test 10 Flashcards

1
Q

Which of the following file formats are not recommended for compression?

MP3

JPG

Text/HTML

Text/CSS

A

MP3
JPG

2
Q

You are developing a storage plan that includes Premium storage. Which storage redundancy type is available to use? Select one.

Locally redundant storage

Read-access geo-redundant storage

Zone-redundant storage

Geo-redundant storage

A

Locally redundant storage

3
Q

What is the PowerShell command to add the image information to the virtual machine’s configuration?

Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"

Get-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"

Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Sku "2012-R2-Datacenter" -Version "current"

Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName WindowsServer -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"

A

Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"

4
Q

For a Linux VM, which of the following Azure CLI commands will open port 80?

az vm open-port --port 80 --resourcegroup myResourceGroup --name myVM

az vm open-port --port 80 --resource-group myResourceGroup --name myVM

az vm set-port --port 80 --resource-group myResourceGroup --name myVM

None of these commands are needed because port 80 is open by default.

A

az vm open-port --port 80 --resource-group myResourceGroup --name myVM

5
Q

You are trying to apply a tag to a resource group and need the appropriate permissions, following the principle of least privilege. Which answer below would be the most appropriate?

You are assigned the Contributor role in RBAC.

You are assigned the Owner role in RBAC.

You are assigned the Reader role in RBAC.

You are assigned the Administrator role in RBAC.

A

You are assigned the Contributor role in RBAC.

6
Q

Which account will be able to reset the password regardless of whether the Azure Active Directory password reset enabled option is selected?

An account with Owner permissions.

An account with Contributor permissions.

Azure Administrator

An account with Reader permissions.

A

Azure Administrator

7
Q

You want Azure Active Directory’s Application Proxy feature at the lowest price possible. You also want to make sure you have the enterprise-level SLA of 99.9 percent uptime. Which of the following would be the best option?

Azure Active Directory - Free

Azure Active Directory - Basic

Azure Active Directory - Premium P1

Azure Active Directory - Premium P2

A

Azure Active Directory - Premium P1

8
Q

One of your teammates on the IT team is trying to change the size of a VM but can’t seem to do so. They are able to start the job, but it fails immediately. What is one possible reason why they can’t perform this action?

The subscription doesn’t support this size of VM.

The resource has already reached its maximum size.

The resource is locked.

The user is logged into the classic portal.

A

The resource is locked.

9
Q

You are an IT administrator, and you are concerned about protecting corporate assets and ensuring that devices meet security and compliance standards. What options are available to bring a device under the control of Azure AD?

Using Identity Protection.

Registering the device to Azure AD.

Joining a device.

Using the Conditional Access Rule.

A

Registering the device to Azure AD.

9
Q

You have a MySQL database that you want to keep secure and protect from access via the public internet. Which of these options would you use? Select three.

Service Endpoint

VNet Peering

NSG

Private IP Address

A

Service Endpoint
NSG
Private IP Address

9
Q

The shared access signature (SAS) URI consists of which of the following?

SAS Token

Access Key 2

Access Key 1

Storage Resource

A

SAS Token
Storage Resource

9
Q

Which of the following settings are not swapped when you swap an app? Select three.

General settings, such as framework version, 32/64-bit, web sockets

Handler mappings

Always On

Custom domain names

Publishing endpoint

A

Always On
Custom domain names
Publishing endpoints

9
Q

You are backing up your App Service. Which of the following is included in the backup? Select two.

Files and database content totaling 15 GB

SSL-enabled Azure Database for MySQL

Firewall-enabled storage account

App configuration

Azure Database for MySQL

A

App configuration

Azure Database for MySQL

10
Q

You want to use Azure Identity Protection. Which one of the editions below supports this feature?

Free

Basic

Premium P2

Premium P1

A

Premium P2

11
Q

You are having problems with the installation of Azure File Sync on your server. What action could you take to get more details on possible issues?

Check the Diagnostics Logs.

Check the Activity Log.

Check the Azure File Sync error log on the local file system.

Run the command StorageSyncAgent.msi /l*v AFSInstaller.log.

A

Run the command StorageSyncAgent.msi /l*v AFSInstaller.log.

12
Q

Which series would we choose if we had a virtual machine used for Artificial Intelligence (AI)?

