test 3 Flashcards
Users are reporting that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com. You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single-sign-on (SSO) to access Azure resources. What should you do first?
From the on-premises network, deploy Active Directory Federation Services in a clustered environment.
From Azure AD, add and verify a custom domain name.
From the on-premises network, request a new certificate that contains the Active Directory domain name.
From the server that runs Azure AD Connect, modify the filtering options.
From Azure AD, add and verify a custom domain name.
The issue arises because users are being forced to use the default onmicrosoft.com domain rather than their actual email UPN (User Principal Name) in the on-premises Active Directory, likely due to a mismatch between the on-premises UPN and the Azure AD UPN. Adding and verifying the custom domain name in Azure AD (e.g., company.com) allows users to log in with their UPNs that match their primary email addresses in the on-premises Active Directory. This helps ensure that users can authenticate seamlessly and use SSO without needing to use the onmicrosoft.com domain.
Which of the following Network watcher feature would you use for the following requirement?
Find out if a network security rule is preventing a network packet from reaching a virtual machine hosted in an Azure virtual network.
IP Flow Verify
Next Hop
Traffic Analysis
Packet Capture
IP Flow Verify
IP Flow Verify is specifically designed to check if traffic is allowed or denied by network security group (NSG) rules. You input the source and destination IP addresses, ports, and protocol, and IP Flow Verify will determine if a security rule is blocking the traffic. This makes it the best tool for diagnosing if a network security rule is preventing a network packet from reaching a virtual machine in Azure.
A company needs to create a storage account that must follow the requirements below:
- Users should be able to add files, such as images and videos.
- Ability to store archive data.
- File shares need to be in place, which can be accessed across several VM’s.
- The data needs to be available, even if a region goes down.
- The solution needs to be cost-effective.
What is the type of replication they need to implement for the storage account?
A. Read-access geo-redundant storage (RA-GRS)
B. Locally redundant storage (LRS)
C. Zone-redundant storage (ZRS)
D. Geo-redundant storage (GRS)
Read-access geo-redundant storage (RA-GRS):
Correct Choice: RA-GRS provides geo-redundancy by replicating data to a secondary region, ensuring data availability even if the primary region goes down. It also allows read access to the data in the secondary region, which is beneficial for disaster recovery scenarios. This option meets the requirement for data availability across regions and is cost-effective compared to other geo-redundant options.
Geo-redundant storage (GRS):
Incorrect Choice: GRS provides geo-redundancy by replicating data to a secondary region, similar to RA-GRS. However, it does not allow read access to the secondary region, which can be a limitation for certain disaster recovery scenarios. RA-GRS is a more suitable choice when read access to the secondary region is needed.
Option RA-GRS is incorrect because additional read access to data in another region is not mentioned, and we also have to keep the cost to a minimum.
You need to allow traffic onto certain FQDN’s via the Azure Firewall. Which of the following rules would you create for this requirement?
A. NAT collections rules
B. Network collection rules
C. Application collection rules
D. FQDN collection rules
Application collection rules
Correct. Application collection rules in Azure Firewall are specifically designed to control outbound HTTP/S traffic based on Fully Qualified Domain Names (FQDNs). These rules allow you to specify FQDNs that users can access, making it ideal for allowing traffic to certain FQDNs. Application rules provide Layer 7 (application layer) filtering, which is needed for FQDN filtering, and allow for both wildcard and specific domain matching.
A. NAT collection rules
Incorrect. NAT (Network Address Translation) rules are used for inbound and outbound traffic translation between private and public IP addresses. They don’t provide filtering based on FQDNs and are not suitable for allowing traffic to specific domains.
B. Network collection rules
Incorrect. Network rules operate at Layer 4 (transport layer) and allow traffic based on IP addresses, protocols, and port numbers. They don’t support FQDN filtering, which is a Layer 7 function. Therefore, they are not suitable for controlling access to specific FQDNs.
D. FQDN collection rules
Incorrect. There is no “FQDN collection rules” option in Azure Firewall. FQDN filtering is part of Application collection rules in Azure Firewall, making this option invalid.
Which of the following can be used to organize resources for cost reporting? Choose the most complete answer.
A. Resource groups and tags
B. Tags
C. Cost Center, subscriptions, resource groups, and tags
D. Subscriptions, resource groups, and tags
C: Cost Center, subscriptions, resource groups, and tags
Correct because it includes all key elements used in Azure for cost management and reporting.
Cost Centers are logical units that help allocate costs based on departments, projects, or teams.
Subscriptions separate resources for billing and access control, making it easier to track costs across different teams or environments.
Resource Groups help group related resources, simplifying management and cost allocation.
Tags allow additional metadata to be applied across resources for flexible, detailed reporting.
You need to deploy two Azure virtual machines named VM1 and VM2 based on the Windows server 2016 image. The deployment must meet the following requirements:
- Provide a Service Level Agreement (SLA) of 99.95 percent availability.
- Use managed disks.
You propose a solution to create a scale set for the requirement. Would the solution meet the goal?
