Practice Assessment for Exam AZ-104: Microsoft Azure Administrator Flashcards

1
Q

You have an Azure subscription.

You plan to create a storage account named storage1.

You need to ensure that storage1 provides POSIX-compliant access control lists (ACLs).

Which option should you configure when creating storage1?
Select only one answer.

A. hierarchical namespace
B. access tier
C. version-level immutable support
D. SFTP

A

A. hierarchical namespace

Explanation:
To enable POSIX-compliant access control lists (ACLs), the hierarchical namespace must be used. The remaining options are valid for a storage account, but do not provide the POSIX-compliant feature.

2
Q

You need to generate the shared access signature (SAS) token required to authorize a request to a resource.

Which two parameters are required for the SAS token? Each correct answer presents part of the solution.
Select all answers that apply.

A. SignedStart (st)
B. SignedIP (sip)
C. SignedServices (ss)
D. SignedResourceTypes (srt)

A

C. SignedServices (ss)
D. SignedResourceTypes (srt)

Explanation:

SignedServices (ss) is required to refer to blobs, queues, tables, and files. SignedResourceTypes (srt) is required to refer to services, containers, or objects. SignedStart (st) is an optional parameter that refers to the time when the SAS becomes valid. If unmentioned, the start time is assumed to be the time when the storage service receives the request. SignedIP (sip) is an optional parameter that refers to the range of IP addresses from which to accept requests.

Create an account SAS - Azure Storage | Microsoft Learn

Configure Azure Storage security - Training | Microsoft Learn

3
Q

You need to create an Azure Storage account that meets the following requirements:

Stores data in a minimum of two availability zones
Provides high availability

Which type of storage redundancy should you use?
Select only one answer.

A. geo-redundant storage (GRS)
B. read-access geo-redundant storage (RA-GRS)
C. zone-redundant storage (ZRS)
D. locally-redundant storage (LRS)

A

C. zone-redundant storage (ZRS)

Explanation:

Zone-redundant storage (ZRS) replicates a storage account synchronously across three Azure availability zones in the primary region. For ensuring high availability, Microsoft recommends using ZRS in the primary region and also replicating to a secondary region.

Data redundancy - Azure Storage | Microsoft Learn

Determine replication strategies - Training | Microsoft Learn

4
Q

You have an Azure Storage account named corpimages and an on-premises shared folder named \server1\images.

You need to migrate all the contents from \server1\images to corpimages.

Which two commands can you use? Each correct answer presents a complete solution.
Select all answers that apply.

A. Azcopy copy \server1\images https://corpimages.blog.core.windows.net/public -recursive
B. Azcopy sync \server1\images https://corpimages.blog.core.windows.net/public -recursive
C. Set-AzStorageBlobContent -Container "ContosoUpload" -File "\server1\images" -Blob "corporateimages"
D. Get-ChildItem -Path \server1\images -Recurse | Set-AzStorageBlobContent -Container "corpimages"

A

A. Azcopy copy \server1\images https://corpimages.blog.core.windows.net/public -recursive

D. Get-ChildItem -Path \server1\images -Recurse | Set-AzStorageBlobContent -Container "corpimages"

Explanation:

The AzCopy command allows you to copy all files to a storage account. You then use Get-ChildItem with the path parameter, recurse to select everything, and then use the Set-AzureStorageBlobContent cmdlet.

Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn

Set-AzureStorageBlobContent (Azure.Storage) | Microsoft Learn

Configure Azure Storage with tools - Training | Microsoft Learn

5
Q

You have an Azure subscription that contains the following StorageV2 (general purpose v2) storage accounts:

store1 is a Premium account that uses geo-redundant storage (GRS) redundancy.
store2 is a Standard account that uses locally-redundant storage (LRS) redundancy.
store3 is a Premium account that uses read-access geo-redundant storage (RA-GRS) redundancy.
store4 is a Premium account that uses RA-GRS redundancy.

You need to identify which storage account can be converted to zone-redundant replication (ZRS) for live migration.

Which storage account should you identify?
Select only one answer.

A. store1
B. store2
C. store3
D. store4

A

B. store2

Explanation:

Only zone-redundant replication (ZRS) supports StorageV2, FileStorage, and BlockBlobStorage accounts. Live migration is not supported for read-access geo-redundant storage (RA-GRS) and only standard storage accounts can be used.

Data redundancy - Azure Storage | Microsoft Learn

Determine replication strategies - Training | Microsoft Learn

6
Q

You plan to configure object replication between two Azure Storage accounts.

The Blob service of the source storage account has the following settings:

Hierarchical namespace: Disabled

Default access tier: Hot

Blob public access: Enabled

Blob soft delete: Enabled (7 days)

Container soft delete: Enabled (7 days)

Versioning: Disabled

Change feed: Enabled

NFS v3: Disabled

Allow cross-tenant replication: Enabled

Which setting should be modified on the source storage account to support object replication?
Select only one answer.

A. Change feed
B. Blob soft delete
C. Hierarchical namespace
D. Versioning

A
7
Q

You have an Azure AD tenant named contoso.com. Azure AD Connect is configured to import users to the tenant.

You need to assign licenses to the users based on Azure AD attributes. The attribute values will be set by the HR department.

Which two actions should you perform? Each correct answer presents part of the solution.
Select all answers that apply.

A. Create dynamic groups.
B. Assign the licenses to the dynamic groups.
C. Create security groups.
D. Assign the licenses to the security groups.
E. Create an automatic assignment policy.

A

A. Create dynamic groups.
B. Assign the licenses to the dynamic groups.

Explanation:

To assign licenses to users based on Azure AD attributes, you must create a dynamic security group and configure rules based on custom attributes. The dynamic group must be added to a license group for automatic synchronization. All users in the groups will get the license automatically. Azure AD evaluates the users in the organization that are in scope for an assignment policy rule and creates assignments for the users who don’t have assignments to an access package; automatic assignment policies are not used for licensing.

Assign licenses to a group - Azure Active Directory - Microsoft Entra | Microsoft Learn

Configure user and group accounts - Training | Microsoft Learn

8
Q

You have an Azure AD tenant that uses Azure AD Connect to sync with an Active Directory Domain Services (AD DS) domain.

You need to ensure that users can reset their AD DS password from the Azure portal. The users must be able to use two methods to reset their password.

Which two actions should you perform? Each correct answer presents part of the solution.
Select all answers that apply.