F-Series

A-Series

H-Series

L-Series

A

H-Series

12
Q

The Contoso Company would like policies implemented to enforce a standard for how their infrastructure is built. Which of the following RBAC roles will they need to have to view these policies?

Domain Administrator

Security Admin

Security Reader

Security Contributor

A

Security Reader

13
Q

You configured a routing table which should be forcing all outgoing traffic from one virtual machine to go through a firewall appliance. However, the traffic is not going through the firewall appliance. Which one of the following would be an effective diagnostic tool?

Create a Log Analytics workspace.

Install Network Monitoring Agent

Network Watcher

Activate Resource Diagnostic Settings

A

Network Watcher

13
Q

You have a MySQL database on a Linux instance. The MySQL database is in development and being worked on by your developers. Only the developers should have access to this database while it is in the development stage. Which of the following actions will ensure that only the developers can access the database?

Using the Azure Application Gateway.

Using an NSG rule that has the source: IP addresses identified (outbound rule).

Setting the NSG rules that only allow traffic from the developers.

Using an NSG rule that has the source port range (inbound rule).

A

Setting the NSG rules that only allow traffic from the developers.

14
Q

If you wanted to gain insight into the on-premises identity infrastructure that is used to access Azure AD applications, and also monitor the synchronizations that occur between your on-premises Active Directory Domain Services (AD DS) and Azure AD, which of the following tools would you use?

Azure AD Connect Health

Activity Report

This information is not captured within the Azure environment.

Security reports

A

Azure AD Connect Health

15
Q

Which of the following is not a recommended protocol to access Azure File Sync from your Windows Server?

NFS

SMB

HTTP

FTPS

A

HTTP

16
Q

Your company previously did not allow employees to use their own devices to access company resources for security reasons. However, management is now considering allowing employees to use their own devices in conjunction with AD join. What are the potential security benefits that may persuade management to allow employees to use their own devices?

Organizations can restrict access to apps from only the devices that meet the compliance policy.

Organizations can use Windows Hello support for convenient access to work resources.

Enterprise compliant roaming of user’s settings across joined devices for users with Microsoft accounts.

Organizations can still use on-premises AD to manage security protocols.

Organizations can use single sign-on functionality as long as the employees are connected to the domain network.

A

Organizations can restrict access to apps from only the devices that meet the compliance policy.

Organizations can use Windows Hello support for convenient access to work resources.

17
Q

What PowerShell command prompts the user for either a password or a username and password?

Put-Credential

Get-PsCredential

Set-Credential

Get-Credential

A

Get-Credential

18
Q

What is the limit on the total number of VNet service endpoints in a virtual network?

25,000

5

500

There is no limit on the total number of VNet service endpoints in a virtual network.

A

There is no limit on the total number of VNet service endpoints in a virtual network.

19
Q

We have reached the CPU quota in the West US 2 region. What two options do we have to move forward when creating this virtual machine?

Delete other running VMs.

Give the user admin rights.

Click Ok to charge the subscription.

Request a quota increase.

A

Delete other running VMs.

Request a quota increase.

20
Q

Your virtual machine, which is currently running, has a size of Standard DS2_v2. This size does not allow more than two NICs, and you need to add a third NIC. What steps would you take to add the additional NIC (assuming the NIC already exists)?

1) Shut down the machine 2) Go to the network blade of the VM 3) Click on Attach Network Interface. 4) Select the existing network interface 5) Select existing NIC and click okay. 6) Start the machine.

1) Shut down the machine. 2) Increase the plan size to DS3_v2. 3) Go into the network blade of the VM. 4) Go into the NSG blade. 5) Click attach network interface, 6) Select the existing NIC, and then click okay. 7) Start the machine.

1) Shut down the machine. 2) Increase the plan size to DS3_v2. 3) Go into the networking blade of the VM 4) Click Attach Network Interface. 5) Select the existing NIC, and then click okay. 6) Start the machine.

1) Upgrade the plan size to DS3_v2. 2) Go to the network security group blade. 3) Click Attach Network Interface. 4) Select the existing NIC, and then click okay. 5) Reboot the machine for the new NIC to be seen.

A

1) Shut down the machine. 2) Increase the plan size to DS3_v2. 3) Go into the networking blade of the VM 4) Click Attach Network Interface. 5) Select the existing NIC, and then click okay. 6) Start the machine.

