test 5 Flashcards

1
Q

You’ve been tasked with enhancing the redundancy of Azure Files NFSv4.1 shares within a storage account, currently configured with Locally Redundant Storage (LRS). Your company aims to migrate the existing file storage to Zone-Redundant Storage (ZRS).

What is the supported method to carry out this migration?

A. Perform the migration via Azure Portal

B. Request a live migration

C. Perform a manual migration

D. Perform the migration using AzureCli

A

Perform a manual migration

You can choose a manual migration or request a live migration, but live migration is not supported in the following cases:

NFSv3 protocol support is enabled for Azure Blob Storage

The storage account contains Azure Files NFSv4.1 shares

2
Q

You have an Azure subscription, which contains the following resources:

Prod-VM1 (virtual machine)

Prod-Webapp1 (app service)

Contoso.com (Azure AD domain services)

All the resources connect to Prod-Vnet1. You plan to deploy an Azure Bastion host named Prod-Bastion1 to Prod-Vnet1.

Which resources can be protected by Prod-Bastion1?

A. Contoso.com only

B. Prod-VM1 and Prod-Webapp1

C. Prod-VM1 only

D. All of the resources

A

Prod-VM1 only

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network on which it is provisioned.

3
Q

Which PowerShell cmdlet allows you to create a new Virtual machine scale set?

New-AzVM

Set-AzVmss

New-AzVmss

A

New-AzVmss

4
Q

In the Azure Recovery Services vault, if you delete any data mistakenly, it goes to soft delete to protect your data and recover backups. For how many days is the data retained before being permanently deleted?

90 days

30 days

14 days

Infinite

A

14 days

5
Q

You need to create a Network Security group using the PowerShell cmdlet and configure NSG rules to allow RDP and HTTP traffic.

# Define two inbound rules, then create the NSG with both rules attached
$rule1 = New-AzNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix `
    Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389

$rule2 = New-AzNetworkSecurityRuleConfig -Name web-rule -Description "Allow HTTP" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 -SourceAddressPrefix `
    Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80

New-AzNetworkSecurityGroup -ResourceGroupName TestRG -Location westus -Name `
    "NSG-FrontEnd" -SecurityRules $rule1, $rule2

You executed the PowerShell cmdlets above; are they correct?

Yes

No

A

Yes

6
Q

You have an Active Directory forest named contoso.com. You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled. You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.

You need to ensure that the synchronization completes successfully, and that exports, imports and synchronization can run.

What should you do?

A. From Azure PowerShell, run Start-ADSyncSyncCycle -PolicyType Initial.

B. Run Azure AD connect and disable staging mode.

C. Run Azure AD connect and set the SSO method to pass-through Authentication.

A

Run Azure AD Connect and disable staging mode.

Staging mode must be disabled. If Azure AD Connect is in staging mode, password hash synchronization will not work.

7
Q

In your Azure subscription, there is a highly important resource group named “Prod-rg1.” The subscription owner intends to prevent the deletion of the resource group itself or any resources contained within it.

Which solution would you recommend? The solution must use a minimal amount of administrative effort.

Add a delete lock on individual resources inside the resource group.

Add a delete lock on the resource group.

Add a read-only lock on the subscription level.

A

Add a delete lock on the resource group.

Add a delete lock on the resource group itself. A lock can also be placed on each resource inside the resource group, but that involves more administrative effort. Since the requirement is to use a minimal amount of administrative effort, the lock should be placed on the resource group itself.

8
Q

Your Azure subscription contains 10 virtual machines. You need to enable alerts if any virtual machine restarts, stops, or deallocates. Alerts must be sent to three administrators by email and by Azure app push notification.

You need to create alert rules, action groups, and actions in the Azure portal.

What is the minimum number of alert rules, action groups, and actions you should create?

Alert Rules = 2; Action groups = 3; Actions = 1

Alert Rules = 3; Action groups = 1; Actions = 1

Alert Rules = 3; Action groups = 1; Actions = 3

Alert Rules = 1; Action groups = 1; Actions = 1

A

Alert Rules = 3; Action groups = 1; Actions = 3

You need to establish three alert rules, each corresponding to a specific condition: restarting a virtual machine, powering off a virtual machine, and deallocating a virtual machine.

Additionally, you should create a single action group, which can be linked to multiple alert rules. Within this action group, you will define multiple actions.

To cater to three administrators, you must create three distinct actions within the action group.

9
Q

You plan to use a deployment template to deploy six instances of a web app in the East US region.

You need to ensure that you have met the minimum prerequisites for deployment. Your solution must minimize costs in Azure.

Deploy Azure application gateway.

Deploy one Azure App service plan.

Deploy Azure Load Balancer.

Deploy five Azure app service plans.

A

Deploy one Azure App Service plan.

Cost-effective: this option is typically the most cost-effective because one App Service plan can host all six web app instances.

10
Q

You have a subnet named Subnet1 that contains Azure virtual machines. A network security group (NSG) named NSG1 is associated with Subnet1. NSG1 contains only the default rules.

