Exam Questions Flashcards

1
Q

Q1

Your company has serval departments. Each department has a number of virtual machines (VMs).
The company has an Azure subscription that contains a resource group named RG1.
All VMs are located in RG1.
You want to associate each VM with its respective department.
What should you do?

A Create Azure Management Groups for each department.
B Create a resource group for each department.
C Assign tags to the virtual machines.
D Modify the settings of the virtual machines.

A

Correct Answer C

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Q2

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.

Solution: You access the multi-factor authentication page to alter the user settings.
Does the solution meet the goal?

A Yes
B No

A

Correct Answer: B

The correct approach for ensuring that members of the Global Administrators group use Multi-Factor Authentication and an Azure AD-joined device from untrusted locations is through a Conditional Access policy. Adjusting the multi-factor authentication settings alone, as the proposed solution suggests, does not address the requirement for the device state or the specific user group conditions. Conditional Access policies enable granular control to enforce MFA and check if the device is Azure AD-joined, crucially meeting all the conditions set in the scenario. Hence, altering the conditional access policy within Azure AD is the right method.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Q3

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.

Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy.
Does the solution meet the goal?

A Yes
B No

A

Correct Answer: B

The provided solution does not meet the requirement because it incorrectly focuses on altering session control rather than grant control. To correctly configure the Azure AD conditional access policy as required, one must adjust the grant control settings. This involves ensuring that the policy mandates Multi-Factor Authentication and the use of an Azure AD-joined device for Global Administrators accessing Azure AD from untrusted locations. Hence, changing the grant control is necessary to enforce these specific conditions effectively.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Q4

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.

Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy.

Does the solution meet the goal?

A Yes
B No

A

Correct Answer: A

Yes, the solution provided is indeed suitable for meeting the specified goal. When configuring Azure AD conditional access policies, altering the grant control settings through the Azure portal is the correct approach. This method allows administrators to enforce requirements for Multi-Factor Authentication and the use of Azure AD-joined devices for members of the Global Administrators group when accessing from untrusted locations. This ensures that both authentication factors are in place, enhancing security protocols effectively.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Q5

You are planning to deploy an Ubuntu Server virtual machine to your company’s Azure subscription.
You are required to implement a custom deployment that includes adding a particular trusted root certification authority (CA).

Which of the following should you use to create the virtual machine?

A The New-AzureRmVm cmdlet.
B The New-AzVM cmdlet.
C The Create-AzVM cmdlet.
D The az vm create command.

A

Correct Answer: D

The az vm create command. you need to create an Ubuntu Linux VM using a cloud-init script for configuration.

For example,

az vm create -g MyResourceGroup -n MyVm --image debian --custom-data MyCloudInitScript.yml

Reference 1
Reference 2

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Q6

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model.
After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.

Solution: You reconfigure the existing usage model via the Azure portal.

Does the solution meet the goal?

A Yes
B No

A

Correct Answer: B

Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your existing server with activation credentials from the new provider.

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Q7

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company’s Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model.

After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.

Solution: You reconfigure the existing usage model via the Azure CLI.

Does the solution meet the goal?

A Yes
B No

A

Correct Answer: B

Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your existing server with activation credentials from the new provider.

Reference

The usage model for Multi-Factor Authentication (MFA) in Azure AD is a crucial factor to consider when implementing MFA for your organization.

Once an MFA provider is created, the usage model cannot be changed.

Carefully evaluate your organization’s needs and future plans before selecting a usage model (per enabled user or per authentication).
Incorrectly choosing a usage model can lead to unexpected costs or limitations.
Therefore, it’s essential to plan ahead and potentially create multiple MFA providers if you anticipate changes in your MFA requirements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Q8

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company’s Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model.

After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.

Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.

Does the solution meet the goal?

A Yes
B No

A

Correct Answer: A

Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your existing server with activation credentials from the new provider.

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Q9

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.

Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.

Does the solution meet the goal?

A Yes
B No

A

Correct Answer: B

B. No

The Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet will force an initial synchronization of your on-premises Active Directory with Azure AD. This will sync all objects, including the newly added users, to Azure AD.

However, this cmdlet does not change the MFA configuration or enforce MFA for the new users. It only synchronizes the user objects to Azure AD.

To enforce MFA for the new users, you would need to:

  1. Enable MFA for the new users: This can be done through the Azure AD portal or using PowerShell cmdlets.
  2. Configure the MFA policy: Ensure the correct MFA policy (per enabled user) is applied to the users.

Therefore, while the cmdlet is useful for synchronizing user objects, it does not address the core issue of enforcing MFA for the new users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Q10

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.

Solution: You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller.

Does the solution meet the goal?

A Yes
B No

A

B. No

Using Active Directory Sites and Services to force replication of the Global Catalog on a domain controller will not enforce Multi-Factor Authentication (MFA) for new users.

