Microsoft AZ-104 Full Practice Tests 4.pdf Flashcards

1
Q

Your company currently has a Virtual Network defined in Azure. The Virtual Network has a default subnet that contains 2 Virtual machines named demovm and demovm1. There is a requirement to inspect all network traffic between the Virtual Machines for a duration of 3 hours.
You propose a solution to create a Data Collector set.
Does this solution fulfill the requirement?

A.Yes
B.No

A

B. No

The right solution is to use Network Watcher.
A data collector set is used to collect data for performance counters.
For more information:
https://docs.microsoft.com/en-us/dynamics-nav/how-to--view-performance-counter-data-for-a-data-collector-set

2
Q

Your company currently has a Virtual Network defined in Azure. The Virtual Network has a default subnet that contains 2 Virtual machines named demovm and demovm1. There is a requirement to inspect all network traffic between the Virtual Machines for a duration of 3 hours.
You propose a solution to run Packet Capture on Azure Network Watcher.
Does this solution fulfil the requirement?

A.Yes
B.No

A

A. Yes

The Microsoft documentation mentions the following:
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, to debug client-server communications and much more.

For more information on Network watcher, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

3
Q

Your company currently has a Virtual Network defined in Azure. The Virtual Network has a default subnet that contains 2 Virtual machines named demovm and demovm1. There is a requirement to inspect all network traffic between the Virtual Machines for a duration of 3 hours.
You propose a solution to create a metric chart for Network In and Network Out.
Does this solution fulfill the requirement?

A.Yes
B.No

A

B. No

This is used to just see the number of packets coming into and out of the Virtual machine but will not do a detailed packet inspection.
For more information on monitoring Virtual Machine, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/monitor

4
Q

You are working as an IT administrator for your company. The company has just purchased an Azure subscription and is looking at setting up the resources in the subscription. One of the requirements is to use Azure AD Privileged Identity Management to manage access to roles for users. You have to set up a procedure document for the roles that can be assigned to users using PIM. Which of the following are roles that CANNOT be assigned to users using PIM? Choose 3 answers from the options given below.

A. Application Administrator
B. Billing Administrator
C. Conditional Access Administrator
D. Account Administrator
E. Service Administrator
F. Co-Administrator

A

D. Account Administrator
E. Service Administrator
F. Co-Administrator

This is given in the Microsoft documentation

Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect
For more information on PIM roles, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-roles

5
Q

A team is preparing the use of the Azure Import/Export service to import a set of files onto Azure storage.
Which of the following is used to specify the list of directories/files that need to be copied to the destination?

A. driveset.csv
B. driveset.xml
C. dataset.csv
D. dataset.json

A

C. dataset.csv

This is clearly given in the Microsoft documentation

Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on preparing drives for usage with the Import/Export service, one can go to the following link
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-tool-preparing-hard-drives-import

6
Q

A company has the following set of Virtual Machines defined in the Azure account:
Name              Region
skillcertpro-vm1  East US
skillcertpro-vm2  Central US
The company wants to move skillcertpro-vm1 to another subscription. Which of the following can be done to fulfil this requirement?

A. Move the Virtual Machine to the Central US region first
B. You cannot move the Virtual Machine across subscriptions. You would need to delete and recreate the VM in the new subscription
C. Use the Move-AzResource powershell command to move the Virtual Machine
D. Use the Move-VMResource powershell command to move the Virtual Machine

A

C. Use the Move-AzResource powershell command to move the Virtual Machine

You can move Azure resources across subscriptions using the Move-AzResource PowerShell command.
There are just some restrictions when moving Virtual Machines.
Below is the command provided in the Microsoft documentation
Option A is incorrect since you don’t need to move the Virtual machine to any specific region for the move
Option B is incorrect since you can move resources across subscriptions
Option D is incorrect since the right command is Move-AzResource
For more information on moving virtual machines, one can go to the following link
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm

7
Q

A company has the following virtual networks defined in Azure:
Name                   Address space
skillcertpro-network1  10.1.0.0/16
skillcertpro-network2  10.2.0.0/16
The following virtual machines have been defined as well:
Name             Network
skillcertprovm1  skillcertpro-network1
skillcertprovm2  skillcertpro-network2
The necessary peering connections have been created between skillcertpro-network1 and skillcertpro-network2. The firewalls on the virtual machines have been modified to allow ICMP traffic. But traffic does not seem to flow between the virtual machines when the ping request is made.
Which of the following can be used to diagnose the issue?