A. Run Azure AD Connect and select Password writeback.
B. From Password reset in the Azure portal, configure the Authentication methods settings.
C. From Password reset in the Azure portal, configure the Notifications settings.
D. From Password reset in the Azure portal, configure the Registration settings.
E. Run Azure AD Connect and select Device writeback.

A

A. Run Azure AD Connect and select Password writeback.
B. From Password reset in the Azure portal, configure the Authentication methods settings.

Explanation:

You must run the Azure AD Connect Wizard to enable Password writeback. You must configure the authentication option to enable the two methods required to reset a password.

Enable Azure Active Directory password writeback - Microsoft Entra | Microsoft Learn

Implement Azure AD self-service password reset - Training | Microsoft Learn

9
Q

You have an Azure AD tenant.

Your company has several offices in the same region. Each office has a dedicated IT staff.

You need to ensure that the IT staff in each office can manage passwords for their users and administrators.

Which two actions should you perform? Each correct answer presents part of the solution.
Select all answers that apply.

A. From the Azure portal, add administrative units.
B. Assign the Helpdesk administrator role.
C. Assign the Password administrator role
D. From the Azure portal, create a new custom role.

A

A. From the Azure portal, add administrative units.
B. Assign the Helpdesk administrator role.

Explanation:

You must create an administrative unit, and the Helpdesk role assignment allows members to change passwords for both users and other administrators.

Administrative units in Azure Active Directory - Microsoft Entra | Microsoft Learn

Configure user and group accounts - Training | Microsoft Learn

10
Q

You have an Azure subscription that contains multiple users and administrators.

You are creating a new custom role by using the following JSON.

{
  "Name": "Custom Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Custom Role description",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
    "Microsoft.Compute/snapshots/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}

Which three actions can be performed by a user that is assigned the custom role? Each correct answer presents a complete solution.
Select all answers that apply.

A. Read all virtual machine settings.
B. Call Microsoft Support.
C. Create and read a snapshot.
D. Create and delete a snapshot.
E. Create virtual machines.

A

A. Read all virtual machine settings.
B. Call Microsoft Support.
C. Create and read a snapshot.

Explanation:

The role can read all compute resources, call Microsoft support roles, and allow the creation and reading of a snapshot.

Azure custom roles - Azure RBAC | Microsoft Learn

Configure role-based access control - Training | Microsoft Learn

11
Q

You have the following resource groups, management groups, and Azure subscriptions:

Two resource groups named RG1 and RG2 that are associated with a subscription named 111-222-333 and a management group named MG1
Two resource groups named RG3 and RG4 that are associated with a subscription named 777-888-999 and a management group named MG1
Two resource groups named RG5 and RG6 that are associated with a subscription named 444-555-666 and a management group named MG1
Two resource groups named RG10 and RG11 that are associated with a subscription named 222-333-444 and a management group named MG2
Two resource groups named RG11 and RG12 that are associated with a subscription named 555-666-888 and a management group named MG2

You need to assign a role to a user to ensure the user can view all the resources in the subscriptions. The solution must use the principle of least privilege.

Which role should you assign?
Select only one answer.

A. the Reader role for MG1 and MG2
B. the Billing Reader role for MG1 and MG2
C. the Billing Reader role for all the subscriptions
D. the Contributor role for MG1 and MG2

A

A. the Reader role for MG1 and MG2

Explanation:

Assigning the Reader role for MG1 and MG2 is correct because the simplest way to give user access to all resources is to assign a role at the management group level.

Steps to assign an Azure role - Azure RBAC | Microsoft Learn

Configure role-based access control - Training | Microsoft Learn

12
Q

You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine that runs daily reports.

You need to ensure that the virtual machine shuts down when resource group costs exceed 75 percent of the allocated budget.

Which two actions should you perform? Each correct answer presents part of the solution.
Select all answers that apply.

A. From Cost Management + Billing, modify the Budgets settings.
B. Create an action group of type Runbook, and then select Stop VM as an action.
C. Create an action group of type Runbook, and then select Scale Up VM.
D. From Cost Management + Billing, create a new cost analysis.

A

A. From Cost Management + Billing, modify the Budgets settings.
B. Create an action group of type Runbook, and then select Stop VM as an action.

Explanation:

You must go to Cost Management + Billing, and then Budgets to edit the budget associated with the resource group resources. You must also create a new action group of the Runbook type, and then choose Stop VM as an action. The cost analysis will not stop the virtual machine from running and the Scale Up VM action group is not required.

Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft Learn

Configure subscriptions - Training | Microsoft Learn

13
Q

You have an Azure subscription that contains hundreds of virtual machines that were migrated from a local datacenter.

You need to identify which virtual machines are underutilized.

Which Azure Advisor settings should you use?
Select only one answer.

A. Cost
B. Performance
C. High Availability
D. Operational Excellence

A

A. Cost

Explanation:

The Cost blade allows you to optimize and reduce your overall Azure spending. You can use this to identify the virtual machines that are underutilized. The Performance blade allows you to improve the speed of your applications. High availability is unavailable via Azure Advisor. Operational Excellence helps you achieve process and workflow efficiency, resource manageability, and deployment best practices.

Introduction to Azure Advisor - Training | Microsoft Learn

14
Q

You have an Azure subscription that contains 25 virtual machines.

You need to ensure that each virtual machine is associated to a specific department for reporting purposes.

What should you use?
Select only one answer.

A. tags
B. administrative units
C. management groups
D. storage accounts

A

A. tags

Explanation:

Tags are metadata elements that can be applied to Azure resources. Tags can be used for tracking resources such as virtual machines and associating each resource to a department for billing and reporting purposes.

Administrative units are containers used for delegating administrative roles to manage a specific portion of Azure AD. Administrative units cannot contain Azure virtual machines.

Management groups are containers that can be used to manage access, policy, and compliance across multiple Azure subscriptions.

Azure Storage accounts contain Azure Storage data objects, including blobs, file shares, queues, tables, and disks. A storage account cannot contain virtual machines.

Tag resources, resource groups, and subscriptions for logical organization - Azure Resource Manager | Microsoft Learn

Configure virtual machines - Training | Microsoft Learn

15
Q

You have an Azure subscription that contains 200 virtual machines.

You plan to use Azure Advisor to provide cost recommendations when underutilized virtual machines are detected.

You need to ensure that all Azure admins are notified whenever an Advisor alert is generated. The solution must minimize administrative effort.

What should you configure?
Select only one answer.

