test11 Flashcards

Question 1

Q

HOTSPOT -
You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit.
PS Azure:> az vm availability-set list -g RG1
[
{
“id”: “/subscriptions/8372f433-2dcd-4361-b5ef-5b188fed87d0/resourceGroups/
RG1/providers/Microsoft.Compute/availabilitySets/WEBPROD-AS-USE2”,
“location”: “eastus2”,
“name”: “WEBPROD-AS-USE2”,
“platformFaultDomainCount”: 2,
“platformUpdateDomainCount”: 10,
“proximityPlacementGroup”: null,
“resourceGroup”: “RG1”,
“sku”: {
},
“capacity”: null,
“name”: “Aligned”,
“tier”: null,
“statuses”: null,
“tags”: {},
“type”: “Microsoft.Compute/availabilitySets”,
“virtualMachines”: []
}
]
Azure:/
You add 14 virtual machines to WEBPROD-AS-USE2.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
When Microsoft performs planned maintenance in East US
2, the maximum number of unavailable virtual machines will
be [answer choice].
2
7
10
14
If the server rack in the Azure datacenter that hosts
WEBPROD-AS-USE2 experiences a power failure, the
maximum number of unavailable virtual machines will be
[answer choice].
2
7
10
14

Answer

A

The correct answers are:

For planned maintenance: 2 virtual machines

For power failure (fault domain): 7 virtual machines

Here’s why:

For Planned Maintenance:

The Availability Set has platformUpdateDomainCount = 10

With 14 VMs distributed across 10 update domains

VMs are distributed as evenly as possible across update domains

14 VMs ÷ 10 update domains ≈ 1.4 VMs per update domain

This means each update domain will have 1-2 VMs

During planned maintenance, Microsoft updates one update domain at a time

Therefore, maximum 2 VMs can be unavailable during planned maintenance

For Power Failure:

The Availability Set has platformFaultDomainCount = 2

Fault domains represent different physical hardware/rack infrastructure

14 VMs distributed across 2 fault domains

14 VMs ÷ 2 fault domains = 7 VMs per fault domain

If a rack (fault domain) experiences power failure

Therefore, maximum 7 VMs can be unavailable during a rack failure

Question 2

Q

Existing Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD)
tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD
tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the
follow
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
ing table.
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown
https://www.certification-questions.com
Microsoft AZ-104
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
in the following table
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-access for
storage1 Storage (general purpose v1) West US sharea Azure Active Domain Ser (Azure AD D
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Domain Ser (Azure AD D
Requirements
Planned Changes
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the follow
Priority Port Protocol Source Destination
500 3389 TCP 10.0.2.0/24 Any
1000 Any ICMP Any Virtual Network
ing
table.
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow

n the
following table.

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to
VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only
permissions to the Azure file shares.
HOTSPOT -
You need to configure Azure Backup to back up the file shares and virtual machines.
What is the minimum number of Recovery Services vaults and backup policies you should create? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
Recovery Services vaults
1
2
3
4
7
Backup policies
1
2
3
4
5
6

Answer

A

For this scenario, the correct answers are:

Recovery Services vaults: 3
Backup policies: 3 [1]

Here’s why:

Recovery Services Vaults (3 needed):

Based on the locations of resources that need backup:

West US (VM1, VM2)

Central US (VM3, storage4/shared)

East US (storage2/shareb, sharec)

Recovery Services vaults must be in the same region as the resources they protect. You cannot back up resources from one region to a vault in another region.

Backup Policies (3 needed):

You need different backup policies for:

Azure VMs (one policy)

Azure Files in StorageV2 accounts (one policy for storage2 shares)

Azure Files in FileStorage accounts (one policy for storage4 share)

The reason for 3 policies:

Different resource types (VMs vs. File Shares) require different backup policies

Different storage account kinds (StorageV2 vs. FileStorage) may have different backup requirements

All VMs can share the same backup policy since they have similar requirements

This configuration:

Meets the technical requirement to “Back up the Azure file shares and virtual machines using Azure Backup”

Follows best practices for regional data residency

Provides appropriate separation of backup policies for different resource types

Is the minimum required number while still meeting all requirements

Question 3

Q

You have an Azure virtual machine named VM1.
You use Azure Backup to create a backup of VM1 named Backup1.
After creating Backup1, you perform the following changes to VM1:
✑ Modify the size of VM1.
✑ Copy a file named Budget.xls to a folder named Data.
✑ Reset the password for the built-in administrator account.
✑ Add a data disk to VM1.
An administrator uses the Replace existing option to restore VM1 from Backup1.
You need to ensure that all the changes to VM1 are restored.
Which change should you perform again?

A. Modify the size of VM1.
B. Reset the password for the built-in administrator account.
C. Add a data disk.
D. Copy Budget.xls to Data.

Answer

A

D. Copy Budget.xls to Data.

Reasoning:
When you restore an Azure virtual machine using the Replace existing option in Azure Backup, the following applies:

VM Size Changes:

The VM size is automatically restored to the size it had at the time of the backup. Any subsequent size changes will be lost after restoration.
Why incorrect: Since the VM size is restored, you don’t need to manually reapply the size change.
Built-in Administrator Password Reset:

Azure Backup does not capture OS-level settings like password resets for the built-in administrator account. However, after the restore, you can use Azure VM access reset tools if needed.
Why incorrect: This change is not stored in the backup, but Azure tools can reset it later.
Data Disk Addition:

Additional disks attached to a VM after the backup are not included. You would need to reattach them manually after restoration.
Why incorrect: The question asks specifically about changes to VM1. Attaching a new data disk is external to the VM’s original backup configuration.
File Copying (Correct Answer):

Azure VM backups capture the contents of the OS and data disks present during the backup. Files added after the backup are not included.
Why correct: Since Budget.xls was copied after the backup, it will not be restored and must be manually copied again.
Key Takeaways:
Azure Backup captures: VM configuration, OS disk, and attached data disks at the time of backup.
Not captured: Password resets, files added after the backup, and data disks attached later.

Question 4

Q

You have an Azure subscription that contains an Azure Backup vault named Backup1, a Recovery Services vault named Recovery1, and the resources shown in the
following table.

You plan to back up the resources.

Which resource can be backed up to Backup1, and which resource can be backed up to Recovery1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer Area
Backup1:
App1
DB1
Disk1
VM1
Recovery1:
App1
DB1
Disk1
VM1

Name | Type |
|—|—|
| VM1 | Virtual machine |
| Disk1 | Disk |
| App1 | Azure App Service web app |
| DB1 | Azure SQL Database |

Answer

A

For this scenario, the correct selections for each vault are:

Backup1 (Azure Backup vault):

VM1

Recovery1 (Recovery Services vault):

DB1

Let me explain why these are the single best answers for each vault:

For Backup1 (Azure Backup vault):

VM1 is the best choice because:

Azure Backup vault is optimized for VM backups

It provides better performance for VM backups

It’s the newer, recommended solution for VM protection

While Disk1 can also be backed up here, VM backup includes the disks automatically

For Recovery1 (Recovery Services vault):

DB1 is the best choice because:

Azure SQL Database can ONLY be backed up to Recovery Services vault

It’s the traditional and proven solution for database workloads

SQL Database backup is a core functionality of Recovery Services vault

Why other options are not the best choice:

App1 (App Service) has its own native backup functionality

Disk1 is better protected as part of VM backup

While VM1 can be backed up to Recovery Services vault, Azure Backup vault is the newer, recommended solution

This answer focuses on the most appropriate and optimized choice for each vault type, considering:

Best practices

Microsoft recommendations

Optimal performance

Specific workload requirements

Question 5

Q

You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault.
What should you do first?

A. From the Recovery Service vault, delete the backup data.
B. Modify the disaster recovery properties of each virtual machine.
C. Modify the locks of each virtual machine.
D. From the Recovery Service vault, stop the backup of each backup item.

Answer

A

D. From the Recovery Service vault, stop the backup of each backup item.

To delete an Azure Recovery Services vault, you must first remove all dependencies. This includes stopping backup for each backup item (protected VM or other resources) and deleting backup data if needed.

Stop Backup of Each Backup Item:

Before deleting the vault, you must stop the backup of each item in the Recovery Services vault. This action removes the association between the VMs and the vault.
Why Not the Other Options?

A. Delete the backup data:

This is only allowed after stopping the backup. You cannot delete backup data while backups are still enabled.
B. Modify the disaster recovery properties of each VM:

Disaster recovery properties are unrelated to the deletion of the Recovery Services vault.
C. Modify the locks of each VM:

VM locks are related to preventing deletion or changes at the VM level, not to the vault itself.

Question 6

Q

You have an Azure subscription that has a Recovery Services vault named Vault1. The subscription contains the virtual machines shown in the following table:

Name Operating system Auto-shutdown
VM1 Windows Server 2012 R2 Off
VM2 Windows Server 2016 19:00
VM3 Ubuntu Server 18.04 LTS Off
VM4 Windows 10 19:00
You plan to schedule backups to occur every night at 23:00.
Which virtual machines can you back up by using Azure Backup?
A. VM1 and VM3 only
B. VM1, VM2, VM3 and VM4
C. VM1 and VM2 only
D. VM1 only

Answer

A

B. VM1, VM2, VM3 and VM4

Question 7

Q

Overview -

ADatum Corporation is consulting firm that has a main office in Montreal and branch offices in Seattle and New York.