A. Application Insights
B. IP Flow Verify
C. Azure Advisor
D. Azure Security Center

A

B. IP Flow Verify

The issue could be due to the security groups. You can diagnose the issue using IP Flow Verify.
The Microsoft documentation mentions the following
Option A is incorrect since this is normally used from an application diagnostics perspective
Option C is incorrect since this is used to provide recommendations on various types of Azure resources
Option D is incorrect since this is used mainly from a security aspect in Azure
For more information on IP Flow Verify, one can go to the following link
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

8
Q

A company has the following virtual networks defined in Azure:
Name                   Address space
skillcertpro-network1  10.1.0.0/16
skillcertpro-network2  10.2.0.0/16
The following virtual machines have been defined as well:
Name             Network
skillcertprovm1  skillcertpro-network1
skillcertprovm2  skillcertpro-network2
The necessary peering connections have been created between skillcertpro-network1 and skillcertpro-network2. The firewalls on the virtual machines have been modified to allow ICMP traffic. But traffic does not seem to flow between the virtual machines when the ping request is made.
If the security department wanted to check on any network intrusions into the virtual networks, which of the following tools could be used for this purpose?

A. IP Flow Verify
B. Variable packet capture
C. Azure connection monitor
D. Application Insights

A

B. Variable packet capture

Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on packet capture, one can go to the following link
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

9
Q

Your company has an Azure account and subscription. The subscription contains a virtual machine named demovm. You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet. You add a network interface to the VM1 as shown in the exhibit below (see image)

From Computer1, you attempt to connect to demovm by using Remote Desktop, but the connection fails.
You need to establish a Remote Desktop connection to demovm.
What should you do first?

A. Start demovm.
B. Attach a network interface.
C. Delete the DenyAllOutBound outbound port rule.
D. Delete the DenyAllInBound inbound port rule.

A

A. Start demovm.

Here the main issue is that the VM is not started and allocated an IP address. When you start the VM, you will get a public IP address, which will be assigned to the Network Interface. The Network security groups are fine for allowing RDP access.

Option B is incorrect because adding a new interface will not solve the connectivity issue
Options C and D are incorrect since you cannot delete the built-in network security group rules
For more information on Network security groups, please go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

10
Q

Your company has an Azure account and subscription. The subscription contains a virtual machine named demovm. You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet. You add a network interface to the VM1 as shown in the exhibit below (see image)

From Computer1 you want to be able to also access a web service running on port 80 after demovm is started. Which of the following must be done for this to work?

A. Attach a network interface.
B. Add an incoming network security group rule for allowing traffic on port 80
C. Add an outgoing network security group rule for allowing traffic on port 80
D. Delete the DenyAllOutBound outbound port rule.
E. Delete the DenyAllInBound inbound port rule.

A

B. Add an incoming network security group rule for allowing traffic on port 80

Here you need to add an incoming rule to allow traffic on port 80

Option A is incorrect since this needs to be done for the current attached network interface
Option C is incorrect since the incoming traffic needs to be allowed
Options D and E are incorrect since you cannot delete the built-in network security group rules
For more information on Network security groups, please go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

11
Q

Your company has an Azure account and subscription. The subscription contains the resources in the following table:
Name              Type
skillcertprotore  Storage container
skillcertpro-rg   Resource Group
documents         BLOB container
demo              File share
Your IT administrator has deployed a virtual machine called demovm and a storage account called skillcertpro-temp by using a single Azure Resource Manager template. You want to do a review of the template that was used for the deployment. Which of the following resource blades could be used to view the template that was used for the deployment?

A. skillcertpro-rg
B. demovm
C. skillcertpro-temp
D. skillcertprotore

A

A. skillcertpro-rg

If you go to the Resource Group, you can see the deployments made to that resource group.
And if you go to any deployment, you can go to the Template and see the template used for the deployment.
The other options are incorrect because these will not give the overall template deployment for multiple resources.
For more information on resource template deployments, please visit the below URL
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-deploy-portal

12
Q

You have configured Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network for your company. But users are reporting that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com. You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single sign-on (SSO) to access Azure resources. What should you do first?

A. From the on-premises network, deploy Active Directory Federation Services in a clustered environment.
B. From Azure AD, go ahead add and verify a custom domain name.
C. From the on-premises network, request a new certificate that contains the Active Directory domain name.
D. From the server that runs Azure AD Connect, modify the filtering options

A

B. From Azure AD, go ahead add and verify a custom domain name.

This is also given in the Microsoft documentation
Option A is incorrect since we don’t need AD FS in this scenario
Option C is incorrect since we don’t need the certificate for Azure AD Connect
Option D is incorrect since the filtering is used to control which objects need to be synced
For more information on the UPN in Azure AD Connect, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname

13
Q

Your company has an Azure subscription. In the subscription, you go ahead and create an Azure file share named share1. You also create a shared access signature (SAS) named SASdemo as shown in the following exhibit.

If you run Microsoft Azure Storage Explorer on a computer that has an IP address of 193.77.134.1 and you use SASdemo to connect to the storage account, then you

A. will be prompted for the credentials
B. will have no access
C. will have read, write and list access
D. will have read-only access

A

B. will have no access

Since the IP address is not in the valid IP address range defined by the SAS URL, you will be denied access.
You will get the below error in Azure Storage Explorer

Since this is the result of the SAS, all other options are incorrect.
For more information on Shared access signatures, please go to the below URL
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1

14
Q

Your company has an Azure subscription. In the subscription, you go ahead and create an Azure file share named share1. You also create a shared access signature (SAS) named SASdemo as shown in the following exhibit.

If you run net use command on a computer that has an IP address of 193.77.134.50 and you use SASdemo as the to connect to share1 then you

A. will be prompted for the credentials
B. will have no access
C. will have read,write and list access
D. will have read-only access

A

C. will have read,write and list access

Since the IP address is in the valid IP address range, you will get the desired access that is specified in the SAS signature
net use <drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /u:<storage-account-name>
Example:
net use z: \\samples.file.core.windows.net\logs /u:samples
For more information on Shared access signatures, please go to the below URL
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1

15
Q

You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.

Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces required?

A. 5
B. 10
C. 15
D. 20

A

A. 5

So, when you attach or have a network interface for a Virtual Machine, that network interface can have both a private and public IP address.

So, by this measure, we only need to define 5 network interface cards, one for each virtual machine.
Hence all the other options are incorrect
For more information on the virtual network interfaces in Azure, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

16
Q

You have a virtual network named VNet2 that has the configuration shown in the following exhibit.

Before a virtual machine on VNET2 can receive an IP address from 192.168.1.0/24 you must first

A. Add a network interface
B. Add a subnet
C. Add an address space
D. Delete a subnet
E. Delete an address space

A

C. Add an address space

The Virtual Network has no address space that covers 192.168.1.0/24, as per the PowerShell output given in the Exhibit.
Hence first, you need to add an address space as shown below.

After you save the address space, create a new subnet with the address space and then ensure the VM is put in the new subnet.
Option A is incorrect since the network interface can only receive an address from 10.2.0.0/24 as per the PowerShell output given in the Exhibit.
Option B is incorrect since you need to add the address space 192.168.1.0/24 before adding the subnet
Options D and E are incorrect since you need to add the address space and subnet and not delete the address space and subnet
For more information on Virtual Networks, please go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

17
Q

A company has an Azure subscription that contains the resources in the following table.
Name              Type
skillcertpro-rg   Resource Group
skillcertprotore  Azure Storage account
skillcertproync   Azure File Sync
skillcertprotore contains a file share named documents. The document file share contains 1000 files.
You need to synchronize the files in Data to an on-premises server named skillcertproerver. Which of the following would need to be implemented to fulfil this requirement? Choose 3 answers from the options given below

A. Download an automation script.
B. Create a container instance.
C. Create a sync group.
D. Register skillcertproerver.
E. Install the Azure File Sync agent on skillcertproerver.

A

C. Create a sync group.
D. Register skillcertproerver.
E. Install the Azure File Sync agent on skillcertproerver.

So, the Microsoft documentation gives the list of steps for using the Azure File Sync service
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on deploying Azure File Sync share, please go to the below URL
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=portal

18
Q

You sign up for Azure Active Directory (Azure AD) Premium. You need to add a user named skillcertpro-usr1@skillcertpro.com as an administrator on all the computers that will be joined to the Azure AD domain.
Where should you go in Azure AD to configure this setting?

A. From Device settings from the Devices blade.
B. From General settings from the Groups blade.
C. From User settings from the Users blade.
D. From Providers from the MFA Server blade.

A

A. From Device settings from the Devices blade.

If you go to the Devices blade in Azure AD, you can see the option to add local administrators.
Since this is the way to achieve this requirement, all other options are incorrect.
For more information on device settings, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

19
Q

A company needs to create a storage account that conforms to the following requirements:
* Users should be able to add files such as images and videos
* Ability to store archive data
* File shares need to be in place which can be accessed across several VMs
* The data needs to be available even if a region goes down
* The solution needs to be cost effective
Which of the following types of storage account would you create for this purpose?

A. BLOB storage
B. General Purpose(v1)
C. General Purpose(v2)
D. 0

A

C. General Purpose(v2)

The below snapshot from the Microsoft documentation shows the different types of storage accounts
Over here we can see that only General Purpose v2 supports all of the requirements. Hence all other options are incorrect.
For more information on storage accounts, please visit the below URL
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

20
Q

You need to deploy two Azure virtual machines named VM1 and VM2 based on the Windows Server 2016. The deployment must meet the following requirements:
* Provide a Service Level Agreement (SLA) of 99.95 percent availability.
* Use managed disks
You propose a solution to create a scale set for the requirement.
Would the solution meet the goal?

A.Yes
B.No

A

A. Yes

Scale sets are used to create and manage a group of identical, load balanced VMs. The number of VMs can automatically increase or decrease in response to demand or a schedule. Scale sets provide “high availability” to your applications.
For further information on Scale Sets, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview

21
Q

You need to deploy two Azure virtual machines named VM1 and VM2 based on the Windows Server 2016 image. The deployment must meet the following requirements:
* Provide a Service Level Agreement (SLA) of 99.95 percent availability.
* Use managed disks
You propose a solution to create an availability set for the requirement.
Would the solution meet the goal?

A.Yes
B.No

A

A.Yes

The Microsoft documentation mentions the following

For more information on availability sets, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

22
Q

You need to deploy two Azure virtual machines named VM1 and VM2 based on the Windows Server 2016. The deployment must meet the following requirements:
* Provide a Service Level Agreement (SLA) of 99.95 percent availability.
* Use managed disks
You propose a solution to create a Traffic Manager for the requirement.
Would the solution meet the goal?

A.Yes
B.No

A

B.No

Azure Traffic manager is used for traffic distribution based on DNS queries. For achieving high availability, you need to use Availability sets.
For more information on Azure Traffic Manager, please visit the below URL
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview

23
Q

A company has an Azure account and subscription. They are planning on implementing Azure AD Connect to sync their on-premise users to Azure AD. You have so far carried out the following steps:
* Installed Azure AD Connect on a domain joined member server
* Set up a custom domain in Azure AD
* Ensured all user objects conform to the synchronization using the IdFix tool
* Successfully set up Pass through authentication and Single Sign-on using the Azure AD Connect wizard
* Confirmed that users from the on-premise AD have been successfully synced to Azure AD
You are now trying out Single Sign-on from a few machines, but it is not working as expected. You are still being prompted for a user name and password. Which of the following should also be considered during the deployment process?

A. Install Azure AD connect on the domain controller
B. Use password hash synchronization instead of pass through authentication
C. Ensure a certificate is installed on the on-premise AD FS server
D. Add “https://autologon.microsoftazuread-sso.com” to the Intranet zone settings by using Group Policy in Active Directory

A

D. Add “https://autologon.microsoftazuread-sso.com” to the Intranet zone settings by using Group Policy in Active Directory

This is mentioned in the Microsoft documentation as well as part of the steps required for implementing Single Sign-on

Option A is incorrect since Azure AD Connect should be installed on a domain joined member server and not on a domain controller.
Option B is incorrect since Single-Sign On can also be used for Pass through authentication
Option C is incorrect since for Azure AD Connect, you don’t need an AD FS Server
For more information on Single Sign-On, one can go to the below URL
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

24
Q

View Case Study:

Overview:
skillcertlabs is an online training provider.

Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2

Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files

Infrastructure changes:
* There is a need to set up Azure AD and ensure users from their On-premise Active directory are synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users

Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized

Which of the following should be used to ensure an SLA of 99.95% for the availability of Virtual Machines? Choose 2 answers from the options given below

A. Azure Managed Disks
B. Azure Network Interfaces
C. Azure Availability sets
D. Azure scale sets

A

A. Azure Managed Disks
C. Azure Availability sets

The Microsoft documentation mentions the following:
To provide redundancy to your application, we recommend that you group two or more virtual machines in an availability set. This configuration within a datacenter ensures that during either a planned or unplanned maintenance event, at least one virtual machine is available and meets the 99.95% Azure SLA
Managed disks provide better reliability for Availability Sets by ensuring that the disks of VMs in an Availability Set are sufficiently isolated from each other to avoid single points of failure. It does this by automatically placing the disks in different storage fault domains (storage clusters) and aligning them with the VM fault domain. If a storage fault domain fails due to hardware or software failure, only the VM instance with disks on the storage fault domain fails.
Option B is incorrect. Having multiple network interfaces can be used for recovery of application on virtual machines since you can move network interfaces across virtual machines. But then here to ensure that you are guaranteed an SLA of 99.5% uptime, you should use a combination of Azure Managed Disks and Azure availability sets
Option D is incorrect since this can be used to scale your application and can be used for high availability. But then here to ensure that you are guaranteed an SLA of 99.5% uptime, you should use a combination of Azure Managed Disks and Azure availability sets
For more information on managing availability for Virtual Machines, one can go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

25
Q

View Case Study:

Overview:
skillcertlabs is an online training provider.

Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2

Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files

Infrastructure changes:
* There is a need to set up Azure AD and ensure users from their On-premise Active directory are synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users

Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized

Which of the following account kinds should be used for the storage account?

