Reviewnprep 1 Flashcards

1
Q

Your network contains an on-premises Active Directory domain named corp.contoso.com.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory tenant named contoso.com.
You sync all on-premises identities to Azure AD. You need to prevent users who have a givenName attribute that starts with TEST from being synced to Azure AD. The solution must minimize administrative effort. What should you use?

A. Synchronization Rules Editor
B. Web Service Configuration Tool
C. The Azure AD Connect Wizard
D. Active Directory Users and Computers
E. None of these

A

A. Synchronization Rules Editor

Explanation:
Use the Synchronization Rules Editor and write attribute-based filtering rules.
The Synchronization Rules Editor is used to see and change the default configuration. You can find it on the Start menu under the Azure AD Connect group.

2
Q

You have a hybrid configuration of Azure Active Directory (Azure AD).
All users have computers that run Windows 10 and are hybrid Azure AD joined.
You have an Azure SQL database that is configured to support Azure AD Authentication.
Database developers must connect to the SQL database by using Microsoft SQL Server Management Studio (SSMS) and authenticate by using their on-premises Active Directory account.
You need to tell the developers which authentication method to use to connect to the SQL database from SSMS. The solution must minimize authentication prompts.
Which authentication method should you instruct the developers to use?

A. SQL Login
B. Active Directory - Universal with MFA support
C. Active Directory - Integrated
D. Active Directory - Password

A

C. Active Directory - Integrated

Explanation:
Use this method if you are logged into Windows using your Azure Active Directory credentials from a federated domain, or from a managed domain that is configured for seamless single sign-on with pass-through or password hash authentication. No password is needed or can be entered, because your existing Windows credentials are presented for the connection.

3
Q

You have an Azure subscription. You configure the subscription to use a different Azure Active Directory (Azure AD) tenant. What are two possible effects of the change? Each correct answer presents a complete solution.

A. Role assignments at the subscription level are lost
B. Virtual machine managed identities are lost
C. Virtual machine disk snapshots are lost
D. Existing Azure resources are deleted

A

A. Role assignments at the subscription level are lost
B. Virtual machine managed identities are lost

Explanation:
When you associate or add an Azure subscription to a different Azure Active Directory tenant, the following happens:

  1. Users that have been assigned roles using Azure RBAC will lose their access.
  2. Service Administrators and Co-Administrators will lose access.
  3. If you have any key vaults, they will be inaccessible and you will have to fix them after the association.
  4. If you have any managed identities for resources such as virtual machines or Logic Apps, you must re-enable or recreate them after the association.
4
Q

You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure AD).
You need to ensure that the application can use Secret1. What should you do?

A. In Azure AD, create a role
B. In Azure Key Vault, create a key
C. In Azure Key Vault, create an access policy
D. In Azure AD, enable Azure AD application proxy

A

C. In Azure Key Vault, create an access policy

Explanation:
A Key Vault access policy determines whether a given security principal, namely an application, user or group, can perform particular operations on Key Vault secrets, keys and certificates.
Access policies govern the data plane, which is what is needed here to read the secret.
You may also need to configure the target resource to allow access from your application.

5
Q

You are troubleshooting a security issue for an Azure Storage account. You enable the diagnostic logs for the storage account. What should you use to retrieve the diagnostics logs?

A. The Security and Compliance Admin Center
B. Azure Security Center
C. Azure Cosmos DB Explorer
D. AzCopy

A

D. AzCopy

Explanation:
Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. To view and analyze your log data, you should download the blobs that contain the log data you are interested in to a local machine. Many storage browsing tools enable you to download blobs from your storage account; you can also use AzCopy, the command-line copy tool provided by the Azure Storage team, to download your log data. AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.

6
Q

You plan to use Azure Resource Manager templates to perform multiple deployments of identically configured Azure virtual machines. The password for the administrator account of each deployment is stored as a secret in different Azure key vaults. You need to identify a method to dynamically construct a resource ID that will designate the key vault containing the appropriate secret during each deployment. The name of the key vault and the name of the secret will be provided as inline parameters. What should you use to construct the resource ID?