A. an Azure Automation account
B. an action group
C. an application security group
D. a capacity reservation group

A

B. an action group

Explanation:

Whenever Azure Advisor detects a new recommendation for resources, an event is stored in the Azure Activity log. You can set up alerts for these events from Azure Advisor. You can select a subscription and optionally a resource group to specify the resources for which you want to receive alerts. You also need to create an action group that will contain all the users to be notified.

Create action groups - Training | Microsoft Learn

Create Azure Advisor alerts for new recommendations using Azure portal - Azure Advisor | Microsoft Learn

16
Q

You have an Azure subscription.

You plan to create an Azure Policy definition named Policy1.

You need to include remediation information to indicate when users use Microsoft Defender for Cloud Regulatory and Compliance.

To which definition section should you add remediation information for Policy1?
Select only one answer.

A. metadata
B. parameters
C. policyRule
D. mode

A

A. metadata

Explanation:
You must use the RemediationDescription field in the metadata section from properties to specify a custom recommendation. The remaining options are Azure policies, but do not allow specific custom remediation information.

17
Q

You have an Azure subscription that contains a resource group named RG1. RG1 contains an Azure virtual machine named VM1.

You need to use VM1 as a template to create a new Azure virtual machine.

Which three methods can you use to complete the task? Each correct answer presents a complete solution.
Select all answers that apply.

A. From RG1, select Export template, select Download, and then, from Azure Cloud Shell, run the New-AzResourceGroupDeployment cmdlet.
B. From Azure Cloud Shell, run the Save-AzDeploymentTemplate and New-AzResourceGroupDeployment cmdlets.
C. From VM1, select Export template, and then select Deploy.
D. From Azure Cloud Shell, run the Save-AzDeploymentScriptLog and New-AzResourceGroupDeployment cmdlets.

A

A. From RG1, select Export template, select Download, and then, from Azure Cloud Shell, run the New-AzResourceGroupDeployment cmdlet.
B. From Azure Cloud Shell, run the Save-AzDeploymentTemplate and New-AzResourceGroupDeployment cmdlets.
C. From VM1, select Export template, and then select Deploy.

Explanation:

From RG1, selecting the Download option from the Export template page exports the Azure Resource Manager (ARM) template from the resource group properties. You can then deploy the ARM template by running the New-AzResourceGroupDeployment cmdlet.

By using the Save-AzDeploymentTemplate cmdlet, you can save the resource ARM template. You can then deploy the ARM template by running the New-AzResourceGroupDeployment cmdlet.

From VM1, selecting the Deploy option from the Export template page allows you to deploy a new Azure virtual machine and use the configuration of VM1 as the template.

The Save-AzDeploymentScriptLog cmdlet is used to save the log of a deployment script execution.

The Get-AzVM cmdlet generates a list of virtual machines that are created in the Azure subscription.

Export template in Azure portal - Azure Resource Manager | Microsoft Learn

Export template in Azure PowerShell - Azure Resource Manager | Microsoft Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

18
Q

You have an Azure subscription that contains a resource group named RG1.

You have an Azure Resource Manager (ARM) template for an Azure virtual machine.

You need to use PowerShell to provision a virtual machine in RG1 by using the template.

Which PowerShell cmdlet should you run?
Select only one answer.

A. New-AzVM
B. New-AzManagementGroupDeployment
C. New-AzSubscriptionDeployment
D. New-AzResourceGroupDeployment

A

D. New-AzResourceGroupDeployment

Explanation:

Virtual machines are deployed to resource groups, so you must run the New-AzResourceGroupDeployment cmdlet. You cannot deploy virtual machines to subscriptions or management groups directly; therefore, New-AzManagementGroupDeployment and New-AzSubscriptionDeployment cannot be used. New-AzVM can be used to provision a new virtual machine, but without using a template.

Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn

Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

19
Q

You have an Azure Resource Manager (ARM) template named deploy.json that is stored in an Azure Blob storage container.

You plan to deploy the template by running the New-AzDeployment cmdlet.

Which parameter should you use to reference the template?
Select only one answer.

A. -Tag
B. -Templatefile
C. -TemplateUri
D. -TemplateSpecId

A

C. -TemplateUri

Explanation:

The PowerShell deployment cmdlets can be used to deploy JSON templates that are stored locally, in a resource group as a template spec, or from a web-based location. You can use the -TemplateUri parameter to specify a web-based location, such as GitHub or an Azure Blob Storage account. You can use -Templatefile to specify a local file. You can use -TemplateSpecId to specify a template that was saved to Azure as a template spec.

Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn

Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

20
Q

Your company has a set of resources deployed to an Azure subscription. The resources are deployed to a resource group named app-grp1 by using Azure Resource Manager (ARM) templates.

You need to verify the date and the time that the resources in app-grp1 were created.

Which blade should you review for app-grp1 in the Azure portal?
Select only one answer.

A. Metrics
B. Deployments
C. Policy
D. Diagnostics setting

A

B. Deployments

Explanation:

Navigating to the Diagnostics settings blade provides the ability to diagnose errors or review warnings. Navigating to the Metrics blade provides metrics information (CPU, resources) to users. On the Deployments blade for the resource group (app-grp1), all the details related to a deployment, such as the name, status, date last modified, and duration, are visible. Navigating to the Policy blade only provides information related to the policies enforced on the resource group.

Azure AD deployment checklist - Microsoft Entra | Microsoft Learn

Configure Azure resources with tools - Training | Microsoft Learn

21
Q

You are creating an Azure virtual machine that will run Windows Server.

You need to ensure that VM1 will be part of a virtual machine scale set.

Which setting should you configure during the creation of the virtual machine?
Select only one answer.

A. Azure Spot instance
B. Region
C. Availability options
D. Management

A

C. Availability options

Explanation:
You must configure the virtual machine scale set from the availability options. Azure spot instance is used to add virtual machines with a discounted price. Region will not affect the configuration of the availability options. The management setting allows you to configure the monitoring and management options for the virtual machine.

22
Q

You have an Azure virtual machine.

You receive a notification that the virtual machine is going to be affected by an underlying maintenance activity on the physical infrastructure.

You need to move the virtual machine to a different host to avoid a service interruption.

What should you do?
Select only one answer.

A. Apply an Azure tag.
B. Move the virtual machine to another Azure subscription.
C. Apply an Azure policy.
D. Redeploy the virtual machine

A

D. Redeploy the virtual machine

Explanation:

You must redeploy the virtual machine, which can move the virtual machine to a different host. Azure will shut down the virtual machine and move the virtual machine to a new node within the Azure infrastructure.

Redeploy Windows virtual machines in Azure - Virtual Machines | Microsoft Learn

Configure virtual machines - Training | Microsoft Learn

23
Q

You plan to deploy an Azure virtual machine.

You are evaluating whether to use an Azure Spot instance.

Which two factors can cause an Azure Spot instance to be evicted? Each correct answer presents a complete solution.
Select all answers that apply.

A. the time of day
B. the Azure capacity needs
C. the current price of the instance
D. the average CPU usages of the instance

A

B. the Azure capacity needs
C. the current price of the instance

Explanation:

Azure Spot instances allow you to provision virtual machines at a reduced cost, but these virtual machines can be stopped by Azure when Azure needs the capacity for other pay-as-you-go workloads, or when the price of the spot instance exceeds the maximum price that you have set. These virtual machines are good for dev, testing, or for workloads that do not require any specific SLA.

Use Azure Spot Virtual Machines - Azure Virtual Machines | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

24
Q

Your company has an Azure subscription and an Azure AD tenant.

You need to limit access to the Kubernetes API server.

Which two components should you use? Each correct answer presents a complete solution.
Select all answers that apply.

A. API server authorized IP ranges
B. a public cluster
C. a private cluster
D. Azure tags

A
25
Q

You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1. The autoscaling feature is enabled.

You need to configure the minimum and maximum node counts for AKS1.

Which cmdlet should you run?
Select only one answer.

A. Set-AzAksCluster
B. Start-AzAksCluster
C. Update-AzAksNodePool
D. Set-AzAksClusterCredential

A

A. Set-AzAksCluster

Explanation:

Set-AzAksCluster: Configures minimum and maximum node values for AKS autoscaling

Start-AzAksCluster: Starts a stopped managed cluster

Update-AzAksNodePool: Updates a node pool in a managed cluster

Set-AzAksClusterCredential: Resets the service principal of an existing AKS cluster

Use the cluster autoscaler in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Learn

Set-AzAksCluster (Az.Aks) | Microsoft Learn

Configure Azure Kubernetes Service - Training | Microsoft Learn

26
Q

You have an Azure subscription that contains multiple resource groups and Azure App Service web apps. A resource group named RG1 hosts a web app named appservice1. The App Service uses an imported SSL certificate.

You create a resource group named RG2.

You plan to move all the resources in RG1 to RG2.

Which two actions should you perform? Each correct answer presents part of the solution.
Select all answers that apply.

A. Delete the SSL Certificate from RG1 and upload it to RG2.
B. Move all the resources from RG1 to RG2.
C. Create a new App Service plan in RG2.
D. Create a new web app in RG2.

A

A. Delete the SSL Certificate from RG1 and upload it to RG2.
B. Move all the resources from RG1 to RG2.

Explanation:

The SSL certificate must be deleted. You cannot move the load balancer and it must be removed before you move the resources. You will have to move all other resources to RG2.

Move Azure App Service resources across resource groups or subscriptions - Azure Resource Manager | Microsoft Learn

Configure Azure App Service - Training | Microsoft Learn

27
Q

You have an Azure subscription.

You plan to deploy a web app to a Linux-based Docker container.

You need to recommend a solution for the deployment of the web app that meets the following requirements:

Supports a custom domain name
Provides the ability to scale out automatically based on demand.
Minimizes administrative effort
Minimizes costs

Which solution should you recommend?
Select only one answer.

A. Azure Virtual Machine Scale Sets
B. Azure App Service
C. Azure Container Instances
D. Azure Kubernetes Service (AKS)

A

B. Azure App Service

Explanation:
Azure App Service fulfills all the stated requirements. Azure Virtual Machine Scale Sets, Azure Kubernetes Service (AKS), and Azure Container Instances are more difficult to administer and more costly.

28
Q

You have an Azure virtual network named VNet1.

You deploy an Azure App Service web app named WebApp1.

You need to ensure that you can access WebApp1 by using an IP address from VNet1.

What should you do?
Select only one answer.

A. Add a peering to VNet1.
B. Deploy Azure Bastion to VNet1.
C. Add VNet integration to WebApp1.
D. Add a private endpoint connection to WebApp1.

A

D. Add a private endpoint connection to WebApp1.

Explanation:

A private endpoint connection will expose a web app on a virtual network and provide the web app with an IP address on the virtual network. The web app can then be accessed through the virtual network instead of using the public endpoint.

VNet integration provides web app outbound access to a virtual network. Azure Bastion provides administrative RDP/SSH access to virtual machines through the Azure portal. Peering provides connections between virtual networks.

Connect privately to an Azure Web App using Private Endpoint | Microsoft Learn

Host a web application with Azure App Service - Training | Microsoft Learn

29
Q

You have an Azure AD tenant named contoso.com. Azure AD Connect is configured to import users to the tenant.

You need to assign licenses to the users based on Azure AD attributes. The attribute values will be set by the HR department.

Which two actions should you perform? Each correct answer presents part of the solution.
Select all answers that apply.

A. Create dynamic groups.
B. Assign the licenses to the dynamic groups.
C. Create security groups.
D. Assign the licenses to the security groups.
E. Create an automatic assignment policy.

A

A. Create dynamic groups.
B. Assign the licenses to the dynamic groups.

Explanation:

To assign licenses to users based on Azure AD attributes, you must create a dynamic security group and configure rules based on custom attributes. The dynamic group must be added to a license group for automatic synchronization. All users in the groups will get the license automatically. Azure AD evaluates the users in the organization that are in scope for an assignment policy rule and creates assignments for the users who don’t have assignments to an access package; automatic assignment policies are not used for licensing.

Assign licenses to a group - Azure Active Directory - Microsoft Entra | Microsoft Learn

Configure user and group accounts - Training | Microsoft Learn

30
Q

You have an Azure AD tenant.

You need to prevent users from registering custom applications in the tenant.

What should you do in Azure AD?
Select only one answer.

A. From Users setting, configure the App registrations settings.
B. From Registrations, run Troubleshooting.
C. From Enterprise applications, configure the Users settings.
D. Configure the External Identities settings.

A

A. From Users setting, configure the App registrations settings.

Explanation:

You must configure User settings to block custom app registrations in Azure. App registration troubleshooting, configuring external identities, and the Enterprise application Users settings will not disable custom app registrations.

Quickstart: Register an app in the Microsoft identity platform - Microsoft Entra | Microsoft Learn

Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn

31
Q

Your Azure AD tenant and on-premises Active Directory domain contain multiple users.

You need to configure self-service password reset (SSPR) password writeback functionality. The solution must minimize costs.

Which Azure AD edition should you use?
Select only one answer.