A. BLOB storage
B. General Purpose v1
C. General Purpose v2
D. 0

A

C. General Purpose v2

Since the question has the key requirement “Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure”, this means that you need to use Zone redundant replication which is only available in General Purpose v2.
The below snapshot from the Microsoft documentation shows the details of the different account types

For more information on storage accounts, one can go to the below URL
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

26
Q

View Case Study:

Overview:
skillcertlabs is an online training provider.

Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2

Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files

Infrastructure changes:
* There is a need to set up Azure AD and ensure users from their On-premise Active directory are synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users

Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized

You need to install the Azure AD Connect health agent on a domain joined member server. Which of the following roles can be assigned to a user in Azure AD to perform this operation? You need to follow the least privilege rule when assigning roles.

A. Service Administrator
B. Global Administrator
C. User Administrator
D. Compliance Administrator

A

B. Global Administrator

The Microsoft documentation mentions that only the Global administrator can perform this operation

Since this is clearly mentioned in the documentation, all other options are invalid.
For more information on how to use Azure AD health agent, one can go to the below URL
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install

27
Q

View Case Study:

Overview:
skillcertlabs is an online training provider.

Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2

Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files

Infrastructure changes:
* There is a need to set up Azure AD and ensure users from their on-premise Active Directory are synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users

Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized

How many availability sets would you create for deployment of the web and database virtual machines onto Azure?
A. 1
B. 2
C. 4
D. 10

A

B. 2

You should ideally create availability sets based on the number of tiers you have for your application. This is also given in the Microsoft documentation

Since this is clearly mentioned in the documentation, all other options are invalid.
For more information on availability sets, one can go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

28
Q

View Case Study:

Overview:
skillcertlabs is an online training provider.

Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2

Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files

Infrastructure changes:
* There is a need to set up Azure AD and ensure users from their on-premise Active Directory are synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users

Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized

When adding custom domain names, which of the following records needs to be added to your custom domain registrar?

A. A record
B. NS record
C. TXT record
D. PTR record

A

C. TXT record

When you add a custom domain name in Azure AD, below is an example of what you would need to add to your domain registrar to complete the registration of the custom domain.
Since this is clearly shown, all other options are invalid
For more information on custom domain names in Azure, one can go to the below URL
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

29
Q

View Case Study:

Overview:
skillcertlabs is an online training provider.

Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2

Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files

Infrastructure changes:
* There is a need to set up Azure AD and ensure users from their on-premise Active Directory are synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users

Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized

Which of the following rules would you apply to the Network Security Group for the Network interface attached to the Web server?

A. An inbound rule allowing traffic on port 80
B. An inbound rule allowing traffic on port 443
C. An outbound rule allowing traffic on port 80
D. An outbound rule allowing traffic on port 443

A

B. An inbound rule allowing traffic on port 443

Since the users will connect via HTTPS, that means that port 443 should be open. And we need to add an Inbound security rule. An example is shown below

Option A is incorrect since this is the port for HTTP traffic
Options C and D are incorrect since you need to modify the Inbound security rule
For more information on security groups, one can go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

30
Q

View Case Study:

Overview:
skillcertlabs is an online training provider.

Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2

Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files

Infrastructure changes:
* There is a need to set up Azure AD and ensure users from their on-premise Active Directory are synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users

Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized

You need to ensure that Internet Information Services is automatically installed on the web tier Virtual Machines. You also need to ensure that Internet Information Services is always available on these machines. Which of the following can help achieve this requirement?

A. Use the Azure DSC extension
B. Use the Network Watcher agent
C. Create an availability set
D. Create a scale set

A

A. Use the Azure DSC extension

This is also given as an example in the Microsoft documentation
Option B is invalid since this is used as a network performance monitoring, diagnostic, and analytics service
Option C is invalid since this is used to create a high availability solution
Option D is invalid since this is used to scale your solution
For more information on Overview of DSC for Azure Virtual Machines, one can go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview

31
Q

Your company wants to deploy a blogging solution on Azure. Below are the key deployment requirements
Ability to connect to Azure BLOB storage as the origin
Ensure that users across the world get the same performance when they access the blogging site
You provide a solution of using the Azure File Sync service. Does this solution meet the requirement?

A.Yes
B.No

A

B.No

The Azure File Sync service is used as a file distribution service. The ideal solution to use here is the Content Delivery service
For more information on the File Sync Service, one can go to the below URL
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-planning

32
Q

Your company wants to deploy a blogging solution on Azure. Below are the key deployment requirements
Ability to connect to Azure BLOB storage as the origin
Ensure that users across the world get the same performance when they access the blogging site
You provide a solution of using the Content Delivery service. Does this solution meet the requirement?

