test12 Flashcards
Your company has an Azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Resource Group blade.
Does the solution meet the goal?
A. Yes
B. No
A. Yes
Your company has an Azure subscription that includes a storage account, a resource group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Container blade.
Does the solution meet the goal?
A. Yes
B. No
B. No
Your company has a Microsoft Azure subscription.
The company has datacenters in Los Angeles and New York.
You are configuring the two datacenters as geo-clustered sites for site resiliency.
You need to recommend an Azure storage redundancy option.
You have the following data storage requirements:
✑ Data must be stored on multiple nodes.
✑ Data must be stored on nodes in separate geographic locations.
✑ Data can be read from the secondary location as well as from the primary location.
Which of the following Azure storage redundancy options should you recommend?
A. Geo-redundant storage
B. Read-only geo-redundant storage
C. Zone-redundant storage
D. Locally redundant storage
B. Read-only geo-redundant storage
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premises Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You restart the NetLogon service on a domain controller.
Does the solution meet the goal?
A. Yes
B. No
B. No
Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.
Which of the following actions should you take?
A. You should only stop one of the VMs.
B. You should stop two of the VMs.
C. You should stop all three VMs.
D. You should remove the necessary VM from the availability set.
C. You should stop all three VMs.
HOTSPOT
You have an Azure Storage account named storage1 that contains a blob container. The blob container has a default access tier of Hot. Storage1 contains a container named container1.
You create lifecycle management rules in storage1 as shown in the following table.
You perform the actions shown in the following table.
| Date | Action |
|---|---|
| October 1 | Upload three files named Dep1File1.docx, File2.docx, and File3.docx to container1. |
| October 2 | Edit Dep1File1.docx and File3.docx. |
| October 5 | Edit File2.docx. |
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
| Statements | Yes | No |
|---|---|---|
| On October 10, you can read Dep1File1.docx. | ○ | ○ |
| On October 10, you can read File2.docx. | ○ | ○ |
| On October 10, you can read File3.docx. | ○ | ○ |
| Name | Rule scope | Blob type | Blob subtype | Rule block | Prefix match |
|---|---|---|---|---|---|
| Rule1 | Limit blobs by using filters. | Block blobs | Base blobs | If base blobs were not modified for two days, move to archive storage. <br> If base blobs were not modified for nine days, delete the blob. | container1/Dep1 |
| Rule2 | Apply to all blobs in storage1. | Block blobs | Base blobs | If base blobs were not modified for three days, move to cool storage. <br> If base blobs were not modified for nine days, move to archive storage. | Not applicable |
Let me analyze each file’s status on October 10 based on the rules and actions:
“On October 10, you can read Dep1File1.docx” Answer: NO
Why:
File is in container1/Dep1 path (matches Rule1)
Last modified on October 2
Rule1: After 2 days of no modification → moves to archive storage
By October 10, it’s been 8 days since last modification
File is in archive tier
Archive tier requires rehydration before reading
Cannot directly read archived files
“On October 10, you can read File2.docx” Answer: YES
Why:
File is not in Dep1 path (only Rule2 applies)
Last modified on October 5
Rule2: After 3 days → cool storage
By October 10, it’s been 5 days
File is in cool storage tier
Cool storage allows immediate read access
“On October 10, you can read File3.docx” Answer: YES
Why:
File is not in Dep1 path (only Rule2 applies)
Last modified on October 2
Rule2: After 3 days → cool storage
By October 10, it’s been 8 days
File is in cool storage tier
Cool storage allows immediate read access
Key Points:
Archive tier requires rehydration before reading
Cool tier allows immediate read access
Rule1 takes precedence for files in container1/Dep1
Rule2 applies to all other files
Time calculations are based on last modification date
You have an Azure subscription that contains the storage accounts shown in the following table.
| Name | Kind | Redundancy |
|---|---|---|
| storage1 | StorageV2 | Geo-zone-redundant storage (GZRS) |
| storage2 | BlobStorage | Read-access geo-redundant storage (RA-GRS) |
| storage3 | BlockBlobStorage | Zone-redundant storage (ZRS) |
You need to identify which storage accounts support lifecycle management, and which storage accounts support moving data to the Archive access tier.
Which storage accounts should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer Area
Lifecycle management:
storage1 only
storage2 only
storage1 and storage3 only
storage2 and storage3 only
storage1, storage2, and storage3
The Archive access tier:
storage1 only
storage2 only
storage1 and storage3 only
storage2 and storage3 only
storage1, storage2, and storage3
Which option is correct for each question in the answer area? Why is it correct?
- Lifecycle Management
Lifecycle management allows for automatic management of data lifecycle policies, including transitioning data between access tiers (e.g., Hot, Cool, Archive) and deleting data after a specified period.
Support for lifecycle management is as follows:
StorageV2: Supports lifecycle management.
BlobStorage: Supports lifecycle management.
BlockBlobStorage: Does not support lifecycle management.
From the table:
storage1 → StorageV2 → Supports lifecycle management ✅
storage2 → BlobStorage → Supports lifecycle management ✅
storage3 → BlockBlobStorage → Does not support lifecycle management ❌
Thus, the correct answer for lifecycle management is:
storage1 and storage2 only
- Archive Access Tier
The Archive access tier is used to store data that is rarely accessed and has very low storage costs but high retrieval costs.
Support for the Archive access tier is as follows:
StorageV2: Supports the Archive access tier.
BlobStorage: Supports the Archive access tier.
BlockBlobStorage: Supports the Archive access tier.
From the table:
storage1 → StorageV2 → Supports Archive access tier ✅
storage2 → BlobStorage → Supports Archive access tier ✅
storage3 → BlockBlobStorage → Supports Archive access tier ✅
Thus, the correct answer for Archive access tier is:
storage1, storage2, and storage3
Final Answer
Lifecycle management: storage1 and storage2 only
Archive access tier: storage1, storage2, and storage3
You have an Azure subscription. The subscription contains a storage account named storage1 that has the lifecycle management rules shown in the following table.
On June 1, you store two blobs in storage1 as shown in the following table.
| Name | Location | Access tier |
|---|---|---|
| File1 | container1 | Hot |
| File2 | container2 | Hot |
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer Area
Statements
On June 6, File1 will be stored in the Cool access tier.
On June 1, File2 will be stored in the Cool access tier.
On June 16, File2 will be stored in the Archive access tier.
Which option is correct for each statement in the answer area? Why yes? Why no?
| Name | Blob prefix | If base were last modified more than (days ago) | Then |
|---|---|---|---|
| Rule1 | container1/ | 3 days | Move to archive storage |
| Rule2 | Not applicable | 5 days | Move to cool storage |
| Rule3 | container2/ | 10 days | Delete the blob |
| Rule4 | container2/ | 15 days | Move to archive storage |
Let me help you analyze each statement based on the lifecycle management rules:
“On June 6, File1 will be stored in the Cool access tier.”
Answer: NO
Explanation:
File1 is in container1
Rule1 applies to container1/ and moves blobs to archive storage after 3 days
Rule2 (move to cool after 5 days) applies to all containers, but Rule1 will execute first
By June 6 (5 days later), File1 would already be in archive storage (moved there on June 4 by Rule1)
“On June 1, File2 will be stored in the Cool access tier.”
Answer: NO
Explanation:
This is the same day the file was stored
No lifecycle rules would trigger immediately
The file remains in its original Hot tier on the day it was created
“On June 16, File2 will be stored in the Archive access tier.”
Answer: NO
Explanation:
File2 is in container2
Rule3 applies to container2/ and deletes blobs after 10 days
Rule4 applies to container2/ and moves to archive after 15 days
By June 16 (15 days later), File2 would have already been deleted by Rule3 on June 11
Therefore, it cannot be moved to archive storage as it no longer exists
The key to understanding these answers is that:
Rules are evaluated in chronological order based on the number of days
Once a rule takes action on a blob, subsequent rules cannot affect it
If a blob is deleted by a rule, it cannot be affected by later rules
HOTSPOT
Overview
ADatum Corporation is a consulting firm that has a main office in Montreal and branch offices in Seattle and New York.
Existing Environment
Azure Environment
ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.
