Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

AZ104 > Examtopics > Flashcards

Examtopics Flashcards

1
Q

Your company has serval departments. Each department has a number of virtual machines (VMs).
The company has an Azure subscription that contains a resource group named RG1.
All VMs are located in RG1.
You want to associate each VM with its respective department.
What should you do?

A

Assign tags to the virtual machines.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the multi-factor authentication page to alter the user settings.
Does the solution meet the goal?

A

No

The solution does not meet the goal. While accessing the multi-factor authentication page allows you to configure multi-factor authentication for users, it does not specifically target the members of the Global Administrators group. To meet the goal of requiring Global Administrators to use Multi-Factor Authentication and an Azure AD-joined device when connecting from untrusted locations, you need to set up an Azure AD conditional access policy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy.
Does the solution meet the goal?

A

No

The solution mentioned does not fully meet the goal of requiring members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect from untrusted locations. While accessing the Azure portal to alter the session control is a step in the right direction, it’s essential to configure the specific conditions and controls in the Azure AD conditional access policy to enforce these requirements.

To achieve the goal, you need to create or modify an Azure AD conditional access policy and specify the conditions that require Multi-Factor Authentication and Azure AD-joined devices for members of the Global Administrators group when they access Azure AD from untrusted locations. Simply accessing the Azure portal to alter session control is not sufficient to fully implement this policy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy.
Does the solution meet the goal?

A

Yes - There is another copy of this question that mentions going to the MFA page in Azure Portal as the solution = incorrect. On that page you cant make a Conditional Access Policy.
I did this in lab step by step:
- The Answer “A” is correct
- Instead of the MFA page mentioned above, you have to go the route of Conditional Access Policy–>Grant Control mentioned here for this question. Under Grant Control you are given the option of setting MFA and requiring AD joined devices in the exact same window.
Answer is correct.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

You are planning to deploy an Ubuntu Server virtual machine to your company’s Azure subscription.
You are required to implement a custom deployment that includes adding a particular trusted root certification authority (CA).
What cmdlet creates a new VM?

A

The AZ vm create command,

To create an Ubuntu Server virtual machine with a custom deployment that includes adding a trusted root certification authority (CA) in Microsoft Azure, you should use the “D. The az vm create command.”

The az vm create command is part of the Azure Command-Line Interface (CLI) and allows you to create virtual machines with custom configurations. This command gives you the flexibility to specify various parameters and configurations for the virtual machine during deployment, including any custom certificates or trusted root CAs that need to be added.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Your company makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model.
After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure portal.
Does the solution meet the goal?

A

No, Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your existing server with activation credentials from the new provider.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Your company’s Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model.
After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure CLI.
Does the solution meet the goal?

A

No, Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your existing server with activation credentials from the new provider.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Your company’s Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model.
After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.
Does the solution meet the goal?

A

Yes, Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your existing server with activation credentials from the new provider.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
What cmdlet should you run?

A

You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Your company has an azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Virtual Machine blade.
Does the solution meet the goal?

A

No, You should use the Resource Group blade

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.
What action should you take?

A

You should stop all three VMs.

If the VM you wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in the availability set.
The reason all VMs in the availability set must be stopped before performing the resize operation to a size that requires different hardware is that all running VMs in the availability set must be using the same physical hardware cluster. Therefore, if a change of physical hardware cluster is required to change the VM size then all VMs must be first stopped and then restarted one-by-one to a different physical hardware clusters.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You restart the NetLogon service on a domain controller.
Does the solution meet the goal?

A

No
If you need to manually run a sync cycle, then from PowerShell run Start-ADSyncSyncCycle -PolicyType Delta.

To initiate a full sync cycle, run Start-ADSyncSyncCycle -PolicyType Initial from a PowerShell prompt.

Running a full sync cycle can be very time consuming, so if you need to replicate the user information to Azure AD immediately then run Start-ADSyncSyncCycle -PolicyType Delta.
Answer is No

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

The company has datacenters in Los Angeles and New York.
You are configuring the two datacenters as geo-clustered sites for site resiliency.
You need to recommend an Azure storage redundancy option.
You have the following data storage requirements:
✑ Data must be stored on multiple nodes.
✑ Data must be stored on nodes in separate geographic locations.
✑ Data can be read from the secondary location as well as from the primary location.
Which of the following Azure stored redundancy options should you recommend?

A

Read-only geo-redundant storage

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Your company has an azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
What should you access?

A

The resource group blade

Yes, accessing the Resource Group blade can meet the goal of reviewing the ARM template used by Jon Ross to deploy the virtual machine and additional Azure Storage account.

In the Resource Group blade, you can select the resource group where the virtual machine and additional storage account were deployed, and then click on the “Deployments” tab. This will display a list of all deployments made to the resource group, including the ARM template used for the deployment.

Therefore, the solution of accessing the Resource Group blade meets the goal of reviewing the ARM template used by Jon Ross. The answer is A. Yes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

You have an Azure virtual machine (VM) that has a single data disk. You have been tasked with attaching this data disk to another Azure VM.
You need to make sure that your strategy allows for the virtual machines to be offline for the least amount of time possible.
Which action you should take FIRST?

A

Detach the data disk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set.
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance.
What should you configure for the platformFaultDomainCount property?

A

Max Value

The number of fault domains for managed availability sets varies by region - either two or three per region.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set.
You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance.
Which of the following is the value that you should configure for the platformUpdateDomainCount property?

A. 10
B. 20
C. 30
D. 40

A

Correct Answer: B 20

Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. For a given availability set, five non-user-configurable update domains are assigned by default (Resource Manager deployments can then be increased to provide up to 20 update domains) to indicate groups of virtual machines and underlying physical hardware that can be rebooted at the same time.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

You have downloaded an Azure Resource Manager (ARM) template to deploy numerous virtual machines (VMs). The ARM template is based on a current VM, but must be adapted to reference an administrative password.
You need to make sure that the password cannot be stored in plain text.
You are preparing to create the necessary components to achieve your goal.
What components should you create to achieve your goal?

