MS AZ-104 WL.pdf Flashcards
Question 2
Domain: Manage Azure identities and governance
Company WhizLabs has 2 Azure subscriptions named “Staging” and “Production”.
The “Staging” subscription has the following resource groups:
Name || Region || Lock type
rg-staging-1 || West Europe || None
rg-staging-2 || West Europe || Read-only
The company has deployed a storage account stwhizlabs to the rg-staging-1 resource group.
The “Production” subscription has the following resource groups.
Name || Region || Lock type
rg-production-3 || East Asia || Delete
rg-production-4 || Central US || None
Would you be able to move the stwhizlabs resource to the rg-production-3 resource group?
Yes
No
Yes
We can move resources from one resource group to another. In this case the source resource group has no lock defined, and the receiving resource group has a delete lock, which only prevents resources from being deleted. Below is a further explanation of what a delete lock does.
A delete lock on a resource group means that no resource contained in that resource group can be deleted. The idea behind a delete lock is to avoid any resource deletion, even by mistake. Without a lock on the resource group, a user can delete the group by mistake, and a malicious user can delete it deliberately. This can cause serious problems in a production system and may even impact end users.
A delete lock puts no other restrictions in place. Resources can always be added to a resource group that has a delete lock.
From this explanation it is clear that A (yes) is the correct answer, all other answers are wrong.
Note - below screenshots are added for reference purposes.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription
Question 2
Domain: Manage Azure identities and governance
Company WhizLabs has 2 Azure subscriptions named “Staging” and “Production”.
The “Staging” subscription has the following resource groups:
Name || Region || Lock type
rg-staging-1 || West Europe || None
rg-staging-2 || West Europe || Read-only
The company has deployed a web application (app-whizlabsweb) within the App Service plan (ASP-whizlabsrg1-ba8c) to the resource group (rg-staging-1).
The “Production” subscription has the following resource groups.
Name || Region || Lock type
rg-production-3 || East Asia || Delete
rg-production-4 || Central US || None
Also, the company provisioned a web application (app-prod-web) in the resource group (rg-production-4). Would you be able to move App Service resources from rg-staging-1 to the rg-production-4 resource group?
Yes
No
No
Moving a resource from one resource group to another only changes metadata; it has no effect on the resources themselves. Neither rg-staging-1 nor rg-production-4 has a lock. But we still cannot move the App Service resources from resource group “rg-staging-1” to the target resource group “rg-production-4”, because the target already contains web resources.
The destination resource group must not have any existing App Service resources. App Service resources include Web Apps, App Service plans, etc. Here, rg-staging-1 has a web application (app-whizlabsweb) with the App Service plan (ASP-whizlabsrg1-ba8c), and the target resource group (rg-production-4) has a web application (app-prod-web).
As per the Microsoft documentation, web resources in the destination group violate the rules for moving App Service resources from one subscription to another.
It is clear that B is the correct answer and A is the wrong answer.
For more information on resource locks, please visit the following URL-
Move Azure App Service resources across resource groups or subscriptions - Azure Resource Manager | Microsoft Docs
Question 4
Domain: Implement and manage storage
Whizlabs Inc. is a multinational company with offices in multiple countries. The company is planning to move its on-premises file servers to Azure Files. While setting up identity-based access for Azure Files, which of the following mechanisms enforces granular access control for files and directories within a share?
A. Azure Active Directory Domain Services
B. Role-Based Access Control (RBAC) right
C. Shared Key Authentication
D. Virtual Network Service Endpoints
B. Role-Based Access Control (RBAC) right C. Shared Key Authentication
Role-Based Access Control (RBAC) for Azure Files allows you to manage and control access to your Azure File shares and their associated resources in a fine-grained manner. RBAC is a crucial component of Azure’s access control and authorization system, and it helps ensure that users and services have the right permissions to perform specific actions within Azure Files.
Option A is incorrect because Azure Active Directory Domain Services (Azure AD DS) is a managed domain service that integrates with Azure AD for identity and authentication in Azure environments.
Option B is correct because Role-Based Access Control (RBAC) for Azure Files allows you to manage and control access to your Azure File shares and their associated resources at a granular, fine-grained level.
Option C is incorrect because Shared Key Authentication is a method to authenticate access to Azure Storage resources using an account’s access key securely.
Option D is incorrect because Virtual Network Service Endpoints in Azure extend private network connectivity to Azure services, enabling secure access without public internet exposure, enhancing security, and reducing latency.
Reference: Control access to Azure file shares by assigning share-level permissions | Microsoft Learn
Question 7
Domain: Manage Azure identities and governance
Your company has a Microsoft Entra tenant named whizlabs.com.
The following users are defined in the tenant.
Name || Role
whizlabusr1 || Cloud device administrator
whizlabusr2 || User administrator
The tenant also consists of the following Windows 10 devices.
Name || Join type
whizlabvm1 || Microsoft Entra ID registered
whizlabvm2 || Microsoft Entra ID joined
The tenant also has the following groups defined.
Name || Join Type || Owner
whizlabgrp1 || Assigned || whizlabusr1
whizlabgrp2 || Dynamic Device || whizlabusr2
Would the user whizlabusr2 be able to add the device whizlabvm1 to the group whizlabgrp1?
Yes
No
Yes
Since whizlabusr2 holds the “User Administrator” role, he/she can update the membership of any assigned group, regardless of whether he/she owns the group, because the role grants that permission. He/she can add users and devices to any assigned group in Microsoft Entra ID.
References:
Manage devices in Microsoft Entra ID using the Microsoft Entra admin center | Microsoft Learn
Question 8
Domain: Manage Azure identities and governance
Your company has a Microsoft Entra tenant named whizlabs.com.
The following users are defined in the tenant.
Name || Role
whizlabusr1 || Cloud device administrator
whizlabusr2 || User administrator
The tenant also consists of the following Windows 10 devices.
Name || Join type
whizlabvm1 || Microsoft Entra ID registered
whizlabvm2 || Microsoft Entra ID joined
The tenant also has the following groups defined.
Name || Join Type || Owner
whizlabgrp1 || Assigned || whizlabusr1
whizlabgrp2 || Dynamic Device || whizlabusr2
Would the user whizlabusr2 be able to add the device whizlabvm2 to the group whizlabgrp2?
Yes
No
No
Since the group is dynamic, you cannot add users or devices to it manually. Membership of device whizlabvm2 is governed by the group’s membership rules, and the device is added or removed automatically.
Membership types:
Assigned: Lets you add specific users as members of a group and have unique permissions.
Dynamic user: Lets you use dynamic membership rules to automatically add and remove members. If a member’s attributes change, the system looks at your dynamic group rules for the directory to see if the member meets the rule requirements (is added), or no longer meets the rules requirements (is removed).
Dynamic device: Lets you use dynamic group rules to automatically add and remove devices. If a device’s attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added), or no longer meets the rules requirements (is removed).
Important
You can create a dynamic group for either devices or users, but not for both. You can’t create a device group based on the device owners’ attributes. Device membership rules can only reference device attributes. For more information about creating a dynamic group for users and devices, see Create a dynamic group and check status.
The device WhizlabVM2 is already “Microsoft Entra ID joined”. Hence WhizlabVM2 will be governed by the group’s dynamic membership rule.
References:
https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups#group-and-membership-types
https://learn.microsoft.com/en-us/entra/fundamentals/concept-learn-about-groups
https://learn.microsoft.com/en-us/entra/identity/users/groups-create-rule
Question 9
Domain: Implement and manage virtual networking
A company has deployed the following Azure Load Balancer resources to their Azure subscription
Name || SKU
whizlabload1 || Basic
whizlabload2 || Standard
Each load balancer would have to load balance requests across three virtual machines.
You want to ensure that whizlabload1 can load balance requests across the three virtual machines. Which of the following has to be implemented?
A. Ensure the virtual machines are created in the different regions.
B. Ensure the virtual machines are created in the same resource group.
C. Ensure the virtual machines are created in the same virtual network.
D. Ensure the virtual machines are created in the same availability set or virtual machine scale set
D. Ensure the virtual machines are created in the same availability set or virtual machine scale set
You look at the comparison between the Standard and the Basic Load Balancer in the Microsoft documentation. It clearly mentions that the virtual machines need to be part of an availability set or a virtual machine scale set.
Since this is clearly mentioned in the documentation, all other options are incorrect. For more information on the Azure Load Balancer, please visit the following URL-
What is Azure Load Balancer? - Azure Load Balancer | Microsoft Learn
Azure Load Balancer SKUs | Microsoft Learn
Question 10
Domain: Implement and manage virtual networking
A company has deployed the following Azure Load Balancer resources to their Azure subscription
Name || SKU
whizlabload1 || Basic
whizlabload2 || Standard
Each load balancer would have to load balance requests across three virtual machines.
You want to ensure that whizlabload2 can load balance requests across the three virtual machines. Which of the following has to be implemented?
A. Ensure the virtual machines are created in the different regions.
B. Ensure the virtual machines are created in the same resource group.
C. Ensure the virtual machines are created in the same virtual network.
D. Ensure the virtual machines are created in the same availability set or virtual machine scale set
C. Ensure the virtual machines are created in the same virtual network.
You look at the comparison between the Standard and the Basic Load Balancer in the Microsoft documentation. It clearly mentions that the virtual machines need to be part of a single virtual network.
Since this is clearly mentioned in the documentation, all other options are incorrect. For more information on the Azure Load Balancer, please visit the following URL-
https://docs.microsoft.com/en-us/azure/load-balancer/skus
Question 13
Domain: Deploy and manage Azure compute resources
A company has the following resources defined as part of its Azure subscription.(see image)
The virtual machine wlvm1 is part of a virtual network named wl-network2. The virtual machine has a network interface named wlnic attached to it. You need to create a new network interface named wlsecnic and later attach it to the virtual machine.
You decide to create wlsecnic in the wl-rg2 resource group and the West US region. Would this fulfill the requirement?
Yes
No
Yes
In order to attach a network interface to a virtual machine, it must be created in the same region as the virtual machine. It must also be part of the same virtual network that hosts the virtual machine.
Hence here, the requirements for ensuring the network interface can be attached to the virtual machine are met.
Below is an excerpt from the Microsoft documentation on the creation of a network interface.
For more information on network interfaces, please visit the following URL-
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
Question 14
Domain: Deploy and manage Azure compute resources
A company has the following resources defined as part of its Azure subscription.(see image)
The virtual machine wlvm1 is part of a virtual network named wl-network2. The virtual machine has a network interface named wlnic attached to it. You need to create a new network interface named wlsecnic and later attach it to the virtual machine.
You decide to create wlsecnic in the wl-rg1 resource group and the West US region. Would this fulfill the requirement?
Yes
No
Yes
First, we need to understand the difference between data and metadata. Metadata is not the actual data but additional useful information about the data. A resource group contains metadata about Azure resources, not the actual resources: the list of resources and some additional useful information such as the region in which each resource exists, the components of each resource, etc. In view of this, a resource group and the resources it contains can be in different regions. The basic constraint here is that a VM and all its components must be in the same virtual network and in the same region.
In the given scenario, we are asked to create a new network interface wlsecnic and attach it to wlvm1, which resides in wl-network2. Since all these resources are in the West US region, it is possible to do so, even though wl-rg2 is in a different region (West Europe).
Note that it is good practice to create a resource group and its resources in the same region. Sometimes, data residency and compliance requirements will also force us to create both in the same region.
Question 15
Domain: Deploy and manage Azure compute resources
A company has the following resources defined as part of its Azure subscription.(see image)
The virtual machine wlvm1 is part of a virtual network named wl-network2. The virtual machine has a network interface named wlnic attached to it. You need to create a new network interface named wlsecnic and later attach it to the virtual machine.
You decide to create wlsecnic in the wl-rg2 resource group and in the Central US region. Would this fulfill the requirement?
Yes
No
No
In order to attach a network interface to a virtual machine, it must be created in the same region as the virtual machine. It must also be part of the same virtual network that hosts the virtual machine.
Here the virtual machine is in the West US region and the network interface is being created in the Central US region. For more information on network interfaces, please visit the following URL-
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
Question 16
Domain: Monitor and maintain Azure resources
A company has the following resources defined as part of its Azure subscription. (see image)
A blob container named “whizlabdata” and a file share named “whizlabfiledata” are created in the storage account whizlabstore1. Which of the following resources can be backed up with the help of the recovery services vault whizlabvault1?
A. whizlabvm1 only
B. whizlabvm1 and whizlabfiledata only
C. whizlabvm1 and whizlabdb only
D. whizlabvm1, whizlabstore1 and whizlabdb
E. whizlabvm1, whizlabdata, whizlabfiledata and whizlabdb
A. whizlabvm1 only
Here the recovery services vault (whizlabvault1) is located in the Central US region. This means that only resources in this region can be backed up in the recovery services vault. And for this, we have only the virtual machine located in this region.
Since this is the only approach for backing up data in the recovery services vault, all other options are incorrect. For more information on the recovery services vault, please visit the following URLs-
https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
Question 17
Domain: Monitor and maintain Azure resources
A company has the following resources defined as part of its Azure subscription. (see image)
A blob container named “whizlabdata” and a file share named “whizlabfiledata” are created in the storage account whizlabstore1. Which of the following resources can be backed up with the help of the recovery services vault whizlabvault2?
A. whizlabstore1 only
B. whizlabfiledata only
C. whizlabvm1 and whizlabfiledata only
D. whizlabdata and whizlabfiledata only
E. whizlabstore1 and whizlabdb only
B. whizlabfiledata only
In an Azure Recovery Services vault (RSV), we can back up only those resources that are in the same region as the RSV. In the current scenario, the RSV (whizlabvault2) is in the West US region. Storage account whizlabstore1 is also in that region. whizlabstore1 has two resources: a blob container named “whizlabdata” and a file share named “whizlabfiledata”. Azure blob data cannot be backed up to an RSV (it requires a Backup vault). An Azure file share, however, can be backed up to an RSV. There are no other resources in the same region besides these two.
It is clear that B is the correct answer and all other answers are wrong.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview
Question 18
Domain: Manage Azure identities and governance
A company has a Microsoft Entra ID that contains the following users. (see image)
The Microsoft Entra Tenant has the following device settings. Users can join devices to Microsoft Entra ID.
Additional local administrators on Microsoft Entra joined devices are set to None.
The user whizlabusr1 goes ahead and joins a Windows 10 computer to the Microsoft Entra tenant.
You need to identify those users that would be added to the local Administrators group on the computer.
A. whizlabusr1 only
B. whizlabusr2 only
C. whizlabusr1, whizlabusr2 and whizlabusr3 only
D. whizlabusr1 and whizlabusr2 only
E. whizlabusr1, whizlabusr2, whizlabusr3 and whizlabusr4
D. whizlabusr1 and whizlabusr2 only
When a device is joined to Microsoft Entra ID, the user who joins the computer to the domain is added as the local administrator. Also, the Global Administrator will be added as an administrator to the system.
Hence D is the correct answer and all other answers are wrong. This is also mentioned in the Microsoft documentation.
How it works
At the time of Microsoft Entra join, we add the following security principals to the local administrators group on the device:
*The Microsoft Entra Global Administrator role
*The Microsoft Entra Joined Device Local Administrator role
*The user performing the Microsoft Entra join
Note
This is done during the join operation only. If an administrator makes changes after this point they will need to update the group membership on the device.
Note: Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID
For more information on managing the local administrators in the Microsoft Entra join process, please visit the following URL-
How to manage local administrators on Microsoft Entra joined devices | Microsoft Learn
Microsoft Entra built-in roles | Microsoft Learn
Question 19
Domain: Deploy and manage Azure compute resources
You need to increase the number of CPU cores and the memory of a running Azure Container Instance.
What 2 steps do you take to carry out this task?
A. Stop the ACI
B. Redeploy ARM ACI deployment template
C. In Azure portal, select the Scale up for ACI container
D. Update Dockerfile
E. Delete the ACI
B. Redeploy ARM ACI deployment template
E. Delete the ACI
Unfortunately, Azure does not allow you to scale an Azure Container Instance in place. You need to delete the current ACI and create a new instance with the new resource requirements. The most convenient way is to reuse and run the ARM template from the previous ACI deployment. You can find the template under the Deployments section of the ACI’s resource group blade. When you select the deployment template and click the Redeploy button on the top bar, the Azure portal opens the Custom deployment screen (Number 1). Here you click “Edit Parameters” (Number 2) and can change the number of CPU cores, memory, restart policy, etc. (Number 4). If you have not deleted the previous ACI and keep the same name for the new instance (Number 3), you will get a deployment failed error when you click the Create button after the review; you must delete the old ACI or change the name of the new ACI.
All other options are incorrect.
For more information about creating and updating the ACI using the ARM templates, please visit the below URLs:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-update#properties-that-require-container-delete
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-quickstart-template
Question 20
Domain: Deploy and manage Azure compute resources
You create an ACI multi-container group.
Please select three correct statements about the ACI group.
A. ACI group is similar to the AKS node
B. Containers in the ACI group share the same resources
C. You can add new containers to the already running ACI group
D. You can select different VM size for each container in a group
E. ACI group can include the init containers
F. You can create multi-container ACI groups on Linux only
B. Containers in the ACI group share the same resources
C. You can add new containers to the already running ACI group
E. ACI group can include the init containers
You can create groups of ACI containers. These ACI groups are similar to AKS pods. A group is a collection of containers that is scheduled on the same host machine. It shares the host’s resources, local network, and storage volumes. You can deploy a multi-container group only on Linux, using ARM templates, YAML scripts, or Docker Compose.
Option B is correct because the containers in the ACI group share the same resources of the host machine. The containers share not only the same resources but also the local network and storage volumes.
Option E is correct because the ACI group can include init containers. This container type prepares the run of your application: it sets up accounts or databases, or runs scripts. Only after the init containers finish their jobs do the application containers start.
Option F is correct because currently you can create multi-container ACI groups on Linux only.
Option A is incorrect because the ACI group is similar to AKS pods, not to AKS nodes.
Option C is incorrect because you need to delete the old ACI group and create a new one with the additional containers. Usually, you can deploy a multi-container group using ARM templates or YAML scripts. Docker Compose can also be used.
Option D is incorrect because the ACI multi-container group shares the same host machine, and you cannot dedicate any VMs to a particular container.
For more information about Azure Container Instance groups, please visit the below URLs:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-multi-container-group
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-init-container
Question 21
Domain: Implement and manage storage
Whizlabs Inc. is an accounting company with a cloud-only infrastructure. It uses Azure Storage to retain its business-critical data. The company would like to put its data in a WORM (Write Once, Read Many) state. Which two of the following features must you enable to support the WORM functionality?
A. Enable version-level immutability
B. Enable soft delete
C. Enable blob versioning
D. Enable point-in-time restore
A. Enable version-level immutability right
C. Enable blob versioning right
Immutable storage functionality for Azure Blob Storage empowers users to securely store vital business data in a Write Once, Read Many (WORM) state. When data is in the WORM state, it remains impervious to modification or deletion for a duration specified by the user. By establishing immutability policies for blob data, you establish a safeguard against unintended overwrites and deletions.
In order to set up retention policies based on versions and time, it’s necessary to have blob versioning activated for the respective storage account. It’s important to note that enabling blob versioning could potentially have an impact on billing.
Option A is correct because version-level immutability provides write-once, read-many functionality. This protects data from being altered.
Option B is incorrect because soft delete keeps the data for another 14 days, which protects resources from accidental deletion by retaining the data for an extended period.
Option C is correct because one of the prerequisites for enabling version immutability is to have blob versioning enabled for the storage account.
Option D is incorrect because point-in-time restore offers a safety net against inadvertent deletions or corruption by granting you the capability to revert block blob data to a previous state. This feature proves invaluable in situations where data has been unintentionally deleted by a user or application, or in cases where data corruption results from application errors.
Reference:
Configure immutability policies for blob versions - Azure Storage | Microsoft Learn
Question 23
Domain: Manage Azure identities and governance
A company has an Azure AD tenant. They have users that are also synced with their on-premises environment. The domain contains the following users. (see image)
The administrator has enabled self-service password reset (SSPR) for all users.
The administrator has enabled the following SSPR settings.
Number of methods required to reset – 2
Methods available to users – Mobile phone and Security questions
Number of questions to register – 3
Number of questions to reset – 3
The following security questions are chosen.
In what city was your first job?
What was the name of the first school you attended?
What was your first job?
Would whizlabadmin1 be required to answer the security question “In what city was your first job?” to reset their password?
A. Yes
B. No
No
For administrators, the password reset policy is different, wherein they are not asked for security questions. The Microsoft documentation mentions the following.
Administrator reset policy differences
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can’t be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned.
The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number, and it prohibits security questions. Office and mobile voice calls are also prohibited for trial or free versions of Microsoft Entra ID.
A two-gate policy applies in the following circumstances:
All the following Azure administrator roles are affected:
Application administrator
Application proxy service administrator
Authentication administrator
Billing administrator
Compliance administrator
Device administrators
Directory synchronization accounts
Directory writers
Dynamics 365 administrator
Exchange administrator
Global administrator or company administrator
Helpdesk administrator
Intune administrator
Mailbox Administrator
Microsoft Entra Joined Device Local Administrator
Partner Tier1 Support
Partner Tier2 Support
Password administrator
Power BI service administrator
Privileged Authentication administrator
Privileged role administrator
Security administrator
Service support administrator
SharePoint administrator
Skype for Business administrator
User administrator
For more information on the password reset policy for administrators, please visit the following URL-
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
Question 24
Domain: Manage Azure identities and governance
A company has an Azure AD tenant. They have users that are also synced with their on-premises environment. The domain contains the following users. (see image)
The administrator has enabled self-service password reset (SSPR) for all users.
The administrator has enabled the following SSPR settings.
Number of methods required to reset – 2
Methods available to users – Mobile phone and Security questions
Number of questions to register – 3
Number of questions to reset – 3
The following security questions are chosen.
In what city was your first job?
What was the name of the first school you attended?
What was your first job?
Would whizlabadmin2 be required to answer the security question “What was the name of the first school you attended?” to reset their password?
A. Yes
B. No
No
For administrators, the password reset policy is different, wherein they are not asked for security questions. The Microsoft documentation mentions the following.
The administrator reset policy and the full list of affected administrator roles are quoted under Question 23 above: administrator accounts are subject to a fixed two-gate policy that prohibits security questions, so whizlabadmin2 is not asked one.
For more information on the password reset policy for administrators, please visit the following URL-
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
Question 25
Domain: Manage Azure identities and governance
A company has an Azure AD tenant. They have users that are also synced with their on-premises environment. The domain contains the following users. (see image)
The administrator has enabled self-service password reset (SSPR) for all users.
The administrator has enabled the following SSPR settings.
Number of methods required to reset – 2
Methods available to users – Mobile phone and Security questions
Number of questions to register – 3
Number of questions to reset – 3
The following security questions are chosen.
In what city was your first job?
What was the name of the first school you attended?
What was your first job?
Would whizlabusr be required to answer the security question “In what city was your first job?” to reset their password?
A. Yes
B. No
Yes
Self-service password reset (SSPR) is enabled for all users, and the policy requires two methods while exactly two are offered (mobile phone and security questions), so whizlabusr must complete both. Three questions are registered and all three must be answered to reset, so every registered question, including “In what city was your first job?”, has to be answered. This assumes whizlabusr holds no administrator role; administrator accounts fall under the fixed two-gate policy described earlier, which does not allow security questions at all.
Microsoft Entra Self-Service Password Reset (SSPR) provides users with the ability to change or reset their password, without administrator or help desk involvement. If a user’s account is locked or they forget their password, they can unblock themselves and follow the prompts to get back to work.
For more information on how password reset works, please visit the following URL-
Self-service password reset deep dive | Microsoft Learn
Question 26
Domain: Deploy and manage Azure compute resources
Please select four true statements that apply to the use of Azure Disk Encryption (ADE) for Azure VM disk protection.
A. ADE supports the encryption of Basic tier VMs
B. ADE encrypted VM must be backed up to the Recovery Service Vault
C. ADE is integrated with Azure Key Vault
D. ADE uses BitLocker for Windows VM-controlled disks
E. ADE uses DM-Crypt for Linux-based VMs
B. ADE encrypted VM must be backed up to the Recovery Service Vault
C. ADE is integrated with Azure Key Vault
D. ADE uses BitLocker for Windows VM-controlled disks
E. ADE uses DM-Crypt for Linux-based VMs
Azure Backup supports the backup of Azure VMs whose OS and data disks are encrypted with Azure Disk Encryption (ADE), so an ADE-protected VM can be protected in a Recovery Services vault.
Azure Disk Encryption for Windows virtual machines (VMs) uses the BitLocker feature of Windows to provide full disk encryption of the OS disk and data disks.
Azure Disk Encryption for Linux VMs uses the DM-Crypt feature of Linux to provide volume encryption of the OS and data disks.
Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. The key vault and the VMs must reside in the same Azure region and subscription.
Option A is incorrect: ADE is not available on Basic-tier VM sizes.
References:
Back up and restore encrypted Azure VMs - Azure Backup | Microsoft Docs
Azure Disk Encryption scenarios on Windows VMs - Azure Virtual Machines | Microsoft Docs
Enable Azure Disk Encryption for Windows VMs - Azure Virtual Machines | Microsoft Docs
Enable Azure Disk Encryption for Linux VMs - Azure Virtual Machines | Microsoft Docs
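To make the Key Vault dependency and the region/subscription constraint concrete, here is an added example (not from the WhizLabs material) that enables ADE on an existing VM with the Az PowerShell module. The resource group, VM and vault names are placeholders; the script refuses Basic-tier sizes and a vault in a different region before calling the encryption extension.

```powershell
# Added example (not from the WhizLabs material): enable Azure Disk Encryption on an
# existing VM with the Az PowerShell module. Resource names are placeholders.
$rg     = 'rg-whizlabs'       # placeholder resource group
$vmName = 'whizlabvm1'        # placeholder VM name
$kvName = 'kv-whizlabs-ade'   # placeholder Key Vault name (must be globally unique)

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# ADE is not available on Basic-tier sizes, so refuse early instead of failing mid-way.
if ($vm.HardwareProfile.VmSize -like 'Basic_*') {
    throw "ADE does not support Basic-tier VM sizes ($($vm.HardwareProfile.VmSize))."
}

# Create (or reuse) a Key Vault in the same region and subscription as the VM, enabled
# for disk encryption so the VM can store its BitLocker/DM-Crypt secrets in it.
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $kv) {
    $kv = New-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -Location $vm.Location -EnabledForDiskEncryption
} elseif ($kv.Location -ne $vm.Location) {
    throw "Key Vault $kvName is in $($kv.Location) but the VM is in $($vm.Location); they must match."
}

# Encrypt OS and data volumes. Azure uses BitLocker on Windows and DM-Crypt on Linux.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -VolumeType 'All' -Force

# Verify: OsVolumeEncrypted and DataVolumesEncrypted should both report Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Enabling the extension restarts the VM, so run it in a maintenance window; `-Force` only suppresses the confirmation prompt. Because the vault was created in the VM's own region and subscription, the check the explanation describes is satisfied by construction.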
Question 27
Domain: Deploy and manage Azure compute resources
A company has the following resources defined as part of its Azure subscription. (see image)
Currently, the whizlabvm1 virtual machine resides in the whizlabnetwork1 virtual network.
You need to ensure that the virtual machine resides in the whizlabnetwork2 virtual network.
You decide to create a new network interface and then add the network interface to the whizlabvm1 virtual machine. Would this fulfill the requirement?
A. Yes
B. No
No
A virtual machine can only be attached to a virtual network in the same region, and that is not the case here: the virtual machine is in the West US region while the whizlabnetwork2 virtual network is in the East Asia region.
Even within one region, adding a second network interface would not help, because all network interfaces of a VM must belong to the same virtual network. Changing the virtual network of an existing VM means recreating the VM on its existing disks with a network interface in the target network. For more information on virtual networks and virtual machines, please visit the following URL-
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
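The explanation above says a new NIC cannot move the VM; what actually moves a VM between virtual networks is recreating it on its existing managed disks. The script below is an added example (not from the WhizLabs material) that performs the region check, then the rebuild, using the Az PowerShell module. whizlabvm1 and whizlabnetwork2 come from the question; the resource group name is a placeholder, and the VM and VNet are assumed to be in the same region for the rebuild to proceed.

```powershell
# Added example (not from the WhizLabs material): move a VM into a different virtual
# network. A VM's NICs must all live in one VNet, so the VM is recreated on its existing
# managed disks with a NIC in the target VNet. The resource group is a placeholder.
$rg     = 'rg-whizlabs'      # placeholder resource group
$vmName = 'whizlabvm1'
$target = 'whizlabnetwork2'

$vm   = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $target

# Check 1: a VM can only attach to a VNet in its own region (the situation in Q27).
if ($vm.Location -ne $vnet.Location) {
    throw "$vmName is in $($vm.Location) but $target is in $($vnet.Location); redeploy the VM in $($vnet.Location) instead."
}

# Check 2: nothing to do if the current NIC already sits in the target VNet.
$nic0 = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
if ($nic0.IpConfigurations[0].Subnet.Id -like "$($vnet.Id)/*") {
    Write-Output "$vmName is already in $target."
    return
}

# Check 3: Remove-AzVM keeps managed disks unless their deleteOption is Delete.
if ($vm.StorageProfile.OsDisk.DeleteOption -eq 'Delete') {
    throw 'OS disk deleteOption is Delete; change it to Detach before removing the VM.'
}

# Capture what the rebuild needs, then delete the VM object (disks survive).
$osDiskName = $vm.StorageProfile.OsDisk.Name
$osDiskId   = $vm.StorageProfile.OsDisk.ManagedDisk.Id
$isWindows  = $vm.StorageProfile.OsDisk.OsType -eq 'Windows'
$dataDisks  = $vm.StorageProfile.DataDisks
$vmSize     = $vm.HardwareProfile.VmSize
Remove-AzVM -ResourceGroupName $rg -Name $vmName -Force

# New NIC in the first subnet of the target VNet.
$nic = New-AzNetworkInterface -Name "$vmName-nic-$target" -ResourceGroupName $rg `
    -Location $vnet.Location -SubnetId $vnet.Subnets[0].Id

# Rebuild from the surviving OS disk and reattach data disks at their original LUNs.
$cfg = New-AzVMConfig -VMName $vmName -VMSize $vmSize
if ($isWindows) {
    $cfg = Set-AzVMOSDisk -VM $cfg -Name $osDiskName -ManagedDiskId $osDiskId -CreateOption Attach -Windows
} else {
    $cfg = Set-AzVMOSDisk -VM $cfg -Name $osDiskName -ManagedDiskId $osDiskId -CreateOption Attach -Linux
}
foreach ($d in $dataDisks) {
    $cfg = Add-AzVMDataDisk -VM $cfg -Name $d.Name -ManagedDiskId $d.ManagedDisk.Id -Lun $d.Lun -CreateOption Attach
}
$cfg = Add-AzVMNetworkInterface -VM $cfg -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $vnet.Location -VM $cfg
```

The VM's resource ID changes when it is recreated, so anything bound to it (backup policies, role assignments on the VM, diagnostic settings, a managed identity) has to be reapplied afterwards, and the old NIC in whizlabnetwork1 is left behind for you to delete once the new VM is verified.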
Question 30
Domain: Implement and manage virtual networking
Your company has the following resources deployed to Azure. (See image1)
You install a DNS service on the virtual machine whizlabvm1.
The DNS server settings are then configured for each virtual network, as shown below. (see image2)
You have to ensure that all virtual machines can resolve DNS names by using the DNS service on the virtual machine whizlabvm1. Which of the following would you implement for this requirement?
A. Add service endpoints for the virtual network whizlabnetwork2 and whizlabnetwork3.
B. Add a service endpoint for the virtual network whizlabnetwork1.
C. Configure a conditional forwarder for the whizlabvm1 virtual machine.
D. Configure virtual network peering connections between all virtual networks.
D. Configure virtual network peering connections between all virtual networks.
Virtual networks are isolated from each other by default, so VMs in whizlabnetwork2 and whizlabnetwork3 cannot reach UDP/TCP port 53 on whizlabvm1 even though their networks name it as the DNS server. Virtual network peering connects the address spaces and makes that traffic possible (any NSG on the subnet or NIC of whizlabvm1 must also allow port 53 from the peered address ranges).
Options A and B are incorrect since service endpoints are used to connect a virtual network securely to Azure platform services such as Storage or SQL, not to other virtual networks.
Option C is incorrect since a conditional forwarder on whizlabvm1 only changes where that server forwards queries for particular domains; it does not give the other networks a path to whizlabvm1. For more information on virtual network peering connections, please visit the following URL-
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
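As an added example (not from the WhizLabs material), the script below creates the peerings the answer calls for with the Az PowerShell module and then verifies both halves of the requirement: each peering reports Connected and each network lists the DNS server on whizlabvm1. The VNet names come from the question; the resource group and the private IP of whizlabvm1 are placeholders.

```powershell
# Added example (not from the WhizLabs material): peer whizlabnetwork2 and whizlabnetwork3
# with whizlabnetwork1 so their VMs can reach the DNS service on whizlabvm1, then verify
# peering state and the custom DNS setting. Resource group and DNS IP are placeholders.
$rg     = 'rg-whizlabs'        # placeholder resource group
$dnsIp  = '10.0.0.4'           # placeholder: private IP of whizlabvm1
$hub    = 'whizlabnetwork1'
$spokes = 'whizlabnetwork2', 'whizlabnetwork3'

function Add-OneWayPeering {
    param($Source, $Remote)
    # Idempotent: skip the call if this direction already exists.
    $name = "$($Source.Name)-to-$($Remote.Name)"
    $existing = Get-AzVirtualNetworkPeering -VirtualNetworkName $Source.Name -ResourceGroupName $rg `
        -Name $name -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-AzVirtualNetworkPeering -Name $name -VirtualNetwork $Source -RemoteVirtualNetworkId $Remote.Id | Out-Null
    }
}

$hubVnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $hub
foreach ($spokeName in $spokes) {
    $spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $spokeName
    # A peering is a pair of one-way links; PeeringState only becomes Connected once both exist.
    Add-OneWayPeering -Source $hubVnet -Remote $spoke
    Add-OneWayPeering -Source $spoke   -Remote $hubVnet
}

# Verify: every network should show Connected peerings and the custom DNS server.
foreach ($name in @($hub) + $spokes) {
    $v      = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $name
    $states = ($v.VirtualNetworkPeerings | ForEach-Object { "$($_.Name)=$($_.PeeringState)" }) -join ', '
    $dnsOk  = $v.DhcpOptions.DnsServers -contains $dnsIp
    '{0}: peerings [{1}]; DNS server {2} configured: {3}' -f $name, $states, $dnsIp, $dnsOk
}
```

Peering is not transitive, so this hub-and-spoke layout is enough for DNS but the two spokes still cannot talk to each other; add a whizlabnetwork2/whizlabnetwork3 pair if that is required. The peering call fails if the address spaces overlap, and VMs only pick up a changed DNS setting after a DHCP lease renewal or restart, so check both before concluding that name resolution is broken.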