Microsoft AZ-104 Full Practice Tests 4.pdf Flashcards
Your company currently has a Virtual Network defined in Azure. The Virtual Network has a default subnet that contains 2 Virtual machines named demovm and demovm1 There is a requirement to inspect all network traffic between the Virtual Machines for a duration of 3 hours.
You propose a solution to create a Data Collector set.
Does this solution fulfill the requirement?
A.Yes
B.No
B. No
The right solution is to use Network watcher.
A data collector set if used to collect data for Performance counters.
For more information:
https://docs.microsoft.com/en-us/dynamics-nav/how-to–view-performance-counter-data-for-a-data-
collector-set
Your company currently has a Virtual Network defined in Azure. The Virtual Network has a default subnet that contains 2 Virtual machines named demovm and demovm1 There is a requirement to inspect all network traffic between the Virtual Machines for a duration of 3 hours.
You propose a solution to run Packet Capture on Azure Network watcher
Does this solution fulfil the requirement?
A.Yes
B.No
A. Yes
The Microsoft documentation mentions the following
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactivity. Other uses include gathering network statistics, gaining information on network intrusions, to
debug client-server communications and much more.
For more information on Network watcher, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Your company currently has a Virtual Network defined in Azure. The Virtual Network has a default subnet that contains 2 Virtual machines named demovm and demovm There is a requirement to inspect all network traffic between the Virtual Machines for a duration of 3 hours.
You propose a solution to create a metric chart for Network In and Network Out
Does this solution fulfill the requirement?
A.Yes
B.No
B. No
This is used to just see the number of packets coming into and out of the Virtual machine but will not do a detailed packet inspection.
For more information on monitoring Virtual Machine, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/monitor
You are working as an IT administrator for your company. The company has just purchased an Azure subscription and are looking at setting up the resources in the subscription. One of the requirements is to use Azure AD Privileged Identity Management to manage access to roles for users. You have to setup a
procedure document for the roles that can be assigned to users using PIM. Which of the following are roles that CANNOT be assigned to users using PIM? Choose 3 answers from the options given below
A. Application Administrator
B. Billing Administrator
C. Conditional Access Administrator
D. Account Administrator
E. Service Administrator
F. Co-Administrator
D. Account Administrator
E. Service Administrator
F. Co-Administrator
This is given in the Microsoft documentation
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect
For more information on PIM roles, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-roles
A team is preparing the use of the Azure Import/Export service to import a set of files onto Azure storage.
Which of the following is used to specify the list of directories/files that need to be copied to the destination?
A. driveset.csv
B. driveset.xml
C. dataset.csv
D. dataset.json
C. dataset.csv
This is clearly given in the Microsoft documentation
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on preparing drives for usage with the Import/Export service, one can go to the following link
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-tool-preparing-hard-
drives-import
A company has the following set of Virtual Machines defined in the Azure account
Name Region
skillcertpro-vm1 East US
skillcertpro-vm2 Central US
The company wants to move skillcertpro-vm1 to another subscription. Which of the following can be done to fulfil this requirement?
A. Move the Virtual Machine to the Central US region first
B. You cannot move the Virtual Machine across subscriptions. You would need to delete and recreate the VM in the new subscription
C. Use the Move-AzResource powershell command to move the Virtual Machine
D. Use the Move-VMResource powershell command to move the Virtual Machine
C. Use the Move-AzResource powershell command to move the Virtual Machine
You can move Azure resources across subscriptions using the Move-AzResource powershell command.
There are just some restrictions when moving Virtual Machines.
Below is the command provided in the Microsoft documentation
Option A is incorrect since you don’t need to move the Virtual machine to any specific region for the
move
Option B is incorrect since you can move resources across subscriptions
Option D is incorrect since the right command is Move-AzResource
For more information on moving virtual machines, one can go to the following link
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm
A company has the following virtual networks defined in Azure
Name Address space
skillcertpro-network1 10.1.0.0/16
skillcertpro-network2 10.2.0.0/16
The following virtual machines have been defined as well
Name Network
skillcertprovm1 skillcertpro-network1
skillcertprovm2 skillcertpro-network2
The necessary peering connections have been created between skillcertpro-network1 and skillcertpro-network2. The firewalls on the virtual machines have been modified to allow ICMP traffic. But traffic does not seem to flow between the virtual machines when the ping request is made.