The subscription contains the storage accounts shown in the following table.
| Name | Kind | Location | Hierarchical namespace | Container | File share |
|---|---|---|---|---|---|
| storage1 | StorageV2 | West US | Yes | cont1 | share1 |
| storage2 | StorageV2 | West US | No | cont2 | share2 |
The subscription contains the virtual machines shown in the following table.
| Name | Size | Operating system | Description |
|---|---|---|---|
| VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks |
| VM2 | A | Windows Server 2022 | Has a basic volume |
| VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses a standard SSDs |
| VM4 | M | Windows Server 2022 | Uses Write Accelerator disks |
| VM5 | E | Windows Server 2022 | Has a dynamic volume |
The subscription has an Azure container registry that contains the images shown in the following table.
| Name | Operating system |
|---|---|
| Image1 | Windows Server |
| Image2 | Linux |
The subscription contains the resources shown in the following table.
| Name | Description | In resource group |
|---|---|---|
| Workspace1 | Log Analytics workspace | RG1 |
| WebApp1 | Azure App Service web app | RG1 |
| VNet1 | Virtual network | RG2 |
| zone1.com | Azure Private DNS zone | RG3 |
The subscription contains an Azure key vault named Vault1.
Vault1 contains the certificates shown in the following table.
| Name | Content type | Key type | Key size |
|---|---|---|---|
| Cert1 | PKCS#12 | RSA | 2048 |
| Cert2 | PKCS#12 | RSA | 4096 |
| Cert3 | PEM | RSA | 2048 |
| Cert4 | PEM | RSA | 4096 |
Vault1 contains the keys shown in the following table.
| Name | Type | Description |
|---|---|---|
| Key1 | RSA | Has a key size of 4096 |
| Key2 | EC | Has Elliptic curve name set to P-256 |
ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.
| Name | Microsoft Entra role | Azure role |
|---|---|---|
| Admin1 | Global Administrator | None |
| Admin2 | Attribute Definition Administrator | None |
| Admin3 | Attribute Assignment Administrator | None |
| User1 | None | Reader for RG2 and RG3 |
The tenant contains the groups shown in the following table.
| Name | Type |
|---|---|
| Group1 | Security group |
| Group2 | Microsoft 365 group |
The adatum.com tenant has a custom security attribute named Attribute1.
ADatum plans to implement the following changes:
- Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
- In storage1, create a new container named cont2 that has the following access policies:
  - Three stored access policies named Stored1, Stored2, and Stored3
  - A legal hold for immutable blob storage
- Whenever possible, use directories to organize storage account content.
- Grant User1 the permissions required to link Zone1 to VNet1.
- Assign Attribute1 to supported adatum.com resources.
- In storage2, create an encryption scope named Scope1.
- Deploy new containers by using Image1 or Image2.

ADatum must meet the following technical requirements:
- Use TLS for WebApp1.
- Follow the principle of least privilege.
- Grant permissions at the required scope only.
- Ensure that Scope1 is used to encrypt storage services.
- Use Azure Backup to back up cont1 and share1 as frequently as possible.
- Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.
You implement the planned changes for cont2
HOTSPOT
After implementing the planned changes for DCR1, which event types will be collected from VM4?
Answer Area
All System events
Only System events with ID 4648
All Security events
Only Security events with ID 4648
Only System events with ID 4648
HOTSPOT
Which Microsoft Entra role must be assigned to Admin2 to manage Attribute1?
Answer Area
Global Administrator
Attribute Definition Administrator
Attribute Assignment Administrator
Security Administrator
Attribute Definition Administrator
HOTSPOT
What is the minimum Azure role needed for User1 to link Zone1 to VNet1?
Answer Area
Private DNS Zone Contributor
Network Contributor
DNS Zone Contributor
Private DNS Zone Administrator
Private DNS Zone Contributor
HOTSPOT
Which encryption type must be used for the virtual machines that support Azure Disk Encryption with KEK?
Answer Area
Server-side encryption
Client-side encryption
Double encryption
Infrastructure encryption
Server-side encryption
HOTSPOT
What is the maximum backup frequency available for cont1 in storage1 using Azure Backup?
Answer Area
Every 4 hours
Every 6 hours
Every 12 hours
Every 24 hours
Every 4 hours
HOTSPOT
Which certificate from Vault1 should be used for WebApp1’s TLS configuration?
Answer Area
Cert1
Cert2
Cert3
Cert4
Cert2 (4096-bit RSA provides stronger security)
HOTSPOT
Overview
ADatum Corporation is consulting firm that has a main office in Montreal and branch offices in Seattle and New York.
Existing Environment
Azure Environment
ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3.
The subscription contains the storage accounts shown in the following table.
