Microsoft AZ-104 Full Practice Tests 15.pdf Flashcards
You have an Azure subscription that contains a resource group named RG1.
You have a group named Group1 that is assigned the Contributor role for RG1.
You need to ensure that Group1 can establish an RDP connection to the virtual machines through a shared external IP address.
What should you use to ensure that Group1 can establish an RDP connection to the virtual machines through a shared external IP address?
- Azure Policy
- Azure Bastion
- Virtual network service endpoints
- Azure Firewall
- Azure Web Application Firewall (WAF)
Azure Bastion
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual
machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software.
https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal
INCORRECT ANSWERS:
Azure Policy – Azure policy is used to enforce organizational standards.
Virtual network service endpoints – Service endpoints are used to enable direct connectivity between Azure Service over Microsoft Backbone network.
Azure Firewall – Azure Firewall is to control inbound and outbound traffic.
Azure Web Application Firewall (WAF) – WAF is to protect web applications from common exploits and
vulnerabilities.
You have a resource group named RG1 that contains the following:
A virtual network that contains two subnets named Subnet1 and AzureFirewallSubnet
An Azure Storage account named storageaccount1
An Azure firewall deployed to AzureFirewallSubnet
You need to ensure that storageaccount1 is accessible from Subnet1 over the Azure backbone network.
What should you do?
- Modify the Firewalls and virtual networks settings for storageaccount1.
- Create a stored access policy for storageaccount1.
- Implement a virtual network service endpoint.
- Remove the Azure firewall.
Implement a virtual network service endpoint.
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
INCORRECT ANSWERS:
Modify the Firewalls and virtual networks settings for storageaccount1. – Modifying firewalls either allow or deny traffic.
Create a stored access policy for storageaccount1. – A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.
Remove the Azure firewall – By removing the firewall, you are removing the control on inbound and outbound traffic.
You create an Azure virtual machine named VM1 in a resource group named RG1.
You discover that VM1 performs slower than expected. You need to capture a network trace on VM1.
What should you do?
- From the VM1 blade, configure Connection troubleshoot.
- From Diagnostic settings for VM1, configure the performance counters to include network counters.
- From the VM1 blade, install performance diagnostics and run advanced performance analysis.
- From Diagnostic settings for VM1, configure the log level of the diagnostic agent.
From the VM1 blade, install performance diagnostics and run advanced performance analysis.
The performance diagnostics tool helps you troubleshoot performance issues that can affect a Windows or Linux virtual machine (VM). Supported troubleshooting scenarios include quick checks on known issues and best practices, and complex problems that involve slow VM performance or high usage of CPU, disk space, or memory.
It Checks for known issues, analyzes best practices, and collects diagnostics data and captures a network trace and SMB counters.
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-
diagnostics#select-an-analysis-scenario-to-run
Your company has an Azure environment that will contain many subscriptions. You are creating an Azure Policy as part of a governance solution.
To which three scopes can you assign Azure Policy definitions?
management groups
subscriptions
Azure Active Directory (Azure AD) tenants
resource groups
Azure Active Directory (Azure AD) administrative units
compute resources
management groups
subscriptions
resource groups
An assignment is a policy definition or initiative that has been assigned to take place within a specific scope. This scope could range from a management group to an individual resource. The term scope refers to all the resources, resource groups, subscriptions, or management groups that the definition is assigned to. Assignments are inherited by all child resources. This design means that a definition applied to a resource group is also applied to resources in that resource group. However, you can exclude a subscope from the assignment.
For example, at the subscription scope, you can assign a definition that prevents the creation of networking resources. You could exclude a resource group in that subscription that is intended for networking infrastructure. You then grant access to this networking resource group to users that you
trust with creating networking resources.
https://docs.microsoft.com/en-us/azure/governance/policy/overview
INCORRECT ANSWERS:
Azure Active Directory (Azure AD) tenants – You can assign Azure Policy to a management group, subscription or resource group.
Azure Active Directory (Azure AD) administrative units- You can assign Azure Policy to a management group, subscription or resource group.
compute resources- You can assign Azure Policy to a management group, subscription or resource group.
You are implementing self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD). You need to select authentication mechanisms that can be used for both MFA
and SSPR.
Which two authentication methods should you use?