A. Yes
B. No
B. No
Explanation:
A scale set is generally used to deploy and manage a group of identical virtual machines, mainly for load balancing and scaling purposes. However, in this scenario, a scale set is not the correct solution because it doesn’t align with the requirements to meet the SLA of 99.95% availability for two individual VMs.
Here’s why each part of the requirements does not match the scale set solution:
99.95% Availability SLA:
Azure provides a 99.95% SLA for availability if two or more virtual machines are deployed in an availability set within the same region. This SLA is achieved by spreading the VMs across multiple fault and update domains, minimizing downtime during maintenance or failures.
Scale sets do provide high availability and scalability but are mainly intended for stateless applications that can scale in and out based on demand. For just two VMs requiring 99.95% SLA, the better solution is an availability set rather than a scale set.
Managed Disks:
Managed disks can be used with both availability sets and scale sets. Therefore, using a scale set does not specifically impact the managed disk requirement.
Solution Recommendation:
To meet the requirements, you should deploy VM1 and VM2 in an availability set with managed disks. This approach will ensure the required 99.95% SLA and support for managed disks.
Your company has the following resources created as part of its Azure subscription:
- 100 Azure virtual machines
- 10 Azure SQL databases
- 50 Azure file shares
You need to create a daily backup of all resources by using Azure Backup. What is the minimum number of backup policies you have to create for this requirement?
160
2
100
1
3
2
In this task, there are three types of resources that require a backup. One of them is the Azure SQL database. We don’t need to create a daily backup for Azure SQL Database because Azure provides a backup as an automatic service for every database by default.
A company has an Azure subscription. They want to transfer around 6 TB of data to the subscription. They plan to use the Azure Import/Export service. Which of the following can they use as the destination for the imported data?
A. Azure SQL Database
B. Azure Data Lake Storage
C. Azure Blob storage
D. Azure File Sync Storage
Azure Blob storage
Azure Import/Export service supports transferring data directly to Azure Blob storage. The service is commonly used to import large datasets (like 6 TB) into Blob storage by shipping hard drives to Azure data centers.
A company has an Azure AD tenant. They have users that are also synced with their on-premise environment. Getcloudskillsusr1 has the Reports Reader role assigned.
The administrator has enabled self-service password reset (SSPR) for all users.
- The administrator has enabled the following SSPR settings:
- Number of methods required to reset – 2
- Methods available to users – Mobile phone and Security questions
- Number of questions to register – 3
- Number of questions to reset – 3
The following security questions are chosen:
- In what city was your first job?
- What was the name of the first school you attended?
Would Getcloudskillsusr1 be required to answer the security question “In what city was your first job?” to reset their password?
A. Yes
B. No
A. Yes
Yes, here, since SSPR has been enabled for all users, the user would need to answer the security-related question to reset their password.
You create Azure AD administrative units for the subsidiaries of your organization. Each of the subsidiaries includes several hundred employees. You need to add these employees as administrative unit members. Select the tool you can use to achieve your goal.
A. Microsoft Office Admin center
B. PowerShell
C. Microsoft Graph
D. Azure CLI
E. Azure AD Portal
Azure AD Portal
Microsoft Office Admin center, Microsoft Graph, and PowerShell are incorrect because the Microsoft Office Admin center, Microsoft Graph, and PowerShell can manage individual users in the administrative units but not the list of the users in a bulk manner.
Azure CLI is incorrect because the Azure CLI does not have the functionality to create and manage administrative units.
What benefit does a Content Delivery Network (CDN) provide its users?
A. Allows you to store data that can be retrieved later in an extremely fast and inexpensive manner
B. Allows you to keep temporarily session information on the web visitor such as their login ID or their name
C. Allows you to reduce the traffic coming into a web server for static, unchanging files such as images, videos, and PDFs
D. For a small fee, Azure will take over management of your virtual machine, perform OS updates and ensure it’s running well
Allows you to reduce the traffic coming into a web server for static, unchanging files such as images, videos, and PDFs
Explanation:
Content Delivery Networks (CDNs) are specifically designed to optimize the delivery of static content to users by caching it on servers distributed across various geographic locations. This reduces latency and offloads the traffic from the main web server, thereby improving the performance and reliability of serving static assets.
You have an application in the East US region, running on a virtual network also in the East US region. You need to establish an encrypted, private connection to a data source that exists in Azure’s Japan region, and that data source does not have a public endpoint. Attempting to connect with the Japanese data source from East US results in an error. What is the best way to establish a connection between the two regions?
A. Use Global VNet Peering.
B. Install Gateway devices in both the East US and Japan regions, and connect the gateways together.
C. Install a Network Gateway in the Japan region. And have the East US application establish a private point-to-site VPN to Japan.
Use Global VNet Peering.
Global VNet Peering allows direct, private, and encrypted connectivity between virtual networks in different Azure regions (e.g., East US and Japan regions). This type of peering provides a low-latency connection between the VNets and enables resources in one VNet to communicate with resources in the other VNet as if they are on the same network.