A

An Azure Key Vault & an access policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory domain.
The on-premise virtual environment consists of virtual machines (VMs) running on Windows Server 2012 R2 Hyper-V host servers.
You have created some PowerShell scripts to automate the configuration of newly created VMs. You plan to create several new VMs.
You need a solution that ensures the scripts are run on the new VMs.
What is the best solution?

A

Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.

After you deploy a Virtual Machine you typically need to make some changes before it’s ready to use. This is something you can do manually or you could use
Remote PowerShell to automate the configuration of your VM after deployment for example.
But now there’s a third alternative available allowing you customize your VM: the CustomScriptextension.
This CustomScript extension is executed by the VM Agent and it’s very straightforward: you specify which files it needs to download from your storage account and which file it needs to execute. You can even specify arguments that need to be passed to the script. The only requirement is that you execute a .ps1 file.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory domain.
You plan to deploy several new virtual machines (VMs) in Azure. The VMs will have the same operating system and custom software requirements.
You configure a reference VM in the on-premise virtual environment. You then generalize the VM to create an image.
You need to upload the image to Azure to ensure that it is available for selection when you create the new Azure VMs.
Which PowerShell cmdlets should you use?

A

The Add-AzVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a blob storage account as fixed virtual hard disks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Your company has an Azure subscription that includes a number of Azure virtual machines (VMs), which are all part of the same virtual network.
Your company also has an on-premises Hyper-V server that hosts a VM, named VM1, which must be replicated to Azure.
Which objects that must be created to achieve this goal?

A

Hyper-V site, Azure recovery Services Vault, Replication policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Your company’s Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB.
VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN connection exists between your company’s on- premises network and VirtualNetworkA.
You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10. After configuring virtual network peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company’s on-premises network. However, you find that you cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.
You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation. What should you do?

A

Download and re-install the VPN client configuration package on the Windows 10 workstation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Your company has virtual machines (VMs) hosted in Microsoft Azure. The VMs are located in a single Azure virtual network named VNet1.
The company has users that work remotely. The remote workers require access to the VMs on VNet1.
You need to provide access for the remote workers.
What should you do?

A

Configure a Point-to-Site (P2S) VPN.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability group.
what should you enable?

A

Solution: You enable Floating IP.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Your company has two on-premises servers named SRV01 and SRV02. Developers have created an application that runs on SRV01. The application calls a service on SRV02 by IP address.
You plan to migrate the application on Azure virtual machines (VMs). You have configured two VMs on a single subnet in an Azure virtual network.
You need to configure the two VMs with static internal IP addresses.
What should you do?

A

Run the Set-AzureStaticVNetIP PowerShell cmdlet.

Specify a static internal IP for a previously created VM
If you want to set a static IP address for a VM that you previously created, you can do so by using the following cmdlets. If you already set an IP address for the
VM and you want to change it to a different IP address, you’ll need to remove the existing static IP address before running these cmdlets. See the instructions below to remove a static IP.
For this procedure, you’ll use the Update-AzureVM cmdlet. The Update-AzureVM cmdlet restarts the VM as part of the update process. The DIP that you specify will be assigned after the VM restarts. In this example, we set the IP address for VM2, which is located in cloud service StaticDemo.
Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Your company has an Azure Active Directory (Azure AD) subscription.
You need to deploy five virtual machines (VMs) to your company’s virtual network subnet.
The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be identical.
Whatis the least amount of network interfaces needed for this configuration?

A

5

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Your company has an Azure Active Directory (Azure AD) subscription.
You need to deploy five virtual machines (VMs) to your company’s virtual network subnet.
The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be identical.
Which of the following is the least amount of security groups needed for this configuration?

A

1

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Your company’s Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.
One of the VMs is backed up every day using Azure Backup Instant Restore.
When the VM becomes infected with data encrypting ransomware, you decide to recover the VM’s files.
Which of the following is TRUE in this scenario?

A. You can only recover the files to the infected VM.
B. You can recover the files to any VM within the company’s subscription.
C. You can only recover the files to a new VM.
D. You will not be able to recover the files.

A

B. You can recover the files to any VM within the company’s subscription.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

You administer a solution in Azure that is currently having performance issues.
You need to find the cause of the performance issues pertaining to metrics on the Azure infrastructure.
Which is the tool you should use?

A

Azure Monitor

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Your company has an Azure subscription that includes a Recovery Services vault.
You want to use Azure Backup to schedule a backup of your company’s virtual machines (VMs) to the Recovery Services vault.
Which of the following VMs can you back up? Choose all that apply.

A. VMs that run Windows 10.
B. VMs that run Windows Server 2012 or higher.
C. VMs that have NOT been shut down.
D. VMs that run Debian 8.2+.
E. VMs that have been shut down.

A

all

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.
What is the best solution?

A

Solution: You create a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each external user.

Use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task?

A

Network contributor on both.

The Network Contributor role lets you manage networks, but not access them.

Azure RBAC roles can be applied at three different scopes…management group, subscription, resource group and finally resource. So, LB1 and LB2 are resources that we want the Network Contributor role to manage, which by the way satisfies the principle of least privilege. When you apply the scope to the resource group, then it is applied to all the resources in the resource group which is not what we want. The question specifically referred to LB1 and LB2. These resources are atomic, therefore applying the scope to the two will affect just those two resources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?

A

From contoso.com, create an OAuth 2.0 authorization endpoint.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create?

A. a Microsoft 365 group that uses the Assigned membership type
B. a Security group that uses the Assigned membership type
C. a Microsoft 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type

A

a Microsoft 365 group that uses the Assigned membership type and a Microsoft 365 group that uses the Dynamic User membership type

You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure
PowerShell and receives the following error message: User failed validation to purchase resources. Error message: Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.`
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?

A

From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?