A.Yes
B.No

A

A.Yes

Yes, this is the correct solution. The Microsoft documentation mentions the following
Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering high-bandwidth content to users by caching their content at strategically placed physical nodes across the world. Azure CDN can also accelerate dynamic content, which cannot be cached, by leveraging various network optimizations using CDN POPs. For example, route optimization to bypass Border Gateway Protocol (BGP).
The benefits of using Azure CDN to deliver web site assets include:
Better performance and improved user experience for end users, especially when using applications in which multiple round-trips are required to load content.
Large scaling to better handle instantaneous high loads, such as the start of a product launch event.
Distribution of user requests and serving of content directly from edge servers so that less traffic is sent to the origin server.
For more information on the Content Delivery Network service, one can go to the below URL
https://docs.microsoft.com/en-us/azure/cdn/cdn-overview

33
Q

Your company has an Azure account and an Azure subscription. They have created a Virtual Network named skillcertpro-net. The following users have been setup
User – Role
skillcertpro-usr1 – Owner
skillcertpro-usr2 – Security admin
skillcertpro-usr3 – Network Contributor
Which of the following users would be able to add a subnet to the Virtual Network?

A. skillcertpro-usr1 only
B. skillcertpro-usr2 only
C. skillcertpro-usr3 only
D. skillcertpro-usr1 and skillcertpro-usr2 only
E. skillcertpro-usr1 and skillcertpro-usr3 only
F. skillcertpro-usr2 and skillcertpro-usr3 only

A

E. skillcertpro-usr1 and skillcertpro-usr3 only

If you look at the Network Contributor Role, they have access to manage Virtual Networks. And then by default the Owner will have all privileges over Azure resources.

For more information on the built-in roles, please go to the below URL
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

34
Q

Your company has an Azure account and an Azure subscription. They have created a Virtual Network named skillcertpro-net. The following users have been setup
User – Role
skillcertpro-usr1 – Owner
skillcertpro-usr2 – Security admin
skillcertpro-usr3 – Network Contributor
Which of the following users would be able to add the Reader role access for a user to the Virtual Network?

A. skillcertpro-usr1 only
B. skillcertpro-usr2 only
C. skillcertpro-usr3 only
D. skillcertpro-usr1 and skillcertpro-usr2 only
E. skillcertpro-usr1 and skillcertpro-usr3 only
F. skillcertpro-usr2 and skillcertpro-usr3 only

A

A. skillcertpro-usr1 only

The Network Contributor does not have access to assign roles. And if you look at the Security admin role, it only has the privilege to work with Security Center.

For more information on the built-in roles, please go to the below URL
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

35
Q

You work as an Azure Administrator for a company. You have to ensure that a role can be in place that would have the following requirements
View all the resources in the Azure subscription
Issue support requests to Microsoft.
Use the principle of least privilege.
You have to complete the below JSON role definition (see image)

Which of the following would go into Slot1?
A. “Microsoft.Authorization//
B. “Microsoft.Authorization/*/read”
C. “ Microsoft.Authorization/read/

D. 0

A

B. “Microsoft.Authorization/*/read”

If you look at the Microsoft documentation for the role definition, you can see that the correct action is “Microsoft.Authorization/*/read”

For more information on the built-in roles, please go to the below URL
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

36
Q

View Case Study:

Overview
skillcertlabs is an online training provider.

Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
Below are the servers present on the on-premise environment
Name – Environment
skillcertlabs-serverA – Hyper-V on Windows Server 2016
skillcertlabs-serverB – VMWare vCenter Server 6.5
The database virtual machines are set on skillcertlabs-serverA
An Active directory setup using Windows Server 2012 R2

Proposed Environment:
skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
The following network has been setup in Azure
Name – Type – Address space
skillcertlabs-net – Virtual Network – 10.0.0.0/16
SubnetA – Subnet – 10.0.1.0/24
SubnetB – Subnet – 10.0.2.0/24
They want to migrate their web and database workloads to the cloud
They also want to setup a document store where users will be able to upload and download files

Infrastructure changes:
* There is a need to set up Azure AD and ensure users from their on-premise Active Directory are synced up to Azure AD
* Users from the Finance group need to use MFA during the login process
* The web apps should be deployed using the Azure Web app service
* Developers should have the ability to publish their changes to slots in the main production application
* A Site-to-Site connection needs to be established with the on-premise network
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users

Non-Functional requirements:
* The database servers
  * Should be made highly available
  * Should not be accessible from the Internet
  * Traffic should be distributed across multiple instances of the database server
* Custom code needs to be executed automatically whenever a document is added to the document store
* Wherever possible costs should be minimized

Which of the following needs to be setup in Azure for the Site-to-Site VPN connection?