Benefit: It’s the best option to establish a private, encrypted connection between Azure resources across regions without needing additional gateway devices or complex VPN configurations.
A company has set up a Virtual Machine in Azure. A web server listening on port 80 and a DNS server has been installed on the Virtual machine. A network security group is attached to the network interface for the virtual machine. The rules for the NSG are given below:
Select all server(s) that internet users will connect to on the Virtual machine if RuleB is deleted.
DNS server only
Both web and DNS servers
RDP, web, and DNS servers
Webserver only
RDP server only
RDP server only
If RuleB is deleted, users won’t be able to access port 80 and the webserver.
There is a Deny rule of RuleA for ports 50-60. Since DNS listens on port 53, you will not be able to access the DNS server. But you will still be able to connect to the virtual machine using RDP under the Allow_rdp rule.
Because of this logic, all other options are incorrect.
Your company has an Azure AD tenant named getcloudskills.com.
The following user is part of the tenant:
- Getcloudskillsusr1 is a User administrator.
The following VM is part of the tenant:
- Getclouskillsvm1 is a Windows 10 device that is AAD registered.
The following group is part of the tenant:
- Getcloudskillsgroup1 is a Dynamic Device group, Getcloudskillsusr1 is an owner of that group.
Would user Getcloudskillsusr1 be able to add device Getclouskillsvm1 to group Getcloudskillsgroup1?
A. Yes
B. No
No
Since the group is Dynamic in nature, you will not be able to add users or devices to a group manually.
Your company needs to deploy an application to a set of three virtual machines. You have to ensure that two virtual machines are always available in the event of a data center failure at any point in time.
You decide to deploy the virtual machines as part of an Availability Set.
Would this fulfill the requirement?
A. Yes
B. No
B. No
Availability sets can’t protect virtual machines from a data center-level failure. Availability zones protect VMs from data center failure.
You need to distribute your virtual machines across three Availability Zones.
A company is planning to deploy a set of virtual machines across different system tiers.
The following requirement needs to be met:
- Incoming requests to the Business Logic tier (50 VMs that are not accessible from the internet) from the web servers (5 VMs that are accessible from the internet) need to be spread equally across the virtual machines.
Which of the following would you implement?
An application gateway that uses the Standard tier
A network security group
An application gateway that uses the WAF tier
An Internal Load Balancer
A Public Load Balancer
An Internal Load Balancer
The Business Logic Tier has the requirement of NOT being accessible from the Internet. This means we should spin up an Internal Load Balancer.
You have defined an autoscale condition with four autoscale rules. The first rule scales out when the CPU utilization reaches 70 percent. The second rule scales back in when the CPU utilization drops below 50 percent. The third rule scales out if memory occupancy exceeds 75 percent. The fourth rule scales back in when memory occupancy falls below 50 percent. When will the system scale out?
When CPU utilization reaches 70 percent, or memory occupancy exceeds 75 percent
When CPU utilization reaches 70 percent, and memory occupancy exceeds 75 percent
You can’t do this with a single autoscale condition. An autoscale condition can only contain autoscale rules that use the same metric
When CPU utilization reaches 70 percent, or memory occupancy exceeds 75 percent
A company has an Azure subscription and an Azure tenant named getcloudskills.onmicrosoft.com. Getcloudskillsusr1 has Global Administrator permissions in Azure Active Directory.
The user getcloudskillsusr1 creates a new directory named staging.getcloudskills.onmicrosoft.com. New users need to be added to the new tenant. The company asks getcloudskillsusr1 to create user accounts.
Would this fulfill the requirement?
No
Yes
Yes
You need to connect Azure resources like Azure virtual machines across geographical regions. Which Azure networking option should you use?
VPN Gateway
Azure ExpressRoute
Virtual network peering
Virtual network peering
You have an Azure subscription named Getcloudskillsstaging. Under the subscription, you create a Resource group named Getcloudskillsrg.
You then create an Azure policy based on the “Not allowed resources types” definition. You define the parameters as Microsoft.Network. virtual networks as the not allowed resource type. You assign this policy to the Tenant Root Group. A Virtual Network does not already exist in this subscription.
Would you be able to create a virtual machine in the Getcloudskillsrg Resource group?
Yes
No
No
Since the policy is applied to the Tenant Root Group, it would be applied to all subscriptions and Resource groups. If you need to create a virtual machine, you must have permission to create virtual network resources required for VM provisioning. Hence the policy restricts the creation of the Vnet resources. You wouldn’t be able to create a new VM in this resource group.
You need to synchronize the files in the file share with an on-premise server named Getcloudskillsserver. Which of the following would you need to implement to fulfill this requirement? Choose 3 answers from the options given below.
Create a container instance
Download an automation script
Correct selection
Register Getcloudskillsserver
Create a sync group
Install the Azure File Sync agent on Getcloudskillsserver
Register Getcloudskillsserver
Create a sync group
Install the Azure File Sync agent on Getcloudskillsserver