A. A key vault access policy
B. A linked template
C. A parameters file
D. An automation account
E. A configuration file

A

B. A linked template

Explanation:
You can dynamically generate the resource ID for a key vault secret by using a linked template.

7
Q

You use Azure Security Center for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. You create an initiative and an assignment that is scoped to a management group. Does this meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
Management groups in Microsoft Azure solve the problem of needing to impose governance policy on more than one Azure subscription simultaneously. You need to use an initiative to bundle the policy definitions into a group that can be applied to the management group.

8
Q

You have an Azure subscription that contains a user named User1 and an Azure Container Registry named ContReg1. You enable content trust for ContReg1. You need to ensure that User1 can create trusted images in ContReg1.
The solution must use the principle of least privilege. Which two roles should you assign to User1?

A. AcrQuarantineReader
B. Contributor
C. AcrPush
D. AcrImageSigner
E. AcrQuarantineWriter

A

C. AcrPush
D. AcrImageSigner

Explanation:
The ability to sign images is usually assigned to an automated process, which would use a service principal. This permission is typically combined with the push image permission to allow pushing a trusted image to a registry. Together they allow the user to sign and push trusted images. Only the users or systems you have granted permission can push trusted images to your registry. To grant trusted image push permission to a user (or a system using a service principal), grant their Azure AD identities the AcrImageSigner role. This is in addition to the AcrPush role required for pushing images to the registry.

9
Q

You use Azure Security Center for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the definitions as a group to all three subscriptions. You create a resource graph and an assignment that is scoped to a management group. Does this meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Management groups in Azure solve the problem of needing to impose governance policy on more than one Azure subscription simultaneously. However, you need to use an initiative, not a resource graph, to bundle the policy definitions into a group that can be applied to the management group. You bundle policies into initiatives and apply the initiatives to the management groups, not to a resource graph.
Azure Resource Graph is a service in Azure that is designed to extend Azure Resource Management by providing efficient and performant resource exploration, with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

10
Q

You use Azure Security Center for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. You create a policy definition and assignments that are scoped to resource groups. Does this meet the goal?

A. Yes
B. No

A

B. No

Explanation:
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group. Management groups in Azure solve the problem of needing to impose governance policy on more than one Azure subscription simultaneously. You can only group multiple subscriptions in management groups, NOT in resource groups, which are meant for grouping multiple resources.

11
Q

You plan on configuring your Azure SQL deployment such that users can authenticate to it using their Azure AD credentials. What must be done first to allow this?

A. Set an Azure AD admin account for SQL
B. Register SQL as an Azure AD enterprise app
C. Configure Azure AD connect
D. Local Active Directory Domain sync with Azure AD Connect
E. Users must be configured to use MFA

A

A. Set an Azure AD admin account for SQL

Explanation:
In order to integrate Azure SQL servers with Azure Active Directory, an Azure AD admin must be assigned to the SQL server. This account can then log into the SQL server using SSMS and assign other Azure AD user and group principals to the server.

12
Q

Which AAD Connect service allows us to override the default synchronization behavior by creating custom criteria?

A. Synchronization Service
B. Synchronization Rules Editor
C. AAD Connect Wizard
D. Start-ADSyncSyncCycle

A

B. Synchronization Rules Editor

Explanation:
To create custom rules that modify the behavior of AAD Connect object synchronization, we can use the Synchronization Rules Editor.

13
Q

From Azure Security Center, you enable Azure Container Registry vulnerability scanning of the images in Registry1. You perform the following actions:
1. Push a Windows image named Image1 to Registry1
2. Push a Linux image named Image2 to Registry1
3. Push a Windows image named Image3 to Registry1
4. Modify Image1 and push the new image as Image4 to Registry1
5. Modify Image2 and push the new image as Image5 to Registry1

A. Image4
B. Image2
C. Image1
D. Image3
E. Image5

A

B. Image2
E. Image5

Explanation:
Only Linux images are scanned.