While it’s essential to have a healthy Active Directory environment, including proper Global Catalog replication, this action does not directly address the MFA requirement.

To enforce MFA for new users, you need to:
1. Enable MFA for the specific users in Azure AD.
2. Configure the correct MFA policy (per enabled user) to apply to these users.

These steps are focused on the authentication and authorization aspect, which is directly related to MFA enforcement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Q11

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.

Solution: You restart the NetLogon service on a domain controller.

Does the solution meet the goal?

A Yes
B No

A

No.

As described here

If you need to manually run a sync cycle, then from PowerShell run Start-ADSyncSyncCycle -PolicyType Delta.

To initiate a full sync cycle, run Start-ADSyncSyncCycle -PolicyType Initial from a PowerShell prompt.

Running a full sync cycle can be very time consuming, so if you need to replicate the user information to Azure AD immediately then run Start-ADSyncSyncCycle -PolicyType Delta.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Q12

Your company has a Microsoft Azure subscription.
The company has datacenters in Los Angeles and New York.
You are configuring the two datacenters as geo-clustered sites for site resiliency.
You need to recommend an Azure storage redundancy option.
You have the following data storage requirements:

✑ Data must be stored on multiple nodes.
✑ Data must be stored on nodes in separate geographic locations.
✑ Data can be read from the secondary location as well as from the primary location.

Which of the following Azure stored redundancy options should you recommend?

A Geo-redundant storage
B Read-only geo-redundant storage
C Zone-redundant storage
D Locally redundant storage

A

Correct Answer: B

RA-GRS allows you to have higher read availability for your storage account by providing read only access to the data replicated to the secondary location. Once you enable this feature, the secondary location may be used to achieve higher availability in the event the data is not available in the primary region. This is an
opt-in feature which requires the storage account be geo-replicated.

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Q13

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.

Solution: You access the Virtual Machine blade.

Does the solution meet the goal?

A Yes
B No

A

Correct Answer: B

You should use the Resource Group blade

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Q14

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.

Solution: You access the Resource Group blade.

Does the solution meet the goal?

A Yes
B No

A

Correct Answer: A (Yes)

To view a template from deployment history:
1. Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link
2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment
3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that you provided for parameters. To see the template that you used for the deployment, select View template

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Q15

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.

Solution: You access the Container blade.

Does the solution meet the goal?

A Yes
B No

A

Correct Answer: B

You should use the Resource Group blade

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Q16

Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.
Which of the following actions should you take?

A You should only stop one of the VMs.
B You should stop two of the VMs.
C You should stop all three VMs.
D You should remove the necessary VM from the availability set.

A

Correct Answer: C

If the VM you wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in the availability set.
The reason all VMs in the availability set must be stopped before performing the resize operation to a size that requires different hardware is that all running VMs in the availability set must be using the same physical hardware cluster. Therefore, if a change of physical hardware cluster is required to change the VM size then all VMs must be first stopped and then restarted one-by-one to a different physical hardware clusters.

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Q17

You have an Azure virtual machine (VM) that has a single data disk. You have been tasked with attaching this data disk to another Azure VM.
You need to make sure that your strategy allows for the virtual machines to be offline for the least amount of time possible.
Which of the following is the action you should take FIRST?

A Stop the VM that includes the data disk.
B Stop the VM that the data disk must be attached to.
C Detach the data disk.
D Delete the VM that includes the data disk.

A

C. Detach the data disk.

Here’s why:

  • Detaching the data disk is the first step to moving it to another VM. This process can be done while the VM is running, minimizing downtime.
  • Stopping the VMs is unnecessary at this stage and would increase downtime.
  • Deleting the VM is not required and would result in data loss.

By detaching the disk first, you can then proceed to attach it to the target VM with minimal interruption to both systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Q18

Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set.
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance.
Which of the following is the value that you should configure for the platformFaultDomainCount property?

A 10
B 30
C Min Value
D Max Value

A

Correct Answer: D

The number of fault domains for managed availability sets varies by region - either two or three per region.

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Q19

Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set.
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance.
Which of the following is the value that you should configure for the platformUpdateDomainCount property?

A 10
B 20
C 30
D 40

A

Correct Answer: B

Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. For a given availability set, five non-user-configurable update domains are assigned by default (Resource Manager deployments can then be increased to provide up to 20 update domains) to indicate groups of virtual machines and underlying physical hardware that can be rebooted at the same time.

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Q18

Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set.
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance.
Which of the following is the value that you should configure for the platformFaultDomainCount property?

A 10
B 30
C Min Value
D Max Value

A

Correct Answer: D

The number of fault domains for managed availability sets varies by region - either two or three per region.

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Q20

You have downloaded an Azure Resource Manager (ARM) template to deploy numerous virtual machines (VMs). The ARM template is based on a current VM, but must be adapted to reference an administrative password.
You need to make sure that the password cannot be stored in plain text.