You need to create a rule in NSG1 to prevent the hosts on Subnet1 from connecting to the Azure portal. The hosts must be able to connect to other internet hosts.

To what should you set Destination in the rule?

Application security group

IP Addresses

Service Tag

Any

A

Service Tag

Explanation
You can use service tags.

11
Q

You have an Azure subscription that contains a virtual machine named VM1.

To VM1, you plan to add a 1-TB data disk that meets the following requirements:

  • Provides data resiliency in the event of a datacenter outage.
  • Provides the lowest latency and the highest performance.
  • Ensures that no data loss occurs if a host fails.

You need to recommend which type of storage and host caching to configure for the new data disk.

Storage type: Premium SSD that uses locally-redundant storage (LRS)
Host caching: None

Storage type: Premium SSD that uses zone-redundant storage (ZRS)
Host caching: Read-only

Storage type: Premium SSD that uses zone-redundant storage (ZRS)
Host caching: Read/Write

A

Storage type: Premium SSD that uses zone-redundant storage (ZRS)
Host caching: Read-only

Explanation
Configuring the data disk with Premium SSD that uses Zone-redundant storage (ZRS) ensures data resiliency in the event of a datacenter outage by replicating data across multiple availability zones. Setting the host caching to read-only can improve performance by caching read operations, providing lower latency, and ensuring no data loss if a host fails.

Ensures that no data loss occurs if a host fails.

  • Write caching can pose a risk of data loss in the event of a host failure. Thus, we need to be careful when enabling write caching.
12
Q

You are managing your company’s virtual networks (VNets) in Azure.

Your company has Azure Virtual Machines (VMs) across three VNets:

  • Prod-VNET1 has the address space 10.0.0.0/16.
  • Prod-VNET2 has the address space 10.1.0.0/16.
  • Prod-VNET3 has the address space 10.2.0.0/16.

You configure virtual network peering on the following networks:

  • Prod-VNET1 network peering allows virtual network access to Prod-VNET2.
  • Prod-VNET2 network peering allows virtual network access to Prod-VNET3.
  • Prod-VNET3 network peering allows virtual network access to Prod-VNET2.

You need to determine if Azure VMs in a specific virtual network can communicate with Azure VMs in other virtual networks.

Azure VMs on VNET2 can connect to Azure VMs on which VNET?

A. VNET3 only

B. VNET1 only

C. VNET1 and VNET2

A

A. VNET3 only

Why VNET3 only is correct:

VNet peering rules:
  • Peering is not transitive.
  • Each peering connection is bilateral.
  • Peering requires explicit configuration.

Current configuration:
  • VNET1 -> VNET2 (one-way)
  • VNET2 <-> VNET3 (two-way)

Connectivity analysis:
  • VNET2 can reach VNET3 (direct peering).
  • VNET1 can reach VNET2, but not vice versa.
  • There is no transitive connectivity.

13
Q

Which Microsoft Entra ID role is automatically assigned to whoever creates the tenant first?

A. Global Administrator

B. Owner

C. Account Administrator

D. Service Administrator

A

A. Global Administrator

14
Q

In the Networking settings of a VM, the NIC's public IP address is not displayed. What does this mean?

A

The public IP address is not available, which means the VM is not running.

15
Q

Which Azure built-in role has full access to all resources, including the right to delegate access to others?

A. Reader

B. Owner

C. Contributor

D. User Access Administrator

A

B. Owner
Owner role has full access to all resources in Azure including the right to delegate access to others.

16
Q

Under Azure RBAC, a collection of permissions is called a ________?

A. Role

B. Scope

C. Security principal

A

A. Role

17
Q

You are trying to assign a Microsoft Entra ID P2 license to a user but get an error. What could be the cause of the error?

A. From the user's profile section, modify the usage location.

B. From the directory blade, modify the directory role.

A

A. From the user's profile section, modify the usage location.

Let me explain why this is correct and provide examples of how to fix it:

Using PowerShell (AzureAD module):

# Set the usage location first
Set-AzureADUser -ObjectId "user@contoso.com" -UsageLocation "US"

# Then assign the license; the SKU ID below is a placeholder, look it up with Get-AzureADSubscribedSku
$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId = "<Entra-ID-P2-SkuId>"
$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license
Set-AzureADUserLicense -ObjectId "user@contoso.com" -AssignedLicenses $licenses

Using Microsoft Graph API:

// PATCH request to update usage location
PATCH https://graph.microsoft.com/v1.0/users/{user-id}
Content-Type: application/json

{
  "usageLocation": "US"
}

Why usage location is important:

License requirements:
  • Usage location is mandatory for licensing.
  • It determines service availability.
  • It ensures compliance with regional regulations.

Common error messages:
  • “License cannot be assigned to the user because the user is missing usage location”
  • “Unable to assign license - usage location required”

Regulatory compliance:
  • Different services are available in different regions.
  • Data residency requirements.
  • Compliance with local laws.

18
Q

You need to move some of the blueprint files to Azure. What should you do?