A

From the Directory role blade, modify the directory role

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

Question #11Topic 2
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?

A

From the Licenses blade of Azure AD, assign a license

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.
What should you do first?

A

Deploy the IT Service Management Connector (ITSM)

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service, such as the
Microsoft System Center Service Manager.
With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

You sign up for Azure Active Directory (Azure AD) Premium P2.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?

A

Device settings from the Devices blade

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

You have an Azure subscription named AZPT1 that contains the resources shown in the following table:

NAME | TYPE
storage1 | Azure Storage accoount
VNET1 |Virtual network
VM1 |Azure virtual machine
VM1Managed |Managed Disk for VM1
RVAULT1 |Recovery Services vault for the site recovery of VM1

You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.
Which resources should you identify?
A. VM1, storage1, VNET1, and VM1Managed only
B. VM1 and VM1Managed only
C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
D. RVAULT1 only

A

C. VM1, storage1, VNET1, VM1Managed, and RVAULT1

You can move a VM and its associated resources to a different subscription by using the Azure portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.

However you cannot move RVAULT1 to another region

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.
What should you do first?

A. Create an automation runbook
B. Deploy a function app
C. Deploy the IT Service Management Connector (ITSM)
D. Create a notification

A

C. Deploy the IT Service Management Connector (ITSM)

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service, such as the
Microsoft System Center Service Manager.
With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

You sign up for Azure Active Directory (Azure AD) Premium P2.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?
A. Device settings from the Devices blade
B. Providers from the MFA Server blade
C. User settings from the Users blade
D. General settings from the Groups blade

A

A. Device settings from the Devices blade

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices

43
Q

You have an Azure subscription that contains a resource group named RG26.
RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table.

NAME | TYPE |LOCATION
VM1 |VM |North Europe
RGV1| RSV |North Europe
SQLD01 |SQL server in Azure VM | North Europe
sa001| Storage Account | West Europe

SQLDB01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.
You need to delete RG26.
What should you do first?

A. Delete VM1
B. Stop VM1
C. Stop the backup of SQLDB01
D. Delete sa001

A

C. Stop the backup of SQLDB01

You can’t delete a Recovery Services vault with any of the following dependencies:
1. You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
2. You can’t delete a vault that contains backup data in the soft deleted state.

44
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Remove User1 from the Security Reader and Reader roles for Subscription1.
B. Assign User1 the User Access Administrator role for VNet1.
C. Assign User1 the Network Contributor role for VNet1.
D. Assign User1 the Network Contributor role for RG1.

A

B. Assign User1 the User Access Administrator role for VNet1

Any variations of Contributor role does not allow to grant roles to other users. Contributor can be understood as resource read/write permission. To assing roles to other users you need some variation of Owner to repurce or Administrator role.
Roles do not exclude each other, so if you have Read and Contributor role, you’re still a Contributor and gain nothing by removing Reader role

45
Q

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?
A. MX
B. NSEC
C. PTR
D. RRSIG

A

A. MX

To verify your custom domain name (example)
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.
Note:
There are several versions of this question in the exam. The question can have two correct answers:
1. MX
2. TXT

46
Q

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
Does this meet the goal?
A. Yes
B. No

A

Correct Answer: B

The Azure DevTest Labs is a role used for Azure DevTest Labs, not for Logic Apps.

DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.

The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.

47
Q

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
Does this meet the goal?
A. Yes
B. No

A

Correct Answer: B

You would need the Logic App Contributor role.

Logic App Operator - Lets you read, enable, and disable logic apps, but not edit or update them.

Logic App Contributor - Lets you create, manage logic apps, but not access to them.

48
Q

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
Does this meet the goal?
A. Yes
B. No

A

Correct Answer: A

The Contributor role can manage all resources (and add resources) in a Resource Group. Contributor role can create logic apps.

Alternatively, we can use the Logic App Contributor role, which lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.

49
Q

You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each department uses resources in several resource groups.
You need to send a report to the finance department. The report must detail the costs for each department.
Which three actions should you perform in sequence?

A. Assign a tag to each resource group
B. Assign a tag to each resource
C. Download the usage report
D. From the Cost analysis blade, filter the view by tag
E. Open the resource costs bladeof each resource group

A
  1. B.
  2. D.
  3. C.
50
Q

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?
A. Get-Event Event | where {$_.EventType == “error”}
B. search in (Event) “error”
C. select * from Event where EventType == “error”
D. search in (Event) * | where EventType -eq “error”

A

B. search in (Event) “error”

51
Q

You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.

RG1 has a web app named WebApp1. WebApp1 is located in West Europe.

NAME |Azure region |Policy
RG1 | West Europe |Policy1
RG2 | North Europe | Policy2
RG3 | France Central | Policy3

You move WebApp1 to RG2.
What is the effect of the move?

A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
B. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
C. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
D. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.

A

A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1

You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region.
The region in which your app runs is the region of the App Service plan it’s in. However, you cannot change an App Service plan’s region.

52
Q

You have an Azure subscription.
Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business-app named App1 that runs on several Azure virtual machine. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a complete solution.

A. an internal load balancer
B. a public load balancer
C. an Azure Content Delivery Network (CDN)
D. Traffic Manager
E. an Azure Application Gateway

A

Correct Answer: A and E

A: The customer sites are connected through VPNs, so an internal load balancer is enough.

B: The customer sites are connected through VPNs, so there’s no need for a public load balancer, an internal load balancer is enough.

C: A CDN does not provide load balancing for applications, so it not relevant for this situation.

D: Traffic manager is a DNS based solution to direct users’ requests to the nearest (typically) instance and does not provide load balancing for this situation.

E: Azure Application Gateway is a valid option, as it provides load balancing in addition to routing and security functions

53
Q

You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?
A. Monitor
B. Advisor
C. Metrics
D. Customer insights

A

Correct Answer: B
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.

54
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: Unable to invite user user1@outlook.com ” Generic authorization exception.`
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?
A. From the Users settings blade, modify the External collaboration settings.
B. From the Custom domain names blade, add a custom domain.
C. From the Organizational relationships blade, add an identity provider.
D. From the Roles and administrators blade, assign the Security administrator role to Admin1.

A

A.

You can adjust the guest user settings, their access, who can invite them from “External collaboration settings”

55
Q

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.
What should you do?

A. Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
D. Create a new management group and delegate User1 as the owner of the new management group.

A

C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources

No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.

56
Q

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No

A

Correct Answer: A - Yes

Your account must have any one of the following Azure roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor.
Network Contributor role - Lets you manage networks, but not access to them.

Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.

57
Q

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No

A

Correct Answer: A

Your account must have any one of the following Azure roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor.
Network Contributor role - Lets you manage networks, but not access to them.

Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.

58
Q

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No

A

Correct Answer: B - NO

Reader role - View all resources, but does not allow you to make any changes.

59
Q

You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
A. Owner
B. Virtual Machine Contributor
C. Contributor
D. Virtual Machine Administrator Login

A

Correct Answer: C
Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC
Incorrect Answers:
A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
B: Virtual Machine Contributor: Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
D: Virtual Machine Administrator Login: View Virtual Machines in the portal and login as administrator.

60
Q

You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.

What should you do first?
A. From the Azure portal, modify the Managed Identity settings of VM1
B. From the Azure portal, modify the Access control (IAM) settings of RG1
C. From the Azure portal, modify the Access control (IAM) settings of VM1
D. From the Azure portal, modify the Policies settings of RG1

A

Correct Answer: A

Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. You can enable and disable the system-assigned managed identity for VM using the Azure portal.

RBAC manages who has access to Azure resources, what areas they have access to and what they can do with those resources. Examples of Role Based Access Control (RBAC) include: Allowing an app to access all resources in a resource group Policies on the other hand focus on resource properties during deployment and for already existing resources. As an example, a policy can be issued to ensure users can only deploy DS series VMs within a specified resource

61
Q

You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:

NAME | TYPE | DESCRIPTION
VM1 | VM | is running and configured to back up to Vault 1 daily
Vault1 | RSV |includes all backups of VM1
VNET1 | VN | has a resouce lock of type delete

You need to delete TestRG.
What should you do first?
A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1
B. Remove the resource lock from VNET1 and delete all data in Vault1
C. Turn off VM1 and remove the resource lock from VNET1
D. Turn off VM1 and delete all data in Vault1

A

Correct Answer: B

When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and currently stored operations.

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have.

You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.

So you have to remove the lock on order to delete the VNET and delete the backups in order to delete the vault.

62
Q

You have an Azure DNS zone named adatum.com.
You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.
What should you do?
A. Create an NS record named research in the adatum.com zone.
B. Create a PTR record named research in the adatum.com zone.
C. Modify the SOA record of adatum.com.
D. Create an A record named *.research in the adatum.com zone.

A

Correct Answer: A

An NS record or (name server record) tells recursive name servers which name servers are authoritative for a zone. You can have as many NS records as you would like in your zone file. The benefit of having multiple NS records is the redundancy of your DNS service.

You need to create a name server (NS) record for the zone.

63
Q

You have an Azure Active Directory (Azure AD) tenant that has the contoso.onmicrosoft.com domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence?

A. Add a record to the public contoso.com DNS Zone
B. Add a Azure AD tenant
C. Configure company branding
D. Create an Azure DNS Zone
E. Add a custom name
F. Verify the domain

A

A, E & F

  1. Add the custom domain name to your directory
  2. Add a DNS entry for the domain name at the domain name registrar
  3. Verify the custom domain name in Azure AD
64
Q

You have a registered DNS domain named contoso.com.
You create a public Azure DNS zone named contoso.com.
You need to ensure that records created in the contoso.com zone are resolvable from the internet.
What should you do?
A. Create NS records in contoso.com.
B. Modify the SOA record in the DNS domain registrar.
C. Create the SOA record in contoso.com.
D. Modify the NS records in the DNS domain registrar.

A

D. Modify the NS records in the DNS domain registrar.

To ensure that records created in the contoso.com zone are resolvable from the internet, you need to modify the NS (Name Server) records in the DNS domain registrar.

When you create a public Azure DNS zone named contoso.com, Azure assigns a set of NS records for that zone. These NS records specify the name servers responsible for handling DNS queries for the contoso.com domain. To make the records in the Azure DNS zone resolvable from the internet, you need to update the NS records at the DNS domain registrar to point to the name servers provided by Azure.

65
Q

You have the Azure resources shown on the following exhibit.

Tenant Root Group
Management group
Subscription
Resource Group
Virtual Machine

You plan to track resource usage and prevent the deletion of resources.
To which resources can you apply locks and tags?

A

Everything below Management group in the hierarchy.

Sub, RG & VM

66
Q

You have an Azure Active Directory (Azure AD) tenant.
You plan to delete multiple users by using Bulk delete in the Azure Active Directory admin center.
You need to create and upload a file for the bulk delete.
Which user attributes should you include in the file?
A. The user principal name and usage location of each user only
B. The user principal name of each user only
C. The display name of each user only
D. The display name and usage location of each user only
E. The display name and user principal name of each user only

A

B. The user principal name of each user only

To perform a bulk delete of users in Azure Active Directory, you need to create and upload a CSV file that contains the list of users to be deleted. The file should include the user principal name (UPN) of each user only. Therefore, the answer is B. The user principal name of each user only.
When you use the bulk delete feature in the Azure Active Directory admin center, you need to specify the UPN for each user that you want to delete. The UPN is a unique identifier for each user in Azure AD and is the primary way that Azure AD identifies and manages user accounts.
Including additional attributes like the display name or usage location is not required for the bulk delete operation, as the UPN is the only mandatory attribute for the user account. However, you may include additional attributes in the CSV file if you want to keep track of the metadata associated with each user account.

