storage1 that will have the following settings:
✑ Performance: Standard
✑ Replication: Zone-redundant storage (ZRS)
✑ Access tier (default): Cool
✑ Hierarchical namespace: Disabled
You need to ensure that you can set Account kind for storage1 to BlockBlobStorage.
Which setting should you modify first?
A. Performance
B. Replication
C. Access tier (default)
D. Hierarchical namespace

A

A. Performance

Select Standard performance for general-purpose v2 storage accounts (default). This type of account is recommended by Microsoft for most scenarios. For more information, see Types of storage accounts.

Select Premium for scenarios requiring low latency. After selecting Premium, select the type of premium storage account to create. The following types of premium storage accounts are available:

Block blobs
File shares
Page blobs

2
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.

A user named User1 has the following roles for Subscription1:

  • Reader
  • Security Admin
  • Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

A. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
B. Assign User1 the Contributor role for VNet1.
C. Assign User1 the Owner role for VNet1.
D. Assign User1 the Network Contributor role for RG1.

A

C. Assign User1 the Owner role for VNet1.

3
Q

Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.
Which of the following actions should you take?
A. You should only stop one of the VMs.
B. You should stop two of the VMs.
C. You should stop all three VMs.
D. You should remove the necessary VM from the availability set.

A

C. You should stop all three VMs.

If the VM you wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in the availability set.
All VMs in the availability set must be stopped before resizing to a size that requires different hardware because all running VMs in the availability set must use the same physical hardware cluster. Therefore, if changing the VM size requires a change of physical hardware cluster, all VMs must first be stopped and then restarted one by one on a different physical hardware cluster.

4
Q

You have an Azure subscription that contains a storage account named storage1 in the North Europe Azure region.

You need to ensure that when blob data is added to storage1, a secondary copy is created in the East US region. The solution must minimize administrative effort.

What should you configure?

A. operational backup
B. object replication
C. geo-redundant storage (GRS)
D. a lifecycle management rule

A

B. object replication

Object replication is a feature that allows you to replicate data, such as blobs, across different storage accounts or containers within the same storage account. This can be configured to automatically copy data from one storage location to another, either within the same region or across different regions. Object replication can be used to create disaster recovery solutions or to distribute data globally for better performance and availability.
It is similar to GRS but it is more flexible as you can choose the storage account and container to replicate the data.
With GRS, a secondary copy of the data is stored in a different region. The exact location of the secondary region depends on the specific Azure region you have selected. For the North Europe region, the secondary copy is stored in the West Europe region. This means that if there is an outage or disaster in the North Europe region, your data will still be available in the West Europe region. This provides a high level of data durability and protection.

5
Q

You plan to create the Azure web apps shown in the following table.

WebApp1 - .NET 6 (LTS)
WebApp2 - ASP.NET V4.8
WebApp3 - PHP 8.1
WebApp4 - Python 3.11

What is the minimum number of App Service plans you should create for the web apps?

A. 1
B. 2
C. 3
D. 4

A

B. 2

Can run only on Windows: .NET, ASP.NET
Can run only on Linux: Python
Can run on either Windows/Linux: PHP

From Azure documentation:
ASP.NET Core (on Windows or Linux)
ASP.NET (on Windows)
PHP (on Windows or Linux)
Ruby (on Linux)
Node.js (on Windows or Linux)
Java (on Windows or Linux)
Python (on Linux)
HTML
Custom container (Windows or Linux)

6
Q

You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a container named container1.

You need to configure access to container1. The solution must meet the following requirements:
* Only allow read access.
* Allow both HTTP and HTTPS protocols.
* Apply access permissions to all the content in the container.

What should you use?

A. an access policy
B. a shared access signature (SAS)
C. Azure Content Delivery Network (CDN)
D. access keys

A

B. a shared access signature (SAS)

To configure read access to a container in an Azure Storage account while allowing both HTTP and HTTPS protocols and applying access permissions to all the content in the container, you should use a Shared Access Signature (SAS).