You are preparing to create the necessary components to achieve your goal.
Which of the following should you create to achieve your goal? Answer by dragging the correct option from the list to the answer area.

Select and Place

A

Answer

You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore, the password is never put in plain text in the template parameter file.

key vault + access policy

But please note that now the access policy is considered a legacy way to provide access to the key vault. Now you can use RBAC.

RBAC Access Policy
Assign Access Policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Q21

Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory domain.

The on-premise virtual environment consists of virtual machines (VMs) running on Windows Server 2012 R2 Hyper-V host servers.
You have created some PowerShell scripts to automate the configuration of newly created VMs. You plan to create several new VMs.
You need a solution that ensures the scripts are run on the new VMs.
Which of the following is the best solution?

A Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
B Configure a Group Policy Object (GPO) to run the scripts as logon scripts.
C Configure a Group Policy Object (GPO) to run the scripts as startup scripts.
D Place the scripts in a new virtual hard disk (VHD).

A

C. Configure a Group Policy Object (GPO) to run the scripts as startup scripts.

Explanation:
* Group Policy Objects (GPOs) are the most effective way to manage configuration settings for multiple computers in an Active Directory environment.
* By configuring the scripts to run as startup scripts, they will execute automatically on each new VM when it boots up, ensuring consistent configuration.

Why not other options:
* A. SetupComplete.cmd: This method is unreliable as it depends on the setup process and might not always execute.
* B. Logon scripts: While they run on user logon, they are not ideal for system-level configuration tasks.
* D. VHD: This option is complex to manage and doesn’t provide the same level of control as a GPO.

By using a GPO to execute the scripts as startup scripts, you ensure that the new VMs are consistently configured according to your requirements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Q22

Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory domain.

You plan to deploy several new virtual machines (VMs) in Azure. The VMs will have the same operating system and custom software requirements.

You configure a reference VM in the on-premise virtual environment. You then generalize the VM to create an image.

You need to upload the image to Azure to ensure that it is available for selection when you create the new Azure VMs.

Which PowerShell cmdlets should you use?

A Add-AzVM
B Add-AzVhd
C Add-AzImage
D Add-AzImageDataDisk

A

Correct Answer: B

The Add-AzVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a blob storage account as fixed virtual hard disks.

“New-AzVM” is for creating new VMs, not uploading images.

“Add-AzImage” does not exist. the correct command is “New-AzImage”.

“Add-AzImageDataDisk” Adds a data disk to an image object.

“Add-AzVhd” seems to be the correct option, sing the it “Uploads a virtual hard disk from an on-premises machine to Azure (managed disk or blob).”

Reference

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Q23

Your company has an Azure subscription that includes a number of Azure virtual machines (VMs), which are all part of the same virtual network.

Your company also has an on-premises Hyper-V server that hosts a VM, named VM1, which must be replicated to Azure.

Which of the following objects that must be created to achieve this goal? Answer by dragging the correct option from the list to the answer area.

A

Answer

For physical servers
- Storage Account
- Azure Recovery Services Vault
- Replication policy

For Hyper-v server
- Hyper-V site
- Azure Recovery Services Vault
- Replication policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Q24

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company’s Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB.

VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN connection exists between your company’s on- premises network and VirtualNetworkA.

You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10. After configuring virtual network peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company’s on-premises network. However, you find that you cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.

You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation.

Solution: You choose the Allow gateway transit setting on VirtualNetworkA.

Does the solution meet the goal?

A Yes
B No

A

Answer: B. No

“After configuring virtual network peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company’s on-premises network.” This indicates the Allow/Use gateway transit is set up working. The next step will be restart/reinstall the VPN-Client config at the windows 10 WS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Q25

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company’s Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB.

VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN connection exists between your company’s on- premises network and VirtualNetworkA.

You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10. After configuring virtual network peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company’s on-premises network. However, you find that you cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.

You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation.

Solution: You choose the Allow gateway transit setting on VirtualNetworkB.

Does the solution meet the goal?

A Yes
B No

A

Answer: B. No

After reconfiguring \ creating peering existing point-to-site VPN connections need to be recreated

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Q26

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company’s Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB.

VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN connection exists between your company’s on- premises network and VirtualNetworkA.

You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10. After configuring virtual network peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company’s on-premises network. However, you find that you cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.

You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation.

Solution: You download and re-install the VPN client configuration package on the Windows 10 workstation.

Does the solution meet the goal?

A Yes
B No

A

Answer: B. Yes

If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to the client.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Q27

Your company has virtual machines (VMs) hosted in Microsoft Azure. The VMs are located in a single Azure virtual network named VNet1.

The company has users that work remotely. The remote workers require access to the VMs on VNet1.

You need to provide access for the remote workers.

What should you do?