67
Q

You have three offices and an Azure subscription that contains an Azure Active Directory (Azure AD) tenant.
You need to grant user management permissions to a local administrator in each office.
What should you use?
A. Azure AD roles
B. administrative units
C. access packages in Azure AD entitlement management
D. Azure roles

A

B. Administrative units

Administrative units in Azure AD allow you to organize and delegate administrative tasks to specific administrative units. You can assign specific permissions and roles to administrators based on these units. This approach allows local administrators to have control over users and resources within their respective offices without having full global permissions. It’s a more granular and decentralized approach to user management.

Azure AD roles (Option A) typically deal with assigning permissions at a broader level, and they might not provide the necessary granularity for managing users within specific offices.

Access packages in Azure AD entitlement management (Option C) are used for granting access to resources and applications rather than delegating user management tasks.

Azure roles (Option D) are primarily focused on managing permissions for Azure resources and services, not user management within Azure AD.

So, the most suitable choice for delegating user management permissions to local administrators in different offices is “B. Administrative units.”

68
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
B. Assign User1 the Owner role for VNet1.
C. Assign User1 the Contributor role for VNet1.
D. Assign User1 the Network Contributor role for VNet1.

A

B. Owner correct

Owner = Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Contributor = Grants full access to manage all resources, but does NOT allow you to assign roles in Azure RBAC. (you cannot add users or changes their rights)
User Access Administrator = Lets you manage user access to Azure resources.
Reader = View all resources, but does not allow you to make any changes.
Security Admin = View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.
Network Contributor = Lets you manage networks, but not access to them. (so you can add VNET, subnet, etc)

69
Q

You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a file share named share1.
The subscription is linked to a hybrid Azure Active Directory (Azure AD) tenant that contains a security group named Group1.
You need to grant Group1 the Storage File Data SMB Share Elevated Contributor role for share1.
What should you do first?
A. Enable Active Directory Domain Service (AD DS) authentication for storage1.
B. Grant share-level permissions by using File Explorer.
C. Mount share1 by using File Explorer.
D. Create a private endpoint.

A

A. Enable Active Directory Domain Service (AD DS) authentication for storage1.

To grant the Group1 the Storage File Data SMB Share Elevated Contributor role for share1, you need to enable Active Directory Domain Service (AD DS) authentication for the storage account.

By enabling AD DS authentication, you allow Azure AD security groups to be used for granting access control to file shares in the storage account. This enables you to assign roles, such as the Storage File Data SMB Share Elevated Contributor role, to the security group Group1 for the specific file share share1.

Once AD DS authentication is enabled and the security group is assigned the appropriate role, Group1 will have the necessary permissions to access and manage the file share.

Therefore, enabling Active Directory Domain Service (AD DS) authentication for storage1 is the first step you should take to grant Group1 the Storage File Data SMB Share Elevated Contributor role for share1.

70
Q

You have 15 Azure subscriptions.
You have an Azure Active Directory (Azure AD) tenant that contains a security group named Group1.
You plan to purchase additional Azure subscription.
You need to ensure that Group1 can manage role assignments for the existing subscriptions and the planned subscriptions. The solution must meet the following requirements:
✑ Use the principle of least privilege.
✑ Minimize administrative effort.
What should you do?
A. Assign Group1 the Owner role for the root management group.
B. Assign Group1 the User Access Administrator role for the root management group.
C. Create a new management group and assign Group1 the User Access Administrator role for the group.
D. Create a new management group and assign Group1 the Owner role for the group.

A

B. Assign Group1 the User Access Administrator role for the root management group.

The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription.
Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have.
Each directory is given a single top-level management group called the “Root” management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level.
Incorrect:
Not C: A few directories that started using management groups early in the preview before June 25 2018 could see an issue where not all the subscriptions were within the hierarchy. The process to have all subscriptions in the hierarchy was put in place after a role or policy assignment was done on the root management group in the directory.

71
Q

You have two Azure subscriptions named Sub1 and Sub2.
An administrator creates a custom role that has an assignable scope to a resource group named RG1 in Sub1.
You need to ensure that you can apply the custom role to any resource group in Sub1 and Sub2. The solution must minimize administrative effort.

What should you do?
A. Select the custom role and add Sub1 and Sub2 to the assignable scopes. Remove RG1 from the assignable scopes.
B. Create a new custom role for Sub1. Create a new custom role for Sub2. Remove the role from RG1.
C. Create a new custom role for Sub1 and add Sub2 to the assignable scopes. Remove the role from RG1.
D. Select the custom role and add Sub1 to the assignable scopes. Remove RG1 from the assignable scopes. Create a new custom role for Sub2

A

A. Select the custom role and add Sub1 and Sub2 to the assignable scopes. Remove RG1 from the assignable scopes

To assure the solution minimizes the administrative effort, we just need to change the assignable scope list of the custom role.

72
Q

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.

You need to view the error events from a table named Event.

Which query should you run in Workspace1?

A. select * from Event where EventType == “error”
B. Event | search “error”
C. Event | where EventType is “error”
D. Get-Event Event | where {$_.EventType == “error”}

A

B. Event | search “error”

73
Q

You have an Azure App Services web app named App1.

You plan to deploy App1 by using Web Deploy.

You need to ensure that the developers of App1 can use their Azure AD credentials to deploy content to App1. The solution must use the principle of least privilege.

What should you do?

A. Assign the Owner role to the developers
B. Configure app-level credentials for FTPS
C. Assign the Website Contributor role to the developers
D. Configure user-level credentials for FTPS

A

C. Assign the Website Contributor role to the developers.
To allow the developers of App1 to use their Azure AD credentials to deploy content to App1 using Web Deploy, you should assign the Website Contributor role to the developers. This role provides the necessary permissions for developers to deploy content to the web app, but does not grant them excessive permissions that could be used to make unwanted changes.
Option A is not recommended as it would grant excessive permissions to the developers, which could be used to make unwanted changes.
Option B and D are not relevant to the scenario as the question is specifically asking for how to use Azure AD credentials for Web Deploy, not FTPS.
Option C is a potential solution, but the Website Contributor role provides a more targeted and appropriate level of permissions for the scenario.