21
Q

Which of the following items can be associated with a Network Security Group (NSG)?

Security Rule

Subnets

NIC

Virtual Machine

A

Security Rule
Subnets
NIC

22
Q

You decide to move all your services to Azure Kubernetes Service (AKS). Which of the following components will contribute to your monthly Azure charge? Select one.

Master node

Node virtual machines

Tables

Pods

A

Node virtual machines

23
Q

What method does Microsoft Azure App Service use to obtain credentials for users attempting to access an app? Select one.

synchronization of accounts across providers

pass-through authentication

credentials that are stored in the browser

redirection to a provider endpoint

A

redirection to a provider endpoint

24
Q

You are the new administrator of an organization, and one of the changes that you want to implement is multi-factor authentication (MFA). How would you be able to get a count of how many users have not registered for multi-factor authentication?

This information is not collected.

Security Alerts from Privileged Identity Management

Users page, within the MFA Settings site.

Identity Protection within the MFA report.

A

Users page, within the MFA Settings site.

25
Q

You have four different storage accounts. If you want to limit access to a team of people within the organization to just one storage service on one storage account, with the least amount of work, which of the following would be used to accomplish this goal?

SAS service.

SAS account.

Azure Traffic Manager

NSG

A

SAS service.

26
Q

Can you add an existing VM to an availability set?

Only when the VM has been suspended.

No, you can only add a VM to an availability set when creating the VM.

Only when the VM has been shut down.

Yes, you can add an existing VM to an availability set at any time.

A

No, you can only add a VM to an availability set when creating the VM.

27
Q

You are configuring networking for Azure Kubernetes Service (AKS). Which of the following maps incoming direct traffic to the pods? Select one.

Load Balancer

ClusterIP

NodePort

AKS node

A

NodePort

28
Q

Which of the following is not true about container groups? Select one.

Is assigned a DNS name label.

Exposes a single public IP address, with one exposed port.

Includes two Azure file shares as volume mounts.

Consists of two containers.

Is scheduled on multiple host machines.

A

Is scheduled on multiple host machines.

29
Q

You have an existing virtual machine that is currently running, and you need to add an existing custom data disk. What are the steps you would take?

A. Select the VM to which you are trying to attach the existing disk.
Click Attach existing to attach the available disk to the VM.
From the existing disk pane, select your disk, and then click OK.
Restart the machine in order for the additional disk to be seen.

B. Shut down the machine.
Select the VM to which you are trying to attach the existing disk.
Click Attach existing to attach the available disk to the VM.
From the existing disk pane, select your disk, and then click OK.

C. Select the VM to which you are trying to attach the existing disk.
Click Attach new to attach the available disk to the VM.
Select your disk, and then click OK.

D. Select the VM to which you are trying to attach the existing disk.
Click Attach existing to attach the available disk to the VM.
From the existing disk pane, select your disk, and then click OK.

A

D. Select the VM to which you are trying to attach the existing disk.
Click Attach existing to attach the available disk to the VM.
From the existing disk pane, select your disk, and then click OK.

30
Q

Which of the following built-in roles has the required Microsoft.Authorization permissions that will allow a user account to create a cloud endpoint?

Reader and Data Access

Contributor

Owner

User Access Administrator

A

Owner
User Access Administrator

31
Q

You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table.
Name   Resource Group   Daily Cost
VM1    RG1              20 euros
VM2    RG2              30 euros

You create the budget shown in the following exhibit.

Budget1 (Resource Group)
Current Spend: 5.93 EUR
Budget: 1,000.00 EUR

BUDGET SUMMARY
Name: Budget1
Scope: RG1 (Resource Group)
Filters: –
Amount: 1,000.00 EUR
Budget Period: Resets billing month
Start Date: 6/20/2019
End Date: 6/19/2021

BUDGET ALERTS
Alert Conditions
% of Budget   Amount   Action Group   Action Group (notifications)
50%           €500     AG1            1 Email
70%           €700     AG2            1 SMS
100%          €1,000   AG3            1 Azure App
Alert Recipients (email): User1@Contoso.com

The AG1 action group contains a user named admin@contoso.com only.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Hot Area:
Answer Area
When the maximum amount in Budget1 is reached, [answer choice]:

VM1 and VM2 are turned off
VM1 and VM2 continue to run
VM1 is turned off, and VM2 continues to run
Based on the current usage costs of the virtual machines, [answer choice]:

No email notifications will be sent each month
One email notification will be sent each month
Two email notifications will be sent each month
Three email notifications will be sent each month

A

Let me analyze each question:

Statement: “When the maximum amount in Budget1 is reached, [answer choice]”. Answer: VM1 and VM2 continue to run. Reason:

Azure budgets are monitoring tools that can trigger alerts but do not automatically take action on resources

While there are action groups configured (AG1, AG2, AG3), they only send notifications (email, SMS, Azure App)

The budget is scoped to RG1, but this only affects monitoring, not resource control

Therefore, reaching the budget limit will not automatically stop any VMs

Statement: “Based on the current usage costs of the virtual machines, [answer choice]”. Answer: Two email notifications will be sent each month. Reason:

VM1 costs 20 euros/day in RG1 (the budget scope)

Monthly cost for VM1 = 20 euros × 30 days = 600 euros

Budget alerts are set at:
50% (500 euros) - Will trigger email via AG1
70% (700 euros) - Will trigger SMS via AG2
100% (1000 euros) - Will trigger Azure App via AG3
With VM1’s monthly cost of 600 euros:
The 50% threshold (500 euros) will be triggered
The 70% threshold (700 euros) will not be triggered
The 100% threshold (1000 euros) will not be triggered

Note: VM2’s costs (30 euros/day) are not considered since it’s in RG2, which is outside the budget scope
Two notifications will be sent:
One to admin@contoso.com (via AG1)
One to User1@Contoso.com (default budget recipient)
Therefore, two email notifications will be sent each month when the 50% threshold is crossed.

32
Q

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You assign a built-in policy definition to the subscription.
Does this meet the goal?

A. Yes
B. No

A

The answer is B. No.
To meet the requirement, you should:

Create a Custom Policy Definition that:

Targets the Microsoft.Network/networkSecurityGroups resource type

Uses the deployIfNotExists or modify effect

Includes a policy rule that adds the required NSG rule for port 8080

Here’s an example policy definition:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Network/networkSecurityGroups"
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
        ],
        "operations": [{
          "operation": "add",
          "field": "properties.securityRules",
          "value": {
            "name": "Block8080",
            "properties": {
              "protocol": "TCP",
              "sourcePortRange": "*",
              "destinationPortRange": "8080",
              "sourceAddressPrefix": "VirtualNetwork",
              "destinationAddressPrefix": "VirtualNetwork",
              "access": "Deny",
              "priority": 100,
              "direction": "Inbound"
            }
          }
        }]
      }
    }
  }
}

Steps to implement the solution:
Create the custom policy definition using the above JSON
Assign the policy to the subscription
Set the policy assignment to use the “modify” effect
Ensure the policy has the necessary permissions through role assignment
This solution will:
Automatically add the required rule to any new NSG created in the subscription
Block TCP port 8080 between virtual networks
Apply consistently across all resource groups in the subscription
Work with the existing 10 virtual networks and any new ones created
The custom policy approach is required because:
It allows for specific rule configuration
It can automatically modify resources upon creation
It ensures consistent security rule implementation
It works at scale across the subscription

33
Q

You have an Azure subscription that contains the hierarchy shown in the following exhibit.

(Tenant Root Group → ManagementGroup1 → Subscription1 → RG1 → VM1)

You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy1 and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area

Answer Area
You can assign Policy1 to:

Subscription1 and RG1 only
ManagementGroup1 and Subscription1 only
Tenant Root Group, ManagementGroup1, and Subscription1 only
Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only
Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1
You can exclude Policy1 from:

VM1 only
RG1 and VM1 only
Subscription1, RG1, and VM1 only
ManagementGroup1, Subscription1, RG1, and VM1 only
Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1
Which option is correct for each question in the answer area, and why?