Name Kind Location Hierarchical namespace Container File share
storage1 StorageV2 West US Yes cont1 share1
storage2 StorageV2 West US No cont2 share2
The subscription contains the virtual machines shown in the following table.
Name | Size | Operating system | Description
VM1 | A | Red Hat Enterprise Linux (RHEL) | Uses ephemeral OS disks
VM2 | A | Windows Server 2022 | Has a basic volume
VM3 | B | Red Hat Enterprise Linux (RHEL) | Uses standard SSDs
VM4 | M | Windows Server 2022 | Uses Write Accelerator disks
VM5 | E | Windows Server 2022 | Has a dynamic volume
The subscription has an Azure container registry that contains the images shown in the following table.
Name | Operating system
Image1 | Windows Server
Image2 | Linux
The subscription contains the resources shown in the following table.
Name | Description | In resource group
Workspace1 | Log Analytics workspace | RG1
WebApp1 | Azure App Service web app | RG1
VNet1 | Virtual network | RG2
zone1.com | Azure Private DNS zone | RG3
The subscription contains an Azure key vault named Vault1.
Vault1 contains the certificates shown in the following table.
Name | Content type | Key type | Key size
Cert1 | PKCS#12 | RSA | 2048
Cert2 | PKCS#12 | RSA | 4096
Cert3 | PEM | RSA | 2048
Cert4 | PEM | RSA | 4096
Vault1 contains the keys shown in the following table.
Name | Type | Description
Key1 | RSA | Has a key size of 4096
Key2 | EC | Has Elliptic curve name set to P-256
ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table.
Name | Microsoft Entra role | Azure role
Admin1 | Global Administrator | None
Admin2 | Attribute Definition Administrator | None
Admin3 | Attribute Assignment Administrator | None
User1 | None | Reader for RG2 and RG3
The tenant contains the groups shown in the following table.
Name | Type
Group1 | Security group
Group2 | Microsoft 365 group
The adatum.com tenant has a custom security attribute named Attribute1.
ADatum plans to implement the following changes:
Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4.
In storage1, create a new container named cont2 that has the following access policies:
o Three stored access policies named Stored1, Stored2, and Stored3
o A legal hold for immutable blob storage
Whenever possible, use directories to organize storage account content.
Grant User1 the permissions required to link Zone1 to VNet1.
Assign Attribute1 to supported adatum.com resources.
In storage2, create an encryption scope named Scope1.
Deploy new containers by using Image1 or Image2.
ADatum must meet the following technical requirements:
Use TLS for WebApp1.
Follow the principle of least privilege.
Grant permissions at the required scope only.
Ensure that Scope1 is used to encrypt storage services.
Use Azure Backup to back up cont1 and share1 as frequently as possible.
Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.
You implement the planned changes for cont2
HOTSPOT What is required to implement the encryption scope Scope1 in storage2? Answer Area
StorageV2 account type
Premium performance tier
Hierarchical namespace disabled
Hierarchical namespace enabled
Hierarchical namespace disabled
HOTSPOT Which virtual machines can be encrypted using Azure Disk Encryption with KEK? Select all that apply:
VM1
VM2
VM3
VM4
VM5
VM2, VM3, VM5 (Windows Server and standard Linux VMs)
HOTSPOT What is the minimum role required to deploy containers using Image1 and Image2? Answer Area
AcrPull
AcrPush
AcrDelete
AcrImageSigner
AcrPull
HOTSPOT Which storage account feature must be enabled to organize content using directories? Answer Area
Blob versioning
Hierarchical namespace
Soft delete
Change feed
Hierarchical namespace
You need to grant User1 the permissions required to link zone1.com to VNet1.
Question: What is the minimum Azure role you need to assign to User1, and at what scope should it be assigned to follow the principle of least privilege?
Answer Area:
Role:
DNS Zone Contributor
Network Contributor
Virtual Machine Contributor
Reader
Scope:
RG1
RG2
RG3
Subscription
Granting User1 Permissions to Link zone1.com to VNet1
Answer:
Role: DNS Zone Contributor
Scope: RG3
Explanation:
Linking a Private DNS Zone to a Virtual Network requires the DNS Zone Contributor role.
Since zone1.com is in RG3, the role should be assigned at the RG3 scope to follow the principle of least privilege. Assigning at a higher scope (e.g., subscription) would violate least privilege.