A. Generate an access key. Map a drive, and then copy the files by using File Explorer.

B. Use Azure Storage Explorer to copy the files.

C. Use the Azure Import/Export service.

D. Generate a shared access signature (SAS).

A

B. Use Azure Storage Explorer to copy the files.

Here’s why:

Azure Storage Explorer is the most appropriate tool because:
  • It’s specifically designed for managing Azure Storage resources.
  • It provides a user-friendly graphical interface.
  • It’s secure and supports all Azure authentication methods.
  • It allows for easy drag-and-drop file transfers.
  • It’s free and officially supported by Microsoft.
  • It works efficiently for moving files of various sizes.

Why the other options are less suitable:

Option A (generate an access key and map a drive):
  • Less secure, as access keys provide full access to the storage account.
  • Mapped drives can be unreliable and may disconnect.
  • Not recommended for production environments.

Option C (Azure Import/Export service):
  • This service is meant for very large datasets (terabytes).
  • Requires physical hard drives to be shipped to Microsoft.
  • Overkill for blueprint files.
  • More time-consuming and expensive.

Option D (generate a SAS):
  • A SAS alone is just an access token.
  • You still need a tool to actually transfer the files.
  • It’s only part of a solution, not a complete answer.

19
Q

Site to Site VPN connections provide connectivity between an On-prem network and Azure Virtual Network using an encrypted tunnel over the public internet.

Is the above statement correct?

A. Yes

B. No

C. Site to Site VPN connections provide connectivity between an On-prem network and Azure Virtual Network using an encrypted tunnel over the public internet.

A

A. Yes

Here’s why the statement is correct:

Site-to-site VPN connection components:
  • Creates an encrypted tunnel between the on-premises network and the Azure VNet
  • Uses the public internet as the transport medium
  • Requires a VPN gateway in Azure
  • Requires a VPN device on-premises
  • Uses IPsec/IKE protocols for encryption

Key characteristics:
  • Secure: traffic is encrypted
  • Cost-effective: uses the existing internet connection
  • Public internet: doesn’t require dedicated private lines
  • Always-on connection: provides continuous connectivity
  • Supports hybrid cloud scenarios

Why it’s different from other connectivity options:
  • ExpressRoute uses private connectivity (not the public internet)
  • Point-to-site VPN connects individual devices (not entire networks)
  • VNet peering connects Azure VNets (not on-premises networks)

Benefits:
  • More economical than dedicated lines
  • Relatively easy to set up
  • Good for hybrid scenarios
  • Suitable for most business needs
  • Provides secure communication

20
Q

You create an Azure storage account.

You need to create a lifecycle management rule to move blobs to cool storage if the blobs have not been used for 30 days.

What should you do first?

A. Enable access tracking.

B. Refresh the blob inventory.

C. Enable versioning for blobs.

D. Rotate the storage account keys.

A

A. Enable access tracking.

21
Q

How can you resolve the issue where Admin1, who has the User administrator role in the Azure Active Directory (Azure AD) tenant cloudportalfinance.onmicrosoft.com, is encountering a “Generic authorization exception” error while trying to invite an external partner with the Microsoft account user2@outlook.com?

A. Adjust the External collaboration settings in the Users settings blade.

B. Add a custom domain in the Custom domain names blade.

C. Include an identity provider in the Organizational relationships blade.

D. Assign the Security administrator role to Admin1 in the Roles and administrators blade.

A

A. Adjust the External collaboration settings in the Users settings blade is the correct answer.

Here’s a detailed explanation of why this is the correct solution:

Root cause:
  • The “Generic authorization exception” error typically occurs when there are restrictions on external collaboration at the tenant level.
  • Even though Admin1 has the User administrator role, the proper external collaboration settings still need to be enabled.

Why option A is correct:
  • External collaboration settings directly control who can invite external users.
  • These settings are tenant-wide and override individual role permissions.
  • The settings determine:
    • whether external invitations are allowed
    • who can send invitations
    • which domains are allowed or blocked for collaboration

22
Q

You are planning the deployment of a custom ASP.NET application that will run on Internet Information Server (IIS). The application will be hosted on four Azure virtual machines. The virtual machines will belong to the same virtual network and subnet and have a private IP address. The application will use a Microsoft SQL Server database to store content.

You need to configure load balancing for the application. The solution must ensure that the application is safe from any attacks, such as SQL injection or cross-site scripting (XSS) attacks.

What should you configure?

A. an Azure application gateway

B. an internal Azure load balancer

C. a network security group (NSG)

D. a public Azure load balancer

A

A. An Azure Application Gateway is the correct answer.

Here’s why this is the best solution:

Security features:
  • Application Gateway is a Layer 7 (application layer) load balancer.
  • It includes Web Application Firewall (WAF) capabilities that can protect against:
    • SQL injection attacks
    • Cross-site scripting (XSS) attacks
    • Other common web vulnerabilities
  • It provides TLS/SSL termination.
  • It can inspect HTTP traffic and apply security rules.

Load balancing capabilities:
  • Distributes incoming web traffic across multiple VMs [1]
  • Supports URL-based routing
  • Provides session affinity
  • Can handle SSL termination at the gateway level

Why the other options are inadequate:

B. Internal Azure Load Balancer:
  • Operates at Layer 4 (transport layer) only
  • Cannot inspect HTTP traffic
  • No built-in security features against SQL injection or XSS
  • No WAF capabilities

C. Network security group (NSG):
  • Only provides basic network-level security
  • Cannot perform application-level filtering
  • No load balancing capabilities
  • Cannot protect against application-level attacks

D. Public Azure Load Balancer:
  • Like the internal load balancer, operates at Layer 4 only
  • No application-level security features
  • Cannot protect against SQL injection or XSS
  • No WAF capabilities

23
Q

You create a new VM with a single OS disk and a single data disk.

You use all the default options while creating the VM, and you have no Azure Key vault.

Which option describes the encryption state of those disks?

A. OS disk is encrypted but data disk is unencrypted.

B. Both disks are encrypted using Storage Server Encryption.

C. Both disks are unencrypted.

A

B. Both disks are encrypted using Storage Server Encryption (SSE) is the correct answer.

Here’s why:

Default encryption behavior:
  • All Azure managed disks (both OS and data disks) are automatically encrypted using Storage Service Encryption (SSE) [1]
  • This is enabled by default and cannot be disabled
  • Uses industry-standard AES-256 encryption
  • Managed by Microsoft using platform-managed keys

Important points:
  • This encryption happens at the storage level (infrastructure)
  • It’s different from Azure Disk Encryption (ADE), which encrypts at the OS level
  • No key vault is required for SSE, as it uses platform-managed keys
  • Applies to both Premium and Standard managed disks

Why the other options are incorrect:

A. “OS disk is encrypted but data disk is unencrypted”:
  • Incorrect because all managed disks get SSE by default
  • There’s no scenario where only the OS disk would be encrypted under default settings

C. “Both disks are unencrypted”:
  • Incorrect because SSE is automatically applied
  • Cannot have unencrypted managed disks in Azure
  • Azure ensures all managed disks are encrypted at rest

24
Q

You have an Azure Active Directory (Azure AD) tenant named cloudportalfinance.onmicrosoft.com that contains 100 user accounts.

You purchase 10 Azure AD Premium P2 licenses for the tenant.

You need to ensure that 10 users can use all the Azure AD Premium features.

What should you do in this case?

A. From the Azure AD domain, add an enterprise application.

B. From the Directory role blade of each user, modify the directory role.

C. From the Groups blade of each user, invite the users to a group.

D. From the Licenses blade of Azure AD, assign a license.

A

D. From the Licenses blade of Azure AD, assign a license is the correct answer.

Here’s why:

License assignment process:
  • Azure AD Premium P2 features require explicit license assignment
  • Licenses must be assigned directly to users or through group-based licensing
  • The Licenses blade in Azure AD is specifically designed for this purpose

Steps to implement:
  • Navigate to the Azure AD portal
  • Go to the Licenses blade
  • Select the Azure AD Premium P2 licenses
  • Assign licenses to specific users or groups
  • Users will then have access to Premium features

Why the other options are incorrect:

A. “Add an enterprise application”:
  • Enterprise applications are for integrating third-party apps
  • Not related to license management
  • Doesn’t enable Premium features

B. “Modify the directory role”:
  • Directory roles control administrative permissions
  • Not related to Premium feature access
  • Changing roles doesn’t grant license features

C. “Invite users to a group”:
  • Simply adding users to a group doesn’t grant licenses
  • While you can use group-based licensing, you still need to assign the license to the group first
  • Group membership alone doesn’t enable Premium features

25
Q

You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2. VM1 hosts a frontend application that connects to VM2 to retrieve data. Users report that the frontend application is slower than usual. You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.

Which Azure Network Watcher feature should you use?

A. Network Security Groups flow logs

B. Connection troubleshoot

C. IP flow verify

D. Connection monitor

A

D. Connection monitor is the correct answer.

Here’s why Connection Monitor is the best solution:

Key features of Connection Monitor:
  • Measures real-time network performance metrics, including:
    • Round-trip time (RTT)
    • Packet loss [1]
    • Latency
    • Network topology
  • Provides continuous monitoring between VMs
  • Can track performance over time
  • Supports monitoring across virtual networks

Specific benefits for this scenario:
  • Directly measures RTT between VM1 and VM2
  • Provides historical data to analyze performance trends
  • Can set up alerts for performance thresholds
  • Helps identify network performance bottlenecks

26
Q

You have an Azure subscription that contains the resources shown in the following table:

Name   Type             Resource group  Tag
RG7    Resource group   N/A             None
VNET1  Virtual network  RG7             Department: D2

You assign a policy to RG7 as shown in the following table:

Section     Setting            Value
Scope       Scope              Subscription1/RG7
            Exclusions         None
Basics      Policy definition  Append a tag and its value to resources
            Assignment name    Append a tag and its value to resources
Parameters  Tag name           Label
            Tag value          Value1

To RG7, you apply the tag RGroup: RG7.

You deploy a virtual network named VNET2 to RG7.

Which tags apply to VNET1 and VNET2?