A

Let me analyze each part of the question:
“You can assign Policy1 to:” Answer: Tenant Root Group, ManagementGroup1, Subscription1, and RG1 only
Reason:
Azure Policy assignments can be made at the following levels:
Management Groups (including Tenant Root Group)
Subscriptions
Resource Groups
Individual resources (like VM1) cannot be direct targets for policy assignments
The hierarchy allows for assignment at any level except individual resources
Therefore, you can assign to all levels except VM1
You can exclude Policy1 from:
ManagementGroup1, Subscription1, RG1, and VM1 only
Exclusions can be specified for any resource or resource group within the scope of the policy assignment. However, you cannot exclude the Tenant Root Group itself because it is the top-level scope.

So, the correct options are:

You can assign Policy1 to: Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1
You can exclude Policy1 from: ManagementGroup1, Subscription1, RG1, and VM1 only

34
Q

You have an Azure subscription named Sub1 that contains the Azure resources shown in the following table:

Name       Type
RG1        Resource group
storage1   Storage account
VNET1      Virtual network
You assign an Azure policy that has the following settings:

Scope: Sub1
Exclusions: Sub1/RG1/VNET1
Policy definition: Append a tag and its value to resources
Policy enforcement: Enabled
Tag name: Tag4
Tag value: value4
You assign tags to the resources as shown in the following table:

Resource   Tag
Sub1       Tag1:subscription
RG1        Tag2:IT
storage1   Tag3:value1
VNET1      Tag3:value2
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Hot Area

Answer Area

Statements:

RG1 has the Tag2:IT tag assigned only.

Yes
No
Storage1 has the Tag1:subscription, Tag2:IT, Tag3:value1, and Tag4:value4 tags assigned.

Yes
No
VNET1 has the Tag2:IT and Tag3:value2 tags assigned only.

Yes
No

A

Let’s analyze each statement based on the given information:

RG1 has the Tag2:IT tag assigned only.

RG1 is assigned the tag Tag2:IT.
The policy to append Tag4:value4 does not apply to RG1 because VNET1 (which is in RG1) is excluded from the policy.
Therefore, RG1 has only the Tag2:IT tag.
Answer: Yes
Storage1 has the Tag1:subscription, Tag2:IT, Tag3:value1, and Tag4:value4 tags assigned.

Storage1 is assigned the tag Tag3:value1.
The policy to append Tag4:value4 applies to Storage1 because it is within the scope of Sub1 and not excluded.
However, Storage1 does not have Tag1:subscription or Tag2:IT assigned.
Answer: No
VNET1 has the Tag2:IT and Tag3:value2 tags assigned only.

VNET1 is assigned the tag Tag3:value2.
The policy to append Tag4:value4 does not apply to VNET1 because it is explicitly excluded.
VNET1 does not have Tag2:IT assigned.
Answer: No
So, the correct answers are:

RG1 has the Tag2:IT tag assigned only: Yes
Storage1 has the Tag1:subscription, Tag2:IT, Tag3:value1, and Tag4:value4 tags assigned: No
VNET1 has the Tag2:IT and Tag3:value2 tags assigned only: No

35
Q

You have an Azure subscription that contains the virtual networks shown in the following table:

Name    Location
VNet1   West Europe
VNet2   Southeast Asia
VNet3   South Central US
The subscription contains the subnets shown in the following table:

Name      Virtual network   Service endpoint
Subnet1   VNet1             None
Subnet2   VNet2             Microsoft.Storage
Subnet3   VNet3             Microsoft.Storage
Subnet4   VNet4             None
The subscription contains the storage accounts shown in the following table:

Name       Location           Kind
storage1   West Europe        StorageV2
storage2   South Central US   BlobStorage
storage3   Southeast Asia     StorageV2
You create a service endpoint policy named Policy1 in the South Central US Azure region to allow connectivity to all the storage accounts in the subscription.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer Area
Statements:

Policy1 can be applied to Subnet3.
[Yes] [No]

Only storage1 and storage2 can be accessed from VNet2.
[Yes] [No]

Only storage2 can be accessed from VNet3.
[Yes] [No]
Which option is correct for each statement in the answer area, and why?

A

I’ll help you with each statement.

Statement 1: Policy1 can be applied to Subnet3.

Correct answer: Yes

Why: Policy1 is created in the South Central US Azure region, which is the same region as VNet3 (where Subnet3 is located). Service endpoint policies can be applied to subnets in the same region.

Statement 2: Only storage1 and storage2 can be accessed from VNet2.