A. An additional address space for the Virtual Network
B. A service endpoint
C. A gateway subnet
D. A gateway Virtual Machine

A

C. A gateway subnet

This is also given in the Microsoft documentation
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect
For more information on creating a Site-to-Site VPN connection, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

37
Q

Your company has an Azure account and a subscription. The subscription contains the virtual networks in the following table (see image1)

The subscription also contains the virtual machines in the following table (see image2)

The firewalls on all the virtual machines are configured to allow all ICMP traffic
You add the peerings in the following table. (see image3)

For each of the following statements, select Yes if the statement is true
VM1 can ping VM3

A.Yes
B.No

A

A.Yes

So, if you look at the overall picture for the VNET peerings, below is the diagram that we have

Now since there are peerings in both directions for VNET1 and VNET3, the VMs can ping each other.
For more information on VNET peering, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

38
Q

Your company has an Azure account and a subscription. The subscription contains the virtual networks in the following table

The subscription also contains the virtual machines in the following table

The firewalls on all the virtual machines are configured to allow all ICMP traffic
You add the peerings in the following table.

VM2 can ping VM3

A.Yes
B.No

A

B.No

So, if you look at the overall picture for the VNET peerings, below is the diagram that we have

In order for peering to work, you have to create peerings in both directions, so this will not work.
For more information on VNET peering, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

39
Q

Your company has an Azure account and a subscription. The subscription contains the virtual networks in the following table

The subscription also contains the virtual machines in the following table

The firewalls on all the virtual machines are configured to allow all ICMP traffic
You add the peerings in the following table.

VM2 can ping VM1

A.Yes
B.No

A

B.No

So, if you look at the overall picture for the VNET peerings, below is the diagram that we have

VNET1 and VNET2 don’t have any peering connection, so this will not work.
For more information on VNET peering, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

40
Q

A company has setup their Azure account. They have also setup different Azure AD groups and assigned the appropriate roles to the groups. There is a requirement to ensure that the Security department gets notified if any of the following actions are taken
If anybody creates a new role assignment
If anybody deletes an existing role assignment
Which of the following can help accomplish this requirement?

A. Diagnostic logs for the resource groups.
B. Azure Advisor
C. Activity logs in Azure Monitor
D. Azure Security Center

A

C. Activity logs in Azure Monitor

You can view the relevant activities in Azure Monitor. You can also create alerts based on Activity Log.
The Microsoft documentation mentions the following

The other services mentioned in the other options will not provide the facility to view the relevant RBAC changes.
For more information on Activity logs for RBAC changes, one can go to the following link
https://docs.microsoft.com/en-us/azure/role-based-access-control/change-history-report

41
Q

A company has a storage account named skillcertprotore1 defined as part of their Azure subscription. It needs to be ensured that only IP addresses within the range of 15.16.7.0/24 have access to the storage account. Which of the following PowerShell commands could be used for this purpose?

A. Add-AzStorageAccountNetworkRule
B. Set-AzStorageAccountNetwork
C. Update-AzStorage
D. Set-AzRmStorageAccountNetwork

A

A. Add-AzStorageAccountNetworkRule

An example of this is given in the Microsoft documentation. The Add-AzStorageAccountNetworkRule is used to add an IP address or an IP address range to have access to the storage account.

Since this is clearly given in the documentation, all other options are incorrect
For more information on network security for the storage account, one can go to the following link
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

42
Q

A team needs to deploy a set of Windows virtual machines to Azure. Below are the key requirements when it comes to the storage needs for the data disks attached to the virtual machines
Should have the ability to store at least 10TB of data
Have the ability to support a maximum IOPS of 10,000
Minimize storage cost
Which of the following would you choose as the disk type, if you were considering using managed disks for the virtual machines?

A. Standard HDD
B. Standard SSD
C. Premium SSD
D. Primary SSD

A

C. Premium SSD

Now even though Premium SSD is a costly option, you still need to use that disk type if you need to fulfill all the requirements. Premium SSD has the capability to support an IOPS up to 20,000. The Microsoft documentation mentions the aspects of the different types of disks

Since this is clearly given in the documentation, all other options are incorrect
For more information on disks types of Windows, one can go to the following link
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-types

43
Q

A company has the following windows virtual machines deployed to their subscription in Azure
skillcertprovm1
skillcertprovm2
The Monitoring department needs to collect certain performance-based counters from the virtual machines. Which of the following could help accomplish this?

A. Enable base collection of metrics
B. Enable collection of boot diagnostics
C. Enable collection of performance diagnostics
D. Enable collection of guest OS diagnostics data

A

D. Enable collection of guest OS diagnostics data

If you enable collection of guest OS diagnostics data, you will have the ability to collect data on the performance counters on Windows based virtual machines. The Microsoft documentation mentions the following

The other options are invalid, because they won’t provide the ability to collect performance counters for Windows based virtual machines.
For more information on monitoring Windows machines, one can go to the following link
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/monitor

44
Q

A company needs to deploy the following architecture to Azure (see image)

The architecture would consist of a load balancer that should only accept requests via private IP addresses, and requests should not flow via the internet. The load balancer would direct requests to database servers hosted on Virtual machines.
Which of the following load balancer types should be implemented for this architecture?