A. VNET1- Department: D2 and Label: Value1

VNET2- Label: Value1

B. VNET1- Department: D2

VNET2- Label: Value1

C. VNET1- Department: D2 and Label: Value1

VNET2 – RGroup: RG7 and Label: Value1

A

B.
VNET1- Department: D2

VNET2- Label: Value1

27
Q

Your company has a Microsoft Azure subscription.

The company has datacenters in Los Angeles and New York.

You are configuring the two datacenters as geo-clustered sites for site resiliency.

You need to recommend an Azure storage redundancy option.

You have the following data storage requirements:

  • Data must be stored on multiple nodes.
  • Data must be stored on nodes in separate geographic locations.
  • Data can be read from the secondary location as well as from the primary location.

Which of the following Azure storage redundancy options should you recommend?

A. Geo-redundant storage

B. Read-only geo-redundant storage

C. Zone-redundant storage

D. Locally redundant storage

A

B. Read-only geo-redundant storage

28
Q

You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.

You receive a notification that VM1 will be affected by maintenance.

You need to move VM1 to a different host immediately.

Solution: From the Redeploy blade, you click Redeploy.

Does this meet the goal?

A. Yes

B. No

A

A. Yes

Explanation
When you redeploy a VM, Azure will shut down the VM, move the VM to a new node within the Azure infrastructure, and then power it back on, retaining all your configuration options and associated resources.

29
Q

You need to connect Azure resources like Azure virtual machines across geographical regions. Which Azure networking option should you use?

A. Azure ExpressRoute

B. VPN Gateway

C. Virtual network peering

A

C. Virtual network peering. Let me explain why and compare the options:

Virtual network peering (option C):

Key characteristics:
  • Enables direct connectivity between virtual networks across regions
  • Low latency, high bandwidth connection
  • Traffic stays on Microsoft’s backbone network
  • No additional gateway required
  • Non-transitive by default

Benefits:
  • Simplest and most cost-effective for cross-region connectivity
  • No data encryption overhead (traffic stays private) [1]
  • No public internet exposure
  • Lower latency compared to VPN solutions
  • No single point of failure

Azure ExpressRoute (option A):

Key characteristics:
  • Dedicated private connection from on-premises to Azure [2]
  • Higher bandwidth (up to 100 Gbps)
  • Requires physical infrastructure and a carrier relationship

Benefits:
  • Consistent network performance
  • Better for hybrid cloud scenarios
  • More suitable for connecting on-premises to Azure, not for connecting Azure regions

VPN Gateway (option B):

Key characteristics:
  • Site-to-site or point-to-site connectivity
  • Encrypted traffic over the public internet
  • Limited bandwidth (up to 10 Gbps)

Benefits:
  • Good for secure connectivity over the internet
  • Lower cost than ExpressRoute
  • Better suited for hybrid connectivity, not optimal for cross-region Azure connections

30
Q

You have set up a computer named getcloudskillsclient1 that has a point-to-site VPN connection to an Azure virtual network named getcloudskillsnetwork. The point-to-site connection makes use of a self-signed certificate. You now have to establish a point-to-site VPN connection to the same virtual network from another computer named getcloudskillsclient2. The VPN client configuration package is downloaded and installed on the getcloudskillsclient2 computer.

You decide to join the getcloudskillsclient2 computer to Azure AD.

Would this fulfill the requirement?

A. Yes

B. No

A

B. No.

Here’s why joining getcloudskillsclient2 to Azure AD alone would not fulfill the requirement:

Explanation:

Certificate requirement:
  • The existing point-to-site VPN connection uses a self-signed certificate [1]
  • Each client that connects via point-to-site VPN needs the appropriate certificate [2]
  • Azure AD join alone does not provide the required certificate

What’s actually needed:
  • The self-signed certificate used by getcloudskillsclient1 needs to be:
    • exported from getcloudskillsclient1
    • imported to getcloudskillsclient2
  • Or a new client certificate needs to be:
    • generated from the same root certificate
    • installed on getcloudskillsclient2

VPN authentication process:
  • Point-to-site VPN using certificates requires:
    • the root certificate uploaded to the Azure VPN gateway
    • a client certificate derived from the root certificate
    • the client certificate installed on each connecting device

Azure AD join vs. VPN authentication:
  • Azure AD join provides:
    • device authentication to Azure AD
    • access to Azure AD-integrated resources
  • But it does NOT provide:
    • VPN certificates
    • VPN authentication credentials

31
Q

Your company needs to deploy an application to a set of three virtual machines. You have to ensure that two virtual machines are always available in the event of a data center failure at any point in time.

You decide to deploy the virtual machines as part of an Availability Set.

Would this fulfill the requirement?

A. Yes

B. No

A

B. No

Availability sets can’t protect virtual machines from a data center-level failure. Availability zones protect VMs from data center failure.

You need to distribute your virtual machines across three Availability Zones.

32
Q

In order to get diagnostics from an Azure virtual machine you own, what is the first step?