- Short Message Service (SMS) messages
- Microsoft Authenticator App
- Email addresses
- Security questions
- App passwords
Short Message Service (SMS) messages
Microsoft Authenticator App
SMS-based sign-in is great for front-line workers. With SMS-based sign-in, users don’t need to know a username and password to access applications and services. The user instead enters their registered
mobile phone number, receives a text message with a verification code, and enters that in the sign-ininterface.
Users can also verify themselves using a mobile phone or office phone as secondary form ofauthentication used during Azure Multi-Factor Authentication or self-service password reset (SSPR).
The Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android, iOS, and Windows Phone. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or Azure Multi-Factor Authentication events.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
INCORRECT ANSWERS:
Email addresses – only used for SSPR
Security questions – only used for SSPR
App passwords – Can be used as primary authentication method for legacy apps, but cannot be used for both MFA & SSPR
You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
- Owner
- Virtual Machine Contributor
- Contributor
- Virtual Machine Administrator Login
Contributor
Contributor role allows you to manage both virtual machines and virtual networks.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
INCORRECT ANSWERS:
Owner – Owner role allows you to manage both virtual machines and virtual networks, however it is not a least privileged role.
Virtual Machine Contributor – Virtual Machine Contributor lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to. Virtual Machine Administrator Login – View Virtual Machines in the portal and login as administrator
You have an Azure Storage account named storage1.
You plan to use AzCopy to copy data to storage1. You need to identify the storage services in storage1 to which you can copy the data.
What should you identify?
- blob, file, table, and queue
- blob and file only
- file and table only
- file only
- blob, table, and queue only
blob and file only
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
INCORRECT ANSWERS:
AzCopy does not support copying data to Table & Queue.
You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL Server instance that requires persistent storage.
You need to configure a storage service for Container1.
What should you use?
- Azure Files
- Azure Blob storage
- Azure Queue storage
- Azure Table storage
Azure Files
Azure file shares can be used as persistent volumes for stateful containers. Containers deliver “build once, run anywhere” capabilities that enable developers to accelerate innovation. For the containers that access raw data at every start, a shared file system is required to allow these containers to access the file system no matter which instance they run on.
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction
INCORRECT ANSWERS:
Azure Blob storage – Blob storage is optimized for storing massive amounts of unstructured data.
Azure Queue storage – Queue storage is for storing messages in distributed applications.
Azure Table storage – Table storage is for storing semi-structured data.
You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2.
You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the hardware hosting VM1 and VM2.
What should you include in the Availability Set?
- one update domain
- two fault domains
- one fault domain
- two update domains
two update domains
The hardware in a location is divided in to multiple update domains and fault domains. An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time. VMs in the same fault domain share common storage as well as a common power source and network switch.
Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update. To reduce the impact on VMs, the Azure fabric is divided into update domains to ensure that not all VMs are rebooted at the same time.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets
INCORRECT ANSWERS:
one update domain – Adding VMs in the same update domain will not suffice the requirements since it shares same underlying physical hardware that can be rebooted at the same time.
two fault domains – Fault domains define the group of virtual machines that share a common power source and network switch, it is group VMs for unplanned outages like power failures.
one fault domain – Fault domains define the group of virtual machines that share a common power source and network switch, it is group VMs for unplanned outages like power failures.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table: (see image)
You plan to configure Azure Backup reports for Vault1.
You are configuring the Diagnostics settings for the AzureBackupReports log.
Which storage accounts can you use for the Azure Backup reports of Vault1?
- storage1 only
- storage2 only
- storage3 only
- storage1, storage2 and storage3
storage3 only
To create a vault to protect any data source, the vault must be in the same region as the data source.
Storage account must be in the same region as your Recovery Service Vault.
https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault
INCORRECT ANSWERS:
storage1 only – storage1 and vault1 are not in same region.
storage2 only – storage2 and vault1 are not in same region.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table: (see image)
You plan to configure Azure Backup reports for Vault1.
You are configuring the Diagnostics settings for the AzureBackupReports log.
Which Log Analytics workspaces can you use for the Azure Backup reports of Vault1?
- Analytics1 only
- Analytics2 only
- Analytics3 only
- Analytics1, Analytics2 and Analytics3
Analytics1, Analytics2 and Analytics3
The location and subscription where this Log Analytics workspace can be created is independent of the location and subscription where your vaults exist.
https://docs.microsoft.com/en-us/azure/backup/configure-reports
INCORRECT ANSWERS:
Analytics1 only – You can use any workspace
Analytics2 only – You can use any workspace
Analytics3 only – You can use any workspace
You have an on-premises server that contains a folder named D:\Folder1.
You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named companydata.
Which command should you run?
- https://companydata.blob.core.windows.net/public
- azcopy sync D:\folder1 https://companydata.blob.core.windows.net/public –snapshot
- azcopy copy D:\folder1 https://companydata.blob.core.windows.net/public –recursive
- az storage blob copy start-batch D:\Folder1 https://companydata.blob.core.windows.net/public
azcopy copy D:\folder1 https://companydata.blob.core.windows.net/public –recursive
The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container by the same name.
Syntax is : azcopy copy ‘‘ ‘https://..core.windows.net/‘ –recursive
Append the –recursive flag to upload files in all subdirectories.
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs-upload
INCORRECT ANSWERS:
All incorrect answers does not match with azcopy syntax.
https://companydata.blob.core.windows.net/public
azcopy sync D:\folder1 https://companydata.blob.core.windows.net/public –snapshot
az storage blob copy start-batch D:\Folder1 https://companydata.blob.core.windows.net/public
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table. (see image)
VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2.
An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.
You need to move the custom application to VNet2. The solution must minimize administrative effort.
Which two actions should you perform?
- Detach VM1 network interface
- Attach a new network interface
- Move network interface to RG2
- Move VM1 to RG2
- Delete VM1
- Create a new virtual machine in VNet2
Delete VM1
Create a new virtual machine in VNet2
Microsoft does not support moving VMs between virtual networks. So, we have delete the VM and create a new VM in target VNet.
Detailed steps are mentioned in the below article.
https://docs.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-move-a-vm-to-a-different-vnet-on-
azure
You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?
- an Azure Key Vault and an access policy
- an Azure Storage account and an access policy
- a Recovery Services vault and a backup policy
- Azure Active Directory (AD) Identity Protection and an Azure policy
an Azure Key Vault and an access policy
When you create a virtual machine (VM). You need to provide the VM administrator username and password. Instead of providing the password, you can pre-store the password in an Azure key vault and then customize the template to retrieve the password from the key vault during the deployment.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault
INCORRECT ANSWERS:
an Azure Storage account and an access policy Storage account is used to store the blobs. Not recommended to store sensitive data like passwords.
a Recovery Services vault and a backup policy Recovery services vault is to store backups.
Azure Active Directory (AD) Identity Protection and an Azure policy Identity protection is to detect and investigate identity based risks.
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
Which two actions should you perform?
- Upload a configuration script
- Create an automation account
- Create an Azure policy
- Modify the extensionProfile section of the Azure Resource Manager template
- Create a new virtual scale set in the Azure portal
Upload a configuration script
Modify the extensionProfile section of the Azure Resource Manager template
When you define a virtual machine scale set with an Azure template, the Microsoft.Compute/virtualMachineScaleSets resource provider can include a section on extensions.
The extensionsProfile details what is applied to the VM instances in a scale set. To use the Custom Script Extension, you specify a publisher of Microsoft.Azure.Extensions and a type of CustomScript.
The Custom Script Extension downloads and executes scripts on Azure VMs.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
INCORRECT ANSWERS:
Create an automation account Automation account is to automate azure management tasks.
Create an Azure policy Azure policy is to enforce organizational standards.
Create a new virtual scale set in the Azure portal You already have a virtual machine scale set.
You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named Computer1 that runs Windows 10. Computer1 that has the Azure CLI installed.
You need to install the kubectl client on Computer1.
Which command should you run?
- az aks install-cli
- docker aks install-cli
- msiexec.exe aks install-cli
- az /package install-cli
az aks install-cli
To install kubectl locally, use the az aks install-cli command
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
INCORRECT ANSWERS:
docker aks install-cli No such command exists
msiexec.exe aks install-cli msiexec.exe is to install windows installer packages
az /package install-cli No such command exists
You create an App Service plan named Plan1 and an Azure web app named webapp1.
You discover that the option to create a staging slot is unavailable.
You need to create a staging slot for Plan1.
What should you do first?
- From Plan1, scale up the App Service plan
- From webapp1, modify the Application settings
- From webapp1, add a custom domain
- From Plan1, scale out the App Service plan
From Plan1, scale up the App Service plan
The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.
If the app isn’t already in the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged publishing. At this point, you have the option to select Upgrade and go to the Scale tab of your app before continuing.
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
INCORRECT ANSWERS:
From webapp1, modify the Application settings Slots are available based on app service plan, nothing to do with application settings.
From webapp1, add a custom domain Slots are not dependent on custom domains.
From Plan1, scale out the App Service plan scale out will increase the number of application instances. It will not create slots.
You have an Azure subscription that contains a web app named webapp1.
You need to add a custom domain named http://www.preparationlabs.com to webapp1.
What should you do first?
Create a DNS record
Add a connection string
Upload a certificate.
Stop webapp1.
Create a DNS record
First purchase a domain name, and make sure you have access to the DNS registry for your domain provider. Then you can map the custom domain to your Azure web app. To add a custom domain to your app, you need to verify your ownership of the domain by adding a verification ID as a TXT record with your domain provider.
https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain
INCORRECT ANSWERS:
Add a connection string Custom domain is not related to application settings or connection strings.
Upload a certificate. Uploading a certificate will make application to access on https protocol
Stop webapp1. No need to stop the web site to add a custom domain.
You have a deployment template named Template1 that is used to deploy 10 Azure web apps.
You need to identify what to deploy before you deploy Template1. The solution must minimize Azure costs.
What should you identify?
- five Azure Application Gateways
- one App Service plan
- 10 App Service plans
- one Azure Traffic Manager
- one Azure Application Gateway
one App Service plan
You must create an app service plan before deploying web apps. One app service plan can have multiple web apps. To reduce the costs, create one app service and use it for 10 web apps.
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
INCORRECT ANSWERS:
five Azure Application Gateways Application gateway is a traffic load balancer. It is not a pre-requisite to create web apps.
10 App Service plans App service plan is mandatory to create a web app. However, 10 app service plans will increase the cost.
one Azure Traffic Manager Traffic manager is also a load balancer, not a pre-requisite to create web apps.
one Azure Application Gateway – Application gateway is a traffic load balancer. It is not a pre-requisite to create web apps.
You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size.
You plan to make the following changes to VM1:
Change the size to D8s v3.
Add a 500-GB managed disk.
Add the Puppet Agent extension.
Enable Desired State Configuration Management.
Which change will cause downtime for VM1?
Enable Desired State Configuration Management
Add a 500-GB managed disk
Change the size to D8s v3
Add the Puppet Agent extension
Change the size to D8s v3
After you create a virtual machine (VM), you can scale the VM up or down by changing the VM size. In some cases, you must deallocate the VM first. This can happen if the new size is not available on the hardware cluster that is currently hosting the VM. If the virtual machine is currently running, changing its size will cause it to be restarted.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/resize-vm
INCORRECT ANSWERS:
Enable Desired State Configuration Management VM restart is not required.
Add a 500-GB managed disk You can add managed disks while VM is running.
Add the Puppet Agent extension VM restart is not required.
You have an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to configure cluster autoscaler for AKS1.
Which two tools should you use?
the kubectl command
the az aks command
the Set-AzVm cmdlet
the Azure portal
the Set-AzAks cmdlet
the kubectl command
the az aks command\
The following example uses the kubectl autoscale command to autoscale the number of pods in the azure-vote-front deployment. If average CPU utilization across all pods exceeds 50% of their requested usage, the autoscaler increases the pods up to a maximum of 10 instances. A minimum of 3 instances is then defined for the deployment: kubectl autoscale deployment azure-vote-front –cpu-percent=50 –min=3 –max=10
Use the az aks update command to enable and configure the cluster autoscaler on the node pool for the existing cluster.
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-scale
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
INCORRECT ANSWERS:
the Set-AzVm cmdlet This command sets VM as generalized
the Azure portal Not a valid command
the Set-AzAks cmdlet Creates or updates a Kubernetes cluster
You create the following resources in an Azure subscription:
An Azure Container Registry instance named Registry1
An Azure Kubernetes Service (AKS) cluster named Cluster1
You create a container image named App1 on your administrative workstation.
You need to deploy App1 to Cluster1.
What should you do first?
Run the docker push command.
Create an App Service plan.
Run the az acr build command.
the az aks create command.
Run the az acr build command.
You should sign in and push a container image to Container Registry.
Run the az acr build command to build and push the container image. az acr build \
–image contoso-website \
–registry $ACR_NAME \
–file Dockerfile .
https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app
INCORRECT ANSWERS:
Run the docker push command. We can use docker push command to push an image. However, there is no mention of docker tag in the question. So, I will rule out this option.
Create an App Service plan. No need of app service plan
the az aks create command. This command creates a new managed Kubernetes cluster. We already have a cluster.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
- Yes
- No
No
Resource lock is used to avoid accidental deletion of Azure resources
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
Does this meet the goal?
- Yes
- No
No
Instead, use Azure policy.
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You assign a built-in policy definition to the subscription.
Does this meet the goal?
- Yes
- No
No
Built-in Azure policies does not provide the policy required for this requirement.
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?
- Yes
- No
Yes
You can create a custom policy to block port 8080. Azure policy enables you to establish conventions for resources in your subscription by describing when the policy is enforced and what effect to take.
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.
The virtual networks have the address spaces and the subnets configured as shown in the following table. (see image)
You need to add the address space of 10.33.0.0/16 to VNet1. You need to ensure that the hosts on VNet1 and VNet2 can communicate.
Which three actions should you perform in sequence?
- Add the 10.33.0.0/16 address space to VNet1 Remove peering between VNet1 and VNet2 Recreate peering between VNet1 and VNet2
- Remove peering between VNet1 and VNet2 Add the 10.33.0.0/16 address space to VNet1 Recreate peering between VNet1 and VNet2
- Remove VNet1 Create VNet1 with new IP ranges Create peering between VNet1 and VNet2
Remove peering between VNet1 and VNet2 Add the 10.33.0.0/16 address space to VNet1 Recreate peering between VNet1 and VNet2
You can’t add address ranges to, or delete address ranges from a virtual network’s address space once a virtual network is peered with another virtual network.
To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
You have an Azure Active Directory (Azure AD) tenant named preparationlabs.com that contains the users shown in the following table: (see image 1)
User3 is the owner of Group1. Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit: (see image 2)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1. User3 can perform an access review of User1
2. User3 can perform an access review of UserA
3. User3 can perform an access review of UserB
- Yes, Yes, Yes
- No, No, Yes
- Yes, No, Yes
- No, Yes, Yes
No, No, Yes
The access review Review1 is scoped only for Guest users in Group1.
1. User1 is not a guest users in Group1.So, the answer is No
2. Similarly, UserA is not a guest user. So, the answer is No.
3. UserB is a guest user and Group2 is a member of Group1. So, the group owner (User3) can perform access review for UserB.
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
You have an Azure policy as shown in the following exhibit: (see image)
Parameters:
Not allowed resource types: Microsoft.Sql/servers
What is the effect of the policy?
- You are prevented from creating Azure SQL servers anywhere in the Free Trial Subscription.
- You can create Azure SQL servers in RG1 only.
- You are prevented from creating Azure SQL Servers in RG1 only.
- You can create Azure SQL servers in any resource group within Free Trial Subscription.
You can create Azure SQL servers in RG1 only.
The resource group RG1 is excluded from policy assignment. So, you can create Azure SQL Server in
RG1 only.
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
INCORRECT ANSWERS:
You are prevented from creating Azure SQL servers anywhere in the Free Trial Subscription. RG1 is
excluded from policy.
You are prevented from creating Azure SQL Servers in RG1 only.
— RG1 is excluded from policy.
You can create Azure SQL servers in any resource group within Free Trial Subscription. Only in RG1 it is
allowed.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table: (see image)
You create a new Azure subscription named Subscription2.
You need to identify which resources can be moved to Subscription2.
Which resources should you identify?
- VM1, storage1, VNET1, and VM1Managed only
- VM1 and VM1Managed only
- VM1, storage1, VNET1, VM1Managed, and RVAULT1
- RVAULT1 only
VM1, storage1, VNET1, VM1Managed, and RVAULT1
You can move a storage account, VM and its associated resources to a different subscription by using the Azure portal.
You can also move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
You have an Azure subscription that contains a resource group named ResourceGroup1.
ResourceGroup1is set to the West Europe location and is used to create temporary resources for a project.
ResourceGroup1contains the resources shown in the following table. (see image)
SQLD01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.
You need to delete ResourceGroup1.
What should you do first?
- Delete VM1
- Stop VM1
- Stop the backup of SQLD01
- Delete sa001
Stop the backup of SQLD01
You can’t delete a Recovery Services vault with any of the following dependencies:
· You can’t delete a vault that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).
· You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
· You can’t delete a vault that contains backup data in the soft deleted state.
· You can’t delete a vault that has registered storage accounts.
Therefore, resource group deletion will fail. You must stop the backup before initiating a delete.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named preparationlabs.onmicrosoft.com: (see image)
User1 creates a new Azure Active Directory tenant named external.preparationlabs.onmicrosoft.com.
You need to create new user accounts in external.preparationlabs.onmicrosoft.com.
Solution: You instruct User4 to create the user accounts.
Does that meet the goal?
Yes
No
No
To add or delete users you must be a User administrator or Global administrator.
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named preparationlabs.onmicrosoft.com:
User1 creates a new Azure Active Directory tenant named external.preparationlabs.onmicrosoft.com.
You need to create new user accounts in external.preparationlabs.onmicrosoft.com.
Solution: You instruct User3 to create the user accounts.
Does that meet the goal?
Yes
No
No
The new tenant external.preparationlabs.onmicrosoft.com will not have users from primary tenant until we add them.
You have an Azure subscription that contains the storage accounts shown in the following table. (see image)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1. storage1 can host Azure file shares
2. There are six copies of the data in storage2.
3. storage3 can be converted to a GRS account.
- Yes, Yes, Yes
- Yes, No, Yes
- Yes, Yes, No
- No, Yes, Yes
No, Yes, Yes
- Azure file shares are deployed into storage accounts, which are top-level objects that represent a shared pool of storage. GPv2 storage accounts allow you to deploy Azure file shares on standard/hard disk-based (HDD-based) hardware. (Not on the premium tier).
- Geo-redundant storage (GRS) brings additional redundancy to the data storage over both LRS or ZRS. Along with the three copies of your data stored within a single region, a further three copies are stored in the twinned Azure region.
- You can switch a storage account from one type of replication to any other type, but some scenarios are more straightforward than others. If you want to add or remove geo-replication or read access to the secondary region, you can use the Azure portal, PowerShell, or Azure CLI to update the replication
setting.
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal
https://docs.microsoft.com/en-us/azure/storage/common/redundancy-migration?tabs=portal
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
You have an Azure subscription.
You create a custom role in Azure by using the following Azure Resource Manager template. (see image)
You assign the role to a user named User1.
Which action can User1 perform?
- Create virtual machines.
- Create resource groups.
- Delete virtual machines.
- Create support requests.
Create support requests.
This role has read permissions on storage, network, and start/restart permissions on Compute. Full access is provided on Microsoft.Support/*. So, User1 will be able to create support requests.
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
INCORRECT ANSWERS:
Create virtual machines The role has only read access on compute, so creating virtual machines is not possible.
Create resource groups – The role has only read access on resource groups, so creating resource groups is not possible.
Delete virtual machines – The role has only read access on compute, so deleting virtual machines is not possible.
You have an Azure subscription that contains the resources shown in the following table. (see image)
In RG2, you need to create a new virtual machine named VM2 that will connect to VNET1, VM2 will use a network interface named VM2_interface.
In which region should you create VM2 and VM2_interface?
- VM2: West US
- VM2: East US
- VM2_interface: West US
- VM2_interface: East US
VM2: East US
VM2_interface: East US
Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.
https://docs.microsoft.com/en-us/azure/virtual-machines/network-overview?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#network-interfaces
INCORRECT ANSWERS:
VM2: West US The region does not match with VNET1 region
VM2_interface: West US The region does not match with VNET1 region
You have the Azure management groups shown in the following table: (see image 1)
You add Azure subscriptions to the management groups as shown in the following table: (see image 2)
You create the Azure policies shown in the following table: (see image 3)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1. You can create a virtual network in Subscription1
2. You can create a virtual machine in Subscription2
3. You can add Subscription1 to ManagementGroup11
- No, Yes, No
- Yes, No, No
- Yes, No, Yes
- Yes, Yes, Yes
No, Yes, No
- The azure policy (not allowed resource types Virtual networks) is inherited to Subscription1. So, Virtual networks are not allowed to create in Subscription1.
- Policy assignments get evaluated top-to-bottom. The most restrictive policy assignment will always win, i.e. a DENY on any level will take precedence over an ALLOW on any other level. So the azure policy (not allowed resource types Virtual networks) will be applied to Subscription2. The deny policy is only for virtual networks. This allows to create a virtual machine by leveraging existing VNets.
- Each management group and subscription can only support one parent. Subscription1 is already part of a management group. We can’t add this to another management group though we can move.
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