74
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have a CSV file that contains the names and email addresses of 500 external users.

You need to create a guest user account in contoso.com for each of the 500 external users.

Solution: From Azure AD in the Azure portal, you use the Bulk invite users operation.

Does this meet the goal?

A. Yes
B. No

A

B. No

The question states “You have a CSV file that contains the names and email addresses of 500 external users.”
This implies that the required fields (Email and Redirection URL)are missing from the .csv file.
Here are the csv field pre-requisites that are needed for bulk upload of external users:

75
Q

You have an Azure subscription named Sub1 that contains two users named User1 and User2.

You need to assign role-based access control (RBAC) roles to User1 and User2. The users must be able to perform the following tasks in Sub1:

  • User1 must view the data in any storage account.
  • User2 must assign users the Contributor role for storage accounts.

The solution must use the principle of least privilege.

Which RBAC role should you assign to each user

A. Owner
B. Contributor
C. Reader and Data Access
D. Storage Account Contributor

A

User1: C
User 2: A

76
Q

You have an Azure subscription that contains 10 virtual machines, a key vault named Vault1, and a network security group (NSG) named NSG1. All the resources are deployed to the East US Azure region.

The virtual machines are protected by using NSG1. NSG1 is configured to block all outbound traffic to the internet.

You need to ensure that the virtual machines can access Vault1. The solution must use the principle of least privilege and minimize administrative effort

What should you configure as the destination of the outbound security rule for NSG1?

A. an application security group
B. a service tag
C. an IP address range

A

The correct answer is B. a service tag.

In order to ensure that the virtual machines can access Vault1 while also using the principle of least privilege and minimizing administrative effort, you should configure a service tag as the destination of the outbound security rule for NSG1. Service tags represent a group of IP addresses associated with Azure PaaS and SaaS services. By specifying a service tag as the destination of the outbound security rule, you can allow the virtual machines to access Vault1 without having to manually specify the IP addresses of Vault1. This reduces administrative effort and ensures that the virtual machines are only able to access Vault1, rather than any other internet destination.

77
Q

You have an Azure AD tenant named adatum.com that contains the groups shown in the following table.

NAME | MEMBER OF
Group1 | None
Group2 | Group1
Group3 | Group 2

Adatum.com contains the users shown in the following table.

NAME |MEMBER OF
User1 | Group1
User2 | Group2
User3 | Group3
User4 | None

You assign the Azure Active Directory Premium Plan 2 license to Group1 and User4.

Which users are assigned the Azure Active Directory Premium Plan 2 license?

A. User4 only
B. User1 and User4 only
C. User1, User2, and User4 only
D. User1, User2, User3, and User4

A

B. User1 and User4 only

https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-group-advanced
Under Limitations and known issues:
“Group-based licensing currently does not support groups that contain other groups (nested groups). If you apply a license to a nested group, only the immediate first-level user members of the group have the licenses applied.”

78
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.

Subscription1 has a user named User1. User1 has the following roles:

  • Reader
  • Security Admin
  • Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

A. Assign User1 the Network Contributor role for VNet1.
B. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
C. Assign User1 the Owner role for VNet1.
D. Assign User1 the Network Contributor role for RG1.

A

C. Assign User1 the Owner role for VNet1.

There is only two choices for that puspose;

  • Assign User1 the Owner role for VNet1.
  • Assign User1 the User Access Administrator role for VNet1.
79
Q

Your on-premises network contains a VPN gateway.

You have an Azure subscription that contains the resources shown in the following table.

NAME | TYPE |DESCRIPTION
vgw1 | Virtual network gateway |for site to site VPN to the on-prem network
storage1| Storage Account |Standard perforamnce tier
Vnet1 |VN | Enabled forced tunneling
VM1 |VM |Conneced to Vnet1

You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network.

What should you configure?

A. Azure Application Gateway
B. private endpoints
C. a network security group (NSG)
D. Azure Virtual WAN

A

B. private endpoints

Per the MS documentation, private endpoint seems to be the proper choice: “You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses a separate IP address from the VNet address space for each storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.”

80
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.

Subscription1 has a user named User1. User1 has the following roles:

  • Reader
  • Security Admin
  • Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

A. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
B. Assign User1 the Access Administrator role for VNet1.
C. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
D. Assign User1 the Network Contributor role for RG1.

A

B. Assign User1 the Access Administrator role for VNet1

81
Q

You have three Azure subscriptions named Sub1, Sub2, and Sub3 that are linked to an Azure AD tenant.

The tenant contains a user named User1, a security group named Group1, and a management group named MG1. User is a member of Group1.

Sub1 and Sub2 are members of MG1. Sub1 contains a resource group named RG1. RG1 contains five Azure functions.

You create the following role assignments for MG1:

  • Group1: Reader
  • User1: User Access Administrator

You assign User the Virtual Machine Contributor role for Sub1 and Sub2.

  1. The Group1 members can view the configurations of the Azure functions? Y/N
  2. User1 can assign the Owner role for RG1? Y/N
  3. User1 can create a new reource group and deploy a virtual machine to the new group? Y/N
A
  1. Yes - Reader access provides access to view all items exept secrets
  2. Yes - both owner and user admin can assign owner
  3. No - neither user access admin role or the reader role allows to create new resources
82
Q

You have an Azure subscription that contains the resources shown in the following table.

NAME | DESCRIPTION
share1 |File share in storage 1
storage1 |Storage account
User1 | Azure AD user

You need to assign User1 the Storage File Data SMB Share Contributor role for share1.

What should you do first?

A. Enable identity-based data access for the file shares in storage1.
B. Modify the security profile for the file shares in storage1.
C. Select Default to Azure Active Directory authorization in the Azure portal for storage1.
D. Configure Access control (IAM) for share1.