A. A diagnostics agent needs to be installed on the VM

B. You need to grant RBAC permissions to the user requesting diagnostics

C. You need to create a storage account to store it

A

C. You need to create a storage account to store it

33
Q

Your company has the following resources deployed to Azure:

Name               IP address  Connected to
getcloudskillsvm1  10.1.0.4    getcloudskillnetwork1\Subnet1
getcloudskillsvm2  10.1.10.4   getcloudskillnetwork1\Subnet2
getcloudskillsvm3  172.16.0.4  getcloudskillnetwork2\SubnetA
getcloudskillsvm4  10.2.0.8    getcloudskillnetwork2\SubnetB

You install a DNS service on virtual machine getcloudskillsvm1.

The DNS server settings are then configured for each virtual network as shown below:

DNS servers: Custom, IP address 10.1.0.4

You have to ensure that all virtual machines in your vnet can resolve DNS names by using the DNS service on the virtual machine getcloudskillsvm1. Which of the following would you implement for this requirement?

A. Configure a conditional forwarder for the getcloudskillsvm1 virtual machine.

B. Add a service endpoint for the virtual network getcloudskillsnetwork1.

C. Configure virtual network peering connections between all virtual networks.

D. Add service endpoints for the virtual network getcloudskillsnetwork2 and getcloudskillsnetwork3.

A

C. Configure virtual network peering connections between all virtual networks.

Explanation:
Why C is correct:

Virtual network (VNet) peering enables seamless connectivity between two VNets in Azure. It allows virtual machines in different VNets to communicate directly with each other as if they were part of the same network.
Since getcloudskillsvm1 (hosting the DNS service) is in getcloudskillnetwork1, machines in other VNets (like getcloudskillnetwork2) cannot resolve DNS queries via getcloudskillsvm1 unless they have connectivity.
By configuring VNet peering, all VNets can use the DNS server at 10.1.0.4 as long as their DNS settings are configured to point to this IP address.

Why the other options are wrong:
A. Configure a conditional forwarder for the getcloudskillsvm1 virtual machine.

A conditional forwarder is a DNS server configuration to forward queries for specific domains to another DNS server. This doesn’t address the issue of connecting virtual machines across different VNets. Without VNet peering, virtual machines in other VNets cannot even reach getcloudskillsvm1.
B. Add a service endpoint for the virtual network getcloudskillsnetwork1.

Service endpoints are used to secure traffic to specific Azure services like Azure Storage or Azure SQL within a virtual network. They are not designed to facilitate VNet-to-VNet communication or DNS resolution.
D. Add service endpoints for the virtual network getcloudskillsnetwork2 and getcloudskillsnetwork3.

Similar to option B, adding service endpoints does not enable connectivity between VNets. It only secures access to Azure platform services.

34
Q

You have an Azure subscription.

You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubenet networking.

You need to restrict network traffic between the pods.

What should you configure on the AKS cluster?

A. the Azure network policy

B. the Calico network policy

C. pod security policies

D. an application security group

Which option is correct, and why are the others wrong?

A

B. Calico network policy (CORRECT)

This is correct because:

Calico network policies work with Kubenet networking (specified in the question)

Calico is supported in both Kubenet and Azure CNI networking

It’s an open-source network policy solution that can effectively restrict traffic between pods

Calico provides fine-grained network policy control for pod-to-pod communication

A. Azure network policy (WRONG)

This is incorrect because:

Azure network policies only work with Azure CNI networking

The question specifically states the cluster uses Kubenet networking

Azure network policies cannot be implemented with Kubenet networking

C. Pod security policies (WRONG)

This is incorrect because:

Pod security policies are about pod security settings (like running as root, privileged containers)

They don’t control network traffic between pods

They focus on pod-level security configurations rather than network traffic control

They are being deprecated in favor of Pod Security Admission

D. Application security group (WRONG)

This is incorrect because:

Application Security Groups are an Azure networking feature for Azure VMs

They are not designed for controlling traffic between Kubernetes pods

They work at the Azure infrastructure level, not at the Kubernetes pod level

35
Q

You have an Azure subscription.

You create the following file named Deploy.json.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "westus"
    }
  },
  "resources": [
    {
      "apiVersion": "2019-04-01",
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[concat(copyIndex(), 'storage', uniqueString(resourceGroup().id))]",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Premium_LRS"
      },
      "kind": "StorageV2",
      "properties": {},
      "copy": {
        "name": "storagecopy",
        "count": 3
      }
    }
  ]
}

You connect to the subscription and run the following commands.
New-AzResourceGroup -Name RG1 -Location "centralus"
New-AzResourceGroupDeployment -ResourceGroupName RG1 -TemplateFile "deploy.json"

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Statement: The commands will create storage accounts in the West US Azure region. Yes or No, and why?

A

No, the storage accounts will not be created in the West US Azure region.

Let’s analyze why:

Looking at the template parameters:

"parameters": {
  "location": {
    "type": "string",
    "defaultValue": "westus"
  }
}

While there is a parameter with default value “westus”

This parameter is never actually used in the template

Looking at the storage account location:

"location": "[resourceGroup().location]"

The storage accounts’ location is set to use resourceGroup().location

This means it will use the location of the resource group

It does NOT use the location parameter defined in the template

Looking at the resource group creation command:

New-AzResourceGroup -Name RG1 -Location "centralus"

The resource group is explicitly created in “centralus”

All storage accounts will inherit this location

Therefore:

The storage accounts will be created in Central US (not West US)

The location parameter in the template is unused

The storage accounts inherit the location from the resource group (centralus)

Even though “westus” is defined as a default value in parameters, it’s not referenced anywhere in the resource definition

36
Q

You have an Azure Linux virtual machine that is protected by Azure Backup.

One week ago, two files were deleted from the virtual machine.

You need to restore the deleted files to an on-premises Windows Server 2016 computer as quickly as possible.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:
1. Download and run the script to mount a drive on the local computer
2. Select a restore point that contains the deleted files
3. From the Azure portal, click Restore VM from the vault
4. From the Azure portal, click File Recovery from the vault
5. Mount a VHD
6. Copy the files by using AZCopy
7. Copy the files by using File Explorer

A

Step 1: From the Azure portal, click File Recovery from the vault

This is the starting point for file-level recovery

File Recovery option is specifically for recovering individual files

Not “Restore VM” as that would restore the entire VM

Step 2: Select a restore point that contains the deleted files

Choose the backup point from before the files were deleted

In this case, you’ll need a restore point from over a week ago

This will ensure the files you need are available

Step 3: Download and run the script to mount a drive on the local computer

This script creates a local mount point

For Linux VM backups, this step is necessary to access the backup

The script will make the backup appear as a local drive

Step 4: Copy the files by using File Explorer

Once mounted, you can use File Explorer to copy the files

This is the simplest method to copy files to Windows Server 2016

Provides familiar interface for file selection and copying

37
Q

You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.

VM1 runs services that will be used to deploy resources to RG1.

You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.

What should you do first?

A. From the Azure portal, modify the Managed Identity settings of VM1.

B. From the Azure portal, modify the Access control (IAM) settings of RG1.

C. From the Azure portal, modify the Access control (IAM) settings of VM1.

D. From the Azure portal, modify the Policies settings of RG1.

A

A. Modify the Managed Identity settings of VM1 (CORRECT)

This is the correct first step because:

Before assigning any permissions, VM1 needs a system-assigned managed identity

Managed identity must be enabled first before it can be used for authentication

This creates an identity for VM1 in Azure AD that can be used to access resources

Without this step, VM1 has no identity to assign permissions to

B. Modify the Access control (IAM) settings of RG1 (WRONG)

While this is necessary, it’s the second step, not the first

You need to:

Enable managed identity first (Step 1)

Then assign permissions to that identity (Step 2)

Cannot assign permissions to a managed identity that doesn’t exist yet

C. Modify the Access control (IAM) settings of VM1 (WRONG)

This is incorrect because:

IAM settings on VM1 control who can access VM1

Does not help VM1 access other resources

Does not create an identity for VM1

D. Modify the Policies settings of RG1 (WRONG)

This is incorrect because:

Policies define compliance rules and standards

Does not provide authentication or authorization

Does not create an identity for VM1

The correct sequence would be:

Enable system-assigned managed identity on VM1 (Answer A)

Assign appropriate RBAC roles to VM1’s managed identity on RG1 (through IAM settings)

This enables VM1 to:

Have an identity in Azure AD

Use this identity to authenticate to Azure services

Access resources in RG1 based on assigned permissions

38
Q

Your company has a set of Azure virtual machines named appvm1 and appvm2. The machines are independent machines that are part of an Azure virtual network named app-network. You deploy an Azure Load Balancer of the Basic SKU in the same region as the Azure virtual machines. Can the Azure Load Balancer be used to load balance traffic between appvm1 and appvm2?

A. Yes

B. No

A

B. No
For the Load Balancer of the Basic SKU, the machines need to be part of an Availability set or scale set.

39
Q

Your company has the following Azure virtual machines deployed as part of the Azure subscription:
appvm1 in the resource group app-grp in location UK South
appvm2 in the resource group app-grp in location North Europe
Currently appvm1 is being backed up to an Azure Recovery Services vault. You also need to back up appvm2. Which of the following needs to be done first for this requirement?

A. Create a new backup policy for appvm2

B. Create a new Recovery Services Vault

C. Enable the backup of appvm2

D. Disable the backup of appvm1

A

B. Create a new Recovery Services Vault

The Recovery Services Vault and the virtual machine need to be in the same location. Here appvm2 is in another location, hence we need to create a Recovery Services Vault in this location as well.

40
Q

Your team has a web application running in an Azure Web App. You have to understand the details of the HTTP errors that are faced when connections are made to the web app. Which of the following can be implemented for this requirement?

A. Turn on Application Logging for the Azure Web App

B. Get a report on the metrics for the Azure Web App

C. Turn on Web Server Logging for the Azure Web App

D. Get a report on the Activity Log for the Azure Web App

A

C. Turn on Web Server Logging for the Azure Web App

You can turn on Web Server Logging. This gives details of all of the web server requests made to the Azure Web App, including the HTTP status codes returned.