A Configure a Site-to-Site (S2S) VPN.
B Configure a VNet-toVNet VPN.
C Configure a Point-to-Site (P2S) VPN.
D Configure DirectAccess on a Windows Server 2012 server VM.
E Configure a Multi-Site VPN

A

Correct Answer: C

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Q28

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).

You need to configure an Azure internal load balancer as a listener for the availability group.

Solution: You create an HTTP health probe on port 1433.

Does the solution meet the goal?

A Yes
B No

A

No, creating an HTTP health probe on port 1433 does not meet the goal of configuring an Azure internal load balancer as a listener for the SQL Server Always On availability group.

In order to configure an Azure internal load balancer as a listener for the availability group, you need to create a TCP health probe on port 1433. SQL Server uses TCP to communicate on port 1433, so a TCP health probe is the appropriate choice to ensure the availability and health of the SQL Server instances in the availability group.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Q29

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).

You need to configure an Azure internal load balancer as a listener for the availability group.

Solution: You set Session persistence to Client IP.

Does the solution meet the goal?

A Yes
B No

A

No, Session persistence ensures that a client will remain connected to the same server throughout a session or period of time. Because load balancing may, by default, send users to unique servers each time they connect, this can mean that complicated or repeated requests are slowed down.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Q30

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).

You need to configure an Azure internal load balancer as a listener for the availability group.

Solution: You enable Floating IP.

Does the solution meet the goal?

A Yes
B No

A

Answer Yes

The load balancing rules configure how the load balancer routes traffic to the SQL Server instances. For this load balancer, you enable direct server return because only one of the two SQL Server instances owns the availability group listener resource at a time.
» Floating IP (direct server return) Enabled

32
Q

Q31

Your company has two on-premises servers named SRV01 and SRV02. Developers have created an application that runs on SRV01. The application calls a service on SRV02 by IP address.

You plan to migrate the application on Azure virtual machines (VMs). You have configured two VMs on a single subnet in an Azure virtual network.

You need to configure the two VMs with static internal IP addresses.

What should you do?

A Run the New-AzureRMVMConfig PowerShell cmdlet.
B Run the Set-AzureSubnet PowerShell cmdlet.
C Modify the VM properties in the Azure Management Portal.
D Modify the IP properties in Windows Network and Sharing Center.
E Run the Set-AzureStaticVNetIP PowerShell cmdlet.

A

Option E is the correct answer.

The Set-AzureStaticVNetIP PowerShell cmdlet is used to set a static internal IP address for an Azure virtual machine. This cmdlet allows you to set the IP address, subnet mask, and default gateway for the virtual machine’s network interface.

Option A, New-AzureRMVMConfig, is used to create a new virtual machine configuration object.

Option B, Set-AzureSubnet, is used to modify the properties of an existing Azure subnet, not to set static IP addresses for virtual machines.

Option C, modifying VM properties in the Azure Management Portal, does not provide a way to set static IP addresses for virtual machines.

Option D, modifying the IP properties in Windows Network and Sharing Center, only applies to the local network interface of the VM and does not set a static internal IP address for the VM on the Azure virtual network.

33
Q

Q33

Your company has an Azure Active Directory (Azure AD) subscription.

You need to deploy five virtual machines (VMs) to your company’s virtual network subnet.

The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be identical.

Which of the following is the least amount of security groups needed for this configuration?

A 4
B 3
C 2
D 1

A

Correct Answer D

For the scenario described, you only need one network security group (NSG) to meet the requirements. As the security rules are identical for all five VMs, a single NSG can be applied to the subnet where all VMs are located. This allows for centralized management of security rules for all VMs in that subnet, simplifying configuration and enforcement of uniform security policies across multiple machines.

34
Q

Q34

Your company’s Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.

One of the VMs is backed up every day using Azure Backup Instant Restore.

When the VM becomes infected with data encrypting ransomware, you decide to recover the VM’s files.

Which of the following is TRUE in this scenario?

A You can only recover the files to the infected VM.
B You can recover the files to any VM within the company’s subscription.
C You can only recover the files to a new VM.
D You will not be able to recover the files.

A

Correct Answer B

The question says that “Your company’s Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.” it doesn’t say that you have Linux machines. The answer A says that “You can ONLY recover the files to the infected VM”. that is definitely WRONG as you have other VMs to recovery your files. So the answer should be B.” You can recover the files to any VM within the company’s subscription”

35
Q

Q35

Your company’s Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.

One of the VMs is backed up every day using Azure Backup Instant Restore.

When the VM becomes infected with data encrypting ransomware, you are required to restore the VM.

Which of the following actions should you take?

A You should restore the VM after deleting the infected VM.
B You should restore the VM to any VM within the company’s subscription.
C You should restore the VM to a new Azure VM.
D You should restore the VM to an on-premise Windows device.

A

C. You should restore the VM to a new Azure VM.

Explanation:

  • Instant restore allows you to restore a VM to its previous state quickly and efficiently.
  • Creating a new VM ensures that the infected VM is isolated, preventing further contamination.
  • Restoring to the same VM could potentially reintroduce the ransomware.

By restoring the VM to a new Azure VM, you mitigate the risk of reinfection and can then analyze the original VM for the ransomware source.

Why Other Options Are Less Suitable

A. You should restore the VM after deleting the infected VM.
* While deleting the infected VM is a good initial step to isolate the threat, restoring the VM afterwards is not the most efficient or secure approach. It involves additional steps and time, increasing the risk of further contamination.

B. You should restore the VM to any VM within the company’s subscription.
* Restoring to an existing VM is highly discouraged as it could potentially spread the ransomware to other systems. This option poses a significant risk to the entire infrastructure.

D. You should restore the VM to an on-premise Windows device.
* Restoring to an on-premise device is not feasible as Azure Backup is specifically designed for Azure environments. This option is not applicable in this scenario.

By restoring the VM to a new Azure VM, you effectively isolate the infected system, prevent further spread, and allow for a clean recovery process.

36
Q

Q36

You administer a solution in Azure that is currently having performance issues.

You need to find the cause of the performance issues pertaining to metrics on the Azure infrastructure.

Which of the following is the tool you should use?

A Azure Traffic Analytics
B Azure Monitor
C Azure Activity Log
D Azure Advisor

A

B. Azure Monitor is the tool used to collect and analyze performance metrics and logs in Azure. It provides insights into the performance of Azure resources, applications, and workloads, and helps identify and troubleshoot issues related to availability, performance, and security. Azure Traffic Analytics is used to monitor and analyze network traffic, Azure Activity Log provides insights into activities performed on Azure resources, and Azure Advisor provides recommendations for improving the performance, security, and reliability of Azure resources.

37
Q

Q37

Your company has an Azure subscription that includes a Recovery Services vault.

You want to use Azure Backup to schedule a backup of your company’s virtual machines (VMs) to the Recovery Services vault.

Which of the following VMs can you back up?
Choose all that apply.

A VMs that run Windows 10.
B VMs that run Windows Server 2012 or higher.
C VMs that have NOT been shut down.
D VMs that run Debian 8.2+.
E VMs that have been shut down.

A

Correct Answer: ABCDE

Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
Azure Backup supports backup of 64-bit Windows 10 operating system.
Azure Backup supports backup of 64-bit Debian operating system from Debian 7.9+.
Azure Backup supports backup of VM that are shutdown or offline.

Backup support matrix iaas
Linux VM endorsed distros

38
Q

Q38

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.

Solution: You create a PowerShell script that runs the New-AzureADUser cmdlet for each user.

Does this meet the goal?

A Yes
B No

A

Correct Answer: B. No

The New-AzureADUser cmdlet creates a user in Azure Active Directory (Azure AD).
Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.

39
Q

Q39

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.

Solution: From Azure AD in the Azure portal, you use the Bulk create user operation.

Does this meet the goal?

A Yes
B No

A

Correct Answer: B

Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.

40
Q

Q40

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.

Solution: You create a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each external user.

Does this meet the goal?

A Yes
B No

A

Correct Answer: A

Use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.

41
Q

Q41

You have an Azure subscription named Subscription1 that contains a resource group named RG1.

In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.

You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.

Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

A

Correct Answer

There is something that we all seem to be forgetting here..and that is that Azure RBAC roles can be applied at three different scopes…management group, subscription, resource group and finally resource. So, LB1 and LB2 are resources that we want the Network Contributor role to manage, which by the way satisfies the principle of least privilege. When you apply the scope to the resource group, then it is applied to all the resources in the resource group which is not what we want. The question specifically referred to LB1 and LB2. These resources are atomic, therefore applying the scope to the two will affect just those two resources. Therefore the given answers are correct.

42
Q

Q42

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.

An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.

You need to ensure that access to AKS1 can be granted to the contoso.com users.

What should you do first?

A From contoso.com, modify the Organization relationships settings.
B From contoso.com, create an OAuth 2.0 authorization endpoint.
C Recreate AKS1.
D From AKS1, create a namespace.

A

Answer is correct B

Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user’s identity or directory group membership. Azure ADauthentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol

43
Q

Q43

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.

You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.

You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A a Microsoft 365 group that uses the Assigned membership type
B a Security group that uses the Assigned membership type
C a Microsoft 365 group that uses the Dynamic User membership type
D a Security group that uses the Dynamic User membership type
E a Security group that uses the Dynamic Device membership type

A

Correct Answer: AC

You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).

Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner.

When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.

You can set up a rule for dynamic membership on security groups or Office 365 groups.
Incorrect Answers:

B, D, E: You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).

To meet the requirement of automatically deleting the groups after 180 days, you should use groups that can be configured with an expiration policy. In Azure Active Directory (Azure AD), Microsoft 365 groups support expiration policies, which allow you to set a lifetime for the group and automatically renew or delete it based on activity.

The two correct options are:

A. A Microsoft 365 group that uses the Assigned membership type

C. A Microsoft 365 group that uses the Dynamic User membership type

Both Microsoft 365 groups with assigned and dynamic user membership types can be configured with expiration policies to automatically delete the group after a specified period, such as 180 days. This feature is not available for security groups or dynamic device membership types.

44
Q

Q44

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table

User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area

A

Correct Answer

“If a group is assigned to Azure resource roles, the reviewer of the Azure resource role will see the expanded list of the users in a nested group. Should a reviewer deny a member of a nested group, that deny result will not be applied successfully because the user will not be removed from the nested group.”

See

This means that users from nested groups are included in the review but applying a “deny” change won’t have any effect on them.

45
Q

Q45

You have the Azure management groups shown in the following table

You add Azure subscriptions to the management groups as shown in the following table

You create the Azure policies shown in the following table

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one
point.

Hot Area

A

Wrong Answer

Should be:

  • NO: Subscription 1: is not allowed to create a VNET.
  • NO: Subscription 2: Allowed to create a VNET which restricts anything else.
  • NO: Subscription 1: already in one Management group called 21, so cannot add into another. A Subscription can be assigned to 1 Management Group.

Original Answer:

Box 1: No -
Virtual networks are not allowed at the root and is inherited. Deny overrides allowed.

Box 2: Yes -
Virtual Machines can be created on a [Management Group]((https://docs.microsoft.com/en-us/azure/governance/management-groups/overview) provided the user has the required RBAC permissions.

Box 3: Yes -
Subscriptions can be moved between Management Groups provided the user has the required RBAC permissions.
Reference:

46
Q

Q46

You have an Azure policy as shown in the following exhibit

What is the effect of the policy?

A You are prevented from creating Azure SQL servers anywhere in Subscription 1.
B You can create Azure SQL servers in ContosoRG1 only.
C You are prevented from creating Azure SQL Servers in ContosoRG1 only.
D You can create Azure SQL servers in any resource group within Subscription 1.

A

Correct Answer: B

You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the exception of ContosoRG1

47
Q

Q47

You have an Azure subscription that contains the resources shown in the following table

You assign a policy to RG6 as shown in the following table

To RG6, you apply the tag: RGroup: RG6.
You deploy a virtual network named VNET2 to RG6.

Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

A

Answer

VNET1: Department: D1, and Label:Value1 only.
Tags applied to the resource group or subscription are not inherited by the resources.

Note: Azure Policy allows you to use either built-in or custom-defined policy definitions and assign them to either a specific resource group or across a whole
Azure subscription.
VNET2: Label:Value1 only.

Incorrect Answers:

RGROUP: RG6 -
Tags applied to the resource group or subscription are not inherited by the resources.

48
Q

Q48

You have an Azure subscription named AZPT1 that contains the resources shown in the following table

You create a new Azure subscription named AZPT2.

You need to identify which resources can be moved to AZPT2.

Which resources should you identify?

A VM1, storage1, VNET1, and VM1Managed only
B VM1 and VM1Managed only
C VM1, storage1, VNET1, VM1Managed, and RVAULT1
D RVAULT1 only

A

Correct Answer: C

You can move a VM and its associated resources to a different subscription by using the Azure portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.

49
Q

Q49

You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure
PowerShell and receives the following error message: User failed validation to purchase resources. Error message: Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.

You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?

A From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
B From the Azure portal, register the Microsoft.Marketplace resource provider
C From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
D From the Azure portal, assign the Billing administrator role to Admin1

A

Correct Answer: C

Set-AzMarketplaceTerms -Publisher <String> -Product <String> -Name <String> [-Accept] [-Terms <PSAgreementTerms>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]</CommonParameters></IAzureContextContainer></PSAgreementTerms></String></String></String>

Reference

50
Q

Q50

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.

You need to assign the User administrator administrative role to AdminUser1.

What should you do from the user account properties?

A From the Licenses blade, assign a new license
B From the Directory role blade, modify the directory role
C From the Groups blade, invite the user account to a new group

A

Correct Answer: B

Assign a role to a user -
1. Sign in to the Azure portal with an account that’s a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.
4. Press Select to save.

51
Q

Q51

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.

You purchase 10 Azure AD Premium P2 licenses for the tenant.

You need to ensure that 10 users can use all the Azure AD Premium features.

What should you do?

A From the Licenses blade of Azure AD, assign a license
B From the Groups blade of each user, invite the users to a group
C From the Azure AD domain, add an enterprise application
D From the Directory role blade of each user, modify the directory role

A

Correct Answer: A

Active Directory-> Manage Section > Choose Licenses -> All Products -> Select Azure Active Directory Premium P2 -> Then assign a user to it.

Reference

52
Q

Q52

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.

You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.

What should you do first?

A Create an automation runbook
B Deploy a function app
C Deploy the IT Service Management Connector (ITSM)
D Create a notification

A

Correct Answer: C

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service, such as the Microsoft System Center Service Manager.

With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).

53
Q

Q53

You sign up for Azure Active Directory (Azure AD) Premium P2.

You need to add a user named [email protected] as an administrator on all the computers that will be joined to the Azure AD domain.

What should you configure in Azure AD?

A Device settings from the Devices blade
B Providers from the MFA Server blade
C User settings from the Users blade
D General settings from the Groups blade

A

Correct Answer: A

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:

  1. Sign in to your Azure portal as a global administrator or device administrator.
  2. On the left navbar, click Azure Active Directory.
  3. In the Manage section, click Devices.
  4. On the Devices page, click Device settings.
  5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
54
Q

Q54

You have Azure Active Directory tenant named Contoso.com that includes following users

Contoso.com includes following Windows 10 devices

You create following security groups in Contoso.com

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Hot Area

A

To Check Answer

Box 1: Yes -
User1 is a Cloud Device Administrator.
Device2 is Azure AD joined.
Group1 has the assigned to join type. User1 is the owner of Group1.
Note: Assigned groups - Manually add users or devices into a static group.
Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD

Box 2: No -
User2 is a User Administrator.
Device1 is Azure AD registered.
Group1 has the assigned join type, and the owner is User1.
Note: Azure AD registered devices utilize an account managed by the end user, this account is either a Microsoft account or another locally managed credential.

Box 3: Yes -
User2 is a User Administrator.
Device2 is Azure AD joined.
Group2 has the Dynamic Device join type, and the owner is User2.

Reference

Alternative:
User1 can add Device2 to Group1: No
User2 can add Device1 to Group1: Yes
User2 can add Device2 to Group2: No

Explaination:

Groups can contain both registered and joined devices as members.

As a global administrator or cloud device administrator, you can manage the registered or joined devices. Intune Service administrators can update and delete devices. User administrator can manage users but not devices.

User1 is a cloud device administrator. Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.

User2 is the owner of Group1. He can add Device1 to Group1.

Group2 is configured for dynamic membership. The properties on which the membership of a device in a group of the type dynamic device are defined cannot be changed by either an end user or an user administrator. User2 cannot add any device to Group2.

Reference

55
Q

Q55

You have an Azure subscription that contains a resource group named RG26.

RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table.

SQLDB01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.

You need to delete RG26.

What should you do first?

A Delete VM1
B Stop VM1
C Stop the backup of SQLDB01
D Delete sa001

A

Answer C

You can’t delete a Recovery Services vault with any of the following dependencies:
1.You can’t delete a vault that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).
2.You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
3.You can’t delete a vault that contains backup data in the soft deleted state.
4.You can’t delete a vault that has registered storage accounts.

To delete a vault, Go to vault Overview, click Delete, and then follow the instructions to complete the removal of Azure Backup and Azure Site Recovery items.

56
Q

Q56

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.

Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

A Remove User1 from the Security Reader and Reader roles for Subscription1.
B Assign User1 the User Access Administrator role for VNet1.
C Assign User1 the Network Contributor role for VNet1.
D Assign User1 the Network Contributor role for RG1.

A

Correct Answer: B

Has full access to all resources including the right to delegate access to others.

Note:
There are several versions of this question in the exam. The question has two possible correct answers:
✑ Assign User1 the User Access Administrator role for VNet1.
✑ Assign User1 the Owner role for VNet1.
Other incorrect answer options you may see on the exam include the following:
✑ Assign User1 the Contributor role for VNet1.
✑ Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
✑ Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.

Reference

57
Q

Q57

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.

You add contoso.com as a custom domain name to Azure AD.

You need to ensure that Azure can verify the domain name.

Which type of DNS record should you create?

A MX
B NSEC
C PTR
D RRSIG

A

Correct Answer: A

To verify your custom domain name (example)
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.
Note:
There are several versions of this question in the exam. The question can have two correct answers:
1. MX
2. TXT
The question can also have other incorrect answer options, including the following:
1. SRV
2. NSEC3

Reference

58
Q

Q58

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.

Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.

Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.

Does this meet the goal?

A Yes
B No

A

Correct Answer: B

DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.

The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.

Built-in roles
Securing a logic app

59
Q

Q59

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.

Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.

Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.

Does this meet the goal?

A Yes
B No

A

Correct Answer: B

You would need the Logic App Contributor role.

The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.

Built-in roles
Securing a logic app

60
Q

Q60

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.

Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.

Solution: On Dev, you assign the Contributor role to the Developers group

Does this meet the goal?

A Yes
B No

A

Correct Answer: A

The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.

Built-in roles
Securing a logic app

61
Q

Q61

You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each department uses resources in several resource groups.