Therefore, the correct option is:

B. a shared access signature (SAS)

Shared Access Signatures (SAS) are used to grant limited access to specific resources in your storage account while maintaining fine-grained control over the allowed operations, including read access. You can create a SAS token with the necessary permissions and then provide this token to the users or applications that need access to the container.

7
Q

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table.
Name | User type | on-prem sync enabled
USER1 | Member | NO
USER2 | Member | YES
USER3 | Guest | NO

You need to modify the JobTitle and UsageLocation attributes for the users.

For which users can you modify the attributes from Azure AD?
1. JobTitle?
2. UsageLocation?

A
  1. USER1 and USER2
  2. USER1, USER2 and USER3

Users syncing from an on-premises AD to AAD cannot have the job title altered in AAD. It would need to be done in the local AD, as AADC by default synchronizes the jobTitle property. Usage location is set only on the cloud side for all users, and guest users can have their job titles set as well as cloud-native (AAD) users.

8
Q

Your company has a Microsoft Azure subscription.
The company has datacenters in Los Angeles and New York.
You are configuring the two datacenters as geo-clustered sites for site resiliency.
You need to recommend an Azure storage redundancy option.
You have the following data storage requirements:
✑ Data must be stored on multiple nodes.
✑ Data must be stored on nodes in separate geographic locations.
✑ Data can be read from the secondary location as well as from the primary location.

Which of the following Azure storage redundancy options should you recommend?

A. Geo-redundant storage
B. Read-only geo-redundant storage
C. Zone-redundant storage
D. Locally redundant storage

A

B. Read-only geo-redundant storage

RA-GRS allows you to have higher read availability for your storage account by providing read only access to the data replicated to the secondary location. Once you enable this feature, the secondary location may be used to achieve higher availability in the event the data is not available in the primary region.

9
Q

You have two Azure App Service apps named App1 and App2. Each app has a production deployment slot and a test deployment slot.
The Backup Configuration settings for the production slots are shown in the following table.

App | Backup Every | Start from | Retention (days)
App1 | 1 Days | Jan 6, 2021 | 0
App2 | 1 Days | Jan 6, 2021 | 30

Statements:
1. On Jan 15, 2021, App1 will have only one backup in storage? Y/N
2. On Feb 6, 2021, you can access the backup of the App2 test slot from Jan 15, 2021? Y/N
3. On Jan 15, 2021, you can restore the App2 production slot backup from Jan 6 to the test slot? Y/N

A
  1. No - On January 15, 2021, App1 will have only one backup in storage: No. App1 is configured to backup every day starting from January 6, 2021, and retains each backup for 30 days. So on January 15, 2021, there will be 10 backups in storage (from January 6 to January 15).
  2. No - On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021: No. The backup configuration settings provided are for the production slots of App1 and App2. Unless the test slots have the same settings, we cannot assume that a backup from January 15, 2021 for the App2 test slot will be accessible on February 6, 2021.
  3. Yes - On January 15, 2021, you can restore the App2 production slot backup from January 6 to the App2 test slot: Yes. The backups for App2 are retained for 30 days. So a backup from January 6 would still be available on January 15 and could be restored to any slot including the test slot.
10
Q

You have an Azure virtual machine named VM1 and an Azure key vault named Vault1.

On VM1, you plan to configure Azure Disk Encryption to use a key encryption key (KEK).

You need to prepare Vault1 for Azure Disk Encryption.

Which two actions should you perform on Vault1? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Select Azure Virtual machines for deployment.
B. Create a new key.
C. Create a new secret.
D. Configure a key rotation policy.
E. Select Azure Disk Encryption for volume encryption.

A

B & E

To prepare Vault1 for Azure Disk Encryption with a key encryption key (KEK):

  1. You need to have a key in the Key Vault. This will be the KEK. Azure Disk Encryption uses BitLocker for Windows VMs, which requires a key for encrypting the data disk. If you’re using a KEK, the BEK (BitLocker Encryption Key) will be wrapped by this KEK.

So, you should:
B. Create a new key.

  2. The key vault itself should be configured for Azure Disk Encryption. This ensures the vault is set up to work with Azure VMs and their disks.