Which of the following can be used to diagnose the issue?
A. Application Insights
B. IP Flow Verify
C. Azure Advisor
D. Azure Security Center
B. IP Flow Verify
The issue could be due to the security groups. You can diagnose the issue using IP Flow Verify.
The Microsoft documentation mentions the following
Option A is incorrect since this is normally used from an application diagnostics perspective
Option C is incorrect since this is used to provide recommendations on various types of Azure resources
Option D is incorrect since this is used mainly from a security aspect in Azure
For more information on IP Flow Verify, one can go to the following link
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
A company has the following virtual networks defined in Azure
Name Address space
skillcertpro-network1 10.1.0.0/16
skillcertpro-network2 10.2.0.0/16
The following virtual machines have been defined as well
Name Network
skillcertprovm1 skillcertpro-network1
skillcertprovm2 skillcertpro-network2
The necessary peering connections have been created between skillcertpro-network1 and skillcertpro-network2. The firewalls on the virtual machines have been modified to allow ICMP traffic. But traffic does not seem to flow between the virtual machines when the ping request is made.
If the security department wanted to check on any network intrusions into the virtual networks, which of
the following tool could be used for this purpose?
A. IP Flow Verify
B. Variable packet capture
C. Azure connection monitor
D. Application Insights
B. Variable packet capture
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on packet capture, one can go to the following link
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Your company has an Azure account and subsription. The subscription contains a virtual machine named demovm. You have a computer named Computer1 that runs Windows 10. Computer1 is connected
to the Internet. You add a network interface to the VM1 as shown in the exhibit below (see image)
From Computer1, you attempt to connect to demovm by using Remote Desktop, but the connection fails.
You need to establish a Remote Desktop connection to demovm.
What should you do first?
A. Start demovm.
B. Attach a network interface.
C. Delete the DenyAllOutBound outbound port rule.
D. Delete the DenyAllInBound inbound port rule.
A. Start demovm.
Here the main issue is that the VM is not started an allocated an IP address. When you start the VM, you will get a public IP addresses which will be assigned to the Network Interface. The Network security groups are fine for allowing RDP access
Option B is incorrect because adding a new interface will not solve the connectivity issue
Options C and D are incorrect since you cannot delete the built-in network security group rules
For more information on Network security groups, please go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Your company has an Azure account and subsription. The subscription contains a virtual machine named demovm. You have a computer named Computer1 that runs Windows 10. Computer1 is connected
to the Internet. You add a network interface to the VM1 as shown in the exhibit below (see image)
From Computer1 you want to be able to also access a web service running on port 80 after demovm is started. Which of the following must be done for this to work?
A. Attach a network interface.
B. Add an incoming network security group rule for allowing traffic on port 80
C. Add an outgoing network security group rule for allowing traffic on port 80
D. Delete the DenyAllOutBound outbound port rule.
E. Delete the DenyAllInBound inbound port rule.
B. Add an incoming network security group rule for allowing traffic on port 80
Here you need to add an incoming rule to allow traffic on port 80
Option A is incorrect since this needs to be done for the current attached network interface
Option C is incorrect since the incoming traffic needs to be allowed
Options D and E are incorrect since you cannot delete the built-in network security group rules
For more information on Network security groups, please go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Your company has an Azure account and subscription. The subscription contains the resources in the
following table:
Name Type
skillcertprotore Storage container
skillcertpro-rg Resource Group
documents BLOB container
demo File share
Your IT administrator has deployed a virtual machine called demovm and a storage account called skillcertpro-temp by using a single Azure Resource Manager template. You want to do a review of the template that was used for the deployment. Which of the following resource blade could be used to view the template that was used for the deployment?
A. skillcertpro-rg
B. demovm
C. skillcertpro-temp
D. skillcertprotore
A. skillcertpro-rg
If you to the Resource Group, you can see the deployments made to that resource group.
And if you go to any deployment you can go the Template and see the template used for the
deployment.
The other options are incorrect because these will not give the overall template deployment for multiple
resources.