Existing Environment -

Azure Environment -

ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.

The subscription contains the storage accounts shown in the following table.
|—|—|—|—|—|—|
| storage1 | StorageV2 | West US | Yes | cont1 | share1 |
| storage2 | StorageV2 | West US | No | cont2 | share2 |

The subscription contains the virtual machines shown in the following table.

The subscription has an Azure container registry that contains the images shown in the following table.

The subscription contains the resources shown in the following table.

Azure Key Vault -

The subscription contains an Azure key vault named Vault1.

Vault1 contains the certificates shown in the following table.

| Name | Content type | Key type | Key size |
|—|—|—|—|
| Cert1 | PKCS#12 | RSA | 2048 |
| Cert2 | PKCS#12 | RSA | 4096 |
| Cert3 | PEM | RSA | 2048 |
| Cert4 | PEM | RSA | 4096 |

Vault1 contains the keys shown in the following table.

| Name | Type | Description |
|—|—|—|
| Key1 | RSA | Has a key size of 4096 |
| Key2 | EC | Has Elliptic curve name set to P-256 |
Microsoft Entra Environment -

ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.
Name Microsoft Entra role Azure role
Admin1 Global Administrator None
Admin2 Attribute Definition Administrator None
Admin3 Attribute Assignment Administrator None
User1 None Reader for RG2 and RG3
The tenant contains the groups shown in the following table.
Name Type
Group1 Security group
Group2 Microsoft 365 group
The adatum.com tenant has a custom security attribute named Attribute1.

Planned Changes -

ADatum plans to implement the following changes:

Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
In storage1, create a new container named cont2 that has the following access policies: o Three stored access policies named Stored1, Stored2, and Stored3 o A legal hold for immutable blob storage
Whenever possible, use directories to organize storage account content.
Grant User1 the permissions required to link Zone1 to VNet1.
Assign Attribute1 to supported adatum.com resources.
In storage2, create an encryption scope named Scope1.
Deploy new containers by using Image1 or Image2.

Technical Requirements -

ADatum must meet the following technical requirements:

Use TLS for WebApp1.
Follow the principle of least privilege.
Grant permissions at the required scope only.
Ensure that Scope1 is used to encrypt storage services.
Use Azure Backup to back up cont1 and share1 as frequently as possible.
Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.
You need to configure Azure Backup to meet the technical requirements for cont1 and share1.

To what should you set the backup frequency for each resource? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.
Answer area:
cont1 <answer>
Every hour
Every 4 hours
Every 6 hours
Every 12 hours
Daily</answer>

share1 <answer>
Every hour
Every 4 hours
Every 6 hours
Every 12 hours
Daily</answer>

Name | Size | Operating system | Description |
|—|—|—|—|
| VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks |
| VM2 | D | Windows Server 2022 | Has a basic volume |
| VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses a standard SSDs |
| VM4 | M | Windows Server 2022 | Uses Write Accelerator disks |
| VM5 | E | Windows Server 2022 | Has a dynamic volume |

Answer

A

For this scenario, the correct backup frequencies are: [1]

cont1: Every 4 hours
share1: Daily

Here’s why:

For cont1 (Container):

Azure Backup for blob containers supports backup frequency as frequent as every 4 hours

The requirement states “as frequently as possible”

Therefore, Every 4 hours is the most frequent option available for blob containers

This provides the best possible RPO (Recovery Point Objective) for blob storage

For share1 (File Share):

Azure File Share backup only supports daily backup frequency

Even though the requirement asks for “as frequently as possible”

Daily is the only available option for Azure File Shares

This is a platform limitation for Azure File Share backups

Key considerations:

Platform limitations:

Blob containers: Minimum interval is 4 hours

File shares: Only supports daily backups

Technical requirements state:

“Use Azure Backup to back up cont1 and share1 as frequently as possible”

Must work within the platform limitations

Must be supported by Azure Backup service

Best practices:

Choose the most frequent backup option available for each resource type [2]

Consider the recovery point objectives (RPO)

Work within service limitations

Therefore, selecting “Every 4 hours” for cont1 and “Daily” for share1 represents the most frequent possible backup schedule while staying within Azure Backup service limitations.

Question 8

Q

You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault.
What should you do first?

A. From the Recovery Service vault, delete the backup data.
B. Modify the disaster recovery properties of each virtual machine.
C. Modify the locks of each virtual machine.
D. From the Recovery Service vault, stop the backup of each backup item.

Answer

A

The correct answer is D: From the Recovery Service vault, stop the backup of each backup item.
Here’s why this is the correct first step to delete a Recovery Services vault: [1]
Required Sequence to Delete a Recovery Services Vault:

Step 1: Stop backup for all protected items (This is option D)
Step 2: Delete the backup data/recovery points
Step 3: Delete the vault

Copy
Insert at cursor
plaintext
Why Option D is Correct:
You must first stop protection for all backup items
This removes the backup policy association
This is a prerequisite before you can delete backup data
This ensures a controlled decommissioning of backup protection
Important Notes:
You cannot delete a vault that contains protected items
Stopping backup is a prerequisite for all other deletion steps
This is a safety measure to prevent accidental data loss
The process must be done in the correct order
Therefore, option D is the correct first step as it’s the necessary prerequisite for deleting a Recovery Services vault.

Question 9

Q

You purchase a new Azure subscription named Subscription1.
You create a virtual machine named VM1 in Subscription1. VM1 is not protected by Azure Backup.
You need to protect VM1 by using Azure Backup. Backups must be created at 01:00 and stored for 30 days.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer Area

Location in which to store the backups:

A blob container
A file share
A Recovery Services vault
A storage account
Object to use to configure the protection for VM1:

A backup policy
A batch job
A batch schedule
A recovery plan

Answer

A

Location to store the backups:
A Recovery Services vault
Object to use to configure the protection for VM1:
A backup policy
Why correct:
Purpose-built for Azure Backup
Provides secure storage for backups
Supports VM backup natively
Includes built-in management features
Handles retention policies automatically

Object - Backup policy:
Why correct:

Defines backup schedule (01:00)
Sets retention period (30 days)
Can be applied to multiple VMs
Manages backup consistency
Handles automated backups
Why other options are incorrect:
Location options:
Blob container: Not designed for VM backups
File share: Cannot store VM backups
Storage account: No built-in backup management
Object options:
Batch job: For compute operations, not backup
Batch schedule: Not related to backup
Recovery plan: For disaster recovery scenarios
The combination of Recovery Services vault and backup policy provides: [2]
Proper storage location for backups
Scheduling capability (01:00)
Retention management (30 days)
Built-in security and management
Compliance with Azure Backup best practices

Question 10

Q

You have an Azure subscription that contains a virtual machine named VM1. You need to back up VM1. The solution must ensure that backups are stored across three availability zones in the primary region.

Question: Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Actions:

Configure a replication policy.
Set Replication to Zone-redundant storage (ZRS).
For VM1, create a backup policy and configure the backup.
Set Replication to Locally-redundant storage (LRS).
Create a Recovery Services vault.
Answer Area:

Answer

A

Answer Area:

Action 1: Create a Recovery Services vault.
Action 2: Set Replication to Zone-redundant storage (ZRS).
Action 3: For VM1, create a backup policy and configure the backup.
Explanation:
Create a Recovery Services vault: The first step is always to create a Recovery Services vault, which is required to manage the backup and restore operations for Azure resources, including virtual machines.

Set Replication to Zone-redundant storage (ZRS): To meet the requirement of ensuring backups are stored across three availability zones, you should configure the replication type to Zone-redundant storage (ZRS). This ensures the backup data is replicated across multiple zones in the primary region.

For VM1, create a backup policy and configure the backup: After setting up the vault and replication settings, the final step is to configure a backup policy for VM1, which includes defining the backup schedule and retention policy.

Question 11

Q

You have an Azure subscription that contains the resources shown in the following table.
Name Type Resource group Location
Vault1 Recovery services vault RG1 East US
VM1 Virtual machine RG1 East US
VM2 Virtual machine RG1 West US
All virtual machines run Windows Server 2016.
On VM1, you back up a folder named Folder1 as shown in the following exhibit.
Schedule Backup Wizard
Specify Backup Schedule (Files and Folders)
Getting started Define a schedule when you want to create a backup copy for
Select Items to Backup selected files and folders
Specify Backup Schedu… Schedule a backup every
Select Retention Policy… * Day ○ Week
Choose Initial Backup T…
Confirmation
Modify Backup Progress
At following times (Maximum allowed is three times a day)
6:00 AM 10:00 PM None
You plan to restore the backup to a different virtual machine.
You need to restore the backup to VM2.
What should you do first?
A. From VM1, install the Windows Server Backup feature.
B. From VM2, install the Microsoft Azure Recovery Services Agent.
C. From VM1, install the Microsoft Azure Recovery Services Agent.
D. From VM2, install the Windows Server Backup feature.

Answer

A

The correct answer is B. From VM2, install the Microsoft Azure Recovery Services Agent.
Explanation:
To restore a backup from Azure Recovery Services Vault to a different virtual machine (in this case, VM2), you need to have the Microsoft Azure Recovery Services Agent installed on the target virtual machine (VM2). This agent is responsible for communicating with the Recovery Services Vault and managing the restore process.
Here’s a brief overview of why the other options are not correct:
A. From VM1, install the Windows Server Backup feature.
This option is not relevant because the Windows Server Backup feature is not needed on VM1 for restoring backups to VM2.
C. From VM1, install the Microsoft Azure Recovery Services Agent.
This option is also incorrect because installing the agent on VM1 does not help in restoring the backup to VM2. The agent needs to be on the machine where the restore is taking place.
D. From VM2, install the Windows Server Backup feature.
While having Windows Server Backup can be useful for local backups, it is not necessary for restoring from Azure Recovery Services Vault. The Azure Recovery Services Agent is required instead.

Question 12

Q

You have an Azure subscription that contains a virtual machine name VM1.
VM1 has an operating system disk named Disk1 and a data disk named Disk2.
You need to back up Disk2 by using Azure Backup.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct
order.
Select and Place:
Actions
Configure a managed identity
Create an Azure Backup vault
Create a Recovery Services vault
Delegate permissions for the vault
Create a backup policy and configure the backup
Answer Area

Answer

A

Create a Recovery Services vault
Create a backup policy and configure the backup
Configure a managed identity
Explanation:
1. Create a Recovery Services vault:
This is the first step because the Recovery Services vault is required to store the backup data. You need to create this vault before you can perform any backup operations
2. Create a backup policy and configure the backup:
Once the vault is set up and permissions are delegated, you can create a backup policy that defines how and when the backups will occur. This policy is essential for configuring the backup of Disk2.

Question 13

Q

Your company has an Azure subscription that includes a Recovery Services vault.
You want to use Azure Backup to schedule a backup of your company’s virtual machines (VMs) to the Recovery Services vault.
Which of the following VMs can you back up? Choose all that apply.

A. VMs that run Windows 10.
B. VMs that run Windows Server 2012 or higher.
C. VMs that have NOT been shut down.
D. VMs that run Debian 8.2+.
E. VMs that have been shut down.

Answer

A

The correct options for VMs that can be backed up using Azure Backup are:
Correct Answers:
B. VMs that run Windows Server 2012 or higher.
D. VMs that run Debian 8.2+.
C. VMs that have NOT been shut down.
E. VMs that have been shut down.
Explanation:
B. VMs that run Windows Server 2012 or higher:
Azure Backup supports backing up Windows Server operating systems starting from Windows Server 2012 and later versions (e.g., 2016, 2019, 2022). This option is valid.
D. VMs that run Debian 8.2+:
Azure Backup also supports backing up certain Linux distributions, including Debian 8.2 and later versions. Therefore, this option is valid as well.
C. VMs that have NOT been shut down:
Azure Backup can back up VMs whether they are running or stopped. Therefore, this option is valid because it indicates that VMs can be backed up while they are running.
E. VMs that have been shut down:
Azure Backup can also back up VMs that are stopped (shut down). This option is valid as well, as it indicates that VMs can be backed up regardless of their power state.
Incorrect Answer:
A. VMs that run Windows 10:
Azure Backup does not support backing up Windows 10 VMs. It is primarily designed for server operating systems, not client operating systems like Windows 10.
Summary:
The valid options for VMs that can be backed up using Azure Backup are those running Windows Server 2012 or higher, those running Debian 8.2 or later, and VMs that can be in either running or stopped states.

Question 14

Q

HOTSPOT -
You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area

To add a backend pool to LB1:
Contributor on LB1
Network Contributor on LB1
Network Contributor on RG1
Owner on LB1

To add a health probe to LB2:
Contributor on LB2
Network Contributor on LB2
Network Contributor on RG1
Owner on LB2

Answer

A

To ensure that Admin1 can manage the internal load balancer (LB1) and the public load balancer (LB2) while following the principle of least privilege, we need to assign the most appropriate roles for each task.
Answer Area
1. To add a backend pool to LB1:
Correct Option: Network Contributor on LB1
Reason: The Network Contributor role allows the user to manage network resources, including load balancers, without granting full access to the resource group or the ability to delete the load balancer. This is the least privilege required to add a backend pool specifically to LB1.
To add a health probe to LB2:
Correct Option: Network Contributor on LB2
Reason: Similar to LB1, the Network Contributor role on LB2 allows Admin1 to manage the health probes and other network-related settings for the public load balancer without giving broader permissions that are not necessary for this task.

Question 15

Q

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:

User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:

Create an access review

Access reviews enable reviewers to attest user’s membership in a group or access to an application.
* Review name Review1
Description
* Start date 2018-11-22
Frequency One time
Duration (in days)
End Never End by Occurrence
Number of times 0
* End date 2018-12-22
Users
Users to review Members of a group
Scope Guest users only
Everyone
* Group Group1
Reviewers
Reviewers Group owners
Programs
Link to program
Default program
Upon completion settings
Advanced settings

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
Statements
User3 can perform an access review of User1? yes/no
User3 can perform an access review of UserA ? yes/no
User3 can perform an access review of UserB? yes/no

Answer

A

To determine whether User3 can perform an access review of the specified users, we need to consider the roles and group memberships in the context of the access review configuration.
Access Review Configuration:
Review Name: Review1
Group: Group1
Scope: Guest users only
Reviewers: Group owners (User3 is the owner of Group1)
Answer Area
1. User3 can perform an access review of User1?
Answer: No
Reason: User1 is a member of Group1, but the access review is scoped to “Guest users only.” Since User1 is not a guest user, User3 cannot perform an access review on User1.
2. User3 can perform an access review of UserA?
Answer: No
Reason: UserA is a member of Group2, which is a member of Group1. However, UserA is not a guest user, and the access review is limited to guest users only. Therefore, User3 cannot perform an access review on UserA.
3. User3 can perform an access review of UserB?
Answer: Yes
Reason: UserB is a guest user and is a member of Group2, which is part of Group1. Since the access review is scoped to guest users, User3 can perform an access review on UserB.
Summary of Correct Selections:
User3 can perform an access review of User1? No
User3 can perform an access review of UserA? No
User3 can perform an access review of UserB? Yes

Question 16

Q

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

In storage1, you create a blob container named blob1 and a file share named share1.
Which resources can be backed up to Vault1 and Vault2? To answer, select the appropriate options in the answer area
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
Can use Vault1 for backups:
VM1 only
VM1 and share1 only
VM1 and SQL1 only
VM1, storage1, and SQL1 only
VM1, blob1, share1, and SQL1
Can use Vault2 for backups:
storage1 only
share1 only
VM1 and share1 only
blob1 and share1 only
storage1 and SQL1 only
which option is correct in per question on answer area? why correct?

Answer

A

Correct Answers:
Can use Vault1 for backups:
VM1 only

Can use Vault2 for backups:
share1 only

Explanation:
Understanding Recovery Services Vaults:
A Recovery Services vault in Azure is used for backing up supported workloads such as:
Virtual Machines (VMs)
Azure File Shares
Azure SQL databases
Backups are location-specific, meaning the Recovery Services vault must be in the same region as the resource being backed up.
Resources:
Vault1

Location: Central US
Eligible Resources for Backup: Only resources in Central US can be backed up to Vault1.
From the table:

VM1: Central US → Eligible for backup.
storage1 and its containers (blob1 and share1): Located in West US → Not eligible.
SQL1: Located in East US → Not eligible.
Therefore, only VM1 can use Vault1.

Vault2

Location: West US
Eligible Resources for Backup: Only resources in West US can be backed up to Vault2.
From the table:

storage1: West US → Can back up the Azure File Share (share1) but not blob storage because Azure Backup does not back up blob storage.
share1: Located in storage1 (West US) → Eligible.
VM1: Central US → Not eligible for Vault2 (region mismatch).
SQL1: East US → Not eligible.
Therefore, share1 only and VM1 are valid. Thus, the correct choice is share1.

Question 17

Q

You have an Azure subscription.

You plan to migrate 50 virtual machines from VMware vSphere to the subscription.

You create a Recovery Services vault.

What should you do next?

A. Configure an extended network.
B. Create a recovery plan.
C. Deploy an Open Virtualization Application (OVA) template to vSphere.
D. Configure a virtual network.
which option is correct? why?

Answer

A

To migrate virtual machines from VMware vSphere to an Azure subscription using a Recovery Services vault, the next step after creating the vault is to ensure that the virtual machines can communicate with Azure and are properly configured for migration.
Correct Option:
D. Configure a virtual network.
Explanation:
1. Configure a Virtual Network: Before migrating virtual machines to Azure, you need to set up a virtual network in Azure. This virtual network will provide the necessary network infrastructure for the migrated VMs to communicate with each other and with other Azure resources. It is essential to have a virtual network configured to ensure that the VMs can be properly integrated into the Azure environment.
Other Options:
A. Configure an extended network: This step is typically part of the migration process but is not the immediate next step after creating a Recovery Services vault.
B. Create a recovery plan: This is relevant for disaster recovery scenarios and is not the first step in the migration process.
C. Deploy an Open Virtualization Application (OVA) template to vSphere: This option is not applicable in the context of migrating VMs to Azure. OVA templates are used for packaging and distributing virtual appliances, not for migrating to Azure.

Question 18

Q

HOTSPOT -
You have an Azure App Service app named WebApp1 that contains two folders named Folder1 and Folder2.
You need to configure a daily backup of WebApp1. The solution must ensure that Folder2 is excluded from the backup.
What should you create first, and what should you use to exclude Folder2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
First create:
A Backup vault
A Recovery Services vault
A resource group

To exclude Folder2, use:
An Azure Storage account
A_backup.filter file
A backup policy
A lock
A WebJob

Answer

A

To configure a daily backup of an Azure App Service app (WebApp1) while excluding a specific folder (Folder2), you need to consider the Azure services and features available for backup and exclusion.
Answer Area:
First create:
A Recovery Services vault
To exclude Folder2, use:
A_backup.filter file
Explanation:
1. First create: A Recovery Services vault
Reason: A Recovery Services vault is specifically designed for managing backups and recovery of Azure resources, including Azure App Services. It provides the necessary infrastructure to configure and manage backups for your app. A Backup vault is typically used for virtual machines and other resources, but for App Services, the Recovery Services vault is the correct choice.
To exclude Folder2, use: A_backup.filter file
Reason: The _backup.filter file is used to specify which files or folders should be included or excluded from the backup process. By creating this file and placing it in the root of your app’s directory, you can define the exclusion of Folder2 from the backup. This is the standard method for excluding specific content in Azure App Service backups.
Summary:
First create: A Recovery Services vault to manage the backup of WebApp1.
To exclude Folder2: Use A_backup.filter file to specify the exclusion of that folder from the backup process.

Question 19

Q

DRAG DROP -
Your company has an Azure subscription that includes a number of Azure virtual machines (VMs), which are all part of the same virtual network.
Your company also has an on-premises Hyper-V server that hosts a VM, named VM1, which must be replicated to Azure.
Which of the following objects that must be created to achieve this goal? Answer by dragging the correct option from the list to the answer area.
Select and Place:
Options Answer
Hyper-V site
Storage account
Azure Recovery
Services Vault
Azure Traffic
Manager instance
Replication policy
Endpoint

Answer

A

Correct Answer:
Azure Recovery Services Vault
Hyper-V site
Replication policy
Explanation:
To replicate an on-premises Hyper-V VM (VM1) to Azure, you need to configure Azure Site Recovery (ASR). ASR allows you to replicate on-premises virtual machines to Azure for disaster recovery purposes. Below are the key components required to achieve this:

Steps and Why They Are Correct
Azure Recovery Services Vault

This is the first component required because the Recovery Services vault acts as the central location for managing and storing replication data.
All replication and recovery-related configurations are stored in this vault.
Without the Recovery Services vault, you cannot enable or manage replication for on-premises VMs.
Hyper-V Site

In ASR, you need to configure an on-premises Hyper-V site.
The Hyper-V site represents the collection of Hyper-V servers that are part of the replication process.
The VM (VM1) must be associated with this site to enable replication to Azure.
Replication Policy

A replication policy defines how the replication will occur. It includes settings like recovery point retention, app-consistent snapshots, and frequency of replication.
You need this policy to control how the Hyper-V VM data is replicated to Azure.
Why the Other Options Are Incorrect
Storage account: While Azure Site Recovery uses storage to hold replication data, the storage is configured automatically as part of the Recovery Services vault setup. You do not manually create a storage account for replication.

Azure Traffic Manager instance: Traffic Manager is used for DNS-based traffic routing and is not involved in replicating on-premises VMs to Azure.

Endpoint: Endpoints are used for communication between VMs and the network. They are not required for configuring replication of on-premises Hyper-V VMs to Azure.

Summary of Correct Steps:
Azure Recovery Services Vault: Central management and storage for replication data.
Hyper-V site: Represents the on-premises Hyper-V servers.
Replication policy: Defines the settings and behavior for replication.

Question 20

Q

A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1
B. Remove the resource lock from VNET1 and delete all data in Vault1
C. Turn off VM1 and remove the resource lock from VNET1
D. Turn off VM1 and delete all data in Vault1

Answer

A

Option B: “Remove the resource lock from VNET1 and delete all data in Vault1” is the correct answer.

Here’s why:

Resource Lock Issue:
VNET1 has a Delete lock, which prevents the deletion of the resource
The resource lock must be removed first because you cannot delete a resource group if any of its resources have a delete lock [1]
Resource locks take precedence over permissions
Recovery Services Vault Issue:
VM1 has backups stored in Vault1
You cannot delete a Recovery Services vault that contains backup data
All backup data must be deleted from the vault before the vault itself can be deleted
The presence of backup data will prevent the deletion of both the vault and, by extension, the resource group
Why other options are incorrect:
Option A is incorrect because:
Just modifying the backup configuration wouldn’t remove existing backups
Modifying the lock type wouldn’t help; the lock needs to be removed completely
Option C is incorrect because:
While removing the resource lock is necessary
Simply turning off VM1 doesn’t address the backup data in Vault1
The vault with backup data would still prevent resource group deletion
Option D is incorrect because:
While deleting vault data is necessary
The delete lock on VNET1 would still prevent resource group deletion
Turning off VM1 is not necessary for deletion
The correct sequence would be:
Remove the delete lock from VNET1
Delete all backup data from Vault1
Then you can proceed with deleting the resource group TestRG [2]
This approach addresses both blocking issues: the resource lock and the backup data, which are the main obstacles preventing the resource group deletion.

Question 21

Q

You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2.
VM2 is backed up to RSV1.
You need to back up VM2 to RSV2.
What should you do first?

A. From the RSV1 blade, click Backup items and stop the VM2 backup
B. From the RSV2 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup
C. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault
D. From the RSV1 blade, click Backup Jobs and export the VM2 job

Answer

A

A. From the RSV1 blade, click Backup items and stop the VM2 backup

Explanation:
In Azure, a virtual machine (VM) can only be backed up to one Recovery Services vault (RSV) at a time. If you need to back up a VM to a different vault, you must stop the existing backup in the current vault first and then reconfigure the backup in the new vault.

Here’s why each option is correct or incorrect:

Option A: Correct
To back up VM2 to a different vault (RSV2), you first need to stop the existing backup configuration in the current vault (RSV1).
Once the backup is stopped and the configuration is removed, you can reconfigure the VM backup to point to the new Recovery Services vault (RSV2).
Steps:

Go to the RSV1 blade.
Stop the backup for VM2 under Backup items.
Reconfigure the backup for VM2 to point to RSV2.
Option B: Incorrect
The Backup blade on the RSV2 vault does not allow you to take over or migrate an existing backup configuration from another vault.
You cannot back up a VM to RSV2 while it is already registered with RSV1. The existing backup must be stopped first.
Option C: Incorrect
The Disaster Recovery and Replication settings options are part of Azure Site Recovery (ASR), which is for replication and disaster recovery, not for backups.
This does not apply when configuring backups in Recovery Services vaults.
Option D: Incorrect
Backup Jobs are logs of backup activities (e.g., success, failure) for existing backups. Exporting a job log does not stop or move the backup configuration.
This does not allow you to reconfigure VM2 to back up to RSV2.
Why Option A is Correct:
Azure does not allow a VM to be associated with two Recovery Services vaults simultaneously.
Stopping the existing backup in RSV1 frees up VM2, so you can configure a new backup to RSV2.
Final Steps After Choosing Option A:
Stop the backup in RSV1.
Go to the RSV2 blade.
Configure a new backup for VM2 in RSV2.
This ensures the VM is properly associated with the new Recovery Services vault.

Question 22

Q

You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault.
What should you do first?

A. From the Recovery Service vault, delete the backup data.
B. Modify the disaster recovery properties of each virtual machine.
C. From the Recovery Service vault, stop the backup of each backup item.
D. Modify the locks of each virtual machine.

Answer

A

C. From the Recovery Service vault, stop the backup of each backup item.

Question 23

Q

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller.
Does the solution meet the goal?

A. Yes
B. No
which is correct? why correct?

Answer

A

B: No is the correct answer.
Here’s why this solution does not meet the goal:
The scenario involves DirSync (Directory Synchronization) between on-premises Active Directory and Azure AD, and the requirement is to force immediate synchronization of a new user account to Azure AD.
Why forcing Global Catalog replication is not the correct solution:
Global Catalog replication only affects the replication between on-premises domain controllers
It doesn’t trigger synchronization to Azure AD
This only ensures the user is replicated within the on-premises Active Directory infrastructure
The correct approach would be to:
Use the Start-ADSyncSyncCycle cmdlet with the -PolicyType Delta parameter
This PowerShell command forces an immediate synchronization between the on-premises AD and Azure AD
It can be run on the DirSync server (DirSync1)
Key points about Azure AD Connect synchronization:
Normal synchronization occurs automatically every 30 minutes by default
Delta synchronization can be forced when immediate replication is needed
The sync process is separate from regular AD replication
The proper command would be:
Start-ADSyncSyncCycle -PolicyType Delta

Question 24

Q

You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.
| Name | Role |
|—|—|
| User1 | None |
| User2 | Global administrator |
| User3 | Cloud device administrator |
| User4 | Intune administrator |
Adatum.com has the following configurations:
✑ Users may join devices to Azure AD is set to User1.
✑ Additional local administrators on Azure AD joined devices is set to None.
You deploy Windows 10 to a computer named Computer1. User1 joins Computer1 to adatum.com.
You need to identify the local Administrator group membership on Computer1.
Which users are members of the local Administrators group?

A. User1 only
B. User2 only
C. User1 and User2 only
D. User1, User2, and User3 only
E. User1, User2, User3, and User4

Answer

A

Answer: C. User1 and User2 only

Explanation:
When a Windows 10 device is joined to Azure Active Directory (Azure AD), the local Administrators group on that device gets specific user memberships by default. Let’s break this down based on the scenario:

User1 - Device Joiner:

Since “Users may join devices to Azure AD” is set to User1, they are allowed to join the device to Azure AD.
The user who joins the device to Azure AD automatically becomes a member of the local Administrators group on that device.
Thus, User1 is a local administrator on Computer1.

User2 - Global Administrator:

Global administrators in Azure AD are automatically added to the local Administrators group on any Azure AD-joined devices.
This ensures that global administrators have administrative control over all Azure AD-joined devices.
Thus, User2 is also a local administrator on Computer1.

User3 - Cloud Device Administrator:

The Cloud Device Administrator role allows management of devices in Azure AD, such as joining and deleting devices.
However, this role does not automatically grant local administrator privileges on Azure AD-joined devices.
Therefore, User3 is not a local administrator.

User4 - Intune Administrator:

The Intune Administrator role allows management of devices through Intune (device configuration, policies, etc.), but it does not grant local administrator privileges on Azure AD-joined devices.
Therefore, User4 is not a local administrator.

Summary of Local Administrators Group Membership:
User1: Joins the device → Added to the local Administrators group.
User2: Global Administrator → Automatically added to the local Administrators group.
User3 and User4: Their roles do not include local administrator rights → Not part of the group.

Question 25

Q

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?

A. From the Licenses blade, assign a new license
B. From the Directory role blade, modify the directory role
C. From the Groups blade, invite the user account to a new group

Answer

A

B. From the Directory role blade, modify the directory role

Question 26

Q

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.
Does the solution meet the goal?

A. Yes
B. No
which option is correct? why correct?

Answer

A

B: No is the correct answer.
Here’s why this solution is not the best approach:
While Start-ADSyncSyncCycle can force synchronization, using -PolicyType Initial is not the optimal choice because:
It performs a full synchronization of all objects
Takes longer to complete than necessary
Uses more system resources
Could impact performance
The better solution would be:
Start-ADSyncSyncCycle -PolicyType Delta
Copy
Insert at cursor
powershell
Key differences between Initial and Delta sync:
Initial sync:
Performs a complete synchronization of all objects
Takes longer to complete
More resource-intensive
Usually only needed for first-time setup or major changes
Delta sync:
Only synchronizes changes since the last sync
Much faster and more efficient
Uses fewer system resources
Ideal for synchronizing new or modified objects
In this scenario:
Only one new user account needs to be synchronized
A delta sync is sufficient to replicate the new user
No need for a full initial sync
Delta sync will accomplish the goal more efficiently
Therefore, while running Start-ADSyncSyncCycle with -PolicyType Initial would eventually synchronize the new user, it’s not the optimal solution. Using -PolicyType Delta is the more appropriate and efficient approach for this specific requirement.

Question 27

Q

You sign up for Azure Active Directory (Azure AD) Premium P2.
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?

A. Device settings from the Devices blade
B. Providers from the MFA Server blade
C. User settings from the Users blade
D. General settings from the Groups blade

Answer

A

A: “Device settings from the Devices blade” is the correct answer.
Here’s why:
To add an administrator for Azure AD joined devices: [1]
Navigate to Azure Active Directory in Azure portal
Go to Devices blade
Select Device settings
Under “Additional local administrators on Azure AD joined devices”
Add the user admin1@contoso.com
Why this is the correct location:
Device settings specifically controls device-related configurations
Contains the setting “Additional local administrators on Azure AD joined devices”
This setting allows you to specify users who will have local admin rights on all Azure AD joined devices
Changes apply to all future and existing Azure AD joined devices
Why other options are incorrect:
Option B (Providers from the MFA Server blade):
Related to Multi-Factor Authentication configuration
Not related to device administration rights
Cannot be used to set device administrators
Option C (User settings from the Users blade):
Manages general user-related settings
Cannot configure device-wide administrative access
Focused on user creation, licensing, and general user properties
Option D (General settings from the Groups blade):
Manages group-related settings and policies
While groups can be used for various permissions
Not the correct location for configuring device administrators
Key points:
Device settings is the specific location for managing device-related configurations
Additional local administrators setting is only available in the Devices blade
This setting affects all Azure AD joined devices
Changes apply organization-wide
Requires appropriate Azure AD Premium licensing (which is satisfied by P2 in this scenario)

Question 28

Q

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table.
Name User type On-premises sync enabled
User1 Member No
User2 Member Yes
User3 Guest No
You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the attributes from Azure AD? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer Area
JobTitle:
User1 only
User1 and User2 only
User1 and User3 only
User1, User2, and User3
UsageLocation:
User1 only
User1 and User2 only
User1 and User3 only
User1, User2, and User3
which option is correct? why?

Answer

A

JobTitle:
User1 and User3 only
UsageLocation:
User1, User2, and User3
Here’s why:
JobTitle attribute:
Can be modified for:
User1: Yes (cloud-only member user)
User2: No (synced from on-premises)
User3: Yes (guest user)
Reasoning:
For synced users (User2), JobTitle must be modified in on-premises AD first
Cloud-only users (User1) can have JobTitle modified directly in Azure AD
Guest users (User3) can have JobTitle modified in Azure AD
Synced attributes like JobTitle are mastered on-premises and can’t be modified in Azure AD
UsageLocation attribute:
Can be modified for:
User1: Yes (cloud-only member user)
User2: Yes (synced user)
User3: Yes (guest user)
Reasoning:
UsageLocation is a cloud-only attribute
Can be modified for all user types regardless of sync status
Not affected by directory synchronization
Required for assigning licenses
Can be modified directly in Azure AD for any user type
Key points:
Synced attributes for directory-synced users must be modified on-premises
Cloud-only attributes can be modified for any user type in Azure AD
Guest users can have their attributes modified in Azure AD
UsageLocation is always modifiable in Azure AD as it’s a cloud-only attribute
JobTitle for synced users must be managed through on-premises AD

Question 29

Q

DRAG DROP -
You have an Azure Active Directory (Azure AD) tenant that has the contoso.onmicrosoft.com domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Actions
Add a record to the public contoso.com
DNS zone
Add an Azure AD tenant
Configure company branding
Create an Azure DNS zone
Add a custom name
Verify the domain
Answer Area

Answer

A

The correct sequence of actions is:
Add a custom name
Add a record to the public contoso.com DNS zone [1]
Verify the domain
Here’s why this is the correct sequence:
Add a custom name:
First step is to add the custom domain (contoso.com) to Azure AD
Done through Azure AD’s “Custom domain names” section [2]
This initiates the domain verification process
Azure AD will provide the DNS record information needed for verification
Add a record to the public contoso.com DNS zone:
After adding the custom domain, Azure AD provides a TXT record
This record must be added to your domain’s DNS zone at the third-party registrar
Proves domain ownership
Usually involves adding a TXT or MX record
Verify the domain:
Final step after DNS record is added
Azure AD checks for the presence of the verification record
Confirms ownership of the domain
Once verified, you can start using @contoso.com for user accounts
Why other options are incorrect:
“Add an Azure AD tenant”:
Already exists (contoso.onmicrosoft.com is mentioned)
Not needed as part of this process
“Configure company branding”:
Not related to domain name configuration
Optional feature for customizing Azure AD login pages
“Create an Azure DNS zone”:
Not necessary since the domain is managed by a third-party registrar
Only needed if you want to manage DNS records in Azure
Key points:
The process verifies domain ownership
Allows creation of users with @contoso.com
Must have access to modify DNS records at the registrar
Sequence ensures proper verification and setup
No need for additional Azure services

Question 30

Q

You have an Azure subscription.

You create a routing table named RT1.

You need to add a route to RT1 that specifies the next hop IP address.

Which next hop type should you select?