You need to send a report to the finance department. The report must detail the costs for each department.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place

A

Answer

Box 1: Assign a tag to each resource.
You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Each resource or resource group can have a maximum of 15 tag name/value pairs. Tags applied to the resource group are not inherited by the resources in that resource group.

Box 2: From the Cost analysis blade, filter the view by tag
After you get your services running, regularly check how much they’re costing you. You can see the current spend and burn rate in Azure portal.
1. Visit the Subscriptions blade in Azure portal and select a subscription.
You should see the cost breakdown and burn rate in the popup blade.
2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24 hours after you add a service for the data to populate.
3. You can filter by different properties like tags, resource group, and timespan. Click Apply to confirm the filters and Download if you want to export the view to a
Comma-Separated Values (.csv) file.

Box 3: Download the usage report

Resource groups using tags
Billing: Getting started

62
Q

Q62

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.

Which query should you run in Workspace1?

A Get-Event Event | where {$_.EventType == “error”}
B search in (Event) “error”
C select * from Event where EventType == “error”
D search in (Event) * | where EventType -eq “error”

A

Correct Answer: B

To search a term in a specific table, add the table-name just after the search operator

Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. Event | search “error”
2. Event | where EventType == “error”
3. search in (Event) “error”

Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye “eq “error”}
2. Event | where EventType is “error”
3. search in (Event) * | where EventType “eq “error”
4. select * from Event where EventType is “error”

Reference:
Search Queries
Log query get started portal
Search operator

63
Q

Q63

You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is connected to
VNET1.
You successfully deploy the following Azure Resource Manager template.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area

A

Answer

Box 1: Yes -

Box 2: Yes -
VM1 is in Zone1, while VM2 is on Zone2.

Box 3: No -

Reference

64
Q

Q64

You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table

RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?

A The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
B The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
C The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
D The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.

A

Correct Answer: A

You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region.
The region in which your app runs is the region of the App Service plan it’s in. However, you cannot change an App Service plan’s region.

65
Q

Q65

You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.

You need to create a custom RBAC role named CR1 that meets the following requirements:

✑ Can be assigned only to the resource groups in Subscription1
✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resources within the resource groups

What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

66
Q

Q66

You have an Azure subscription.

Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.

You have a line-of-business-app named App1 that runs on several Azure virtual machine. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A an internal load balancer
B a public load balancer
C an Azure Content Delivery Network (CDN)
D Traffic Manager
E an Azure Application Gateway

A

Correct Answer: AE

Network traffic from the VPN gateway is routed to the cloud application through an internal load balancer. The load balancer is located in the front-end subnet of the application.

67
Q

Q67

You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?

A Monitor
B Advisor
C Metrics
D Customer insights

A

Correct Answer: B

Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.

68
Q

Q68

You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.

NOTE: Each correct selection is worth one point.

69
Q

Q69

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the [email protected] sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: Unable to invite user [email protected] ” Generic authorization exception.`
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.

What should you do?

A From the Users settings blade, modify the External collaboration settings.
B From the Custom domain names blade, add a custom domain.
C From the Organizational relationships blade, add an identity provider.
D From the Roles and administrators blade, assign the Security administrator role to Admin1.

A

Correct Answer: A

Reference

70
Q

Q70

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.

What should you do?

A Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
B Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
C Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
D Create a new management group and delegate User1 as the owner of the new management group.

A

Correct Answer: B

The following chart shows the list of roles and the supported actions on management groups.

Note:
Each directory is given a single top-level management group called the “Root” management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.

Reference

71
Q

Q71

You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.

You create two user accounts that are configured as shown in the following table.

Of which groups are User1 and User2 members? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

A

Answer

Box 1: Group 1 only -

First rule applies -

Box 2: Group1 and Group2 only -
Both membership rules apply.
Reference

72
Q

Q72

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table.

You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the attributes from Azure AD? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A

Answer

Box 1: User1 and User3 only -
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active
Directory.

Box 2: User1, User2, and User3 -
Reference

73
Q

Q73

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.

Solution: You assign the Network Contributor role at the subscription level to Admin1.

Does this meet the goal?
A Yes
B No

A

Correct Answer: A

Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

Reference

74
Q

Q74

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.

Solution: You assign the Owner role at the subscription level to Admin1.

Does this meet the goal?
A Yes
B No

A

Correct Answer: A

Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

Reference

75
Q

Q75

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.

Solution: You assign the Reader role at the subscription level to Admin1.

Does this meet the goal?
A Yes
B No

A

Correct Answer: A

Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

Reference

76
Q

Q76

You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.

Which role-based access control (RBAC) role should you assign to User1?

A Owner
B Virtual Machine Contributor
C Contributor
D Virtual Machine Administrator Login

A

Correct Answer: C

Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC
Incorrect Answers:
A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
B: Virtual Machine Contributor: Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
D: Virtual Machine Administrator Login: View Virtual Machines in the portal and login as administrator.

Reference