14
Q

Which statement regarding SQL auditing configurations is correct?

A. Server-level Blob auditing flows down to databases
B. After auditing is enabled, the server must be restarted
C. Server-level Blob auditing does not flow down to databases
D. Database auditing is enabled by default

A

A. Server-level Blob auditing flows down to databases

15
Q

Which statement regarding multiple Azure AD tenants in the same Azure account is true?

A. Switching to a different AD tenant shows the same deployed cloud resources
B. Switching to a different AD tenant shows different deployed cloud resources
C. Switching to a different AD tenant shows only a subset of deployed cloud resources
D. An Azure account can have only one Azure AD tenant

A

B. Switching to a different AD tenant shows different deployed cloud resources

Explanation:
Switching to a different AD tenant shows the different cloud resources deployed under that directory.

16
Q

Your company has an Azure subscription named Sub1. Sub1 contains an Azure web app named WebApp1 that uses Azure Application Insights. WebApp1 requires users to authenticate by using OAuth 2.0 client secrets. Developers at the company plan to create a multi-step web test app that performs synthetic transactions emulating user traffic to WebApp1. You need to ensure that web tests can run unattended. What should you do first?

A. In Microsoft Visual Studio, modify the .webtest file
B. Upload the .webtest file to Application Insights
C. Register the web test app in Azure AD
D. Add a plug-in to the web test app

A

B. Upload the .webtest file to Application Insights

Explanation:
You can monitor a recorded sequence of URLs and interactions with a website via multi-step web tests.

17
Q

You have an Azure subscription. You create an Azure web app named Contoso1812 that uses an S1 app service plan. You create a DNS record for www.contoso.com that points to the IP address of Contoso1812. You need to ensure that users can access Contoso1812 by using the https://www.contoso.com URL. Which two actions should you perform?

A. Turn on the system assigned managed identity for Contoso1812
B. Add a hostname to Contoso1812
C. Scale out the App Service plan of Contoso1812
D. Add a deployment slot to Contoso1812
E. Scale up the App Service plan of Contoso1812
F. Upload a PFX file to Contoso1812

A

B. Add a hostname to Contoso1812
F. Upload a PFX file to Contoso1812

Explanation:
You can configure Azure DNS to host a custom domain for your web apps. For example, you can create an Azure web app and have your users access it using either www.contoso.com or contoso.com as the FQDN. To do this, you have to create three records:
A root "A" record for contoso.com pointing to the web app's IP address
A root "TXT" record for domain verification
A CNAME record for the www name that points to the A record
To use HTTPS, you need to upload a PFX file to the Azure web app. The PFX file contains the TLS/SSL certificate and private key required for HTTPS.

18
Q

You have an Azure subscription named Sub1. You have an Azure Storage account named Sa1 in a resource group named RG1. Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access policies. You discover that unauthorized users accessed both the file service and the blob service. You need to revoke all access to Sa1. You generate new SASs. Does this meet the goal?

A. Yes
B. No

A

B. No

Explanation:
As per the question, the SASs are bound to stored access policies, so they are service SASs and can be revoked only by modifying or deleting the stored access policy. Creating new SASs has no effect on SASs that have already been issued. For an account-level SAS, regenerating the account access key is the only possibility. Simply creating a new SAS does not affect the currently issued SASs, so you must either delete or rename the stored access policy as stated, or regenerate the key used to create the SAS, which has the effect of disabling all SASs created with that previously generated key. Instead, you should create a new access policy.