Therefore:
E. Select Azure Disk Encryption for volume encryption.

So, the correct actions are B and E.

11
Q

You have downloaded an Azure Resource Manager (ARM) template to deploy numerous virtual machines (VMs). The ARM template is based on a current VM, but must be adapted to reference an administrative password.
You need to make sure that the password cannot be stored in plain text.
You are preparing to create the necessary components to achieve your goal.
Which of the following should you create to achieve your goal?

A. An Azure Key Vault
B. An Azure Storage Account
C. Azure Active Directory (AD/Entra ID) identity protection
D. An access policy
E. An Azure policy
F. A backup policy

A

A & D

I agree: key vault + access policy.
But please note that now the access policy is considered a legacy way to provide access to the key vault. Now you can use RBAC.

12
Q

You have an Azure virtual machine (VM) that has a single data disk. You have been tasked with attaching this data disk to another Azure VM.
You need to make sure that your strategy allows for the virtual machines to be offline for the least amount of time possible.
Which of the following is the action you should take FIRST?
A. Stop the VM that includes the data disk.
B. Stop the VM that the data disk must be attached to.
C. Detach the data disk.
D. Delete the VM that includes the data disk.

A

C.

You can simply detach a data disk from one VM and attach it to the other VM without stopping either of the VMs.

13
Q

Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.

Which of the following actions should you take?
A. You should only stop one of the VMs.
B. You should stop two of the VMs.
C. You should stop all three VMs.
D. You should remove the necessary VM from the availability set.

A

C. You should stop all three VMs.

If the VM you wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in the availability set.
All VMs in the availability set must be stopped before resizing to a size that requires different hardware because all running VMs in the availability set must use the same physical hardware cluster. Therefore, if changing the VM size requires a change of physical hardware cluster, all VMs must first be stopped and then restarted one by one on a different physical hardware cluster.

14
Q

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premises Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.

Does the solution meet the goal?
A. Yes
B. No

A

Answer is B (No).
Initial will perform a full sync and add the user account created, but it will take time.
Delta will kick off a delta sync and bring only the last change, so it will be “immediately” and will fulfill the requirements.

15
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.

A user named User1 has the following roles for Subscription1:

  • Reader
  • Security Admin
  • Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

A. Assign User1 the Contributor role for VNet1.
B. Assign User1 the Network Contributor role for VNet1.
C. Assign User1 the User Access Administrator role for VNet1.
D. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.

A

C. Assign User1 the User Access Administrator role for VNet1.

To allow User1 to assign the Reader role for VNet1 to other users, User1 needs to have permissions related to Azure RBAC (Role-Based Access Control).

Among the listed options:

A. Assign User1 the Contributor role for VNet1. - The Contributor role allows a user to manage everything except access.

B. Assign User1 the Network Contributor role for VNet1. - This role provides permissions to manage networking resources, not role assignments.

C. Assign User1 the User Access Administrator role for VNet1. - This role provides permissions to manage user access to Azure resources, which means User1 can assign roles to other users for VNet1.

D. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1. - This does not directly provide User1 with permissions to manage user acces

16
Q

You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.
Does this meet the goal?

A. Yes
B. No

A

A. Yes

This meets the goal because the Logic App Contributor role on the Dev resource group will allow the Developers group to create and manage Azure logic apps in that resource group. According to the web search results, the Logic App Contributor role has the following actions: Microsoft.Logic/*, Microsoft.Resources/deployments/*, Microsoft.Resources/subscriptions/resourceGroups/read, and Microsoft.Support/*. These actions are sufficient for creating and managing logic apps in the Dev resource group. Therefore, the solution is correct.

17
Q

You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:

Name | Type | Description
VM1 | Virtual machine | Is running and backed up daily
Vault1 | Recovery service vault | Includes backups of VM1
VNET1 | Virtual network | Has a resource lock of type delete

You need to delete TestRG.
What should you do first?
A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1
B. Remove the resource lock from VNET1 and delete all data in Vault1
C. Turn off VM1 and remove the resource lock from VNET1
D. Turn off VM1 and delete all data in Vault1

A

Correct Answer: B

When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and currently stored operations.