For more information on resource template deployments, please visit the below URL
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-deploy-portal
You have configured Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network for your company. But users are reporting that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com. You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single-sign on (SSO) to access Azure resources. What should you do first?
A. From the on-premises network, deploy Active Directory Federation Services in a clustered environment.
B. From Azure AD, go ahead add and verify a custom domain name.
C. From the on-premises network, request a new certificate that contains the Active Directory domain name.
D. From the server that runs Azure AD Connect, modify the filtering options
B. From Azure AD, go ahead add and verify a custom domain name.
This is also given in the Microsoft documentation
Option A is incorrect since we don’t need AD FS in this scenario
Option C is incorrect since we don’t need the certificate for Azure AD Connect
Option D is incorrect since the filtering is used for which objects need to be synched
For more information on the UPN in Azure AD Connect, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname
Your company has an Azure subscription. In the subscription, you go ahead and create an Azure file share
named share1. You also create a shared access signature (SAS) named SASdemo as shown in the
following exhibit.
If you run Microsoft Azure Storage Explorer on a computer that has an IP address of 193.77.134.1 and you
use SASdemo to connect to the storage account, then you
A. will be prompted for the credentials
B. will have no access
C. will have read, write and list access
D. will have read-only access
B. will have no access
Since the IP address is not in the valid IP address range defined by the SAS url , you will be denied access.
You will get the below error in Azure Storage Explorer
Since this is the result of the SAS , all other options are incorrect.
For more information on Shared access signatures, please go to the below URL
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1
Your company has an Azure subscription. In the subscription, you go ahead and create an Azure file share named share1. You also create a shared access signature (SAS) named SASdemo as shown in the following exhibit.
If you run net use command on a computer that has an IP address of 193.77.134.50 and you use SASdemo as the to connect to share1 then you
A. will be prompted for the credentials
B. will have no access
C. will have read,write and list access
D. will have read-only access
C. will have read,write and list access
Since the IP address is in the valid IP address range, you will get the desired access that is specified in the SAS signature
net use : \.file.core.windows.net\ /u:
example :
net use z: \samples.file.core.windows.net\logs /u:samples
For more information on Shared access signatures, please go to the below URL
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1
You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
How many minimum Network Interface is required?
A. 5
B. 10
C. 15
D. 20
A. 5
So, when you attach or have a network interface for a Virtual Machine, that network interface can have both a private and public IP address.
So, by this measure, we only need to define 5 network interface cards, one for each virtual machine.
Hence all the other options are incorrect
For more information on the virtual network interfaces in Azure, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
You have a virtual network named VNet2 that has the configuration shown in the following exhibit.
Before a virtual machine on VNET2 can receive an IP address from 192.168.1.0/24 you must first
A. Add a network interface
B. Add a subnet
C. Add an address space
D. Delete a subnet
E. Delete an address space
C. Add an address space
The Virtual Network has no address space which is relative to 192.168.1.0/24 as per the powershell output given in the Exhibit.
Hence first, you need to add an address space as shown below.
After you save the address space, create a new subnet with the address space and then ensure the VM is put in the new subnet
Option A is incorrect since the network interface can only receive an address from 10.2.0.0/24 as per the powershell output given in the Exhibit.
Option B is incorrect since you need to add the address space 192.168.1.0/24 before adding the subnet
Options D and E are incorrect since you need to add the address space and subnet and not delete the address space and subnet
For more information on Virtual Networks, please go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
A company has an Azure subscription that contains the resources in the following table.
Name Type
skillcertpro-rg Resource Group
skillcertprotore Azure Storage account
skillcertproync Azure File Sync
skillcertprotore contains a file share named documents. The document file share contains 1000 files.
You need to synchronize the files in Data to an on-premises server named skillcertproerver. Which of the following would need to be implemented to fulfil this requirement? Choose 3 answers from the options given below
A. Download an automation script.
B. Create a container instance.
C. Create a sync group.
D. Register skillcertproerver.
E. Install the Azure File Sync agent on skillcertproerver.
C. Create a sync group.
D. Register skillcertproerver.
E. Install the Azure File Sync agent on skillcertproerver.
So, the Microsoft documentation gives the list of steps for using the Azure File Sync service
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on deploying Azure File Sync share, please go to the below URL
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=portal
You sign up for Azure Active Directory (Azure AD) Premium. You need to add a user named skillcertpro-usr1@skillcertpro.com as an administrator on all the computers that will be joined to the Azure AD domain.