19
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.com. You need to configure diagnostic settings for contoso.com. The solution must meet the following requirements:

  1. Retain logs for two years
  2. Query logs by using the Kusto Query Language (KQL)
  3. Minimize administrative effort

Where should you store logs?
A. An Azure event hub
B. An Azure Log Analytics workspace
C. An Azure Storage account

A

B. An Azure Log Analytics workspace

Explanation:
Use the Log Analytics workspaces menu to create a Log Analytics workspace in the Azure portal. A Log Analytics workspace is a unique environment for Azure Monitor log data. Each workspace has its own data repository and configuration, and data sources and solutions are configured to store their data in a particular workspace. You require a Log Analytics workspace if you intend to collect data from the following sources:
Azure resources in your subscription
On-premises computers monitored by System Center Operations Manager
Device collections from Configuration Manager
Diagnostics or log data from Azure Storage

20
Q

You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure HDInsight cluster on a virtual network. You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials. You need to configure the environment to support the planned authentication. You deploy Azure Active Directory Domain Services (Azure AD DS) to the Azure subscription. Does this meet the goal?

A. Yes
B. No
C. None of these

A

B. No

Explanation:
If you want to use the on-premises domain controllers, the correct approach is to set up a VPN gateway so that authentication is done over site-to-site VPN connectivity. Azure AD DS could be used as well, but in this case it is not required. Moreover, you have a hybrid environment, so AD DS is already in place; what you need is the site-to-site VPN.

21
Q

You have a web app named WebApp1. You create a web application firewall policy named WAF1. You need to protect WebApp1 by using WAF1. What should you do first?

A. Deploy an Azure Front Door
B. Add an extension to WebApp1
C. Deploy Azure Firewall

A

A. Deploy an Azure Front Door

Explanation:
WAF can be deployed with Azure Application Gateway, Azure Front Door and Azure Content Delivery Network (CDN).

22
Q

You have an Azure SQL database and implement Always Encrypted. You need to ensure that application developers can retrieve and decrypt data in the database. Which two pieces of information should you provide the developers?

A. A stored access policy
B. A shared Access Signature (SAS)
C. The column encryption key
D. User credentials
E. The column master key

A

C. The column encryption key
E. The column master key

Explanation:
Always Encrypted uses two types of keys: column encryption keys and column master keys. A column encryption key is used to encrypt data in an encrypted column. A column master key is a key-protecting key that encrypts one or more column encryption keys.

23
Q

You have an Azure subscription named Sub1. You have an Azure Storage account named Sa1 in a resource group named RG1. Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access policies. You discover that unauthorized users have accessed both the file service and the blob service. You need to revoke all access to Sa1, so you create a new stored access policy. Does this meet the goal?

A. Yes
B. No

A

B. No

Explanation:
A stored access policy provides an additional level of control over service-level shared access signatures (SASs) on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time or permissions for a signature, or to revoke it after it has been issued.

24
Q

You have an Azure subscription named Sub1 and a storage account named Sa1 in a resource group named RG1. Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access policies. You discover that unauthorized users accessed both the file service and the blob service. You need to revoke all access to Sa1, so you create a lock on Sa1. Does this meet the goal?

A. Yes
B. No

A

B. No

Explanation:
As an admin, you may need to lock a subscription, resource group or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively. CanNotDelete means authorized users can still read and modify a resource, but they cannot delete it. Given this, a lock cannot revoke access.

25
Q
  1. You can configure multiple AD Connect connectors for the same Active Directory Domain
  2. You can configure multiple domains to sync with AD Connect
  3. Azure firewall supports inbound and outbound filtering

A. Yes Yes Yes
B. No No Yes
C. No Yes No
D. No Yes Yes
E. No No No

A

D. No Yes Yes

Explanation:
1. Multiple connectors for the same AD domain are not supported; however, you can configure a secondary server in staging mode for DR purposes.
2. You can configure multiple domains to sync with Azure AD via AD Connect.
3. Azure Firewall supports inbound and outbound filtering; however, inbound filtering is supported only for non-HTTP/S protocols such as RDP, SSH and FTP.

26
Q

You have an Azure virtual machine named VM1. From Azure Security Center, you get the following high-severity recommendation:
"Install endpoint protection solutions on virtual machine." You need to resolve the issue causing the high-severity recommendation. What should you do?

A. Add the Microsoft Anti-malware extension to VM1
B. Install Microsoft System Center Security Management Pack for endpoint protection on VM1
C. Add the Network Watcher Agent for Windows extension to VM1
D. Onboard VM1 to Microsoft Defender Advanced Threat Protection

A

A. Add the Microsoft Anti-malware extension to VM1

Explanation:
Microsoft Antimalware for Azure is a free real-time protection capability that helps identify and remove viruses, spyware and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. The solution is built on the same antimalware platform as Microsoft Security Essentials, Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and Windows Defender for Windows 8 and higher. Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention.

27
Q

You onboard Azure Sentinel. You connect Azure Sentinel to Azure Security Center. You need to automate the mitigation of incidents in Azure Sentinel. The solution must minimize administrative effort. What should you create?

A. An alert rule
B. A playbook
C. A function app
D. A runbook

A

B. A playbook

Explanation:
Use security playbooks in Azure Sentinel to set automated threat responses to security-related issues detected by Azure Sentinel.

28
Q

You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure HDInsight cluster on a virtual network. You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials. You need to configure the environment to support the planned authentication. You create a site-to-site VPN between the virtual network and the on-premises network. Does this meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
You can connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway. HDInsight relies on a popular identity provider, Active Directory, in a managed way. By integrating HDInsight with Azure Active Directory Domain Services (Azure AD DS), you can access the clusters by using your domain credentials. To join an HDInsight cluster to your AD DS servers (domain join), you need connectivity to your domain controllers. As the environment is hybrid, there are almost certainly DCs on premises, so even if there are DCs on that VNet, there needs to be a VPN or ExpressRoute circuit to support AD-integrated authentication. This is how we configure the environment to support the planned authentication, as asked in the question.

29
Q

You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure HDInsight cluster on a virtual network. You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials. You need to configure the environment to support the planned authentication. You deploy the on-premises data gateway to the on-premises network. Does this meet the goal?

A. Yes
B. No

A

B. No

Explanation:
The on-premises data gateway acts as a bridge. It provides quick and secure data transfer between on-premises data (data that is not in the cloud) and several Microsoft services such as Power BI, Power Apps, Power Automate, Azure Analysis Services and Azure Logic Apps. By using a gateway, organizations can keep databases and other data sources on their on-premises networks while securely using that on-premises data in cloud services. It is not used for authentication.

30
Q

You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure HDInsight cluster on a virtual network. You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials. You need to configure the environment to support the planned authentication, so you deploy an Azure AD Application Gateway. Does this meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service, which runs in the cloud, and the Application Proxy connector, which runs on an on-premises server. Azure AD, the Application Proxy service and the Application Proxy connector work together to securely pass the user sign-on token from Azure AD to the web application. Instead, you connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway to achieve this goal.

31
Q

What must you select when configuring Azure Security Center file integrity monitoring?

A. Log analytics workspace
B. Load balancer
C. Network Security Group
D. Policy

A

A. Log analytics workspace

Explanation:
FIM uploads data to the Log Analytics workspace.

32
Q

Which AAD authentication method allows for on-premises authentication without the need for additional infrastructure (other than agents)? The solution allows for a single point of authentication.

A. Active Directory Federation Services
B. Pass through Authentication
C. Seamless Single Sign On (SSSO)
D. Password Hash Synchronization

A

B. Pass through Authentication

Explanation:
Pass-through authentication (PTA) is an agent-based authentication method which allows users to sign in to both on-premises and cloud-based applications using the same passwords. Authentication occurs against local AD domain controllers. The PTA agent can be installed on any server running Windows Server 2012 R2 or later.

33
Q

What is required to authenticate to an Azure container registry?

A. username, encryption key
B. username, password, registry passphrase
C. username, PIN
D. server, username, password

A

D. server, username, password

34
Q

Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory tenant named contoso.com. The company develops an application named App1. App1 is registered in Azure AD. You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users. What should you configure?

