test 9 Flashcards

1
Q

A team member has created a point-to-site VPN connection between a computer named “WorkstationA” and an Azure virtual network. Another point-to-site VPN connection needs to be created between the same Azure virtual network and a computer named “WorkstationB”. The VPN client package was generated and installed on “WorkstationB”.

You need to ensure you can create a successful point-to-site VPN connection. You decide to export and install the client certificate on “WorkstationB”.

Would this solution fulfil the requirement?

A. Yes

B. No

A

A. Yes

2
Q

Would Virtual Machines launched in the “CertGlobal-client” virtual network automatically get registered in the private domain of CertGlobals.local?

Yes

No

A

Yes

3
Q

A company has set up an Azure subscription and a tenant. They want to ensure that only virtual machines of a particular SKU size can be launched in their Azure account. They decide to implement role-based access policies.

Does this fulfil the requirement?

A. Yes

B. No

A

B. No

Why “No” is correct:

RBAC (Role-Based Access Control) is not the right tool for restricting VM SKU sizes

RBAC only controls WHO can access resources and what actions they can perform

RBAC cannot enforce specific resource configurations or properties

The correct tool for this requirement would be Azure Policy

Here’s why RBAC won’t work for this requirement:

RBAC limitations:

Only controls permissions and access rights

Cannot restrict specific resource properties

Doesn’t enforce resource standards

Cannot limit VM sizes or SKUs

What should be used instead:

Azure Policy is the correct solution

Azure Policy can restrict VM SKU sizes

Can enforce compliance across the subscription

Can prevent creation of non-compliant VMs

Azure Policy benefits for this scenario:

Can define allowed VM sizes

Enforces standards across the organization

Prevents creation of non-compliant resources

Provides audit capabilities

4
Q

A company has set up an Azure subscription and a tenant. They want to ensure that only virtual machines of a particular SKU size can be launched in their Azure account. They decide to implement Azure policies.

Does this fulfil the requirement?

A. Yes

B. No

A

A. Yes

5
Q

A company plans to use Azure Network Watcher to perform the following tasks:

“Find out if a network security rule is preventing a network packet from reaching a virtual machine hosted in an Azure virtual network”

“Find out if there is outbound connectivity between an Azure virtual machine and an external host”

Which of the following Network Watcher features would you use for the following requirement?

“Find out if a network security rule is preventing a network packet from reaching a virtual machine hosted in an Azure virtual network”

IP Flow Verify

Next Hop

Packet Capture

Traffic Analysis

A

IP Flow Verify

6
Q

Your company currently has a Site-to-Site connection with an Azure virtual network. The VPN device on the on-premises side is going to undergo a change in its public IP address. You have to ensure the Site-to-Site VPN connection continues to work after the change.

Which of the following steps would you need to carry out after the change in the public IP address on the on-premises VPN device, ensuring minimum connection downtime? Choose three answers from the options given below.

A. Remove the VPN connection

B. Stop the VPN connection

C. Modify the local gateway IP address

D. Modify the VPN gateway address

E. Recreate the VPN connection

F. Start the VPN connection

A

The correct answers are:

B. Stop the VPN connection [1]
C. Modify the local gateway IP address
F. Start the VPN connection

Let’s analyze each option:

CORRECT ANSWERS:

B. Stop the VPN connection

Correct because you need to stop the connection before making changes

Prevents connection errors during the modification

Ensures clean transition to new configuration

Minimizes potential issues during the update

C. Modify the local gateway IP address

Correct because this is the main change needed

The local gateway represents your on-premises VPN device

Updates the Azure configuration to point to the new public IP

Essential step to reflect the new on-premises VPN device IP

F. Start the VPN connection

Correct because after modifications, you need to restart the connection [2]

Establishes connection with new configuration

Completes the update process

Restores the Site-to-Site connectivity

INCORRECT ANSWERS:

A. Remove the VPN connection

Incorrect because removing the connection is unnecessary

Would cause longer downtime

Would require complete reconfiguration

More disruptive than necessary

D. Modify the VPN gateway address

Incorrect because the Azure VPN gateway address isn’t changing

Only the on-premises device IP is changing

Would cause unnecessary complications

Not related to the on-premises IP change

E. Recreate the VPN connection

Incorrect because recreation isn’t necessary

Would cause longer downtime

More complex than needed

Simple modification is sufficient

7
Q

A company is planning on using the Azure Import/Export service to move data out of their Azure Storage account. Which of the following services could be used when defining the Azure Export job?

A. BLOB storage

B. File storage

C. Queue storage

D. Table storage

A

The correct answer is:

A. BLOB storage

Why A (BLOB storage) is correct:

Azure Import/Export service is specifically designed to work with Blob storage [1]

It supports exporting data from Blob storage to physical drives

Can handle large-scale data transfer from Blob storage

Perfect for scenarios requiring offline data transfer

Supports both block blobs and page blobs

Why other options are incorrect:

B. File storage

Incorrect because Azure Import/Export service doesn’t support File storage

File storage uses SMB protocol which isn’t compatible with Import/Export service

Cannot directly export data from Azure Files using Import/Export service [2]

Would need to copy to Blob storage first if export is needed

C. Queue storage

Incorrect because Queue storage is for messaging between application components

Not designed for bulk data transfer

Import/Export service doesn’t support Queue storage

Queue storage is for transient data, not bulk storage

D. Table storage

Incorrect because Table storage is not supported by Import/Export service

Table storage is for structured NoSQL data

Cannot directly export Table storage using Import/Export service

Not designed for bulk data transfer scenarios

8
Q

You have an Azure virtual machine based on the Windows Server 2016 image. You implement Azure backup for the virtual machine. You want to restore the virtual machine by using the Replace existing option.

Which of the following needs to be done first before you go ahead and replace the virtual machine using the Azure Backup option?

A. Create a custom image

B. Stop the virtual machine

C. Allocate a new disk

D. Enable encryption on the disk

A

The correct answer is:

B. Stop the virtual machine

Why B (Stop the virtual machine) is correct:

The VM must be stopped before performing a restore with “Replace existing” option

This ensures data integrity during the restore process

Prevents any active writes or changes to the VM during restoration

Required to avoid potential data corruption

Ensures all system states are consistent during the restore

Why other options are incorrect:

A. Create a custom image

Incorrect because creating an image is not required for restore

Backup already contains the necessary VM data

Would be redundant since backup contains complete VM state

Not related to the restore process requirements

C. Allocate a new disk

Incorrect because new disk allocation isn’t needed

“Replace existing” option uses existing disk infrastructure

The restore process manages disk requirements automatically

Not a prerequisite for VM restore

D. Enable encryption on the disk

Incorrect because encryption is not required for restore

Can restore both encrypted and unencrypted VMs

Encryption status doesn’t affect restore process

Not a prerequisite for using “Replace existing” option

9
Q

You have an Azure subscription named CertGlobalstaging. Under the subscription, you go ahead and create a resource group named CertGlobals-rg.

You then go ahead and create an Azure policy based on the “Not allowed resource types” definition. Here you define the parameter Microsoft.Network/virtualNetworks as the not allowed resource type. You assign this policy to the Tenant Root Group.

Would you be able to create a virtual machine in the CertGlobals-rg resource group?

Yes

No

A

No

Here, since the policy is assigned at the Tenant Root Group, it applies to all subscriptions and resource groups beneath it. And since a virtual network is required to create a virtual machine, and the policy denies the creation of virtual networks, you won’t be able to create the virtual machine.

10
Q

Your company has set up a storage account in Azure as shown below.

The company needs to allow connections to the storage account only from the IP address range 51.107.2.0 to 51.107.2.255. Which of the following sections of the storage account would you modify to fulfil this requirement?

A. Firewall and virtual networks

B. Advanced security

C. Soft Delete

D. Lifecycle Management

A

A. Firewall and virtual networks

11
Q

A team has set up Log Analytics for a virtual machine named demovm. They are running the following query in the Log Analytics workspace:
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| where TimeGenerated between (startofweek(ago(9d)) .. endofweek(ago(2d)))
| summarize avg(CounterValue) by Computer, bin(TimeGenerated, 5min)
| render timechart

If a query is run on Monday, then the query will return events from the last

A. 1 day

B. 7 days

C. 8 days

D. 14 days

A

The correct answer is D. 14 days.

Here’s why:

Breakdown of the Query:
Time Range (TimeGenerated clause):

TimeGenerated between (startofweek(ago(9d)) .. endofweek(ago(2d)))
ago(9d): Refers to 9 days ago from the current time when the query is run.
startofweek(ago(9d)): Adjusts to the beginning of the week 9 days ago (typically Sunday or Monday, depending on regional settings).
ago(2d): Refers to 2 days ago from the current time.
endofweek(ago(2d)): Adjusts to the end of the week 2 days ago (typically Saturday or Sunday).
This means the query fetches data starting from the beginning of the week 9 days ago to the end of the week 2 days ago.

Example for a Monday:

If the query is run on a Monday, the time range will include:

Start: Beginning of the week 9 days ago (the previous Sunday).
End: End of the week 2 days ago (the most recent Saturday).
This covers two full weeks of data (14 days):

Week 1: From the start of the week 9 days ago (Sunday) to the end of that week (Saturday).
Week 2: From the start of the following week to the end of the week 2 days ago.
Why Other Answers Are Incorrect:
A. 1 day:

Incorrect because the query explicitly spans a range across multiple days.
B. 7 days:

Incorrect because the query spans two weeks, not just one.
C. 8 days:

Incorrect because the query does not just span from 9 days ago to 2 days ago. It considers entire weeks, resulting in a 14-day span.
Why D. 14 days is Correct:
The query is designed to fetch data for two full weeks (14 days) because of the use of startofweek and endofweek. It ensures the time range includes complete weeks starting from the week 9 days ago to the week 2 days ago.

12
Q

A team has set up Log Analytics for a virtual machine named demovm. They are running the following query in the Log Analytics workspace:
Perf
| where TimeGenerated between (startofweek(ago(9d)) .. endofweek(ago(2d)))
| summarize avg(CounterValue) by Computer, bin(TimeGenerated, 5min)
| render timechart

In which of the below format will the data be displayed?
A. table that has 2 columns

B. table that has 3 columns

C. graph that has the Computer values on the Y axis

D. graph that has the avg(CounterValue) values on the Y axis

A

D. graph that has the avg(CounterValue) values on the Y axis

Explanation:
The query ends with the statement:

render timechart
render timechart: This specifies that the query results will be visualized as a timechart (graph).
In a timechart:
The X-axis represents time (bin(TimeGenerated, 5min) groups the data into 5-minute intervals).
The Y-axis represents the summarized average value of CounterValue (avg(CounterValue)).
Since the query calculates the average (avg(CounterValue)) and groups it by time and Computer, the Y-axis will display the avg(CounterValue) values for each computer over time.

Why Other Answers Are Incorrect:
A. table that has 2 columns:

Incorrect because the query does not use a tabular rendering method like render table or a simple summarize without rendering.
Additionally, the query groups by two fields (Computer and TimeGenerated), which results in more than 2 columns.
B. table that has 3 columns:

Incorrect because the query renders a graph (timechart), not a table.
While the intermediate result might have columns (e.g., Computer, TimeGenerated, avg(CounterValue)), the final visualization is a graph.
C. graph that has the Computer values on the Y axis:

Incorrect because the Computer field is not a numerical value. Instead, it is used to differentiate lines or series on the graph. Multiple computers may have their own lines, but the Y-axis will always display numerical avg(CounterValue) values.

13
Q

As an IT admin you have to develop scripts that will be used to add data disks to an existing virtual machine. Below is the incomplete script:
$diskset = Slot1
Location = "EastUS"
CreateOption = "Empty"
DiskSizeGB = 128

$data = Slot2
ResourceGroupName = "CertGlobal-rg"
DiskName = "disknew"
Disk = $diskset

$CertGlobalvm = Slot3 -ResourceGroupName "CertGlobal-rg" -Name "demovm"

$CertGlobalvm = Slot4 -VM $CertGlobalvm -Name "datadisk" -CreateOption Attach -ManagedDiskId $data.Id -Lun 1

Slot5 -ResourceGroupName "CertGlobal-rg" -VM $CertGlobalvm

Which of the following would go into Slot1?
New-AzDisk

New-AzDiskConfig

Add-AzVMDataDisk

Set-AzDisk

A

New-AzDiskConfig

14
Q

Which of the following would go into Slot2?
A. New-AzDisk

B. New-AzDiskConfig

C. Add-AzVMDataDisk

D. Set-AzDisk

A

A. New-AzDisk

15
Q

Which of the following would go into Slot3?
Set-AzVM

UpdateAzVM

Get-AzVM

New-AzVM

A

Get-AzVM

16
Q

Which of the following would go into Slot4?
New-AzDisk

New-AzDiskConfig

Add-AzVMDataDisk

Set-AzDisk

A

Add-AzVMDataDisk

17
Q

Which of the following would go into Slot5?
Set-AzVM

Update-AzVM

Get-AzVM

New-AzVM

A

Update-AzVM

18
Q

A company currently has the following networks defined in Azure
Name Address space
CertGlobal-vnet1 10.1.0.0/16
CertGlobal-vnet2 10.2.0.0/16
CertGlobal-vnet3 10.3.0.0/16

All virtual networks are hosting virtual machines with varying workloads. A virtual machine named “CertGlobal-detect” is hosted in CertGlobal-vnet2. This virtual machine will have intrusion detection software installed on it. All traffic on all virtual networks needs to be routed via this virtual machine. You need to complete the required steps for implementing this requirement. You are going to create the virtual network peering connections for all of the virtual networks.

Which of the following is important to set for the virtual network peering connection?

Set the virtual network deployment model as Classic

Set the virtual network access settings as Disabled

Set the forwarded traffic settings as Enabled

Enable “Allow gateway transit”

A

Set the forwarded traffic settings as Enabled

19
Q

A company currently has the following networks defined in Azure
Name Address space
CertGlobal-vnet1 10.1.0.0/16
CertGlobal-vnet2 10.2.0.0/16
CertGlobal-vnet3 10.3.0.0/16

All virtual networks are hosting virtual machines with varying workloads. A virtual machine named “CertGlobal-detect” is hosted in CertGlobal-vnet2. This virtual machine will have intrusion detection software installed on it. All traffic on all virtual networks needs to be routed via this virtual machine. You need to complete the required steps for implementing this requirement.

Which of the following would you additionally need to create to ensure traffic is sent via the virtual machine hosting the intrusion detection software?

A new route table

Add an address space

Add DNS servers

Add a service endpoint

A

A new route table

20
Q

A company currently has the following networks defined in Azure

All virtual networks are hosting virtual machines with varying workloads. A virtual machine named “CertGlobal-detect” is hosted in CertGlobal-vnet2. This virtual machine will have intrusion detection software installed on it. All traffic on all virtual networks needs to be routed via this virtual machine. You need to complete the required steps for implementing this requirement.

Which of the following needs to be enabled on the virtual machine “CertGlobal-detect”?

Enable IP forwarding

Enable the identity for the virtual machine

Add an extension to the virtual machine

Change the size of the virtual machine

A

Enable IP forwarding

21
Q

A company has the following resources deployed to their Azure subscription

The virtual machine “CertGlobalvm” is currently in the running state.

The company now assigns the below Azure policy

The not allowed resource types are:

Microsoft.Network/virtualNetworks

Microsoft.Compute/virtualMachines

Would an administrator be able to move the virtual machine to another resource group?

Yes

No

A

Yes

22
Q

A company has the following resources deployed to their Azure subscription

The virtual machine “CertGlobalvm” is currently in the running state.

The company now assigns the below Azure policy

The not allowed resource types are:

Microsoft.Network/virtualNetworks

Microsoft.Compute/virtualMachines

Would the state of the virtual machine change to deallocated?

Yes

No

A

No

23
Q

A company has the following resources deployed to their Azure subscription

The virtual machine “CertGlobalvm” is currently in the running state.

The company now assigns the below Azure policy

The not allowed resource types are:

Microsoft.Network/virtualNetworks

Microsoft.Compute/virtualMachines

Would an administrator be able to modify the address space of CertGlobal-vnet2?

Yes

No

A

No

24
Q

You have an Azure Storage account that contains 5,000 blobs accessed by multiple users.

You need to ensure that the users can view only specific blobs based on blob index tags.

What should you include in the solution?

A. a role assignment condition
B. a stored access policy
C. just-in-time (JIT) VM access
D. a shared access signature (SAS)

A

A. a role assignment condition

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac-examples?tabs=portal-visual-editor#example-read-blobs-with-a-blob-index-tag

25
Q

Blob Containers in the Azure Subscription
cont1 in storage1 contains blob1.
cont2 in storage2 contains blob2.
cont3 in storage3 contains blob3.
Conditions
Condition1
(
(
!ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'cont1'
)
)
Grants access only to read actions for cont1.
Condition2
(
(
!ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '*2*'
)
)
Grants access only to write actions for blob paths containing 2.
Role Assignments
User1
Role: Storage Blob Data Reader
Scope: sub1
Condition: Condition1
User2
Role: Storage Blob Data Owner
Scope: storage1
Condition: Condition2

User1 can read blob2? Y / N
User2 can read blob3? Y / N
User3 can read blob1? Y / N

A

N
N
Y

26
Q

You have an Azure subscription that contains a storage account named storage1.

You plan to use conditions when assigning role-based access control (RBAC) roles to storage1.

Which storage1 services support conditions when assigning roles?

A. containers only
B. file shares only
C. tables only
D. queues only
E. containers and queues only
F. files shares and tables only

A

As of the latest updates, Azure role-based access control (RBAC) with conditions is supported for certain Azure Storage services. The correct answer is E. containers and queues only.

27
Q

You have an Azure Active Directory (Azure AD) tenant that contains a security group named Group1.
You plan to purchase additional Azure subscription.
You need to ensure that Group1 can manage role assignments for the existing subscriptions and the planned subscriptions. The solution must meet the following requirements:
✑ Use the principle of least privilege.
✑ Minimize administrative effort.
What should you do?

A. Assign Group1 the Owner role for the root management group.
B. Assign Group1 the User Access Administrator role for the root management group.
C. Create a new management group and assign Group1 the User Access Administrator role for the group.
D. Create a new management group and assign Group1 the Owner role for the group.

A

B. Assign Group1 the User Access Administrator role for the root management group.

28
Q

The image contains an Azure Resource Manager (ARM) template in JSON format, named deploy.json. Here’s its content, rewritten for clarity:

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"obj1": {
"type": "object",
"defaultValue": {
"prop1": "one",
"prop2": "two",
"prop3": "three",
"propID": {
"propID1": "sub",
"propID2": "sub"
}
}
},
"part1": {
"type": "string",
"allowedValues": [
"centralus",
"westus",
"eastus"
],
"defaultValue": "eastus"
}
},
"variables": {
"var1": [
"westus",
"centralus",
"eastus"
]
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2018-05-01",
"location": "[parameters('part1')]",
"name": "[concat('RGS', copyIndex())]",
"copy": {
"name": "copy",
"count": 2
}
},
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2018-05-01",
"location": "[last(variables('var1'))]",
"name": "[concat('ResGrp', '8')]"
},
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2018-05-01",
"location": "[parameters('part1')]",
"name": "[concat('RGroup', length(parameters('obj1')))]"
}
],
"outputs": {}
}
The deployment command shown is:

New-AzDeployment -Location westus -TemplateFile "deploy.json"

Three resource groups are created when you run the script? Y/N
A resource group named RGroup5 is created? Y/N
All resource groups are created in the eastus Azure region? Y/N

A
29
Q

The image describes a question about securely managing an administrative password for an Azure Resource Manager (ARM) template that deploys virtual machines (VMs). The goal is to ensure that the password is not stored in plain text. The user is asked to select the necessary Azure components to achieve this.

Options:

  1. An Azure Key Vault
  2. An Azure Storage Account
  3. Azure Active Directory (AD) Identity Protection
  4. An Access Policy
  5. An Azure Policy
  6. A Backup Policy
A
  1. An Azure Key Vault
  2. An Access Policy

Step 2: Add the Password as a Secret in Azure Key Vault
Go to your newly created Key Vault in the Azure Portal.
Under Settings, click Secrets.
Click + Generate/Import.
Fill in the following details:
Name: Provide a name for the secret (e.g., AdminPassword).
Value: Enter the administrative password you want to store securely.
Click Create.
Step 3: Configure Access Policies for the Key Vault
In the Key Vault settings, select Access Policies.
Click + Add Access Policy.
In the Permissions dropdown:
For Secret Permissions, select Get (to allow the ARM template to retrieve the password).
Under Select principal, choose the identity of the service or user that will access the Key Vault (e.g., the service principal used by the ARM template deployment).
Click Add and then Save.
Step 4: Reference the Secret in Your ARM Template
Modify your ARM template to reference the Key Vault secret.

Use the following JSON snippet to retrieve the secret from Key Vault:

{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2021-03-01",
"name": "[parameters('vmName')]",
"location": "[resourceGroup().location]",
"properties": {
"osProfile": {
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'YourKeyVaultName', 'AdminPassword'), '2019-09-01').value]"
},
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
}
}
}
Replace YourKeyVaultName and AdminPassword with your Key Vault’s name and secret name, respectively.

Step 5: Grant Permissions to the ARM Template
Ensure that the Azure Resource Manager (ARM) deployment has access to the Key Vault by assigning the appropriate role (e.g., Key Vault Reader) to the service principal or identity used for deployment.

30
Q

You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Answer Area:
Name:

Policy1 (with a green checkmark indicating a valid name).
Assignments:

Users and groups:
0 users and groups selected
Cloud apps:
0 cloud apps selected
Conditions:
0 conditions selected

Access controls:
Grant:
0 controls selected
Session:
No session controls configured

A

The answer is correct.
- Users and groups: select all users.
- Cloud apps or actions: select the Azure portal.
- Grant: require multi-factor authentication.

31
Q

Your company has the divisions shown in the following table:

Division Azure subscription Azure Active Directory (Azure AD) tenant
East Sub1 East.contoso.com
West Sub2 West.contoso.com
Sub1 contains an Azure web app that runs an ASP.NET application named App1.
App1 uses the Microsoft identity platform (v2.0) to handle user authentication.
Users from East.contoso.com can authenticate to App1.
Requirement:
You need to recommend a solution to allow users from West.contoso.com to authenticate to App1.

Question:
What should you recommend for the West.contoso.com Azure AD tenant?

Options:
A. A conditional access policy
B. Pass-through authentication
C. Guest accounts
D. An app registration

A

The correct answer is C. Guest accounts.

Explanation:
Scenario Summary:

App1 in Sub1 uses Azure Active Directory (Azure AD) in the East.contoso.com tenant for user authentication.
Users from West.contoso.com need access to App1.
App1 uses the Microsoft identity platform (v2.0), which supports multi-tenant applications.
Azure AD B2B Collaboration:

To allow users from another Azure AD tenant (West.contoso.com) to access resources in East.contoso.com, you can use guest accounts.
Azure AD B2B (Business-to-Business) collaboration allows users from external tenants to be invited as guest users into the primary tenant (East.contoso.com) without creating additional accounts.
Steps for Implementation:

Admins from East.contoso.com invite users from West.contoso.com to the East.contoso.com tenant as guest users.
Once added as guest users, they can authenticate using their existing credentials from West.contoso.com to access App1.
Why Other Options Are Incorrect:

A. A conditional access policy: Conditional Access is used to enforce access policies (e.g., MFA or blocking certain conditions) but does not enable cross-tenant authentication.
B. Pass-through authentication: This allows users in an on-premises directory to authenticate directly against Azure AD but is not applicable here since the two divisions have separate tenants.
D. An app registration: While App1 uses an app registration in Azure AD, this does not resolve the need for users in a separate tenant to authenticate. Multi-tenancy or B2B collaboration is the correct approach.

32
Q

Azure Virtual Machines Table:
Name Connected to Subnet
VM1 172.16.1.0/24
VM2 172.16.2.0/24
Security Rules Added to NSG1 (Network Security Group):
Priority Source Destination Protocol Port Action
100 172.16.1.0/24 172.16.2.0/24 TCP Any Allow
101 Any 172.16.2.0/24 TCP Any Deny
Azure Network Watcher Configuration:
Source Configuration:

Resource group: RG1
Source type: Virtual Machine
Virtual machine: VM1
Destination Configuration:

Select Destination: Virtual Machine
Resource group: RG1
Virtual machine: VM2
Probe Settings:

Protocol: TCP
Destination port: 8080
Result:

Status: Unreachable
Source virtual machine: VM1
You run Network Watcher again as shown in the following exhibit.
Azure Network Watcher Configuration (Source to Destination)
Source Configuration:

Source type: Virtual machine
Virtual machine: VM1
Destination Configuration:

Destination: Virtual machine
Resource group: RG1
Virtual machine: VM2
Probe Settings:

Protocol: TCP
Destination port: Not specified
Result:

Status: Reachable
Agent extension version: 1.4
Source virtual machine: VM1
Network Watcher: Hops
Name IP Address Status Next Hop IP Address RTT from Source
VM1 172.16.1.4 Reachable 172.16.2.4 0
VM2 172.16.2.4 - - -
Answer Area (Statements to Evaluate)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NSG1 limits VM1 traffic
NSG1 applies to VM2
VM1 and VM2 connect to the same virtual network
Each correct selection is worth one point.

A

Let me help evaluate each statement:

“NSG1 limits VM1 traffic” Answer: No Reason: Looking at the NSG1 rules, while VM1’s subnet (172.16.1.0/24) is mentioned in rule 100 as a source, this rule is actually allowing traffic from VM1 to VM2’s subnet (172.16.2.0/24). The NSG is not limiting VM1’s traffic - it’s explicitly allowing it.

“NSG1 applies to VM2” Answer: Yes Reason: Looking at the NSG rules, we can see that NSG1 has rules that affect traffic to 172.16.2.0/24 (VM2’s subnet). Both rules 100 and 101 have destinations set to 172.16.2.0/24, which is VM2’s subnet. The NSG is controlling traffic to VM2’s subnet, therefore it applies to VM2.

“VM1 and VM2 connect to the same virtual network” Answer: Yes Reason: Several pieces of evidence support this:

The Network Watcher test shows direct communication between VM1 and VM2

The hop count shows direct routing between the VMs (just one hop)

The RTT (Round Trip Time) of 0 indicates they’re in the same network

The subnets (172.16.1.0/24 and 172.16.2.0/24) are part of the same private IP address space, suggesting they’re in the same virtual network but different subnets

The Network Watcher results also show that while port 8080 is unreachable, other TCP ports are reachable between the VMs, which is consistent with them being in the same virtual network but controlled by the NSG rules.

33
Q

Virtual Network Information Table:
| Name | Location | Peered with |
| --- | --- | --- |
| VNet1 | East US | VNet2 |
| VNet2 | East US | VNet1, VNet3 |
| VNet3 | West US | VNet2 |
Virtual Machines Information Table:
| Name | Operating System | Connected to |
| --- | --- | --- |
| VM1 | Windows | VNet1 |
| VM2 | Linux | VNet2 |
| VM3 | Windows | VNet3 |
Note: Each virtual machine contains only a private IP address.
Azure Bastion Creation Details:
Basics Tab:

Subscription: MSDN Platforms
Resource Group: RG1
Instance Details:

Name: Bastion1
Region: East US
Tier: Basic
Instance Count: 2
Configure Virtual Networks:

Virtual Network: VNet1
Subnet: AzureBastionSubnet (10.0.2.0/24)
Public IP Address:

Option: Create new
Public IP Address Name: VNet1-ip
Public IP Address SKU: Standard
Assignment: Static
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.
Statements
The Remote Desktop Connection client (mstsc.exe) can be used to connect to VM1 through Bastion1. Yes/No
The Azure portal can use SSH to connect to VM2 through Bastion1. Yes/No
The Azure portal can be used to connect to VM3 through Bastion1. Yes/No

A

Let me evaluate each statement:

“The Remote Desktop Connection client (mstsc.exe) can be used to connect to VM1 through Bastion1” Answer: No Reason: Azure Bastion provides secure access to VMs through the Azure portal only. It doesn’t support direct RDP client connections using mstsc.exe. Bastion is specifically designed to provide RDP and SSH connectivity through the web browser in the Azure portal, eliminating the need for traditional RDP clients.

“The Azure portal can use SSH to connect to VM2 through Bastion1” Answer: Yes Reason: Even though VM2 is in VNet2, it can be accessed through Bastion1 because:

VNet1 (where Bastion1 is deployed) is peered with VNet2 (where VM2 is located)

Azure Bastion supports SSH connections to Linux VMs through the Azure portal

The peering connection allows the Bastion service to reach VM2

“The Azure portal can be used to connect to VM3 through Bastion1” Answer: No Reason: While VM3 is in VNet3, which is peered with VNet2, there is no direct peering between VNet1 (where Bastion1 is located) and VNet3. Azure VNet peering is not transitive, meaning that even though:

VNet1 is peered with VNet2

VNet2 is peered with VNet3

VNet1 cannot reach VNet3 through VNet2. Therefore, Bastion1 in VNet1 cannot reach VM3 in VNet3 without direct peering between VNet1 and VNet3.

34
Q

You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following configurations:

Operating system: Windows Server 2016
Size: Standard_D1_v2
You run the Get-AzVmss cmdlet as shown in the following exhibit:

PowerShell Commands:
PS Azure:> Get-AzVmss -Name WebProd -ResourceGroupName RG1 | Select -ExpandProperty VirtualMachineProfile.OsProfile.WindowsConfiguration

ProvisionVMAgent : True
EnableAutomaticUpdates : False
TimeZone :
AdditionalUnattendedContent :
WinRM :

PS Azure:> Get-AzVmss -Name WebProd -ResourceGroupName RG1 | Select -ExpandProperty UpgradePolicy

Mode : Automatic
RollingUpgradePolicy :
AutomaticOSUpgradePolicy : Microsoft.Azure.Management.Compute.Models.AutomaticOSUpgradePolicy
Instructions:
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Hot Area (Answer Section):

When an administrator changes the virtual machine size, the size will be changed on up to [dropdown options: 0, 1, 2, 4] virtual machines simultaneously.

When a new build of the Windows Server 2016 image is released, the new build will be deployed to up to [dropdown options: 0, 1, 2, 4] virtual machines simultaneously.

A

Let me analyze each statement:

“When an administrator changes the virtual machine size, the size will be changed on up to 4 virtual machines simultaneously.” Answer: 4 virtual machines Reason:

The upgrade policy mode is set to “Automatic”

With automatic mode and no specific rolling upgrade policy defined, Azure will apply changes to all instances simultaneously

Since there are 4 instances in the scale set, all 4 will be updated at the same time

This is because there’s no RollingUpgradePolicy specified that would limit the number of simultaneous updates

“When a new build of the Windows Server 2016 image is released, the new build will be deployed to up to 0 virtual machines simultaneously.” Answer: 0 virtual machines Reason:

Looking at the configuration, EnableAutomaticUpdates is set to False

The AutomaticOSUpgradePolicy exists but without specific settings

When automatic updates are disabled, new OS builds won’t be automatically deployed

This means no instances will automatically receive new OS builds when they’re released

Any OS updates would need to be manually initiated by an administrator

The key factors here are:

The automatic mode applies to administrator-initiated changes

The disabled automatic updates prevent automatic OS image updates

The absence of a rolling upgrade policy means administrator-initiated changes affect all instances at once

35
Q

HOTSPOT
You have an Azure subscription that contains the storage accounts shown in the following exhibit.

Storage accounts
| Name | Type | Kind | Resource Group | Location |
| --- | --- | --- | --- | --- |
| contoso101 | Storage account | StorageV2 | RG1 | East US |
| contoso102 | Storage account | Storage | RG1 | East US |
| contoso103 | Storage account | BlobStorage | RG1 | East US |
| contoso104 | Storage account | FileStorage | RG1 | East US |
Instructions:
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Answer Area:

You can create a premium file share in:
contoso101 only
contoso104 only
contoso101 or contoso104 only
contoso101, contoso102, or contoso104 only
contoso101, contoso102, contoso103, or contoso104

You can use the Archive access tier in:
contoso101 only
contoso101 or contoso103 only
contoso101, contoso102, and contoso103 only
contoso101, contoso102, and contoso104 only
contoso101, contoso102, contoso103, and contoso104

A

Let me explain the correct answers for both questions:

For Premium File Share creation: Correct answer: “contoso104 only”
Explanation:
Premium file shares can only be created in FileStorage account types
Looking at the storage accounts:
contoso101 (StorageV2): Supports standard file shares, not premium
contoso102 (Storage): Supports standard file shares, not premium
contoso103 (BlobStorage): Doesn’t support file shares
contoso104 (FileStorage): Specifically designed for premium file shares
For Archive Access Tier usage: Correct answer: “contoso101 or contoso103 only”

Explanation:
Archive access tier is only supported in:
StorageV2 accounts (contoso101)
BlobStorage accounts (contoso103)
It is not supported in:
Legacy Storage accounts (contoso102)
FileStorage accounts (contoso104)
Archive tier is specifically designed for blob storage and can only be used with block blobs
The key factors in these answers are:
FileStorage accounts are specifically optimized for premium file share workloads
Archive access tier is a blob-specific feature that requires modern storage account types (StorageV2 or BlobStorage)
Legacy Storage accounts and FileStorage accounts don’t support the Archive tier

36
Q

You are creating an Azure Kubernetes Services (AKS) cluster as shown in the following exhibit.
Create Kubernetes Cluster

Basics:
Subscription: Visual Studio Premium with MSDN
Resource Group: RG1
Region: West Europe
Kubernetes Cluster Name: AKS1
Kubernetes Version: 1.20.9
Node Pools:
Node Pools: 1
Enable virtual nodes: Disabled
Enable auto-scaling: Enabled
Authentication:
Authentication Method: Service Principal
Role-Based Access Control (RBAC): Enabled
AKS-managed Azure Active Directory: Disabled
Encryption Type: (Default) Encryption at-rest with a platform-managed key
Networking:
Network Configuration: Kubenet
DNS Name Prefix: AKS1-dns
Load Balancer: Standard
Private Cluster: Disabled
Authorized IP Ranges: Disabled
Network Policy: None
HTTP application routing: No

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.
Answer Area:

To ensure that you can create Windows containers in AKS1, you must [answer choice].

Enable virtual nodes
Increase the number of node pools
Modify the Kubernetes version setting
Modify the Network configuration setting
To ensure that you can integrate AKS1 with an Azure container registry, you must modify the [answer choice] setting.

AKS-managed Azure Active Directory
Authentication method
Authorized IP ranges
Kubernetes version
Network configuration

A

Let me explain the correct answers for both questions:
To enable Windows containers in AKS1: Correct answer: “Increase the number of node pools”
Explanation:
AKS clusters require at least two node pools to run Windows containers:
The first (default) node pool must be Linux-based and runs system services
A second node pool is required for Windows containers
The current configuration shows only 1 node pool
The first node pool is always Linux-based and cannot be deleted unless the entire cluster is deleted
Adding an additional node pool is necessary to support Windows containers

To ensure integration with Azure Container Registry (ACR): Correct answer: “Authentication method”
Explanation:
The cluster is currently configured to use Service Principal authentication
To enable ACR integration with AKS:
The Service Principal needs to have the proper permissions to pull images from ACR
Alternatively, using Managed Identity (instead of Service Principal) would provide automatic integration
The authentication method setting determines how the AKS cluster authenticates with other Azure services, including ACR
None of the other settings (Network configuration, Kubernetes version, etc.) affect ACR integration
Key points:
Windows containers require a dedicated node pool separate from the system node pool
ACR integration is handled through the cluster’s identity (Service Principal or Managed Identity)
The current Service Principal authentication method needs proper configuration for ACR access

37
Q

Question: To implement network policies between pods in AKS1, you must modify the [answer choice].

Options:

Network Policy setting

Network Configuration

Load Balancer type

Authorized IP Ranges

Private Cluster setting

Correct Answer: “Network Policy setting”
(Currently set to “None”, needs to be changed to Azure or Calico)

A
38
Q

Question: To restrict access to the Kubernetes API server to specific IP ranges, you must enable [answer choice].

Options:

Private Cluster

Authorized IP Ranges

Network Policy

RBAC

AKS-managed Azure Active Directory

Correct Answer: “Authorized IP Ranges”
(Currently disabled, needs to be enabled and configured)

A
39
Q

Question: To ensure that the AKS cluster can automatically scale based on demand, you must have [answer choice].

Options:

Virtual nodes enabled

Auto-scaling enabled

Multiple node pools

Standard load balancer

Private cluster enabled

Correct Answer: “Auto-scaling enabled”
(Already correctly configured as “Enabled”)

A
40
Q

Question: To implement serverless container workloads in AKS1, you must modify the [answer choice].

Options:

Enable virtual nodes

Network Configuration

Authentication Method

Node Pools count

Load Balancer type

Correct Answer: “Enable virtual nodes”
(Currently disabled, needs to be enabled for serverless containers)

A
41
Q

Question: To ensure that users can authenticate to the cluster using their Azure AD credentials, you must modify the [answer choice].

Options:

Authentication Method

AKS-managed Azure Active Directory

Role-Based Access Control

Encryption Type

Network Configuration

Correct Answer: “AKS-managed Azure Active Directory”
(Currently disabled, needs to be enabled for Azure AD authentication)

A
42
Q

HOTSPOT -
You have Azure Storage accounts as shown in the following exhibit.

Storage Accounts Table:

| Name | Type | Kind | Resource Group | Location | Subscription | Access Tier | Replication |
| --- | --- | --- | --- | --- | --- | --- | --- |
| storageaccount1 | Storage account | Storage | ContosoRG1 | East US | Subscription 1 | - | Read-access geo-redundant |
| storageaccount2 | Storage account | StorageV2 | ContosoRG1 | Central US | Subscription 1 | Hot | Geo-redundant |
| storageaccount3 | Storage account | BlobStorage | ContosoRG1 | East US | Subscription 1 | Hot | Locally-redundant |
Question:
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Answer Area:

You can use [answer choice] for Azure Table Storage.

storageaccount1 only
storageaccount2 only
storageaccount3 only
storageaccount1 and storageaccount2 only
storageaccount2 and storageaccount3 only
You can use [answer choice] for Azure Blob Storage.

storageaccount3 only
storageaccount2 and storageaccount3 only
storageaccount1 and storageaccount3 only
All the storage accounts

A

Let me explain the correct answers for both questions:
For Azure Table Storage: Correct answer: “storageaccount1 and storageaccount2 only”

Explanation:
Looking at the storage account types:
storageaccount1 (Storage/Classic): Supports Table Storage
storageaccount2 (StorageV2): Supports Table Storage
storageaccount3 (BlobStorage): Does NOT support Table Storage
BlobStorage account type is specialized for blob storage only
Both General Purpose v1 (Storage) and v2 (StorageV2) support Table Storage
For Azure Blob Storage: Correct answer: “All the storage accounts”

Explanation:
All three storage account types support Blob Storage:
storageaccount1 (Storage/Classic): Supports blobs
storageaccount2 (StorageV2): Supports blobs
storageaccount3 (BlobStorage): Specifically designed for blob storage
Blob storage is a fundamental capability supported across all Azure storage account types
Even though storageaccount3 is specialized for blobs, all account types can store blob data

Key points:
General Purpose accounts (v1 and v2) support all storage services including blobs, files, queues, and tables
BlobStorage accounts are specialized and only support blob storage
StorageV2 is the recommended general-purpose account type for most scenarios
The access tier and replication settings don’t affect which storage services are available

43
Q

HOTSPOT -
You have the App Service plan shown in the following exhibit.

Exhibit 1:
Default: Auto-created scale condition

Scale mode: Scale based on a metric -> Scale to a specific instance count

Rules:

Rule 1: When (Maximum) CPU Percentage > 85, Increase count by 1
Rule 2: When (Average) CPU Percentage < 30, Decrease count by 1
Instance limits:

Minimum: 1
Maximum: 5
Default: 1
Exhibit 2:
The scale-in settings for the App Service plan are configured as follows:

Operator: Less than 30
Metric threshold to trigger scale action: < 30
Duration (in minutes): 5
Time grain (in minutes): 1
Time grain statistic: Average
Action:
Operation: Decrease count by 1
Cool down (minutes): 5
The scale-out rule is configured with the same duration and cooldown as the scale-in rule.

Hot Area:

If after deployment CPU usage is 70 percent for one hour and then reaches 90 percent for five minutes, at that time the total number of instances will be [answer choice].

Options:
1
2
3
4
5
If after deployment the CPU maintains constant usage of 90 percent for one hour, and then the average CPU usage is below 25 percent for nine minutes, at that point the number of instances will be [answer choice].

Options:
1
2
3
4
5

A

Let me analyze each scenario and explain the correct answers:

First Scenario (70% for one hour, then 90% for five minutes): Correct answer: “2”

Explanation:
Initial state: Starts with 1 instance (default)
First hour at 70% CPU:
No scaling action as it’s between the scale-out (85%) and scale-in (30%) thresholds
Remains at 1 instance
When CPU hits 90% for five minutes:
Triggers scale-out rule (>85%)
Duration requirement (5 minutes) is met
Increases by 1 instance
Final count: 2 instances

Second Scenario (90% for one hour, then 25% for nine minutes): Correct answer: “4”
Explanation:
Initial state: Starts with 1 instance
One hour at 90% CPU:
Triggers scale-out rule repeatedly
With 5-minute duration and 5-minute cooldown:
Will scale out every 10 minutes
In one hour, can scale out 6 times maximum
However, limited by maximum instance count of 5
Reaches 5 instances
Nine minutes at 25% CPU:
Triggers scale-in rule (<30%)
Duration requirement (5 minutes) is met
Decreases by 1 instance
Final count: 4 instances
Key factors considered:
Scale rules require the condition to be met for the full duration (5 minutes)
Cooldown period (5 minutes) prevents multiple scaling operations too quickly
Instance limits (min: 1, max: 5) constrain the scaling operations
Scale-in and scale-out operations change instance count by 1 at a time

44
Q

You have an Azure subscription linked to a hybrid Microsoft Entra tenant. The tenant contains the users shown in the following table.
User Table:

| Name | On-premises sync enabled |
| --- | --- |
| User1 | No |
| User2 | Yes |

Azure File Shares Table:

| Name | Storage account |
| --- | --- |
| share1 | contoso2024 |
| share2 | contoso2024 |
| share3 | contoso2025 |
You configure identity-based access for contoso2024 as shown in the following exhibit.

Heading: contoso2024 | Active Directory
File Shares Section:
Step 1: Enable an Active Directory source
Choose the Active Directory source that contains the user accounts that will access a share in this storage account.
You can set up identity-based access control for user accounts located in either one of these three domain services:
Active Directory domain controller you host on a Windows Server (generally referred to as “on-premises AD” even though you might host these servers in Azure).
Azure Active Directory Domain Services (Azure AD DS): A platform as a service, hosted directory service and domain controller in Azure.
Azure AD Kerberos: Allows using Kerberos authentication from Azure AD-joined clients. In order to use Azure AD Kerberos, user accounts must be hybrid identities.

Active Directory: Enabled

Azure Active Directory Domain Services: not enabled

Azure AD Kerberos: not enabled

Step 2: Set Share-Level Permissions

Description:
Once you have enabled the Active Directory source on your storage account, you must configure share-level permissions to get access to your file shares.
There are two ways you can assign share-level permissions:

Assign them to all authenticated identities as a default share-level permission.
Assign them to specific Azure AD users/user groups.
Permissions for all authenticated users and groups:

Default share-level permissions:
( ) Disable permissions, and no access is allowed to file shares.
(*) Enable permissions for all authenticated users and groups.
Selected appropriate role:

Storage File Data SMB Share Contributor

Answer Area:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Note: Each correct selection is worth one point.

Statements:

User1 can access the content in share1.

Yes
No
User2 can access the content in share2.

Yes
No
User2 can access the content in share3.

Yes
No
Which option is correct for each question in the answer area, and why?

A

Let me analyze each statement based on the updated configuration:

User1 can access the content in share1: Answer: No Reason:

Only “Active Directory” (on-premises AD) is enabled as the authentication source

User1 is a cloud-only user (On-premises sync enabled: No)

Azure AD Kerberos is not enabled, which would be required for cloud users

Therefore, User1 cannot authenticate to access share1

User2 can access the content in share2: Answer: Yes Reason:

Active Directory (on-premises AD) is enabled as the authentication source

User2 is synced from on-premises (On-premises sync enabled: Yes)

Default share-level permissions are enabled for all authenticated users

The role “Storage File Data SMB Share Contributor” is assigned

Therefore, User2 can authenticate and access share2

User2 can access the content in share3: Answer: No Reason:

share3 is in a different storage account (contoso2025)

We don’t have any information about the identity-based access configuration for contoso2025

Without knowing the authentication and authorization settings for contoso2025, we cannot assume User2 has access

Therefore, we cannot confirm User2 has access to share3

The key difference from the previous scenario is that only on-premises Active Directory is enabled as an authentication source, while Azure AD DS and Azure AD Kerberos are not enabled. This means only users synced from on-premises AD (like User2) can access the shares, while cloud-only users (like User1) cannot.

45
Q

Scenario Overview
Azure Subscription: A pay-as-you-go subscription.
Virtual Machines and Costs:
VM1: Belongs to Resource Group RG1 with a daily cost of 20 euros.
VM2: Belongs to Resource Group RG2 with a daily cost of 30 euros.
Budget Setup
Budget Name: Budget1
Scope: RG1 (Resource Group)
Budget Details:
Amount: 1,000 EUR
Period: Resets each billing month
Start Date: 6/20/2019
End Date: 6/19/2021
Budget Alerts
Alerts are triggered at specific budget thresholds:
50% of Budget: 500 EUR
Action Group: AG1
Action: Sends 1 Email to User1@Contoso.com.
70% of Budget: 700 EUR
Action Group: AG2
Action: Sends 1 SMS.
100% of Budget: 1,000 EUR
Action Group: AG3
Action: Executes 1 Azure App.
Answer Area
Questions:

When the maximum amount in Budget1 is reached, [answer choice].

Options:
VM1 and VM2 are turned off.
VM1 and VM2 continue to run.
VM1 is turned off, and VM2 continues to run.
Based on the current usage costs of the virtual machines, [answer choice].

Options:
No email notifications will be sent each month.
One email notification will be sent each month.
Two email notifications will be sent each month.
Three email notifications will be sent each month.

A

Let me analyze each question based on the given scenario:

“When the maximum amount in Budget1 is reached…” Correct answer: “VM1 and VM2 continue to run”

Explanation:

Budget alerts are notifications only and don’t automatically stop resources

Even when 100% of the budget is reached:

The action only executes an Azure App

No automatic shutdown of VMs is configured

Budget alerts cannot automatically stop resources

Both VMs will continue to run and accrue costs

“Based on the current usage costs of the virtual machines…” Correct answer: “One email notification will be sent each month”

Explanation:
Let’s calculate monthly costs for RG1 (which is the scope of Budget1):

VM1 (in RG1): 20 euros/day × 30 days = 600 euros/month

VM2 (in RG2): Not included in this budget as it’s in a different resource group

Total monthly cost for RG1 = 600 euros

Alert thresholds:

50% (500 EUR) - Will trigger email notification as 600 > 500

70% (700 EUR) - Won’t trigger as 600 < 700

100% (1,000 EUR) - Won’t trigger as 600 < 1,000

Therefore:

Only the 50% threshold (500 EUR) will be exceeded

Only one email notification will be sent each month

The SMS and Azure App actions won’t be triggered

Key points:

Budget alerts are informational only

Budget scope is limited to RG1

Only VM1’s costs count toward this budget

Only one threshold (50%) is exceeded based on current usage

46
Q

You have an Azure Subscription with a storage account named storageacct1234 and two users named User1 and User2. User1 has been assigned the following roles:

Reader (scope: Resource group, inherited).
Storage Blob Data Contributor (scope: This resource).
Question:
Which two actions can User1 perform? Each correct answer presents a complete solution. Note: Each correct selection is worth one point.

Options:
A. Assign roles to User2 for storageacct1234.
B. Upload blob data to storageacct1234.
C. Modify the firewall of storageacct1234.
D. View blob data in storageacct1234.
E. View file shares in storageacct1234.

A

B. Upload blob data to storageacct1234
D. View blob data in storageacct1234

E. View file shares in storageacct1234
Incorrect: The Storage Blob Data Contributor role applies only to blob storage and does not include access to file shares. Viewing file shares would require a role like Storage File Data Reader or Contributor.

47
Q

Scenario 1:
Active Directory: Enabled
Azure AD DS: Disabled
Azure AD Kerberos: Disabled
Results:

User1: No (Cloud-only user cannot access without Azure AD Kerberos)

User2: Yes (On-premises synced user can access via AD)

User3/share3: No (Different storage account, unknown configuration)

Scenario 2:
Active Directory: Disabled
Azure AD DS: Enabled
Azure AD Kerberos: Disabled
Results:

User1: Yes (Can access via Azure AD DS)

User2: Yes (Can access via Azure AD DS)

User3/share3: No (Different storage account)

Scenario 3:
Active Directory: Disabled
Azure AD DS: Disabled
Azure AD Kerberos: Enabled
Results:

User1: No (Not a hybrid identity required for Kerberos)

User2: Yes (Hybrid identity can use Kerberos)

User3/share3: No (Different storage account)

Scenario 4:
Active Directory: Enabled
Azure AD DS: Enabled
Azure AD Kerberos: Disabled
Results:

User1: Yes (Can access via Azure AD DS)

User2: Yes (Can access via either AD or Azure AD DS)

User3/share3: No (Different storage account)

Scenario 5:
Active Directory: Enabled
Azure AD DS: Disabled
Azure AD Kerberos: Enabled
Results:

User1: No (Not a hybrid identity for Kerberos)

User2: Yes (Can access via AD or Kerberos)

User3/share3: No (Different storage account)

Scenario 6:
Active Directory: Disabled
Azure AD DS: Enabled
Azure AD Kerberos: Enabled
Results:

User1: Yes (Can access via Azure AD DS)

User2: Yes (Can access via Azure AD DS or Kerberos)

User3/share3: No (Different storage account)

Scenario 7:
Active Directory: Enabled
Azure AD DS: Enabled
Azure AD Kerberos: Enabled
Results:

User1: Yes (Can access via Azure AD DS)

User2: Yes (Can access via any of the three methods)

User3/share3: No (Different storage account)

Scenario 8:
Active Directory: Disabled
Azure AD DS: Disabled
Azure AD Kerberos: Disabled
Results:

User1: No (No authentication method enabled)

User2: No (No authentication method enabled)

User3/share3: No (Different storage account)

Scenario 9:
Active Directory: Disabled
Azure AD DS: Disabled
Azure AD Kerberos: Disabled
Default permissions: Disabled
Results:

User1: No (No authentication method enabled and permissions disabled)

User2: No (No authentication method enabled and permissions disabled)

User3/share3: No (Different storage account)

Key Points for Understanding the Answers:

User1 (Cloud-only user) can access when:

Azure AD DS is enabled

Not through Azure AD Kerberos (requires hybrid identity)

Not through on-premises AD

User2 (Hybrid/Synced user) can access when:

Any authentication method is enabled

Can use all three authentication methods

Requires at least one method to be enabled

Share3 access is always “No” because:

It’s in a different storage account (contoso2025)

We don’t have configuration information for that storage account

Cannot assume access without knowing the configuration

Additional considerations:

Default share-level permissions must be enabled

Storage File Data SMB Share Contributor role must be assigned

At least one authentication method must be enabled for any access

Azure AD Kerberos only works for hybrid identities

Azure AD DS works for both cloud-only and hybrid users

On-premises AD works only for synced users

A