For more information on Azure Web App logging, one can visit the URL below:

https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs

41
Q

Your company has the following Azure virtual networks defined as part of their Azure subscription:
appnetwork1 address space 10.0.0.0/24 location East US
appnetwork2 address space 192.168.0.0/16 location West US
appnetwork3 address space 10.0.128.0/17 location North Europe

Can you add a virtual network peering connection between appnetwork1 and appnetwork2?

A. Yes

B. No

A

A. Yes

Since the IP address ranges of the virtual networks don’t clash, you can add the virtual network peering connection. Also, you can peer virtual networks that are across regions.

42
Q

Your team has created the Azure Load Balancers below:

app-balancer1 SKU Basic region East US
app-balancer2 SKU Standard region East US

You have to create Azure virtual machines that need to be added to the backend pool of the load balancers.

Which of the following needs to be considered when deploying virtual machines that need to be added to app-balancer1?

A. They need to be part of the same resource group

B. They need to be part of an Availability set

C. The underlying operating system needs to be Windows Server 2019

D. They need to be part of the same virtual network

A

B. They need to be part of an Availability set

For the Basic Load Balancer the machines need to be part of a virtual machine scale set or an Availability set.

43
Q

Your team has created the Azure Load Balancers below:

app-balancer1 SKU Basic region East US
app-balancer2 SKU Standard region East US

You have to create Azure virtual machines that need to be added to the backend pool of the load balancers.

Which of the following needs to be considered when deploying virtual machines that need to be added to app-balancer2?

A. They need to be part of the same resource group

B. They need to be part of an Availability set

C. The underlying operating system needs to be Windows Server 2019

D. They need to be part of the same virtual network

A

D. They need to be part of the same virtual network

For the Standard Load Balancer the machines need to be part of the same Azure virtual network.

44
Q

Your company has an Azure subscription and an Azure AD tenant. The company has several office locations. They want to assign permissions to the administrator assigned for each office. The administrator will be responsible for managing users. Which of the following can be used when granting the required permissions?

A. Azure policies

B. Azure Identity Management

C. Administrative Units

D. Azure resource tags

A

C. Administrative Units

You can have Administrative Units and assign the administrators privilege over each unit. You can have one unit for each office.

For more information on Administrative Units, one can refer to the URL

https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units

45
Q

You need to use the Bulk feature in Azure Active Directory to delete a set of users. Which of the following needs to be specified for each user for the Bulk delete operation?

A. The user principal name and the user type

B. The user principal name only

C. The user type only

D. The user principal name and the Issuer

A

B. The user principal name only

You just need to specify the user principal name for each user in the list when submitted for the Bulk delete operation.

46
Q

Your company currently has the following structure when it comes to Management Groups and Subscriptions:

Tenant Root Group > Information Technology > Azure Subscription 1
A storage account named appstore1000 is part of a resource group named app-grp. app-grp is created under Azure Subscription 1.

Can you add a resource lock to Azure subscription1?

A. Yes

B. No

A

A. Yes

Yes, you can add a resource lock at a subscription level.

47
Q

Your company currently has the following structure when it comes to Management Groups and Subscriptions:

Tenant Root Group > Information Technology > Azure Subscription 1
A storage account named appstore1000 is part of a resource group named app-grp. app-grp is created under Azure Subscription 1.

Can you add a resource tag to Information Technology?
A. Yes

B. No

A

B. No
You cannot add a resource tag at a Management Group Level.

48
Q

Your company has an Azure subscription and an Azure AD tenant. They want to make use of Azure Conditional Access Policies. They have set up the appropriate licenses to use this feature. They want to ensure that users of an Administrators Group go through the process of Multi-Factor Authentication when they connect to Azure AD from untrusted locations.

Which of the following would you configure to ensure the setting for Multi-Factor Authentication?

A. Cloud apps or actions

B. Conditions

C. Access Control – Grant

D. Access Control – Session

A

C. Access Control – Grant

49
Q

Your company has an Azure subscription and an Azure AD tenant. They want to make use of Azure Conditional Access Policies. They have set up the appropriate licenses to use this feature. They want to ensure that users of an Administrators Group go through the process of Multi-Factor Authentication when they connect to Azure AD from untrusted locations.

Which of the following would you configure to ensure the setting is applied for untrusted locations?

A. Cloud apps or actions

B. Conditions

C. Access Control – Grant

D. Access Control – Session

A

B. Conditions

50
Q

Your company has created an Azure public DNS zone named cloudportalhub.com. They also have the domain name registered with an external domain registrar. They want to ensure that DNS queries from the Internet are routed to their Azure DNS zone. Which of the following must they do for this requirement?

A. Create an A record in the external domain registrar

B. Create an A record in the Azure DNS Zone

C. Modify the NS records in the external domain registrar

D. Modify the NS records in the Azure DNS Zone

A

C. Modify the NS records in the external domain registrar

You have to modify the name server (NS) records in the external domain registrar so that they match the name server records provided in the Azure DNS zone.