A. Public Load balancer
B. Private Load balancer
C. Internal Load balancer
D. External Load balancer

A

C. Internal Load balancer

Since we don’t want requests to flow via the Internet, we should create an Internal load balancer. The Microsoft documentation mentions the following

Option A is incorrect since this is created when requests need to flow via the Internet
Option B and D are incorrect terms when it comes to the load balancer.
For more information on the Azure Load balancer, one can go to the following link
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

45
Q

A company needs to deploy the following architecture to Azure (see image)

The architecture would consist of a load balancer that should only accept requests via private IP addresses, and requests should not flow via the internet. The load balancer would direct requests to database servers hosted on Virtual machines.
You need to ensure that all requests for the Remote Desktop protocol for the virtual machine are accepted on a custom port number of 3400. Which of the following is the right PowerShell command to execute for this requirement?

A. New-AzLoadBalancerInboundNatRuleConfig
B. New-AzLoadBalancerProbeConfig
C. New-AzLoadBalancerRuleConfig
D. New-AzLoadBalancer

A

A. New-AzLoadBalancerInboundNatRuleConfig

For the requirement, we have to create a NAT rule. An example of this is also given in the Microsoft documentation

Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on configuring the Azure Load balancer via PowerShell, one can go to the following link
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-get-started-ilb-arm-ps

46
Q

Your company currently has an on-premise Active Directory setup with a domain of skillcertpro.com. The company has also set up an Azure AD tenant of skillcertpro.onmicrosoft.com. They now want to use Azure AD Connect to synchronize the users from the on-premise Active Directory to Azure AD. Which of the following must be done as a pre-requisite on the Azure AD side?

A. Run the IdFix tool
B. Ensure that the forest functional level is Windows 2003 or greater
C. Ensure to add and verify the domain
D. Setup the Azure AD connect server

A

C. Ensure to add and verify the domain

In order to ensure that users from the skillcertpro.com domain are synchronized to Azure AD, you first have to ensure that the domain is set up in Azure. The Microsoft documentation mentions the following

All other options are incorrect because these are all settings that need to be carried out on the on-premise server.
For more information on the pre-requisites for Azure AD connect, one can go to the following link
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites

47
Q

A team has a set of Linux Virtual Machines defined in Azure. The size of one of the Virtual machines needs to be changed. You have to write an Azure CLI script for this. Which of the following should ideally be part of the first steps in the script?

A. Deallocate the virtual machine first
B. Restart the virtual machine first
C. Check the list of VM sizes on the hardware cluster
D. Detach the primary network interface

A

C. Check the list of VM sizes on the hardware cluster

First you have to check the availability of the required VM size on the hardware cluster. The Microsoft documentation mentions the following

Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on a tutorial to resize a Linux VM, one can go to the following link
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/change-vm-size

48
Q

A team member has created a point to site VPN connection between a computer named “WorkstationA” and an Azure Virtual Network. Another point to site VPN connection needs to be created between the same Azure Virtual Network and a computer named “WorkstationB”. The VPN client package was generated and installed on “WorkstationB”. You need to ensure you can create a successful point to site VPN connection.
You decide to join “WorkstationB” to the Azure AD tenant.

Would this solution fulfil the requirement?
A.Yes
B.No

A

B.No

Joining devices to Azure AD reaps other benefits as shown below. But it does not fulfil the current requirement.

For more information on Azure AD Join, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-compare-with-azure-ad-join

49
Q

A team member has created a point to site VPN connection between a computer named “WorkstationA” and an Azure Virtual Network. Another point to site VPN connection needs to be created between the same Azure Virtual Network and a computer named “WorkstationB”. The VPN client package was generated and installed on “WorkstationB”. You need to ensure you can create a successful point to site VPN connection.
You decide to create a local VPN gateway.

Would this solution fulfil the requirement?
A.Yes
B.No

A

B.No

The local VPN gateway is used when you want to define site-to-site VPN connections.
For more information on creating site-to-site VPN connections, please visit the below URL
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

50
Q

A team member has created a point to site VPN connection between a computer named “WorkstationA” and an Azure Virtual Network. Another point to site VPN connection needs to be created between the same Azure Virtual Network and a computer named “WorkstationB”. The VPN client package was generated and installed on “WorkstationB”. You need to ensure you can create a successful point to site VPN connection.
You decide to export and install the client certificate on “WorkstationB”
Would this solution fulfil the requirement?

A.Yes
B.No

A

A.Yes

Yes, this is one of the requirements. This is also mentioned in the Microsoft documentation

For more information on creating point-to-site VPN connections, please visit the below URL
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal