Review Mode Set 2 Dojo Flashcards

1
Q

Which Azure service can you use to send alerts when the CPU utilization of a virtual machine reaches 80%?

Microsoft Defender for Cloud
Azure Bastion
Azure Monitor
Azure Service Health
A

Azure Monitor

Explanation:
Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. This information helps you understand how your applications are performing and proactively identify issues affecting them and the resources they depend on.

With Azure Monitor, you can:

– Detect and diagnose issues across applications and dependencies with Application Insights.

– Correlate infrastructure issues with VM insights and Container insights.

– Drill into your monitoring data with Log Analytics for troubleshooting and deep diagnostics.

– Support operations at scale with smart alerts and automated actions.

– Create visualizations with Azure dashboards and workbooks.

– Collect data from monitored resources using Azure Monitor Metrics.

Metric alerts in Azure Monitor work on top of multi-dimensional metrics. These metrics could be platform metrics, custom metrics, popular logs from Azure Monitor converted to metrics, and Application Insights metrics.

Metric alerts evaluate at regular intervals to check if conditions on one or more metric time series are true and notify you when the evaluations are met. Metric alerts are stateful by default, that is, they only send out notifications when the state changes (fired, resolved).

You can alert on metrics and logs, as described in monitoring data sources. Signals include but aren’t limited to:

– Metric values

– Log search queries

– Activity log events

– Health of the underlying Azure platform

– Tests for website availability

Hence, the correct answer is: Azure Monitor.

Azure Bastion is incorrect because this is only a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs) without any exposure through public IP addresses.

Microsoft Defender for Cloud is incorrect because this service is simply a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud. It is not designed for sending alerts when certain VM metrics have been breached.

Azure Service Health is incorrect because this service is just a personalized dashboard in the Azure portal for receiving notifications, guidance, and technical support when Azure service issues, updates, or planned maintenance affect your Azure resources.

2
Q

For each of the following items, choose Yes if the statement is true or choose No if the statement is false. Take note that each correct item is worth one point.

Questions (Yes / No):

  1. Azure network security groups can encrypt all the network traffic between your Azure resources and on-premises network via the public Internet.
  2. You can set up a Point-to-Site VPN connection that uses Internet Protocol Security (IPsec) to connect to your Azure virtual network using your home computer via the public Internet.
  3. Azure Firewall uses Internet Protocol Security (IPsec) to encrypt all the network traffic between your Azure resources and on-premises network via the public Internet.
A
  1. No
  2. Yes
  3. No

Explanation:
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability.

You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

Hence, this statement is true: You can set up a Point-to-Site VPN connection that uses Internet Protocol Security (IPsec) to connect to your Azure virtual network using your home computer via the public Internet.

The statement that says: Azure Firewall uses Internet Protocol Security (IPsec) to encrypt all the network traffic between your Azure resources and on-premises network via the public Internet is incorrect because Azure Firewall doesn’t use IPsec and can’t be used to connect Azure resources and your on-premises network. It is just a fully stateful firewall-as-a-service that allows you to centrally create, enforce, and log application and network connectivity policies across subscriptions and Azure virtual networks.

The statement that says: Azure network security groups can encrypt all the network traffic between your Azure resources and on-premises network via the public Internet is incorrect because a network security group is primarily used to filter network traffic to and from Azure resources in an Azure virtual network. You have to establish a VPN connection if you need to connect between the Azure virtual network and your home computer via IPsec.

3
Q

A company has several Azure resources across different regions. The support engineers need to manage the Azure cloud environments of the company using the Azure CLI.

Which tools below can the engineers use to install and run the Azure CLI? (Select TWO.)

Microsoft Entra Seamless SSO
Azure Storage Explorer
Azure Resource Explorer
Windows PowerShell
Windows Command Prompt (CMD)
A

Windows PowerShell
Windows Command Prompt (CMD)

Explanation:
The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. The Azure CLI is available across Azure services and is designed to get you working quickly with Azure, with an emphasis on automation.

Azure CLI capabilities make it easy to work with different programming languages and software environments. For example, Azure CLI:

– Is available to install in Windows, macOS, and Linux environments.

– Can also be run in Docker and Azure Cloud Shell.

– Offers command-line flexibility when managing an Azure solution.

– Supports long-running operations.

– Has the ability to use one subscription for all commands or vary subscriptions per command.

– Allows for querying of command-line results with query output returned in your format of choice.

– Has the flexibility to work with multiple clouds.

– Provides configurable settings for logging, data collection, and default argument values.

– Is deployed with Resource Manager deployment templates.

For Windows, the Azure CLI is installed via an MSI, which gives you access to the CLI through the Windows Command Prompt (CMD) or PowerShell. The packages are also available for your Linux distribution if you are using Windows Subsystem for Linux (WSL).

Hence, the correct answers are:

– Windows Command Prompt (CMD)

– Windows PowerShell

Microsoft Entra Seamless SSO is incorrect because you can’t use this service to run Azure CLI. It’s just an identity service that automatically signs users in when they are on their corporate devices connected to their corporate network.

Azure Storage Explorer is incorrect because this is simply a cross-platform, standalone application that you can use to manage your Azure cloud storage resources. It’s not capable of installing or running the Azure CLI.

Azure Resource Explorer is incorrect because this is primarily used to view the available Azure Resource Management APIs and make actual API calls directly to your own Azure subscriptions.

4
Q

For security reasons, you need to recommend a solution that will automatically block new network security group security rules that contain ports 22, 80, and 3389.

What should you include in your recommendation?

Azure Monitor
Azure Service Trust Portal
Azure Resource Manager
Azure Policy
A

Azure Policy

Explanation:
Azure Policy helps to enforce organizational standards and to assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

Policy evaluates resources in Azure by comparing the properties of resources to the business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative.

Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The assignment applies to all resources within the Resource Manager scope of that assignment. Subscopes can be excluded if necessary.

Hence, the correct answer is: Azure Policy.

Azure Monitor is incorrect because it just helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. You cannot use this to block new security rules.

Azure Service Trust Portal is incorrect because this is simply Microsoft’s public site for publishing audit reports and other compliance-related information associated with Microsoft’s cloud services.

Azure Resource Manager is incorrect because it is used for the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.

5
Q

What is the customer responsible for when using a software as a service (SaaS) solution?

Installing its custom applications
Configuring and using the provided cloud-based application
Ensuring high availability of its applications.
Ensuring the scalability of its cloud-based applications
A

Configuring and using the provided cloud-based application

Explanation:

6
Q

Your company stores its media assets in a storage account located in the Singapore region.

You need to recommend a solution to ensure that if the Singapore region fails, the data can still be accessed. The solution should also be cost-effective.

Solution: Configure your storage account to use zone-redundant storage (ZRS) option.

Does this meet the goal?

No
Yes
A

No

Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.

Data in an Azure Storage account is always replicated three times in the primary region.

Geo-zone-redundant storage (GZRS) copies your data synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region.

The primary difference between GRS and GZRS is how data is replicated in the primary region. Within the secondary region, data is always replicated synchronously three times using LRS. LRS in the secondary region protects your data against hardware failures.

Take note that the requirements state that the media assets must be accessible if the Singapore region fails and that the solution must also be cost-effective. Although Geo-zone-redundant storage satisfies the requirement of data availability, it does not satisfy the requirement of cost-effectiveness because geo-zone-redundant storage is costlier than geo-redundant storage.

Hence, the correct answer is: No.

7
Q

Your company stores its media assets in a storage account located in the Singapore region.

You need to recommend a solution to ensure that if the Singapore region fails, the data can still be accessed. The solution should also be cost-effective.

Solution: Configure your storage account to use geo-redundant storage (GRS) option.

Does this meet the goal?

Yes
No
A

Yes

Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.

Data in an Azure Storage account is always replicated three times in the primary region.

Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in a secondary region that is hundreds of miles away from the primary region.

Take note that the requirements state that the media assets must be accessible if the Singapore region fails. With Geo-redundant storage, your media assets are stored in multiple availability zones and a secondary region. Remember, you can only use the secondary region when you initiate a failover. After the failover has been completed, the secondary region becomes the primary region, and you can again read and write data.

Hence, the correct answer is: Yes.

8
Q

Which Azure service lets you provision Windows desktops that can host desktop applications in just a few minutes, scale easily and allow users to connect with any device over the internet?

Azure Batch
Azure Dedicated Host
Azure Virtual Desktop
Azure Functions
A

Azure Virtual Desktop

Explanation:
Windows Virtual Desktop on Azure is a desktop and application virtualization service that runs on the cloud. It enables your users to use a cloud-hosted version of Windows from any location. Windows Virtual Desktop works across devices like Windows, Mac, iOS, Android, and Linux. It works with apps that you can use to access remote desktops and apps. You can also use most modern browsers to access Windows Virtual Desktop-hosted experiences.

Here’s what you can do when you run Windows Virtual Desktop on Azure:

– Set up a multi-session Windows 10 deployment that delivers a full Windows 10 with scalability

– Virtualize Microsoft 365 Apps for enterprise and optimize it to run in multi-user virtual scenarios

– Provide Windows 7 virtual desktops with free Extended Security Updates

– Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer

– Virtualize both desktops and apps

– Manage Windows 10, Windows Server, and Windows 7 desktops and apps with a unified management experience

Users have the freedom to connect to Windows Virtual Desktop with any device over the Internet. They use a Windows Virtual Desktop client to connect to their published Windows desktop and applications. This client could either be a native application on the device or the Windows Virtual Desktop HTML5 web client.

You can provide individual ownership through personal (persistent) desktops. For example, you might want to provide personal remote desktops for members of an engineering team. Then they can add or remove programs without impacting other users on that remote desktop.

You can also quickly virtualize and deploy modern and legacy desktop applications to the cloud in minutes with unified management in the Azure portal.

Hence, the correct answer is: Azure Virtual Desktop.

Azure Functions is incorrect because this is just an event-driven, compute-on-demand service that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure or third-party service as well as on-premises systems.

Azure Dedicated Host is incorrect because this service simply provides physical servers that are able to host one or more virtual machines dedicated to a single customer.

Azure Batch is incorrect because this service only creates and manages a pool of compute nodes (virtual machines), installs the applications you want to run, and schedules jobs to run on the nodes.

9
Q

You have an Azure subscription that contains multiple virtual machines.
You have been tasked with connecting your virtual network containing the virtual machines to your on-premises data center. Traffic must not pass through the public internet.
Solution: Create a virtual network peering.

No
Yes
A

No

Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Office 365.

Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet.

Virtual network peering allows you to connect virtual networks to each other only. You won’t be able to connect your on-premises datacenter to Azure.

Hence, the correct answer is: No.

10
Q

What service enables you to evaluate regulatory compliance as well as improve the compliance posture of your Azure environment?

Azure Blueprints
Azure Advisor
Microsoft Defender for Cloud
Azure Policy
A

Microsoft Defender for Cloud

Explanation:
Microsoft Defender for Cloud is a tool for security posture management and threat protection. It strengthens the security posture of your cloud resources, and with its integrated Microsoft Defender plans, Defender for Cloud protects workloads running in Azure, hybrid, and other cloud platforms.

Defender for Cloud provides the tools needed to harden your resources, track your security posture, protect against cyberattacks, and streamline security management. Because it’s natively integrated, deployment of Defender for Cloud is easy, providing you with simple auto-provisioning to secure your resources by default.

With Microsoft Defender for Cloud, you can do the following:

– Evaluate your regulatory compliance using the Regulatory compliance dashboard

– Improve your compliance posture by taking action on recommendations

Microsoft Defender for Cloud helps streamline the process for meeting regulatory compliance requirements using the regulatory compliance dashboard. In the dashboard, Defender for Cloud provides insights into your compliance posture based on continuous assessments of your Azure environment. Defender for Cloud analyzes risk factors in your hybrid cloud environment according to security best practices.

Hence, the correct answer is: Microsoft Defender for Cloud.

Azure Advisor is incorrect because this service just analyzes your configurations and usage telemetry and offers personalized, actionable recommendations to help you optimize your Azure resources for reliability, security, operational excellence, performance, and cost.

Azure Blueprints is incorrect because this simply defines a repeatable set of Azure resources that implement and adhere to your organization’s standards, patterns, and requirements and rapidly build new environments with a set of built-in components to speed up development and delivery.

Azure Policy is incorrect because this service is primarily used to manage and prevent IT issues with policy definitions that enforce rules and effects for your resources.

11
Q

You need to configure a network security group in your Azure subscription that restricts Remote Desktop Protocol access to your virtual machines.

Which resources can be attached to your network security group? (Select TWO.)

Subnet
Route Table
Virtual Network
Network interface
DNS servers
A

Subnet
Network interface

Explanation:
Azure Network Security Group is used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Network Security Groups can be attached to subnets and/or network interfaces. Unless you have a specific reason to, it is recommended that you associate a network security group to a subnet or a network interface, but not both. Since rules in a network security group associated with a subnet can conflict with rules in a network security group associated with a network interface, you can have unexpected communication problems that require troubleshooting.

It’s important to note that security rules in an NSG associated with a subnet can affect connectivity between virtual machines within it. For example, if a rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other. Another rule would have to be added specifically to allow this.

Hence, the correct answers are:

– Subnet

– Network Interface

Virtual Network, Route Table, and DNS Server are incorrect because you will not be able to attach these resources to a network security group. You can only attach a subnet and/or a network interface to your network security group.

12
Q

A company has hundreds of virtual machines dispersed across multiple virtual networks and subscriptions. You are tasked to restrict outbound HTTPS traffic to a specified list of fully qualified domain names (FQDN) as well as limit the inbound traffic to the virtual networks.

What must be done to satisfy the above requirement?

Integrate Azure Firewall to your network architecture.
Integrate Azure virtual network TAP (Terminal Access Point) to your network architecture.
Launch a single Azure ExpressRoute connection.
Launch a single network security group.
A

Integrate Azure Firewall to your network architecture.

Explanation:
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

The Azure Firewall service complements network security group functionality. Together, they provide better “defense-in-depth” network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level protection across different subscriptions and virtual networks.

Hence, the correct answer is: Integrate Azure Firewall to your network architecture.

The option that says: Integrate Azure virtual network TAP (Terminal Access Point) to your network architecture is incorrect because this just allows you to continuously stream your virtual machine network traffic to a network packet collector or analytics tool.

The option that says: Launch a single Azure ExpressRoute connection is incorrect because this service is primarily used to create private connections between Azure and your on-premises network or in a colocation environment.

The option that says: Launch a single network security group is incorrect because a network security group simply provides distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Remember that the scenario states that the virtual machines are dispersed across multiple virtual networks and subscriptions.

13
Q

You were tasked to look for a document sharing solution that you can map or mount in your on-premises Windows servers. What Azure service should you use?

Azure Blob
Azure Cosmos DB
Azure Managed Disks
Azure Files
A

Azure Files

Explanation:
Azure Files enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files with both read and write access. You can also read the files using the REST interface or the storage client libraries.

One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files from anywhere in the world using a URL that points to the file and includes a shared access signature (SAS) token. You can generate SAS tokens; they allow specific access to a private asset for a specific amount of time.

File shares can be used for many common scenarios:

  1. Many on-premises applications use file shares. This feature makes it easier to migrate those applications that share data to Azure. If you mount the file share to the same drive letter that the on-premises application uses, the part of your application that accesses the file share should work with minimal, if any, changes.
  2. Configuration files can be stored on a file share and accessed from multiple VMs. Tools and utilities used by multiple developers in a group can be stored on a file share, ensuring that everybody can find them and that they use the same version.
  3. Resource logs, metrics, and crash dumps are just three examples of data that can be written to a file share and processed or analyzed later.


The correct answer is: Azure Files.

Azure Cosmos DB is incorrect because this service is Microsoft’s globally distributed, multi-model database service for mission-critical applications.

Azure Managed Disks is incorrect because these are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines. Managed disks are like a physical disk in an on-premises server but virtualized. However, this can’t be mounted to your on-premises servers, unlike Azure Files.

Azure Blob storage is incorrect because this service is an object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data, such as text or binary data. Objects in Blob storage can be accessed from anywhere in the world via HTTP or HTTPS. You cannot mount this to your on-premises servers.

14
Q

Which Azure service provides recommendations on how you can optimize and improve the efficiency of your workloads by identifying idle and underutilized resources?

Azure Portal
Azure Blueprints
Azure Cost Management + Billing
Azure Monitor
A

Azure Cost Management + Billing

Explanation:
Azure Cost Management + Billing is a suite of tools provided by Microsoft that help you analyze, manage, and optimize the costs of your workloads. Using the suite helps ensure that your organization is taking advantage of the benefits provided by the cloud.

With Azure products and services, you only pay for what you use. As you create and use Azure resources, you’re charged for the resources. Because of the deployment ease for new resources, the costs of your workloads can jump significantly without proper analysis and monitoring. You use Azure Cost Management + Billing features to:

– Conduct billing administrative tasks such as paying your bill
– Manage billing access to costs
– Download cost and usage data that was used to generate your monthly invoice
– Proactively apply data analysis to your costs
– Set spending thresholds
– Identify opportunities for workload changes that can optimize your spending

The ways that Cost Management helps you plan for and control your costs include:

– You use cost analysis to explore and analyze your organizational costs.

– Budgets help you plan for and meet financial accountability in your organization.

– Recommendations show how you can optimize and improve efficiency by identifying idle and underutilized resources.

Hence, the correct answer is: Azure Cost Management + Billing.

Azure Blueprints is incorrect because this only enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. It is not capable of analyzing your Azure spending, unlike Azure Cost Management + Billing.

Azure Portal is incorrect because this is simply a web-based, unified console that provides an alternative to command-line tools that you can use to access Azure Cost Management + Billing service.

Azure Monitor is incorrect because this service primarily helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. You cannot use this to show recommendations on how to optimize your Azure spending.

15
Q

Your on-premises Active Directory forest currently has 3000 users.

You plan to decommission the on-premises server that hosts Active Directory. You need to recommend a solution to migrate the users to Microsoft Entra ID as quickly as possible with minimal impact on users.

What should you recommend?

Implement Azure Multi-Factor Authentication.
Manually create the users in Microsoft Entra ID.
Migrate the on-premises Active Directory server to Azure virtual machines.
Sync the on-premises Active Directory to Microsoft Entra ID using Microsoft Entra Connect.
A

Sync the on-premises Active Directory to Microsoft Entra ID using Microsoft Entra Connect.

Explanation:
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:

– External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.

– Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Microsoft Online business services, such as Office 365 or Microsoft Azure, require Microsoft Entra ID for sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Microsoft Entra ID with access to all the free features.

Microsoft Entra Connect installs an on-premises service that orchestrates synchronization between your on-premises Active Directory and Microsoft Entra ID. The Microsoft Entra Connect Sync synchronization service (ADSync) runs on a server in your on-premises environment. The credentials for the service are set by default in the Express installation but can be customized to meet your organizational security requirements. These credentials are not used to connect to your on-premises forests or to Microsoft Entra ID; separate connector accounts do that. Because the server can read every synced account (and, with password hash synchronization, password hash data), treat it as a tier-0 asset and restrict who can log on to it.

Hence, the correct answer is: Sync the on-premises Active Directory to Microsoft Entra ID using Microsoft Entra Connect.

Manually creating the users in Microsoft Entra ID is incorrect because creating 3000 accounts by hand is slow and error-prone. Take note that the scenario asks for the quickest way to migrate the users to Microsoft Entra ID.

Implementing Azure Multi-Factor Authentication is incorrect because this is just a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. It is not capable of syncing on-premises Active Directory to Microsoft Entra ID.

Migrating the on-premises Active Directory server to Azure virtual machines is incorrect because the scenario states that the users must be migrated to Microsoft Entra ID, not to Azure virtual machines. Moving the domain controller to an Azure VM keeps the users in on-premises-style Active Directory Domain Services and does not meet the requirement.
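Added example, not part of the flashcard set: a verification script for the Microsoft Entra Connect server that checks the scheduler, forces a delta cycle instead of waiting for the timer, and compares the on-premises user count with what has landed in Microsoft Entra ID. It assumes the ADSync module (installed with Entra Connect), the ActiveDirectory RSAT module and the Microsoft.Graph module are present, that Connect-MgGraph has already been run with User.Read.All, and the OU distinguished name is a placeholder.

```powershell
# Added example (not from the flashcard set). Run on the Microsoft Entra Connect server.
# Assumes the ADSync module (installed with Entra Connect), the ActiveDirectory RSAT
# module and Microsoft.Graph are available, and Connect-MgGraph -Scopes User.Read.All
# has already been run. The OU distinguished name is a placeholder.
Import-Module ADSync
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

$searchBase = 'OU=Users,DC=corp,DC=example'   # placeholder OU that is in scope for sync

# 1. Scheduler state. SyncCycleEnabled must be $true; the default interval is 30 minutes.
$sched = Get-ADSyncScheduler
'Sync enabled: {0}; staging mode: {1}; interval: {2}; next cycle (UTC): {3}' -f `
    $sched.SyncCycleEnabled, $sched.StagingModeEnabled,
    $sched.CurrentlyEffectiveSyncCycleInterval, $sched.NextSyncCycleStartTimeInUTC
if (-not $sched.SyncCycleEnabled) {
    throw 'Sync cycle is disabled; enable it with Set-ADSyncScheduler -SyncCycleEnabled $true'
}

# 2. Do not wait up to 30 minutes for the timer: run a delta cycle now and wait for it.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 3. Compare the source of truth with the cloud. onPremisesSyncEnabled marks synced accounts;
#    -CountVariable requires -ConsistencyLevel eventual (Graph advanced query).
$onPrem = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase).Count
Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' -ConsistencyLevel eventual `
    -CountVariable cloudCount -Property Id | Out-Null
'On-premises enabled users: {0}; synced users in Entra ID: {1}' -f $onPrem, $cloudCount
if ($onPrem -ne $cloudCount) {
    Write-Warning 'Counts differ: check OU filtering in the sync scope and export errors in Synchronization Service Manager.'
}
```

The count comparison is the "minimal impact" check: a user who is in the on-premises count but not in the cloud count will lose access the moment the on-premises domain controller is decommissioned. The ADSync service account used here is not the account that reads the forest; the AD DS Connector account is, and both belong in the same tier-0 protection as the server.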

16
Q

For each of the following items, choose Yes if the statement is true or choose No if the statement is false. Take note that each correct item is worth one point.

  1. Azure Advisor improves the security of your Microsoft Entra ID environment by calculating user risk levels, providing custom recommendations, and highlighting vulnerabilities.
  2. Your secure score in Microsoft Defender for Cloud will increase if you remediate all of the security recommendations provided by Azure Advisor.
  3. Azure Advisor provides a list of Azure virtual machines that are backed up by the Azure Backup service.
A
  1. No
  2. Yes
  3. No

Explanation:
Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost-effectiveness, performance, Reliability (formerly called High availability), and security of your Azure resources.

With Advisor, you can:

– Get proactive, actionable, and personalized best practices recommendations.
– Improve the performance, security, and reliability of your resources as you identify opportunities to reduce your overall Azure spend.
– Get recommendations with proposed actions inline.

You can access Advisor through the Azure portal. Sign in to the portal, locate Advisor in the navigation menu, or search for it in the All services menu.

The Advisor dashboard displays personalized recommendations for all your subscriptions. You can apply filters to display recommendations for specific subscriptions and resource types. The recommendations are divided into five categories:

– Reliability (formerly called High Availability): To ensure and improve the continuity of your business-critical applications.

– Security: To detect threats and vulnerabilities that might lead to security breaches.

– Performance: To improve the speed of your applications.

– Cost: To optimize and reduce your overall Azure spending.

– Operational Excellence: To help you achieve process and workflow efficiency, resource manageability, and deployment best practices.

Azure Advisor identifies the Azure virtual machines where the backup is not enabled. Setting up a virtual machine backup ensures the availability of your business-critical data and its protection against accidental deletion or corruption.

The security recommendations provided by Azure Advisor can improve your secure score in Microsoft Defender for Cloud. Your secure score increases as you remediate the security findings and apply the recommended security configurations. Azure Advisor integrates with Microsoft Defender for Cloud to surface its security recommendations.

Hence, this statement is true: Your secure score in Microsoft Defender for Cloud will increase if you remediate all of the security recommendations provided by Azure Advisor.

The statement that says: Azure Advisor provides a list of Azure virtual machines that are backed up by the Azure Backup service is incorrect because Azure Advisor only provides a list of Azure VMs that are not properly backed up and not the other way around.

The statement that says: Azure Advisor improves the security of your Microsoft Entra ID environment by calculating user risk levels, providing custom recommendations, and highlighting vulnerabilities is incorrect because Azure Advisor can only provide limited security recommendations for Microsoft Entra ID. It is not capable of calculating user risk levels or providing custom Microsoft Entra ID recommendations. These functions can only be provided by Microsoft Entra ID Protection.

17
Q

You have an Azure subscription that contains multiple virtual machines.
You have been tasked with connecting your virtual network containing the virtual machines to your on-premises data center. Traffic must not pass through the public internet.
Solution: Create an ExpressRoute circuit.

Yes
No
A

Yes

Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Office 365.

Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not go over the public Internet, which gives them more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet. Note that ExpressRoute keeps traffic off the public Internet but does not encrypt it on its own; if encryption in transit is required, use MACsec (available with ExpressRoute Direct) or run an IPsec VPN over the circuit.

Hence, the correct answer is: Yes.

18
Q

Your company is planning to migrate some of its servers to Azure. You need to recommend a solution wherein users can work remotely by having a secure connection to your Azure virtual machines.

What should you include in the recommendation?

Point-to-Site VPN Connection
Site-to-Site VPN Connection
ExpressRoute
Traffic Manager
A

Point-to-Site VPN Connection

Explanation:
Point-to-Site (P2S) VPN connection allows you to create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client’s computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

As part of the Point-to-Site configuration, you install a certificate and a VPN client configuration package, which contains the settings that allow your computer to connect to any virtual machine or role instance within the virtual network.

Hence, the correct answer is: Point-to-Site VPN connection.

ExpressRoute is incorrect because this service simply lets you create private connections between Azure datacenters and infrastructure that’s on your premises or in a co-location environment. ExpressRoute connections do not go over the public Internet and offer better reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet. You cannot use this to provide a secure connection to your virtual machines from a user working remotely.

Site-to-Site VPN Connection is incorrect because this is simply used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

Traffic Manager is incorrect because this is primarily a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness.

19
Q

Which of the following is a serverless compute service that lets you run event-triggered code without having to explicitly provision or manage infrastructure?

Azure Container Instances
Azure Virtual Machines
Azure Logic Apps
Azure Functions
A

Azure Functions

Explanation:
Azure Functions is an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure or third-party services as well as on-premises systems. Azure Functions allow developers to take action by connecting to data sources or messaging solutions, thus making it easy to process and react to events.

Therefore, the correct answer is: Azure Functions.

Azure Virtual Machines is incorrect because this service gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs it, but you still have to maintain the VM yourself: configuring, patching, and installing the software that runs on it.

Azure Container Instances is incorrect because this simply offers the fastest and simplest way to run a container in Azure, without having to manage any virtual machines and without having to adopt a higher-level service.

Azure Logic Apps is incorrect because this service helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations. Its workflows are also event-triggered, but they are built from connectors and designer steps rather than from code you write, so it is not the service for running your own event-triggered code.

20
Q

Which Azure service is primarily designed to help organizations assess and migrate their on-premises workloads to Azure?

Azure Site Recovery
Azure DevOps
Azure Data Factory
Azure Migrate
A

Azure Migrate

Explanation:

21
Q

For each of the following items, choose Yes if the statement is true or choose No if the statement is false. Take note that each correct item is worth one point.

  1. A resource group’s permission will be inherited by the resources inside it.
  2. When you assign a tag to a resource group, the resources within that group will inherit the tag.
  3. A resource group is a container that holds related resources for an Azure solution.
A
  1. Yes
  2. No
  3. Yes

Explanation:
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.

The resource group stores metadata about the resources. Therefore, when you specify a location for the resource group, you are specifying where that metadata is stored; for compliance reasons, you may need to ensure that your data is stored in a particular region. Settings applied at the resource group scope flow down: when you apply a policy to the resource group, the policy applies to the resource group and all its resources, and an Azure role assignment made at the resource group scope is inherited by every resource inside it.

Therefore, the following statements are correct:

– A resource group is a container that holds related resources for an Azure solution.

– A resource group’s permission will be inherited by the resources inside it.

The statement that says: When you assign a tag to a resource group, the resources within that group will inherit the tag is incorrect because tags are not automatically inherited. However, Azure Policy can force resources within a resource group to inherit a tag using the built-in “Inherit a tag from the resource group if missing” policy definition. It uses the Modify effect, so the assignment needs a managed identity with rights to write tags, and existing resources are only updated after you start a remediation task.
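Added example, not part of the flashcard set: a script that shows both halves of this card on a live resource group, the inherited role assignments on each resource and the resource-group tags that each resource does not carry, and then copies the missing tags down. It assumes Az.Resources is installed and Connect-AzAccount has been run; the resource group name is a placeholder.

```powershell
# Added example (not from the flashcard set). Assumes Az.Resources is installed and
# Connect-AzAccount has run; the resource group name is a placeholder.
$rgName = 'rg-app'
$rg = Get-AzResourceGroup -Name $rgName
$resources = Get-AzResource -ResourceGroupName $rgName

# 1. Permissions flow down. Querying a resource scope also returns assignments made at the
#    resource group, subscription or management group; the Scope property tells you where.
foreach ($res in $resources) {
    Get-AzRoleAssignment -Scope $res.ResourceId |
        Where-Object { $_.Scope -ne $res.ResourceId } |
        ForEach-Object {
            '{0}: {1} for {2}, inherited from {3}' -f $res.Name, $_.RoleDefinitionName, $_.DisplayName, $_.Scope
        }
}

# 2. Tags do not flow down. Report which resource-group tags each resource lacks.
if (-not $rg.Tags -or $rg.Tags.Count -eq 0) { throw "Resource group $rgName has no tags to compare against." }
$missing = foreach ($res in $resources) {
    foreach ($key in $rg.Tags.Keys) {
        if (-not $res.Tags -or -not $res.Tags.ContainsKey($key)) {
            [pscustomobject]@{
                ResourceId = $res.ResourceId; Resource = $res.Name; Type = $res.ResourceType
                MissingTag = $key; GroupValue = $rg.Tags[$key]
            }
        }
    }
}
$missing | Format-Table Resource, Type, MissingTag, GroupValue -AutoSize

# 3. One-off copy-down. Merge adds only the missing keys and leaves the resource's own tags
#    alone; -Operation Replace would wipe them.
foreach ($group in ($missing | Group-Object ResourceId)) {
    $toAdd = @{}
    foreach ($m in $group.Group) { $toAdd[$m.MissingTag] = $m.GroupValue }
    Update-AzTag -ResourceId $group.Name -Tag $toAdd -Operation Merge | Out-Null
}
```

Step 3 fixes today's drift only; resources created tomorrow will again arrive without the group's tags. The durable fix is the Modify-effect policy named in the card, assigned with a managed identity and followed by a remediation task for what already exists.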

22
Q

Your company plans on migrating its application named TDojoApp1 to Azure.

TDojoApp1 has high usage during the first and third weeks of the month and low usage during the second and fourth weeks.

Which benefit of Azure Cloud Services supports cost management for this type of usage pattern?

Fault tolerance
Load balancing
High availability
Elasticity
A

Elasticity

Explanation:
Elasticity refers to the ability to automatically or dynamically increase or decrease resources as needed. Elastic resources match the current needs, and resources are added or removed automatically to meet future needs when it’s needed (and from the most advantageous geographic location). A distinction between scalability and elasticity is that elasticity is done automatically.

With cloud elasticity, a company avoids paying for unused capacity or idle resources and doesn’t have to worry about investing in the purchase or maintenance of additional resources and equipment.

Hence, the correct answer is: Elasticity.

Fault Tolerance is incorrect because this refers to the ability to remain up and running even in the event of a component (or service) no longer functioning. Typically, redundancy is built into cloud services architecture, so if one component fails, a backup component takes its place. This type of service is said to be tolerant of faults.

High Availability is incorrect because this refers to the ability to keep services up and running for long periods of time, with very little downtime, depending on the service in question.

Load balancing is incorrect because this refers to evenly distributing load (incoming network traffic) across a group of backend resources or servers.

23
Q

You have several hundred servers in a single Azure region.

You need to recommend an Azure service that will automatically deploy the same set of servers to another region.

What Azure service should you use?

Azure Policy
Azure availability set
Azure scale set
Azure Resource Manager Templates
A

Azure Resource Manager Templates

Explanation:

Azure Resource Manager is a management layer in which resource groups and all the resources within it are created, configured, managed, and deleted. It provides a consistent management layer that allows you to automate the deployment and configuration of resources using different automation and scripting tools, such as Microsoft Azure PowerShell, Azure Command-Line Interface (Azure CLI), Azure portal, REST API, and client SDKs.

Instead of creating resources manually, you can automate deployments and use the practice of infrastructure as code. In code, you define the infrastructure that needs to be deployed. The infrastructure code becomes part of your project. Just like application code, you store the infrastructure code in a source repository and version it. Anyone on your team can run the code and deploy similar environments.

To implement infrastructure as code for your Azure solutions, use Azure Resource Manager (ARM) templates. The template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources.

Azure Resource Manager allows you to repeatedly deploy your infrastructure throughout the development lifecycle and have confidence your resources are deployed in a consistent manner. Templates are idempotent, which means you can deploy the same template many times and get the same resource types in the same state. You can develop one template that represents the desired state, rather than developing lots of separate templates to represent updates.

Hence, the correct answer is: Azure Resource Manager Templates.

Azure availability set is incorrect because this feature is simply a logical grouping capability that ensures the VMs you place within an availability set run across multiple physical servers, compute racks, storage units, and network switches. If a hardware or software failure happens, only a subset of your VMs is impacted and your overall solution stays operational.

Azure scale set is incorrect because this only lets you create and manage a group of load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule, which provides high availability to your applications. It does not take a JSON template that defines the infrastructure and configuration for your project, and a scale set lives in one region.

Azure Policy is incorrect because this service just helps enforce organizational standards and assess compliance at scale. You cannot use this to deploy resources repeatedly.
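Added example, not part of the flashcard set: one ARM template deployed unchanged to two regions. The template takes the region and the number of servers as parameters and uses a copy loop, so the same file that built the first region builds the second. It assumes Az.Resources is installed and Connect-AzAccount has been run; the region names, resource names, VM count, image, VM size and the SSH public key path are all placeholders.

```powershell
# Added example (not from the flashcard set). Assumes Az.Resources is installed and
# Connect-AzAccount has run. All names, regions, the image, the VM size and the SSH key
# path are placeholders.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location":       { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "vmCount":        { "type": "int",    "defaultValue": 2 },
    "adminPublicKey": { "type": "string" }
  },
  "variables": { "vnetName": "vnet-app", "subnetName": "default" },
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks", "apiVersion": "2023-05-01",
      "name": "[variables('vnetName')]", "location": "[parameters('location')]",
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] },
        "subnets": [ { "name": "[variables('subnetName')]", "properties": { "addressPrefix": "10.0.0.0/24" } } ]
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces", "apiVersion": "2023-05-01",
      "name": "[format('nic-{0}', copyIndex())]", "location": "[parameters('location')]",
      "copy": { "name": "nicLoop", "count": "[parameters('vmCount')]" },
      "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]" ],
      "properties": {
        "ipConfigurations": [ { "name": "ipconfig1", "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "subnet": { "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnetName'))]" }
        } } ]
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2023-09-01",
      "name": "[format('vm-{0}', copyIndex())]", "location": "[parameters('location')]",
      "copy": { "name": "vmLoop", "count": "[parameters('vmCount')]" },
      "dependsOn": [ "[resourceId('Microsoft.Network/networkInterfaces', format('nic-{0}', copyIndex()))]" ],
      "properties": {
        "hardwareProfile": { "vmSize": "Standard_B2s" },
        "osProfile": {
          "computerName": "[format('vm-{0}', copyIndex())]", "adminUsername": "azureuser",
          "linuxConfiguration": {
            "disablePasswordAuthentication": true,
            "ssh": { "publicKeys": [ { "path": "/home/azureuser/.ssh/authorized_keys", "keyData": "[parameters('adminPublicKey')]" } ] }
          }
        },
        "storageProfile": {
          "imageReference": { "publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy", "sku": "22_04-lts-gen2", "version": "latest" },
          "osDisk": { "createOption": "FromImage", "managedDisk": { "storageAccountType": "StandardSSD_LRS" } }
        },
        "networkProfile": { "networkInterfaces": [ { "id": "[resourceId('Microsoft.Network/networkInterfaces', format('nic-{0}', copyIndex()))]" } ] }
      }
    }
  ]
}
'@

$templatePath = Join-Path ([IO.Path]::GetTempPath()) 'servers.json'
Set-Content -Path $templatePath -Value $template
$sshKey = (Get-Content "$HOME/.ssh/id_ed25519.pub" -Raw).Trim()   # placeholder key path
$params = @{ vmCount = 3; adminPublicKey = $sshKey }

# Same template, two regions. -WhatIf previews the changes; the real deployment follows.
# Incremental mode leaves resources not in the template alone and, because the template is
# idempotent, re-running it converges existing resources to the declared state.
foreach ($region in 'eastus', 'westus2') {
    $rgName = "rg-app-$region"
    New-AzResourceGroup -Name $rgName -Location $region -Force | Out-Null
    New-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $templatePath -TemplateParameterObject $params -WhatIf
    New-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $templatePath -TemplateParameterObject $params -Mode Incremental
}
```

Raising vmCount is how the same file scales from three servers to several hundred; the copy loop is the template's equivalent of the "same set of servers" in the question. Key-only SSH is used so that no admin password has to travel in a parameter file.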

24
Q

Which of the following allows you to group virtual machines that are hosted in the same virtual network and define network security policies based on those groups without manual maintenance of explicit IP addresses?

Azure Firewall
Azure virtual network TAP (Terminal Access Point)
Network Security Groups
Application Security Groups
A

Application Security Groups

Explanation:
Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.

The rules that specify an application security group as the source or destination are only applied to the network interfaces that are members of the application security group. If the network interface is not a member of an application security group, the rule is not applied to the network interface, even though the network security group is associated with the subnet.

Hence, the correct answer is: Application Security Groups.

Network Security Groups is incorrect because an NSG is the rule set itself, attached to a subnet or a network interface; on its own, its rules are written against IP addresses, CIDR ranges, or service tags, so grouping VMs without maintaining explicit IP addresses requires referencing application security groups from those rules.

Azure virtual network TAP (Terminal Access Point) is incorrect because this just allows you to continuously stream your virtual machine network traffic to a network packet collector or analytics tool.

Azure Firewall is incorrect because this is a managed, cloud-based network security service that protects your Azure resources hosted across multiple virtual networks and subscriptions. Note: it’s mentioned in the scenario that you have to group virtual machines hosted in the same virtual network.
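Added example, not part of the flashcard set: two application security groups for a web tier and a SQL tier in one virtual network, an NSG whose rules name those groups instead of addresses, and the NIC membership that makes the rules apply. It assumes Az.Network is installed, Connect-AzAccount has been run, and that the resource group, virtual network, subnet and NIC names already exist; every name is a placeholder.

```powershell
# Added example (not from the flashcard set). Assumes Az.Network is installed, Connect-AzAccount
# has run, and that the resource group, VNet/subnet and NIC names below already exist.
# All names are placeholders.
$rg = 'rg-app'; $location = 'eastus'; $vnetName = 'vnet-app'; $subnetName = 'default'
$tierMap = @{ 'nic-web-01' = 'asg-web'; 'nic-web-02' = 'asg-web'; 'nic-sql-01' = 'asg-sql' }

# One ASG per tier. Membership is by NIC ip-configuration, never by IP address.
$webAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name asg-web -Location $location
$sqlAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name asg-sql -Location $location
$asgs = @{ 'asg-web' = $webAsg; 'asg-sql' = $sqlAsg }

# Rules name groups, not addresses: only asg-web members may reach asg-sql on 1433. The
# explicit deny at 110 beats the default AllowVnetInBound rule (priority 65000), which would
# otherwise let any VM in the VNet reach SQL.
$allowWebToSql = New-AzNetworkSecurityRuleConfig -Name allow-web-to-sql -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceApplicationSecurityGroupId $webAsg.Id -SourcePortRange '*' `
    -DestinationApplicationSecurityGroupId $sqlAsg.Id -DestinationPortRange 1433
$denyOtherToSql = New-AzNetworkSecurityRuleConfig -Name deny-other-to-sql -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationApplicationSecurityGroupId $sqlAsg.Id -DestinationPortRange 1433
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name nsg-app -Location $location `
    -SecurityRules $allowWebToSql, $denyOtherToSql

# Associate the NSG with the subnet both tiers share ...
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Set-AzVirtualNetwork | Out-Null

# ... and put each NIC's ip-configuration into its tier's ASG. SubnetId is passed again
# because Set-AzNetworkInterfaceIpConfig rewrites the whole ip-configuration.
foreach ($nicName in $tierMap.Keys) {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    $ipc = $nic.IpConfigurations[0]
    $nic | Set-AzNetworkInterfaceIpConfig -Name $ipc.Name -SubnetId $ipc.Subnet.Id `
        -ApplicationSecurityGroupId $asgs[$tierMap[$nicName]].Id | Set-AzNetworkInterface | Out-Null
}

# Check what the platform actually enforces on the SQL NIC (the VM must be running).
(Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName nic-sql-01).EffectiveSecurityRules |
    Where-Object { $_.Name -like '*sql*' } |
    Select-Object Name, Priority, Access, Direction, DestinationPortRange
```

Adding a new web server later means creating its NIC in asg-web (New-AzNetworkInterface accepts -ApplicationSecurityGroupId); no rule changes and no IP bookkeeping are needed, which is the point the card makes. The deny rule is what turns the ASG grouping into segmentation; without it, the default VNet allow rule still permits every other VM in the subnet to reach port 1433.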

25
Q

You plan on migrating several virtual machines to Azure for your frontend and backend applications. There is a compliance requirement wherein the back-end servers must be on a separate network segment.

What Azure solution should you implement?

One subscription each for frontend and backend servers
One virtual network each for frontend and backend servers
One resource group each for frontend and backend servers
One network security group each for frontend and backend servers
A

One virtual network each for frontend and backend servers

Explanation:
Azure Virtual Machines are image service instances that provide on-demand and scalable computing resources with usage-based pricing. More broadly, a virtual machine behaves like a server: it is a computer within a computer that provides the user with the same experience they would have on the host operating system itself.

In general, virtual machines are sandboxed from the rest of the system, meaning that the software inside a virtual machine can’t escape or tamper with the underlying server itself. Each virtual machine provides its own virtual hardware, including CPUs, memory, hard drives, network interfaces, and other devices.

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks.

By default, virtual networks cannot communicate with each other unless you explicitly connect them, for example with virtual network peering or a VPN gateway.

Therefore, the correct answer is: One virtual network each for frontend and backend servers.

One subscription each for frontend and backend servers is incorrect because it is only an agreement with Microsoft to use one or more Microsoft cloud platforms or services, for which charges accrue based on either a per-user license fee or on cloud-based resource consumption. It is not capable of network segmentation.

One resource group each for frontend and backend servers is incorrect because a resource group is simply a container that holds related resources for an Azure solution. Virtual network connectivity is not affected by having different resource groups.

One network security group each for frontend and backend servers is incorrect because this is primarily used for filtering network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. By default, network security groups allow traffic that originates and terminates in a virtual network.

26
Q

A company has a Windows Server running in an Azure Virtual Machine hosted in the South Central US Azure region. You have to view the planned maintenance, incidents, and other service outages in Azure that may affect your virtual machine and other related services.

What service should you use to accomplish the above requirement?

Azure Advisor
Azure Service Health
Azure Monitor
Azure Service Fabric
A

Azure Service Health

Explanation:
Azure offers a suite of experiences to keep you informed about the health of your cloud resources. This information includes current and upcoming issues such as service-impacting events, planned maintenance, and other changes that may affect your availability.

Azure Service Health is a combination of three separate smaller services: Azure Status, Service Health, and Resource Health.

Azure Status informs you of service outages in Azure on the Azure Status page. The page is a global view of the health of all Azure services across all Azure regions. The status page is a good reference for incidents with widespread impact, but we strongly recommend that current Azure users leverage Azure service health to stay informed about Azure incidents and maintenance.

Service Health provides a personalized view of the health of the Azure services and regions you’re using. This is the best place to look for service-impacting communications about outages, planned maintenance activities, and other health advisories because the authenticated Service Health experience knows which services and resources you currently use. The best way to use Service Health is to set up Service Health alerts to notify you via your preferred communication channels when service issues, planned maintenance, or other changes may affect the Azure services and regions you use.

Resource Health provides information about the health of your individual cloud resources, such as a specific virtual machine instance. Using Azure Monitor, you can also configure alerts to notify you of availability changes to your cloud resources. Resource Health along with Azure Monitor notifications, will help you stay better informed about the availability of your resources minute by minute and quickly assess whether an issue is due to a problem on your side or related to an Azure platform event.

Together, these experiences provide you with a comprehensive view into the health of Azure, at the granularity that is most relevant to you.

Therefore, the correct answer is: Azure Service Health.

Azure Advisor is incorrect because this service only analyzes your configurations and usage telemetry to offer personalized and actionable recommendations to help you optimize your Azure resources for reliability, security, operational excellence, performance, and cost. It doesn’t provide information about the planned maintenance, incidents, and other service outages in Azure that may affect your virtual machine and other related services.

Azure Service Fabric is incorrect because this is just a distributed systems platform in Azure that makes it easy for you to package, deploy, and manage scalable and reliable microservices and containers.

Azure Monitor is incorrect because it collects and analyzes telemetry from your own resources and fires alerts on it; the platform-side view of planned maintenance, incidents, and other service issues comes from Service Health, whose alerts are delivered through Azure Monitor action groups.

27
Q

Which Azure service is designed for the offline transfer of large volumes of data to Azure storage services by shipping physical devices?

Azure Data Box
Azure Storage Explorer
Azure File Sync
AzCopy
A

Azure Data Box

Explanation:
Azure Data Box is a physical migration service that helps transfer large amounts of data in a quick, inexpensive, and reliable way. The secure data transfer is accelerated by shipping you a proprietary Data Box storage device with a maximum usable storage capacity of 80 terabytes. The Data Box is transported to and from your data center via a regional carrier. A rugged case protects and secures the Data Box from damage during transit.

You can order the Data Box device via the Azure portal to import or export data from Azure. Once the device is received, you can quickly set it up using the local web UI and connect it to your network. Once you’re finished transferring the data (either into or out of Azure), simply return the Data Box. If you’re transferring data into Azure, the data is automatically uploaded once Microsoft receives the Data Box back. The entire process is tracked end-to-end by the Data Box service in the Azure portal.

Data Box is ideally suited to transfer data sizes larger than 40 TB in scenarios with no or limited network connectivity. The data movement can be one-time, periodic, or an initial bulk data transfer followed by periodic transfers.

Here are the various scenarios where Data Box can be used to import data to Azure.

– Onetime migration – when a large amount of on-premises data is moved to Azure.

– Moving a media library from offline tapes into Azure to create an online media library.

– Migrating your VM farm, SQL server, and applications to Azure.

– Moving historical data to Azure for in-depth analysis and reporting using HDInsight.

– Initial bulk transfer – when an initial bulk transfer is done using Data Box (seed) followed by incremental transfers over the network.

– Periodic uploads – when a large amount of data is generated periodically and needs to be moved to Azure.

Hence, the correct answer is: Azure Data Box.

The following options are incorrect because these services move data over a network connection to Azure. The question states that an offline transfer option must be used.

– AzCopy

– Azure File Sync

– Azure Storage Explorer

28
Q
A