test 6 Flashcards
You have the Azure VM below in your subscription.
You need to create 10 more VMs based on the same configuration. Which blade will you use so that you can use the existing ARM template and modify it according to your requirements?
A. Serial console
B. Redeploy + reapply
C. Boot diagnostics
D. Export template
D. Export template.
Explanation: The “Export template” blade in the Azure portal allows you to export the ARM (Azure Resource Manager) template of an existing resource. You can then use this template to create additional resources with the same configuration. By exporting the template of the existing VM, you can modify it as needed and deploy it to create 10 more VMs with the same configuration.
B. Redeploy + reapply: This option is used to move a VM to a new Azure host or to reapply the VM’s state to resolve issues. It is not used for creating new VMs.
Your organization has hired a new cloud engineer, and he should be able to manage cloud engineer’s access as well. You also need to follow the Microsoft principle of least privilege.
Which role should be assigned to the cloud engineer?
A. User Access Administrator
B. Owner
C. User Administrator
D. Contributor
A. User Access Administrator.
Why correct: The “User Access Administrator” role allows the cloud engineer to manage user access to Azure resources. This role is specifically designed to grant permissions to manage access without giving full control over the resources themselves, aligning with the principle of least privilege.
Why wrong:
B. Owner: This role grants full access to all resources, including the ability to manage access. It does not follow the principle of least privilege as it provides more permissions than necessary.
C. User Administrator: This role is primarily used for managing user accounts and groups in Azure Active Directory, not for managing access to Azure resources.
D. Contributor: This role allows the user to create and manage all types of Azure resources but does not grant permissions to manage access to resources.
To migrate from on-premises file servers, your organization is considering Azure Premium File Shares.
You have the storage account in your Azure Subscription as shown below.
Storage account name Prod-storage-01 has account type general-purpose storage V2.
Select Yes if the statement is True. Otherwise select No.
Statement: You should create a new premium storage account since existing storage accounts will not allow you to create a premium file share.
A. No
B. Yes
B. Yes.
Why correct: Azure Premium File Shares require a storage account that supports premium performance. The existing storage account “Prod-storage-01” with account type general-purpose storage V2 does not support premium file shares. Therefore, you need to create a new premium storage account to use Azure Premium File Shares.
Your organization has deployed Microsoft 365 Business Standard licenses and has implemented Azure Active Directory self-service password reset. Now, you aim to establish a hybrid environment that connects your on-premises Active Directory Domain Services to Azure AD. As part of this setup, you must enable password writeback from Azure AD to your on-premises network.
Select Yes if the statement is True. Otherwise, select No.
Statement: Microsoft 365 Business Standard License supports password writeback.
A. Yes
B. No
B. No.
Why correct: Microsoft 365 Business Standard licenses do not include the necessary features to support password writeback. Password writeback is a feature that requires Azure AD Premium P1 or P2 licenses. Therefore, to enable password writeback from Azure AD to your on-premises network, you would need to upgrade to a license that includes Azure AD Premium P1 or P2.
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.
Name: Role
SecAdmin1: Security Administrator
BillAdmin1: Billing Administrator
User1: Reports Reader
You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
✑ Number of methods required to reset: 2
✑ Methods available to users: Mobile phone, Security questions
✑ Number of questions required to register: 3
✑ Number of questions required to reset: 3
You select the following security questions:
✑ What is your favorite food?
✑ In what city was your first job?
✑ What was the name of your first pet?
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Statement:
SecAdmin1 must answer the following question during the self-service password reset:
In what city was your first job?
BillAdmin1 must answer the following question during the self-service password reset:
What is your favorite food?
User1 must answer the following question during the self-service password reset:
What was the name of your first pet?
SecAdmin1 must answer the following question during the self-service password reset:
In what city was your first job?
No.
Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing passwords of administrators:
On-premises enterprise administrators or domain administrators cannot reset their password through Self-service password reset (SSPR). They can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin accounts to Azure AD.
An administrator cannot use secret Questions & Answers as a method to reset password.
BillAdmin1 must answer the following question during the self-service password reset:
What is your favorite food?
Yes.
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT staff.
User1 must answer the following question during the self-service password reset:
What was the name of your first pet?
Yes.
You have an Azure subscription, and below is the hub and spoke topology given.
HUB-VNET is connected to on-premises using a site-to-site VPN, and SPOKE-VNET is peering into HUB-VNET.
How can VM1 communicate with on-premises using the same HUB-VNET virtual network gateway?
SPOKE-VNET: VNet 10.0.0.0/16 with subnet 10.0.0.0/24, which includes VM1.
HUB-VNET: VNet 172.16.0.0/16 with subnet 172.16.0.0/24, which includes VM2.
Select yes if the statement is true. Otherwise, select no.
Statement: You are planning to use Gateway Transit.
A. Yes
B. No
Yes. In a hub and spoke topology, Gateway Transit allows the spoke virtual networks to use the virtual network gateway in the hub to communicate with on-premises networks. This setup enables VM1 in the SPOKE-VNET to communicate with on-premises networks through the HUB-VNET’s virtual network gateway.
Hub and Spoke Topology: Familiarize yourself with this network architecture where the hub VNet acts as a central point of connectivity to on-premises networks, and the spoke VNets are peered with the hub.
VNet Peering: Learn how VNet peering allows VNets to communicate with each other through private IP addresses, and how it is used in hub and spoke topologies.
Virtual Network Gateway: Understand the role of a virtual network gateway in providing connectivity between Azure VNets and on-premises networks, typically through VPN or ExpressRoute.
Gateway Transit: Know how Gateway Transit allows spoke VNets to use the virtual network gateway in the hub VNet for communication with on-premises networks.
You have migrated your on-premises web application to the Azure web app, prod-webapp. After migration, it has been observed that the website is not accessible using the old domain name, https://www.cloudfinanceportal.com.
You need to configure DNS to resolve this issue.
Which two DNS records are needed to resolve this issue?
A. Create PTR record and map it to prod-webapp.azurewebsites.net.
B. Create Name server (NS) record and map it to IP address of prod-webapp.
C. Create A record and map it to IP address of prod-webapp.
D. Create CNAME record and map it to prod-webapp.azurewebsites.net.
D. Create CNAME record and map it to prod-webapp.azurewebsites.net.
CNAME records are used to map an alias name to a true or canonical domain name. In this case, you would map the old domain name to the Azure web app’s domain name (prod-webapp.azurewebsites.net), allowing users to access the web app using the old domain name.
C. Create A record and map it to IP address of prod-webapp.
An A record maps a domain name to an IP address. If you have a static IP address for your Azure web app, you can create an A record to map the old domain name directly to this IP address, ensuring that users can access the web app using the old domain name.
These two records will ensure that the old domain name resolves to the new Azure web app, making it accessible to users.
Let’s examine the following situation:
The resource group includes:
· Virtual Machine A
· Storage account B
· Virtual network C
You are trying to deploy the below resource using the ARM template:
· Network security group D
Below is the PowerShell cmdlet you are using to deploy the template.
New-AzResourceGroupDeployment -Mode Complete -Name ExampleDeployment `
-ResourceGroupName ExampleResourceGroup `
-TemplateFile c:\MyTemplates\storage.json
As you can see in the above cmdlet, we are using mode as complete. When deploying resources with Azure Resource Manager templates (ARM templates), you have two options for deployment mode: incremental or complete. What will happen if we use mode as complete?
A. The Resource Manager leaves unchanged resources in the resource group that aren’t defined in the template - that means virtual machine A, Storage account B, Virtual Network C will not be deleted.
B. Resource Manager deletes resources in the resource group that aren’t specified in the template - that means virtual machine A, Storage account B, Virtual Network C will be deleted since these are not defined in the ARM template.
B. When using the “complete” mode in Azure Resource Manager (ARM) template deployment, the Resource Manager deletes resources in the resource group that aren’t specified in the template. This means that any resources not defined in the ARM template, such as Virtual Machine A, Storage account B, and Virtual Network C, will be deleted from the resource group. The “complete” mode ensures that the resource group matches exactly what is defined in the template, removing any resources not included.
The policy must be configured to require members of the Global Administrators group to use multi-factor authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You can access the multi-factor authentication page to alter the user settings. Does the solution meet the goal?
A. Yes
B. No
B. No. Accessing the multi-factor authentication page to alter user settings alone does not meet the goal. To require members of the Global Administrators group to use multi-factor authentication and an Azure AD-joined device when connecting from untrusted locations, you need to configure a Conditional Access policy in Azure AD. This policy should specify the conditions under which multi-factor authentication and device compliance are required, such as when accessing from untrusted locations.
You want to implement Azure file share on your on-premises Windows server. What is the recommended Windows OS required?
A. Windows server 2012
B. Windows server 2016
C. Windows server 2019 and above.
C. Windows Server 2019 and above. The recommended Windows OS for implementing Azure file share on an on-premises Windows server is Windows Server 2019 and above. This is because newer versions of Windows Server provide better integration with Azure services, improved security features, and enhanced support for cloud-based file sharing solutions like Azure File Sync, which allows you to centralize your file shares in Azure Files while keeping the flexibility, performance, and compatibility of an on-premises file server.
You have an Azure Resource Manager (ARM) template designed to deploy 10 virtual machines, and you want to automate the deployment. Identify one PowerShell and one Azure CLI command for this task. What are the two commands you would select?
A. New-AzResourceGroupDeployment
B. New-AzVM
C. az vm list
D. az deployment group create
A. New-AzResourceGroupDeployment
This PowerShell command is used to deploy resources defined in an ARM template to a resource group. It is suitable for deploying multiple virtual machines as specified in the template.
D. az deployment group create
This Azure CLI command is used to create a deployment at the resource group level using an ARM template. It is also suitable for deploying multiple virtual machines as defined in the template.
Your organization has an Azure subscription.
You are planning to create a virtual machine scale set (VMSS) that has the following settings:
· Resource group name: RG1
· Region: West US
· Orchestration Mode: uniform
· Security type: Standard
· OS disk type: SSD standard
You need to add custom virtual machines to VMSS.
Which settings do you need to modify?
A. Security Type
B. OS disk Type
C. Orchestration Mode
C. Orchestration Mode. To add custom virtual machines to a Virtual Machine Scale Set (VMSS), you need to modify the Orchestration Mode. The “uniform” orchestration mode does not allow for custom virtual machines, as it is designed for identical instances managed by the scale set. To add custom VMs, you would need to use the “flexible” orchestration mode, which allows for more diverse configurations within the scale set.