A. Azure AD Free
B. Azure AD Premium P1
C. Azure AD Premium P2

A

B. Azure AD Premium P1

Explanation:
Only Azure AD Premium P1 and P2 support SSPR, but Azure AD Premium P1 is the lower cost option.

32
Q

You have an Azure subscription that contains multiple users and administrators.

You are creating a new custom role by using the following JSON.

{
  "Name": "Custom Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Custom Role description",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
    "Microsoft.Compute/snapshots/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}

Which three actions can be performed by a user that is assigned the custom role? Each correct answer presents a complete solution.
Select all answers that apply.

  1. Read all virtual machine settings.
  2. Call Microsoft Support.
  3. Create and read a snapshot.
  4. Create and delete a snapshot.
  5. Create virtual machines.

A

  1. Read all virtual machine settings.
  2. Call Microsoft Support.
  3. Create and read a snapshot.

Explanation:

The role allows reading all compute resources, calling Microsoft Support, and creating and reading snapshots.

Azure custom roles - Azure RBAC | Microsoft Learn

Configure role-based access control - Training | Microsoft Learn

33
Q

You have an Azure subscription that contains multiple virtual machines.

You need to ensure that a user named User1 can view all the resources in a resource group named RG1. You must use the principle of least privilege.

Which role should you assign to User1?
Select only one answer.

A. Contributor
B. Billing Reader
C. Tag Contributor
D. Reader

A

D. Reader

Explanation:

The Reader role allows you to view all the resources but does not allow you to make any changes. The Contributor role allows you to manage all the resources, the Billing Reader role provides read access only to billing data, and the Tag Contributor role allows you to manage entity tags without providing access to the entities themselves.

Azure built-in roles - Azure RBAC | Microsoft Learn

Configure role-based access control - Training | Microsoft Learn

34
Q

You have an Azure subscription that contains hundreds of virtual machines that were migrated from a local datacenter.

You need to identify which virtual machines are underutilized.

Which Azure Advisor settings should you use?
Select only one answer.

A. Cost
B. Performance
C. High Availability
D. Operational Excellence

A

A. Cost

Explanation:
The Cost blade allows you to optimize and reduce your overall Azure spending. You can use this to identify the virtual machines that are underutilized. The Performance blade allows you to improve the speed of your applications. High availability is unavailable via Azure Advisor. Operational Excellence helps you achieve process and workflow efficiency, resource manageability, and deployment best practices.

35
Q

You have several management groups and Azure subscriptions.

You want to prevent the accidental deletion of resources.

To which three resource types can you apply delete locks? Each correct answer presents a complete solution.
Select all answers that apply.

A. subscriptions
B. storage account data
C. virtual machines
D. management groups
E. resource groups

A

A. subscriptions
C. virtual machines
E. resource groups

Explanation:
You can use delete locks to block the deletion of virtual machines, subscriptions, and resource groups. You cannot use delete locks on management groups or storage account data.

36
Q

You have an Azure subscription that contains 25 virtual machines.

You need to ensure that each virtual machine is associated to a specific department for reporting purposes.

What should you use?
Select only one answer.

A. tags
B. administrative units
C. management groups
D. storage accounts

A

A. tags

Explanation:

Tags are metadata elements that can be applied to Azure resources. Tags can be used for tracking resources such as virtual machines and associating each resource to a department for billing and reporting purposes.

Administrative units are containers used for delegating administrative roles to manage a specific portion of Azure AD. Administrative units cannot contain Azure virtual machines.

Management groups are containers that can be used to manage access, policy, and compliance across multiple Azure subscriptions.

Azure Storage accounts contain Azure Storage data objects, including blobs, file shares, queues, tables, and disks. A storage account cannot contain virtual machines.

Tag resources, resource groups, and subscriptions for logical organization - Azure Resource Manager | Microsoft Learn

Configure virtual machines - Training | Microsoft Learn

37
Q

You have an Azure subscription that contains 200 virtual machines.

You plan to use Azure Advisor to provide cost recommendations when underutilized virtual machines are detected.

You need to ensure that all Azure admins are notified whenever an Advisor alert is generated. The solution must minimize administrative effort.

What should you configure?
Select only one answer.

A. an Azure Automation account
B. an action group
C. an application security group
D. a capacity reservation group

A

B. an action group

Explanation:

Whenever Azure Advisor detects a new recommendation for resources, an event is stored in the Azure Activity log. You can set up alerts for these events from Azure Advisor. You can select a subscription and optionally a resource group to specify the resources for which you want to receive alerts. You also need to create an action group that will contain all the users to be notified.

Create action groups - Training | Microsoft Learn

Create Azure Advisor alerts for new recommendations using Azure portal - Azure Advisor | Microsoft Learn

38
Q

You have an Azure subscription.

You plan to create an Azure Policy definition named Policy1.

You need to include remediation information to indicate when users use Microsoft Defender for Cloud Regulatory and Compliance.

To which definition section should you add remediation information for Policy1?
Select only one answer.

A. metadata
B. parameters
C. policyRule
D. mode

A

A. metadata

Explanation:

You must use the RemediationDescription field in the metadata section from properties to specify a custom recommendation. The remaining options are Azure policies, but do not allow specific custom remediation information.

Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn

Configure Azure Policy - Training | Microsoft Learn

39
Q

You need to create Azure alerts based on metric values and activity log events.

The solution must meet the following requirements:

Set a limit on how many times an alert notification is sent.

Call an Azure function when an alert is triggered.

Configure the alert to have a severity of warning when triggered.

Which two resources should you create? Each correct answer presents part of the solution.
Select all answers that apply.

A. a notification
B. an action group
C. a secure webhook
D. an alert rule

A

B. an action group
D. an alert rule

Explanation:

You must create an action group to set up an action and create an alert rule to set the severity of the errors. A notification is only used to send email and you do not need to call a webhook.

Manage action groups in the Azure portal - Azure Monitor | Microsoft Learn

Configure Azure alerts - Training | Microsoft Learn

40
Q

You have an Azure virtual machine that hosts a third-party application named App1.

Users report that they experience performance issues when they use the application.

You need to find the root cause of the performance issue.

What should you use?
Select only one answer.

A. Azure Monitor
B. activity logs
C. Azure Advisor
D. Azure Cost

A

A. Azure Monitor

Explanation:

Azure Monitor stores metrics in a time-series database that is optimized for analyzing time-stamped data. Activity logs detect and address issues proactively, before users notice them. Azure Advisor analyzes configuration and usage metrics but does not provide time-lapsed data. Azure Cost only helps to optimize and reduce overall Azure spending.