Where should you go in Azure AD to configure this setting?
A. From Device settings from the Devices blade.
B. From General settings from the Groups blade.
C. From User settings from the Users blade.
D. From Providers from the MFA Server blade.
A. From Device settings from the Devices blade.
If you go to the Devices blade in Azure AD , you can see the option to add local administrators
Since this is the way to achieve this requirement, all other options are incorrect
For more information on device settings, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
A company needs to create a storage account that needs to conform to the following requirements
Users should be able to add files such as images and videos
Ability to store archive data
File shares need to be in place which can be accessed across several VM’s
The data needs to be available even if a region goes down
The solution needs to be cost effective
Which of the following type of storage account would you create for this purpose?
A. BLOB storage
B. General Purpose(v1)
C. General Purpose(v2)
D. 0
C. General Purpose(v2)
The below snapshot from the Microsoft documentation shows the different types of storage accounts
Over here we can see that only General Purpose v2 supports all of the requirements. Hence all other
options are incorrect.
For more information on storage accounts, please visit the below URL
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
You need to deploy two Azure virtual machines named VM1 and VM2 based on the Windows server 2016.
The deployment must meet the following requirements:
Provide a Service Level Agreement (SLA) of 99.95 percent availability.
Use managed disks
You propose a solution to create a scale set for the requirement.
Would the solution meet the goal?
A.Yes
B.No
A. Yes
Scale sets are used to create and manage a group of identical, load balanced VMs. The number of VMs can automatically increase or decrease in respond to demand or scheduled. Scale sets provide “high availability” to your applications.
For further information on Scale Sets, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview
You need to deploy two Azure virtual machines named VM1 and VM2 based on the Windows server 2016 image. The deployment must meet the following requirements:
Provide a Service Level Agreement (SLA) of 99.95 percent availability.
Use managed disks
You propose a solution to create an availability set for the requirement.
Would the solution meet the goal?
A.Yes
B.No
A.Yes
The Microsoft documentation mentions the following
For more information on availability sets, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
A company has an Azure account and subscription. They are planning on implementing Azure AD connect to sync their on-premise users to Azure AD. You have so far carried out the following steps
Installed Azure AD connect on a domain joined member server
Setup a custom domain in Azure AD
Ensured all user’s objects conform to the synchronization using the IdFix tool
Successfully setup Pass through authentication and Single Sign-on using the Azure AD connect wizard
Have confirmed that users from the on-premise AD have been successfully synced to Azure AD
You are now trying out Single Sign-on from a few machines, but it not working as expected. You are still being prompted for a user name and password. Which of the following should also be considered during
the deployment process?
A. Install Azure AD connect on the domain controller
B. Use password hash synchronization instead of pass through authentication
C. Ensure a certificate is installed on the on-premise AD FS server
D. Add “https://autologon.microsoftazuread-sso.com” to the Intranet zone settings by using Group Policy in Active Directory
D. Add “https://autologon.microsoftazuread-sso.com” to the Intranet zone settings by using Group Policy in Active Directory
This is mentioned in the Microsoft documentation as well as part of the steps required for implementing
Single Sign-on
Option A is incorrect since Azure AD Connect should be installed on a domain joined member server and
not on a domain controller.
Option B is incorrect since Single-Sign On can also be used for Pass through authentication
Option C is incorrect since for Azure AD Connect , you don’t need an AD FS Server
For more information on Single Sign-On, one can go to the below URL
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
View Case Study:
Overview:
skillcertlabs is an online training provider.
Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2
Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files
Infrastructure changes:
* There is a need to setup Azure AD and ensure users from their On-premise Active directory is synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users
Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized
Which of the following account kind should be used for the storage account?
A. BLOB storage
B. General Purpose v1
C. General Purpose v2
D. 0
C. General Purpose v2
Since the question has the key requirement “Storage replication needs to be in place to ensure that data
is available even in the case of a data centre failure”, this means that you need to use Zone redundant replication which is only available in General Purpose v2.