A. An application permission without admin consent
B. A delegated permission without admin consent
C. A delegated permission that requires admin consent
D. An application permission that requires admin consent

A

B. A delegated permission without admin consent

Explanation:
Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an admin consents to the permissions that the app requests, and the app is delegated permission to act as the signed-in user when making calls to the target resource. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require admin consent. In this case, we need just access to the key vault, so no admin consent is needed.

35
Q

You have 10 virtual machines on a single subnet that has a single network security group (NSG). You need to log the network traffic to an Azure Storage account. Which two actions should you perform? Each correct answer presents part of the solution.

A. Install the Network Performance Monitor solution
B. Enable Azure Network Watcher
C. Enable diagnostic logging for the NSG
D. Enable NSG flow logs
E. Create an Azure Log Analytics workspace

A

B. Enable Azure Network Watcher
D. Enable NSG flow logs

Explanation:
An NSG enables you to filter inbound traffic to and outbound traffic from a virtual machine. You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability.
1. Create a VM with a network security group
2. Enable Network Watcher and register the Microsoft.Insights provider
3. Enable a traffic flow log for the NSG, using Network Watcher's NSG flow log capability
4. Download the logged data
5. View the data

36
Q

You have an Azure subscription that contains virtual machines. You enable just-in-time VM access to all the virtual machines. You need to connect to a virtual machine by using RDP. What should you do first?

A. From Azure AD Privileged Identity Management, activate the Security administrator user role
B. From Azure AD Privileged Identity Management, activate the Owner role for the virtual machine
C. From the Azure portal, select the virtual machine, select Connect and then select Request access
D. From the Azure portal, select the virtual machine and add the Network Watcher Agent virtual machine extension

A

C. From the Azure portal, select the virtual machine, select Connect and then select Request access

Explanation:
On the Connect to virtual machine page, select RDP and then select the appropriate IP address and port number. In most cases, the default IP address and port should be used. Select Download RDP File.

37
Q

Your network contains an AD forest named contoso.com. The forest contains a single domain. You have an Azure subscription named Sub1 that is associated to an Azure AD tenant named contoso.com. You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant. You need to recommend an integration solution that meets the following requirements:

  1. Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant.
  2. Minimizes the number of servers required for the solution.

Which authentication method should you include in the recommendation?

A. Federated identity with Active Directory Federation Services (AD FS)
B. Password hash sync with seamless single sign on (SSO)
C. Pass-through authentication with seamless single sign-on (SSO)

A

C. pass through authentication with seamless single sign on (SSO)

Explanation:
Pass-through authentication validates each sign-in against the on-premises domain controllers, so on-premises password policies, account states and logon restrictions (such as logon hours) are enforced, and it needs only a lightweight authentication agent on existing servers rather than the dedicated AD FS farm and Web Application Proxy servers of option A. Option B would also avoid extra servers, but password hash sync validates the password in Azure AD against the synced hash, so on-premises password policies and logon restrictions are not enforced at sign-in.

38
Q

You have an Azure web app named WebApp1. You upload a certificate to WebApp1. You need to make the certificate accessible to the app code of WebApp1. What should you do?

A. Add a user assigned managed identity to WebApp1
B. Add an app setting to the WebApp1 configuration
C. Enable system assigned managed identity for the WebApp1
D. Configure the TLS/SSL binding for WebApp1

A

B. Add an app setting to the WebApp1 configuration

Explanation:
To access a certificate in your app code, add its thumbprint to the WEBSITE_LOAD_CERTIFICATES app setting, for example by running the following command in Cloud Shell:

az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>

The value is a comma-separated list of thumbprints, or * to load every uploaded certificate. The WEBSITE_LOAD_CERTIFICATES app setting makes the specified certificates accessible to your Windows-hosted app in the Windows certificate store; the store location (current user or local machine) depends on the pricing tier.

The command makes the certificate available to the app code by adding its thumbprint to the WEBSITE_LOAD_CERTIFICATES app setting, which is configured through the appsettings set subcommand. A managed identity (options A and C) gives the app an identity for calling other Azure services such as Key Vault, and a TLS/SSL binding (option D) serves the certificate on the app's hostname; neither exposes the certificate to the app code.