Overview of Azure Monitor Alerts - Azure Monitor | Microsoft Learn

Configure Azure alerts - Training | Microsoft Learn

41
Q

You have 100 virtual machines deployed to Azure. You have Azure Monitor alerts configured for CPU and memory utilization for the virtual machines.

You open Azure Monitor alerts and discover 50 closed alerts for the virtual machines.

What can cause the alert state to be Closed?
Select only one answer.

A. The alerts are older than 60 days.
B. The conditions that caused the alerts are no longer present.
C. An administrator manually changed the state of the alerts.
D. The alert rule contains an action group that remediates the alert conditions.

A

C. An administrator manually changed the state of the alerts.

Explanation:

The alert state is manually set by the user and does not have any automated logic behind it. The alert state can be either New, Acknowledged, or Closed.

Manage Azure Monitor alerts - Training | Microsoft Learn

Configure Azure alerts - Training | Microsoft Learn

42
Q

You have multiple Azure virtual machines and an Azure Recovery Services vault. Virtual machines are configured with the default backup policy.

What is the retention period of virtual machine backups in the default backup policy?
Select only one answer.

A. 7 days
B. 14 days
C. 30 days
D. 90 days

A

C. 30 days

Explanation:

By default, backups of virtual machines are kept for 30 days.

Back up an Azure VM from the VM settings - Azure Backup | Microsoft Learn

Configure virtual machine backups - Training | Microsoft Learn

43
Q

You have an Azure subscription that contains two protected virtual machines named VM1 and VM2. VM1 and VM2 are backed up to a Recovery Services vault named Vault1 by using the same backup policy.

Your company plans to create additional virtual machines and Recovery Services vaults. During this process, Vault1 will be decommissioned.

You need to delete Vault1.

Which three actions should you perform before you can delete Vault1? Each correct answer presents part of the solution.
Select all answers that apply.

  1. Stop the backup of VM1 and VM2.
  2. Disable the soft delete feature and delete all data.
  3. Permanently remove any items in the soft delete state.
  4. Delete VM1 and VM2.
  5. Enable a Read lock on Vault1.

A

  1. Stop the backup of VM1 and VM2.
  2. Disable the soft delete feature and delete all data.
  3. Permanently remove any items in the soft delete state.

Explanation:

You must stop the backups so that you can prepare to move to the new policy. The soft delete feature is enabled by default, so it must be disabled. You must remove all the items that are in the soft delete state. Deleting the virtual machines is not required. You cannot delete the policy without deleting the vault and backup, and a new policy is not required.

Overview of Recovery Services vaults - Azure Backup | Microsoft Learn

Delete a Microsoft Azure Recovery Services vault - Azure Backup | Microsoft Learn

Configure virtual machine backups - Training | Microsoft Learn

44
Q

You plan to create an alert in Azure Monitor that will have an action group to send SMS messages.

What is the maximum number of SMS messages that will be sent every hour if the alert gets triggered every minute?
Select only one answer.

A. 4
B. 6
C. 12
D. 60

A

C. 12

Explanation:

A maximum of one SMS message can be sent every five minutes. Therefore, a maximum of 12 messages will be sent per hour.

Rate limiting for SMS, emails, push notifications - Azure Monitor | Microsoft Learn

Configure Azure alerts - Training | Microsoft Learn

45
Q

You have an Azure subscription.

You plan to implement four Azure virtual networks that will be peered. All virtual machines will use a DNS suffix of contoso.com.

You need to configure name resolution for the virtual networks to ensure that all the virtual machines can communicate by using their FQDNs. The solution must minimize administrative effort.

What should you use?
Select only one answer.

A. a DNS server on an Azure virtual machine
B. Azure-provided name resolution
C. an Azure Private DNS zone
D. an Azure public DNS zone

A

C. an Azure Private DNS zone

Explanation:

Azure Private DNS allows for private name resolution between Azure virtual networks. Azure public DNS provides DNS for public access, such as name resolution for a publicly accessible website. Azure-provided name resolution does not support user-defined domain names and only supports a single virtual network. A DNS server on a virtual machine can also be used to achieve the goal but involves much more administrative effort to implement and maintain than using Azure Private DNS.

Name resolution for resources in Azure virtual networks | Microsoft Learn

Host your domain on Azure DNS - Training | Microsoft Learn

46
Q

You have an Azure subscription that contains an Azure DNS zone named contoso.com.

You add a new subdomain named test.contoso.com.

You plan to delegate test.contoso.com to a different DNS server.

How should you configure the domain delegation?
Select only one answer.

A. Add an NS record set named test to the contoso.com zone.
B. Create the SOA record for test.contoso.com.
C. Add an A record for test.contoso.com.
D. Modify the A record for contoso.com.

A

A. Add an NS record set named test to the contoso.com zone.

Explanation:

You must create a DNS NS record set named test in the contoso.com zone. An NS zone must be created at the apex of the zone named contoso.com. You do not need to create the SOA record set in test.contoso.com. It must only be created in contoso.com. You do not need to create or modify the DNS A record.

Delegate a subdomain - Azure DNS | Microsoft Learn

Host your domain on Azure DNS - Training | Microsoft Learn

47
Q

You have an Azure subscription that contains network security groups (NSGs).

Which two resources can be associated with a NSG? Each correct answer presents a complete solution.
Select all answers that apply.

A. network interfaces
B. subnets
C. Azure Network Watcher
D. Azure Monitor

A

A. network interfaces
B. subnets

Explanation:

You can assign a network security group (NSG) to a network interface. NSGs can be associated with subnets or individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the access control list (ACL) rules apply to all virtual machine instances of that subnet.

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

48
Q

You have an Azure subscription that contains two resource groups named RG1 and RG2.

RG1 contains the following resources:

A virtual network named VNet1 located in the East US Azure region
A network security group (NSG) named NSG1 located in the West US Azure region

RG2 contains the following resources:

A virtual network named VNet2 located in the East US Azure region
A virtual network named VNet3 located in the West US Azure region

You need to apply NSG1.

To which subnets can you apply NSG1?
Select only one answer.

A. the subnets of VNet1 only
B. the subnets of VNet3 only
C. the subnets of all the virtual networks
D. the subnets of VNet1 and VNet2

A
49
Q

You have an Azure subscription that contains a network security group (NSG) named NSG1.

You plan to configure NSG1 to allow the following types of traffic:

Remote Desktop Management
Secured HTTPS

Which two ports should you allow in NSG1? Each correct answer presents part of the solution.
Select all answers that apply.