The below snapshot from the Microsoft documentation shows the details of the different account types
For more information on storage accounts, one can go to the below URL
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
View Case Study:
Overview:
skillcertlabs is an online training provider.
Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2
Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files
Infrastructure changes:
* There is a need to setup Azure AD and ensure users from their On-premise Active directory is synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users
Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized
You need to install the Azure AD Connect health agent on a domain joined member server. Which of the following role can be assigned to a user in Azure AD to perform this operation. You need to follow the least
privilege rule when assigning roles.
A. Service Administrator
B. Global Administrator
C. User Administrator
D. Compliance Administrator
B. Global Administrator
The Microsoft documentation mentions that only the Global administrator can perform this operation
Since this is clearly mentioned in the documentation, all other options are invalid.
For more information on how to use Azure AD health agent, one can go to the below URL
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install
View Case Study:
Overview:
skillcertlabs is an online training provider.
Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2
Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files
Infrastructure changes:
* There is a need to setup Azure AD and ensure users from their On-premise Active directory is synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users
Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized
How many availability sets would you create for deployment of the web and database virtual machines onto Azure?
A. 1
B. 2
C. 4
D. 10
B. 2
You should ideally create availability sets based on the number of tiers you have for your application. This is also given in the Microsoft documentation
Since this is clearly mentioned in the documentation, all other options are invalid.
For more information on availability sets, one can go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
View Case Study:
Overview:
skillcertlabs is an online training provider.
Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2
Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files
Infrastructure changes:
* There is a need to setup Azure AD and ensure users from their On-premise Active directory is synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users
Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized
Which of the following rule would you apply to the Network Security Group for the Network interface attached to the Web server?
A. An inbound rule allowing traffic on port 80
B. An inbound rule allowing traffic on port 443
C. An outbound rule allowing traffic on port 80
D. An outbound rule allowing traffic on port 443
B. An inbound rule allowing traffic on port 443
Since the users will connect via HTTPS, that means that port 443 should be open. And we need to add an Inbound security rule. An example is shown below
Option A is incorrect since this is the port for HTTP traffic
Options C and D are incorrect since you need to modify the Inbound security rule
For more information on security groups, one can go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
View Case Study:
Overview:
skillcertlabs is an online training provider.
Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
* An Active directory setup using Windows Server 2012 R2
Proposed Environment:
* skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
* They want to migrate their web and database workloads to the cloud
* They also want to setup a document store where users will be able to upload and download files
Infrastructure changes:
* There is a need to setup Azure AD and ensure users from their On-premise Active directory is synced up to Azure AD
* A custom domain of skillcertlabs.com also needs to be setup in Azure
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users
Non-Functional requirements:
* An SLA of 99.5% needs to be guaranteed for the availability of the Virtual Machines
* Storage replication needs to be in place to ensure that data is available even in the case of a data centre failure
* Wherever possible costs should be minimized
You need to ensure that Internet Information Services is automatically installed on the web tier Virtual Machines. You also need to ensure that Internet Information Services is always available on these machines. Which of the following can help achieve this requirement?
A. Use the Azure DSC extension
B. Use the Network Watcher agent
C. Create an availability set
D. Create a scale set
A. Use the Azure DSC extension
This is also given as an example in the Microsoft documentation
Option B is invalid since this is used as a network performance monitoring, diagnostic, and analytics service
Option C is invalid since this is used to create a high availability solution
Option D is invalid since this is used to scale your solution
For more information on Overview of DSC for Azure Virtual Machines, one can go to the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview
Your company has an Azure account and an Azure subscription. They have created a Virtual Network named skillcertpro-net. The following users have been setup
User Role
skillcertpro-usr1 Owner
skillcertpro-usr2 Security admin
skillcertpro-usr3 Network Contributor
Which of the following users would be able to add a subnet to the Virtual Network?
A. skillcertpro-usr1 only
B. skillcertpro-usr2 only
C. skillcertpro-usr3 only
D. skillcertpro-usr1 and skillcertpro-usr2 only
E. skillcertpro-usr1 and skillcertpro-usr3 only
F. skillcertpro-usr2 and skillcertpro-usr3 only
E. skillcertpro-usr1 and skillcertpro-usr3 only
If you look at the Network Contributor Role, they have access to manage Virtual Networks. And then by default the Owner will have all privileges over Azure resources.