39
Q

You deploy a Linux virtual machine named VM1 to Subscription1. You need to monitor the metrics and the logs of VM1. What should you use?

A. AzurePerformanceDiagnostics extension
B. Azure HDInsight
C. Linux Diagnostic Extension 3.0
D. Azure Analysis Services

A

C. Linux Diagnostic Extension 3.0

Explanation:
The Linux Diagnostic Extension (LAD) 3.0 collects performance metrics and syslog events from a Linux VM and writes them to an Azure Storage account (optionally also to Event Hubs), which lets you monitor the health of the VM over time. The AzurePerformanceDiagnostics extension is an on-demand troubleshooting tool rather than continuous monitoring, and HDInsight and Analysis Services are analytics services unrelated to VM monitoring.

40
Q

You have an Azure AD tenant named contoso.onmicrosoft.com. The User administrator role is assigned to a user named Admin1. An external partner has a Microsoft account that uses the user1@outlook.com sign-in. Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message:

"Unable to invite user user1@outlook.com. Generic authorization exception"

You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?

A. From the roles and administrators blade, assign the Security administrator role to Admin1
B. From the organizational relationships, add an identity provider
C. From the custom domain names blade, add a custom domain
D. From the users blade, modify the external collab settings

A

D. From the users blade, modify the external collab settings

Explanation:
The "Generic authorization exception" means the inviting user is not permitted to send B2B guest invitations. In the Azure AD portal, go to Users > User settings > Manage external collaboration settings and change the guest invite setting so that admins and users in the Guest Inviter role (or all members) can invite guest users. Holding the User administrator role does not help while invitations are switched off at the tenant level, and adding a domain or an identity provider does not change who may invite.

41
Q

You are using the point-in-time restore (PITR) feature to restore an Azure SQL database. Which statement regarding this scenario is correct?

A. Cross-region restore is supported
B. PITR allows only restoration from weekly backups
C. The restore can occur into a new database
D. PITR requires the SQL server to be down

A

C. The restore can occur into a new database

Explanation:
Use point-in-time restore to create a new database on the same server as a copy of an existing database as it was at some point in the past; the restore never overwrites the existing database, and the server stays online while it runs. Restoring into another region is a separate feature (geo-restore) that uses the geo-replicated backups.
All Basic, Standard and Premium databases are protected by automatic backups: full backups are taken every week, differential backups every 12 to 24 hours and transaction log backups every 5 to 10 minutes, which is what allows a restore to any point within the retention period rather than only to the weekly full backup.

42
Q

You have configured an Azure SQL Failover Group and executed a forced failover. Which statement regarding this scenario is correct?

A. There could be some data loss
B. Databases in the group will be unavailable for the grace period
C. All databases in the failover group will be restored to new databases
D. There will not be any data loss since synchronization will occur first

A

A. There could be some data loss

Explanation:
An unplanned or forced failover immediately switches the secondary to the primary role without waiting for recent changes to propagate from the primary, so it may result in data loss. Forced failover is used as a recovery method during outages when the primary is not accessible. When the original primary is back online, it automatically reconnects without synchronization and becomes the new secondary.

43
Q

You have an Azure Storage account named storage1 that has a container named container1. You need to prevent the blobs in container1 from being modified. What should you do?

A. From container1, change the access level.
B. From container1, add an access policy
C. From container1, modify the Access Control (IAM) settings
D. From storage1, enable soft delete for blobs

A

B. From container1, add an access policy

Explanation:
From the container's Access policy blade you can set either a time-based retention policy (blobs are locked for a user-specified interval) or a legal hold (blobs are locked until the hold is explicitly cleared). Immutable storage for Azure Blob storage keeps business-critical data objects in a WORM (Write Once, Read Many) state: while the policy or hold is in effect the blobs can be neither modified nor deleted by any user, including the storage account owner. Changing the access level or IAM settings only controls who can reach the data, and soft delete only lets you recover deleted blobs; none of those prevents modification.