A. 80
B. 25
C. 443
D. 587
E. 3389

A

C. 443
E. 3389

Explanation:

You must open port 443 to secured HTTPS traffic, port 3389 for Remote Desktop, and 587 to send outbound email by using authenticated SMTP relay. Port 80 is used for unsecured traffic. Port 25 is used by mail traffic.

Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

50
Q

You have an Azure virtual network that contains four subnets. Each subnet contains 10 virtual machines.

You plan to configure a network security group (NSG) that will allow inbound traffic over TCP port 8080 to two virtual machines on each subnet. The NSG will be associated to each subnet.

You need to recommend a solution to configure the inbound access by using the fewest number of NSG rules possible.

What should you use as the destination in the NSG?
Select only one answer.

A. an application security group
B. the subnets of the virtual machines
C. a service tag

A

A. an application security group

Explanation:

Application security groups allow you to group together the network interfaces from multiple virtual machines, and then use the group as the source or destination in an NSG rule. The network interfaces must be in the same virtual network.

You can use the IP address of each virtual machine as the destination, but you must create a rule for each virtual machine.

Using the subnets will require four rules and will also allow traffic to all the virtual machines on those subnets.

Service tags are for specific Azure services, such as Azure App Service or Azure Backup.

Azure application security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

51
Q

You have a virtual machine named VM1 that is assigned to a network security group (NSG) named NSG1.

NSG1 has the following outbound security rules:

Rule1:

Priority: 900
Name: BlockInternet
Port: 80
Protocol: TCP
Source: Any
Destination: Any
Action: Block

Rule2:

Priority: 1000
Name: AllowInternet
Port: 80
Protocol: TCP
Source: Any
Destination: Any
Action: Allow

You need to ensure that internet access to VM1 on port 80 is allowed.

What should you do?
Select only one answer.

A. Change the priority of Rule2.
B. Change the name of Rule1.
C. Change the action of Rule2.
D. Change the source of Rule2.

A

A. Change the priority of Rule2.

Explanation:

Rule1 has higher priority, so the action will be blocked. You can increase the priority of Rule2, decrease the priority of Rule1, or change the action of Rule1 to achieve the goal.

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

52
Q

You create several Azure virtual machines that run Windows Server.

You need to connect to the virtual machines without exposing RDP ports over the internet.

Which Azure service should you deploy?
Select only one answer.

A. Azure Front Door
B. Azure Network Watcher
C. Azure Bastion
D. Azure Virtual Desktop

A

C. Azure Bastion

Explanation:

Azure Bastion is a service that lets you connect to a virtual machine by using a browser, without exposing RDP and SSH ports. Azure Monitor helps you maximize the availability and performance of applications and services. Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Remote Desktop is a feature of the operating system, which exposes the RDP port to connect to a server from the internet.

About Azure Bastion | Microsoft Learn

Configure virtual networks - Training | Microsoft Learn

53
Q

You have three network security groups (NSGs) named NSG1, NSG2, and NSG3. Port 80 is blocked in NSG3 and allowed in NSG1 and NSG2.

You have four Azure virtual machines that have the following configurations:

VM1:

Subnet: Subnet1
Network card: NIC1
NIC1 is assigned to NSG2.

VM2:

Subnet: Subnet1
Network card: NIC2
NIC2 is assigned to NSG3.

VM3:

Subnet: Subnet3
Network card: NIC3
NIC3 is assigned to NSG3.

VM4:

Subnet: Subnet2

You have the following subnets:

Subnet1 is assigned to NSG1.
Subnet2 is assigned to NSG3.
Subnet3 does not have an NSG assigned.

Which virtual machine will allow traffic from the internet on port 80?
Select only one answer.

A. VM1
B. VM2
C. VM3
D. VM4

A

A. VM1

Explanation:

On VM1, both NSGs assigned to Subnet1 and the NIC1 card allow traffic on port 80. On VM2, NSG1 allows traffic, but NSG3 blocks traffic for the network interface. On VM3 and VM4, NSG3 blocks traffic.

Network security group - how it works | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

54
Q

Your company plans to migrate servers from on-premises to Azure. There will be dev, test, and production virtual machines on a single virtual network.

You need to restrict traffic between the dev, test, and production virtual machines to specific ports.

What should you use?
Select only one answer.

A. a network security group (NSG)
B. an Azure firewall
C. an Azure load balancer
D. an Azure VPN gateway

A

A. a network security group (NSG)

Explanation:

You must configure network security group (NSG) rules to allow TCP or ICMP traffic for specific ports. Azure Firewall is a managed service that protects your Azure services across multiple virtual networks. Load balancers are used to distribute incoming traffic to available backend servers. Azure VPN is used to establish a connection between on-premises and Azure.

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

55
Q

You have an Azure subscription that contains an ASP.NET application. The application is hosted on four Azure virtual machines that run Windows Server 2022.

You have a load balancer named LB1 that load balances requests to the virtual machines.

You need to ensure that site users connect to the same web server for all requests made to the application.

Which two actions should you perform? Each correct answer presents part of the solution.
Select all answers that apply.

A. Set Session persistence to Client IP.
B. Set Session persistence to Protocol.
C. Set Session persistence to None.
D. Configure an inbound NAT rule.

A

A. Set Session persistence to Client IP.
B. Set Session persistence to Protocol.

Explanation:

By setting Session persistence to Client IP and Protocol, you ensure that site users connect to the same web server for all requests made to the application. Setting Session persistence to None disables sticky sessions and an inbound NAT rule is used to forward traffic from a load balancer frontend to a backend pool.

Azure Load Balancer distribution modes | Microsoft Learn

Configure Azure Load Balancer - Training | Microsoft Learn

56
Q

You have an Azure subscription that contains multiple virtual machines and a public load balancer named PLB1. PLB1 is configured to balance ports 80 and 443 on the virtual machines.

A virtual machine named VM1 will be used to connect to all other virtual machines by using RDP.

You need to forward all RDP requests to VM1 only.

What should you do?
Select only one answer.

A. Configure an inbound NAT rule.
B. Configure a public IP address.
C. Add a load balancer named LB1 to VM1.

A

A. Configure an inbound NAT rule.

Explanation:

Configuring an inbound NAT rule allows you to connect to virtual machines on an Azure virtual network by using the Azure Load Balancer IP address and port number.

Configure VPN NAT rules for your gateway - Azure Virtual WAN | Microsoft Learn

Configure Azure Load Balancer - Training | Microsoft Learn

57
Q

You have an Azure subscription that contains 20 virtual networks and 500 virtual machines.