For more information on the built-in roles, please go to the below URL
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Your company has an Azure account and an Azure subscription. They have created a Virtual Network named skillcertpro-net. The following users have been setup
User Role
skillcertpro-usr1 Owner
skillcertpro-usr2 Security admin
skillcertpro-usr3 Network Contributor
Which of the following users would be able to add the Reader role access for a user to the Virtual Network?
A. skillcertpro-usr1 only
B. skillcertpro-usr2 only
C. skillcertpro-usr3 only
D. skillcertpro-usr1 and skillcertpro-usr2 only
E. skillcertpro-usr1 and skillcertpro-usr3 only
F. skillcertpro-usr2 and skillcertpro-usr3 only
A. skillcertpro-usr1 only
The Network Contributor does not have access to assign roles. And if you look at the Security admin role, it only has the privilege to work with Security Center.
For more information on the built-in roles, please go to the below URL
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
You work as an Azure Administrator for a company. You have to ensure that a role can be in place that would have the following requirements
View all the resources in the Azure subscription
Issue support requests to Microsoft.
Use the principle of least privilege.
You have to complete the below JSON role definition (see image)
Which of the following would go into Slot1?
A. “Microsoft.Authorization//”
B. “Microsoft.Authorization//read”
C. “ Microsoft.Authorization/read/”
D. 0
B. “Microsoft.Authorization/*/read”
If you look at the Microsoft documentation for the role definition, you can see that the correct action is “Microsoft.Authorization/*/read”
For more information on the built-in roles, please go to the below URL
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
View Case Study:
Overview
skillcertlabs is an online training provider.
Existing Environment:
skillcertlabs currently has an on-premise environment that consists of the following
* A set of Virtual machines that host web-based application workloads
* A set of Virtual machines that host database workloads
Below are the servers present on the on-premise environment
Name – Environment
skillcertlabs-serverA – Hyper-V on Windows Server 2016
skillcertlabs-serverB – VMWare vCenter Server 6.5
The database virtual machines are set on skillcertlabs-serverA
An Active directory setup using Windows Server 2012 R2
Proposed Environment:
skillcertlabs has recently setup an Azure Active Directory (Azure AD) tenant
The following network has been setup in Azure
Name – Type – Address space
skillcertlabs-net – Virtual Network – 10.0.0.0/16
SubnetA – Subnet – 10.0.1.0/24
SubnetB – Subnet – 10.0.2.0/24
They want to migrate their web and database workloads to the cloud
They also want to setup a document store where users will be able to upload and download files
Infrastructure changes:
* There is a need to setup Azure AD and ensure users from their On-premise Active directory is synced up to Azure AD
* Users from the Finance group need to use MFA during the login process
* The web apps should be deployed using the Azure Web app service
* Developers should have the ability to publish their changes to slots in the main production application
* A Site-to-Site connection needs to be established with the on-premise network
* The web based Virtual Machines in Azure should only allow HTTPS traffic for the Internet based users
Non-Functional requirements:
* The database servers
* Should be made highly available
* Should not be accessible from the Internet
* Traffic should be distributed across multiple instances of the database server
* Custom code needs to be executed automatically whenever a document is added to the document store
* Wherever possible costs should be minimized
Which of the following needs to be setup in Azure for the Site-to-Site VPN connection?
A. An additional address space for the Virtual Network
B. A service endpoint
C. A gateway subnet
D. A gateway Virtual Machine
C. A gateway subnet
This is also given in the Microsoft documentation
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect
For more information on creating a Site-to-Site VPN connection, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-
portal
“Your company has an Azure account and a subscription. The subscription contains the virtual networks in the following table (see image1)
The subscription also contains the virtual machines in the following table (see image2)
The firewalls on all the virtual machines are configured to allow all ICMP traffic
You add the peerings in the following table. (see image3)
For each of the following statements, select Yes if the statement is true
VM1 can ping VM3
A.Yes
B.No
A.Yes
So, if you look at the overall picture for the VNET peerings , below is the diagram that we have
Now since there are peerings in both directions for VNET1 and VNET3 , the VM’s can ping each other.