A

D. Configure Access control (IAM) for share1.

83
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.

Subscription1 has a user named User1. User1 has the following roles:

  • Reader
  • Security Admin
  • Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

A. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
B. Assign User1 the User Access Administrator role for VNet1.
C. Remove User1 from the Security Reader and Reader roles for Subscription1.
D. Assign User1 the Contributor role for VNet1.

A

B. Assign User1 the User Access Administrator role for VNet1.

84
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have a CSV file that contains the names and email addresses of 500 external users.

You need to create a guest user account in contoso.com for each of the 500 external users.

Solution: You create a PowerShell script that runs the New-MgUser cmdlet for each external user.

Does this meet the goal?

A. Yes
B. No

A

The New-MgUser cmdlet is part of the Microsoft Graph PowerShell module, and it’s used for creating new users in Azure AD. However, when creating guest users (or B2B users), you typically would invite them rather than create them like regular members.

The cmdlet you’d want to use for inviting external guest users is New-AzureADMSInvitation if you’re using the AzureAD module or a related command in the Microsoft Graph module.

Given the provided solution, the answer is:

B. No

85
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have a CSV file that contains the names and email addresses of 500 external users.

You need to create a guest user account in contoso.com for each of the 500 external users.

Solution: You create a PowerShell script that runs the New-MgInvitation cmdlet for each external user.

Does this meet the goal?

A. Yes
B. No

A

The New-MgInvitation cmdlet is part of the Microsoft Graph PowerShell module. It’s used to create an invitation to an external user. When the invited user redeems their invitation, a guest user is created in the directory.

If you use a PowerShell script that loops through each external user in the CSV file and runs the New-MgInvitation cmdlet for each of them, it will send out invitation emails to each of those external users. Once an external user accepts the invitation, they’ll be added to the Azure AD tenant as a guest user.

So, using the New-MgInvitation cmdlet in a PowerShell script for each external user does meet the goal of creating a guest user account in contoso.com for each of the 500 external users.

The answer is:

A. Yes

86
Q

You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.

You need to use AzCopy to copy data to the blob storage and file storage in storage1.

Which authentication method should you use for each type of storage?

  1. Blob storage?
  2. File storage?
A
  1. Azure AD and SAS
  2. SAS only
87
Q

You have an Azure subscription named Subscription1 that contains virtual network named VNet1. VNet1 is in a resource group named RG1.

A user named User1 has the following roles for Subscription1:

  • Reader
  • Security Admin
  • Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

A. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
B. Assign User1 the Contributor role for VNet1.
C. Assign User1 the Owner role for VNet1.
D. Assign User1 the Network Contributor role for RG1.

A

C. Assign User1 the Owner role for VNet1

88
Q

You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:
NAME | Account kind | Azure serrvice that contains data
storage1 | Storage | File
storage2 | StorageV2 (GPv2) |File, Table
storage3 | StorageV2 (GPv2) | Queue
storage4 | BlobStorage|Blob

You plan to use the Azure Import/Export service to export data from Subscription1.
You need to identify which storage account can be used to export the data.
What should you identify?
A. storage1
B. storage2
C. storage3
D. storage4

A

Correct Answer: D

Azure Import/Export service supports the following of storage accounts:
✑ Standard General Purpose v2 storage accounts (recommended for most scenarios)
✑ Blob Storage accounts
✑ General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments),

Azure Import/Export service supports the following storage types:
✑ Import supports Azure Blob storage and Azure File storage
✑ Export supports Azure Blob storage. Azure Files not supported.

Only storage4 can be exported.

89
Q

You have an Azure Storage account named storage1.
You have an Azure App Service app named App1 and an app named App2 that runs in an Azure container instance. Each app uses a managed identity.
You need to ensure that App1 and App2 can read blobs from storage1. The solution must meet the following requirements:
✑ Minimize the number of secrets used.
✑ Ensure that App2 can only read from storage1 for the next 30 days.
What should you configure in storage1 for each app?

  1. Access Keys
  2. Advanced security
  3. Access control ( IAM)
  4. Shared access signatures
A

App1: Access control (IAM)
Since the App1 uses Managed Identity, App1 can access the Storage Account via IAM. As per requirement, we need to minimize the number of secrets used, so Access keys is not ideal.

App2: SAS
We need temp access for App2, so we need to use SAS.

90
Q

You need to create an Azure Storage account that meets the following requirements:
✑ Minimizes costs
✑ Supports hot, cool, and archive blob tiers
✑ Provides fault tolerance if a disaster affects the Azure region where the account resides
How should you complete the command? To answer, select the appropriate options in the answer area.

Kind?
- FileStorage
- Storage
- StorageV2

SKU?
- Standard_GRS
- Standard_LRS
- Standard_RAGRS
- Premium_LRS

A

Kind: StorageV2
SKU: Standard_GRS

91
Q

You have an Azure subscription that contains the resources in the following table.

NAME| TYPE
RG1 | Resource Group
store1 | Azure Storage account
Sync1 | Azure File Sync

Store1 contains a file share named data. Data contains 5,000 files.
You need to synchronize the files in the file share named data to an on-premises server named Server1.
Which three actions should you perform? Each correct answer presents part of the solution.

A. Create a container instance
B. Register Server1
C. Install the Azure File Sync agent on Server1
D. Download an automation script
E. Create a sync group

A

Correct Answer: B, C and E

Step 1: Install the Azure File Sync agent on Server1. The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.

Step 2: Register Server1. Register Windows Server with Storage Sync Service. Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server and the Storage Sync Service.

Step 3: Create a sync group and a cloud endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server.

92
Q

You have an Azure subscription that contains a storage account.
You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of data.
You need to transfer the data to the storage account by using the Azure Import/Export service.
In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.

