Microsoft AZ-104 Full Practice Tests 1.pdf Flashcards

1
Q

You have an Azure Active Directory (Azure AD) tenant named preparationlabs.onmicrosoft.com that
contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?

  1. From the Licenses blade of Azure AD, assign a license
  2. From the Groups blade of each user, invite the users to a group
  3. From the Azure AD domain, add an enterprise application
  4. From the Directory role blade of each user, modify the directory role
A

From the Licenses blade of Azure AD, assign a license

To add a license, navigate to the Licenses blade in Azure AD and assign a license.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups

2
Q

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System
Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1
is below 10 percent.
What should you do first?

  1. Create an automation runbook
  2. Deploy a function app
  3. Deploy the IT Service Management Connector (ITSM)
  4. Create a notification
A

Deploy the IT Service Management Connector (ITSM)

IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service
Management (ITSM) product or service.
Azure services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and
troubleshoot problems with your Azure and non-Azure resources. But the work items related to an issue
typically reside in an ITSM product or service. ITSMC provides a bi-directional connection between Azure
and ITSM tools to help you resolve issues faster.
ITSMC supports connections with the following ITSM tools:
· ServiceNow
· System Center Service Manager
· Provance
· Cherwell
With ITSMC, you can create work items in the ITSM tool based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview

3
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1
is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles:
Reader
Security Admin
Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?

  1. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
  2. Assign User1 the Owner role for VNet1.
  3. Remove User1 from the Security Reader and Reader roles for Subscription1.
  4. Assign User1 the Network Contributor role for RG1.
A

Assign User1 the Owner role for VNet1.

The Owner role allows you to delegate access to others.
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

4
Q

You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. You have the following resources in an Azure Resource Manager template (see attached image).

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
A. VM1 and VM2 can connect to VNET1.
B. If an Azure datacenter becomes unavailable, VM1 or VM2 will be available.
C. If the East US 2 region becomes unavailable, VM1 or VM2 will be available.

  1. Yes, Yes, Yes
  2. Yes, Yes, No
  3. No, Yes, Yes
  4. No, No, Yes
A

Yes, Yes, No

  1. VM1 and VM2 are in the same region as VNET1.
  2. VM1 is in availability zone 1 and VM2 is in availability zone 2. An Availability Zone is a high-availability offering that protects your applications and data from datacenter failures. So, one of the VMs will be available.
  3. An availability zone does not protect from region failures.
    https://docs.microsoft.com/en-us/azure/availability-zones/az-overview
    https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-region
5
Q

You have an Azure subscription. You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?

  1. Monitor
  2. Advisor
  3. Metrics
  4. Customer insights
A

Advisor

Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.

https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

INCORRECT ANSWERS:
Monitor – Azure Monitor is a solution for collecting, analyzing and acting on telemetry data from resources.
Metrics – Metrics provide usage statistics such as CPU and memory usage.
Customer insights – This connects to various sources and provides all customer information at one place.

6
Q

You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure?

  1. Users and Groups
  2. Cloud Apps
  3. Conditions
  4. Grant
  5. Session
A

Users and Groups
Cloud Apps
Grant

Users and Groups – Select the users and groups to which this Conditional Access policy applies, in this case all users.
Cloud Apps – You can choose to apply the Conditional Access policy to all cloud apps or to selected apps. To provide flexibility, you can also exclude certain apps from the policy. In this case, select Microsoft Azure Management so the policy applies to sign-in events to the Azure portal.
Grant – Access controls let you define the requirements for a user to be granted access, such as needing an approved client app or using a device that’s Hybrid Azure AD joined. In this case, configure the access controls to require MFA during a sign-in event to the Azure portal.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa

INCORRECT ANSWERS:
Conditions – Conditions are used when you need to apply the access policy based on a condition, such as users from a specific location. In this case, it is for all users.
Session – Session controls enable a limited experience within a cloud app.

7
Q

You have an Azure Active Directory (Azure AD) tenant named preparationlabs.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: “Unable to invite user user1@outlook.com” “Generic authorization exception.”
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?

  1. From the Users blade, modify the External collaboration settings.
  2. From the Custom domain names blade, add a custom domain.
  3. From the Organizational relationships blade, add an identity provider.
  4. From the Roles and administrators blade, assign the Security administrator role to Admin1.
A

From the Users blade, modify the External collaboration settings.

External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests.
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations

8
Q

You have an Azure Active Directory (Azure AD) tenant named preparationlabs.com. preparationlabs.com contains the groups in the following table. (Image 1)

You create two user accounts that are configured as shown in the following table. (Image 2)

To which groups does User1 belong?
1. Group1 only
2. Group2 only
3. Group3 only
4. Group1 and Group2 only
5. Group1 and Group3 only
6. Group2 and Group3 only

A

Group1 only

User1's city starts with ‘m’, so User1 will be part of Group1. The Group2 rule is department not in human resource, so User1 will not be part of Group2.
The Group3 membership type is assigned. User1 is not assigned to Group3 explicitly, so User1 will not be part of Group3.
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

9
Q

You have an Azure Active Directory (Azure AD) tenant named preparationlabs.com.
preparationlabs.com contains the groups in the following table. (Image 1)

You create two user accounts that are configured as shown in the following table. (Image 2)

To which groups does User2 belong?
1. Group1 only
2. Group2 only
3. Group3 only
4. Group1 and Group2 only
5. Group1 and Group3 only
6. Group2 and Group3 only

A

Group1 and Group2 only

User2's city starts with ‘m’, so User2 will be part of Group1. The Group2 rule is department not in human resource, so User2 will be part of Group2.
The Group3 membership type is assigned. User2 is not assigned to Group3 explicitly, so User2 will not be part of Group3.
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

10
Q

You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.
You need to use AzCopy to copy data to the blob storage in storage1.
Which authentication method should you use?

  1. Azure Active Directory (Azure AD) only
  2. Shared access signatures (SAS) only
  3. Access Keys and Shared access signatures (SAS) only
  4. Azure Active Directory (Azure AD) and Shared access signatures (SAS) only
  5. Access Keys, Azure Active Directory (Azure AD) and Shared access signatures (SAS) only
A

Azure Active Directory (Azure AD) and Shared access signatures (SAS) only

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#authorize-azcopy

11
Q

You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.
You need to use AzCopy to copy data to the file storage in storage1.
Which authentication method should you use?

  1. Azure Active Directory (Azure AD) only
  2. Shared access signatures (SAS) only
  3. Access Keys and Shared access signatures (SAS) only
  4. Azure Active Directory (Azure AD) and Shared access signatures (SAS) only
  5. Access Keys, Azure Active Directory (Azure AD) and Shared access signatures (SAS) only
A

Shared access signatures (SAS) only

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#authorize-azcopy

12
Q

You need to create an Azure Storage account that meets the following requirements:
Minimizes costs
Supports hot, cool, and archive blob tiers
Provides fault tolerance if a disaster affects the Azure region where the account resides

How should you complete the command?

  1. az storage account create -n storageaccount1 -g RG1 --kind BlobStorage --sku Standard_GRS
  2. az storage account create -n storageaccount1 -g RG1 --kind Storage --sku Standard_GRS
  3. az storage account create -n storageaccount1 -g RG1 --kind StorageV2 --sku Standard_GRS
  4. az storage account create -n storageaccount1 -g RG1 --kind StorageV2 --sku Standard_LRS
  5. az storage account create -n storageaccount1 -g RG1 --kind StorageV2 --sku Standard_GAGRS
A

az storage account create -n storageaccount1 -g RG1 --kind StorageV2 --sku Standard_GRS

Below is the sample command to create a storage account ‘mystorageaccount’ in resource group ‘MyResourceGroup’ in the West US region with locally redundant storage.
az storage account create -n mystorageaccount -g MyResourceGroup -l westus --sku Standard_LRS
The requirement is to be fault tolerant for region failures. So, the SKU must be Standard_GRS.
The other requirement is to support access tiers. That is available for StorageV2 account types.
https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_create
For applications requiring high availability, you can choose to additionally copy the data in your storage account to a secondary region that is hundreds of miles away from the primary region.
Azure Storage offers two options for copying your data to a secondary region:
· Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region.
· Geo-zone-redundant storage (GZRS) copies your data synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region.
The requirement in the question is to provide fault tolerance keeping costs minimal. So, GRS is the right choice.
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy?toc=/azure/storage/blobs/toc.json#redundancy-in-a-secondary-region

13
Q

You have an Azure subscription that contains the resources in the following table (see image)
Store1 contains a file share named data. Data contains 5,000 files.
You need to synchronize the files in the file share named data to an on-premises server named Server1.
Which three actions should you perform?

  1. Create a container instance
  2. Register Server1
  3. Install the Azure File Sync agent on Server1
  4. Download an automation script
  5. Create a sync group
A

Register Server1
Install the Azure File Sync agent on Server1
Create a sync group

You can use Azure File Sync to centralize your organization’s file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You can use any protocol that’s available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.
The steps are as follows.
Install the Azure File Sync agent
Register Windows Server with Storage Sync Service
Create a sync group and a cloud endpoint
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal

14
Q

You have an Azure web app named App1. App1 has the deployment slots shown in the following table. (see image)

In webapp1-test, you test several changes to App1. You back up App1.
You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues.
You need to revert to the previous version of App1 as quickly as possible.
What should you do?

  1. Redeploy App1
  2. Swap the slots
  3. Clone App1
  4. Restore the backup of App1
A

Swap the slots

If any errors occur in the target slot (for example, the production slot) after a slot swap, restore the slots to their pre-swap states by swapping the same two slots immediately.
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots#roll-back-a-swap

15
Q

You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Does this meet the goal?

  1. Yes
  2. No
A

Yes

Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud providers, and on-premises. It collects data into a Log Analytics workspace.
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

16
Q

You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the storage account as the source.
Does this meet the goal?

  1. Yes
  2. No
A

No

Instead you create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

17
Q

You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source.
Does this meet the goal?

  1. Yes
  2. No
A

No

Instead you create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

18
Q

You have an Azure subscription named Subscription1 that has the following providers registered:
-> Authorization
-> Automation
-> Resources
-> Compute
-> KeyVault
-> Network
-> Storage
-> Billing
-> Web

Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
-> Private IP address: 10.0.0.4 (dynamic)
-> Network security group (NSG): NSG1
-> Public IP address: None
-> Availability set: AVSet
-> Subnet: 10.0.0.0/24
-> Managed disks: No
-> Location: East US
You need to record all the successful and failed connection attempts to VM1.
Which three actions should you perform?

  1. Enable Azure Network Watcher in the East US Azure region.
  2. Add an Azure Network Watcher connection monitor.
  3. Register the MicrosoftLogAnalytics provider.
  4. Create an Azure Storage account.
  5. Register the Microsoft.Insights resource provider.
  6. Enable Azure Network Watcher flow logs.
A

Enable Azure Network Watcher in the East US Azure region.
Create an Azure Storage account.
Register the Microsoft.Insights resource provider.

A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher’s NSG flow log capability.
The steps involve:
Enable Network Watcher and register the Microsoft.Insights provider
Enable a traffic flow log for an NSG, using Network Watcher’s NSG flow log capability. This requires an Azure storage account.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

19
Q

You have an app named App1 that runs on an Azure web app named webapp1.
The developers at your company upload an update of App1 to a Git repository named Git1.
Webapp1 has the deployment slots shown in the following table. (see image)

You need to ensure that the App1 update is tested before the update is made available to users.
Which two actions should you perform? Each correct answer presents part of the solution.

  1. Deploy the App1 update to webapp1-test, and then test the update
  2. Deploy the App1 update to webapp1-prod, and then test the update
  3. Swap the slots
  4. Stop webapp1-prod
  5. Stop webapp1-test
A

Deploy the App1 update to webapp1-test, and then test the update
Swap the slots

When you deploy your web app, web app on Linux, mobile back end, or API app to Azure App Service, you can use a separate deployment slot instead of the default production slot when you’re running in the Standard, Premium, or Isolated App Service plan tier. Deployment slots are live apps with their own host names. App content and configuration elements can be swapped between two deployment slots, including the production slot.
You can validate app changes in a staging deployment slot before swapping it with the production slot.
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
INCORRECT ANSWERS:
Deploy the App1 update to webapp1-prod, and then test the update – We cannot deploy directly to prod to test an update; this is not the right way to release an update.
Stop webapp1-prod – No need to stop the application.
Stop webapp1-test – No need to stop the application.

20
Q

You need to deploy an Azure virtual machine scale set that contains five instances as quickly as possible.
What should you do?

  1. Deploy five virtual machines. Modify the Availability Zones settings for each virtual machine.
  2. Deploy five virtual machines. Modify the Size setting for each virtual machine.
  3. Deploy one virtual machine scale set that is set to VM (virtual machines) orchestration mode.
  4. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.
A

Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.

Virtual machine instances can be added to the scale set based on the scale set configuration model. You need to set orchestration mode to ScaleSetVM to achieve this.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes

INCORRECT ANSWERS:
Deploy five virtual machines. Modify the Availability Zones settings for each virtual machine. – This will spread the VMs into different availability zones.
Deploy five virtual machines. Modify the Size setting for each virtual machine. – Changing the size of a VM does not put VMs into a scale set.
Deploy one virtual machine scale set that is set to VM (virtual machines) orchestration mode. – VM orchestration mode is for adding external VMs to a scale set.

21
Q

You plan to create the Azure web apps shown in the following table. (see image)
What is the minimum number of App Service plans you should create for the web apps?

1
2
3
4

A

2

An App Service plan can have multiple web apps. However, the App Service plan must be either Windows or Linux based. A Windows App Service plan supports .NET, .NET Core and PHP, whereas a Linux App Service plan is needed for Ruby. So, you need two App Service plans.
https://docs.microsoft.com/en-us/azure/app-service/overview#app-service-on-linux

22
Q

You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table. (see image 1)

You create the budget shown in the following exhibit. (see image 2)

The AG1 action group contains a user named admin@preparationlabs.com only.
What happens when the maximum amount in Budget1 is reached?

  1. VM1 and VM2 are turned off
  2. VM1 and VM2 continue to run
  3. VM1 is turned off and VM2 continues to run
A

VM1 and VM2 continue to run

When the budget thresholds you’ve created are exceeded, only notifications are triggered. None of your resources are affected and your consumption isn’t stopped. You can use budgets to compare and track spending as you analyze costs.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets

23
Q

You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table. (see image 1)

You create the budget shown in the following exhibit. (see image 2)

The AG1 action group contains a user named admin@preparationlabs.com only.
Based on the current usage costs of the virtual machines, how many notifications will be sent?

  1. No email notifications will be sent each month
  2. One email notification will be sent each month
  3. Two email notifications will be sent each month
  4. Three email notifications will be sent each month
A

One email notification will be sent each month

The budget alerts are for resource group RG1, which includes VM1 but not VM2. VM1 consumes 20 Euro/day.
The 50%, 500 Euro limit, will be reached in 25 days, and an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don’t trigger email actions anyway.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending

24
Q

CASE STUDY
Overview –
PreparationLabs, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by PreparationLabs are hosted on-premises.
PreparationLabs creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named PreparationLabs.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment –
The network contains an Active Directory forest named PreparationLabs.com. All domain controllers are configured as DNS servers and host the PreparationLabs.com DNS zone.
PreparationLabs has finance, human resources, sales, research, and information technology departments.
Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
PreparationLabs.com contains a user named User1.
All the offices connect by using private connections.
PreparationLabs has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table. (see image 1)

PreparationLabs uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table. (see image 2)

The network security team implements several network security groups (NSGs).
Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements –
PreparationLabs must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.PreparationLabs.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.

Question:
You discover that VM3 does NOT meet the technical requirements.
You need to verify whether the issue relates to the NSGs.
What should you use?

  1. Diagnostic settings in Azure Monitor
  2. Diagnose and solve problems in Traffic Manager profiles
  3. The security recommendations in Azure Advisor
  4. IP flow verify in Azure Network Watcher
A

IP flow verify in Azure Network Watcher

Scenario: PreparationLabs must meet technical requirements including:
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

25
Q

CASE STUDY
Overview –
PreparationLabs, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by PreparationLabs are hosted on-premises.
PreparationLabs creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named PreparationLabs.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment –
The network contains an Active Directory forest named PreparationLabs.com. All domain controllers are configured as DNS servers and host the PreparationLabs.com DNS zone.
PreparationLabs has finance, human resources, sales, research, and information technology departments.
Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
PreparationLabs.com contains a user named User1.
All the offices connect by using private connections.
PreparationLabs has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table. (see image 1)

PreparationLabs uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table. (see image 2)

The network security team implements several network security groups (NSGs).
Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements –
PreparationLabs must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.PreparationLabs.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.

Question:
You need to meet the connection requirements for the New York office.
What should you do?

  1. From the Azure portal: Create an ExpressRoute circuit only.
  2. From the Azure portal: Create a virtual network gateway only.
  3. From the Azure portal: Create a virtual network gateway and local network gateway.
  4. From the Azure portal: Create an ExpressRoute circuit and an on-premises data gateway.
  5. From the Azure portal: Create a virtual network gateway and an on-premises data gateway.
  6. In the New York office: Configure a site-to-site VPN connection.
A

From the Azure portal: Create a virtual network gateway and local network gateway.
In the New York office: Configure a site-to-site VPN connection.

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.
You need to set up a site-to-site VPN connection between the New York office and Azure.
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

26
Q

Case Study

Overview –
PreparationLabs, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by PreparationLabs are hosted on-premises.
PreparationLabs creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named PreparationLabs.onmicrosoft.com. The tenant uses the P1 pricing tier.

Existing Environment –
The network contains an Active Directory forest named PreparationLabs.com. All domain controllers are configured as DNS servers and host the PreparationLabs.com DNS zone.
PreparationLabs has finance, human resources, sales, research, and information technology departments.
Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
PreparationLabs.com contains a user named User1.
All the offices connect by using private connections.
PreparationLabs has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table. (see image1)

PreparationLabs uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table. (see image2)

The network security team implements several network security groups (NSGs).

Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

Technical Requirements –
PreparationLabs must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.PreparationLabs.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.

Question:
You need to implement Role1.
Which command should you run before you create Role1?

  1. Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json
  2. Get-AzRoleDefinition -Name "Reader" | ConvertFrom-Json
  3. Get-AzADDirectoryRole -Name "Reader" | ConvertTo-Json
  4. Get-AzADDirectoryRole -Name "Reader" | ConvertFrom-Json
A
  1. Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json

Scenario: Create a custom Azure role named Role1 that is based on the Reader role.
So, you need to get the reader role definition.
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

27
Q

Case Study

Overview –
PreparationLabs, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by PreparationLabs are hosted on-premises.
PreparationLabs creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named PreparationLabs.onmicrosoft.com. The tenant uses the P1 pricing tier.

Existing Environment –
The network contains an Active Directory forest named PreparationLabs.com. All domain controllers are configured as DNS servers and host the PreparationLabs.com DNS zone.
PreparationLabs has finance, human resources, sales, research, and information technology departments.
Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
PreparationLabs.com contains a user named User1.
All the offices connect by using private connections.
PreparationLabs has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table. (see image1)

PreparationLabs uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table. (see image2)

The network security team implements several network security groups (NSGs).

Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

Technical Requirements –
PreparationLabs must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.PreparationLabs.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.

Question:
You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical requirements.
What should you include in the recommendation?

  1. Azure AD B2C
  2. dynamic groups and conditional access policies
  3. Azure AD Identity Protection
  4. an Azure logic app and the Microsoft Identity Management (MIM) client
A
  1. dynamic groups and conditional access policies

Scenario: Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
The recommendation is to use conditional access policies that can then be targeted to groups of users, specific applications, or other conditions.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

28
Q

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
Does this meet the goal?

  1. Yes
  2. No
A

Yes

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor to enable traffic analytics.
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

29
Q

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?

  1. Yes
  2. No

A

Yes

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor to enable traffic analytics.
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

30
Q

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1.
Does this meet the goal?

  1. Yes
  2. No

A

Yes

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor to enable traffic analytics.
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

31
Q

You have an Azure Storage account named storage1.
You have an Azure Service app named App1 and an app named App2 that runs in an Azure container instance. Each app uses a managed identity.
You need to ensure that App1 and App2 can read blobs from storage1. The solution must meet the following requirements:
Minimize the number of secrets used.
Ensure that App2 can only read from storage1 for the next 30 days.
What should you configure in storage1 for App1?

  1. Access Keys
  2. Advanced Security
  3. Access Control (IAM)
  4. Shared access signature (SAS)
A

Access Control (IAM)

Azure Blob and Queue storage support Azure Active Directory (Azure AD) authentication with managed identities for Azure resources. Managed identities for Azure resources can authorize access to blob and queue data using Azure AD credentials.
This minimizes the number of secrets that need to be configured in the application.
Once you create a managed identity, you need to provide access through IAM.
https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-msi
https://docs.microsoft.com/en-us/azure/search/search-howto-managed-identities-storage

INCORRECT ANSWERS:
Access Keys – Not a recommended approach for accessing a storage account. The key also needs to be stored as a secret.
Advanced Security – Not applicable.
Shared access signature (SAS) – You can create a SAS key, but the apps already have managed identities, so we can use those. Also, using a managed identity ensures that the minimum number of secrets is used.

32
Q

You have an Azure Storage account named storage1.
You have an Azure Service app named App1 and an app named App2 that runs in an Azure container instance. Each app uses a managed identity.
You need to ensure that App1 and App2 can read blobs from storage1. The solution must meet the following requirements:
Minimize the number of secrets used.
Ensure that App2 can only read from storage1 for the next 30 days.
What should you configure in storage1 for App2?

  1. Access Keys
  2. Advanced Security
  3. Access Control (IAM)
  4. Shared access signature (SAS)
A

Shared access signature (SAS)

A shared access signature (SAS) provides secure delegated access to resources in your storage account.
With a SAS, you have granular control over how a client can access your data. For example:
· What resources the client may access.
· What permissions they have to those resources.
· How long the SAS is valid.
For App2, we need to provide access only for 30 days. So, create a SAS token that is valid for 30 days.
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
INCORRECT ANSWERS:
Access Keys – Not a recommended approach for accessing a storage account. The key also needs to be stored as a secret.
Advanced Security – Not applicable.
Access Control (IAM) – Since the app needs access only for 30 days, SAS is more suitable than a managed identity.

33
Q

You have an Azure subscription that contains a storage account.
You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of data.
You need to transfer the data to the storage account by using the Azure Import/Export service.
In which order should you perform the below actions?
1. From the Azure portal, update the import job
2. From the Azure portal, create an import job
3. Attach an external disk to Server1 and then run waimportexport.exe
4. Detach the external disks from Server1 and ship the disks to an Azure data center

  1. 2,1,3,4
  2. 3,2,4,1
  3. 3,2,1,4
A

3,2,4,1

At a high level, an import job involves the following steps:
1. Determine data to be imported, number of drives you need, destination blob location for your data in Azure storage.
2. Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.
3. Create an import job in your target storage account in Azure portal. Upload the drive journal files.
4. Provide the return address and carrier account number for shipping the drives back to you.
5. Ship the disk drives to the shipping address provided during job creation.
6. Update the delivery tracking number in the import job details and submit the import job.
7. The drives are received and processed at the Azure data center.
8. The drives are shipped using your carrier account to the return address provided in the import job.
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

34
Q

You plan to move a distributed on-premises app named App1 to an Azure subscription.
After the planned move, App1 will be hosted on several Azure virtual machines.
You need to ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance.
What should you create?

  1. one virtual machine scale set that has 10 virtual machine instances
  2. one Availability Set that has three fault domains and one update domain
  3. one Availability Set that has 10 update domains and one fault domain
  4. one virtual machine scale set that has 12 virtual machine instances
A

one virtual machine scale set that has 10 virtual machine instances

A regional (non-zonal) scale set uses placement groups, which act as an implicit availability set with five fault domains and five update domains. If you have 10 VMs spread across five update domains, 8 VMs will be available during any given Azure planned maintenance.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#do-scale-sets-work-with-azure-availability-sets
INCORRECT ANSWERS:
one Availability Set that has three fault domains and one update domain – We cannot create with one update domain. It should be 2 or more.
one Availability Set that has 10 update domains and one fault domain – We cannot create with one fault domain. It should be 2 or more.
one virtual machine scale set that has 12 virtual machine instances – This will create more VMs than required, thus increasing costs.

35
Q

You have an Azure subscription named Subscription1 that contains the quotas shown in the following table. (see image 1)

You deploy virtual machines to Subscription1 as shown in the following table. (see image 2)

You plan to deploy the virtual machines shown in the following table. (see image 3)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
a. You can deploy VM3 to West US.
b. You can deploy VM4 to West US.
c. You can deploy VM5 to West US.

  1. Yes, Yes, Yes
  2. Yes, Yes, No
  3. No, No, No
  4. Yes, No, No
  5. Yes, No, Yes
A

Yes, No, No

The total regional vCPUs is 20, so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16 vCPUs counts towards the total. Quota is calculated based on the total number of cores in use, both allocated and deallocated. VM20 and VM1 are using 18 of the maximum 20 vCPUs, leaving only two vCPUs available.
So, we can fit in only VM3, which has 1 vCPU.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas

36
Q

You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?

  1. Modify the address space of the local network gateway
  2. Create a deny rule in a network security group (NSG) that is linked to Subnet1
  3. Remove the public IP addresses from the virtual machines
  4. Modify the address space of Subnet1

A

Create a deny rule in a network security group (NSG) that is linked to Subnet1

You can create a deny rule for RDP or SSH with the source set to the internet. This will block remote desktop connections from the internet. You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection.
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

INCORRECT ANSWERS:
Modify the address space of the local network gateway – Modifying the address space will not restrict VM access from the public internet.
Remove the public IP addresses from the virtual machines – Though this will restrict VM access from the internet, it will also impact the existing applications hosted on the VMs.
Modify the address space of Subnet1 – Modifying the address space will not restrict VM access from the public internet.

37
Q

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1.
VNet1 connects to your on-premises network by using Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform?

  1. Create a connection
  2. Create a local site VPN gateway
  3. Create a VPN gateway that uses the VpnGw1 SKU
  4. Create a gateway subnet
  5. Create a VPN gateway that uses the Basic SKU

A

Create a connection
Create a gateway subnet
Create a VPN gateway that uses the Basic SKU

Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. The steps to create a site-to-site VPN are as follows.
1. Create a virtual network – In this case, VNet is already created.
2. Create a VPN gateway – Select Basic SKU to reduce costs.
3. Create a local network gateway
4. Configure VPN device
5. Create a VPN connection
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

38
Q

You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following configurations:
Operating system: Windows Server 2016
Size: Standard_D1_v2
You run the get-azvmss cmdlet as shown in the following exhibit: (see image)

When an administrator changes the virtual machine size, the size will be changed on up to how many virtual machines simultaneously?

  1. 0
  2. 1
  3. 2
  4. 4
A

0

Some properties of VM scale sets can only be changed to certain values if the VMs in the scale set are deallocated. These properties include:
· SKU Name – If the new VM SKU is not supported on the hardware the scale set is currently on, you need to deallocate the VMs in the scale set before you modify the SKU name.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set#properties-with-restrictions-on-modification

39
Q

You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following configurations:
Operating system: Windows Server 2016
Size: Standard_D1_v2
You run the get-azvmss cmdlet as shown in the following exhibit: (see image)

When a new build of the Windows Server 2016 image is released, the new build will be deployed up to how many virtual machines simultaneously?

  1. 0
  2. 1
  3. 2
  4. 4
A

1

An upgrade works by replacing the OS disk of a VM with a new disk created using the latest image version. Any configured extensions and custom data scripts are run on the OS disk, while persisted data disks are retained. To minimize the application downtime, upgrades take place in batches, with no more than 20% of the scale set upgrading at any time.
So, a minimum of 1 VM will be updated at a time.
https://github.com/MicrosoftDocs/azure-docs/

40
Q

You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table: (see image)

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?

  1. VM1
  2. RG1
  3. storage2
  4. container1
A

RG1

From the RG1 blade, click Deployments. You see a history of deployments for the resource group.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template

41
Q

You have an Azure Active Directory (Azure AD) tenant named PreparationLabs and an Azure Subscription named Subscription1. PreparationLabs contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
Does this meet the goal?

  1. Yes
  2. No

A

No

The DevTest Labs User role only lets you connect, start, restart, and shut down virtual machines in your Azure DevTest Labs.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#devtest-labs-user

42
Q

You have an Azure Active Directory (Azure AD) tenant named PreparationLabs and an Azure Subscription named Subscription1. PreparationLabs contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
Does this meet the goal?

  1. Yes
  2. No

A

No

Logic App Operator – Lets you read, enable, and disable logic apps, but not edit or update them.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-operator

43
Q

You have an Azure Active Directory (Azure AD) tenant named PreparationLabs and an Azure Subscription named Subscription1. PreparationLabs contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
Does this meet the goal?

  1. Yes
  2. No

A

Yes

Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor

44
Q

You have an Azure Active Directory (Azure AD) tenant named PreparationLabs and an Azure Subscription named Subscription1. PreparationLabs contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.
Does this meet the goal?

  1. Yes
  2. No

A

Yes

Logic App Contributor role lets you manage logic apps, but not change access to them.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor

45
Q

You have an Azure Active Directory (Azure AD) tenant named preparationlabscloud.onmicrosoft.com.
Your company has a public DNS zone for preparationlabs.com.
You add preparationlabs.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?

  1. MX
  2. NSEC
  3. PTR
  4. RRSIG
A

MX

You can create either TXT or MX record type. Only these two options are available.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain#verify-your-custom-domain-name

46
Q

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table. (see image)

You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the JobTitle attribute from Azure AD?

  1. User1 only
  2. User1 and User2 only
  3. User1 and User3 only
  4. User1, User2 and User3
A

User1 and User3 only

You can update JobTitle for User1 and User3. Since User2 is from Windows Server Active Directory, you must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you’ll see the changes.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal

47
Q

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table. (see image)

You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the UsageLocation attribute from Azure AD?

  1. User1 only
  2. User1 and User2 only
  3. User1 and User3 only
  4. User1, User2 and User3

A

User1, User2 and User3

You can update the usage location for all users. Before allocating an Azure AD license, we must specify the usage location for all members. You can set this value in the Azure Active Directory > Users > Profile > Settings area in Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups

48
Q

You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
Can be assigned only to the resource groups in Subscription1.
Prevents the management of the access permissions for the resource groups.
Allows the viewing, creating, modifying, and deleting of resources within the resource groups.
What should you specify in the assignable scopes and the permission elements of the definition of CR1?

  1. "AssignableScopes": [ "/" ], "permissions": [ { "actions": [ "*" ], "notActions": [ "Microsoft.Security" ], "dataActions": [], "notDataActions": [] } ],
  2. "AssignableScopes": [ "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourcegroups" ], "permissions": [ { "actions": [ "*" ], "notActions": [ "Microsoft.Authorization/" ], "dataActions": [], "notDataActions": [] } ],
  3. "AssignableScopes": [ "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e" ], "permissions": [ { "actions": [ "*" ], "notActions": [ "Microsoft.Authorization/" ], "dataActions": [], "notDataActions": [] } ],
A

"AssignableScopes": [ "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourcegroups" ], "permissions": [ { "actions": [ "*" ], "notActions": [ "Microsoft.Authorization/" ], "dataActions": [], "notDataActions": [] } ],

The AssignableScopes must be limited to resource groups, and the custom role should not allow authorization activities, to prevent the management of the access permissions for the resource groups.
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources

INCORRECT ANSWERS:
The assignable scope must be limited to resource groups.
The incorrect answers have an assignable scope of either the subscription or *.

48
Q

You have an Azure subscription named Subscription1. In Subscription1, you create an Azure file share named share1.
You create a shared access signature (SAS) named SAS1 as shown in the following exhibit: (see image)

On September 2, 2018, you run Microsoft Azure Storage Explorer on a computer that has an IP address of 193.77.134.1, and you use SAS1 to connect to the storage account.
Select the correct behavior from the options below.

  1. Will be prompted for credentials
  2. Will have no access
  3. Will have read, write and list access
  4. Will have read-only access
A

Will have no access

The IP address 193.77.134.1 is not in the allowed IP address range. So, you will have no access to the storage account.
INCORRECT ANSWERS:
The IP address of the client must be whitelisted to access the storage account. So, you will not be prompted for credentials, nor will you have access to perform any operation on the storage account.

49
Q

You have an Azure subscription named Subscription1. In Subscription1, you create an Azure file share named share1.
You create a shared access signature (SAS) named SAS1 as shown in the following exhibit: (see image)

On September 10, 2018, you run the net use command on a computer that has an IP address of 193.77.134.50, and you use SAS1 to connect to share1.
Select the correct behavior from the options below.

  1. Will be prompted for credentials
  2. Will have no access
  3. Will have read, write and list access
  4. Will have read-only access
A

Will have read, write and list access

The IP address 193.77.134.50 is within the allowed IP address range, so you can access the file share.
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
INCORRECT ANSWERS:
Will be prompted for credentials – You will not be prompted for credentials because you must pass the SAS key in the command.
Will have no access – You will have access because you have a valid SAS token and the IP address is whitelisted.
Will have read-only access – The SAS token has read and write permissions.

50
Q

You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:
You plan to use the Azure Import/Export service to export data from Subscription1.
You need to identify which storage account can be used to export the data.
What should you identify?

  1. storage1
  2. storage2
  3. storage3
  4. storage4
A

storage4

Azure Import/Export service supports the following types of storage accounts:
· Standard General Purpose v2 storage accounts (recommended for most scenarios)
· Blob Storage accounts
· General Purpose v1 storage accounts (both Classic and Azure Resource Manager deployments)
The following list of storage types is supported with Azure Import/Export service. (see image)

Therefore, only storage4 data can be exported.
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

51
Q

You have Azure Storage accounts as shown in the following exhibit. (see image)

Which of the Azure storage accounts can be used for Azure Table Storage?

  1. storageaccount1 only
  2. storageaccount2 only
  3. storageaccount3 only
  4. storageaccount1 and storageaccount2 only
  5. storageaccount2 and storageaccount3 only
A

storageaccount1 and storageaccount2 only

The following table describes the types of storage accounts and their capabilities: (see image)

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

INCORRECT ANSWER:
storageaccount3 – BlobStorage account type does not support table storage.

52
Q

You have Azure Storage accounts as shown in the following exhibit. (see image)

Which of the Azure storage accounts can be used for Azure blob storage?

  1. storageaccount1 only
  2. storageaccount2 only
  3. storageaccount3 only
  4. storageaccount1 and storageaccount2 only
  5. storageaccount2 and storageaccount3 only
  6. All storage accounts
A

All storage accounts

The following table describes the types of storage accounts and their capabilities: (see image)

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

53
Q

You have an Azure subscription that includes the following Azure file shares: (see image 1)

You have the following on-premises servers: (see image 2)

You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1. Group1 uses share1 as a cloud endpoint.
You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server endpoint of Group1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1. Share2 can be added as a cloud endpoint for Group1
2. E:\Folder2 on Server1 can be added as a server endpoint for Group1
3. D:\Data on Server2 can be added as a server endpoint for Group1

  1. Yes, Yes, Yes
  2. Yes, No, No
  3. No, No, No
  4. No, Yes, Yes
A

No, Yes, Yes

A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints. A server endpoint represents a path on a registered server. A server can have server endpoints in multiple sync groups. You can create as many sync groups as you need to appropriately describe your desired sync topology.
1. No, since a sync group must contain one cloud endpoint.
2. Yes, since a sync group can have one or more server endpoints on registered servers. In this case, both Server1 and Server2 are registered.
3. Yes, since a sync group can have one or more server endpoints on registered servers. In this case, both Server1 and Server2 are registered.
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-sync-group-and-a-cloud-endpoint

54
Q

You have the App Service plans shown in the following table. (see image 1)

You plan to create the Azure web apps shown in the following table. (see image 2)

You need to identify the App Service plans that can be used for the WebApp1.
What should you identify?

  1. ASP1 only
  2. ASP3 only
  3. ASP1 and ASP2 only
  4. ASP1 and ASP3 only
  5. ASP1, ASP2 and ASP3
A

ASP1 and ASP3 only

.NET Core applications can be deployed on both Windows and Linux environments. The region in which your app runs is the region of the App Service plan it’s in. WebApp1 location is West US. So, you can deploy it to either ASP1 or ASP3 only.
https://docs.microsoft.com/en-us/azure/app-service/overview

INCORRECT ANSWER:
ASP2 – The location of ASP2 is Central US. The region in which your app runs is the region of the App Service plan it’s in.

55
Q

You have the App Service plans shown in the following table. (see image 1)

You plan to create the Azure web apps shown in the following table. (see image 2)

You need to identify the App Service plans that can be used for the WebApp2.
What should you identify?

  1. ASP1 only
  2. ASP3 only
  3. ASP1 and ASP2 only
  4. ASP1 and ASP3 only
  5. ASP1, ASP2 and ASP3
A

ASP1 only

ASP.NET applications can be deployed on a Windows environment only. The region in which your app runs is the region of the App Service plan it’s in. WebApp1 location is West US. So, you can deploy it to ASP1 only.
https://docs.microsoft.com/en-us/azure/app-service/overview

INCORRECT ANSWER:
ASP2 – The location of ASP2 is Central US. The region in which your app runs is the region of the App Service plan it’s in.
ASP3 – Linux app service plan does not support .NET/ASP.NET applications.

56
Q

You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit. (see image)

If Scale1 is utilized at 85 percent for six minutes after it is deployed, Scale1 will be running?

  1. 2 virtual machines
  2. 4 virtual machines
  3. 6 virtual machines
  4. 10 virtual machines
  5. 20 virtual machines
A

6 virtual machines

The CPU threshold in the scale-out condition is 80% and the duration is five minutes. Because CPU utilization exceeded 80% for six minutes, autoscale will add 2 VMs to the scale set.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-best-practices

57
Q

You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit. (see image)

If Scale1 is first utilized at 25 percent for six minutes after it is deployed, and then utilized at 50 percent for six minutes, Scale1 will be running?

  1. 2 virtual machines
  2. 4 virtual machines
  3. 6 virtual machines
  4. 10 virtual machines
  5. 20 virtual machines

A

2 virtual machines

Because CPU utilization dropped below 30 percent, the scale-in rule will reduce the number of VMs by 4. However, the minimum number of VMs that should be maintained is 2. So, there will be 2 VMs in the scale set.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-best-practices

58
Q

You onboard 10 Azure virtual machines to Azure Automation State Configuration.
You need to use Azure Automation State Configuration to manage the ongoing consistency of the virtual machine configurations.
Which actions should you perform in sequence?

  1. Upload a configuration to Azure Automation State Configuration. Onboard the virtual machines to Azure State Configuration. Assign the node configuration. Compile a configuration into a node configuration. Check the compliance status of the node.
  2. Upload a configuration to Azure Automation State Configuration. Compile a configuration into a node configuration. Onboard the virtual machines to Azure State Configuration. Check the compliance status of the node. Assign the node configuration.
  3. Upload a configuration to Azure Automation State Configuration. Compile a configuration into a node configuration. Onboard the virtual machines to Azure State Configuration. Assign the node configuration. Check the compliance status of the node.
A

Upload a configuration to Azure Automation State Configuration. Compile a configuration into a node configuration. Onboard the virtual machines to Azure State Configuration. Assign the node configuration. Check the compliance status of the node.

Check the below article for detailed steps.
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started

59
Q

You have an Azure Resource Manager template named Template1 that is used to deploy an Azure virtual machine.
Template1 contains the following text: (see image 1)

The variables section in Template1 contains the following text:
"location": "westeurope"
The resources section in Template1 contains the following text: (see image 2)

You need to deploy the virtual machine to the West US location by using Template1.
What should you do?

  1. Modify the location in the resource section to westus
  2. Select West US during the deployment
  3. Modify the location in the variables section to westus

A

Modify the location in the resource section to westus

The location parameter and variable are not used in the resources section. So, we need to update the location directly in the resources section.
INCORRECT ANSWERS:
Select West US during the deployment – The location is hardcoded in the template, selecting West US during the deployment will have no impact on the location.
Modify the location in the variables section to westus – The variable is not used in the resources section.

60
Q

You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance.
You need to move VM1 to a different host immediately.
Solution: From the Overview blade, you move the virtual machine to a different subscription.
Does this meet the goal?

  1. Yes
  2. No

A

No

Instead, redeploy the VM. If you have been facing difficulties troubleshooting Remote Desktop (RDP) connection or application access to Windows-based Azure virtual machine (VM), redeploying the VM may help. When you redeploy a VM, Azure will shut down the VM, move the VM to a new node within the Azure infrastructure, and then power it back on, retaining all your configuration options and associated resources.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

61
Q

You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance.
You need to move VM1 to a different host immediately.
Solution: From the Redeploy blade, you click Redeploy.
Does this meet the goal?

  1. Yes
  2. No

A

Yes

If you have been facing difficulties troubleshooting Remote Desktop (RDP) connection or application access to Windows-based Azure virtual machine (VM), redeploying the VM may help. When you redeploy a VM, Azure will shut down the VM, move the VM to a new node within the Azure infrastructure, and then power it back on, retaining all your configuration options and associated resources.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

62
Q

You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance.
You need to move VM1 to a different host immediately.
Solution: From the Update management blade, you click Enable.
Does this meet the goal?

  1. Yes
  2. No

A

No

Instead, redeploy the VM. If you have been facing difficulties troubleshooting Remote Desktop (RDP) connection or application access to Windows-based Azure virtual machine (VM), redeploying the VM may help. When you redeploy a VM, Azure will shut down the VM, move the VM to a new node within the Azure infrastructure, and then power it back on, retaining all your configuration options and associated resources.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

63
Q

You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit. (see image)

You add 14 virtual machines to WEBPROD-AS-USE2.
When Microsoft performs planned maintenance in East US2, the maximum number of unavailable virtual machines will be?

  1. 2
  2. 7
  3. 10
  4. 14
A

2

There are 10 update domains. The 14 VMs are shared across the 10 update domains, so four update domains will have two VMs and six update domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

64
Q

You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit. (see image)

You add 14 virtual machines to WEBPROD-AS-USE2.

If the server rack in the Azure datacenter that hosts WEBPROD-AS-USE2 experiences a power failure, the maximum number of unavailable virtual machines will be?

  1. 2
  2. 7
  3. 10
  4. 14
A

7

There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one fault domain so 7 VMs will be offline.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability