test 9 Flashcards

Question

Blob Containers in the Azure Subscription cont1 in storage1 contains blob1. cont2 in storage2 contains blob2. cont3 in storage3 contains blob3. Conditions Condition1 plaintext Copy code ( ( !ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} ) OR ( @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'cont1' ) ) Grants access only to read actions for cont1. Condition2 plaintext Copy code ( ( !ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} ) OR ( @Resource[Microsoft.Storage/storageAccounts/blobServices/blobs:path] StringLike '*2*' ) ) Grants access only to write actions for blob paths containing 2. Role Assignments User1 Role: Storage Blob Data Reader Scope: sub1 Condition: Condition1 User2 Role: Storage Blob Data Owner Scope: storage1 Condition: Condition2 User1 can read blob2? Y / N User2 can read blob3? Y / N User3 can read blob1? Y / N

Answer 1

As of the latest updates, Azure role-based access control (RBAC) with conditions is supported for certain Azure Storage services. The correct answer is E. containers and queues only.

Answer 2

B. Assign Group1 the User Access Administrator role for the root management group.

Answer 3

1. An Azure Key Vault 4. An Access Policy Step 2: Add the Password as a Secret in Azure Key Vault Go to your newly created Key Vault in the Azure Portal. Under Settings, click Secrets. Click + Generate/Import. Fill in the following details: Name: Provide a name for the secret (e.g., AdminPassword). Value: Enter the administrative password you want to store securely. Click Create. Step 3: Configure Access Policies for the Key Vault In the Key Vault settings, select Access Policies. Click + Add Access Policy. In the Permissions dropdown: For Secret Permissions, select Get (to allow the ARM template to retrieve the password). Under Select principal, choose the identity of the service or user that will access the Key Vault (e.g., the service principal used by the ARM template deployment). Click Add and then Save. Step 4: Reference the Secret in Your ARM Template Modify your ARM template to reference the Key Vault secret. Use the following JSON snippet to retrieve the secret from Key Vault: json Copy code { "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2021-03-01", "name": "[parameters('vmName')]", "location": "[resourceGroup().location]", "properties": { "osProfile": { "adminUsername": "[parameters('adminUsername')]", "adminPassword": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'YourKeyVaultName', 'AdminPassword'), '2019-09-01').value]" }, "hardwareProfile": { "vmSize": "[parameters('vmSize')]" } } } Replace YourKeyVaultName and AdminPassword with your Key Vault's name and secret name, respectively. Step 5: Grant Permissions to the ARM Template Ensure that the Azure Resource Manager (ARM) deployment has access to the Key Vault by assigning the appropriate role (e.g., Key Vault Reader) to the service principal or identity used for deployment.

Answer 4

The Answer is correct . - Select Users & Groups : Where you have to choose all users. - Select Cloud apps or actions: to specify the Azure portal - Grant: to grant the MFA.

Answer 5

The correct answer is C. Guest accounts. Explanation: Scenario Summary: App1 in Sub1 uses Azure Active Directory (Azure AD) in the East.contoso.com tenant for user authentication. Users from West.contoso.com need access to App1. App1 uses the Microsoft identity platform (v2.0), which supports multi-tenant applications. Azure AD B2B Collaboration: To allow users from another Azure AD tenant (West.contoso.com) to access resources in East.contoso.com, you can use guest accounts. Azure AD B2B (Business-to-Business) collaboration allows users from external tenants to be invited as guest users into the primary tenant (East.contoso.com) without creating additional accounts. Steps for Implementation: Admins from East.contoso.com invite users from West.contoso.com to the East.contoso.com tenant as guest users. Once added as guest users, they can authenticate using their existing credentials from West.contoso.com to access App1. Why Other Options Are Incorrect: A. A conditional access policy: Conditional Access is used to enforce access policies (e.g., MFA or blocking certain conditions) but does not enable cross-tenant authentication. B. Pass-through authentication: This allows users in an on-premises directory to authenticate directly against Azure AD but is not applicable here since the two divisions have separate tenants. D. An app registration: While App1 uses an app registration in Azure AD, this does not resolve the need for users in a separate tenant to authenticate. Multi-tenancy or B2B collaboration is the correct approach.

Answer 6

Let me help evaluate each statement: "NSG1 limits VM1 traffic" Answer: No Reason: Looking at the NSG1 rules, while VM1's subnet (172.16.1.0/24) is mentioned in rule 100 as a source, this rule is actually allowing traffic from VM1 to VM2's subnet (172.16.2.0/24). The NSG is not limiting VM1's traffic - it's explicitly allowing it. "NSG1 applies to VM2" Answer: Yes Reason: Looking at the NSG rules, we can see that NSG1 has rules that affect traffic to 172.16.2.0/24 (VM2's subnet). Both rules 100 and 101 have destinations set to 172.16.2.0/24, which is VM2's subnet. The NSG is controlling traffic to VM2's subnet, therefore it applies to VM2. "VM1 and VM2 connect to the same virtual network" Answer: Yes Reason: Several pieces of evidence support this: The Network Watcher test shows direct communication between VM1 and VM2 The hop count shows direct routing between the VMs (just one hop) The RTT (Round Trip Time) of 0 indicates they're in the same network The subnets (172.16.1.0/24 and 172.16.2.0/24) are part of the same private IP address space, suggesting they're in the same virtual network but different subnets The Network Watcher results also show that while port 8080 is unreachable, other TCP ports are reachable between the VMs, which is consistent with them being in the same virtual network but controlled by the NSG rules.

Answer 7

Let me evaluate each statement: "The Remote Desktop Connection client (mstsc.exe) can be used to connect to VM1 through Bastion1" Answer: No Reason: Azure Bastion provides secure access to VMs through the Azure portal only. It doesn't support direct RDP client connections using mstsc.exe. Bastion is specifically designed to provide RDP and SSH connectivity through the web browser in the Azure portal, eliminating the need for traditional RDP clients. [1] "The Azure portal can use SSH to connect to VM2 through Bastion1" [2] Answer: Yes Reason: Even though VM2 is in VNet2, it can be accessed through Bastion1 because: VNet1 (where Bastion1 is deployed) is peered with VNet2 (where VM2 is located) Azure Bastion supports SSH connections to Linux VMs through the Azure portal The peering connection allows the Bastion service to reach VM2 "The Azure portal can be used to connect to VM3 through Bastion1" Answer: No Reason: While VM3 is in VNet3, which is peered with VNet2, there is no direct peering between VNet1 (where Bastion1 is located) and VNet3. Azure VNet peering is not transitive, meaning that even though: VNet1 is peered with VNet2 VNet2 is peered with VNet3 VNet1 cannot reach VNet3 through VNet2. Therefore, Bastion1 in VNet1 cannot reach VM3 in VNet3 without direct peering between VNet1 and VNet3.

Answer 8

Let me analyze each statement: "When an administrator changes the virtual machine size, the size will be changed on up to 4 virtual machines simultaneously." Answer: 4 virtual machines Reason: The upgrade policy mode is set to "Automatic" With automatic mode and no specific rolling upgrade policy defined, Azure will apply changes to all instances simultaneously Since there are 4 instances in the scale set, all 4 will be updated at the same time This is because there's no RollingUpgradePolicy specified that would limit the number of simultaneous updates "When a new build of the Windows Server 2016 image is released, the new build will be deployed to up to 0 virtual machines simultaneously." Answer: 0 virtual machines Reason: Looking at the configuration, EnableAutomaticUpdates is set to False The AutomaticOSUpgradePolicy exists but without specific settings When automatic updates are disabled, new OS builds won't be automatically deployed This means no instances will automatically receive new OS builds when they're released Any OS updates would need to be manually initiated by an administrator The key factors here are: The automatic mode applies to administrator-initiated changes The disabled automatic updates prevent automatic OS image updates The absence of a rolling upgrade policy means administrator-initiated changes affect all instances at once

Answer 9

Let me explain the correct answers for both questions: For Premium File Share creation: Correct answer: "contoso104 only" Explanation: Premium file shares can only be created in FileStorage account types Looking at the storage accounts: contoso101 (StorageV2): Supports standard file shares, not premium contoso102 (Storage): Supports standard file shares, not premium contoso103 (BlobStorage): Doesn't support file shares contoso104 (FileStorage): Specifically designed for premium file shares For Archive Access Tier usage: Correct answer: "contoso101 or contoso103 only" Explanation: Archive access tier is only supported in: StorageV2 accounts (contoso101) BlobStorage accounts (contoso103) It is not supported in: Legacy Storage accounts (contoso102) FileStorage accounts (contoso104) Archive tier is specifically designed for blob storage and can only be used with block blobs The key factors in these answers are: FileStorage accounts are specifically optimized for premium file share workloads Archive access tier is a blob-specific feature that requires modern storage account types (StorageV2 or BlobStorage) Legacy Storage accounts and FileStorage accounts don't support the Archive tier

Answer 10

Let me explain the correct answers for both questions: To enable Windows containers in AKS1: [1] Correct answer: "Increase the number of node pools" Explanation: AKS clusters require at least two node pools to run Windows containers: [2] The first (default) node pool must be Linux-based and runs system services A second node pool is required for Windows containers The current configuration shows only 1 node pool The first node pool is always Linux-based and cannot be deleted unless the entire cluster is deleted Adding an additional node pool is necessary to support Windows containers To ensure integration with Azure Container Registry (ACR): [3] Correct answer: "Authentication method" Explanation: The cluster is currently configured to use Service Principal authentication To enable ACR integration with AKS: The Service Principal needs to have the proper permissions to pull images from ACR Alternatively, using Managed Identity (instead of Service Principal) would provide automatic integration The authentication method setting determines how the AKS cluster authenticates with other Azure services, including ACR None of the other settings (Network configuration, Kubernetes version, etc.) affect ACR integration Key points: Windows containers require a dedicated node pool separate from the system node pool ACR integration is handled through the cluster's identity (Service Principal or Managed Identity) The current Service Principal authentication method needs proper configuration for ACR access

Answer 11

Let me explain the correct answers for both questions: For Azure Table Storage: Correct answer: "storageaccount1 and storageaccount2 only" Explanation: Looking at the storage account types: [1] storageaccount1 (Storage/Classic): Supports Table Storage storageaccount2 (StorageV2): Supports Table Storage storageaccount3 (BlobStorage): Does NOT support Table Storage BlobStorage account type is specialized for blob storage only Both General Purpose v1 (Storage) and v2 (StorageV2) support Table Storage For Azure Blob Storage: Correct answer: "All the storage accounts" Explanation: All three storage account types support Blob Storage: storageaccount1 (Storage/Classic): Supports blobs storageaccount2 (StorageV2): Supports blobs storageaccount3 (BlobStorage): Specifically designed for blob storage [2] Blob storage is a fundamental capability supported across all Azure storage account types Even though storageaccount3 is specialized for blobs, all account types can store blob data Key points: General Purpose accounts (v1 and v2) support all storage services including blobs, files, queues, and tables BlobStorage accounts are specialized and only support blob storage StorageV2 is the recommended general-purpose account type for most scenarios The access tier and replication settings don't affect which storage services are available

Answer 12

Let me analyze each scenario and explain the correct answers: First Scenario (70% for one hour, then 90% for five minutes): Correct answer: "2" Explanation: Initial state: Starts with 1 instance (default) First hour at 70% CPU: No scaling action as it's between the scale-out (85%) and scale-in (30%) thresholds Remains at 1 instance When CPU hits 90% for five minutes: Triggers scale-out rule (>85%) Duration requirement (5 minutes) is met Increases by 1 instance Final count: 2 instances Second Scenario (90% for one hour, then 25% for nine minutes): Correct answer: "4" Explanation: Initial state: Starts with 1 instance One hour at 90% CPU: Triggers scale-out rule repeatedly With 5-minute duration and 5-minute cooldown: Will scale out every 10 minutes In one hour, can scale out 6 times maximum However, limited by maximum instance count of 5 Reaches 5 instances Nine minutes at 25% CPU: Triggers scale-in rule (<30%) Duration requirement (5 minutes) is met Decreases by 1 instance Final count: 4 instances Key factors considered: Scale rules require the condition to be met for the full duration (5 minutes) Cooldown period (5 minutes) prevents multiple scaling operations too quickly Instance limits (min: 1, max: 5) constrain the scaling operations Scale-in and scale-out operations change instance count by 1 at a time

Answer 13

Let me analyze each statement based on the updated configuration: User1 can access the content in share1: Answer: No Reason: Only "Active Directory" (on-premises AD) is enabled as the authentication source User1 is a cloud-only user (On-premises sync enabled: No) Azure AD Kerberos is not enabled, which would be required for cloud users Therefore, User1 cannot authenticate to access share1 User2 can access the content in share2: Answer: Yes Reason: Active Directory (on-premises AD) is enabled as the authentication source User2 is synced from on-premises (On-premises sync enabled: Yes) Default share-level permissions are enabled for all authenticated users The role "Storage File Data SMB Share Contributor" is assigned Therefore, User2 can authenticate and access share2 User2 can access the content in share3: Answer: No Reason: share3 is in a different storage account (contoso2025) We don't have any information about the identity-based access configuration for contoso2025 Without knowing the authentication and authorization settings for contoso2025, we cannot assume User2 has access Therefore, we cannot confirm User2 has access to share3 The key difference from the previous scenario is that only on-premises Active Directory is enabled as an authentication source, while Azure AD DS and Azure AD Kerberos are not enabled. This means only users synced from on-premises AD (like User2) can access the shares, while cloud-only users (like User1) cannot.

Answer 14

Let me analyze each question based on the given scenario: "When the maximum amount in Budget1 is reached..." Correct answer: "VM1 and VM2 continue to run" Explanation: Budget alerts are notifications only and don't automatically stop resources Even when 100% of the budget is reached: The action only executes an Azure App No automatic shutdown of VMs is configured Budget alerts cannot automatically stop resources Both VMs will continue to run and accrue costs "Based on the current usage costs of the virtual machines..." Correct answer: "One email notification will be sent each month" Explanation: Let's calculate monthly costs for RG1 (which is the scope of Budget1): VM1 (in RG1): 20 euros/day × 30 days = 600 euros/month VM2 (in RG2): Not included in this budget as it's in a different resource group Total monthly cost for RG1 = 600 euros Alert thresholds: 50% (500 EUR) - Will trigger email notification as 600 > 500 70% (700 EUR) - Won't trigger as 600 < 700 100% (1,000 EUR) - Won't trigger as 600 < 1,000 Therefore: Only the 50% threshold (500 EUR) will be exceeded Only one email notification will be sent each month The SMS and Azure App actions won't be triggered Key points: Budget alerts are informational only [1] Budget scope is limited to RG1 Only VM1's costs count toward this budget Only one threshold (50%) is exceeded based on current usage

Answer 15

B. Upload blob data to storageacct1234 D. View blob data in storageacct1234 E. View file shares in storageacct1234 Incorrect: The Storage Blob Data Contributor role applies only to blob storage and does not include access to file shares. Viewing file shares would require a role like Storage File Data Reader or Contributor.