You deploy a new virtual machine named VM501.

You discover that VM501 is unable to communicate with a virtual machine named VM20 in the subscription. You suspect that a network security group (NSG) is the cause of the issue.

You need to identify whether an NSG is blocking communications. The solution must minimize administrative effort.

What should you use?
Select only one answer.

A. NSG flow logs
B. packet capture
C. IP flow verify
D. diagnostic logs

A

C. IP flow verify

Explanation:

IP flow verify lets you specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify can identify the specific network security group (NSG) that prevents communication. NSG flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. Although the logs may help you identify the source of the issue, it requires much more configuration and manual evaluation. Packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture may help narrow down the scope of the issue, but it will not identify the specific NSG that prevents communication.

Azure Network Watcher | Microsoft Learn

Configure Network Watcher - Training | Microsoft Learn

58
Q

You need to generate the shared access signature (SAS) token required to authorize a request to a resource.

Which two parameters are required for the SAS token? Each correct answer presents part of the solution.
Select all answers that apply.

A. SignedStart (st)
B. SignedIP (sip)
C. SignedServices (ss)
D. SignedResourceTypes (srt)

A

C. SignedServices (ss)
D. SignedResourceTypes (srt)

Explanation:

SignedServices (ss) is required to refer to blobs, queues, tables, and files. SignedResourceTypes (srt) is required to refer to services, containers, or objects. SignedStart (st) is an optional parameter that refers to the time when the SAS becomes valid. If omitted, the start time is assumed to be the time when the storage service receives the request. SignedIP (sip) is an optional parameter that refers to the range of IP addresses from which to accept requests.

Create an account SAS - Azure Storage | Microsoft Learn

Configure Azure Storage security - Training | Microsoft Learn

59
Q

You need to create an Azure Storage account that meets the following requirements:

Stores data in multiple Azure regions
Supports reading the data from primary and secondary regions

Which type of storage redundancy should you use?
Select only one answer.

A. geo-redundant storage (GRS)
B. read-access geo-redundant storage (RA-GRS)
C. zone-redundant storage (ZRS)
D. locally-redundant storage (LRS)

A

B. read-access geo-redundant storage (RA-GRS)

Explanation:

Since you must ensure that data can be read from a secondary region, you must choose read-access geo-redundant storage (RA-GRS).

Data redundancy - Azure Storage | Microsoft Learn

Determine replication strategies - Training | Microsoft Learn

60
Q

You have an Azure subscription that contains the following StorageV2 (general purpose v2) storage accounts:

store1 is a Premium account that uses geo-redundant storage (GRS) redundancy.
store2 is a Standard account that uses locally-redundant storage (LRS) redundancy.
store3 is a Premium account that uses read-access geo-redundant storage (RA-GRS) redundancy.
store4 is a Premium account that uses RA-GRS redundancy.

You need to identify which storage account can be converted to zone-redundant replication (ZRS) for live migration.

Which storage account should you identify?
Select only one answer.

A. store1
B. store2
C. store3
D. store4

A

B. store2

Explanation:

Only zone-redundant replication (ZRS) supports StorageV2, FileStorage, and BlockBlobStorage accounts. Live migration is not supported for read-access geo-redundant storage (RA-GRS) and only standard storage accounts can be used.

Data redundancy - Azure Storage | Microsoft Learn

Determine replication strategies - Training | Microsoft Learn

61
Q

You have two premium block blob Azure Storage accounts named storage1 and storage2.

You need to configure object replication from storage1 to storage2.

Which three features should be enabled before configuring object replication? Each correct answer presents part of the solution.
Select all answers that apply.

A. change feed for storage1
B. change feed for storage2
C. blob versioning for storage1
D. blob versioning for storage2
E. point-in-time restore for the containers on storage1
F. point-in-time restore for the containers on storage2

A

A. change feed for storage1
C. blob versioning for storage1
D. blob versioning for storage2

Explanation:

Object replication can be used to replicate blobs between storage accounts. Before configuring object replication, you must enable blob versioning for both storage accounts, and you must enable the change feed for the source account.

Configure object replication - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

62
Q

You have an Azure subscription that contains multiple storage accounts.

A storage account named storage1 has a file share that stores marketing videos. Users reported that 99 percent of the assigned storage is used.

You need to ensure that the file share can support large files and store up to 100 TiB.

Which two PowerShell commands should you run? Each correct answer presents part of the solution.
Select all answers that apply.

A. Set-AzStorageAccount -ResourceGroupName RG1 -Name Storage1 -EnableLargeFileShare
B. Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName Storage1 -Name Share1 -QuotaGiB 102400
C. Set-AzStorageAccount -ResourceGroupName RG1 -Name Storage1 -Type "Standard_RAGRS"
D. New-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName Storage1 -Name Share1 -QuotaGiB 100GB

A

A. Set-AzStorageAccount -ResourceGroupName RG1 -Name Storage1 -EnableLargeFileShare
B. Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName Storage1 -Name Share1 -QuotaGiB 102400

Explanation:

You must enable the storage account to support large files and update the storage account quota to 102,400 GB. You do not need to change the type of storage account, and you are updating the existing share.

Object replication overview - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

63
Q

You create an Azure Storage account.

You need to create a lifecycle management rule to move blobs to Cool storage if the blobs have not been used for 30 days.

What should you do first?
Select only one answer.

A. Enable access tracking.
B. Refresh the blob inventory.
C. Enable versioning for blobs.
D. Rotate the storage account keys.

A

A. Enable access tracking.

Explanation:
A lifecycle management rule can be used to move or delete blobs automatically. The rule can be based on the time the blob was last modified or the time the blob was last accessed (read or write). To perform an action based on the access time, access tracking must be enabled. This can incur additional storage costs.

64
Q

You have an Azure Storage account that contains a file share.

Several users work from a secure location that limits outbound traffic to the internet.

You need to ensure that the users at the secure location can access the file share in Azure.

Which outbound port should you allow from the secure location?
Select only one answer.

A. 80
B. 443
C. 445
D. 5671

A

C. 445

Explanation:

For accessing the file share, port 445 must be open. Port 5671 is used to send health information to Azure AD. It is recommended, but not required, in the latest versions. Port 80 is used to download certificate revocation lists (CRLs) to verify TLS/SSL certificates. Port 443 is used to sync with Azure AD.

Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft Learn

Configure Azure Storage security - Training | Microsoft Learn