For more information on VNET peering, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Your company has an Azure account and a subscription. The subscription contains the virtual networks in the following table
The subscription also contains the virtual machines in the following table
The firewalls on all the virtual machines are configured to allow all ICMP traffic
You add the peerings in the following table.
VM2 can ping VM3
A.Yes
B.No
B.No
So, if you look at the overall picture for the VNET peerings , below is the diagram that we have
In order for peering to work, you have to create peerings in both directions , so this will not work.
For more information on VNET peering, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Your company has an Azure account and a subscription. The subscription contains the virtual networks in the following table
The subscription also contains the virtual machines in the following table
The firewalls on all the virtual machines are configured to allow all ICMP traffic
You add the peerings in the following table.
VM2 can ping VM1
A.Yes
B.No
B.No
So, if you look at the overall picture for the VNET peerings , below is the diagram that we have
VNET1 and VNET2 don’t have any peering connection , so this will not work.
For more information on VNET peering, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
A company has setup their Azure account. They have also setup different Azure AD groups and assigned the appropriate roles to the groups. There is a requirement to ensure that the Security department gets notified if any of the following actions are taken
If anybody creates a new role assignment
If anybody deletes an existing role assignment
Which of the following can help accomplish this requirement?
A. Diagnostic logs for the resource groups.
B. Azure Advisor
C. Activity logs in Azure Monitor
D. Azure Security Center
C. Activity logs in Azure Monitor
You can view the relevant activities in Azure Monitor. You can also create alerts based on Activity Log.
The Microsoft documentation mentions the following
The other services mentioned in the other options will not provide the facility to view the relevant RBAC changes.
For more information on Activity logs for RBAC changes, one can go to the following link
https://docs.microsoft.com/en-us/azure/role-based-access-control/change-history-report
A company has a storage account named skillcertprotore1 defined as part of their Azure subscription. It needs to be ensured that only IP addresses within the range of 15.16.7.0/24 have access to the storage account. Which of the following powershell command could be used for this purpose?
A. Add-AzStorageAccountNetworkRule
B. Set-AzStorageAccountNetwork
C. Update-AzStorage
D. Set-AzRmStorageAccountNetwork
A. Add-AzStorageAccountNetworkRule
An example of this is given in the Microsoft documentation. The Add-AzStorageAccountNetworkRule is used to add an IP address or an IP address range to have access to the storage account.
Since this is clearly given in the documentation, all other options are incorrect
For more information on network security for the storage account, one can go to the following link
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
A team needs to deploy a set of Windows virtual machines to Azure. Below are the key requirements when it comes to the storage needs for the data disks attached to the virtual machines
Should have the ability to store at least 10TB of data
Have the ability to support a maximum IOPS of 10,000
Minimize storage cost
Which of the following would you choose as the disk type, if you were considering using managed disks for the virtual machines?
A. Standard HDD
B. Standard SSD
C. Premium SSD
D. Primary SSD
C. Premium SSD
Now even though Premium SSD is a costly option, you still need to use that disk type if you need to fulfill all the requirements. Premium SSD has the capability to support an IOPS up to 20,000. The Microsoft documentation mentions the aspects of the different types of disks
Since this is clearly given in the documentation, all other options are incorrect
For more information on disks types of Windows, one can go to the following link
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-types
A company has the following windows virtual machines deployed to their subscription in Azure
skillcertprovm1
skillcertprovm2
The Monitoring department needs to collect certain performance-based counters from the virtual
machines. Which of the following could help accomplish this?
A. Enable base collection of metrics
B. Enable collection of boot diagnostics
C. Enable collection of performance diagnostics
D. Enable collection of guest OS diagnostics data
Incorrect
If you enable collection of guest OS diagnostics data, you will have the ability to collect data on the performance counters on Windows based virtual machines. The Microsoft documentation mentions the following
The other options are invalid, because they won’t provide the ability to collect performance counters for Windows based virtual machines.
