test 8 Flashcards
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?
A. From the Licenses blade of Azure AD, assign a license
B. From the Groups blade of each user, invite the users to a group
C. From the Azure AD domain, add an enterprise application
D. From the Directory role blade of each user, modify the directory role
The correct answer is A. From the Licenses blade of Azure AD, assign a license.
Explanation:
Assigning Licenses:
To enable Azure AD Premium features for specific users, you need to assign the Azure AD Premium P2 licenses to those users. This is done through the Licenses blade in the Azure AD portal.
You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.
What should you do first?
A. Create an automation runbook
B. Deploy a function app
C. Deploy the IT Service Management Connector (ITSM)
D. Create a notification
The correct first step is C. Deploy the IT Service Management Connector (ITSM).
Explanation:
IT Service Management Connector (ITSM):
The ITSM Connector allows you to connect Azure with your IT Service Management solutions, such as Microsoft System Center Service Manager. This integration enables you to create work items in your ITSM tool based on alerts from Azure Monitor.
You sign up for Azure Active Directory (Azure AD) Premium P2.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?
A. Device settings from the Devices blade
B. Providers from the MFA Server blade
C. User settings from the Users blade
D. General settings from the Groups blade
The correct option is A. Device settings from the Devices blade.
Explanation:
Device Settings in Azure AD:
To add a user as an administrator on all computers that will be joined to the Azure AD domain, you need to configure the device settings in Azure AD. This is done by specifying additional local administrators for Azure AD joined devices.
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Remove User1 from the Security Reader and Reader roles for Subscription1.
B. Assign User1 the User Access Administrator role for VNet1.
C. Assign User1 the Network Contributor role for VNet1.
D. Assign User1 the Network Contributor role for RG1.
The correct option is B. Assign User1 the User Access Administrator role for VNet1.
Explanation:
User Access Administrator Role:
The User Access Administrator role allows a user to manage user access to Azure resources. This includes assigning roles to other users for specific resources.
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?
A. MX
B. NSEC
C. PTR
D. RRSIG
To verify a custom domain name in Azure Active Directory, you need to create a TXT record in your DNS zone. However, since TXT is not listed as an option, the closest and most commonly used alternative for domain verification is an MX record. Therefore, the correct choice from the given options is A. MX.
Explanation:
Domain Verification Process:
When you add a custom domain to Azure AD, Azure provides a unique value that you need to add to your DNS records. This is typically done using a TXT record, but an MX record can also be used if TXT is not available.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
Does this meet the goal?
A. Yes
B. No
The correct answer is B. No.
Explanation:
DevTest Labs User Role:
The DevTest Labs User role is designed for users who need to manage DevTest Labs environments. It does not provide permissions to create Azure Logic Apps.
Correct Role for Creating Logic Apps:
To allow the Developers group to create Azure Logic Apps in the Dev resource group, you should assign a role that includes permissions for managing Logic Apps. The appropriate role for this purpose is the “Contributor” role.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
Does this meet the goal?
A. Yes
B. No
The correct answer is B. No.
Explanation:
Logic App Operator Role:
The Logic App Operator role allows users to manage and run logic apps but does not provide permissions to create new logic apps.
Correct Role for Creating Logic Apps:
To allow the Developers group to create Azure Logic Apps in the Dev resource group, you should assign a role that includes permissions for creating and managing Logic Apps. The appropriate role for this purpose is the “Contributor” role.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
Does this meet the goal?
A. Yes
B. No
The correct answer is A. Yes.
Explanation:
Contributor Role:
The Contributor role provides full access to manage all resources, including the ability to create and manage Azure Logic Apps within the assigned scope. This role includes permissions to create, update, and delete resources within the resource group.
You have an Azure subscription.
Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business app named App1 that runs on several Azure virtual machines. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. an internal load balancer
B. a public load balancer
C. an Azure Content Delivery Network (CDN)
D. Traffic Manager
E. an Azure Application Gateway
To ensure that the connections to App1 are spread across all the virtual machines, you can use the following Azure services:
A. An internal load balancer
E. An Azure Application Gateway
Explanation:
Internal Load Balancer:
An internal load balancer distributes network traffic across multiple virtual machines within a virtual network. It is used for load balancing traffic within a private network, which is suitable for scenarios where users connect via VPN.
Azure Application Gateway:
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It provides application-level routing and is capable of distributing traffic across multiple virtual machines running your application.
You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?
A. Monitor
B. Advisor
C. Metrics
D. Customer insights
The correct blade to use is B. Advisor.
Explanation:
Azure Advisor:
Azure Advisor provides personalized best practices and recommendations to help you optimize your Azure resources. It includes recommendations for cost optimization, which can help you identify underutilized virtual machines that can be resized to a less expensive service tier.
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign-in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: "Unable to invite user user1@outlook.com - Generic authorization exception."
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?
A. From the Users settings blade, modify the External collaboration settings.
B. From the Custom domain names blade, add a custom domain.
C. From the Organizational relationships blade, add an identity provider.
D. From the Roles and administrators blade, assign the Security administrator role to Admin1.
The correct option is A. From the Users settings blade, modify the External collaboration settings.
Explanation:
External Collaboration Settings:
The error message "Generic authorization exception" indicates that there might be restrictions on inviting external users. To resolve this, you need to modify the external collaboration settings in Azure AD to allow invitations to external users.
You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.
What should you do?
A. Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
D. Create a new management group and delegate User1 as the owner of the new management group.
The correct option is C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
Explanation:
Global Administrator Role:
The Global Administrator role in Azure Active Directory has the highest level of access and can manage all aspects of Azure AD and Azure resources. This role is necessary to assign policies at the tenant root management group level.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No
A. Yes is correct because the Network Contributor role provides the necessary permissions to manage network resources, including configuring diagnostics settings required for enabling Traffic Analytics. This role allows Admin1 to perform actions related to network resources, which includes enabling and configuring Traffic Analytics for the Azure subscription. Therefore, assigning the Network Contributor role at the subscription level to Admin1 meets the goal.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No
The correct answer is B. No.
Explanation:
Reader Role:
The Reader role provides read-only access to all resources within the subscription. It does not grant permissions to make changes or configure settings, such as enabling Traffic Analytics.
Why This Does Not Meet the Goal:
Enabling Traffic Analytics requires permissions to configure diagnostics settings on network resources, which the Reader role does not provide. Admin1 would need a role with more permissions, such as Network Contributor or Owner, to perform these actions.
Therefore, assigning the Reader role at the subscription level to Admin1 does not meet the goal of enabling Traffic Analytics for an Azure subscription.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?
A. Yes
B. No
The correct answer is A. Yes.
Explanation:
Owner Role:
The Owner role at the subscription level provides full access to all resources and permissions within the subscription. This includes the ability to manage network resources and configure diagnostics settings necessary for enabling Traffic Analytics.
Why This Meets the Goal:
By assigning the Owner role to Admin1, you ensure that Admin1 has comprehensive permissions to perform any action required to enable Traffic Analytics, including configuring necessary settings on network resources.
Therefore, assigning the Owner role at the subscription level to Admin1 does meet the goal of enabling Traffic Analytics for an Azure subscription.
You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
A. Owner
B. Virtual Machine Contributor
C. Contributor
D. Virtual Machine Administrator Login
C. Contributor is correct because the Contributor role provides the necessary permissions to deploy and manage all types of resources within an Azure subscription, including virtual machines and virtual networks. However, it is important to note that while the Contributor role allows User1 to perform these tasks, it may not strictly adhere to the principle of least privilege, as it grants broader permissions than specifically needed for managing virtual machines and networks. If strictly following the principle of least privilege, the Virtual Machine Contributor role might be more appropriate, but the Contributor role is often chosen for its comprehensive access capabilities.
You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
What should you do first?
A. From the Azure portal, modify the Managed Identity settings of VM1
B. From the Azure portal, modify the Access control (IAM) settings of RG1
C. From the Azure portal, modify the Access control (IAM) settings of VM1
D. From the Azure portal, modify the Policies settings of RG1
A. From the Azure portal, modify the Managed Identity settings of VM1 is correct because enabling a managed identity for VM1 is the first step to allow it to authenticate and manage resources in Azure. Managed identities provide an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure AD authentication. By enabling the managed identity for VM1, you allow it to authenticate to Azure services without needing to manage credentials, which is essential for managing resources in RG1 using VM1’s identity.
You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:
Name | Type | Description
VM1 | Virtual Machine | VM1 is running and configured to back up to Vault1 daily.
Vault1 | Recovery Services Vault | Vault1 includes all backups of VM1.
VNET1 | Virtual Network | VNET1 has a resource lock of type Delete.
You need to delete TestRG.
What should you do first?
A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1
B. Remove the resource lock from VNET1 and delete all data in Vault1
C. Turn off VM1 and remove the resource lock from VNET1
D. Turn off VM1 and delete all data in Vault1
B. Remove the resource lock from VNET1 and delete all data in Vault1 is correct because:
Resource Lock on VNET1: If VNET1 has a resource lock, it prevents the deletion of the resource group TestRG. Removing the resource lock is necessary to allow the deletion process to proceed.
Data in Vault1: Deleting all data in Vault1 is required because the presence of data in the vault can prevent the deletion of the resource group. Azure does not allow the deletion of a resource group if it contains a vault with data.
Therefore, the correct steps to delete TestRG are to first remove the resource lock from VNET1 and delete all data in Vault1. This ensures that there are no restrictions or dependencies preventing the deletion of the resource group.
You have an Azure DNS zone named adatum.com.
You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.
What should you do?
A. Create an NS record named research in the adatum.com zone.
B. Create a PTR record named research in the adatum.com zone.
C. Modify the SOA record of adatum.com.
D. Create an A record named *.research in the adatum.com zone.
A. Create an NS record named research in the adatum.com zone is correct because:
NS Record for Delegation: To delegate a subdomain to a different DNS server, you need to create a Name Server (NS) record in the parent domain’s DNS zone. This NS record specifies the DNS servers that are authoritative for the subdomain. By creating an NS record named “research” in the adatum.com zone, you effectively delegate the subdomain research.adatum.com to the specified DNS servers.
You have a registered DNS domain named contoso.com.
You create a public Azure DNS zone named contoso.com.
You need to ensure that records created in the contoso.com zone are resolvable from the internet.
What should you do?
A. Create NS records in contoso.com.
B. Modify the SOA record in the DNS domain registrar.
C. Create the SOA record in contoso.com.
D. Modify the NS records in the DNS domain registrar.
D. Modify the NS records in the DNS domain registrar is correct because:
NS Records in Domain Registrar: To ensure that DNS records created in the Azure DNS zone contoso.com are resolvable from the internet, you need to update the Name Server (NS) records at your domain registrar. This involves replacing the existing NS records with the Azure DNS name servers provided when you created the Azure DNS zone. This change delegates the DNS resolution responsibility to Azure DNS.