Correct answer: No

Why: VNet2 has a service endpoint for Microsoft.Storage, which allows access to all storage accounts in the subscription, not just storage1 and storage2. There is no restriction mentioned that would prevent access to storage3 from VNet2.

Statement 3: Only storage2 can be accessed from VNet3.

Correct answer: Yes

Why: Similar to Statement 2, VNet3 has a service endpoint for Microsoft.Storage, which allows access to all storage accounts in the subscription; due to the location match, the statement is correct.

36
Q

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Add a service endpoint to VNet1
B. Reset GW1
C. Create a route-based virtual network gateway
D. Add a connection to GW1
E. Delete GW1
F. Add a public IP address space to VNet1
Which options are correct, and why?

A

To configure a point-to-site (P2S) connection from an on-premises computer to VNet1, you need to perform the following actions:

Create a route-based virtual network gateway (C): Point-to-site VPN connections require a route-based VPN gateway, not a policy-based one. This is because route-based gateways support IKEv2 and OpenVPN protocols, which are necessary for P2S connections.

Delete GW1 (E): Since you currently have a policy-based virtual network gateway (GW1), you need to delete it before you can create a new route-based virtual network gateway. Azure does not allow changing the type of an existing gateway; you must delete the existing one and create a new one.

Why the other options are incorrect:
A. Add a service endpoint to VNet1: Service endpoints are used to secure Azure service resources to your virtual network, but they are not related to configuring VPN connections.
B. Reset GW1: Resetting the gateway does not change its type from policy-based to route-based, which is necessary for P2S connections.
D. Add a connection to GW1: Adding a connection to the existing policy-based gateway will not help because P2S connections require a route-based gateway.
F. Add a public IP address space to VNet1: While a public IP address is necessary for the VPN gateway, this option is not relevant to the specific requirement of changing the gateway type to support P2S connections.

36
Q

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?

A. Yes
B. No

A

The answer is A. Yes

Here’s why this solution meets the goal:
Azure Policy capabilities:
Azure Policies allow you to enforce rules and compliance across your Azure resources
They can be used to automatically enforce standards when new resources are created
Policies can be applied at subscription level, which affects all resource groups within that subscription
Custom Policy for NSGs:
A custom policy definition can be created to define rules for NSG creation
The policy can specify that any new NSG must include a security rule blocking TCP port 8080
When assigned at the subscription level, it will apply to all resource groups in that subscription
Policy enforcement:
The policy will automatically enforce the rule when new NSGs are created
It ensures consistency across all NSGs in the subscription
It prevents creation of NSGs that don’t comply with the port 8080 blocking requirement
Benefits of this approach:
Centralized control: Manages security rules across multiple virtual networks from one policy
Automated enforcement: No need for manual intervention when new NSGs are created
Consistent security: Ensures uniform security rules across all virtual networks
Scalable: Automatically applies to new NSGs as they are created
This solution is particularly effective because:
It’s preventive rather than reactive
It ensures compliance by default
It reduces administrative overhead
It eliminates the risk of human error in implementing the security rule

37
Q

You have an Azure subscription that contains the resources shown in the following table:

Name    Type              Resource group
VNET1   Virtual network   RG1
VM1     Virtual machine   RG1
The Not allowed resource types Azure policy that has policy enforcement enabled is assigned to RG1 and uses the following parameters:

Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines
In RG1, you need to create a new virtual machine named VM2 and then connect VM2 to VNET1.

What should you do first?

A. Remove Microsoft.Compute/virtualMachines from the policy.
B. Create an Azure Resource Manager template.
C. Add a subnet to VNET1.
D. Remove Microsoft.Network/virtualNetworks from the policy.

A

The correct answer is A: Remove Microsoft.Compute/virtualMachines from the policy.

38
Q

HOTSPOT
Overview

ADatum Corporation is a consulting firm that has a main office in Montreal and branch offices in Seattle and New York.

Existing Environment

Azure Environment

ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.

The subscription contains the storage accounts shown in the following table.
Name       Kind        Location   Hierarchical namespace   Container   File share
storage1   StorageV2   West US    Yes                      cont1       share1
storage2   StorageV2   West US    No                       cont2       share2

The subscription contains the virtual machines shown in the following table.

Name   Size   Operating system                  Description
VM1    A      Red Hat Enterprise Linux (RHEL)   Uses ephemeral OS disks
VM2    A      Windows Server 2022               Has a basic volume
VM3    B      Red Hat Enterprise Linux (RHEL)   Uses standard SSDs
VM4    M      Windows Server 2022               Uses Write Accelerator disks
VM5    E      Windows Server 2022               Has a dynamic volume

The subscription has an Azure container registry that contains the images shown in the following table.

| Name | Operating system |
|---|---|
| Image1 | Windows Server |
| Image2 | Linux |

The subscription contains the resources shown in the following table.

| Name | Description | In resource group |
|---|---|---|
| Workspace1 | Log Analytics workspace | RG1 |
| WebApp1 | Azure App Service web app | RG1 |
| VNet1 | Virtual network | RG2 |
| zone1.com | Azure Private DNS zone | RG3 |

The subscription contains an Azure key vault named Vault1.
Vault1 contains the certificates shown in the following table.

| Name | Content type | Key type | Key size |
|---|---|---|---|
| Cert1 | PKCS#12 | RSA | 2048 |
| Cert2 | PKCS#12 | RSA | 4096 |
| Cert3 | PEM | RSA | 2048 |
| Cert4 | PEM | RSA | 4096 |

Vault1 contains the keys shown in the following table.

| Name | Type | Description |
|---|---|---|
| Key1 | RSA | Has a key size of 4096 |
| Key2 | EC | Has Elliptic curve name set to P-256 |

ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.

| Name | Microsoft Entra role | Azure role |
|---|---|---|
| Admin1 | Global Administrator | None |
| Admin2 | Attribute Definition Administrator | None |
| Admin3 | Attribute Assignment Administrator | None |
| User1 | None | Reader for RG2 and RG3 |

The tenant contains the groups shown in the following table.

| Name | Type |
|---|---|
| Group1 | Security group |
| Group2 | Microsoft 365 group |

The adatum.com tenant has a custom security attribute named Attribute1.

ADatum plans to implement the following changes:

  • Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
  • In storage1, create a new container named cont2 that has the following access policies:
    o Three stored access policies named Stored1, Stored2, and Stored3
    o A legal hold for immutable blob storage
  • Whenever possible, use directories to organize storage account content.
  • Grant User1 the permissions required to link Zone1 to VNet1.
  • Assign Attribute1 to supported adatum.com resources.
  • In storage2, create an encryption scope named Scope1.
  • Deploy new containers by using Image1 or Image2.

ADatum must meet the following technical requirements:

  • Use TLS for WebApp1.
  • Follow the principle of least privilege.
  • Grant permissions at the required scope only.
  • Ensure that Scope1 is used to encrypt storage services.
  • Use Azure Backup to back up cont1 and share1 as frequently as possible.
  • Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.

You implement the planned changes for cont2.

What is the maximum number of additional access policies you can create for cont2? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.
Answer Area

Stored access policies: 0 / 1 / 2 / 3 / 4 / 5

Immutable blob storage policies: 0 / 1 / 2 / 3 / 4 / 5

A

To determine the maximum number of additional policies you can create for cont2, we need to analyze two aspects: stored access policies and immutable blob storage policies.

Stored Access Policies
Azure Storage accounts have a limit on the number of stored access policies you can create per container. The limit is five stored access policies per container.

In the case study, cont2 already has three stored access policies created: Stored1, Stored2, and Stored3. Therefore, the number of additional stored access policies you can create is:

MaxPolicies(5) − ExistingPolicies(3) = 2

Immutable Blob Storage Policies
Azure Storage accounts allow the use of immutable blob storage policies to enforce legal holds and time-based retention policies. A container can have:

  • One legal hold policy (already applied in this case).
  • Multiple time-based retention policies, but the total combined limit of immutable blob storage policies is two per container.

Since cont2 already has one immutable blob storage policy (the legal hold), you can create one additional immutable blob storage policy.

Correct Answer
  • Stored access policies: 2
  • Immutable blob storage policies: 1

Explanation
  • Stored Access Policies: The total allowed is five, and three are already in place, leaving space for two more.
  • Immutable Blob Storage Policies: A container can have a maximum of two, and one is already in place (the legal hold), leaving space for one additional policy.

39
Q

Overview

ADatum Corporation is a consulting firm that has a main office in Montreal and branch offices in Seattle and New York.

Existing Environment

Azure Environment

ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.

The subscription contains the storage accounts shown in the following table.
| Name | Kind | Location | Hierarchical namespace | Container | File share |
|---|---|---|---|---|---|
| storage1 | StorageV2 | West US | Yes | cont1 | share1 |
| storage2 | StorageV2 | West US | No | cont2 | share2 |

The subscription contains the virtual machines shown in the following table.

The subscription has an Azure container registry that contains the images shown in the following table.

| Name | Operating system |
|---|---|
| Image1 | Windows Server |
| Image2 | Linux |

The subscription contains the resources shown in the following table.

| Name | Description | In resource group |
|---|---|---|
| Workspace1 | Log Analytics workspace | RG1 |
| WebApp1 | Azure App Service web app | RG1 |
| VNet1 | Virtual network | RG2 |
| zone1.com | Azure Private DNS zone | RG3 |

Azure Key Vault

The subscription contains an Azure key vault named Vault1.

Vault1 contains the certificates shown in the following table.

| Name | Content type | Key type | Key size |
|---|---|---|---|
| Cert1 | PKCS#12 | RSA | 2048 |
| Cert2 | PKCS#12 | RSA | 4096 |
| Cert3 | PEM | RSA | 2048 |
| Cert4 | PEM | RSA | 4096 |

Vault1 contains the keys shown in the following table.

| Name | Type | Description |
|---|---|---|
| Key1 | RSA | Has a key size of 4096 |
| Key2 | EC | Has Elliptic curve name set to P-256 |

Microsoft Entra Environment

ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.

| Name | Microsoft Entra role | Azure role |
|---|---|---|
| Admin1 | Global Administrator | None |
| Admin2 | Attribute Definition Administrator | None |
| Admin3 | Attribute Assignment Administrator | None |
| User1 | None | Reader for RG2 and RG3 |

The tenant contains the groups shown in the following table.

| Name | Type |
|---|---|
| Group1 | Security group |
| Group2 | Microsoft 365 group |

The adatum.com tenant has a custom security attribute named Attribute1.

Planned Changes

ADatum plans to implement the following changes:

  • Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
  • In storage1, create a new container named cont2 that has the following access policies:
    o Three stored access policies named Stored1, Stored2, and Stored3
    o A legal hold for immutable blob storage
  • Whenever possible, use directories to organize storage account content.
  • Grant User1 the permissions required to link Zone1 to VNet1.
  • Assign Attribute1 to supported adatum.com resources.
  • In storage2, create an encryption scope named Scope1.
  • Deploy new containers by using Image1 or Image2.

Technical Requirements

ADatum must meet the following technical requirements:

  • Use TLS for WebApp1.
  • Follow the principle of least privilege.
  • Grant permissions at the required scope only.
  • Ensure that Scope1 is used to encrypt storage services.
  • Use Azure Backup to back up cont1 and share1 as frequently as possible.
  • Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.

You need to implement the planned changes for the storage account content.

Which containers and file shares can you use to organize the content?

A. share1 only
B. cont1 and share1 only
C. share1 and share2 only
D. cont1, share1, and share2 only
E. cont1, cont2, share1, and share2

| Name | Size | Operating system | Description |
|---|---|---|---|
| VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks |
| VM2 | D | Windows Server 2022 | Has a basic volume |
| VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses standard SSDs |
| VM4 | M | Windows Server 2022 | Uses Write Accelerator disks |
| VM5 | E | Windows Server 2022 | Has a dynamic volume |

A

The correct answer is D: cont1, share1, and share2.

Here’s why:

Based on the storage account details provided:

  • storage1 has both cont1 (container) and share1 (file share)
  • storage2 has both cont2 (container) and share2 (file share)

The planned changes state: “Whenever possible, use directories to organize storage account content.”

Both containers and file shares can be used to organize storage content:

  • Azure Storage containers can organize blob storage using a virtual directory hierarchy
  • Azure Files shares support proper directory structures

All three existing storage components (cont1, share1, and share2) can be used because:

  • Containers (cont1) support blob storage organization through virtual directories
  • File shares (share1 and share2) natively support directory structures
  • Both storage accounts (storage1 and storage2) are StorageV2, which supports modern storage features