For more information on monitoring Windows machines, one can go to the following link
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/monitor
A company needs to deploy the following architecture to Azure (see image)
The architecture would consist of a load balancer that should only accept request via private IP addresses and should not flow via the internet. The Load balancer would direct requests to database servers hosted on Virtual machines.
Which of the following load balancer type should be implemented for this architecture?
A. Public Load balancer
B. Private Load balancer
C. Internal Load balancer
D. External Load balancer
C. Internal Load balancer
Since we don’t want requests to flow via the Internet, we should create an Internal load balancer. The Microsoft documentation mentions the following
Option A is incorrect since this is created when requests need to flow via the Internet
Option B and D are incorrect terms when it comes to the load balancer.
For more information on the Azure Load balancer, one can go to the following link
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
A company needs to deploy the following architecture to Azure (see image)
The architecture would consist of a load balancer that should only accept request via private IP addresses and should not flow via the internet. The Load balancer would direct requests to database servers hosted
on Virtual machines.
You need to ensure that all requests for the Remote Desktop protocol for the virtual machine are accepted on a custom port number of 3400. Which of the following is the right powershell command to execute for this requirement?
A. New-AzLoadBalancerInboundNatRuleConfig
B. New-AzLoadBalancerProbeConfig
C. New-AzLoadBalancerRuleConfig
D. New-AzLoadBalancer
A. New-AzLoadBalancerInboundNatRuleConfig
For the requirement, we have to create a NAT rule. An example of this is also given in the Microsoft documentation
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on configuring the Azure Load balancer via powershell, one can go to the following link
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-get-started-ilb-arm-ps
Your company currently has an on-premise Active directory setup with a domain of skillcertpro.com. The company has also setup an Azure AD tenant of skillcertpro.onmicrosoft.com. They now want to use Azure AD connect to synchronize the users from the on-premise Active Directory to Azure AD. Which of the following must be done as a pre-requisite on the side on Azure AD?
A. Run the IdFix tool
B. Ensure that the forest functional level is Windows 2003 or greater
C. Ensure to add and verify the domain
D. Setup the Azure AD connect server
C. Ensure to add and verify the domain
In order to ensure that users from the skillcertpro.com domain is synchronized to Azure AD you have to ensure first that the domain is setup in Azure. The Microsoft documentation mentions the following
All other options are incorrect because these are all settings that need to be carried out on the on-premise server.
For more information on the pre-requisites for Azure AD connect, one can go to the following link
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites
A team has a set of Linux Virtual Machines defined in Azure. The size of one of the Virtual machines needs to be changed. You have to write an Azure CLI script for this. Which of the following should ideally be part of the first steps in the script?
A. Deallocate the virtual machine first
B. Restart the virtual machine first
C. Check the list of VM sizes on the hardware cluster
D. Detach the primary network interface
C. Check the list of VM sizes on the hardware cluster
First you have to check the availability of the required VM size on the hardware cluster. The Microsoft documentation mentions the following
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on a tutorial to resize a Linux VM, one can go to the following link
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/change-vm-size
A team member has created a point to site VPN connection between a computer named “WorkstationA” and an Azure Virtual Network. Another point to site VPN connection needs to be created between the same Azure Virtual Network and a computer named “WorkstationB”. The VPN client package was
generated and installed on “WorkstationB”. You need to ensure you can create a successful point to site VPN connection.
You decide to join “WorkstationB” to the Azure AD tenant.
Would this solution fulfil the requirement?
A.Yes
B.No
B.No
Joining devices to Azure AD reaps other benefits as shown below. But it does not fulfil the current requirement.
For more information on Azure AD Join, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-compare-
with-azure-ad-join
A team member has created a point to site VPN connection between a computer named “WorkstationA” and an Azure Virtual Network. Another point to site VPN connection needs to be created between the same Azure Virtual Network and a computer named “WorkstationB”. The VPN client package was
generated and installed on “WorkstationB”. You need to ensure you can create a successful point to site VPN connection.
You decide to export and install the client certificate on “WorkstationB”
Would this solution fulfil the requirement?
A.Yes
B.No
A.Yes
Yes, this is one of the requirements. This is also mentioned in the Microsoft documentation
For more information on creating point-to-site VPN connections, please visit the below URL
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-
portal