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have.

You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.

So you have to remove the lock in order to delete the VNET, and delete the backups in order to delete the vault.

18
Q

You have an Azure subscription that uses Azure AD Privileged Identity Management (PIM).

A user named User1 is eligible for the Billing administrator role.

You need to ensure that the role can only be used for a maximum of two hours.

What should you do?

A. Create a new access review.
B. Edit the role assignment settings.
C. Update the end date of the user assignment.
D. Edit the role activation settings.

A

D. Edit the role activation settings

To ensure that the Billing administrator role can only be used for a maximum of two hours, you need to edit the role activation settings. To do this, follow these steps:
1. Sign in to the Azure portal.
2. Go to Azure Active Directory > Privileged Identity Management.
3. Click Roles > Role settings.
4. Select the Billing administrator role.
5. Under Activation maximum duration, set the maximum duration to 2 hours.
6. Click Save.
Once you have edited the role activation settings, User1 will be able to activate the Billing administrator role for a maximum of two hours at a time. After two hours, the role assignment will automatically expire.

19
Q

Your company has an Azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Container blade.
Does the solution meet the goal?
A. Yes
B. No

A

B. No - you should access the Resource blade

20
Q

You have an Azure subscription named Sub1 that contains the Azure resources shown in the following table.

NAME | TYPE
RG1 | Resource Group
storage1 | Storage Account
VNET1 | Virtual Network

You assign an Azure policy that has the following settings:
✑ Scope: Sub1
✑ Exclusions: Sub1/RG1/VNET1
✑ Policy definition: Append a tag and its value to resources
✑ Policy enforcement: Enabled
✑ Tag name: Tag4
✑ Tag value: value4
You assign tags to the resources as shown in the following table.

RESOURCE | TAG
Sub1 | Tag1: subscription
RG1 | Tag2: IT
storage1 | Tag3: value1
VNET1 | Tag4: value2

  1. RG1 has the Tag2:IT tag assigned to it? Y/N
  2. storage1 has Tag1, Tag2, Tag3 and Tag4 assigned? Y/N
  3. VNET1 has Tag2 and Tag3 assigned only? Y/N
A

1: No -
The Azure Policy will add Tag4 to RG1.

2: No -
Tags applied to the resource group or subscription aren’t inherited by the resources although you can enable inheritance with Azure Policy. Storage1 has Tag3: Value1 and the Azure Policy will add Tag4.

3: No -
Tags applied to the resource group or subscription aren’t inherited by the resources so VNET1 does not have Tag2.
VNET1 has Tag3:value2. VNET1 is excluded from the Azure Policy so Tag4 will not be added to VNET1.

21
Q

You have an Azure subscription that contains the resources shown in the following table.

RG = Resource Group
VMSS = Virtual Machine scale set
PPG = Proximity placement group

NAME | TYPE | RESOURCE GROUP | LOCATION
RG1 | RG | not applicable | Central US
RG2 | RG | not applicable | West US
VMSS1 | VMSS | RG2 | West US
Prox1 | PPG | RG1 | Central US
Prox2 | PPG | RG2 | West US
Prox3 | PPG | RG1 | Central US

You need to configure a proximity placement group for VMSS1.
Which proximity placement groups should you use?

A. Proximity2 only
B. Proximity1, Proximity2, and Proximity3
C. Proximity1 only
D. Proximity1 and Proximity3 only

A

Correct Answer: A

Placement Groups is a capability to achieve co-location of your Azure Infrastructure as a Service (IaaS) resources and low network latency among them, for improved application performance.

Azure proximity placement groups represent a new logical grouping capability for your Azure Virtual Machines, which in turn is used as a deployment constraint when selecting where to place your virtual machines. In fact, when you assign your virtual machines to a proximity placement group, the virtual machines are placed in the same data center, resulting in lower and deterministic latency for your applications.

The VMSS should share the same region as the proximity placement group, and even the same zone, because proximity placement groups are located in the same data center. Accordingly, it should be Proximity2 only.

22
Q
A