A. Internet
B. Virtual network gateway
C. Virtual network
D. Virtual appliance
which one is correct? why?

Answer

A

The correct answer is D. Virtual appliance.
Here’s why:
When you need to specify a specific next hop IP address in an Azure route table, you must use the “Virtual appliance” next hop type. Here’s the explanation for each option:
D. Virtual appliance (CORRECT)
This is the only next hop type that allows you to specify a custom IP address
Used when you want to route traffic through a network virtual appliance (NVA) like a firewall, load balancer, or other networking device
You can specify the private IP address of the appliance in your virtual network
A. Internet (INCORRECT)
This type automatically routes traffic to the internet
You cannot specify a custom IP address
Used for routing traffic to public IP addresses
B. Virtual network gateway (INCORRECT)
Routes traffic to a VPN gateway [1]
Cannot specify a custom IP address
Used for hybrid connectivity scenarios
C. Virtual network (INCORRECT)
Routes traffic within the virtual network
Cannot specify a custom IP address
Used for routing between subnets in the same VNet
In summary, when you need to specify a next hop IP address in a route table, you must choose “Virtual appliance” as the next hop type. This is commonly used in scenarios where you want to direct traffic through a specific network appliance or service within your virtual network.

Question 31

Q

You have an Azure subscription that contains the resources shown in the following table.
Name Location Description
VNet1 East US Virtual network
Subnet1 East US Subnet on VNet1
NIC1 East US Network interface
You create a route table named RT1 in the East US Azure region.

To which resources can you associate RT1?

A. VNet1 only
B. Subnet1 only
C. VNet1 and NIC1 only
D. Subnet1 and NIC1 only
E. VNet1, Subnet1, and NIC1

Answer

A

The correct answer is B. Subnet1 only. [1]
Here’s why:
B. Subnet1 only (CORRECT)
In Azure, route tables can ONLY be associated with subnets
You cannot associate a route table directly with a virtual network (VNet) or a network interface card (NIC) [2]
Each subnet can be associated with only one route table
One route table can be associated with multiple subnets
A. VNet1 only (INCORRECT)
Route tables cannot be directly associated with virtual networks
Routing is controlled at the subnet level, not the VNet level
C. VNet1 and NIC1 only (INCORRECT)
Neither VNets nor NICs can be associated with route tables
Route tables work at the subnet level only
D. Subnet1 and NIC1 only (INCORRECT)
While Subnet1 can be associated with the route table
NICs cannot be associated with route tables
E. VNet1, Subnet1, and NIC1 (INCORRECT)
Only Subnet1 can be associated with the route table
Neither VNet1 nor NIC1 can be associated with route tables
Key Points to Remember:
Route tables in Azure are always associated with subnets
The routes in a route table apply to all resources deployed in that subnet
If you need different routing rules for specific resources, you would need to place them in different subnets with different route tables
This design follows Azure’s networking architecture where routing decisions are made at the subnet level

Question 32

Q

You plan to deploy route-based Site-to-Site VPN connections between several on-premises locations and an Azure virtual network.
Which tunneling protocol should you use?

A. IKEv1
B. PPTP
C. IKEv2
D. L2TP
which one is correct? why?

Answer

A

The correct answer is C. IKEv2.
Here’s why:
C. IKEv2 (CORRECT)
IKEv2 is the recommended protocol for route-based Site-to-Site VPN connections in Azure [1]
Benefits of IKEv2:
More secure than IKEv1
Simpler and more robust protocol
Better performance and reliability
Supports faster reconnection times
Uses fewer resources
Provides native support for modern authentication methods
Supports Always On VPN
A. IKEv1 (INCORRECT)
While IKEv1 can work with Site-to-Site VPNs, it’s an older protocol
Has known limitations and security concerns
Should only be used if your on-premises VPN device doesn’t support IKEv2
Less efficient than IKEv2
B. PPTP (INCORRECT)
Point-to-Point Tunneling Protocol is an obsolete and insecure protocol
Not supported for Site-to-Site VPN connections in Azure
Has serious security vulnerabilities
Generally used for legacy client-to-site connections
D. L2TP (INCORRECT)
Layer 2 Tunneling Protocol is typically used for client-to-site VPN connections
Not used for Azure Site-to-Site VPN connections
Usually paired with IPSec (L2TP/IPSec) for client VPN connections
Not suitable for route-based Site-to-Site VPN configurations [2]
Key Points:
For Azure Site-to-Site VPN connections, IKEv2 is the strongly recommended protocol
IKEv2 provides the best combination of security, performance, and reliability
When configuring your on-premises VPN device, ensure it supports IKEv2
Only fall back to IKEv1 if your on-premises equipment absolutely cannot support IKEv2

Question 33

Q

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using
Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Create a connection
B. Create a local site VPN gateway
C. Create a VPN gateway that uses the VpnGw1 SKU
D. Create a gateway subnet
E. Create a VPN gateway that uses the Basic SKU
which one is correct? why?

Answer

A

The correct answers are:
A. Create a connection
B. Create a local site VPN gateway
C. Create a VPN gateway that uses the VpnGw1 SKU
Why These Are Correct:
A. Create a connection:
You need to create a connection between the VPN gateway in Azure and the on-premises VPN device. This establishes the Site-to-Site VPN tunnel.
B. Create a local site VPN gateway:
A local site VPN gateway represents the on-premises VPN device in Azure. It includes the public IP address of the on-premises device and the address space of the on-premises network.
C. Create a VPN gateway that uses the VpnGw1 SKU:
You need a VPN gateway to support the Site-to-Site VPN connection. The VpnGw1 SKU is the lowest supported SKU for production scenarios, including high availability with ExpressRoute failover. Azure doesn’t allow ExpressRoute coexistence with the Basic SKU.
Why the Other Options Are Incorrect:
D. Create a gateway subnet:
This option would be correct if you were deploying the VPN gateway from scratch, but the question assumes VNet1 already exists. We can assume the gateway subnet is already in place for ExpressRoute, so this step isn’t needed again.
E. Create a VPN gateway that uses the Basic SKU:
The Basic SKU does not support coexistence with ExpressRoute, so it cannot be used in this scenario.

Question 34

Q

HOTSPOT -
You have an Azure subscription named Subscription1.
Subscription1 contains the virtual machines in the following table:

Name IP address
VM1 10.0.1.4
VM2 10.0.2.4
VM3 10.0.3.4

Subscription1 contains a virtual network named VNet1 that has the subnets in the following table:

Name Address space Connected virtual machine
Subnet1 10.0.1.0/24 VM1
Subnet2 10.0.2.0/24 VM2
Subnet3 10.0.3.0/24 VM3

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.
You create a route table named RT1 that contains the routes in the following table:

Address prefix Next hop type Next hop address
10.0.1.0/24 Virtual appliance 10.0.3.4
10.0.2.0/24 Virtual appliance 10.0.3.4

You apply RT1 to Subnet1 and Subnet2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area

Statements Yes No
VM3 can establish a network connection to VM1. ○ ○
If VM3 is turned off, VM2 can establish a network ○ ○
connection to VM1.
VM1 can establish a network connection to VM2. ○ ○
which one is correct? why?

Answer

A

Let me analyze each statement:
VM3 can establish a network connection to VM1: YES [1]
VM3 is not affected by the route table RT1
VM3 can use the default system routes to reach VM1
The route table only affects traffic originating from Subnet1 and Subnet2
If VM3 is turned off, VM2 can establish a network connection to VM1: NO
Traffic from VM2 to VM1 must go through VM3 (10.0.3.4) according to RT1
If VM3 is turned off, the virtual appliance (VM3) is not available
Without the virtual appliance working, traffic cannot be routed between VM2 and VM1
VM1 can establish a network connection to VM2: NO
RT1 is applied to both Subnet1 and Subnet2
Traffic from VM1 to VM2 must go through VM3 (10.0.3.4) according to RT1
This creates an indirect route through the virtual appliance (VM3)
The direct path between VM1 and VM2 is overridden by the custom routes in RT1
Key Points:
The route table RT1 affects traffic originating from Subnet1 and Subnet2
All traffic between Subnet1 and Subnet2 must go through VM3 (virtual appliance)
VM3 can communicate directly with other VMs as it’s not affected by RT1
When VM3 is off, routing between Subnet1 and Subnet2 fails
IP forwarding is enabled on NIC3 and routing is enabled on VM3, allowing it to function as a virtual appliance
Therefore:
Statement 1: YES
Statement 2: NO
Statement 3: NO

Question 35

Q

You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the VPN Gateway and subnets in the following table:

Subnet1 contains a virtual appliance named VM1 that operates as a router.
You create a routing table named RT1.
You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.
How should you configure RT1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer Area
Address prefix:
10.0.0.0/16
10.0.1.0/24
10.0.254.0/24

Next hop type:
Virtual appliance
Virtual network
Virtual network gateway

Assigned to:
GatewaySubnet
Subnet0
Subnet1 and Subnet2

Name | IP address range |
|—|—|
| Subnet0 | 10.0.0.0/24 |
| Subnet1 | 10.0.1.0/24 |
| Subnet2 | 10.0.2.0/24 |
| GatewaySubnet | 10.0.254.0/24 |

Answer

A

The correct configuration for RT1 should be:
First Row:
Address prefix: 10.0.0.0/16
Next hop type: Virtual appliance
Assigned to: GatewaySubnet
This is the ONLY configuration needed because:
Address prefix (10.0.0.0/16):
Covers the entire VNet1 address space
Will catch all traffic destined for any subnet in VNet1
Ensures all inbound VPN traffic is routed through VM1
Next hop type (Virtual appliance):
Routes traffic through VM1 which acts as the router
VM1 must have IP forwarding enabled
Ensures all traffic goes through the virtual appliance [1]
Assigned to (GatewaySubnet):
Must be assigned to GatewaySubnet since this is where VPN traffic enters [2]
Catches traffic as soon as it enters through the VPN gateway
Controls routing at the entry point
The other options are incorrect or unnecessary:
10.0.1.0/24 route is not needed (covered by the main route)
10.0.254.0/24 route is not needed (GatewaySubnet routing is handled automatically)
Virtual network as next hop type wouldn’t route through VM1
Virtual network gateway as next hop type would route traffic out of the VNet
Assigning to Subnet0 or Subnet1 and Subnet2 wouldn’t affect inbound VPN traffic
Requirements for this to work:
VM1 must have IP forwarding enabled on its NIC
VM1 must be properly configured for routing
VM1 must be in Subnet1 and operational
The route table must be associated with GatewaySubnet

Question 36

Q

You have an Azure subscription that contains two peered virtual networks named VNet1 and VNet2.

You have a Network Virtual Appliance (NVA) named NetVA1.

You need to ensure that the traffic from VNet1 to VNet2 is inspected by using NetVA1.

What should you use?

A. a local network gateway
B. a route table that has custom routes
C. a service endpoint
D. IP address reservations

Answer

A

B. a route table that has custom routes

Question 37

Q

HOTSPOT-
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:
Name Type Member of
User1 Member Group1
User2 Guest Group1
User3 Member None
UserA Member Group2
UserB Guest Group2
User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:
Create an access review
Access reviews enable reviewers to attest user’s membership in a group or access to an application.
*Review name Review1
Description
* Start date 2018-11-22
Frequency One time
Duration (in days) 1
End Never End by Occurrence
* Number of times 0
* End date 2018-12-22
Users
Users to review Members of a group
Scope Guest users only
Everyone
* Group Group1
Reviewers
Reviewers Group owners
Programs
Link to program Default program
Upon completion settings
Advanced settings
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
Statements Yes No
User3 can perform an access review of User1 Ο Ο
User3 can perform an access review of UserA Ο Ο
User3 can perform an access review of UserB Ο Ο

Answer

A

Access Review Configuration Recap:
Review Name: Review1
Scope: Guest users only
This means only guest users in Group1 will be included in the access review.
Group: Group1
This specifies that the scope applies to the users in Group1.
Reviewers: Group owners
The owner(s) of Group1 can perform the access review.
Group1 Owner: User3
Group2: Group2 is a member of Group1.
Table Recap of Users:
Name Type Member of
User1 Member Group1
User2 Guest Group1
User3 Member None
UserA Member Group2
UserB Guest Group2
User3 is the owner of Group1.
Group2 is a member of Group1, and Group2 includes UserA and UserB.
Statement Analysis
User3 can perform an access review of User1
No
User1 is a member of Group1, but the access review scope is for guest users only. Since User1 is not a guest user, they are not included in the review.
User3 can perform an access review of UserA
No
UserA is a member of Group2. While Group2 is a member of Group1, UserA is a member (not a guest user).
Since the scope is limited to guest users only, UserA will not be included in the access review.
User3 can perform an access review of UserB
Yes
UserB is a guest user in Group2. Since Group2 is a member of Group1, UserB inherits membership in Group1.
The scope of the access review includes guest users only in Group1, so UserB qualifies.
Additionally, User3, as the owner of Group1, is a reviewer and can perform the access review.
Final Answers:
Statements Yes No
User3 can perform an access review of User1 X
User3 can perform an access review of UserA X
User3 can perform an access review of UserB X

Question 38

Q

You have an Azure subscription that contains the resources shown in the following table.

You need to manage outbound traffic from VNET1 by using Firewall1.

What should you do first?

A. Configure the Hybrid Connection Manager.
B. Upgrade ASP1 to the Premium SKU.
C. Create a route table.
D. Create an Azure Network Watcher.

Answer

A

C. Create a route table.

Question 39

Q

Answer

A

The correct answer is D: User1 and User2 only.
Let’s analyze why:
The alert rule Alert1 uses action group AG1, which is configured to email users with the Monitoring Reader role.
Let’s examine who has the Monitoring Reader role:
User1 (directly assigned)
Principal1 (directly assigned)
Group1 (directly assigned)
User2 (inherited through Group1 membership)
Principal2 (inherited through Group1 membership)
However, when using the “Email Azure Resource Manager Role” notification type:
Only human users (User accounts) can receive email notifications
Managed identities (Principal1 and Principal2) cannot receive emails
Group members inherit the role permissions and notification capabilities
Therefore:
User1 will receive emails (direct role assignment)
User2 will receive emails (inherited role through Group1)
Principal1 and Principal2 cannot receive emails (they are managed identities)
Why other options are incorrect:
A. User1 and Principal1 only
Incorrect because Principal1 cannot receive emails
Misses User2 who inherits the role through Group1
B. User1, User2, Principal1, and Principal2
Incorrect because managed identities (Principal1 and Principal2) cannot receive emails
C. User1 only
Incorrect because it misses User2 who inherits the role through Group1
Therefore, D (User1 and User2 only) is the correct answer because:
Only human users can receive email notifications
Both User1 (direct) and User2 (inherited) have the Monitoring Reader role
Managed identities are excluded from email notifications

Question 40

Q

HOTSPOT -
You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.
Name Member of
User1 Group1
User2 Group2
User3 Group1
You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.
Name Type Users to notify
Ingress Metric User1 and User3 only
Egress Metric User1 only
Delete storage account Activity log User1, User2, and User3
Restore blob ranges Activity log User1 and User3 only
You need to identify the minimum number of alert rules and action groups required for the planned monitoring.
How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
Alert rules:
1
2
3
4
Action groups:
1
2
3
4
which option is correct in per question in answer area? why yes? why no?

Answer

A

Let’s analyze the requirements:
Signals to monitor:
Ingress (Metric) - notify User1 and User3
Egress (Metric) - notify User1 only
Delete storage account (Activity log) - notify User1, User2, and User3
Restore blob ranges (Activity log) - notify User1 and User3
Alert Rules needed: 4
Why 4?
Each signal requires its own alert rule because:
They monitor different metrics/activities
They have different conditions
They need to trigger different notifications
You can’t combine different types of signals (Metric vs Activity log) in one rule
Action Groups needed: 3
Why 3?
You need separate action groups for different notification patterns:
User1 and User3 (for Ingress and Restore blob ranges)
User1 only (for Egress)
User1, User2, and User3 (for Delete storage account)
Why not other options:
Alert Rules: [2]
1: Too few - can’t combine different signals into one rule
2: Too few - can’t combine metric and activity log alerts
3: Too few - need one rule per signal
Action Groups:
1: Too few - can’t handle different notification patterns
2: Too few - need three different combinations of users
4: Too many - only three unique combinations of users needed
Therefore, the correct answer is:
Alert rules: 4
Action groups: 3

Question 41

Q

You have an Azure subscription that contains the vaults shown in the following table.
Name Type
Recovery1 Recovery Services vault
Backup1 Azure Backup vault
You deploy the virtual machines shown in the following table.
Name Operating system Security Configuration
VM1 Windows Server Azure Disk Encryption
VM2 Linux Trusted launch
You have the backup policies shown in the following table.
Name Type In vault
Policy1 Standard Recovery1
Policy2 Enhanced Recovery2
Policy3 Not applicable Backup1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer Area
Statements Yes No
VM1 can be backed up by using Policy1.
VM2 can be backed up by using Policy3.
VM2 can be backed up by using Policy2.

Answer

A

Let me analyze each statement and explain why the answer is Yes or No:
“VM1 can be backed up by using Policy1” [1] Answer: YES
Why Yes:
VM1 is a Windows Server VM with Azure Disk Encryption
Policy1 is a Standard policy in Recovery1 (Recovery Services vault)
Recovery Services vaults support:
Windows Server VMs
VMs with Azure Disk Encryption
Standard backup policies [2]
All components are compatible and available
“VM2 can be backed up by using Policy3” Answer: YES
Why Yes:
VM2 is a Linux VM with Trusted launch
Policy3 is in Backup1 (Azure Backup vault)
Azure Backup vaults support:
Linux VMs
Trusted launch enabled VMs
All required components exist and are compatible
“VM2 can be backed up by using Policy2” Answer: NO
Why No:
Policy2 is specified to be in Recovery2 vault
Looking at the vault table, Recovery2 vault doesn’t exist
Only Recovery1 and Backup1 vaults are available
Cannot use a backup policy from a non-existent vault
The policy type (Enhanced) is irrelevant since the vault doesn’t exist

Question 42

Q

You have an Azure subscription that contains the vaults shown in the following table.

You create a storage account that contains the resources shown in the following table.

To which vault can you back up cont1 and share1? To answer, select the appropriate options in the answer area.
NOTE: Each correct answer is worth one point.

Answer Area

cont1:
Backup1 only
Recovery1 only
Backup1 or Recovery1
Cannot be backed up to Backup1 or Recovery1

share1:
Backup1 only
Recovery1 only
Backup1 or Recovery1
Cannot be backed up to Backup1 or Recovery1

| Name | Type |

Answer

A

cont1: Recovery1 only
share1: Recovery1 only

Question 43

Q

HOTSPOT -
You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1.
You create a backup policy named Policy1 as shown in the exhibit. (Click the Exhibit tab.)
Policy1
Associated items
Delete Save X Discard
Backup schedule
*Frequency
*Time
*Timezone
Daily
2:00 AM
(UTC) Coordinated Universal Time
Retention range
Retention of daily backup point.
At
For
2:00 AM
5
Day(s)
Retention of weekly backup point.
On
At
For
Sunday
2:00 AM
20
Week(s)
Retention of monthly backup point.
Week Based Day Based
On
At
For
2
2:00 AM
24
Month(s)
Retention of yearly backup point.
Week Based Day Based
In
On
At
For
January
9
2:00 AM
5
Year(s)
You configure the backup of VM1 to use Policy1 on Thursday, January 1 at 1:00 AM.
You need to identify the number of available recovery points for VM1.
How many recovery points are available on January 8 and January 15? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
January 8 at 2:00 PM (14:00):
5
6
8
9
January 15 at 2:00 PM (14:00):
5
8
17
19
which option is correct in per question in answer area? why?

Answer

A

For January 8 at 2:00 PM:
Answer: 6 recovery points
Why:
Policy started January 1 at 1:00 AM
Daily backups occur at 2:00 AM
By January 8 at 2:00 PM, we have:
January 4 backup (within 5-day retention)
January 5 backup
January 6 backup
January 7 backup
January 8 backup
January 5 weekly backup (Sunday) Total: 6 recovery points
For January 15 at 2:00 PM:
Answer: 8 recovery points
Why:
By January 15, we have:
January 11 backup (within 5-day retention)
January 12 backup
January 13 backup
January 14 backup
January 15 backup
January 5 weekly backup (Sunday)
January 12 weekly backup (Sunday)
January 2 monthly backup (on 2nd of month) Total: 8 recovery points
Why other options are incorrect:
For January 8:
5: Misses the weekly backup
8: Too many points for this early date
9: Too many points for this early date
For January 15:
5: Too few points, misses weekly and monthly backups
17: Too many points, exceeds retention policy
19: Too many points, exceeds retention policy
The calculation considers:
Daily backup retention (5 days)
Weekly backup retention (20 weeks)
Monthly backup retention (24 months)
Yearly backup retention (5 years)

Question 44

Q

Your company’s Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.
One of the VMs is backed up every day using Azure Backup Instant Restore.
When the VM becomes infected with data encrypting ransomware, you are required to restore the VM.
Which of the following actions should you take?

A. You should restore the VM after deleting the infected VM.
B. You should restore the VM to any VM within the company’s subscription.
C. You should restore the VM to a new Azure VM.
D. You should restore the VM to an on-premise Windows device.
which option is correct? why correct?

Answer

A

The correct answer is C: You should restore the VM to a new Azure VM.
Why this is correct:
Security Best Practices:
When dealing with ransomware infections, it’s recommended to restore to a new VM
This ensures a clean environment without any potential remnants of the infection
Reduces the risk of reinfection from any persistent malware
Azure Backup Capabilities:
Azure Backup supports creating a new VM during restore
This is a built-in feature specifically designed for such scenarios
Maintains all the configurations while providing a fresh instance
Data Protection:
Creating a new VM ensures the backup data isn’t compromised
Provides isolation from the infected environment
Allows for testing the restored VM before replacing production workloads [1]
Why other options are incorrect:
A. “Restore the VM after deleting the infected VM”
Not necessary to delete the infected VM first
Could lose valuable forensic information
Adds unnecessary steps to the recovery process
B. “Restore the VM to any VM within the company’s subscription”
Risky to restore to an existing VM
Could potentially spread the infection
May cause conflicts with existing configurations
D. “Restore the VM to an on-premise Windows device”
Azure Backup is designed to restore within Azure
Would require additional complexity and tools
Not a supported direct restore option
Could cause compatibility issues
Best practices for ransomware recovery:
Create a new VM
Verify the restored data
Scan for malware
Ensure security measures are in place
Migrate workloads once verified clean

Question 45

Q

A. Delete VM1
B. Stop VM1
C. Stop the backup of SQLDB01
D. Delete sa001

Answer

A

The correct answer is C: Stop the backup of SQLDB01
Why this is correct:
Recovery Services Vault Behavior:
When a database is backed up to a Recovery Services vault, it creates a backup protection policy
This protection policy creates a soft lock on both the resource and the resource group
You cannot delete a resource group that contains a Recovery Services vault with active backup items
Deletion Process Requirements:
Before deleting a resource group containing a Recovery Services vault
You must first stop/disable backup and delete backup data
This removes the soft lock on the resources
Order of Operations:
Stop the backup of SQLDB01
Delete the backup data
Then you can proceed with deleting RG26
Why other options are incorrect:
A. “Delete VM1”
Not necessary as the primary blocker
VM deletion alone won’t resolve the backup lock issue
The Recovery Services vault protection is the main blocker
B. “Stop VM1”
Stopping the VM doesn’t affect backup policies
Doesn’t remove the soft lock from the Recovery Services vault
Won’t allow resource group deletion
D. “Delete sa001”
Storage account isn’t preventing the resource group deletion
Doesn’t address the backup protection issue
Can be deleted as part of resource group deletion
Best practice steps to delete RG26:
Stop backup and delete backup data for SQLDB01
Remove the backup policy from RGV1
Delete the Recovery Services vault
Then proceed with deleting RG26
This ensures proper cleanup of backup dependencies before resource group deletion.

Question 46

Q

You have an Azure subscription that contains the storage accounts shown in the following table.

The subscription contains the vaults shown in the following table.

The subscription contains the Azure Virtual Desktop host pools shown in the following table.

NOTE: Each correct selection is worth one point.
The FSlogix user profiles in Pool1 can be backed up to Vault1? yes/no
The FSlogix user profiles in Pool2 can be backed up to Vault2? yes/no
P3-0 can be backed up to Vault4? yes/no
which option is correct? why yes? why no?

Answer

A

Let me analyze each statement:
“The FSlogix user profiles in Pool1 can be backed up to Vault1” Answer: NO
Why No:
Pool1 uses share1 in storage1, which is in West US
Vault1 is in East US
Azure File Shares must be backed up to a vault in the same region
Cross-region backup is not supported for Azure Files
“The FSlogix user profiles in Pool2 can be backed up to Vault2” Answer: YES
Why Yes:
Pool2 uses share2 in storage2, which is in West US
Vault2 is also in West US
Recovery Services vaults can back up Azure File Shares
Same region requirement is met
“P3-0 can be backed up to Vault4” Answer: YES
Why Yes:
P3-0 is a session host (VM) in West US
Vault4 is a Backup vault in West US
Azure Backup vaults can back up virtual machines
Both resources are in the same region
Azure Backup vaults support VM backups
Key considerations:
Region matching is required for backups
Recovery Services vaults and Backup vaults can both protect VMs
Azure File Shares must be backed up to vaults in the same region
The type of vault (Recovery Services or Backup) must support the resource type being backed up

Question 47

Q

A. storage1 only
B. storage1 and storage2 only
C. storage3 and storage4 only
D. storage1, storage2, and storage3 only
E. storage1, storage2, storage3, and storage4
Which option is correct? why correct?

Answer

A

The correct answer is D: storage1, storage2, and storage3 only
Why this is correct:
Storage1 (StorageV2, Standard):
Supports lifecycle management rules
General-purpose v2 (StorageV2) accounts fully support blob lifecycle management
Can manage both standard and premium performance tiers
Storage2 (BlobStorage, Standard):
Supports lifecycle management rules
Blob storage accounts are specifically designed for blob storage
Lifecycle management is a key feature for blob storage [1]
Storage3 (BlockBlobStorage, Premium):
Supports lifecycle management rules
Premium block blob storage accounts support lifecycle management
Can manage premium block blobs
Why storage4 is excluded:
FileStorage with Premium performance is for Azure Files
Lifecycle management rules are not supported on Azure Files storage accounts
Only applies to blob storage
Why other options are incorrect:
A. “storage1 only”
Too restrictive
Excludes other valid storage account types that support lifecycle management
B. “storage1 and storage2 only”
Misses storage3 which also supports lifecycle management
BlockBlobStorage accounts can use lifecycle management
C. “storage3 and storage4 only”
Incorrectly includes storage4 (FileStorage)
Excludes storage1 and storage2 which support lifecycle management
E. “storage1, storage2, storage3, and storage4”
Incorrectly includes storage4
FileStorage accounts don’t support lifecycle management rules
Lifecycle Management Rules can:
Move data between tiers
Delete expired data
Manage blob versions
Delete blob snapshots
Optimize storage costs
Key Points:
Lifecycle management is primarily for blob storage
Works with both standard and premium performance tiers
Not supported on FileStorage accounts
Available for general-purpose v2, blob storage, and premium block blob storage accounts

Brainscape's Knowledge GenomeTM

test11 Flashcards

Brainscape's Knowledge Genome^TM