  • From the Azure portal, update the import job
  • From the Azure portal, create an import job
  • Attach an external disk to Server 1 and then run waimportexport.exe
  • Detach the external disks from Server1 and ship the disks to an Azure data center
A

Step 1: Prepare the drives (Attach an external disk to Server1 and then run waimportexport.exe)
Step 2: Create an import job (From the Azure portal, create an import job)
Step 3: Ship the drives to the Azure datacenter (Detach the external disks from Server1 and ship the disks to an Azure data center)
Step 4: Update the job with tracking information (From the Azure portal, update the import job)

93
Q

You have an Azure File sync group that has the endpoints shown in the following table.

NAME | TYPE
Endpoint1 | Cloud endpoint
Endpoint2 | Server endpoint
Endpoint3 | Server endpoint

Cloud tiering is enabled for Endpoint3.
You add a file named File1 to Endpoint1 and a file named File2 to Endpoint2.

On which endpoints will File1 and File2 be available within 24 hours of adding the files?

A

Correct Answer:

File1: Endpoint1 only
It is a cloud endpoint, and it is scanned by the detection job every 24 hours.

File2: Endpoint1, Endpoint2 and Endpoint3
With the on-premises servers the file is scanned and synced automatically after it’s being added.

Note: They changed the question in Exam from “within 24 hours” to “after 24 hours”.
So, the answer is:
File1: Endpoint1, Endpoint2 and Endpoint3
File2: Endpoint1, Endpoint2 and Endpoint3

94
Q

You have an on-premises file server named Server1 that runs Windows Server 2016.
You have an Azure subscription that contains an Azure file share.
You deploy an Azure File Sync Storage Sync Service, and you create a sync group.
You need to synchronize files from Server1 to Azure.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

A. Install the Azure File Sync agent on Server1
B. Create an Azure on-premises data gateway
C. Create a Recovery Services Vault
D. Register Server1
E. Add a server endpoint
F. Install the DFS Replication serer role on Server1

A

A. D. E.

Step 1: Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share

Step 2: Register Server1
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.

Step 3: Add a server endpoint
Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server.

95
Q

You plan to create an Azure Storage account in the Azure region of East US 2.
You need to create a storage account that meets the following requirements:
✑ Replicates synchronously.
✑ Remains available if a single data center in the region fails.
How should you configure the storage account? To answer, select the appropriate options in the answer area.

Replication?
- GRS
- LRS
- RA-GRS
- ZRS

Account type?
- Blob storage
- GPv1
- GPv2

A

Replication:
Zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single Region.
GRS protects against Zone failure, while ZRS protects against data center failure.
LRS would not remain available if a data center in the region fails.
GRS and RA GRS use asynchronous replication.

Account type?
StorageV2 (general purpose V2)

96
Q

You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. an XML manifest file
B. a dataset CSV file
C. a JSON configuration file
D. a PowerShell PS1 file
E. a driveset CSV file

A

Correct Answer: B and E

Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries in the dataset.csv file

Modify the driveset.csv file in the root folder where the tool is.

97
Q

You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault.
What should you do first?
A. From the Recovery Service vault, delete the backup data.
B. Modify the disaster recovery properties of each virtual machine.
C. Modify the locks of each virtual machine.
D. From the Recovery Service vault, stop the backup of each backup item.

A

D. From the Recovery Service vault, stop the backup of each backup item.

98
Q

You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. a virtual machine
B. an Azure Cosmos DB database
C. Azure File Storage
D. the Azure File Sync Storage Sync Service

A

Correct Answer: C

Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. This service can also be used to transfer data from Azure Blob storage to disk drives and ship to your on-premises sites. Data from one or more disk drives can be imported either to Azure Blob storage or Azure Files. The maximum size of an Azure Files Resource of a file share is 5 TB.

Note: There are several versions of this question in the exam. The question has two correct answers:
1. Azure File Storage
or
2. Azure Blob Storage

The question can have other incorrect answer options, including the following:
✑ Azure Data Lake Store
✑ Azure SQL Database
✑ Azure Data Factory

99
Q

You have an Azure Storage account named storage1.
You plan to use AzCopy to copy data to storage1.
You need to identify the storage services in storage1 to which you can copy the data.
Which storage services should you identify?
A. blob, file, table, and queue
B. blob and file only
C. file and table only
D. file only
E. blob, table, and queue only

A

B. blob and file only

100
Q

You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL Server instance that requires persistent storage.
You need to configure a storage service for Container1.
What should you use?
A. Azure Files
B. Azure Blob storage
C. Azure Queue storage
D. Azure Table storage

A

A. Azure Files

101
Q

You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2.
You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the hardware hosting
VM1 and VM2.
What should you include in the Availability Set?
A. one update domain
B. two fault domains
C. one fault domain
D. two update domains

A

D. two update domains

102
Q

You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. an Azure Cosmos DB database
B. Azure Blob storage
C. Azure Data Lake Store
D. the Azure File Sync Storage Sync Service

A

B. Azure Blob storage

103
Q

You have an Azure subscription that contains an Azure file share.
You have an on-premises server named Server1 that runs Windows Server 2016.
You plan to set up Azure File Sync between Server1 and the Azure file share.
You need to prepare the subscription for the planned Azure File Sync.
Which two actions should you perform in the Azure subscription? To answer, drag the appropriate actions to the correct targets. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  • Create a Storage Sync Service
  • Install the Azure File Sync Agent
  • Create a sync Group
  • Run Server Registratoin
A

Correct Answer:

First action: Create a Storage Sync Service
The deployment of Azure File Sync starts with placing a Storage Sync Service resource into a resource group of your selected subscription.

Second action: Install the Azure File Sync agent
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.

  1. Prepare Windows Server to use with Azure File Sync
  2. Deploy the Storage Sync Service
  3. Install the Azure File Sync agent
  4. Register Windows Server with Storage Sync Service
  5. Create a sync group and a cloud endpoint
  6. Create a server endpoint
  7. Configure firewall and virtual network settings
104
Q
A

AZ104 (3 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions