Microsoft AZ-104 Full Practice Tests 1.pdf Flashcards
You have an Azure Active Directory (Azure AD) tenant named preparationlabs.onmicrosoft.com that
contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?
- From the Licenses blade of Azure AD, assign a license
- From the Groups blade of each user, invite the users to a group
- From the Azure AD domain, add an enterprise application
- From the Directory role blade of each user, modify the directory role
From the Licenses blade of Azure AD, assign a license
To add a license, you need to navigate to the Licenses blade in Azure AD and assign a license.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups
You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System
Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1
is below 10 percent.
What should you do first?
- Create an automation runbook
- Deploy a function app
- Deploy the IT Service Management Connector (ITSM)
- Create a notification
Deploy the IT Service Management Connector (ITSM)
IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service
Management (ITSM) product or service.
Azure services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and
troubleshoot problems with your Azure and non-Azure resources. But the work items related to an issue
typically reside in an ITSM product or service. ITSMC provides a bi-directional connection between Azure
and ITSM tools to help you resolve issues faster.
ITSMC supports connections with the following ITSM tools:
· ServiceNow
· System Center Service Manager
· Provance
· Cherwell
With ITSMC, you can create work items in the ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1
is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles:
Reader
Security Admin
Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
- Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
- Assign User1 the Owner role for VNet1.
- Remove User1 from the Security Reader and Reader roles for Subscription1.
- Assign User1 the Network Contributor role for RG1.
Assign User1 the Owner role for VNet1.
The Owner role allows you to delegate access to others.
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. You have the following resources in an Azure Resource Manager template (see attached image).
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
A. VM1 and VM2 can connect to VNET1.
B. If an Azure datacenter becomes unavailable, VM1 or VM2 will be available.
C. If the East US 2 region becomes unavailable, VM1 or VM2 will be available.
- Yes, Yes, Yes
- Yes, Yes, No
- No, Yes, Yes
- No, No, Yes
Yes, Yes, No
- VM1 and VM2 are in the same region as VNET1.
- VM1 is in availability zone 1 and VM2 is in availability zone 2. An Availability Zone is a high-availability offering that protects your applications and data from datacenter failures. So, one of the VMs will be available.
- Availability zones do not protect against region failures.
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview
https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-region
You have an Azure subscription. You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?
- Monitor
- Advisor
- Metrics
- Customer insights
Advisor
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations
INCORRECT ANSWERS:
Monitor – Azure Monitor is a solution for collecting, analyzing and acting on telemetry data from resources.
Metrics – Metrics provide usage statistics like CPU and memory usage.
Customer insights – This connects to various sources and provides all customer information in one place.
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure?
- Users and Groups
- Cloud Apps
- Conditions
- Grant
- Session
Users and Groups
Cloud Apps
Grant
Users and Groups – Select the users and groups to which this conditional access policy applies; in this case, all users.
Cloud Apps – You can choose to apply the Conditional Access policy to all cloud apps or Select apps. To provide flexibility, you can also exclude certain apps from the policy. In this case, select Microsoft Azure Management so that the policy applies to sign-in events to the Azure portal.
Grant – Access controls let you define the requirements for a user to be granted access, such as needing an approved client app or using a device that’s Hybrid Azure AD joined. In this case, configure the access controls to require MFA during a sign-in event to the Azure portal.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
INCORRECT ANSWERS:
Conditions – Conditions are used when you need to execute the access policy based on a condition like users from a specific location. In this case, it is for all users.
Session – Session controls enable limited experience within a cloud app.
You have an Azure Active Directory (Azure AD) tenant named preparationlabs.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: “Unable to invite user user1@outlook.com” “Generic authorization exception.”
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?
- From the Users blade, modify the External collaboration settings.
- From the Custom domain names blade, add a custom domain.
- From the Organizational relationships blade, add an identity provider.
- From the Roles and administrators blade, assign the Security administrator role to Admin1.
From the Users blade, modify the External collaboration settings.
External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests.
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations
You have an Azure Active Directory (Azure AD) tenant named preparationlabs.com. preparationlabs.com contains the groups in the following table. (Image 1)
You create two user accounts that are configured as shown in the following table. (Image 2)
To which groups does User1 belong?
1. Group1 only
2. Group2 only
3. Group3 only
4. Group1 and Group2 only
5. Group1 and Group3 only
6. Group2 and Group3 only
Group1 only
User1's city starts with m, so User1 will be part of Group1. The Group2 rule is department not in human resource. So, User1 will not be part of Group2.
Group3 membership type is assigned. User1 is not assigned to Group3 explicitly. So, User1 will not be part of Group3.
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
You have an Azure Active Directory (Azure AD) tenant named preparationlabs.com.
preparationlabs.com contains the groups in the following table. (Image 1)
You create two user accounts that are configured as shown in the following table. (Image 2)
To which groups does User2 belong?
1. Group1 only
2. Group2 only
3. Group3 only
4. Group1 and Group2 only
5. Group1 and Group3 only
6. Group2 and Group3 only
Group1 and Group2 only
User2's city starts with m, so User2 will be part of Group1. The Group2 rule is department not in human resource. So, User2 will be part of Group2.
Group3 membership type is assigned. User2 is not assigned to Group3 explicitly. So, User2 will not be part of Group3.
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.
You need to use AzCopy to copy data to the blob storage in storage1.
Which authentication method should you use?
- Azure Active Directory (Azure AD) only
- Shared access signatures (SAS) only
- Access Keys and Shared access signatures (SAS) only
- Azure Active Directory (Azure AD) and Shared access signatures (SAS) only
- Access Keys, Azure Active Directory (Azure AD) and Shared access signatures (SAS) only
Azure Active Directory (Azure AD) and Shared access signatures (SAS) only
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#authorize-azcopy
You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.
You need to use AzCopy to copy data to the file storage in storage1.
Which authentication method should you use?
- Azure Active Directory (Azure AD) only
- Shared access signatures (SAS) only
- Access Keys and Shared access signatures (SAS) only
- Azure Active Directory (Azure AD) and Shared access signatures (SAS) only
- Access Keys, Azure Active Directory (Azure AD) and Shared access signatures (SAS) only
Shared access signatures (SAS) only
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#authorize-azcopy
You need to create an Azure Storage account that meets the following requirements:
Minimizes costs
Supports hot, cool, and archive blob tiers
Provides fault tolerance if a disaster affects the Azure region where the account resides
How should you complete the command?
- az storage account create -n storageaccount1 -g RG1 --kind BlobStorage --sku Standard_GRS
- az storage account create -n storageaccount1 -g RG1 --kind Storage --sku Standard_GRS
- az storage account create -n storageaccount1 -g RG1 --kind StorageV2 --sku Standard_GRS
- az storage account create -n storageaccount1 -g RG1 --kind StorageV2 --sku Standard_LRS
- az storage account create -n storageaccount1 -g RG1 --kind StorageV2 --sku Standard_GAGRS
az storage account create -n storageaccount1 -g RG1 --kind StorageV2 --sku Standard_GRS
Below is the sample command to create a storage account ‘mystorageaccount’ in resource group ‘MyResourceGroup’ in the West US region with locally redundant storage.
az storage account create -n mystorageaccount -g MyResourceGroup -l westus --sku Standard_LRS
The requirement is to be fault tolerant for region failures. So, the SKU must be Standard_GRS.
The other requirement is to support access tiers. That is available for StorageV2 account types.
https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_create
For applications requiring high availability, you can choose to additionally copy the data in your storage account to a secondary region that is hundreds of miles away from the primary region.
Azure Storage offers two options for copying your data to a secondary region:
· Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region.
· Geo-zone-redundant storage (GZRS) copies your data synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region.
The requirement in the question is to provide fault tolerance keeping costs minimal. So, GRS is the right choice.
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy?toc=/azure/storage/blobs/toc.json#redundancy-in-a-secondary-region
You have an Azure subscription that contains the resources in the following table (see image)
Store1 contains a file share named data. Data contains 5,000 files.
You need to synchronize the files in the file share named data to an on-premises server named Server1.
Which three actions should you perform?
- Create a container instance
- Register Server1
- Install the Azure File Sync agent on Server1
- Download an automation script
- Create a sync group
Register Server1
Install the Azure File Sync agent on Server1
Create a sync group
You can use Azure File Sync to centralize your organization’s file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You can use any protocol that’s available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.
The steps are as follows.
Install the Azure File Sync agent
Register Windows Server with Storage Sync Service
Create a sync group and a cloud endpoint
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal
You have an Azure web app named App1. App1 has the deployment slots shown in the following table. (see image)
In webapp1-test, you test several changes to App1. You back up App1.
You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues.
You need to revert to the previous version of App1 as quickly as possible.
What should you do?
- Redeploy App1
- Swap the slots
- Clone App1
- Restore the backup of App1
Swap the slots
If any errors occur in the target slot (for example, the production slot) after a slot swap, restore the slots to their pre-swap states by swapping the same two slots immediately.
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots#roll-back-a-swap
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Does this meet the goal?
- Yes
- No
Yes
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud providers, and on-premises. It collects data into a Log Analytics workspace.
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the storage account as the source.
Does this meet the goal?
- Yes
- No
No
Instead you create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source.
Does this meet the goal?
- Yes
- No
No
Instead you create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
You have an Azure subscription named Subscription1 that has the following providers registered:
-> Authorization
-> Automation
-> Resources
-> Compute
-> KeyVault
-> Network
-> Storage
-> Billing
-> Web
Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
-> Private IP address: 10.0.0.4 (dynamic)
-> Network security group (NSG): NSG1
-> Public IP address: None
-> Availability set: AVSet
-> Subnet: 10.0.0.0/24
-> Managed disks: No
-> Location: East US
You need to record all the successful and failed connection attempts to VM1.
Which three actions should you perform?
- Enable Azure Network Watcher in the East US Azure region.
- Add an Azure Network Watcher connection monitor.
- Register the MicrosoftLogAnalytics provider.
- Create an Azure Storage account.
- Register the Microsoft.Insights resource provider.
- Enable Azure Network Watcher flow logs.
Enable Azure Network Watcher in the East US Azure region.
Create an Azure Storage account.
Register the Microsoft.Insights resource provider.
A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher’s NSG flow log capability.
The steps involve:
Enable Network Watcher and register the Microsoft.Insights provider
Enable a traffic flow log for an NSG, using Network Watcher’s NSG flow log capability. This requires an Azure storage account.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
You have an app named App1 that runs on an Azure web app named webapp1.
The developers at your company upload an update of App1 to a Git repository named Git1.
Webapp1 has the deployment slots shown in the following table. (see image)
You need to ensure that the App1 update is tested before the update is made available to users.
Which two actions should you perform? Each correct answer presents part of the solution.
- Deploy the App1 update to webapp1-test, and then test the update
- Deploy the App1 update to webapp1-prod, and then test the update
- Swap the slots
- Stop webapp1-prod
- Stop webapp1-test
Deploy the App1 update to webapp1-test, and then test the update
Swap the slots
When you deploy your web app, web app on Linux, mobile back end, or API app to Azure App Service, you can use a separate deployment slot instead of the default production slot when you’re running in the Standard, Premium, or Isolated App Service plan tier. Deployment slots are live apps with their own host names. App content and configuration elements can be swapped between two deployment slots, including the production slot.
You can validate app changes in a staging deployment slot before swapping it with the production slot.
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
INCORRECT ANSWERS:
Deploy the App1 update to webapp1-prod, and then test the update – We cannot deploy directly to prod for testing an update. This is not the right way of releasing an update.
Stop webapp1-prod – No need to stop the application.
Stop webapp1-test – No need to stop the application.
You need to deploy an Azure virtual machine scale set that contains five instances as quickly as possible.
What should you do?
- Deploy five virtual machines. Modify the Availability Zones settings for each virtual machine.
- Deploy five virtual machines. Modify the Size setting for each virtual machine.
- Deploy one virtual machine scale set that is set to VM (virtual machines) orchestration mode.
- Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.
Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.
Virtual machine instances can be added to the scale set based on the scale set configuration model. You need to set orchestration mode to ScaleSetVM to achieve this.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes
INCORRECT ANSWERS:
Deploy five virtual machines. Modify the Availability Zones settings for each virtual machine. – This will spread VMs into different availability zones.
Deploy five virtual machines. Modify the Size setting for each virtual machine. – Changing the size of a VM does not put VMs into a scale set.
Deploy one virtual machine scale set that is set to VM (virtual machines) orchestration mode. – VM orchestration mode is to add external VMs to a scale set.
You plan to create the Azure web apps shown in the following table. (see image)
What is the minimum number of App Service plans you should create for the web apps?
1
2
3
4
2
An App Service plan can have multiple web apps. However, the App Service plan should be either Windows or Linux based. The Windows App Service plan supports .NET, .NET Core and PHP, whereas a Linux App Service plan is needed for Ruby. So, you need two App Service plans.
https://docs.microsoft.com/en-us/azure/app-service/overview#app-service-on-linux
You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table. (see image 1)
You create the budget shown in the following exhibit. (see image 2)
The AG1 action group contains a user named admin@preparationlabs.com only.
What happens when the maximum amount in Budget1 is reached?
- VM1 and VM2 are turned off
- VM1 and VM2 continue to run
- VM1 is turned off and VM2 continues to run
VM1 and VM2 continue to run
When the budget thresholds you’ve created are exceeded, only notifications are triggered. None of your resources are affected and your consumption isn’t stopped. You can use budgets to compare and track spending as you analyze costs.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets
You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table. (see image 1)
You create the budget shown in the following exhibit. (see image 2)
The AG1 action group contains a user named admin@preparationlabs.com only.
Based on the current usage costs of the virtual machines, how many notifications will be sent?
- No email notifications will be sent each month
- One email notification will be sent each month
- Two email notifications will be sent each month
- Three email notifications will be sent each month
One email notification will be sent each month
The budget alerts are for resource group RG1, which includes VM1 but not VM2. VM1 consumes 20 Euro/day.
The 50%, 500 Euro limit, will be reached in 25 days, and an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don’t trigger email actions anyway.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending
CASE STUDY
Overview –
PreparationLabs, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by PreparationLabs are hosted on-premises.
PreparationLabs creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named PreparationLabs.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment –
The network contains an Active Directory forest named PreparationLabs.com. All domain controllers are configured as DNS servers and host the PreparationLabs.com DNS zone.
PreparationLabs has finance, human resources, sales, research, and information technology departments.
Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
PreparationLabs.com contains a user named User1.
All the offices connect by using private connections.
PreparationLabs has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table. (see image 1)
PreparationLabs uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table. (see image 2)
The network security team implements several network security groups (NSGs).
Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements –
PreparationLabs must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.PreparationLabs.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
Question:
You discover that VM3 does NOT meet the technical requirements.
You need to verify whether the issue relates to the NSGs.
What should you use?
- Diagnostic settings in Azure Monitor
- Diagnose and solve problems in Traffic Manager profiles
- The security recommendations in Azure Advisor
- IP flow verify in Azure Network Watcher
IP flow verify in Azure Network Watcher
Scenario: PreparationLabs must meet technical requirements including:
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
CASE STUDY
Overview –
PreparationLabs, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by PreparationLabs are hosted on-premises.
PreparationLabs creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named PreparationLabs.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment –
The network contains an Active Directory forest named PreparationLabs.com. All domain controllers are configured as DNS servers and host the PreparationLabs.com DNS zone.
PreparationLabs has finance, human resources, sales, research, and information technology departments.
Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
PreparationLabs.com contains a user named User1.
All the offices connect by using private connections.
PreparationLabs has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table. (see image 1)
PreparationLabs uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table. (see image 2)
The network security team implements several network security groups (NSGs).
Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements –
PreparationLabs must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.PreparationLabs.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
Question:
You need to meet the connection requirements for the New York office.
What should you do?
- From the Azure portal: Create an ExpressRoute circuit only.
- From the Azure portal: Create a virtual network gateway only.
- From the Azure portal: Create a virtual network gateway and local network gateway.
- From the Azure portal: Create an ExpressRoute circuit and an on-premises data gateway.
- From the Azure portal: Create a virtual network gateway and an on-premises data gateway.
- In the New York office: Configure a site-to-site VPN connection.
From the Azure portal: Create a virtual network gateway and local network gateway.
In the New York office: Configure a site-to-site VPN connection.
Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.
You need to set up a site-to-site VPN connection between the New York office and Azure.
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Case Study
Overview –
PreparationLabs, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by PreparationLabs are hosted on-premises.
PreparationLabs creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named PreparationLabs.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment –
The network contains an Active Directory forest named PreparationLabs.com. All domain controllers are configured as DNS servers and host the PreparationLabs.com DNS zone.
PreparationLabs has finance, human resources, sales, research, and information technology departments.
Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
PreparationLabs.com contains a user named User1.
All the offices connect by using private connections.
PreparationLabs has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table. (see image1)
PreparationLabs uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table. (see image2)
The network security team implements several network security groups (NSGs).
Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements –
PreparationLabs must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.PreparationLabs.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
Question:
You need to implement Role1.
Which command should you run before you create Role1?
- Get-AzRoleDefinition -Name Reader | ConvertTo-Json
- Get-AzRoleDefinition -Name Reader | ConvertFrom-Json
- Get-AzADDirectoryRole -Name Reader | ConvertTo-Json
- Get-AzADDirectoryRole -Name Reader | ConvertFrom-Json
Get-AzRoleDefinition -Name Reader | ConvertTo-Json
Scenario: Create a custom Azure role named Role1 that is based on the Reader role.
So, you need to get the Reader role definition.
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell