test6 Flashcards

Question

A company plans to use third-party application software to perform complex data analysis processes. The software will use up to 500 identical virtual machines (VMs) based on an Azure Marketplace VM image. You need to design the infrastructure for the third-party application server. The solution must meet the following requirements: – The number of VMs that are running at any given point in time must change when the user workload changes. – When a new version of the application is available in Azure Marketplace it must be deployed without causing application downtime. – Use VM scale sets. – Minimize the need for ongoing maintenance. Which two technologies should you recommend? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. single placement group single storage account managed disks autoscale

Answer 1

Let's analyze each option in the context of the requirements: Single placement group: Purpose: Placement groups in VM scale sets control the physical placement of VMs. They can be either single or regional. Single placement groups limit the scale set to a single fault domain and upgrade domain within a region. While they can be used for scenarios requiring low latency and tight proximity within a scale set, they don't directly address the requirements of autoscaling, zero-downtime deployments for application updates, or minimizing maintenance in the context of this specific question. Relevance to Requirements: Indirectly related to availability within a single region, but not directly to scaling, zero-downtime updates, or minimizing maintenance in the way the question is framed. Single storage account: Purpose: In older (unmanaged disk) VM scale sets, you would need to manage storage accounts for VM disks. However, with managed disks, Azure handles the storage account management. Recommending a "single storage account" is not directly relevant to the requirements in the context of modern VM scale sets using managed disks. In fact, for very large scale sets, Azure might distribute disks across multiple storage accounts under the hood for scalability and performance. With managed disks, the user doesn't need to manage storage accounts directly. Relevance to Requirements: Not directly relevant, and less so with managed disks being the best practice. Managed disks: Purpose: Managed disks simplify disk management for Azure VMs and VM scale sets. They handle storage account creation and management in the background, providing better reliability, scalability, and management compared to unmanaged disks. Using managed disks minimizes the need for ongoing maintenance related to storage accounts, as Azure handles this. Relevance to Requirements: Directly contributes to minimizing ongoing maintenance by abstracting away storage account management. Also, managed disks are a prerequisite for many advanced VM scale set features, including autoscale and easier updates. Autoscale: Purpose: Autoscale is a core feature of VM scale sets that allows the number of VMs to be automatically adjusted based on metrics (like CPU utilization, memory, custom metrics) or a schedule. This directly addresses the requirement for the number of VMs to change with user workload. Autoscale also helps minimize ongoing maintenance by automating the scaling process, reducing the need for manual intervention to adjust VM counts. Furthermore, rolling upgrades (for zero-downtime deployments) are often triggered or work in conjunction with autoscaling to manage capacity during updates. Relevance to Requirements: Directly addresses scaling based on workload and minimizes ongoing maintenance by automating scaling. Indirectly related to zero-downtime deployments as scaling is often part of deployment strategies. Conclusion: The two technologies that best address the requirements are: Managed disks: Minimizes ongoing maintenance related to storage management and is a best practice for VM scale sets. Autoscale: Directly addresses the dynamic scaling requirement and minimizes manual maintenance related to scaling. While neither option directly and completely solves the zero-downtime deployment of Marketplace application updates on its own, using Managed disks is a foundational best practice for modern VM scale sets, and Autoscale is critical for dynamically adjusting resources based on workload and managing the scale set efficiently, which are key components of a well-designed, maintainable, and scalable infrastructure. Rolling upgrades within VM Scale Sets, often used for zero-downtime updates, rely on these underlying technologies. Final Answer: The final answer is managed disks and autoscale.

Answer 2

The correct answer is Implement a virtual network service endpoint. Here's why: Virtual Network Service Endpoints: Purpose: Virtual network service endpoints are the recommended way to secure Azure service resources to only your virtual network. They extend your virtual network private address space and the identity of your virtual network to the Azure services over a direct connection. Azure Backbone Network: When you use service endpoints, traffic from your virtual network to the Azure service (in this case, Azure Storage) travels over the Azure backbone network. This provides optimized routing, security, and performance compared to going over the public internet. Security: Service endpoints also enable you to secure your Azure Storage account (contososa1) to only allow traffic originating from the specified subnet (Subnet1). This is achieved through the Storage Account's firewall settings, which you configure after enabling the service endpoint. Modify the Firewalls and virtual networks settings for contososa1: While you will need to modify the "Firewalls and virtual networks settings" of the storage account, this is a subsequent step to enabling service endpoints. Simply modifying these settings without enabling a service endpoint on the subnet will not ensure that the traffic uses the Azure backbone network. This option is incomplete as a standalone solution. Create a stored access policy for contososa1: Stored access policies are used to generate Shared Access Signature (SAS) tokens. SAS tokens are for granting delegated access to storage resources with specific permissions and for a defined period. They are related to authentication and authorization, not to network connectivity or ensuring traffic traverses the Azure backbone network. SAS tokens do not address the requirement. Remove the Azure firewall: Removing the Azure firewall is a security risk and is not the correct approach. The Azure firewall is designed to enhance network security, not hinder access to storage from within the virtual network when properly configured. Removing it is counterproductive and does not help achieve the requirement of backbone network access in a secure manner. In summary: To ensure contososa1 is accessible from Subnet1 over the Azure backbone network, the fundamental step is to Implement a virtual network service endpoint for Azure Storage on Subnet1. After this, you would then configure the "Firewalls and virtual networks settings" of contososa1 to allow access from Subnet1. Final Answer: The final answer is Implement a virtual network service endpoint.

Answer 3

To meet the requirements of running PowerShell scripts on OS updates for 100 VMs while minimizing implementation time and recurring costs, we need to leverage Azure services that provide automation and monitoring capabilities. Let's evaluate each option: an alert action group: Purpose: Action groups in Azure Monitor are used to define a collection of actions to perform when an alert is triggered. Actions can include sending notifications, calling webhooks, and crucially, running Azure Automation runbooks. Relevance: This is a crucial component. We will need an action group to connect the alert (detecting OS updates) to the execution of the PowerShell scripts (validation scripts). Action groups are designed for automating responses to alerts. an Azure Monitor query: Purpose: Azure Monitor queries (typically Log Analytics queries) are used to retrieve and analyze data collected by Azure Monitor, such as logs and metrics. You can use queries to identify specific events or conditions within your Azure environment. Relevance: While an Azure Monitor query itself doesn't directly run scripts, it's essential for defining the condition that triggers the script execution. We would use a query to detect OS update events in the Azure Activity Log or other relevant logs. This query would then be used as the basis for an alert rule. However, as a standalone resource for implementing the scripts, it's less direct than other options. The alert rule is the resource that uses the query and triggers actions. an Azure Automation runbook: Purpose: Azure Automation runbooks allow you to automate tasks in Azure and hybrid environments using PowerShell or Python. Relevance: This is the core component for running the PowerShell validation scripts. The runbook will contain the PowerShell scripts that validate the VM environment. We will trigger this runbook when an OS update is detected. a virtual machine that has network access to the 100 virtual machines: Purpose: A VM could be used as a jump box or control machine to manually run scripts against the 100 VMs. Relevance: This option is not suitable for automated script execution based on OS updates and does not minimize implementation time or recurring costs. It would require manual scheduling or complex custom scripting to detect OS updates and trigger scripts, adding to implementation time and ongoing management overhead. It also incurs costs for running the VM continuously. The requirement is for an automated solution, making this option less desirable. an alert rule: Purpose: Azure Monitor alert rules are used to detect specific conditions in your Azure environment based on metrics, logs, or activity log events. When the condition is met, the alert rule triggers defined actions. Relevance: This is essential. We will need an alert rule to monitor for OS update events on the virtual machines. The alert rule will use a condition (possibly based on an Azure Monitor query that detects OS update events in activity logs) and be configured to trigger the action group (which in turn runs the Automation Runbook). The Three Essential Resources: To implement the automated PowerShell script execution upon OS updates with minimal implementation time and recurring costs, the three core resources are: an alert action group: To define the action of running the Automation Runbook when an alert is triggered. an Azure Automation runbook: To contain and execute the PowerShell validation scripts. an alert rule: To monitor for OS update events and trigger the action group when an update occurs. These three resources work together to create an automated, serverless, and cost-effective solution. While an Azure Monitor query is implicitly needed to define the alert condition, the alert rule is the resource that directly triggers the action based on that condition. Final Answer: The final answer is: an alert action group an Azure Automation runbook an alert rule

Answer 4

The correct answer is: Run Azure AD Connect and disable staging mode. Explanation: Here's why this is the correct solution and why the other options are incorrect: Run Azure AD Connect and disable staging mode. (Correct) Staging Mode Behavior: When Azure AD Connect is configured in staging mode, it is designed to be a passive server. This means it performs import and synchronization operations, but it does not export changes to Azure AD. This is by design for staging mode, allowing you to test configurations or have a backup server without actively synchronizing. Synchronization Service Manager in Staging Mode: In staging mode, you might see import and synchronization operations in the Synchronization Service Manager, but export operations will be skipped, and you might not see the typical "sync jobs" that indicate active synchronization to Azure AD. The lack of sync jobs in the description strongly suggests staging mode is the cause. Disabling Staging Mode: To make the Azure AD Connect server active and allow it to synchronize changes to Azure AD, you must disable staging mode. This is the primary purpose of staging mode - to be turned on for specific scenarios and off for active synchronization. From Synchronization Service Manager, run a full import. (Incorrect) Full Import Purpose: A full import is used to refresh the connector space with all objects from the connected directories (Active Directory and Azure AD). While a full import might be necessary after certain configuration changes or if data is inconsistent, it does not override staging mode. If staging mode is enabled, even after a full import, the export step (which synchronizes changes to Azure AD) will still be skipped. Running a full import alone will not resolve the issue of no sync jobs being displayed because the core problem is staging mode being active. Run Azure AD Connect and set the SSO method to Pass-through Authentication. (Incorrect) SSO Method Irrelevance: The SSO method (Password Hash Synchronization, Pass-through Authentication, or Federation) is a separate configuration from staging mode. Changing the SSO method will not disable staging mode or cause synchronization to start if staging mode is enabled. Password hash synchronization is already configured as per the question, and changing it to Pass-through Authentication is not related to the issue of no sync jobs in staging mode. From Azure PowerShell, run Start-AdSyncSyncCycle –PolicyType Initial. (Incorrect) Start-AdSyncSyncCycle Purpose: This PowerShell command is used to manually trigger a synchronization cycle. While this command can initiate a sync, it will still respect the staging mode configuration. If staging mode is enabled, running this command will likely start an import and synchronization cycle, but the export to Azure AD will still be skipped because of staging mode. Therefore, this command will not resolve the fundamental issue of staging mode preventing active synchronization. In summary: The root cause is staging mode being enabled. Disabling staging mode using the Azure AD Connect wizard is the direct and necessary action to allow synchronization to Azure AD to proceed and for sync jobs to be displayed correctly in Synchronization Service Manager. Final Answer: The final answer is Run Azure AD Connect and disable staging mode.

Answer 5

The correct answers are: Deploy the Microsoft Monitoring Agent. Modify Agent configuration settings in Workspace1. Explanation: Let's break down why these two actions are necessary and why the others are not the best choices: Deploy the Microsoft Monitoring Agent (MMA). Why it's correct: The Microsoft Monitoring Agent (MMA), also known as the Log Analytics agent, is the primary agent used to connect Windows and Linux machines (including on-premises VMs) to Azure Monitor and Log Analytics. To collect data from the on-premises Windows Server 2019 VMs and send it to Workspace1, you must deploy the MMA agent on each of these VMs. The agent is responsible for gathering the event logs and securely transmitting them to the configured Log Analytics workspace. Why other options are not replacements: Without an agent installed on the VMs, there's no mechanism to collect and send the event log data to Azure. Modify Agent configuration settings in Workspace1. Why it's correct: After deploying the MMA agent, you need to configure your Log Analytics workspace (Workspace1) to specify which data to collect from the agents. This is done in the "Agents configuration" or "Data" settings within the Log Analytics workspace in the Azure portal. Specifically, you need to configure the Windows Event Logs settings to collect Error events. You can specify which event logs to collect (e.g., Application, System, Security) and the minimum severity level (e.g., Error, Warning, Information). Why other options are not replacements: Simply deploying the agent is not enough. You need to tell the Log Analytics workspace what kind of data to expect and collect from the connected agents. This configuration within Workspace1 is essential for data collection to start and for collecting only errors as required. Create an Azure Event Grid domain. Why it's incorrect: Azure Event Grid is a service for routing events from various Azure services and custom applications to event handlers. It's not directly used for collecting Windows Event Logs from VMs. Event Grid is more for real-time event-driven architectures, not log aggregation in this context. Configure Windows Event Forwarding on the virtual machines. Why it's incorrect: While Windows Event Forwarding (WEF) can be used to forward events to a central collector, it's not necessary for this scenario. The MMA agent can directly collect Windows Event Logs from the local machine and send them to Log Analytics without requiring WEF. Using WEF would add unnecessary complexity and management overhead for 100 VMs. MMA is the simpler and more direct approach for this requirement. Create an Azure Sentinel workspace. Why it's incorrect: Azure Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution built on top of Azure Log Analytics. While Sentinel uses Log Analytics workspaces as its data store, creating a new Azure Sentinel workspace is not necessary to simply collect Windows Event Logs into an existing Log Analytics workspace (Workspace1). You already have Workspace1, and that's sufficient for log collection. Sentinel is for advanced security analysis on top of collected logs, not for the basic act of collecting logs itself. Therefore, the two essential actions are deploying the MMA agent and configuring the Log Analytics workspace to collect Windows Event Log errors. Final Answer: The final answer is Deploy the Microsoft Monitoring Agent and Modify Agent configuration settings in Workspace1.

Answer 6

The correct answer is Linux Diagnostic Extension (LAD). Explanation: Linux Diagnostic Extension (LAD): Purpose: LAD is an Azure VM Extension specifically designed for Linux virtual machines. Its primary function is to collect system-level metrics and logs from the Linux operating system and send them to Azure Monitor. Functionality: LAD can collect a wide range of metrics, including CPU utilization, memory usage, disk I/O, network traffic, and more. It can also be configured to collect various logs, such as syslog, authlog, and custom application logs. Integration with Azure Monitor: LAD seamlessly integrates with Azure Monitor, allowing you to visualize metrics, query logs, set up alerts, and perform in-depth analysis of your Linux VM's performance and health within the Azure portal. Let's look at why the other options are incorrect: Azure HDInsight: Purpose: Azure HDInsight is a cloud service for big data analytics. It allows you to process massive amounts of data using popular open-source frameworks like Hadoop, Spark, Hive, and others. Relevance to VM Monitoring: Azure HDInsight is not related to monitoring the metrics and logs of a single Linux VM. It's for big data processing and analytics, not general VM monitoring. Azure Analysis Services: Purpose: Azure Analysis Services is a fully managed platform as a service (PaaS) that provides enterprise-grade semantic modeling capabilities in the cloud. It's used for building and deploying OLAP (Online Analytical Processing) models for business intelligence and data analysis. Relevance to VM Monitoring: Azure Analysis Services is not used for VM monitoring. It's for business intelligence and analytical data modeling. the AzurePerformanceDiagnostics extension: Purpose: The AzurePerformanceDiagnostics extension is designed for Windows virtual machines. It collects performance data and helps troubleshoot performance issues on Windows VMs. Relevance to Linux VMs: This extension is not compatible with Linux VMs. It is specifically for Windows operating systems. In summary: For monitoring metrics and logs of a Linux virtual machine in Azure, the Linux Diagnostic Extension (LAD) is the correct and purpose-built tool. It's designed to collect the necessary data from Linux VMs and integrate with Azure Monitor for visualization, analysis, and alerting. Final Answer: The final answer is Linux Diagnostic Extension (LAD).

Answer 7

Answer: Minimum number of network interfaces: 5 Minimum number of network security groups: 1 Explanation: Minimum number of network interfaces: 5 Each virtual machine needs to be connected to a virtual network to have a private IP address and to be accessible over the network. A network interface (NIC) is the resource that allows a virtual machine to connect to a virtual network. Since you have five virtual machines, you need a minimum of five network interfaces, one for each virtual machine. A single NIC can be configured with both a private and a public IP address. Minimum number of network security groups: 1 Network security groups (NSGs) are used to filter network traffic to and from Azure resources in a virtual network. You can associate an NSG with either a subnet or individual network interfaces. Since all five virtual machines require the same inbound and outbound security rules, you can apply a single NSG at the subnet level. By applying the NSG to the subnet, all virtual machines within that subnet (including the five you plan to deploy) will automatically inherit the security rules defined in that NSG. Therefore, you only need a minimum of one network security group applied to the subnet to enforce the same security rules for all five virtual machines. Final Answer: Minimum number of network interfaces: **5** Minimum number of network security groups: **1**

Answer 8

The three objects you should create in Subscription1 to support the planned deployment of replicating VM1 from on-premises Hyper-V to Azure are: Azure Recovery Services Vault Hyper-V site Replication policy Here's why these options are correct: Azure Recovery Services Vault: This is a crucial component for Azure Site Recovery. It's a storage entity in Azure that stores and manages backup data and recovery points46. It's essential for orchestrating replication from on-premises to Azure. Hyper-V site: When replicating from on-premises Hyper-V to Azure, you need to create a Hyper-V site in Azure Site Recovery. This represents your on-premises Hyper-V infrastructure1. Replication policy: This defines settings such as recovery point retention and frequency of application-consistent snapshots. It's necessary to configure how the replication will occur7. These three components work together to enable the replication of VM1 from your on-premises Hyper-V server to Azure. The Recovery Services vault stores the replication data, the Hyper-V site represents your on-premises environment, and the replication policy defines how the replication occurs. The other options are not necessary for this specific scenario: A storage account is not explicitly required as the Recovery Services vault manages the storage of replication data. An Azure Traffic Manager instance and endpoint are used for routing traffic and are not directly related to VM replication.

Answer 9

The correct answer is Use Azure AD Connect to customize the synchronization options. Explanation: Here's why this option is the most appropriate and why the others are less suitable: Use Azure AD Connect to customize the synchronization options. (Correct) Azure AD Connect Customization: Azure AD Connect provides a wizard-driven interface for configuring and customizing synchronization. When you run Azure AD Connect again after the initial setup, you can choose to "Customize synchronization options." Filtering Options: Within the customization options, Azure AD Connect allows you to configure filtering based on domains, organizational units (OUs), and attributes. This attribute-based filtering is precisely what you need to filter users based on their UPN suffix. UPN Suffix Filtering: You can configure attribute-based filtering to only synchronize users where the userPrincipalName attribute ends with @contoso.com. This ensures that only users with the desired UPN suffix from the contoso.local domain are synchronized to Azure AD. User-Friendly Approach: Using the Azure AD Connect wizard is the recommended and most user-friendly method for making common synchronization customizations like filtering. Use the Synchronization Rules Editor to create a synchronization rule. (Less Ideal, but Possible) Synchronization Rules Editor Power: The Synchronization Rules Editor is a more powerful tool that allows for very granular control over synchronization rules. You could use it to create a custom inbound synchronization rule that filters users based on their UPN suffix. Complexity: However, using the Synchronization Rules Editor is generally considered a more advanced approach. It requires a deeper understanding of the synchronization engine and rule syntax. For a relatively simple filtering requirement like this, using the Azure AD Connect wizard is a simpler and more recommended approach. Directly editing sync rules is typically reserved for more complex scenarios that the wizard doesn't directly cover. Use Synchronization Service Manager to modify the Metaverse Designer tab. (Incorrect) Metaverse Designer Purpose: The Metaverse Designer in Synchronization Service Manager is primarily used to manage the schema of the Metaverse, which is the central identity repository in Azure AD Connect. It's used for extending the schema or modifying object type mappings. It's not the tool for filtering users based on attributes like UPN suffix. Use Synchronization Service Manager to modify the Active Directory Domain Services (AD DS) Connector. (Incorrect) AD DS Connector Configuration: Modifying the AD DS Connector in Synchronization Service Manager mainly involves configuring the connection to your on-premises Active Directory, such as credentials, connected domains, and OU selection for synchronization. While you can select specific OUs to sync, you cannot directly apply attribute-based filtering (like UPN suffix) at the connector level. Attribute-based filtering is configured through synchronization rules or the Azure AD Connect wizard's customization options. In summary: While the Synchronization Rules Editor could be used, the Azure AD Connect wizard's customization options provide a more user-friendly and recommended way to achieve the desired filtering based on UPN suffix. It's the intended tool for common synchronization configuration changes like filtering. Final Answer: The final answer is Use Azure AD Connect to customize the synchronization options.

Answer 10

To create an Azure SQL database (DB2) within an existing elastic pool (Pool1), DB2 must be deployed on the same Azure SQL server that hosts the elastic pool. According to the question: DB1 is an Azure SQL database created on Sql1. DB1 is in an elastic pool named Pool1. This directly implies that Pool1 is hosted on Sql1. Elastic pools are server-scoped. An elastic pool is created on a specific Azure SQL server, and all databases that are part of that elastic pool must reside on the same SQL server. You cannot have databases in an elastic pool that are spread across different SQL servers. Therefore, to create DB2 in Pool1, you must deploy DB2 on Sql1. Let's examine the options: Sql1: This is the correct answer. Since Pool1 is hosted on Sql1, DB2 must also be deployed on Sql1 to be part of Pool1. Sql2: Sql2 is located in the East US region and resource group RG2. Sql1 is in West US and RG1. Elastic pools and databases within them must be in the same region and on the same SQL server. Sql2 is not the correct location. Sql3: Sql3 is located in the West US region and resource group RG3. While Sql3 is in the same region (West US) as Sql1, it is a different SQL server. You cannot add a database to an elastic pool that is hosted on a different SQL server. Sql4: Sql4 is located in the West US region and resource group RG1, the same region and resource group as Sql1. However, it is still a different SQL server instance than Sql1. You cannot add a database to an elastic pool hosted on Sql1 if you deploy DB2 on Sql4. Conclusion: The only valid location to deploy DB2 so that it can be part of Pool1 is Sql1, as Pool1 is hosted on Sql1. Final Answer: The final answer is Sql1.

Answer 11

Answer Area: Minimum number of network security groups (NSGs) to create: 1 Objects to assign to the network security groups (NSGs): 1 subnet Minimum number of Azure Standard Load Balancer rules to create: 2 Explanation: Minimum number of network security groups (NSGs) to create: 1 You can use a single Network Security Group (NSG) to control inbound and outbound traffic for all virtual machine instances within the virtual machine scale set. NSGs can be associated with a subnet or individual network interfaces. To minimize management and apply the same security rules to all instances in the scale set, you should apply the NSG to the subnet in which VSS1 is deployed. Since all VMs in the scale set need the same security rules (allowing HTTP and HTTPS), one NSG applied at the subnet level is sufficient. Objects to assign to the network security groups (NSGs): 1 subnet As explained above, applying the NSG to the subnet is the most efficient way to manage security rules for all VMs in the VSS. You don't need to create NSGs for each zone or for each individual network interface when the security requirements are the same across all instances. Minimum number of Azure Standard Load Balancer rules to create: 2 You need to provide access to App1 using both HTTP (port 80) and HTTPS (port 443). Azure Load Balancer rules define how traffic is distributed to the backend pool. Each rule typically handles traffic for a specific port and protocol combination. You will need one load balancer rule to handle HTTP traffic (port 80) and forward it to the backend pool (VSS1 instances). You will need a second load balancer rule to handle HTTPS traffic (port 443) and forward it to the same backend pool (VSS1 instances). Therefore, you require a minimum of two load balancer rules to handle both HTTP and HTTPS traffic. Final Answer: Minimum number of network security groups (NSGs) to create: **1** Objects to assign to the network security groups (NSGs): **1 subnet** Minimum number of Azure Standard Load Balancer rules to create: **2**

Answer 12

The question asks if deploying DB1 and DB2 as Azure SQL databases on different Azure SQL Database servers supports server-side transactions across them. Azure SQL Database (Single Database): This deployment option provides a single, isolated database. Each Azure SQL Database server is a logical construct providing administrative scope for databases. Databases on different Azure SQL Database servers are fundamentally independent and isolated from a transactional perspective. Server-Side Transactions Across Databases: True server-side transactions across databases typically require distributed transaction capabilities. In SQL Server, this might be handled using Distributed Transaction Coordinator (DTC) in certain scenarios or linked servers with limitations on full transactional guarantees in distributed scenarios. Azure SQL Database Limitations: Azure SQL Database (single database option) has limitations when it comes to distributed transactions across independent database servers. While you can query across databases using features like elastic queries, these are not designed for ACID (Atomicity, Consistency, Isolation, Durability) transactions that span multiple independent Azure SQL databases. Cross-Database Transactions in Azure SQL Database: While some form of cross-database querying is possible in Azure SQL Database, true distributed transactions in the traditional sense (like within a single SQL Server instance or using DTC across instances) are not directly supported across independent Azure SQL Databases on different servers. Analysis of the Proposed Solution: The solution proposes deploying DB1 and DB2 as separate Azure SQL databases, each on a different Azure SQL Database server. This setup creates two completely independent Azure SQL databases. In this configuration, server-side transactions that span across DB1 and DB2 and maintain full ACID properties are NOT natively supported by Azure SQL Database. While application-level transaction management or eventual consistency patterns might be possible, the requirement is for server-side transactions. Deploying them as independent Azure SQL Databases on different servers does not directly fulfill this requirement with built-in server features. Conclusion: The proposed solution does not meet the goal of supporting server-side transactions across DB1 and DB2 using the described Azure SQL Database deployment. To achieve server-side transactions, a different Azure SQL deployment option (like Azure SQL Managed Instance, which offers more SQL Server instance-level features, or deploying SQL Server on Azure VMs) or a different application architecture might be necessary. Final Answer: No

Answer 13

The question asks if deploying DB1 and DB2 as Azure SQL databases on the same Azure SQL Database server supports server-side transactions across them. Azure SQL Database Server Scope: In Azure SQL Database, a "server" is a logical construct. It's a management unit for Azure SQL databases. Crucially, databases deployed on the same Azure SQL Database server share the same physical SQL Server instance in the backend infrastructure (though this is abstracted from the user). Cross-Database Transactions within a Single SQL Server Instance: Microsoft SQL Server, by design, supports cross-database transactions when the databases reside on the same SQL Server instance. You can use standard SQL transaction commands (like BEGIN TRANSACTION, COMMIT TRANSACTION, ROLLBACK TRANSACTION) to create transactions that span multiple databases on the same instance. You can reference objects in other databases using three or four-part naming conventions (e.g., DatabaseName.SchemaName.ObjectName). Azure SQL Database Behavior: When you deploy multiple Azure SQL databases on the same Azure SQL Database server, they effectively reside within the same logical SQL Server instance environment provided by the Azure SQL Database service. This means they inherit the cross-database transaction capabilities of SQL Server. Server-Side Transactions: The requirement is for server-side transactions. This implies that the transaction management should be handled by the database server itself, not just at the application level. SQL Server's built-in transaction management features, when used for cross-database transactions on the same instance (or Azure SQL Database server), fulfill this requirement. Analysis of the Proposed Solution: The solution proposes deploying DB1 and DB2 as Azure SQL databases on the same Azure SQL Database server. This is the key point. Because they are on the same server, they can participate in server-side transactions that span both databases. You can write stored procedures or application code that initiates a transaction, performs operations in both DB1 and DB2 (using proper database naming conventions), and then commits or rolls back the entire transaction as a single atomic unit. Conclusion: The proposed solution does meet the goal. Deploying DB1 and DB2 as Azure SQL databases on the same Azure SQL Database server enables the implementation of server-side transactions across DB1 and DB2 using standard SQL Server transactional capabilities. Final Answer: Yes

Answer 14

The goal is to retrieve Item1 and Item2 only from Azure Cosmos DB Container1. Let's analyze the provided solution: Solution: You run the following query: SELECT day WHERE value = "10" Use code with caution. SQL You set the Enable Cross Partition Query property to False. Item Data Analysis: Item1: {"id": "1", "day": "Mon", "value": "10"} Item2: {"id": "2", "day": "Mon", "value": "15"} Item3: {"id": "3", "day": "Tue", "value": "10"} Item4: {"id": "4", "day": "Wed", "value": "15"} Query Evaluation: The query SELECT day WHERE value = "10" filters items based on the value property being equal to "10". Item1: value is "10", so it matches the WHERE clause. Item2: value is "15", so it does not match the WHERE clause. Item3: value is "10", so it matches the WHERE clause. Item4: value is "15", so it does not match the WHERE clause. Therefore, based on the WHERE value = "10" condition, the query would retrieve Item1 and Item3, not Item1 and Item2. Cross Partition Query Setting: Setting Enable Cross Partition Query to False means that the query will only be executed against a single partition. However, the query itself is already flawed in achieving the goal, regardless of the cross-partition setting, because it will not retrieve Item2. Goal Evaluation: The goal is to retrieve Item1 and Item2 only. The query SELECT day WHERE value = "10" will retrieve Item1 and Item3, not Item1 and Item2. Item2 has a value of "15" and will be excluded by the WHERE clause. Conclusion: The provided solution does not meet the goal because the query SELECT day WHERE value = "10" will retrieve Item1 and Item3, not Item1 and Item2. Setting Enable Cross Partition Query to False does not change the fact that the query's filter condition is incorrect for retrieving Item1 and Item2 only. Final Answer: No

Answer 15

Final Answer: Public IP addresses: 1 Virtual network gateways: 1 Local network gateways: 2 Why This Is Correct: Azure VPN Gateway (1 VNG, 1 IP): A single VNG with one public IP in active-standby mode ensures HA on the Azure side. If one instance fails, failover occurs within two minutes (typically faster), meeting the requirement. Active-active mode (2 IPs) is overkill for the "minimum" resources. On-Premises Redundancy (2 LNGs): Two LNGs represent the two on-premises VPN devices. The Azure VPN gateway can maintain tunnels to both, and if one device fails, traffic reroutes to the other. Azure detects the failure (e.g., via tunnel health checks or BGP) and switches within two minutes, especially if BGP is used (though static routes also work with proper design). Minimization: This configuration uses the fewest Azure resources (1 IP, 1 VNG) while leveraging the on-premises redundancy (2 devices, 2 LNGs) to meet the HA goal. Alternative Consideration (Why Not More?): 2 Public IPs, 1 VNG (Active-Active): Possible with higher-tier SKUs, but it’s not the minimum, as active-standby (1 IP) meets the two-minute threshold. 2 VNGs: Not feasible in one VNet for site-to-site VPN and unnecessary, as one VNG with HA suffices. 1 LNG: Fails the on-premises redundancy requirement, as it only connects to one device.

Answer 16

The correct answer is Logic Apps Designer. Explanation: Here's why Logic Apps Designer is the best choice and why the other options are less suitable for this specific scenario: Logic Apps Designer: Purpose: Azure Logic Apps is a cloud-based platform for automating workflows and integrating services. The Logic Apps Designer is the visual interface for creating these workflows. Integration with Azure Sentinel: Logic Apps has native connectors and triggers for Azure Sentinel. You can create a Logic App that is triggered when a new Azure Sentinel alert is generated. Email Notification Capabilities: Logic Apps has built-in connectors for various email services (like Office 365 Outlook, Gmail, SendGrid, etc.). You can easily add an action in your Logic App workflow to send an email notification. Dynamic Resource Owner Lookup: Logic Apps can integrate with Azure Resource Graph or Azure Resource Manager to dynamically retrieve information about the resource that triggered the alert. You could potentially use Resource Graph to query for tags on the resource or use Azure RBAC to find the owners/contributors and send notifications to them. Flexibility and Customization: Logic Apps provides a highly flexible and customizable way to build notification workflows. You can tailor the email content, recipients, and notification logic based on the specifics of the Sentinel alert. Azure Security Center (Microsoft Defender for Cloud): Purpose: Microsoft Defender for Cloud focuses on security posture management and threat protection. While it provides security alerts and recommendations, its native email notification capabilities are primarily for Security Center's own findings, not for routing notifications based on Sentinel alerts to resource owners. Limited Customization for Sentinel Alerts: While Defender for Cloud and Sentinel are integrated, Defender for Cloud's notification system is not designed to be the primary mechanism for handling notifications from Sentinel alerts and routing them to resource owners based on resource context. Automation Runbook: Purpose: Azure Automation Runbooks are used for general automation tasks in Azure and hybrid environments. Can Send Emails: Runbooks can be coded (PowerShell or Python) to send emails. Complexity for Workflows: While you could use an Automation Runbook to achieve the goal, it would generally require more coding and be less visually intuitive to build the workflow compared to Logic Apps. You would need to handle the trigger (e.g., via a webhook from Sentinel), resource owner lookup logic, and email sending all within the Runbook code. Logic Apps provides a more declarative, visual, and connector-driven approach that is often simpler for this type of workflow. Azure Machine Learning Studio: Purpose: Azure Machine Learning Studio is for building, training, and deploying machine learning models. It has no relevance to sending email notifications for Azure Sentinel alerts. Why Logic Apps is the Best Choice: Logic Apps Designer is the most direct and efficient tool for this specific requirement because: Native Sentinel Integration: It has built-in triggers for Azure Sentinel alerts. Email Connectors: It provides easy-to-use connectors for sending emails. Workflow Automation Focus: It is designed for building automated workflows, making it ideal for handling alerts and triggering actions like email notifications. Resource Context and Customization: It provides the flexibility to retrieve resource information and customize notifications based on alert details and resource ownership. Final Answer: The final answer is Logic Apps Designer.

Answer 17

Statements: Cosmos75246 is accessible by using a public IP address. No VM1 can read from cosmos75246. Yes VM2 can read from cosmos75246. No Explanation: 1. Cosmos75246 is accessible by using a public IP address. NO Private Endpoint: The exhibit clearly shows that the Cosmos DB account (cosmos75246) is configured with a private endpoint (Endpoint1). Private endpoints provide secure and private connectivity to Azure services without exposing them to the public internet. The service is accessed via a private IP address within the specified virtual network (Vnet1). Since a private endpoint is used, there is no public IP address access. Connectivity method: Private endpoint: In the networking section, the connectivity method is selected as Private Endpoint. 2. VM1 can read from cosmos75246. YES Same Virtual Network: The private endpoint (Endpoint1) is created within Vnet1. VM1 is also located in Vnet1. Because VM1 is in the same virtual network as the private endpoint for the Cosmos DB account, it can communicate with the Cosmos DB account using the private IP address assigned to the endpoint. 3. VM2 can read from cosmos75246. NO Different Virtual Network: VM2 is located in Vnet2, which is a different virtual network from Vnet1 (where the private endpoint is located). By default, virtual networks in Azure are isolated from each other. VM2 cannot directly access the private endpoint in Vnet1, and therefore cannot connect to the Cosmos DB account.

Answer 18

Let's analyze each statement based on the network configuration provided. Statement 1: VM3 can establish a network connection to VM1. VM3 is in Subnet3 (10.0.3.0/24). VM1 is in Subnet1 (10.0.1.0/24). There is no route table applied to Subnet3, where VM3 resides. By default, Azure virtual networks allow direct communication between subnets within the same VNet. Therefore, VM3 should be able to directly communicate with VM1 using the default system routes of the virtual network. Conclusion for Statement 1: Yes. Statement 2: If VM3 is turned off, VM2 can establish a network connection to VM1. VM2 is in Subnet2 (10.0.2.0/24). VM1 is in Subnet1 (10.0.1.0/24). Route table RT1 is applied to Subnet2. RT1 contains a route for the address prefix 10.0.1.0/24 (which includes VM1's IP address) with the next hop type "Virtual appliance" and the next hop address 10.0.3.4 (which is VM3's IP address). This means that traffic from VM2 destined for VM1 (10.0.1.0/24) is directed to VM3. If VM3 is turned off, the next hop virtual appliance (10.0.3.4) becomes unavailable. When the next hop specified in a route table is unavailable, Azure will not automatically fall back to default system routes for that destination prefix. Traffic matching that route will likely be dropped or routing will fail because the specified next hop is unreachable. Therefore, if VM3 is turned off, VM2 will not be able to establish a network connection to VM1 because the custom route in RT1 points to a non-functional appliance, and default VNet routing is overridden by RT1 for traffic from Subnet2 to Subnet1. Conclusion for Statement 2: No. Statement 3: VM1 can establish a network connection to VM2. VM1 is in Subnet1 (10.0.1.0/24). VM2 is in Subnet2 (10.0.2.0/24). Route table RT1 is applied to Subnet1. RT1 contains a route for the address prefix 10.0.2.0/24 (which includes VM2's IP address) with the next hop type "Virtual appliance" and the next hop address 10.0.3.4 (which is VM3's IP address). This means that traffic from VM1 destined for VM2 (10.0.2.0/24) is directed to VM3. As long as VM3 is running and configured to route traffic between Subnet1 and Subnet2 (which is implied by "Routing is enabled on VM3" and IP forwarding on NIC3), VM1 will be able to establish a network connection to VM2, although the traffic will pass through VM3. Conclusion for Statement 3: Yes. Final Answer: Statements Yes No VM3 can establish a network connection to VM1. ☑ ☐ If VM3 is turned off, VM2 can establish a network connection to VM1. ☐ ☑ VM1 can establish a network connection to VM2. ☑ ☐

Answer 19

Answer Area: Run sysprep.exe on VM1. From Azure CLI, deallocate VM1 and mark VM1 as generalized. Create a virtual machine scale set. Explanation: Run sysprep.exe on VM1: The first step to create a custom image from a Windows VM is to generalize the VM using the System Preparation tool (Sysprep). Sysprep removes computer-specific information, such as the computer name and security identifiers (SIDs), ensuring that the image can be used to create multiple unique VMs. Running sysprep.exe /generalize /shutdown /oobe is the standard command to prepare a Windows VM for image capture. From Azure CLI, deallocate VM1 and mark VM1 as generalized: After running Sysprep and shutting down the VM, you need to deallocate the VM in Azure. Deallocating the VM releases the compute resources associated with it, making it possible to capture the VM as an image. Using the Azure CLI commands az vm deallocate --resource-group --name VM1 and az vm generalize --resource-group --name VM1 is the correct way to deallocate and mark the VM as generalized in Azure. Marking the VM as generalized in Azure signals to the platform that the VM has been sysprepped and is ready to be used as a source for a custom image. Create a virtual machine scale set: Once VM1 is generalized and deallocated, you can create a virtual machine scale set using this generalized VM as a custom image. When creating the scale set, you will specify the resource ID of the generalized VM as the imageReference source in the scale set's configuration. The scale set will then use this custom image to deploy new VM instances. The other actions are not part of the necessary sequence for creating a scale set from a custom image based on an existing VM: Install Network Load Balancing (NLB) on VM1: NLB is used for load balancing traffic within a set of VMs, not for creating a custom image. NLB configuration would typically be done after the scale set is created and deployed, or as part of application deployment within the VM instances. From Azure CLI, apply a custom script extension: Custom script extensions are used to run scripts on VMs after they are provisioned from an image. They are not needed to prepare a VM for image capture itself. While you can use custom script extensions in scale sets to customize instances after deployment, it's not a prerequisite step for creating the custom image. Final Answer: Answer Area 1. Run sysprep.exe on VM1. 2. From Azure CLI, deallocate VM1 and mark VM1 as generalized. 3. Create a virtual machine scale set.

Answer 20

To filter traffic between web servers and application servers within the same subnet using Application Security Groups (ASGs), you need to use a network security group (NSG). Here's why: Network Security Groups (NSGs): NSGs are Azure's fundamental network traffic filtering service. They allow you to control inbound and outbound traffic to Azure resources within a virtual network. NSGs use security rules to allow or deny traffic based on various criteria such as: Source and destination IP addresses or address prefixes Source and destination ports Protocol (TCP, UDP, ICMP) Application Security Groups (ASGs) Application Security Groups (ASGs): ASGs are designed to group virtual machines based on application context. They allow you to define network security rules based on these groups instead of individual IP addresses. This simplifies security management, especially in dynamic environments where IP addresses might change. Filtering with ASGs and NSGs: To filter traffic using ASGs, you need to create an NSG and define security rules within that NSG that use ASGs as the source or destination. In this scenario, you would: Create two Application Security Groups: One for the web servers (e.g., ASG_WebServers) and one for the application servers (e.g., ASG_AppServers). Associate the VMs with ASGs: Associate the 25 web server VMs with ASG_WebServers and the 25 application server VMs with ASG_AppServers. Create a Network Security Group (if one doesn't already exist for Subnet1). Create NSG Security Rules: Within the NSG associated with Subnet1, you would create rules like: Allow inbound traffic from ASG_WebServers to ASG_AppServers on the specific ports required for communication between web and application servers (e.g., port 8080). Deny inbound traffic from ASG_WebServers to ASG_AppServers on other ports if needed, to restrict communication. You can also add rules to control traffic in the reverse direction (from AppServers to WebServers) if required. Let's look at why the other options are not the correct "additional resource": Azure Firewall: Azure Firewall is a more advanced, cloud-native firewall service that provides network and application-level protection, including threat intelligence. While Azure Firewall can filter traffic, it's an over-engineered solution for simply filtering traffic within a subnet based on application groups. NSGs with ASGs are the more appropriate and cost-effective solution for this specific requirement. A user-defined route (UDR): User-defined routes control the routing of traffic, not the filtering of traffic based on application groups. UDRs are used to direct traffic through network appliances like firewalls or NVAs. They are not relevant for implementing application security group-based filtering. Azure Private Link: Azure Private Link provides private connectivity to Azure PaaS services and customer-owned services. It is not related to filtering traffic between VMs within a subnet using application security groups. Conclusion: To filter traffic between web servers and application servers using Application Security Groups, you need to provision a network security group (NSG) as the additional resource. You will then configure NSG rules that use the ASGs to define the traffic filtering policies. Final Answer: The final answer is a network security group (NSG).

Answer 21

The correct answers are: Deploy the Azure Migrate appliance to an on-premises Hyper-V host. Assign the migration account to the Administrators group on each Hyper-V host. Explanation: To evaluate Hyper-V virtual machines using Azure Migrate, you need to perform the following actions: Deploy the Azure Migrate appliance to an on-premises Hyper-V host: The Azure Migrate appliance is a lightweight virtual appliance that you deploy in your on-premises environment. For Hyper-V environments, you deploy it on a Hyper-V host. The appliance acts as a discovery and assessment tool. It discovers your Hyper-V VMs and collects metadata about their configuration, performance, and dependencies. This data is then sent to your Azure Migrate project in Azure. Without deploying the appliance, Azure Migrate cannot discover and assess your on-premises Hyper-V VMs. Assign the migration account to the Administrators group on each Hyper-V host: The Azure Migrate appliance needs credentials to connect to your Hyper-V hosts and perform discovery. You need to provide an account to the appliance that has administrative privileges on the Hyper-V hosts. This is typically done by specifying credentials during the appliance configuration process. Assigning the migration account (the account you configure in the appliance) to the Administrators group on each Hyper-V host grants the necessary permissions for the appliance to access and collect information about the VMs running on those hosts. Let's look at why the other options are incorrect: Deploy the Microsoft Monitoring Agent to each Hyper-V host: While the Microsoft Monitoring Agent (MMA) is used by Azure Monitor and also by the Dependency Agent (which can be used with Azure Migrate for dependency visualization), deploying MMA on Hyper-V hosts is not the primary requirement for initial VM evaluation using Azure Migrate's assessment capabilities. The core discovery and assessment are handled by the Azure Migrate appliance itself. MMA on VMs is more relevant for post-migration monitoring or for dependency analysis, which is an optional step in Azure Migrate assessment. Deploy the Microsoft Monitoring Agent to each Hyper-V virtual machine: Similar to the previous point, deploying MMA on each virtual machine is not a prerequisite for the initial evaluation using Azure Migrate's core assessment features. MMA on VMs is more for in-guest dependency analysis or performance monitoring after migration. For simply evaluating migration readiness and cost, the appliance collecting metadata from Hyper-V hosts is sufficient. Deploy the Azure Migrate appliance as an Azure virtual machine: The Azure Migrate appliance is designed to be deployed on-premises, close to the Hyper-V environment it needs to discover. Deploying it as an Azure VM would not allow it to directly discover and assess your on-premises Hyper-V infrastructure. The appliance needs to be on-premises to have network access to the Hyper-V hosts. In summary: The essential actions to evaluate Hyper-V VMs using Azure Migrate are deploying the Azure Migrate appliance on-premises and providing it with administrative credentials to access the Hyper-V hosts. Final Answer: The final answer is Deploy the Azure Migrate appliance to an on-premises Hyper-V host and Assign the migration account to the Administrators group on each Hyper-V host.

Answer 22

Azure Migrate appliances: 1 MARS agents: 12 Explanation: Azure Migrate appliances: Minimum Requirement: You need at least one Azure Migrate appliance to discover and assess your on-premises Hyper-V virtual machines. The Azure Migrate appliance is deployed on-premises and connects to your Hyper-V environment to collect metadata about your VMs. Scalability: A single Azure Migrate appliance can handle the discovery and assessment of a significant number of VMs. For the given scenario with 62 virtual machines spread across three clusters, one appliance is generally sufficient for assessment. You don't need a separate appliance for each cluster or VM. Redundancy (Not Minimum Requirement): While you can deploy multiple Azure Migrate appliances for redundancy in very large environments, the question asks for the minimum number. For basic assessment, one appliance is enough.

Answer 23

The goal is to enable Admin1 to create access reviews in the Azure AD tenant contoso.com. Admin1 currently cannot access the Access reviews settings, even though other Identity Governance settings are available. Admin1 is currently assigned the following roles: User administrator, Compliance administrator, and Security administrator. The proposed solution is to assign the Service administrator role to Admin1. Let's analyze the permissions associated with each role and their relevance to managing Azure AD Access Reviews: User Administrator: This role can manage all aspects of users and groups, including resetting passwords, managing licenses, and assigning roles to users and groups. Importantly, the User Administrator role is documented to have permissions to manage Access Reviews. Compliance Administrator: This role has permissions to view and manage compliance-related features in Azure AD and Microsoft 365. While it may have some visibility into Identity Governance features for compliance auditing, it is not primarily intended for creating and managing Access Reviews. Security Administrator: This role manages security-related features, including security policies, security reports, and monitoring. It has a broad view of security settings but is not primarily intended for creating and managing Access Reviews. Service Administrator (renamed to Global Administrator): The Service administrator role (now known as Global Administrator) is one of the highest privileged roles in Azure AD. Global Administrators have full access to all features in Azure AD, including Identity Governance and Access Reviews. They can perform any administrative task within the Azure AD tenant. According to Microsoft documentation, the roles that can create and manage access reviews include: Global Administrator User Administrator Identity Governance Administrator Since Admin1 is already assigned the User administrator role, which should grant permissions to manage Access Reviews, the fact that "Access reviews settings are unavailable" is unusual. However, the question specifically asks: "Does this meet the goal?" and proposes assigning the Service administrator role. Analysis of the Solution: Assigning the Service administrator (Global Administrator) role to Admin1 will definitely meet the goal. Global Administrators have all permissions in Azure AD, including the ability to create and manage Access Reviews. By assigning this role, Admin1 will gain the necessary permissions to access the Access reviews settings and create access reviews. Is it the best practice? No. Assigning the Global Administrator role should be avoided if a less privileged role can fulfill the requirement. In a real-world scenario, you would investigate why the User Administrator role is not working as expected before assigning a highly privileged role like Global Administrator. It's possible there's a permission propagation delay, a bug, or some other underlying issue. Does it meet the goal? Yes. The question is asking if the proposed solution will achieve the stated goal. Assigning the Service administrator role will technically grant Admin1 the necessary permissions. Therefore, in the context of this specific question which is focused on whether the proposed solution meets the goal, and given that Service Administrator role indeed grants all permissions, the answer is Yes. Final Answer: Yes

Answer 24

Answer Area: Delete GW1. Create a route-based virtual network gateway. Explanation: Delete GW1: Policy-based VPN gateways do not support Point-to-Site (P2S) VPN configurations. Policy-based gateways are limited in their capabilities compared to route-based gateways, especially when it comes to P2S VPNs and certain advanced VPN features. To enable P2S VPN, you will need to use a route-based VPN gateway. Therefore, the first necessary step is to delete the existing policy-based gateway (GW1) as it cannot be configured for P2S. Create a route-based virtual network gateway: Route-based VPN gateways are required for Point-to-Site VPN connections. Route-based gateways offer the necessary flexibility and features to support P2S VPN, as well as Site-to-Site and VNet-to-VNet VPNs. After deleting the policy-based gateway, you must create a new virtual network gateway of the route-based type. When creating the gateway, you will specify the -GatewayType Vpn and -VpnType RouteBased parameters (if using PowerShell) or select "Route-based" as the VPN type in the Azure portal. Once the route-based gateway is deployed, you can then configure the Point-to-Site configuration on it. Let's look at why the other options are incorrect: Reset GW1: Resetting a VPN gateway restarts the gateway service. While this can resolve temporary connectivity issues, it does not change the gateway type from policy-based to route-based. Resetting a policy-based gateway will not make it support P2S VPN. Add a public IP address space to VNet1: Adding a public IP address space to your virtual network's address space is not relevant to enabling P2S VPN. Virtual network address spaces define the private IP address ranges within your VNet, not public IP addressing for VPN gateways or P2S clients. Add a connection to GW1: Adding a connection to GW1 would typically be for creating a Site-to-Site or VNet-to-VNet VPN connection. If GW1 is a policy-based gateway, adding a P2S connection to it will not work because policy-based gateways do not support P2S. You need to change the gateway type itself. Add a service endpoint to VNet1: Service endpoints are used to secure access to Azure PaaS services (like Azure Storage or Azure SQL Database) from within your virtual network. They are not related to VPN connectivity or enabling Point-to-Site VPN access to your VNet. In summary: To enable Point-to-Site VPN connectivity when you currently have a policy-based gateway, you must replace the policy-based gateway with a route-based gateway. This involves deleting the existing gateway and creating a new one of the route-based type. Final Answer: Answer Area 1. Delete GW1. 2. Create a route-based virtual network gateway.

Answer 25

The correct answer is peering. Explanation: Peering (specifically, Global VNet Peering): Purpose: Azure Virtual Network peering enables you to connect two Azure virtual networks directly. Global VNet peering extends this capability to virtual networks in different Azure regions. Microsoft Backbone: Global VNet peering utilizes the Microsoft backbone infrastructure for communication between the peered virtual networks. This ensures low latency, high bandwidth, and secure communication as traffic stays within the Microsoft global network. Direct Communication: Once peered, VMs in VNET1 and VNET2 can communicate with each other using their private IP addresses, as if they were in the same virtual network. Routing is automatically managed by Azure. Scalability: VNet peering is designed to handle communication between a large number of virtual machines within the peered networks. Let's examine why the other options are not the most suitable for this scenario: Azure ExpressRoute: Purpose: Azure ExpressRoute is designed to establish private, dedicated connections between your on-premises network and Azure. While ExpressRoute provides a connection to the Microsoft backbone, it is primarily used for hybrid connectivity scenarios, connecting your data center to Azure. VNet-to-VNet within Azure: While you could technically use ExpressRoute to route traffic between Azure VNets (by backhauling traffic to your on-premises network and then back to Azure), this is highly inefficient, complex, and adds unnecessary latency and cost. VNet peering is the direct and recommended solution for VNet-to-VNet connectivity within Azure. ExpressRoute is not designed for this intra-Azure VNet communication. A point-to-site VPN: Purpose: Point-to-site (P2S) VPN connections are designed to connect individual client computers to an Azure virtual network. They are not intended for connecting entire virtual networks to each other or enabling communication between hundreds of VMs in different VNets. P2S VPNs are for remote user access, not VNet-to-VNet communication. A site-to-site VPN: Purpose: Site-to-site (S2S) VPN connections can connect an on-premises network to an Azure virtual network, or they can connect two Azure virtual networks. Public Internet Traversal (by default): By default, Site-to-Site VPN connections between Azure VNets traverse the public internet. While you can configure them to use the Microsoft backbone in certain scenarios (like using VPN Gateway with ExpressRoute), this is more complex than necessary and less efficient than VNet peering for direct VNet-to-VNet communication within Azure. Performance and Cost: VPN gateways introduce more latency and have bandwidth limitations compared to VNet peering, which leverages the direct, high-bandwidth nature of the Microsoft backbone. VNet peering is generally more cost-effective for VNet-to-VNet connectivity within Azure. Conclusion: For enabling virtual machines on VNET1 and VNET2 to communicate through the Microsoft backbone infrastructure, peering (Global VNet Peering) is the most appropriate, efficient, and recommended solution. It directly addresses the requirement for VNet-to-VNet connectivity within Azure using the backbone, offering performance, security, and scalability. Final Answer: The final answer is peering.

Answer 26

The question asks if deploying DB1 and DB2 to an Azure SQL Database Managed Instance supports server-side transactions across them. Azure SQL Database Managed Instance (Managed Instance): Managed Instance is designed to provide near-complete compatibility with on-premises SQL Server instances. It offers instance-level features, unlike single Azure SQL Databases which are database-scoped. SQL Server Instance and Cross-Database Transactions: On-premises SQL Server instances natively support server-side transactions that span multiple databases hosted within the same instance. This is a fundamental feature of SQL Server. You can use standard SQL transaction commands to begin, commit, or rollback transactions that involve operations across different databases residing on the same SQL Server instance. Managed Instance and Instance-Level Capabilities: Azure SQL Database Managed Instance is designed to emulate an on-premises SQL Server instance environment in the cloud. This includes providing instance-level features and behaviors, such as cross-database querying and, importantly, cross-database transactions. Transaction Scope in Managed Instance: When you deploy multiple databases (like DB1 and DB2) to a single Azure SQL Database Managed Instance, they are hosted within the same SQL Server instance environment provided by the Managed Instance service. This means that they can leverage the built-in SQL Server capabilities for server-side transactions that span databases on the same instance. Analysis of the Proposed Solution: The solution proposes deploying DB1 and DB2 to an Azure SQL Database Managed Instance. Since Managed Instance is designed to provide SQL Server instance-level compatibility, and SQL Server instances support server-side transactions across databases within the instance, deploying DB1 and DB2 to the same Managed Instance will enable server-side transactions across these databases. Conclusion: The proposed solution does meet the goal. Deploying DB1 and DB2 to an Azure SQL Database Managed Instance allows for the implementation of server-side transactions across DB1 and DB2, leveraging the SQL Server instance-level transactional capabilities provided by Managed Instance. Final Answer: Yes

Answer 27

Let's analyze each option in the context of the requirements: no downtime and dynamically defined scaling for an application running on a single VM that is experiencing increased traffic. Deploy application automatic vertical scaling: Downtime: Vertical scaling (scaling up the VM size) typically requires a VM reboot, which results in downtime for the application. While some newer Azure VM sizes support resizing without downtime, it is not guaranteed for all sizes and scenarios, and it's generally less reliable for zero-downtime scaling compared to horizontal scaling. Dynamic Scaling: Automatic vertical scaling can be dynamically defined based on metrics like CPU utilization or memory usage. Complete Solution?: No, because it likely incurs downtime, violating the "no downtime" requirement. Create a VM availability set: Downtime: Availability sets improve the availability of VMs by distributing them across fault domains and update domains. They protect against hardware failures and planned maintenance, but they do not inherently provide scaling capabilities to handle increased traffic. Availability sets themselves do not dynamically scale resources. Dynamic Scaling: No, availability sets do not offer autoscaling. Complete Solution?: No, availability sets do not address the dynamic scaling requirement or the increased traffic problem directly. They are for high availability, not scalability. Create a VM scale set: Downtime: VM scale sets are designed for horizontal scaling and are built to minimize downtime during scaling operations. Scale-out operations (adding more instances) in a scale set are generally zero-downtime, especially when combined with a load balancer and proper health probes. Rolling upgrades can also minimize downtime during updates. Dynamic Scaling: Yes, VM scale sets have built-in autoscaling capabilities. You can define autoscaling rules based on various metrics (CPU, memory, custom metrics, etc.) to dynamically adjust the number of VM instances based on workload. Complete Solution?: Yes, VM scale sets are a complete and highly recommended solution for both no downtime and dynamically defined scaling for applications in Azure. They enable horizontal scaling, which is ideal for handling increased traffic without service interruption. Deploy application automatic horizontal scaling: Downtime: Horizontal scaling, by its nature, aims to avoid downtime during scale-out operations. By adding more instances behind a load balancer, you can handle increased traffic without interrupting service to existing users. Dynamic Scaling: Yes, automatic horizontal scaling is inherently dynamic. You can automate the process of adding and removing application instances based on load. Complete Solution?: Yes, deploying automatic horizontal scaling is a conceptually correct and effective solution. In Azure, VM scale sets are the primary way to implement automatic horizontal scaling for VM-based applications. Deploy a custom auto-scale implementation: Downtime: The potential for downtime depends entirely on the quality and design of the custom implementation. If meticulously designed, it could achieve zero downtime scaling. However, this is more complex and error-prone than using managed Azure services. Dynamic Scaling: Yes, a custom implementation can be designed to provide fully dynamic scaling based on any metrics you choose. Complete Solution?: Yes, theoretically, a custom auto-scale implementation can be a complete solution. However, it is generally less recommended than using managed services like VM scale sets due to increased complexity, development effort, and ongoing maintenance. It also goes against the "minimize implementation time" aspect of the requirements, compared to readily available Azure features like VM Scale Sets. Considering the "Complete Solution" and Azure Best Practices: The three most appropriate and complete solutions, focusing on Azure managed services and best practices for scalability and high availability, are: Create a VM scale set: This is the most direct and recommended Azure service for horizontal scaling of VMs and meeting both no downtime and dynamic scaling requirements. Deploy application automatic horizontal scaling: This conceptually describes the desired scaling approach, and in the Azure context, VM scale sets are the primary mechanism to achieve this. Deploy a custom auto-scale implementation: While less ideal compared to managed services, a custom implementation could be considered a "complete solution" if designed and implemented correctly, although it adds complexity and overhead. Final Answer: The final answer is: Create a VM scale set. Deploy application automatic horizontal scaling. Deploy a custom auto-scale implementation.

Answer 28

To identify which storage accounts can be used to archive diagnostics logs for Recovery Services vault Vault1, we need to consider the following factors: Location: While it is generally recommended to store diagnostic logs in the same region as the resource for performance and cost optimization, it is not always a strict requirement. However, it's a best practice to prioritize storage accounts in the same region. Storage Account Type: Azure Recovery Services Vault diagnostic logs can be archived to general-purpose storage accounts (v1 and v2) and Blob Storage accounts. Let's analyze each storage account based on these factors: Vault1: Resource Group: RG1 Location: West US (as stated in the question "Vault1 in RG1 in the West US location") Storage1: Resource Group: RG1 Location: West US Account kind: BlobStorage Location: Same region as Vault1 (West US). Account kind: BlobStorage is a compatible type for diagnostic logs. Conclusion: Storage1 is a valid option. Storage2: Resource Group: RG2 Location: West US Account kind: Storage (general purpose v1) Location: Same region as Vault1 (West US). Account kind: General purpose v1 is a compatible type for diagnostic logs. Conclusion: Storage2 is a valid option. Storage3: Resource Group: RG1 Location: East US Account kind: Storage V2 (general purpose v2) Location: Different region from Vault1 (East US vs. West US). Account kind: General purpose v2 is a compatible type for diagnostic logs. Conclusion: Storage3 is technically a valid option as cross-region storage for diagnostics is generally allowed, although less optimal than same-region storage from a cost and latency perspective. Considering the options provided, and prioritizing storage accounts in the same region as Vault1 (West US) for best practices: Storage1 only: Valid, but not the most inclusive correct option if Storage2 is also valid. Storage2 only: Valid, but not the most inclusive correct option if Storage1 is also valid. Storage3 only: Less ideal due to cross-region location, though technically might work. Storage1 or Storage2 only: This option includes both Storage1 and Storage2, which are in the same region as Vault1 and have compatible account types. This is the best option that prioritizes same-region storage. Storage1 or Storage3 only: This option mixes same-region (Storage1) and cross-region (Storage3), and excludes Storage2 which is also in the same region as Vault1. Based on best practices and the available options, the most appropriate answer is the one that includes both same-region storage accounts and excludes the cross-region one, if we are to select the best and most aligned options from the given choices. However, if cross-region is also considered technically possible in the question's context, then all three might be considered technically valid for basic archiving, although less optimal for cross-region case. Given the choices and aiming for the most technically sound and best practice aligned answer, "Storage1 or Storage2 only" is the most suitable because both are in the same region as Vault1 and have compatible storage account types. Final Answer: The final answer is Storage1 or Storage2 only.

Answer 29

The correct URI to access Table1 in the Azure Storage account storage1 follows a specific format for Azure Table Storage. The general structure is: https://.table.core.windows.net/ Use code with caution. Where: is the name of your Azure Storage account (in this case, storage1).

is the name of your Azure Table (in this case, Table1). table.core.windows.net is the domain for Azure Table Storage. Let's evaluate each of the provided options against this correct format: Option 1: https://storage.core.windons.net/12ab3cd4-5e67-8901-f234-g5hi67jkl8m9/storagel/table1 Incorrect Domain: storage.core.windons.net is not the correct domain. It should be *.core.windows.net. Also, "windons" is likely a typo and should be "windows". Incorrect Path with Subscription ID: Including the subscription ID 12ab3cd4-5e67-8901-f234-g5hi67jkl8m9 in the URI path is incorrect. Subscription IDs are not part of the standard Table Storage URI. Misspelled Account Name (Likely): storagel is likely a typo for storage1. Option 2: https://sub1.core.windows.net/storagel/table1 Incorrect Subdomain: sub1.core.windows.net is incorrect. The subdomain should be the storage account name, not the subscription name (sub1). Misspelled Account Name (Likely): storagel is likely a typo for storage1. Option 3: https://table1.table.core.windows.net/storage1 Incorrect Subdomain Order: table1.table.core.windows.net has the table name in place of the storage account name in the subdomain. It should be storage_account_name.table.core.windows.net. Incorrect Path: /storage1 has the storage account name in the path, which is incorrect. The path should contain the table name (or nothing for account-level operations). Option 4: https://storagel.table.core.windows.net/table1 Correct Domain and Subdomain Structure (Mostly): storagel.table.core.windows.net follows the correct structure .table.core.windows.net. Misspelled Account Name (Likely): storagel is likely a typo for storage1, but if we assume the storage account name was actually intended to be storagel, then this part is technically consistent with the provided name (if we consider the typo). Correct Table Name in Path: /table1 correctly places the table name in the path. Considering the most likely intent and the structure of the options, Option 4 is the closest to the correct answer, assuming there's a typo in the question and the storage account name is indeed meant to be storagel instead of storage1 in the URI context. If we correct this likely typo in the question to storagel instead of storage1, then Option 4 becomes the perfectly correct URI. If we are forced to choose from the provided options and have to assume a typo in the storage account name in the question's description but not in Option 4, then Option 4 is the closest and most logically correct answer. Final Answer: The final answer is https://storagel.table.core.windows.net/table1.

You monitor Azure virtual machines by using Azure Monitor. You plan to restart the virtual machines when CPU usage exceeds 95 percent for more than 30 minutes. You need to create an alert in Azure Monitor to restart the virtual machines. The solution must minimize administrative effort. Which type of action should you use in the alert? ITSM Webhook Automation Runbook Logic App

Correct Answer: Automation Runbook Why it’s correct: Restart VMs: An Automation Runbook can execute Restart-AzVM to restart the VMs when the alert fires, meeting the functional requirement. Minimize Administrative Effort: Runbooks are natively supported by Azure Monitor action groups, requiring only a simple script (e.g., below) and minimal setup. Once created, it’s a set-and-forget solution with no external dependencies or complex workflows. powershell param ([string]$resourceId) Connect-AzAccount -Identity Restart-AzVM -ResourceId $resourceId Uses Managed Identity for authentication, reducing credential management. No need for external systems or custom endpoints. Exam Context (AZ-305): AZ-305 tests practical Azure automation solutions. Automation Runbooks are a go-to choice for simple, resource-specific tasks like VM management, aligning with Azure best practices. How it works: Create an Azure Automation Account and a PowerShell runbook to restart VMs (using Restart-AzVM). In Azure Monitor, create a metric alert for CPU usage > 95% over 30 minutes (e.g., using the "Percentage CPU" metric). Configure an action group, selecting "Automation Runbook" as the action type and linking the runbook. When the alert triggers, the runbook executes and restarts the affected VM(s).

You have an Azure subscription that contains an Azure Log Analytics workspace. You have a resource group that contains 100 virtual machines. The virtual machines run Linux. You need to collect events from the virtual machines to the Log Analytics workspace. Which Agent configuration setting should you modify? Syslog Linux performance counters custom fields

The correct answer is Syslog. Explanation: Syslog Configuration Setting: Syslog is the standard protocol for message logging in Linux and other Unix-like systems. The Azure Log Analytics agent for Linux is designed to collect logs from the Syslog facility. By modifying the Syslog configuration setting in your Log Analytics workspace (specifically, under the "Agents configuration" or "Data" settings for Linux Data Sources), you can specify which Syslog facilities and severities you want to collect from your Linux virtual machines. Common Syslog facilities include auth, cron, daemon, kern, local0 through local7, lpr, mail, news, syslog, and user. Severities range from Emergency to Debug. Example Configuration: You might configure Syslog to collect: facility: auth with minimum severity: Warning (to collect authentication-related warnings and errors) facility: daemon with minimum severity: Error (to collect daemon-related errors) facility: user with minimum severity: Information (to collect user-level informational events) Why other options are incorrect: Linux performance counters: This setting is for collecting performance metrics (CPU, memory, disk I/O, network) from Linux VMs, not events or logs. While performance counters are valuable for monitoring VM performance, they are not the source of event logs that you'd typically collect for application or system troubleshooting. Custom fields: Custom fields are used to parse and extract specific data within logs that are already being collected. They are not a setting to enable the collection of logs themselves. Custom fields are applied after you've configured the agent to collect Syslog or other log types, to further process the ingested log data. In summary: To collect events (logs) from Linux virtual machines to Azure Log Analytics, you need to modify the Syslog configuration setting in the Log Analytics workspace to specify which Syslog facilities and severities you want to ingest. Final Answer: The final answer is Syslog.

Case study This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section. To start the case study To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question. Overview Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market. Contoso products are manufactured by using blueprint files that the company authors and maintains. Existing Environment Currently, Contoso uses multiple types of servers for business operations, including the following: – File servers – Domain controllers – Microsoft SQL Server servers Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory. You have a public-facing application named App1. App1 is comprised of the following three tiers: – A SQL database – A web front end – A processing middle tier Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only. Requirements Planned Changes Contoso plans to implement the following changes to the infrastructure: – Move all the tiers of App1 to Azure. – Move the existing product blueprint files to Azure Blob storage. – Create a hybrid directory to support an upcoming Microsoft 365 migration project. Technical Requirements Contoso must meet the following technical requirements: – Move all the virtual machines for App1 to Azure. – Minimize the number of open ports between the App1 tiers. – Ensure that all the virtual machines for App1 are protected by backups. – Copy the blueprint files to Azure over the Internet. – Ensure that the blueprint files are stored in the archive storage tier. – Ensure that partner access to the blueprint files is secured and temporary. – Prevent user passwords or hashes of passwords from being stored in Azure. – Use unmanaged standard storage for the hard disks of the virtual machines. – Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity. – Minimize administrative effort whenever possible. User Requirements Contoso identifies the following requirements for users: – Ensure that only users who are part of a group named Pilot can join devices to Azure AD. – Designate a new user named Admin1 as the service admin for the Azure subscription. – Admin1 must receive email alerts regarding service outages. – Ensure that a new user named User3 can create network objects for the Azure subscription. HOTSPOT You need to identify the storage requirements for Contoso. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Statements Yes No Contoso requires a storage account that supports Blob storage. Contoso requires a storage account that supports Azure Table storage. Contoso requires a storage account that supports Azure File Storage.

To determine the storage requirements for Contoso, we need to review the "Requirements" section of the case study, specifically focusing on planned changes and technical requirements related to storage. Planned Changes and Technical Requirements related to Storage: Move the existing product blueprint files to Azure Blob storage: This explicitly states that Contoso needs to use Azure Blob storage for storing blueprint files. Copy the blueprint files to Azure over the Internet: This indicates that the storage solution needs to be accessible over the internet for data transfer. Ensure that the blueprint files are stored in the archive storage tier: This mandates the use of the Azure Blob storage Archive tier for cost optimization of infrequently accessed blueprint files. Ensure that partner access to the blueprint files is secured and temporary: This implies the need for secure, time-limited access to the blueprint files, which can be achieved using Shared Access Signatures (SAS) in Azure Blob storage. Use unmanaged standard storage for the hard disks of the virtual machines: This specifies the type of storage to be used for VM disks (unmanaged standard storage), but it's about VM disk storage, not blueprint file storage. Analyzing each statement: Statement 1: Contoso requires a storage account that supports Blob storage. Analysis: The requirement "Move the existing product blueprint files to Azure Blob storage" directly states the need for Blob storage. Azure Blob storage is designed for storing massive amounts of unstructured data, such as documents, media files, and application installers, which aligns with the description of blueprint files. Conclusion: Yes, Contoso definitely requires a storage account that supports Blob storage. Statement 2: Contoso requires a storage account that supports Azure Table storage. Analysis: There is no mention in the requirements or existing environment description about needing Azure Table storage. Azure Table storage is a NoSQL key-value store, suitable for structured non-relational data. The case study focuses on blueprint files (unstructured data for Blob storage) and moving SQL databases. There's no indication of a need for Table storage. Conclusion: No, there is no requirement stated in the case study that necessitates Azure Table storage. Statement 3: Contoso requires a storage account that supports Azure File Storage. Analysis: Azure File Storage provides fully managed file shares in the cloud that are accessible via the SMB protocol. While the existing environment mentions "File servers," the planned changes specifically state "Move the existing product blueprint files to Azure Blob storage," not Azure File Storage. Azure File Storage is typically used for migrating file shares that need to be accessed by applications using standard file system protocols (SMB/NFS). For blueprint files intended for partner access and archive storage, Blob storage is a more suitable and scalable choice. Conclusion: No, based on the requirements, there's no explicit need for Azure File Storage. Blob storage is explicitly mentioned and more appropriate for the blueprint files scenario. Final Answer: Statements Yes No Contoso requires a storage account that supports Blob storage. ☑ ☐ Contoso requires a storage account that supports Azure Table storage. ☐ ☑ Contoso requires a storage account that supports Azure File Storage. ☐ ☑

You need to move the blueprint files to Azure. What should you do? Use the Azure Import/Export service. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer. Use Azure Storage Explorer to copy the files. Generate an access key. Map a drive, and then copy the files by using File Explorer.

To move the blueprint files to Azure Blob storage over the internet, we need to choose a method that is efficient, secure, and minimizes administrative effort, as per the requirements. Let's analyze each option: Use the Azure Import/Export service. Analysis: Azure Import/Export service is designed for transferring large amounts of data to Azure Storage by physically shipping disk drives to an Azure datacenter. This service is most beneficial when network bandwidth is limited, or the data volume is extremely large (terabytes or petabytes). Suitability: While Import/Export is suitable for large datasets, the requirement states "Copy the blueprint files to Azure over the Internet." This suggests that internet connectivity is available and should be used. Using Import/Export would involve shipping disks, which is more complex and time-consuming than a network-based transfer over the internet, and likely more administrative effort for this scenario. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer. Analysis: A Shared Access Signature (SAS) provides secure, delegated access to Azure Storage resources. Generating a SAS is a good security practice for granting temporary access. Mapping a drive to Azure Blob storage using WebDAV and then using File Explorer is possible, but it's not the most efficient or robust method for bulk file transfer to Blob storage. File Explorer and WebDAV are better suited for occasional file access and management, not for large-scale or frequent data migration. Suitability: While SAS is good for security, mapping a drive and using File Explorer for copying blueprint files is not an optimal approach for efficiency or minimizing administrative effort, especially for potentially numerous or large blueprint files. Use Azure Storage Explorer to copy the files. Analysis: Azure Storage Explorer is a free, standalone application from Microsoft specifically designed for managing Azure Storage resources, including Blob storage. It provides a graphical user interface for efficiently uploading, downloading, and managing blobs. Storage Explorer is optimized for transferring files to and from Azure Storage over the internet. It supports various authentication methods, including storage account access keys and SAS tokens. Suitability: Azure Storage Explorer is an excellent tool for this task. It is user-friendly, efficient for internet-based transfers, and minimizes administrative effort by providing a visual interface and optimized transfer mechanisms for Azure Blob storage. Generate an access key. Map a drive, and then copy the files by using File Explorer. Analysis: Using a storage account access key provides full administrative access to the storage account. While it would allow File Explorer to authenticate and access the storage account, using access keys directly in client applications is a security risk and is generally discouraged. SAS tokens are preferred for delegated and temporary access. Mapping a drive and using File Explorer, even with an access key, is still not as efficient or recommended for bulk upload to Blob storage as using a dedicated tool like Azure Storage Explorer. Suitability: While technically possible, using access keys directly and File Explorer is less secure and less efficient than using Azure Storage Explorer. It also does not minimize administrative effort compared to using a tool designed for storage management. Conclusion: Azure Storage Explorer is the most appropriate solution for moving the blueprint files to Azure Blob storage over the internet. It is designed for this type of task, is efficient, secure (can use SAS or access keys, but SAS is recommended for better security in general scenarios), and minimizes administrative effort by providing a dedicated tool with a graphical interface for Azure Blob storage management. Final Answer: Use Azure Storage Explorer to copy the files.

You need to implement a backup solution for App1 after the application is moved. What should you create first? an Azure Backup Server a Recovery Services vault a recovery plan a backup policy

To implement a backup solution for App1 in Azure using Azure Backup, the first step is to create a Recovery Services vault. Here's why: Recovery Services vault: Central Management: A Recovery Services vault is the foundational, top-level Azure resource for Azure Backup. It acts as a management container for your backup data, backup policies, and protected items. Prerequisite for Backup: Before you can configure backups for any Azure resources (like VMs, SQL databases, etc.) using Azure Backup, you must first create a Recovery Services vault in your Azure subscription and region. Policy and Item Association: Backup policies and protected items (like VMs) are associated with a Recovery Services vault. You create backup policies within a vault and then apply them to resources you want to protect within that vault. Let's analyze why the other options are not the correct first step: an Azure Backup Server: Azure Backup Server (MABS) is an on-premises server that you can use to back up on-premises workloads and certain Azure workloads to Azure. While MABS can be part of a hybrid backup strategy, it's not the first resource you create in Azure to start using Azure Backup for Azure resources. The question is about implementing a backup solution in Azure for App1 after it is moved to Azure, implying we are focusing on Azure-native backup services. a recovery plan: Recovery plans are used with Azure Site Recovery (ASR) for orchestrating disaster recovery failover and failback of virtual machines. Recovery plans are not related to Azure Backup, which is for data protection and restoration, not DR orchestration. a backup policy: A backup policy defines the schedule and retention settings for backups. You create backup policies after you have a Recovery Services vault. You cannot create a backup policy without first having a vault to contain it. Backup policies are associated with a Recovery Services vault. Sequence of Azure Backup Setup: The typical sequence for setting up Azure Backup for Azure resources is: Create a Recovery Services vault. (First step) Configure backup policies within the vault (define schedule, retention). Configure protected items (select VMs, SQL databases, etc.) and associate them with backup policies within the vault. Conclusion: The Recovery Services vault is the essential and first resource you must create in Azure to begin implementing a backup solution using Azure Backup. Final Answer: The final answer is a Recovery Services vault.

Case Study This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section. To start the case study To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question. Overview. General Overview Litware, Inc. is a medium-sized finance company. Litware recently acquired a financial services company named Fabrikam, Ltd. Overview. Physical Locations Litware has a datacenter in Boston. Fabrikam has a datacenter in San Francisco. Existing Environment. Identity Environment The network of Litware contains an Active Directory forest named Litware.com that syncs to an Azure Active Directory (Azure AD) tenant named Litware.com by using Azure AD Connect. Azure AD Seamless Single Sign-on (Azure AD Seamless SSO) is enabled for the Litware.com tenant. Users at Litware have a UPN suffix of Litware.com Litware has an internal certification authority (CA) that is trusted by all devices. The network of Fabrikam contains an Active Directory forest named fabrikam.com. Users at Fabrikam have a UPN suffix of fabrikam.com. Existing Environment. Azure Environment Litware has an Azure subscription named Sub1 that is linked to the Litware.com tenant. Sub1 contains the resources shown in the following table. Name Type Azure region Configuration VNet1 Virtual network East US None KV1 Azure key vault East US None storage1 Storage account East US BlockBlobStorage storage2 Storage account East US Storage (general purpose v1) Contains 500 GB of NoSQL data in Azure Table storage VPN1 Virtual network gateway East US Deployed to VNet1 FW1 Azure Firewall East US Deployed to VNet1 Litware has Azure Resource Manager (ARM) templates that deploy Azure Policy definitions and assignments to a management group. Fabrikam does NOT have an Azure environment. Existing Environment. On-Premises Environment The on-premises network of Litware contains the resources shown in the following table. Name Operating system Configuration DC1 Windows Server 2019 Domain controller DNS server WEB1 Windows Server 2016 Internet Information Services (IIS) server Hosts an internet facing ASP.NET web app named WebApp1 The on-premises network of Fabrikam contains a domain member server named SERVER1 that runs Windows Server 2019. Existing Environment. Network Environment Litware has a site-to-site VPN connection to VNet1. The Litware and Fabrikam datacenters are not connected. Requirements. Planned Changes Litware plans to implement the following changes: – Establish a trust relationship between the Litware and Fabrikam forests. – Migrate data from the on-premises NoSQL datastores to Azure Table storage. – Containerize WebApp1 and deploy the app to an Azure Kubernetes Service (AKS) cluster on VNet1. – Create an Azure blueprint named BP1 and use the blueprint to provision a resource group named RG1. Requirements. Deployment Requirements Litware identifies the following deployment requirements: – The existing ARM templates must be used for deployments to Sub1. – WebApp1 must be deployed to the AKS cluster without having to change the source code. Requirements. Authentication and Authorization Requirements Litware identifies the following authentication and authorization requirements: – The Fabrikam users must be able to authenticate to the Litware.com tenant by using Azure AD Seamless SSO. – The Fabrikam users and the Litware users must be able to manage the Azure resources in Sub1. – Company policy must prohibit the creation of guest user accounts in the Litware.com tenant. – You must be able to configure deny permissions for RG1 and for the resources in RG1. – WebApp1 running on the AKS cluster must be able to retrieve secrets from KV1. Requirements. Security Requirements Litware identifies the following security requirements: – On-premises Litware users must access KVI by using the private IP address of the key vault. – Azure virtual machines must have all their disks encrypted, including the temporary disks. – Azure Storage must encrypt all data by using keys issued by the internal CA of Litware. – Inbound HTTPS traffic to WebApp1 must be inspected for SQL injection attacks. – The principle of least privilege must be used. You need to ensure that the NoSQL data is encrypted. The solution must meet the security requirements. What should you do first? Upgrade storage2 to StorageV2 (general purpose v2). Create a new general-purpose v2 storage account. Create a new Azure Blob storage account. Modify the Encryption settings of storage2.

The question asks what to do first to ensure NoSQL data (currently in Azure Table storage within storage2) is encrypted and meets security requirements. Let's analyze the options in the context of Azure Storage encryption and the case study requirements. Existing Environment and Requirements Analysis: Existing NoSQL Data: 500 GB of NoSQL data in Azure Table storage within storage2. Storage2 Type: Storage (general purpose v1). Security Requirement: "Azure Storage must encrypt all data by using keys issued by the internal CA of Litware." This points to Customer-Managed Keys (CMK) for Azure Storage encryption, specifically using keys from Litware's internal CA (likely meaning Azure Key Vault integration). Encryption State of Storage (general purpose v1): General-purpose v1 storage accounts do not support Azure Storage encryption (SSE) with Customer-Managed Keys (CMK). They only support Service-Managed Keys (SSE-S2). Evaluating each option: Upgrade storage2 to StorageV2 (general purpose v2). Analysis: Upgrading storage2 to General-purpose v2 (StorageV2) is a necessary first step. StorageV2 accounts do support Azure Storage encryption (SSE) with Customer-Managed Keys (CMK). General-purpose v1 accounts do not offer this feature. Benefits: Upgrading to StorageV2 is generally recommended for modern storage features, performance, and cost optimization. It also unlocks the ability to use CMK encryption, which is required for the security requirement. Impact on NoSQL data: Upgrading a storage account type does not typically cause data loss or require data migration within the same account. Azure handles the upgrade process. Meets Security Requirement (Partially): Upgrading to StorageV2 enables CMK encryption, which is a prerequisite for meeting the security requirement, but upgrading alone doesn't enable CMK encryption. Create a new general-purpose v2 storage account. Analysis: Creating a new StorageV2 account would also allow for CMK encryption. However, it would require migrating the 500 GB of NoSQL data from storage2 (v1) to the new v2 storage account. This data migration is an additional step and effort that might be avoidable if we can simply upgrade storage2. Suitability as "First Step": Creating a new account is not the first step if we can upgrade the existing one. Upgrading is generally less disruptive and requires less initial migration effort. Create a new Azure Blob storage account. Analysis: Creating a new Blob storage account (BlockBlobStorage account type) is also not the most direct first step for the NoSQL data which is currently in Table storage within storage2. While Blob storage accounts also support CMK encryption, Table storage is a different service and data model than Blob storage. Migrating Table storage data to Blob storage would be a significant data model change and likely not intended based on the case study (which mentions migrating from on-premises NoSQL to Azure Table storage, implying continued use of Table Storage). Modify the Encryption settings of storage2. Analysis: You cannot directly "modify the Encryption settings of storage2" to enable Customer-Managed Keys if storage2 is a general-purpose v1 account. General-purpose v1 accounts simply don't support CMK. This option is premature and not possible as a first step until storage2 is upgraded to StorageV2. After upgrading to StorageV2, then modifying encryption settings to enable CMK would be a valid subsequent step. Conclusion: The most logical and efficient first step to ensure NoSQL data encryption and meet the security requirement is to Upgrade storage2 to StorageV2 (general purpose v2). This upgrade is a prerequisite to enabling Customer-Managed Keys encryption for the existing Table storage data within storage2. After the upgrade, you can then modify the encryption settings to configure CMK with Azure Key Vault and Litware's internal CA keys. Final Answer: The final answer is Upgrade storage2 to StorageV2 (general purpose v2).

Case Study This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section. To start the case study To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question. Overview. General Overview Litware, Inc. is a medium-sized finance company. Litware recently acquired a financial services company named Fabrikam, Ltd. Overview. Physical Locations Litware has a datacenter in Boston. Fabrikam has a datacenter in San Francisco. Existing Environment. Identity Environment The network of Litware contains an Active Directory forest named Litware.com that syncs to an Azure Active Directory (Azure AD) tenant named Litware.com by using Azure AD Connect. Azure AD Seamless Single Sign-on (Azure AD Seamless SSO) is enabled for the Litware.com tenant. Users at Litware have a UPN suffix of Litware.com Litware has an internal certification authority (CA) that is trusted by all devices. The network of Fabrikam contains an Active Directory forest named fabrikam.com. Users at Fabrikam have a UPN suffix of fabrikam.com. Existing Environment. Azure Environment Litware has an Azure subscription named Sub1 that is linked to the Litware.com tenant. Sub1 contains the resources shown in the following table. Name Type Azure region Configuration VNet1 Virtual network East US None KV1 Azure key vault East US None storage1 Storage account East US BlockBlobStorage storage2 Storage account East US Storage (general purpose v1) Contains 500 GB of NoSQL data in Azure Table storage VPN1 Virtual network gateway East US Deployed to VNet1 FW1 Azure Firewall East US Deployed to VNet1 Litware has Azure Resource Manager (ARM) templates that deploy Azure Policy definitions and assignments to a management group. Fabrikam does NOT have an Azure environment. Existing Environment. On-Premises Environment The on-premises network of Litware contains the resources shown in the following table. Name Operating system Configuration DC1 Windows Server 2019 Domain controller DNS server WEB1 Windows Server 2016 Internet Information Services (IIS) server Hosts an internet facing ASP.NET web app named WebApp1 The on-premises network of Fabrikam contains a domain member server named SERVER1 that runs Windows Server 2019. Existing Environment. Network Environment Litware has a site-to-site VPN connection to VNet1. The Litware and Fabrikam datacenters are not connected. Requirements. Planned Changes Litware plans to implement the following changes: – Establish a trust relationship between the Litware and Fabrikam forests. – Migrate data from the on-premises NoSQL datastores to Azure Table storage. – Containerize WebApp1 and deploy the app to an Azure Kubernetes Service (AKS) cluster on VNet1. – Create an Azure blueprint named BP1 and use the blueprint to provision a resource group named RG1. Requirements. Deployment Requirements Litware identifies the following deployment requirements: – The existing ARM templates must be used for deployments to Sub1. – WebApp1 must be deployed to the AKS cluster without having to change the source code. Requirements. Authentication and Authorization Requirements Litware identifies the following authentication and authorization requirements: – The Fabrikam users must be able to authenticate to the Litware.com tenant by using Azure AD Seamless SSO. – The Fabrikam users and the Litware users must be able to manage the Azure resources in Sub1. – Company policy must prohibit the creation of guest user accounts in the Litware.com tenant. – You must be able to configure deny permissions for RG1 and for the resources in RG1. – WebApp1 running on the AKS cluster must be able to retrieve secrets from KV1. Requirements. Security Requirements Litware identifies the following security requirements: – On-premises Litware users must access KVI by using the private IP address of the key vault. – Azure virtual machines must have all their disks encrypted, including the temporary disks. – Azure Storage must encrypt all data by using keys issued by the internal CA of Litware. – Inbound HTTPS traffic to WebApp1 must be inspected for SQL injection attacks. – The principle of least privilege must be used. You need to ensure that you can implement Azure AD Seamless SSO for Fabrikam. The solution must meet the following requirements: – Support the planned changes. – Meet the authentication and authorization requirements. What should you do? Create a new Azure AD tenant named fabrikam.com From the Fabrikam forest, configure an additional UPN suffix of Litware.com. From the Fabrikam forest, configure all users to have a UPN suffix of Litware.com. From the Litware.com tenant, add a custom domain named fabrikam com.

To implement Azure AD Seamless SSO for Fabrikam users to authenticate to the Litware.com tenant, we need to integrate the Fabrikam identities with the Litware.com Azure AD tenant in a way that supports Seamless SSO and avoids creating guest accounts, as per the requirements. Let's analyze each option in the context of Azure AD Seamless SSO and the given requirements: Option 1: Create a new Azure AD tenant named fabrikam.com Analysis: Creating a new Azure AD tenant for Fabrikam would isolate Fabrikam identities in a separate tenant. This would not allow Fabrikam users to authenticate to the Litware.com tenant using Seamless SSO. Seamless SSO is about authenticating to a specific Azure AD tenant, in this case, Litware.com. A separate Fabrikam tenant would not fulfill this requirement. Conclusion: Incorrect. This option does not address the requirement for Fabrikam users to authenticate to the Litware.com tenant using Seamless SSO. Option 2: From the Fabrikam forest, configure an additional UPN suffix of Litware.com. Analysis: Adding Litware.com as an additional UPN suffix in the Fabrikam on-premises Active Directory is not directly related to enabling Azure AD Seamless SSO in the Litware.com tenant for Fabrikam users. While UPN suffixes are important for user identities, changing the UPN suffix in Fabrikam forest to Litware.com would be confusing and not the correct approach for cross-forest authentication. Seamless SSO leverages existing UPNs. Conclusion: Incorrect. This option is not the correct way to enable Seamless SSO for Fabrikam users in the Litware.com tenant. Option 3: From the Fabrikam forest, configure all users to have a UPN suffix of Litware.com. Analysis: This is even more incorrect than Option 2. Changing the UPN suffix for all Fabrikam users to Litware.com in their on-premises fabrikam.com forest is disruptive, incorrect identity management, and not related to enabling Seamless SSO for cross-tenant authentication. This would fundamentally change the identity structure in Fabrikam and is not a viable solution. Conclusion: Incorrect. This option is a highly inappropriate and disruptive action. Option 4: From the Litware.com tenant, add a custom domain named fabrikam com. Analysis: Adding fabrikam.com as a custom domain to the Litware.com Azure AD tenant is the correct first step towards enabling authentication for Fabrikam users in the Litware.com tenant without creating guest accounts. Domain Verification: Adding a custom domain involves verifying domain ownership, which is a standard procedure for managing identities in Azure AD. Identity Integration: Adding fabrikam.com as a custom domain allows you to potentially manage Fabrikam users within the Litware.com tenant or set up federation. While Seamless SSO itself is primarily configured on-premises and in Azure AD Connect, adding the custom domain is a necessary prerequisite for many identity integration scenarios, including federation or potentially using Azure AD Connect to sync Fabrikam users to Litware.com tenant (though this case does not explicitly mention directory sync for Fabrikam). In the context of Seamless SSO for Fabrikam users to Litware.com tenant without guest accounts, adding the custom domain is a logical preparatory step. Avoid Guest Accounts: By integrating Fabrikam's domain with Litware.com tenant, you move towards a more integrated identity model rather than relying on guest accounts, which aligns with the company policy. Although Seamless SSO itself is configured via Azure AD Connect and on-premises AD, the question is asking for a first step that supports the overall goal. Adding the custom domain is a foundational step to integrate Fabrikam identities into the Litware.com Azure AD tenant, which is necessary to enable any form of direct authentication (including Seamless SSO or federation) for Fabrikam users without relying on guest accounts. Conclusion: Option 4, From the Litware.com tenant, add a custom domain named fabrikam com, is the most logical and correct first step to support Azure AD Seamless SSO for Fabrikam users to the Litware.com tenant, while adhering to the requirement of not creating guest user accounts and supporting planned changes and authentication requirements. It sets the stage for further identity integration configuration. Final Answer: The final answer is From the Litware.com tenant, add a custom domain named fabrikam com.

Case Study This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section. To start the case study To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question. Overview. General Overview Litware, Inc. is a medium-sized finance company. Litware recently acquired a financial services company named Fabrikam, Ltd. Overview. Physical Locations Litware has a datacenter in Boston. Fabrikam has a datacenter in San Francisco. Existing Environment. Identity Environment The network of Litware contains an Active Directory forest named Litware.com that syncs to an Azure Active Directory (Azure AD) tenant named Litware.com by using Azure AD Connect. Azure AD Seamless Single Sign-on (Azure AD Seamless SSO) is enabled for the Litware.com tenant. Users at Litware have a UPN suffix of Litware.com Litware has an internal certification authority (CA) that is trusted by all devices. The network of Fabrikam contains an Active Directory forest named fabrikam.com. Users at Fabrikam have a UPN suffix of fabrikam.com. Existing Environment. Azure Environment Litware has an Azure subscription named Sub1 that is linked to the Litware.com tenant. Sub1 contains the resources shown in the following table. Name Type Azure region Configuration VNet1 Virtual network East US None KV1 Azure key vault East US None storage1 Storage account East US BlockBlobStorage storage2 Storage account East US Storage (general purpose v1) Contains 500 GB of NoSQL data in Azure Table storage VPN1 Virtual network gateway East US Deployed to VNet1 FW1 Azure Firewall East US Deployed to VNet1 Litware has Azure Resource Manager (ARM) templates that deploy Azure Policy definitions and assignments to a management group. Fabrikam does NOT have an Azure environment. Existing Environment. On-Premises Environment The on-premises network of Litware contains the resources shown in the following table. Name Operating system Configuration DC1 Windows Server 2019 Domain controller DNS server WEB1 Windows Server 2016 Internet Information Services (IIS) server Hosts an internet facing ASP.NET web app named WebApp1 The on-premises network of Fabrikam contains a domain member server named SERVER1 that runs Windows Server 2019. Existing Environment. Network Environment Litware has a site-to-site VPN connection to VNet1. The Litware and Fabrikam datacenters are not connected. Requirements. Planned Changes Litware plans to implement the following changes: – Establish a trust relationship between the Litware and Fabrikam forests. – Migrate data from the on-premises NoSQL datastores to Azure Table storage. – Containerize WebApp1 and deploy the app to an Azure Kubernetes Service (AKS) cluster on VNet1. – Create an Azure blueprint named BP1 and use the blueprint to provision a resource group named RG1. Requirements. Deployment Requirements Litware identifies the following deployment requirements: – The existing ARM templates must be used for deployments to Sub1. – WebApp1 must be deployed to the AKS cluster without having to change the source code. Requirements. Authentication and Authorization Requirements Litware identifies the following authentication and authorization requirements: – The Fabrikam users must be able to authenticate to the Litware.com tenant by using Azure AD Seamless SSO. – The Fabrikam users and the Litware users must be able to manage the Azure resources in Sub1. – Company policy must prohibit the creation of guest user accounts in the Litware.com tenant. – You must be able to configure deny permissions for RG1 and for the resources in RG1. – WebApp1 running on the AKS cluster must be able to retrieve secrets from KV1. Requirements. Security Requirements Litware identifies the following security requirements: – On-premises Litware users must access KVI by using the private IP address of the key vault. – Azure virtual machines must have all their disks encrypted, including the temporary disks. – Azure Storage must encrypt all data by using keys issued by the internal CA of Litware. – Inbound HTTPS traffic to WebApp1 must be inspected for SQL injection attacks. – The principle of least privilege must be used. DRAG DROP You need to ensure that the virtual machine disks are encrypted. The solution must meet the security requirements. Which three actions should you perform in Sub1 in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Actions Create a key in KV1 and configure a disk encryption set. Register the Microsoft.Compute encryption provider feature. Deploy the virtual machines and set Encryption at host to Yes. Register the Microsoft KeyVault resource provider. Deploy the virtual machines and enable Azure Disk Encryption. Answer Area

The correct sequence of actions to ensure virtual machine disks are encrypted in Sub1, meeting the security requirements, is: Register the Microsoft.Compute encryption provider feature. Register the Microsoft KeyVault resource provider. Create a key in KV1 and configure a disk encryption set. This sequence is correct for the following reasons: Registering the Microsoft.Compute encryption provider feature is necessary to enable advanced encryption capabilities for virtual machines1. Registering the Microsoft KeyVault resource provider is required to use Azure Key Vault for storing encryption keys1. Creating a key in KV1 and configuring a disk encryption set allows for the use of customer-managed keys for disk encryption, which provides more control over the encryption process1. This approach ensures that all disks, including temporary disks, are encrypted, meeting the security requirement: "Azure virtual machines must have all their disks encrypted, including the temporary disks"1.

Case Study This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section. To start the case study To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question. Overview. General Overview Litware, Inc. is a medium-sized finance company. Litware recently acquired a financial services company named Fabrikam, Ltd. Overview. Physical Locations Litware has a datacenter in Boston. Fabrikam has a datacenter in San Francisco. Existing Environment. Identity Environment The network of Litware contains an Active Directory forest named Litware.com that syncs to an Azure Active Directory (Azure AD) tenant named Litware.com by using Azure AD Connect. Azure AD Seamless Single Sign-on (Azure AD Seamless SSO) is enabled for the Litware.com tenant. Users at Litware have a UPN suffix of Litware.com Litware has an internal certification authority (CA) that is trusted by all devices. The network of Fabrikam contains an Active Directory forest named fabrikam.com. Users at Fabrikam have a UPN suffix of fabrikam.com. Existing Environment. Azure Environment Litware has an Azure subscription named Sub1 that is linked to the Litware.com tenant. Sub1 contains the resources shown in the following table. Name Type Azure region Configuration VNet1 Virtual network East US None KV1 Azure key vault East US None storage1 Storage account East US BlockBlobStorage storage2 Storage account East US Storage (general purpose v1) Contains 500 GB of NoSQL data in Azure Table storage VPN1 Virtual network gateway East US Deployed to VNet1 FW1 Azure Firewall East US Deployed to VNet1 Litware has Azure Resource Manager (ARM) templates that deploy Azure Policy definitions and assignments to a management group. Fabrikam does NOT have an Azure environment. Existing Environment. On-Premises Environment The on-premises network of Litware contains the resources shown in the following table. Name Operating system Configuration DC1 Windows Server 2019 Domain controller DNS server WEB1 Windows Server 2016 Internet Information Services (IIS) server Hosts an internet facing ASP.NET web app named WebApp1 The on-premises network of Fabrikam contains a domain member server named SERVER1 that runs Windows Server 2019. Existing Environment. Network Environment Litware has a site-to-site VPN connection to VNet1. The Litware and Fabrikam datacenters are not connected. Requirements. Planned Changes Litware plans to implement the following changes: – Establish a trust relationship between the Litware and Fabrikam forests. – Migrate data from the on-premises NoSQL datastores to Azure Table storage. – Containerize WebApp1 and deploy the app to an Azure Kubernetes Service (AKS) cluster on VNet1. – Create an Azure blueprint named BP1 and use the blueprint to provision a resource group named RG1. Requirements. Deployment Requirements Litware identifies the following deployment requirements: – The existing ARM templates must be used for deployments to Sub1. – WebApp1 must be deployed to the AKS cluster without having to change the source code. Requirements. Authentication and Authorization Requirements Litware identifies the following authentication and authorization requirements: – The Fabrikam users must be able to authenticate to the Litware.com tenant by using Azure AD Seamless SSO. – The Fabrikam users and the Litware users must be able to manage the Azure resources in Sub1. – Company policy must prohibit the creation of guest user accounts in the Litware.com tenant. – You must be able to configure deny permissions for RG1 and for the resources in RG1. – WebApp1 running on the AKS cluster must be able to retrieve secrets from KV1. Requirements. Security Requirements Litware identifies the following security requirements: – On-premises Litware users must access KVI by using the private IP address of the key vault. – Azure virtual machines must have all their disks encrypted, including the temporary disks. – Azure Storage must encrypt all data by using keys issued by the internal CA of Litware. – Inbound HTTPS traffic to WebApp1 must be inspected for SQL injection attacks. – The principle of least privilege must be used. You need to configure Azure AD Seamless SSO for Fabrikam. The solution must meet the authentication and authorization requirements. What should you install first? the Azure AD Connect provisioning agent on SERVER1 the Azure AD Connect provisioning agent on DC1 Azure AD Connect in staging mode on SERVER1 an Azure AD Connect primary server on SERVER1

To configure Azure AD Seamless SSO for Fabrikam users to authenticate to the Litware.com tenant, the key is to extend the Seamless SSO configuration in the Litware.com tenant to recognize and trust authentication requests coming from the Fabrikam environment. Let's analyze the options in terms of being the first step in this process. the Azure AD Connect provisioning agent on SERVER1: Analysis: The Azure AD Connect provisioning agent is used for Azure AD Connect cloud sync, which is a newer, lighter-weight synchronization option. While provisioning agents are part of Azure AD Connect ecosystem, they are not directly involved in configuring or enabling Azure AD Seamless SSO. Seamless SSO is a feature configured within the main Azure AD Connect application itself. Installing the provisioning agent on SERVER1 (a Fabrikam domain member server) would not be the first step to enable Seamless SSO for Fabrikam users to Litware.com. Conclusion: Incorrect. The provisioning agent is not the primary component for enabling Seamless SSO. the Azure AD Connect provisioning agent on DC1: Analysis: Similar to the previous option, the provisioning agent is not the core component for Seamless SSO. Installing it on DC1 (a Litware domain controller) is also not the correct first step for configuring Seamless SSO for Fabrikam users. Seamless SSO configuration happens within the Azure AD Connect application. Conclusion: Incorrect. The provisioning agent is not the primary component for enabling Seamless SSO. Azure AD Connect in staging mode on SERVER1: Analysis: Installing Azure AD Connect in staging mode on SERVER1 (a Fabrikam domain member server) is a more relevant option related to Azure AD Connect. Staging mode is used for testing configurations without active synchronization to Azure AD. While SERVER1 is in the Fabrikam domain, setting up Azure AD Connect in staging mode could be a preparatory step to configure and test Seamless SSO settings related to the Fabrikam forest before making it active or impacting the existing Litware.com sync. It allows for experimentation and configuration in a non-production impacting way. Although SERVER1 in Fabrikam forest is not the ideal location for managing SSO for Fabrikam to Litware, in the context of these options, it's the closest to a plausible first configuration step involving Azure AD Connect. Conclusion: Plausible as a first step for configuration and testing in a non-disruptive manner, even though SERVER1's domain is not Litware. an Azure AD Connect primary server on SERVER1: Analysis: Installing a primary Azure AD Connect server on SERVER1 (Fabrikam domain) to connect to the Litware.com tenant is architecturally less likely to be the first step for Seamless SSO configuration in this cross-forest scenario. Typically, Seamless SSO configuration for a tenant is managed by the Azure AD Connect instance that is already syncing to that tenant (in this case, the existing Litware.com Azure AD Connect setup, although its location is not specified). Setting up a new primary Azure AD Connect server on SERVER1 for Litware.com tenant is not the standard approach and might even conflict with the existing Azure AD Connect setup for Litware.com. Conclusion: Less likely and potentially disruptive as a first step. Most Logical First Step (Considering Imperfect Options): Given the available options and the need to start configuring Azure AD Seamless SSO for Fabrikam users to Litware.com, installing Azure AD Connect in staging mode on SERVER1 is the most reasonable first action to perform. It allows for a non-production impacting environment to begin exploring and configuring Azure AD Connect settings that might be related to extending Seamless SSO to Fabrikam users, even though SERVER1 is in Fabrikam's domain and not the ideal management location for Litware.com Azure AD tenant integration. The other options are less relevant to starting the Seamless SSO configuration process itself. Final Answer: The final answer is Azure AD Connect in staging mode on SERVER1.

You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD). You need to select authentication mechanisms that can be used for both MFA and SSPR. Which two authentication methods should you use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. Authenticator app Email addresses App passwords Short Message Service (SMS) messages Security questions

The correct answers are Authenticator app and Short Message Service (SMS) messages. Explanation: Let's analyze each authentication method and its applicability to both MFA and SSPR: Authenticator app: MFA: The Microsoft Authenticator app (and other authenticator apps that support TOTP) is a widely used and secure method for MFA. It can provide push notifications for approval or generate time-based one-time passcodes (TOTP). SSPR: The Authenticator app can also be used for SSPR. Users can receive push notifications or use TOTP codes to verify their identity during the password reset process. Conclusion: The Authenticator app is a valid and recommended method for both MFA and SSPR. Short Message Service (SMS) messages: MFA: SMS messages are a common method for MFA, where a verification code is sent to the user's mobile phone via SMS. SSPR: SMS is also a frequently used method for SSPR. Users can receive a verification code via SMS to their registered mobile phone number to reset their password. Conclusion: SMS messages are a valid and widely used method for both MFA and SSPR. Email addresses: MFA: While email can be used as a fallback MFA method (e.g., sending a verification code to an email address), it is generally considered less secure than other methods like Authenticator app or SMS for MFA in isolation. Email accounts themselves can be compromised. SSPR: Email addresses are a very common and primary method for SSPR. Users typically receive a password reset link or verification code to their alternate email address or primary email address. Conclusion: Email addresses are primarily a core method for SSPR and can be used as a weaker fallback for MFA in certain configurations, but might not be considered as robust or primary MFA method compared to Authenticator app or SMS. However, if the question is asking for methods usable for both, then email addresses, especially alternate email addresses configured for recovery, can be considered usable for both. App passwords: MFA: App passwords are not an authentication method for MFA itself. App passwords are a security feature that allows users who have MFA enabled on their accounts to use older, legacy applications that do not support modern authentication. App passwords are generated after MFA is enabled to bypass MFA prompts for these legacy apps. They are not used as a method to perform MFA itself. SSPR: App passwords are not used in SSPR processes. Conclusion: App passwords are not an authentication method for either MFA or SSPR in the way the question intends. Security questions: MFA: Security questions were historically used as a form of authentication, including for MFA in some older systems. However, they are now strongly discouraged for MFA due to significant security vulnerabilities (easily guessable, social engineering risks, etc.). Modern MFA strongly prefers more robust methods like Authenticator apps, SMS, or FIDO2 keys. SSPR: Security questions are a common and still used method for SSPR, although their security is also debated. They are often used as a fallback or secondary SSPR method. Conclusion: Security questions are primarily an SSPR method and are not recommended nor a best practice for MFA in modern security contexts. While technically usable for SSPR and historically used in some MFA scenarios (now discouraged), they are not a strong or preferred method for both. Selecting the Best Two for "Both MFA and SSPR": Considering the most robust, widely used, and recommended methods for both MFA and SSPR, the best two choices from the list are: Authenticator app Short Message Service (SMS) messages These two methods are consistently strong and commonly deployed for both modern MFA and SSPR implementations in Azure AD. Final Answer: The final answer is Authenticator app and Short Message Service (SMS) messages.

Your company has the groups shown in the following table. Group Number of members Managers 10 Sales 100 Development 15 The company has an Azure subscription that is associated with an Azure Active Directory (Azure AD) tenant named contoso.com. An administrator named Admin1 attempts to enable Enterprise State Roaming for all the users in the Managers group. Admin1 reports that the options for Enterprise State Roaming are unavailable from Azure AD. You verify that Admin1 is assigned the Global administrator role. You need to ensure that Admin1 can enable Enterprise State Roaming. What should you do? Assign an Azure AD Privileged Identity Management (PIM) role to Admin1. Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group. Enforce Azure Multi-Factor Authentication (MFA) for Admin1. Purchase an Azure AD Premium P1 license for each user in the Managers group.

The problem states that Admin1, a Global administrator, cannot access the Enterprise State Roaming settings in Azure AD. The goal is to enable Admin1 to configure Enterprise State Roaming. Let's evaluate each option: Assign an Azure AD Privileged Identity Management (PIM) role to Admin1: PIM is used to manage, control, and monitor access to privileged roles. Admin1 is already assigned the Global administrator role, which is the highest privileged role in Azure AD and inherently should have permissions to manage all features, including Enterprise State Roaming. PIM is about managing the use of privileged roles, not granting access to features that a Global Admin should already possess. Assigning a PIM role wouldn't directly address the issue of the settings being unavailable if the Global Administrator role already grants the necessary permissions. Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group: Azure Rights Management (Azure RMS), now part of Azure Information Protection, is for protecting sensitive documents and emails. It is not related to Enterprise State Roaming licensing or enabling admin access to Enterprise State Roaming settings. Azure RMS licenses are for information protection features, not device state roaming. Enforce Azure Multi-Factor Authentication (MFA) for Admin1: Enforcing MFA for Admin1 is a good security practice, but it is not related to the availability of Enterprise State Roaming settings. MFA is an authentication security measure, not a feature licensing or access enabler. MFA doesn't unlock features in Azure AD; it secures access. Purchase an Azure AD Premium P1 license for each user in the Managers group: Enterprise State Roaming licensing requirement: Azure AD Enterprise State Roaming is a feature that requires Azure AD Premium P1 or P2 licenses for the users who will be using the feature. While a Global Administrator has the permission to configure the feature, the feature itself might be gated by the licensing of the users who will benefit from it. Feature Availability based on Licensing: If Enterprise State Roaming is not licensed for any users in the tenant, it's possible that the Azure AD portal interface might indeed disable or hide the settings related to Enterprise State Roaming, even for a Global Administrator. This is because the feature is not considered "enabled" for the tenant if no users have the required licenses. Enabling the Feature: Purchasing Azure AD Premium P1 licenses for the target users (the Managers group in this case) would fulfill the licensing prerequisite for Enterprise State Roaming. Once the licenses are assigned, the Enterprise State Roaming feature should become fully enabled in the tenant, and the settings should become accessible to Admin1 (as a Global Administrator). Conclusion: The most likely reason why the Enterprise State Roaming options are unavailable to Admin1, even with Global Administrator role, is that the Azure AD tenant or the intended users are not licensed for Azure AD Premium P1 or P2, which is a prerequisite for using Enterprise State Roaming. Purchasing Azure AD Premium P1 licenses for the Managers group (the intended users of Enterprise State Roaming) is the action that directly addresses this licensing prerequisite and would most likely enable the feature and make its settings accessible to Admin1. Final Answer: The final answer is Purchase an Azure AD Premium P1 license for each user in the Managers group.

HOTSPOT You plan to implement an access review to meet the following requirements: The access review must be enforced until otherwise configured. Each user or group that has access to the Azure environment must be in the scope of the access review. The access review must be completed within two weeks. A lack of response must not cause changes in the operational environment. An administrator creates the access review shown in the answer area. Which two sections of the access review should you modify to meet the requirements? To answer, select the appropriate sections in the answer area. NOTE: Each correct selection is worth one point. Create an access review A. Review name*: Review1 Description*: B. Start date*: 09/16/2020 Frequency: Quarterly Duration (in days): [Slider] 25 End*: Never [End by Occurrences] Number of times: End date*: 10/16/2020 C. Users Users to review: Members of a group Scope: Guest users only Everyone D. Group Group1 E. Reviewers Reviewers: Group owners F. Programs Link to program Default Program G. Upon completion settings Auto apply results to resource: [Enable] If reviewers don’t respond: Remove access [Dropdown] (Preview) Action to apply on denied users: Remove user's membership from the resource H. Advanced settings Show recommendations: [Enable] [Disable] Require reason on approval: [Enable] [Disable] Mail notifications: [Enable] [Disable] Reminders: [Enable] [Disable] (Preview) Additional content for reviewer email:

To determine which two sections of the access review should be modified, let's review each requirement against the current configuration and identify the sections needing changes. Requirements: Requirement 1: The access review must be enforced until otherwise configured. Current Configuration (Section C): "End*: Never" - This configuration ALREADY meets this requirement. The review is set to run indefinitely until explicitly changed. Requirement 2: Each user or group that has access to the Azure environment must be in the scope of the access review. Current Configuration (Section D & E): "Users to review: Members of a group", "Scope: Guest users only", "Group: Group1". This configuration is NOT meeting the requirement. It is currently scoped to only review Guest users who are members of a specific group (Group1). To meet the requirement of each user or group, the scope needs to be broadened to include all users, not just guest users and members of a specific group. Requirement 3: The access review must be completed within two weeks. Current Configuration (Section C): "Duration (in days): [Slider] 25". This configuration is NOT meeting the requirement. The duration is set to 25 days, which is longer than two weeks (14 days). This needs to be changed to 14 days. Requirement 4: A lack of response must not cause changes in the operational environment. Current Configuration (Section G): "If reviewers don’t respond: Remove access [Dropdown]". This configuration is NOT meeting the requirement. Currently, if reviewers don't respond, access is set to be removed. This needs to be changed to an action that does not remove access on no response. Sections to Modify: Based on the analysis above, the two sections that directly address requirements that are NOT currently met in the provided configuration are: C. Start date, Frequency, Duration (in days), End**: This section needs to be modified to change the Duration (in days) to 14 to meet Requirement 3 (completed within two weeks). G. Upon completion settings: This section needs to be modified in the "If reviewers don’t respond" dropdown. The current setting "Remove access" needs to be changed to an option that represents "no changes" or "Take no action" to meet Requirement 4 (lack of response = no changes). While Section D & E (Users and Scope) also needs modification to meet Requirement 2 (all users in scope), the question asks for only two sections. Sections C and G are the most direct and critical modifications needed to address explicit, quantifiable requirements related to duration and action upon non-response, which are directly configurable in these sections. Therefore, the two sections to modify are C and G. Final Answer: The final answer is C and G.

HOTSPOT You have a hierarchy of management groups and Azure subscriptions as shown in the following table. Tenant Root Group ├── ManagementGroup1 │ └── Subscription1 └── ManagementGroup2 └── Subscription2 You create the Azure resources shown in the following table. Name Type Created in RG1 Resource group Subscription1 RG2 Resource group Subscription2 VM2 Virtual machine RG2 You have the Owner role. You assign roles to users as shown in the following table. User name Role On resource User1 Contributor ManagementGroup1 User2 Contributor ManagementGroup2 User3 Reader Tenant Root Group For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Statements You can remove User1 from the Contributor role for RG1. User2 can delete VM2. You can add User3 as a Contributor for RG1.

Let's analyze each statement based on Azure RBAC role inheritance and the provided hierarchy. Statement 1: You can remove User1 from the Contributor role for RG1. Analysis: You are stated to have the Owner role at the subscription level (Subscription1 and Subscription2, and implicitly at the Tenant Root Group as Owner at subscription implies Owner at all levels above). The Owner role grants full access to manage all resources, including role assignments. User1's Role: User1 is assigned the Contributor role at ManagementGroup1. Subscription1 is a child of ManagementGroup1. Role assignments are inherited down the management group hierarchy. Therefore, User1 inherits the Contributor role on Subscription1 and all resources within Subscription1, including RG1 and resources within RG1. Your Permissions: As an Owner at the subscription level, you have permissions to manage RBAC at Subscription1 and below. This includes removing role assignments. Conclusion: Yes, as an Owner at the subscription level, you have sufficient permissions to remove User1's Contributor role assignment for RG1 (or any resource within Subscription1, even though User1's explicit assignment is at ManagementGroup1 level due to inheritance). Statement 2: User2 can delete VM2. Analysis: User2 is assigned the Contributor role at ManagementGroup2. Subscription2 is a child of ManagementGroup2. VM2 is in RG2, which is in Subscription2. Contributor Role Permissions: The Contributor role allows users to create and manage Azure resources but does not grant permissions to manage role assignments (RBAC). However, the Contributor role does grant permissions to perform most operations on resources, including deleting virtual machines. Scope of Contributor Role: User2's Contributor role assignment at ManagementGroup2 is inherited by Subscription2 and all resources within Subscription2, including RG2 and VM2. Conclusion: Yes, User2, with the Contributor role at ManagementGroup2, inherits Contributor permissions on VM2 and therefore can delete VM2. Statement 3: You can add User3 as a Contributor for RG1. Analysis: You are an Owner at the subscription level (and above). User3 is assigned the Reader role at the Tenant Root Group. Role assignments are inherited down the management group hierarchy, but Reader role does not grant write permissions. Your Permissions (Owner): As an Owner, you have full control over RBAC within your subscription and below. You can assign any role to any user or group within your scope. User3's Current Role (Reader): User3's Reader role at the Tenant Root Group is inherited down to Subscription1 and RG1. However, this inherited Reader role does not prevent you, as an Owner, from assigning a different role (like Contributor) to User3 at a lower scope (like RG1). Role assignments at lower scopes take precedence. Adding Contributor Role: You can add User3 as a Contributor at RG1. This would grant User3 Contributor permissions specifically for RG1, overriding the inherited Reader role for resources within RG1. Conclusion: Yes, as an Owner, you have permissions to assign the Contributor role to User3 at RG1. Final Answer: Statements Yes No You can remove User1 from the Contributor role for RG1. ☑ ☐ User2 can delete VM2. ☑ ☐ You can add User3 as a Contributor for RG1. ☑ ☐

You have an Azure subscription that includes the resources shown in the following table. Name Resource type VM1 Virtual machine VM2 Virtual machine RG1 Resource group You attempt to add a role assignment to RG1 as shown in the following exhibit. Add role assignment Role Reader Assign access to Azure AD user, group, or service principal Select VM VM1 Selected members: No members selected. Search for and add one or more members you want to assign to the role for this resource. Learn more about RBAC What should you do to ensure that you can assign VM2 the Reader role for the resource group? Configure just in time (JIT) VM access on VM2. Configure Access control (IAM) on VM2. Assign a managed identity to VM2. Modify the Reader role at the subscription level.

Correct Answer: Assign a managed identity to VM2. Assign a managed identity to VM2. Correct: A managed identity (system-assigned or user-assigned) turns VM2 into an Azure AD security principal. Once VM2 has a managed identity, it appears in Azure AD and can be selected in the “Add role assignment” interface under “Azure AD user, group, or service principal.” This enables you to assign the Reader role to VM2 for RG1, allowing VM2 to read resources within RG1 (e.g., for programmatic access via its identity).

You have an Azure Active Directory (Azure AD) tenant linked to an Azure subscription. The tenant contains a group named Admins. You need to prevent users, except for the members of Admins, from using the Azure portal and Azure PowerShell to access the subscription. What should you do? From Azure AD, configure the User settings. From Azure AD, create a conditional access policy. From the Azure subscription, assign an Azure policy. From the Azure subscription, configure Access control (IAM).

The correct answer is From Azure AD, create a conditional access policy. Explanation: Let's analyze each option and why Conditional Access is the most suitable solution: From Azure AD, create a conditional access policy. Conditional Access Policies in Azure AD: Conditional Access is a powerful tool in Azure AD that allows you to create policies to control access to cloud applications based on various conditions. These conditions can include: Users and groups: You can target specific users or groups for the policy. In this case, you can create a policy that applies to all users and then exclude the 'Admins' group. Cloud apps or actions: Conditional Access can target specific applications. For managing Azure subscriptions, the relevant "cloud app" to target is "Microsoft Azure Management". This application represents access to Azure management interfaces, including the Azure portal and Azure PowerShell (and Azure CLI, and other management tools). Access controls: You can define access controls, such as: Block access: Completely prevent access. Grant access: Allow access, possibly with conditions like requiring multi-factor authentication or a compliant device. Meeting the Requirement: By creating a Conditional Access policy with the following configuration, you can effectively meet the requirement: Users and groups: Include "All users" and exclude the "Admins" group. Cloud apps or actions: Select "Microsoft Azure Management". Access controls: Select "Block access". This policy will block all users except members of the 'Admins' group from accessing "Microsoft Azure Management", which includes the Azure portal and Azure PowerShell. From Azure AD, configure the User settings. User settings in Azure AD: User settings in Azure AD primarily control features like: External collaboration settings (guest access) User and guest invitations License management User profile settings Self-service group management User settings are not designed to control access to Azure subscriptions or Azure management interfaces based on group membership and the method of access (portal/PowerShell). They are more about user lifecycle management and collaboration features within Azure AD itself. From the Azure subscription, assign an Azure policy. Azure Policies: Azure Policies are used to enforce organizational standards and assess compliance for Azure resources. They control what types of resources can be deployed, configured, and managed within Azure subscriptions and resource groups. Scope of Azure Policies: Azure Policies are applied to subscriptions, resource groups, or management groups to govern resources. They are not designed to control user access to the Azure portal or Azure PowerShell based on group membership. Azure Policy is for resource governance, not user access control at the portal level. From the Azure subscription, configure Access control (IAM). Access control (IAM) in Azure subscriptions: Access Control (IAM) in Azure subscriptions is used for Role-Based Access Control (RBAC). RBAC controls authorization – what actions users and groups can perform on Azure resources once they have access. Limitations of IAM for Access Prevention: While you can use RBAC to grant or deny specific permissions to resources, IAM in the Azure subscription is not designed to prevent all access to the Azure portal or Azure PowerShell for entire groups of users. IAM controls what you can do, not whether you can access the portal/PowerShell at all. IAM is about resource-level authorization, not preventing entry to management interfaces. Conclusion: Conditional Access policies in Azure AD are the appropriate tool to control access to the Azure portal and Azure PowerShell based on group membership. They offer the necessary conditions (user/group targeting, application targeting) and access controls (block access) to meet the requirement effectively. Final Answer: The final answer is From Azure AD, create a conditional access policy.

You have Azure virtual machines deployed to three Azure regions. Each region contains a single virtual network that has four virtual machines on the same subnet. Each virtual machine runs an application named App1. App1 is accessible by using HTTPS. Currently, the virtual machines are inaccessible from the internet. You need to use Azure Front Door to load balance requests for App1 across all the virtual machines. Which additional Azure service should you provision? Azure Traffic Manager an internal Azure Load Balancer a public Azure Load Balancer Azure Private Link

The correct answer is a public Azure Load Balancer. Explanation: Here's why a public Azure Load Balancer is the necessary additional service and why the other options are not as suitable in this scenario: Public Azure Load Balancer: Purpose: A public Azure Load Balancer is designed to provide load balancing for traffic originating from the internet and distribute it to backend servers within Azure. Functionality in this scenario: Backend Pool: You would create a backend pool in the public Azure Load Balancer that consists of the virtual machines running App1 within each Azure region. Frontend IP Configuration: You would configure a public IP address as the frontend IP for the load balancer. This public IP address will be the endpoint that Front Door will target. Load Balancing Rules: You would create load balancing rules to distribute HTTPS traffic (port 443) to the backend VMs in each region. Health Probes: You would configure health probes to monitor the health of App1 on each VM in the backend pool. Integration with Front Door: You would then configure Azure Front Door to use the public IP address of the public Azure Load Balancer in each region as a backend pool. Front Door will then distribute global traffic across these regional public load balancers. The public load balancers will, in turn, distribute traffic within each region to the VMs. Internet Accessibility: The public Azure Load Balancer is crucial for making the backend VMs accessible from the internet via Front Door. Front Door needs a publicly reachable endpoint to send traffic to in each region, and a public load balancer provides exactly that. Let's examine why the other options are not the best fit: Azure Traffic Manager: Azure Traffic Manager is a DNS-based traffic load balancer. While it can distribute traffic across regions, it operates at the DNS level. Azure Front Door is already designed to be a global, more advanced load balancer that operates at layer 7 (HTTP/HTTPS) and provides features like WAF, caching, and more granular routing than Traffic Manager. Using Traffic Manager in addition to Front Door for basic load balancing of VMs in this scenario is redundant and not the intended architecture. Front Door is meant to replace the need for Traffic Manager in many web application scenarios. An internal Azure Load Balancer: An internal Azure Load Balancer is used to distribute traffic within an Azure virtual network or across peered virtual networks. It is not designed to make resources directly accessible from the internet. Front Door needs to communicate with a publicly accessible endpoint in each region. An internal load balancer would not provide this internet-facing capability. Azure Private Link: Azure Private Link provides private connectivity to Azure PaaS services and customer-owned services over the Azure backbone network. It's about private access, not making VMs accessible from the internet. Private Link is not relevant to making the VMs internet-accessible via Front Door. Conclusion: To make App1 accessible from the internet via Azure Front Door and load balance requests across VMs in each region, you need to provision a public Azure Load Balancer in each Azure region. Front Door will then use the public IP addresses of these load balancers as backend pools to distribute global traffic, while the public load balancers will distribute traffic within each region to the VMs. Final Answer: The final answer is a public Azure Load Balancer.

You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table. Resource Name Operating system Location group VM1 Windows Server 2012 R2 RG1 East US VM2 Windows Server 2016 RG1 West US VM3 Windows Server 2019 RG2 West US VM4 Red Hat Enterprise Linux 7.7 RG2 West US VM5 Ubuntu Server 18.04 LTS RG1 East US VM6 CentOS-based 7.7 RG1 East US You need to ensure that all critical and security updates are applied to each virtual machine every month. What is the minimum number of update deployments you should create? 4 6 2 1

To determine the minimum number of update deployments required, we need to consider the constraints of Azure Update Management and the requirements for applying updates to the VMs. Azure Update Management has the following key characteristics relevant to this question: Operating System Specificity: Update deployments in Azure Update Management are operating system specific. You cannot target both Windows and Linux VMs in a single update deployment. You need separate deployments for Windows and Linux operating systems. Scope: Update deployments can target VMs across different: Resource Groups: You can include VMs from multiple resource groups in a single deployment. Locations (Regions): You can include VMs from different Azure regions in a single deployment. Based on these characteristics and the VM configuration provided: Categorize VMs by Operating System: Windows VMs: VM1: Windows Server 2012 R2 (RG1, East US) VM2: Windows Server 2016 (RG1, West US) VM3: Windows Server 2019 (RG2, West US) All three are Windows Server based. They can be included in a single update deployment targeting Windows VMs. Linux VMs: VM4: Red Hat Enterprise Linux 7.7 (RG2, West US) VM5: Ubuntu Server 18.04 LTS (RG1, East US) VM6: CentOS-based 7.7 (RG1, East US) All three are Linux distributions. They can be included in a single update deployment targeting Linux VMs. Determine Minimum Deployments: Since update deployments are OS-specific, we need at least one deployment for Windows VMs and one deployment for Linux VMs to cover all virtual machines. Deployment 1: Windows Updates - Target VMs: VM1, VM2, VM3. Configure to apply "Critical" and "Security" updates monthly. Deployment 2: Linux Updates - Target VMs: VM4, VM5, VM6. Configure to apply "Critical" and "Security" updates monthly. Evaluate Options: 4: Too many. We don't need separate deployments based on Resource Group or Location. 6: Too many. We don't need separate deployments for each VM. 2: This is the correct minimum. We need two deployments to separate Windows and Linux VMs. 1: Too few. A single deployment cannot target both Windows and Linux VMs. Conclusion: The minimum number of update deployments required is 2: one deployment for all Windows VMs and one deployment for all Linux VMs. Resource group and location differences do not necessitate additional deployments. Final Answer: The final answer is 2.

You have an Azure subscription. You create a custom role in Azure by using the following Azure Resource Manager template. { "Name": "Role1", "Id": "88888888-8888-8888-8888-888888888888", "IsCustom": true, "Description": "Role1 Description", "Actions": [ "Microsoft.Storage/*/read", "Microsoft.Network/*/read", "Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/restart/action", "Microsoft.Authorization/*/read", "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Insights/alertRules/*", "Microsoft.Insights/diagnosticSettings/*", "Microsoft.Support/*" ], "NotActions": [], "DataActions": [], "NotDataActions": [], "AssignableScopes": [ "/subscriptions/981dd4bc-8cf4-46fc-9513-0c599648b44b" ] } You assign the role to a user named User1. Which action can User1 perform? Create virtual machines. Create resource groups. Delete virtual machines. Create support requests.

To determine which action User1 can perform, we need to analyze the permissions defined in the custom role "Role1". Let's examine the "Actions" array in the provided JSON template: "Actions": [ "Microsoft.Storage/*/read", "Microsoft.Network/*/read", "Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/restart/action", "Microsoft.Authorization/*/read", "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Insights/alertRules/*", "Microsoft.Insights/diagnosticSettings/*", "Microsoft.Support/*" ] Use code with caution. Json Now, let's evaluate each option against these defined actions: Create virtual machines. To create virtual machines, the role would need actions like Microsoft.Compute/virtualMachines/write or Microsoft.Compute/virtualMachines/*. Role1 only includes Microsoft.Compute/*/read, Microsoft.Compute/virtualMachines/start/action, and Microsoft.Compute/virtualMachines/restart/action. These actions grant read permissions for compute resources and specific actions to start and restart VMs, but not to create them. Conclusion: User1 cannot create virtual machines. Create resource groups. To create resource groups, the role would need actions like Microsoft.Resources/subscriptions/resourceGroups/write or Microsoft.Resources/subscriptions/resourceGroups/*. Role1 only includes Microsoft.Resources/subscriptions/resourceGroups/read. This action grants read permissions for resource groups, but not to create them. Conclusion: User1 cannot create resource groups. Delete virtual machines. To delete virtual machines, the role would need actions like Microsoft.Compute/virtualMachines/delete or Microsoft.Compute/virtualMachines/*. Role1 only includes Microsoft.Compute/*/read, Microsoft.Compute/virtualMachines/start/action, and Microsoft.Compute/virtualMachines/restart/action. These actions do not include permissions to delete virtual machines. Conclusion: User1 cannot delete virtual machines. Create support requests. Role1 includes the action Microsoft.Support/*. The wildcard * after Microsoft.Support/ indicates that the role grants permissions for all operations within the Microsoft Support resource provider. This includes actions to create, read, update, and manage support requests with Microsoft Azure support. Conclusion: User1 can create support requests. Based on the analysis, the only action User1 is authorized to perform with Role1 is to create support requests. Final Answer: The final answer is Create support requests.

You have an Azure SQL database named Db1 that runs on an Azure SQL server named SQLserver1. You need to ensure that you can use the query editor on the Azure portal to query Db1. What should you do? Copy the ADO.NET connection string of Db1 and paste the string to the query editor. Approve private endpoint connections for SQLserver1. Modify the Advanced Data Security settings of Db1. Configure the Firewalls and virtual networks settings for SQLserver1.

The correct answer is Configure the Firewalls and virtual networks settings for SQLserver1. Explanation: To use the query editor in the Azure portal to query an Azure SQL database, you need to ensure that your client machine (the machine you are using to access the Azure portal) is allowed to connect to the Azure SQL server through the firewall. Here's why Configure the Firewalls and virtual networks settings for SQLserver1 is the correct action and why the other options are incorrect: Configure the Firewalls and virtual networks settings for SQLserver1: Azure SQL Server Firewall: Azure SQL Server has a built-in firewall that, by default, restricts access to the server and its databases from all public networks except for other Azure services. Allowing Azure Portal Access: To use the query editor in the Azure portal, you need to configure the firewall settings of the Azure SQL server (SQLserver1) to allow access from the Azure portal's IP address ranges or, more commonly, to allow access from your client IP address (the IP address of the machine you are using to access the Azure portal). Steps to Configure Firewall: Navigate to your Azure SQL server (SQLserver1) in the Azure portal. Go to Firewall and virtual networks settings. You can either: Allow Azure services and resources to access this server: Set this to Yes (if you want to allow other Azure services to access the server). Add client IP address: Click + Add client IP address. This will automatically detect your current client IP address and add a firewall rule to allow access from your machine. Add a firewall rule: Manually add a firewall rule specifying a range of IP addresses that include your client IP address. Copy the ADO.NET connection string of Db1 and paste the string to the query editor: ADO.NET connection strings are used by applications to connect to a database programmatically. The Azure portal query editor does not use connection strings in this way. The query editor establishes a direct connection to the database using your Azure credentials and network access permissions. Pasting a connection string into the query editor is not a valid action to enable query editor access. Approve private endpoint connections for SQLserver1: Private endpoints are used to provide private and secure access to Azure services from within your virtual network. If private endpoints were configured for SQLserver1 and specifically blocking public access, then approving private endpoint connections might be relevant for applications within the VNet. However, for accessing the query editor from your local machine through the Azure portal, private endpoints are not the issue. Private endpoints would actually restrict public access, not enable it for the query editor from your machine. This is not the solution for general query editor access from the portal. Modify the Advanced Data Security settings of Db1: Advanced Data Security (now Microsoft Defender for SQL) is related to security features like threat detection and vulnerability assessment within the database. It does not control basic network connectivity or firewall rules that are preventing you from accessing the query editor. Modifying Advanced Data Security settings will not enable query editor access if the firewall is blocking your connection. Therefore, the correct action is to configure the Firewalls and virtual networks settings for SQLserver1 to allow your client IP address or Azure portal IP ranges to access the SQL server. Final Answer: The final answer is Configure the Firewalls and virtual networks settings for SQLserver1.

DRAG DROP You have an Azure subscription that contains the resources shown in the following table Name Type Region Resource group RG1 Resource group Central US Not applicable RG2 Resource group West US Not applicable VM1 Virtual machine East US RG2 VNET1 Virtual network East US RG1 In RG2, you need to create a new virtual machine named VM2 that will connect to VNET1. VM2 will use a network interface named VM2_Interface. In which region should you create VM2 and VM2_Interface? To answer, drag the appropriate regions to the correct targets. Each region may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Regions Central US East US West US Answer Area VM2: Region VM2_Interface: Region

Answer Area: VM2: Region East US VM2_Interface: Region East US Explanation: Virtual Networks are Regional: Azure Virtual Networks (VNets) are regional resources. VNET1 is located in East US. Virtual Machines and VNets must be in the Same Region: Virtual Machines (VMs) must be created in the same Azure region as the Virtual Network they are intended to connect to. Since VM2 needs to connect to VNET1 (which is in East US), VM2 itself must also be created in East US. Network Interfaces and VNets/VMs must be in the Same Region: Network Interfaces (NICs) are also regional resources. A NIC must be in the same region as both the Virtual Network it connects to and the Virtual Machine it is attached to. Because VM2 and VNET1 must be in East US, VM2_Interface must also be created in East US. Therefore, to ensure VM2 can connect to VNET1, both VM2 and its network interface VM2_Interface must be created in the East US region. Final Answer: VM2: Region **East US** VM2_Interface: Region **East US**

A company hosts virtual machines (VMs) in an on-premises datacenter and in Azure. The on-premises and Azure-based VMs communicate using ExpressRoute. The company wants to be able to continue regular operations if the ExpressRoute connection fails. Failover connections must use the Internet and must not require Multiprotocol Label Switching (MPLS) support. You need to recommend a solution that provides continued operations. What should you recommend? Increase the bandwidth of the existing ExpressRoute connection. Increase the bandwidth for the on-premises internet connection. Set up a VPN connection. Set up a second ExpressRoute connection.

For the scenario described, where a company uses ExpressRoute to connect on-premises virtual machines (VMs) to Azure-based VMs and needs a failover solution that uses the Internet without requiring MPLS support in case the ExpressRoute connection fails, the best recommendation is: Set up a VPN connection. Why this is the correct answer: Requirement for Internet-based failover: The question specifies that failover connections must use the Internet and not rely on MPLS. ExpressRoute typically uses a private, MPLS-based connection through a partner network, but a VPN (specifically a Site-to-Site VPN over the Internet) meets the requirement of using the public Internet as a failover option. Continued operations: A Site-to-Site VPN can be configured as a backup to ExpressRoute, allowing seamless communication between on-premises VMs and Azure VMs if the ExpressRoute link fails. Azure supports this hybrid connectivity model, where VPN serves as a redundant path. No MPLS requirement: Unlike ExpressRoute, which often involves MPLS through a provider, a VPN over the Internet does not require MPLS, aligning with the stated constraints. Practical for AZ-305 context: The AZ-305 exam (Designing Microsoft Azure Infrastructure Solutions) focuses on designing resilient and hybrid solutions. Configuring a VPN as a failover for ExpressRoute is a well-documented Azure best practice for high availability.

Your network contains an on-premises Active Directory and an Azure Active Directory (Azure AD) tenant. You deploy Azure AD Connect and configure pass-through authentication. Your Azure subscription contains several web apps that are accessed from the Internet. You plan to use Azure Multi-Factor Authentication (MFA) with the Azure Active Directory tenant. You need to recommend a solution to prevent users from being prompted for Azure MFA when they access the web apps from the on-premises network. What should you include in the recommendation? an Azure policy trusted IPs a site-to-site VPN between the on-premises network and Azure an Azure ExpressRoute circuit

Correct Answer: Trusted IPs Explanation: The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses two-step verification for users who sign in from the company intranet. The feature is available with the full version of Azure Multi-Factor Authentication, and not the free version for administrators.

HOTSPOT Your network contains an on-premises Active Directory domain named contoso.com that contains a user named User1. The domain syncs to Azure Active Directory (Azure AD). You have the Windows 10 devices shown in the following table. Name Joined to Device1 On-premises Active Directory Device2 Azure AD Device3 Workgroup he User Sign-In settings are configured as shown in the following exhibit. PROVISION FROM ACTIVE DIRECTORY Azure AD Connect cloud provisioning This feature allows you to manage provisioning from the cloud. Manage provisioning (Preview) Azure AD Connect sync Sync Status Enabled Last Sync Less than 1 hour ago Password Hash Sync Enabled USER SIGN-IN Federation Disabled 0 domains Seamless single sign-on Enabled 1 domain Pass-through authentication Disabled 0 agents For each of the following statements, select Yes if the statement is true. Otherwise, select No. Statements Yes No When accessing the Azure portal from Device1, User1 will sign in automatically by using SSO. When accessing the Azure portal from Device2, User1 will sign in automatically by using SSO. When accessing the Azure portal from Device3, User1 will sign in automatically by using SSO.

Explanation: Box 1: Yes Seamless SSO needs the user’s device to be domain-joined only, but it is not used on Azure AD Joined or Hybrid Azure AD joined devices. SSO on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices works based on the primary refresh token. Box 2: No Box 3: No

You create a new Azure subscription. You create a resource group named RG1. In RG1, you create the resources shown in the following table. Name Type VNET1 Virtual network VM1 Virtual machine GWSN1 Gateway subnet VPNGW1 Virtual network gateway You need to configure an encrypted tunnel between your on-premises network and VNET1. Which two additional resources should you create in Azure? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. a VPN gateway a site-to-site connection a point-to-site configuration a VNet-to-VNet connection a local network gateway

The correct answers are: a site-to-site connection a local network gateway Explanation: To configure an encrypted tunnel between an on-premises network and an Azure Virtual Network (VNET1) using a Virtual Network Gateway (VPNGW1), you need the following additional Azure resources: a local network gateway: Purpose: A Local Network Gateway represents your on-premises VPN device and network in Azure. It provides Azure with the necessary information about your on-premises VPN endpoint, including: Public IP address of your on-premises VPN device: Azure VPN Gateway needs to know the public IP address of your on-premises VPN device to establish the connection. On-premises network address prefixes: You define the on-premises network address spaces (subnets) that you want to be reachable from Azure through the VPN tunnel. Why it's necessary: Azure VPN Gateway uses the Local Network Gateway configuration to know where to initiate the VPN connection and what networks to route traffic to on the on-premises side. a site-to-site connection: Purpose: A Connection resource in Azure represents the actual VPN tunnel itself. For a site-to-site VPN, you need to create a "Site-to-Site (IPsec)" connection. This connection resource defines: Connection type: Site-to-to (IPsec) VPN type: RouteBased or PolicyBased (depending on your VPNGW1 configuration - although RouteBased is generally recommended) Shared key (pre-shared key): A secret key used for authentication between the Azure VPN gateway and the on-premises VPN device. References to Azure VPN gateway and Local Network Gateway: The connection resource links your existing Azure VPN gateway (VPNGW1) to the Local Network Gateway representing your on-premises VPN device. Why it's necessary: The Connection resource is the resource that actually establishes the VPN tunnel. It uses the information from both the Azure VPN gateway and the Local Network Gateway to set up the encrypted connection. Why other options are incorrect: a VPN gateway: You already have a VPN gateway named VPNGW1. You don't need to create another VPN gateway to establish a single site-to-site VPN connection. a point-to-site configuration: Point-to-Site (P2S) VPN is for connecting individual client computers to your Azure VNet, not for connecting an entire on-premises network. Site-to-Site VPN is the correct type for connecting networks. a VNet-to-VNet connection: VNet-to-VNet connections are used to connect two Azure Virtual Networks together. This is not relevant for connecting an on-premises network to Azure. In summary, to create a site-to-site VPN tunnel, you need to represent your on-premises VPN endpoint in Azure using a Local Network Gateway and then create a Connection resource to define and establish the VPN tunnel between your Azure VPN Gateway and the Local Network Gateway. Final Answer: Answer Area VM2: Region East US VM2_Interface: Region East US

You plan to create an Azure Storage account named storage1 that will store blobs and be accessed by Azure Databricks. You need to ensure that you can set permissions for individual blobs by using Azure Active Directory (Azure AD) authentication. Which Advanced setting should you enable for storage1? Large file shares Hierarchical namespace NFS v3 Blob soft delete

To enable Azure Active Directory (Azure AD) authentication for setting permissions on individual blobs in an Azure Storage account, you need to enable Hierarchical namespace. Here's why: Hierarchical Namespace (HNS): Purpose: Hierarchical namespace transforms Azure Blob Storage into Azure Data Lake Storage Gen2 (ADLS Gen2). ADLS Gen2 provides a hierarchical file system structure (directories and subdirectories) on top of Blob storage. Azure AD Integration for Access Control: A key feature of ADLS Gen2 (enabled by HNS) is its deep integration with Azure Active Directory (Azure AD) for access control. HNS enables you to use Azure AD identities to manage access permissions at the directory and individual blob level using Access Control Lists (ACLs). This is crucial for setting permissions for individual blobs using Azure AD authentication, as required in the question. POSIX-like Permissions: HNS supports POSIX-style permissions, which are commonly used in file systems and allow for granular control over read, write, and execute permissions for users and groups managed in Azure AD. Let's examine why the other options are not correct for this requirement: Large file shares: Purpose: Large file shares is an option for Azure File Storage, enabling file shares larger than the standard size. Azure File Storage is accessed using SMB protocol and has its own authentication mechanisms (like Active Directory Domain Services or Azure Active Directory Domain Services). It is not related to Blob storage or Azure AD authentication for blobs. NFS v3: Purpose: NFS v3 (Network File System version 3) allows you to mount Azure Blob Storage containers as file systems using the NFS v3 protocol. While NFS v3 provides file system access, it does not directly enable Azure AD authentication for individual blobs in the way that Hierarchical Namespace does. NFS v3 authentication in this context is generally handled through other mechanisms and is not the same as native Azure AD ACLs on blobs. Blob soft delete: Purpose: Blob soft delete is a data protection feature that allows you to recover accidentally deleted blobs within a defined retention period. It is a data recovery feature and has no relation to authentication or authorization methods for accessing blobs. Conclusion: To meet the requirement of setting permissions for individual blobs using Azure AD authentication in Azure Storage, you must enable the Hierarchical namespace Advanced setting for the storage account. This transforms the storage account into Azure Data Lake Storage Gen2, which provides the necessary Azure AD integration and ACL capabilities for fine-grained access control at the blob level. Final Answer: The final answer is Hierarchical namespace.

HOTSPOT You have an Azure subscription that includes an Azure key vault named Vault1. You create the Azure virtual machines shown in the following table. --- --- Name Operating system disk type Use managed disks VM1 Premium SSD No VM2 Standard HDD Yes VM3 Standard SSD Yes --- --- You enable Azure Disk Encryption for all the virtual machines and use the –VolumeType All parameter. You add data disks to the virtual machines as shown in the following table. Name Virtual machine Storage account type VM1-Disk1 VM1 Premium SSD VM2-Disk1 VM2 Standard SSD VM3-Disk1 VM3 Standard HDD For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Statements VM1-Disk1 is encrypted automatically by using Azure Disk Encryption. VM2-Disk1 is encrypted automatically by using Azure Disk Encryption. VM3-Disk1 is encrypted automatically by using Azure Disk Encryption.

Final Answers: VM1-Disk1 is encrypted automatically by using Azure Disk Encryption: No Unmanaged disks added after ADE enablement aren’t dynamically encrypted without reapplying ADE. VM2-Disk1 is encrypted automatically by using Azure Disk Encryption: Yes Managed disks are encrypted automatically when ADE is enabled with --VolumeType All. VM3-Disk1 is encrypted automatically by using Azure Disk Encryption: Yes Managed disks are encrypted automatically when ADE is enabled with --VolumeType All.

You have the following Azure Active Directory (Azure AD) tenants: Contoso.onmicrosoft.com: Linked to a Microsoft 365 tenant and syncs to an Active Directory forest named contoso.com by using password hash synchronization – Contosoazure.onmicrosoft.com: Linked to an Azure subscription named Subscription1 – You need to ensure that you can assign the users in contoso.com access to the resources in Subscription1. What should you do? Associate Subscription1 to contoso.onmicrosoft.com. Reassign all the roles in Subscription1. Configure the existing Azure AD Connect server to sync contoso.com to contosoazure.onmicrosoft.com. Configure contoso.onmicrosoft.com to use pass-through authentication. Configure contosoazure.onmicrosoft.com to use pass-through authentication.

Final Answer: The final answer is Associate Subscription1 to contoso.onmicrosoft.com. Reassign all the roles in Subscription1. Explanation: Let's break down why this is the correct solution and why the other options are incorrect: Associate Subscription1 to contoso.onmicrosoft.com. Reassign all the roles in Subscription1. (Correct) Tenant Association: Azure subscriptions are fundamentally linked to an Azure Active Directory (Azure AD) tenant. This tenant serves as the directory for managing users, groups, and their access to resources within that subscription. Currently, Subscription1 is linked to contosoazure.onmicrosoft.com, while the users you want to grant access (from contoso.com forest) are synced to contoso.onmicrosoft.com. Changing Tenant Association: The most direct way to allow contoso.com users to access Subscription1 resources is to change the Azure AD tenant that Subscription1 trusts for identity management. By associating Subscription1 with contoso.onmicrosoft.com, you make the users and groups from contoso.onmicrosoft.com (and by extension, contoso.com) the native identities for authorization within Subscription1. Role Reassignment: After changing the tenant association, the existing role assignments in Subscription1 will likely be based on principals from the old contosoazure.onmicrosoft.com tenant. These assignments will become invalid or irrelevant when the subscription is linked to contoso.onmicrosoft.com. Therefore, you'll need to reassign all roles within Subscription1 to users and groups from the newly associated contoso.onmicrosoft.com tenant to restore and configure access for the intended users. Effectiveness: This method directly addresses the core issue by placing the subscription under the control of the Azure AD tenant that manages the desired users. Configure the existing Azure AD Connect server to sync contoso.com to contosoazure.onmicrosoft.com. (Incorrect) Single Tenant Sync: An Azure AD Connect server is designed to synchronize a single on-premises Active Directory forest to one Azure AD tenant. You cannot configure a single Azure AD Connect server to synchronize the same on-premises forest to multiple Azure AD tenants (like both contoso.onmicrosoft.com and contosoazure.onmicrosoft.com). This option is technically not feasible with a single Azure AD Connect instance. Even if you could, it's not the correct architectural approach. Configure contoso.onmicrosoft.com to use pass-through authentication. (Incorrect) Authentication Method: Pass-through authentication is an Azure AD sign-in method. Configuring contoso.onmicrosoft.com to use pass-through authentication only changes how users in contoso.onmicrosoft.com authenticate. It doesn't change the tenant association of Subscription1 or grant access to users in contoso.com forest to resources in Subscription1. It's irrelevant to the tenant association problem. Configure contosoazure.onmicrosoft.com to use pass-through authentication. (Incorrect) Authentication Method: Similarly, configuring contosoazure.onmicrosoft.com to use pass-through authentication only affects authentication for users within contosoazure.onmicrosoft.com (if any cloud-only users exist there). It does not bridge the identity gap or grant access to contoso.com users in Subscription1.

You have several Azure web apps that use access keys to access databases. You plan to migrate the access keys to Azure Key Vault. Each app must authenticate by using Azure Active Directory (Azure AD) to gain access to the access keys. What should you create in Azure to ensure that the apps can access the access keys? managed identities managed applications Azure policies an App Service plan

The correct answer is managed identities. Explanation: Here's why managed identities are the correct solution and why the other options are not: Managed Identities: Purpose: Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory (Azure AD). This allows Azure services to authenticate to Azure services that support Azure AD authentication without needing to hardcode credentials in code or configuration. Scenario Application: In this scenario, you would enable managed identities for each Azure web app. This creates a service principal identity in Azure AD for each web app. Key Vault Access: You would then grant these managed identities specific permissions to access your Azure Key Vault. For example, you would grant the "Get Secret" permission to each web app's managed identity on the Key Vault where you store the database access keys. Authentication Process: When the web apps need to access a database access key, they would use the Azure SDK (e.g., Azure.Identity library) to authenticate to Azure Key Vault using their managed identity. The Azure SDK automatically handles the authentication process, obtaining tokens from Azure AD without requiring any explicit credentials to be stored or managed by the web app. Security Benefits: This approach is highly secure because: No Hardcoded Credentials: You eliminate the need to store access keys directly in web app configuration or code. Automated Credential Management: Azure automatically manages the lifecycle and rotation of the managed identity credentials. Principle of Least Privilege: You can grant each web app only the necessary permissions (e.g., "Get Secret" for specific secrets) in Key Vault, adhering to the principle of least privilege. Let's look at why the other options are not the correct solution: Managed applications: Managed applications are pre-packaged and deployable applications offered through the Azure Marketplace. They are not directly related to the authentication mechanism for web apps to access Key Vault for secrets. Azure policies: Azure Policies are used to enforce organizational standards and assess compliance across Azure resources. They are not designed for managing application authentication to Key Vault or providing identities to applications. An App Service plan: An App Service plan defines the set of compute resources for running Azure web apps. It determines the region, size, and scale of the underlying VMs. It does not provide authentication mechanisms for web apps to access other Azure services like Key Vault. Therefore, the correct answer is managed identities because they are the Azure feature specifically designed to enable Azure AD-based authentication for Azure services (like web apps) to securely access other Azure services (like Key Vault) without managing credentials directly. Final Answer: The final answer is managed identities.

You have an Azure key vault named KV1. You need to implement a process that will digitally sign the blobs stored in Azure Storage. What is required in KV1 to sign the blobs? a key a secret a certificate

The correct answer is a key. Explanation: To digitally sign blobs stored in Azure Storage using Azure Key Vault (KV1), you need to use a cryptographic key that is stored and managed within KV1. Here's why: Keys in Azure Key Vault for Digital Signing: Azure Key Vault is designed to securely store and manage cryptographic keys, secrets, and certificates. For digital signing, you specifically need a cryptographic key. Key Vault supports different types of keys, including: RSA keys: Commonly used for digital signatures and encryption. EC keys: Elliptic Curve keys, also used for digital signatures and key exchange, often preferred for performance and smaller key sizes. To perform digital signing, you would create or import a key into KV1. This key will be a cryptographic key pair, where the private key is used to create the digital signature, and the corresponding public key can be used to verify the signature. Crucially, the private key remains secure within Key Vault and is never directly exposed. The signing operation is performed by Key Vault itself, using the private key on your behalf. Why other options are incorrect: a secret: Secrets in Azure Key Vault are used to store sensitive information like passwords, connection strings, API keys, and other text or binary data. Secrets are not designed for performing cryptographic operations like digital signing. While you can store text that could represent a key, a "secret" object in Key Vault itself does not have the cryptographic functionality needed for signing. You would need a "key" object. a certificate: Certificates in Azure Key Vault are X.509 certificates. Certificates are primarily used for authentication and encryption, and they contain a public key (and optionally a private key). While you could import a certificate containing a private key into Key Vault and potentially use the private key within the certificate for signing (if the certificate allows key export and signing operations), the most direct and fundamental requirement for signing is a key. Certificates are a higher-level construct built around keys, but the underlying cryptographic material needed for signing is the key. For just signing blobs, directly using a key is more straightforward and appropriate.

You set the multi-factor authentication status for a user named admin1@contoso.com to Enabled. Admin1 accesses the Azure portal by using a web browser. Which additional security verifications can Admin1 use when accessing the Azure portal? a phone call, an email message that contains a verification code, and a text message that contains an app password. an app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app. an app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app. a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app.

When Multi-Factor Authentication (MFA) is enabled for a user in Azure Active Directory (Azure AD), they will be prompted for additional security verification methods beyond their password when they sign in. The available verification methods depend on the configuration set by the administrator and the methods configured by the user. Let's evaluate each option against the standard MFA verification methods offered by Azure AD: Option 1: a phone call, an email message that contains a verification code, and a text message that contains an app password. a phone call: Phone call to a registered phone number is a valid Azure MFA verification method. an email message that contains a verification code: While email can be used for Self-Service Password Reset (SSPR) verification, it is not a standard primary MFA verification method for Azure AD sign-in in typical configurations. It's less secure compared to other methods. a text message that contains an app password: This is incorrect. App passwords are not sent via text messages. App passwords are generated by users (or admins) after MFA is enabled to allow legacy applications that don't support modern authentication to bypass MFA prompts. Text messages contain verification codes, not app passwords. Option 2: an app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app. an app password: As mentioned before, app passwords are not MFA verification methods themselves. They are a way to bypass MFA for legacy apps. Incorrect. a text message that contains a verification code: Text message (SMS) verification is a valid Azure MFA method. a verification code sent from the Microsoft Authenticator app: Verification code generated by the Microsoft Authenticator app (Time-based One-Time Password - TOTP) is a valid Azure MFA method. Option 3: an app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app. an app password: Incorrect, as explained before. a text message that contains a verification code: Valid SMS verification. a notification sent from the Microsoft Authenticator app: Push notification sent to the Microsoft Authenticator app for approval is a valid Azure MFA method. Option 4: a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app. a phone call: Valid phone call verification. a text message that contains a verification code: Valid SMS verification. a notification or a verification code sent from the Microsoft Authenticator app: Both push notifications and verification codes (TOTP) from the Microsoft Authenticator app are valid Azure MFA methods. Comparing the options, Option 4 lists only valid and standard Azure MFA verification methods: phone call, SMS message with verification code, and Microsoft Authenticator app (both push notification and verification code). Options 1, 2, and 3 incorrectly include "app password" as a verification method, and Option 1 incorrectly includes "email message with verification code" as a standard primary MFA method. Final Answer: The final answer is a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app.

HOTSPOT You have an Azure Active Directory (Azure AD) tenant that contains the user groups shown in the following table. Name Role Member of User1 Global administrator None User2 User administrator Group1 User3 Password administrator Group1 User4 None Group1 You enable self-service password reset (SSPR) for Group1. You configure the Notifications settings as shown in the following exhibit. Save X Discard Notify users on password resets? ① No Notify all admins when other admins reset their password? ① Yes For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Statements User1 gets a notification when User3 resets her password by using SSPR. User3 gets a notification when User3 resets her password by using SSPR. User1 gets a notification when User2 resets the password of User4.

Let's analyze each statement based on the provided Azure AD SSPR notification settings and user roles. Notification Settings: Notify users on password resets? No Notify all admins when other admins reset their password? Yes User Roles and Group Membership: User1: Global administrator, Not member of Group1 User2: User administrator, Member of Group1 User3: Password administrator, Member of Group1 User4: None, Member of Group1 Statement 1: User1 gets a notification when User3 resets her password by using SSPR. Analysis: User1 is a Global administrator, which is an admin role. User3 is a Password administrator, which is also an admin role. User3 is resetting her own password using Self-Service Password Reset (SSPR). The notification setting "Notify all admins when other admins reset their password?" is set to Yes. Since User3 is an admin and is resetting her own password using SSPR, and the notification setting for admin-to-admin SSPR resets is enabled, all admins should be notified. User1, being a Global administrator, is an admin. Conclusion: Yes, Statement 1 is True. Statement 2: User3 gets a notification when User3 resets her password by using SSPR. Analysis: User3 is resetting her own password using SSPR. The notification setting "Notify users on password resets?" is set to No. This setting directly controls whether the user who initiates the password reset (in this case, User3) receives a notification. Since it is set to "No," User3 should not receive a notification about her own password reset. Conclusion: No, Statement 2 is False. Statement 3: User1 gets a notification when User2 resets the password of User4. Analysis: User1 is a Global administrator (Admin role). User2 is a User administrator (Admin role). User2 is resetting the password of User4. While the scenario mentions SSPR, it's implied that User2, as a User administrator, is using admin capabilities (likely through the Azure AD admin center or similar tools) to reset User4's password, not User2 performing SSPR for User2's own password. The notification setting "Notify all admins when other admins reset their password?" specifically refers to notifications when admins reset their own passwords using SSPR. It is not designed for scenarios where an admin resets another user's password through admin interfaces, even if the underlying password reset mechanism shares components with SSPR. Admin-initiated password resets are distinct actions from user-initiated SSPR. The notification is for "when other admins reset their password". In this case, User2 is resetting User4's password, not User2's own password. Conclusion: No, Statement 3 is False. The "Notify all admins when other admins reset their password?" setting is specifically for admin self-service password resets, not for admin-initiated password resets of other users. Therefore, User1 will not be notified in this scenario based on the configured SSPR notification settings. Final Answer: Statements Yes No User1 gets a notification when User3 resets her password by using SSPR. ☑ ☐ User3 gets a notification when User3 resets her password by using SSPR. ☐ ☑ User1 gets a notification when User2 resets the password of User4. ☐ ☑

Your company has an Azure subscription. You enable multi-factor authentication (MFA) for all users. The company’s help desk reports an increase in calls from users who receive MFA requests while they work from the company’s main office. You need to prevent the users from receiving MFA requests when they sign in from the main office. What should you do? From Conditional access in Azure Active Directory (Azure AD), create a named location. From the MFA service settings, create a trusted IP range. From Conditional access in Azure Active Directory (Azure AD), create a custom control. From Azure Active Directory (Azure AD), configure organizational relationships.

the best solution is: From the MFA service settings, create a trusted IP range. Why this is the correct answer: MFA Trusted IPs Feature: Azure AD MFA includes a service setting that allows you to define "trusted IPs" (IP address ranges) where MFA prompts can be bypassed. This is specifically designed for scenarios like this—reducing MFA prompts for users signing in from trusted locations, such as the company’s main office. Matches the Requirement: The goal is to prevent MFA requests when users sign in from the main office. By configuring the public IP range of the main office as a trusted IP in the MFA service settings, users authenticating from that location will not be prompted for MFA, while MFA remains enforced elsewhere. AZ-305 Relevance: The AZ-305 exam (Designing Microsoft Azure Infrastructure Solutions) emphasizes practical solutions for identity and security management. Configuring trusted IPs is a straightforward, built-in MFA feature that aligns with designing secure and user-friendly authentication policies.

HOTSPOT You have an Azure logic app named App1 and an Azure Service Bus queue named Queue1. You need to ensure that App1 can read messages from Queue1. App1 must authenticate by using Azure Active Directory (Azure AD). What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. On App1: Add a logic app step Configure Access control (IAM) Regenerate the access key Turn on the managed identity On Queue1: Add a read-only lock Add a shared access policy Configure Access control (IAM) Modify the properties

Answer Area: On App1: Turn on the managed identity On Queue1: Configure Access control (IAM) Explanation: On App1 (Logic App): Turn on the managed identity: This is the crucial step for enabling Azure AD authentication for App1. By turning on a managed identity (specifically, a system-assigned managed identity is usually simpler for this scenario), Azure automatically creates an identity for the Logic App in your Azure AD tenant. This identity can then be granted permissions to access other Azure resources that support Azure AD authentication, such as Azure Service Bus. Why not other options for App1? Add a logic app step: While you will need to add a Service Bus connector step in your Logic App to actually read messages from Queue1, this step itself doesn't handle authentication. Authentication needs to be configured separately. Configure Access control (IAM): Configuring IAM on App1 itself is not relevant for App1 authenticating to Service Bus. IAM on App1 controls who/what can manage the Logic App resource, not its outbound authentication to other services. Regenerate the access key: Access keys are used for Shared Access Signature (SAS) authentication, which is an alternative to Azure AD authentication. The requirement explicitly states "App1 must authenticate by using Azure Active Directory (Azure AD)", so SAS keys are not the desired method. On Queue1 (Service Bus Queue): Configure Access control (IAM): This step is essential to authorize App1's managed identity to access Queue1. You need to grant the managed identity of App1 the necessary permissions to read messages from Queue1. This is done through Azure RBAC (Role-Based Access Control) via the Access control (IAM) blade for Queue1. You would assign a built-in role like "Azure Service Bus Data Receiver" to the managed identity of App1 at the scope of Queue1 (or at a higher scope like the Service Bus namespace if appropriate). This role grants the necessary permissions to receive (read and delete) messages from the queue. Why not other options for Queue1? Add a read-only lock: Read-only locks prevent accidental modifications or deletions of the queue itself. They do not control access for reading messages. Add a shared access policy: Shared Access Policies (SAPs) are used for SAS authentication, again, an alternative to Azure AD authentication. Since we need to use Azure AD, SAPs are not the correct approach. Modify the properties: Modifying queue properties (like max size, TTL, etc.) does not configure authentication or authorization for accessing the queue's messages. In Summary: To enable Azure AD authentication for App1 to read messages from Queue1, you need to: Enable Managed Identity on App1: This provides App1 with an Azure AD identity. Configure Access control (IAM) on Queue1: Grant the Managed Identity of App1 the "Azure Service Bus Data Receiver" role (or a similar role with read permissions) to authorize App1 to read messages. Final Answer: On App1: Turn on the managed identity On Queue1: Configure Access control (IAM)

You have the following Azure Active Directory (Azure AD) tenants: – Contoso.onmicrosoft.com: Linked to a Microsoft 365 tenant and syncs to an Active Directory forest named contoso.com by using password hash synchronization – Contosoazure.onmicrosoft.com: Linked to an Azure subscription named Subscription1 You need to ensure that you can assign the users in contoso.com access to the resources in Subscription1. What should you do? Create an Azure management group that contains Subscription1. Configure the existing Azure AD Connect server to sync contoso.com to contosoazure.onmicrosoft.com. Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.onmicrosoft.com. Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com.

Let's analyze each option to determine the best way to grant users from contoso.com access to resources in Subscription1. Create an Azure management group that contains Subscription1. Explanation: Azure Management Groups are used to organize and manage multiple Azure subscriptions under a single management structure. Management groups are primarily for policy and access control at scale across subscriptions. Creating a management group itself does not bridge the identity gap between different Azure AD tenants. Management groups help with organizing and governing subscriptions but do not inherently solve cross-tenant identity and access management for users. Does it meet the goal? No. Management groups do not enable users from contoso.com (synced to contoso.onmicrosoft.com) to access resources in Subscription1 (linked to contosoazure.onmicrosoft.com). Configure the existing Azure AD Connect server to sync contoso.com to contosoazure.onmicrosoft.com. Explanation: Azure AD Connect is designed to synchronize a single on-premises Active Directory forest to one Azure AD tenant. The existing Azure AD Connect server is already correctly syncing contoso.com to contoso.onmicrosoft.com. You cannot reconfigure the same Azure AD Connect server to sync the same on-premises forest to a second, different Azure AD tenant (contosoazure.onmicrosoft.com). This is not a supported or feasible configuration for Azure AD Connect. Does it meet the goal? No. This is not a valid Azure AD Connect configuration and will not solve the cross-tenant access problem. Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.onmicrosoft.com. Explanation: While you can deploy multiple Azure AD Connect servers for redundancy or for syncing different on-premises forests to different Azure AD tenants, you cannot sync the same on-premises forest (contoso.com) to two separate Azure AD tenants (contoso.onmicrosoft.com and contosoazure.onmicrosoft.com) using multiple Azure AD Connect servers connected to the same on-premises forest. This is not a supported Azure AD Connect topology. Each on-premises forest should have a dedicated Azure AD Connect instance syncing to one Azure AD tenant. Does it meet the goal? No. This is not a valid Azure AD Connect configuration and will not solve the cross-tenant access problem. Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com. Explanation: This option utilizes Azure AD Business-to-Business (B2B) collaboration. You would invite users from the contoso.onmicrosoft.com tenant as guest users into the contosoazure.onmicrosoft.com tenant. How it works: Invite users from contoso.onmicrosoft.com as guests to contosoazure.onmicrosoft.com. Guest user objects are created in contosoazure.onmicrosoft.com that represent the external users from contoso.onmicrosoft.com. You can then assign Azure RBAC roles to these guest user accounts in contosoazure.onmicrosoft.com for resources in Subscription1. Users from contoso.com (authenticating via contoso.onmicrosoft.com) can then access resources in Subscription1 using their original contoso.com credentials, but as guest users in contosoazure.onmicrosoft.com. Does it meet the goal? Yes. This is the correct and standard way to grant users from one Azure AD tenant access to resources in another Azure AD tenant. It allows you to assign roles to users from contoso.com in Subscription1 while they use their existing credentials. Final Answer: The final answer is Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com.

You have an application named App1 that does not support Azure Active Directory (Azure AD) authentication. You need to ensure that App1 can send messages to an Azure Service Bus queue. The solution must prevent App1 from listening to the queue. What should you do? Configure Access control (IAM) for the Service Bus. Add a shared access policy to the queue. Modify the locks of the queue. Configure Access control (IAM) for the queue.

Final Answer: The final answer is Add a shared access policy to the queue. The requirement is to grant an application (App1) that does not support Azure Active Directory (Azure AD) authentication the ability to send messages to an Azure Service Bus queue (Queue1) while explicitly preventing it from listening to messages. This scenario points towards using Shared Access Policies (SAPs) for delegated access with specific permissions, as App1 cannot use Azure AD for authentication. Let's analyze each option: Configure Access control (IAM) for the Service Bus. Explanation: Access control (IAM) in Azure is primarily designed for managing access for Azure AD identities (users, groups, service principals, managed identities). Since App1 does not support Azure AD authentication, using IAM directly is not the appropriate solution for App1's authentication. IAM is best suited for applications that can authenticate with Azure AD. IAM roles for Service Bus typically grant broad permissions and are not designed for the granular send-only vs. listen-only scenario for non-AD applications. Add a shared access policy to the queue. Explanation: Shared Access Policies (SAPs) are a feature of Azure Service Bus specifically designed to grant delegated access to Service Bus resources (namespaces, queues, topics, subscriptions) to applications that may not support Azure AD authentication or when you need to grant access using shared keys. Granular Permissions: When creating a Shared Access Policy, you can precisely control the permissions granted. For a queue, these permissions typically include: Send: Allows sending messages to the queue. Listen: Allows receiving (reading and processing) messages from the queue. Manage: Allows managing the queue itself. Meeting the Requirements: To meet the requirements, you should add a shared access policy to Queue1 and, crucially, grant only the Send permission in the policy, while explicitly not granting the Listen permission. App1 can then use the connection string generated from this SAP to authenticate to Service Bus and send messages, but it will be denied access if it tries to listen or receive messages because the SAP lacks the "Listen" permission. Modify the locks of the queue. Explanation: Locks in Azure Service Bus are used to prevent accidental deletion or modification of the queue itself. Locks are for resource management and protection of the queue's configuration, not for controlling permissions for sending or receiving messages. Modifying locks will not achieve the goal of granting send-only access to App1. Configure Access control (IAM) for the queue. Explanation: As explained earlier, IAM is primarily for Azure AD identities. While you can use IAM with Service Bus, it's not the intended authentication mechanism for an application that does not support Azure AD authentication. Furthermore, IAM roles for Service Bus are generally broader and might not provide the fine-grained control to grant only "Send" and explicitly deny "Listen" permissions in the context of non-AD authentication as effectively as Shared Access Policies. Conclusion: The most appropriate and effective solution to grant App1 send-only access to Queue1, especially when App1 does not support Azure AD authentication, is to Add a shared access policy to the queue and configure the policy to grant only the "Send" permission, explicitly excluding the "Listen" permission. This directly addresses both requirements: enabling sending and preventing listening for the non-AD application. Final Answer: The final answer is Add a shared access policy to the queue.

An administrator plans to create a function app in Azure that will have the following settings: – Runtime stack: .NET Core – Operating System: Linux – Plan type: Consumption – Enable Application Insights: Yes You need to ensure that you can back up the function app. Which settings should you recommend changing before creating the function app? Runtime stack Disable Application Insights Operating System Plan type

The correct answer is Plan type. Here's why: Azure Functions on the Consumption plan have some limitations regarding backup and restore. Specifically, they don't support traditional backup mechanisms like those available for App Service plans. Consumption plan function apps are ephemeral by nature, scaling dynamically and relying on storage for persistence. To enable proper backup and restore capabilities, you should switch from the Consumption plan to an App Service plan (either dedicated or premium). App Service plans provide a dedicated environment with more control over the underlying infrastructure, allowing for snapshot-based backups and restore operations. While the other options might have indirect impacts on backup (like Application Insights influencing monitoring and logging), they don't directly address the core issue of backup capability itself. The runtime stack and OS are generally orthogonal to backup functionality. Disabling Application Insights would reduce data collected but not affect the ability to back up the function app itself. Therefore, changing the plan type is the only change that directly enables backup functionality.

HOTSPOT You have an Azure subscription. You plan to deploy an app that has a web front end and an application tier. You need to recommend a load balancing solution that meets the following requirements: – Internet to web tier: – Provides URL-based routing – Supports connection draining – Prevents SQL injection attacks – Web tier to application tier: – Provides port forwarding – Supports HTTPS health probes – Supports an availability set as a backend pool Your solution must minimize costs. Which load balancing solution should you recommend for each tier? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Internet to web tier: An Azure Application Gateway that has a web application firewall (WAF) An internal Azure Standard Load Balancer A public Azure Basic Load Balancer Web tier to application tier: An Azure Application Gateway that has a web application firewall (WAF) An internal Azure Standard Load Balancer A public Azure Standard Load Balancer

Here's the breakdown of the correct load balancing solutions for each tier, along with the reasons: Internet to web tier: An Azure Application Gateway that has a web application firewall (WAF) URL-based routing: Application Gateway natively supports routing traffic based on URLs. This is a key requirement. Connection draining: Application Gateway supports connection draining, ensuring that existing connections are gracefully terminated when a backend server is being taken offline. Prevents SQL injection attacks: The Web Application Firewall (WAF) integrated with Application Gateway provides protection against common web vulnerabilities, including SQL injection. Cost: While Application Gateway is more expensive than basic Load Balancer, the requirements explicitly include WAF, necessitating the use of Application Gateway for the internet-facing tier. Using Load Balancer here would require deploying another product to provide WAF capabilities, increasing complexity and potentially cost. Web tier to application tier: An internal Azure Standard Load Balancer Port forwarding: Load Balancers can forward traffic on specific ports. HTTPS health probes: Standard Load Balancer supports HTTPS health probes, allowing it to monitor the health of backend instances by sending HTTPS requests and verifying the responses. Supports an availability set as a backend pool: Both Basic and Standard Load Balancers can use an availability set as a backend pool. Internal: The load balancer needs to be internal because you're balancing traffic between the web tier and the application tier within your Azure virtual network. Standard: While a Basic Load Balancer can handle load distribution, Standard Load Balancer provides increased functionality and features that align with the application's needs and future scalability requirements. Features such as HTTPS health probes and support for Availability Zones make the Standard Load Balancer the best choice. In summary: Internet to web tier: Azure Application Gateway with WAF is essential to meet the URL-based routing, connection draining, and SQL injection prevention requirements for traffic from the internet. Web tier to application tier: An internal Azure Standard Load Balancer effectively handles load balancing between the web and application tiers, meeting requirements with health probes, port forwarding, and availability set integration.

You have 10 Azure virtual machines on a subnet named Subnet1. Subnet1 is on a virtual network named VNet1. You plan to deploy a public Azure Standard Load Balancer named LB1 to the same Azure region as the 10 virtual machines. You need to ensure that traffic from all the virtual machines to the internet flows through LB1. The solution must prevent the virtual machines from being accessible on the internet. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. Add health probes to LB1. Add the network interfaces of the virtual machines to the backend pool of LB1. Add an inbound rule to LB1. Add an outbound rule to LB1. Associate a network security group (NSG) to Subnet1. Associate a user-defined route to Subnet1.

Here's the breakdown of the correct actions and why they're needed: Add the network interfaces of the virtual machines to the backend pool of LB1. This is essential for the load balancer to be aware of the VMs it should distribute traffic to. Without this, the load balancer doesn't know which VMs are part of its managed pool. Add an outbound rule to LB1. Standard Load Balancers require outbound rules to enable outbound connectivity to the internet when VMs in the backend pool don't have public IPs directly assigned. This rule defines how outbound connections from the VMs are translated to the load balancer's public IP. Associate a network security group (NSG) to Subnet1. The NSG is critical for preventing the VMs from being directly accessible from the internet. You'll configure the NSG to: Deny inbound traffic from the internet: This is the key step to ensure that the VMs are not directly accessible from the outside. Block all inbound traffic except traffic originating from within the VNet (or specific sources you need to allow). Allow outbound traffic to the internet through the load balancer: This allows the VMs to initiate outbound connections, which are then handled and NAT'd by the load balancer via the outbound rule. The default outbound rule should suffice here. Why the other options are incorrect: Add health probes to LB1: Health probes are necessary for the load balancer to determine the health of the backend VMs. While important for the load balancer's function in general, they are not directly related to the requirement of routing internet traffic through the load balancer and preventing direct access to the VMs. If you're not using the NSG, the load balancer is basically balancing traffic to the internet, but the client will go directly to your VM and not from your load balancer IP. Add an inbound rule to LB1: Inbound rules are for directing traffic to the VMs through the load balancer. Since the requirement is to prevent the VMs from being directly accessible on the internet, adding an inbound rule isn't directly relevant to that goal. Associate a user-defined route to Subnet1. User-defined routes (UDRs) are used to control the routing of traffic within the virtual network. While you could potentially use UDRs in a more complex scenario, using an NSG to block direct internet access is simpler and more direct.

You have SQL Server on an Azure virtual machine named SQL1. You need to automate the backup of the databases on SQL1 by using Automated Backup v2 for the virtual machines. The backups must meet the following requirements: – Meet a recovery point objective (RPO) of 15 minutes. – Retain the backups for 30 days. – Encrypt the backups at rest. What should you provision as part of the backup solution? Elastic Database jobs Azure Key Vault an Azure Storage account a Recovery Services vault

The correct answer is a Recovery Services vault. Here's why: Recovery Services Vault: This is the central management entity for Azure Backup. Automated Backup v2 for virtual machines uses the Recovery Services vault to orchestrate the backup process, store backup metadata, and manage retention policies. You'll configure the backup settings (frequency, retention, etc.) within the Recovery Services vault. Automated Backup v2 utilizes Log backups to achieve the RPO of 15 minutes. Here's why the other options are not the primary solution: Elastic Database jobs: These are used for managing and automating tasks across multiple Azure SQL databases. They are not directly related to backing up SQL Server running inside an Azure VM. Azure Key Vault: While you can integrate Azure Key Vault with Azure Backup to encrypt the backups themselves at rest, it is not required. Azure Backup, by default, can encrypt the backup data using platform-managed keys or customer-managed keys. Key Vault would be needed if you opted for customer-managed keys. And more importantly, a Recovery Services vault is required regardless to manage the overall backup process. an Azure Storage account: While backups are stored in Azure Storage, you don't directly provision a storage account for Automated Backup v2. The Recovery Services vault manages the storage account creation and configuration behind the scenes. You have limited control over this storage account.

You have an Azure subscription that contains an Azure key vault named KeyVault1 and the virtual machines shown in the following table. Name Connected to VM1 VNET1/Subnet1 VM2 VNET1/Subnet2 KeyVault1 has an access policy that provides several users with Create Key permissions. You need to ensure that the users can only register secrets in KeyVault1 from VM1. What should you do? Create a network security group (NSG) that is linked to Subnet1. Configure the Firewall and virtual networks settings for KeyVault1. Modify the access policy for KeyVault1. Configure KeyVault1 to use a hardware security module (HSM).

The correct answer is Configure the Firewall and virtual networks settings for KeyVault1. Here's why: Key Vault Firewall and Virtual Networks: This feature allows you to restrict access to your key vault based on the source IP address or the virtual network the request originates from. By configuring this, you can specify that only traffic originating from VNET1 (or, more specifically, Subnet1) is allowed to access KeyVault1. This ensures that only VM1 can register secrets. Here's why the other options are incorrect: Create a network security group (NSG) that is linked to Subnet1: NSGs control inbound and outbound traffic to and from a subnet or network interface. While you can use NSGs to restrict outbound traffic from VM2, you can't use them to grant specific access to KeyVault1 only from VM1. NSGs operate at the network layer and don't have the fine-grained control to say "Allow this specific action on this specific resource only from this VM." Modify the access policy for KeyVault1: Access policies control who (users, service principals, managed identities) has what permissions on the key vault (e.g., get, create, list). You already have an access policy granting users Create Key permissions. You can't use access policies to restrict where those permissions can be used from (i.e., only from VM1). Configure KeyVault1 to use a hardware security module (HSM): HSMs provide a higher level of security for storing keys, but they don't provide network-based access control. Using an HSM won't restrict access based on the source VM.

HOTSPOT You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You add the users in the following table. User Role User1 Owner User2 Security Admin User3 Network Contributor Which user can perform each configuration? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Add a subnet to VNet1: User1 only User3 only User1 and User3 only User2 and User3 only User1, User2, and User3 Assign a user the Reader role to VNet1: User1 only User2 only User3 only User1 and User2 only User2 and User3 only User1, User2, and User3 | User | Role

Here's the breakdown of which user can perform each configuration, along with the reasoning: Add a subnet to VNet1: User1 and User3 only Owner (User1): The Owner role has full control over the subscription and all its resources. This includes the ability to create and modify virtual networks and subnets. Network Contributor (User3): The Network Contributor role specifically grants permissions to manage network resources, including virtual networks and subnets. Security Admin (User2): The Security Admin role manages security-related configurations and policies. While they might be involved in securing a network, they don't have the inherent permission to directly modify network resources like adding subnets. Assign a user the Reader role to VNet1: User1 only Owner (User1): The Owner role possesses the right to assign roles to resources within the Azure subscription. Security Admin (User2): The Security Admin role can manage security-related configurations and policies, but does not have the ability to assign roles. Network Contributor (User3): The Network Contributor role specifically grants permissions to manage network resources, but does not have the ability to assign roles. In summary: Add a subnet to VNet1: User1 and User3 only Assign a user the Reader role to VNet1: User1 only

HOTSPOT You have an Azure subscription named Subscription1. In Subscription1, you create an alert rule named Alert1. The Alert1 action group is configured as shown in the following exhibit. ResourceGroupName : default-activitylogalerts GroupShortName : AG1 Enabled : True EmailReceivers : {Action1_-EmailAction-} SMSReceivers : {Action1_-SMSAction-} WebhookReceivers : {} Id : /subscriptions/a4fde29b-d56a-4f6c-8298-6c53cd0b720c/resourceGroups/default-activitylogalerts/providers/microsoft.insights/actionGroups/ActionGroup1 Name : ActionGroup1 Type : Microsoft.Insights/ActionGroups Location : Global Tags : {} Alert1 alert criteria is triggered every minute. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. The number of email messages that Alert1 will send in an hour is [answer choice]. 0 4 6 12 60 The number of SMS messages that Alert1 will send in an hour is [answer choice]. 0 4 6 12 60

Here's the breakdown of the correct answers: The number of email messages that Alert1 will send in an hour is [60]. The alert criteria is triggered every minute. This means that the action group (which includes sending an email) will also be triggered every minute. There are 60 minutes in an hour, therefore, 60 emails will be sent. The number of SMS messages that Alert1 will send in an hour is [60]. The alert criteria is triggered every minute. This means that the action group (which includes sending an SMS) will also be triggered every minute. There are 60 minutes in an hour, therefore, 60 SMS messages will be sent. Therefore the answers are: 60 60

You have an Azure subscription that contains the Azure SQL Database servers shown in the following table. Name Resource group Location SQL1 RG1 West US SQL2 RG2 West US The SQL Database servers have the elastic pools shown in the following table. Name SQL Database server vCores Maximum data size Pool1 SQL1 2 16 GB Pool2 SQL2 6 48 GB SQL1 has the SQL databases shown in the following table. SQL Database Name server vCores Maximum data size Elastic pool DB1 SQL1 4 30 GB None DB2 SQL1 2 10 GB Pool1 What will occur if you add DB1 to Pool1? The vCores on DB1 will decrease to two. The maximum data size of Pool1 will increase to 22 GB. The maximum data size of DB1 will decrease to 6 GB. The vCores on Pool1 will increase to four.

The correct answer is: The maximum data size of DB1 will decrease to 6 GB. Here's why: Elastic Pools and Resource Limits: Elastic pools provide a shared pool of resources (vCores, data size) for the databases within them. When a database is moved into an elastic pool, it becomes subject to the resource limits of that pool. This means that the database's individual resource limits (vCores, maximum data size) are governed by the pool's settings, even if the database was previously configured with higher values. Pool1 Limits: Pool1 has a maximum data size of 16 GB. When DB1, which is currently configured for 30 GB, is added to Pool1, its maximum data size will be constrained by what remains available within Pool1 for it. Pool1 Capacity and DB2: Currently Pool1 only contains DB2 which is set at 10GB. DB1 Changes: DB1 will be reduced to a maximum data size of 6GB which is what is available in Pool1 after DB2 is accounted for. Here's why the other options are incorrect: The vCores on DB1 will decrease to two: While the database will share vCores with other databases in the pool, its explicitly configured vCores do not automatically change. The database is still technically allocated its originally configured vCores, however the maximum it can consume at any time while in the pool is limited by what the pool has available, and what priority the DB is given. The effect is a maximum vCore limit of Pool1 / Number of Databases in the pool, or as configured under database settings within the pool. The maximum data size of Pool1 will increase to 22 GB: The operation of adding a DB to a pool does not dynamically increase the pool size. The pool is a separate entity that must be configured separately. The vCores on Pool1 will increase to four: The operation of adding a DB to a pool does not dynamically increase the pool vCore size. The pool is a separate entity that must be configured separately.

You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines. You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text. What should you create to store the password? an Azure Key Vault and an access policy Azure Active Directory (AD) Identity Protection and an Azure policy a Recovery Services vault and a backup policy an Azure Storage account and an access policy

The correct answer is an Azure Key Vault and an access policy. Here's why: Azure Key Vault: Key Vault is designed for securely storing secrets, keys, and certificates. It provides a centralized and secure way to manage sensitive information, preventing you from storing passwords in plain text in your ARM template. Access Policy: Access policies control which users, applications, or services have access to the secrets stored in the Key Vault. You would create an access policy to grant the appropriate permissions to your deployment process (e.g., a service principal) to retrieve the password from the Key Vault during the VM deployment. Here's why the other options are incorrect: Azure Active Directory (AD) Identity Protection and an Azure policy: Azure AD Identity Protection helps detect and remediate identity risks, but it's not designed for storing passwords. Azure Policy enforces organizational standards, but does not serve as a secure store for credentials. a Recovery Services vault and a backup policy: Recovery Services vaults are used for backup and disaster recovery. They aren't related to storing secrets or passwords. an Azure Storage account and an access policy: While Azure Storage can store data securely, it's not the appropriate service for managing and controlling access to secrets. Key Vault is specifically designed for this purpose, offering features like auditing, versioning, and access control tailored for secrets management.

You have an Azure Storage account named storage1 that is accessed by several applications. An administrator manually rotates the access keys for storage1. After the rotation, the applications fail to access the storage account. A developer manually modifies the applications to resolve the issue. You need to implement a solution to rotate the access keys automatically. The solution must minimize the need to update the applications once the solution is implemented. What should you include in the solution? an Azure AD enterprise application Azure Key Vault Azure Logic Apps an Azure Desired State Configuration (DSC) extension

The correct answer is Azure Key Vault. Here's why: Azure Key Vault for Secure Storage and Rotation: Azure Key Vault is the core component here. You store the Storage Account access keys in Key Vault. Applications don't directly use the keys. Instead, they use a managed identity to authenticate to Azure Key Vault, and then retrieve the Storage Account keys from there. Automatic Rotation with Least Application Impact: When you want to rotate the Storage Account keys, you rotate them in the Storage Account, and then update the values stored in Azure Key Vault with the new keys. Because the applications are retrieving the keys from Key Vault (and not storing them directly), they don't need to be changed. They simply start retrieving the new key values from Key Vault automatically. Here's why the other options are not as suitable: an Azure AD enterprise application: While enterprise applications can be used for authentication and authorization, they don't provide the secure storage and key rotation capabilities needed for this scenario. An enterprise application would be used to provide the managed identity required for this setup. Azure Logic Apps: Logic Apps can automate tasks, but they don't inherently provide a secure secrets storage or a mechanism for applications to dynamically retrieve those secrets without needing modification. Logic Apps could be used as part of solution that handles the rotation itself (updating the keys in storage account and Key Vault), but it's Key Vault that makes the entire thing work with minimal application impact. an Azure Desired State Configuration (DSC) extension: DSC is used for managing the configuration of virtual machines. While you could potentially use DSC to update configuration files containing connection strings, it doesn't address the core issue of secure secrets management and rotation, and would require significant application code changes. Furthermore, storing connection strings in files on VMs is less secure than using Key Vault.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription. You have an on-premises file server named Server1 that runs Windows Server 2019. You manage Server1 by using Windows Admin Center. You need to ensure that if Server1 fails, you can recover Server1 files from Azure. Solution: You create an Azure Storage account and an Azure Storage Sync service. You configure Azure File Sync for Server1. Does this meet the goal? Yes No

The answer is Yes. Here's why: Azure File Sync Overview: Azure File Sync allows you to centralize your organization's file shares in Azure Files while keeping the flexibility, performance, and compatibility of an on-premises file server. It effectively creates a cloud-based copy of your on-premises files. Protection Against Server Failure: If Server1 fails, the files are still stored in Azure Files. You can then: Provision a new Windows Server, install the Azure File Sync agent, and configure it to sync with the same Azure file share. This will download the files from Azure Files to the new server. Access the files directly in the Azure file share itself. This might be suitable for short-term access while a new server is being provisioned. Therefore, the solution meets the goal of being able to recover Server1 files from Azure in the event of a failure. The files are replicated to Azure.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription. You have an on-premises file server named Server1 that runs Windows Server 2019. You manage Server1 by using Windows Admin Center. You need to ensure that if Server1 fails, you can recover Server1 files from Azure. Solution: From the Azure portal, you create a Recovery Services vault. On Server1, you install the Azure Backup agent and you successfully perform a backup. Does this meet the goal? Yes No

The answer is Yes. Here's why: Azure Backup Overview: Azure Backup is a service that backs up your data to Azure. It can be used to protect a wide variety of workloads, including on-premises Windows Servers. Protection Against Server Failure: By installing the Azure Backup agent on Server1 and performing a successful backup to a Recovery Services vault, you have created a backup copy of Server1's data in Azure. If Server1 fails, you can use Azure Backup to restore the files to a new server or even to the same server (after it's repaired/replaced).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription. You have an on-premises file server named Server1 that runs Windows Server 2019. You manage Server1 by using Windows Admin Center. You need to ensure that if Server1 fails, you can recover Server1 files from Azure. Solution: You register Windows Admin Center in Azure and configure Azure Backup. Does this meet the goal? Yes No

The answer is No. Here's why: Registering Windows Admin Center in Azure: Registering Windows Admin Center in Azure allows you to manage your on-premises servers from the Azure portal. It provides a centralized management interface. This in itself, does not provide the capability to recover files to Azure. Configuring Azure Backup in Windows Admin Center: Configuring Azure Backup from Windows Admin Center is the critical point. If you configure Azure Backup on your server through the Windows Admin Center, you are then utilizing Azure Backup to store the data in Azure. Without Azure Backup: If you are not utilizing Azure Backup, and you simply register Windows Admin Center in Azure, your backups are still in your Server1 environment, and this does not meet the goal.

HOTSPOT You need to design an authentication solution that will integrate on-premises Active Directory and Azure Active Directory (Azure AD). The solution must meet the following requirements: – Active Directory users must not be able to sign in to Azure AD-integrated apps outside of the sign-in hours configured in the Active Directory user accounts. – Active Directory users must authenticate by using multi-factor authentication (MFA) when they sign in to Azure AD-integrated apps. – Administrators must be able to obtain Azure AD-generated reports that list the Active Directory users who have leaked credentials. – The infrastructure required to implement and maintain the solution must be minimized. What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Integrate Active Directory and Azure AD by using: Active Directory Federation Services Pass-through authentication with Azure AD Seamless SSO Pass-through authentication with Azure AD Seamless SSO and password hash synchronization Password hash synchronization with Azure AD Seamless SSO Implement MFA by using: A third-party authentication solution Azure MFA The Active Directory Federation Services (AD FS) Azure MFA adapter

Here's the breakdown of the correct selections: Integrate Active Directory and Azure AD by using: Password hash synchronization with Azure AD Seamless SSO Password hash synchronization: This is a critical requirement as it allows Azure AD to enforce policies like sign-in hours, which are based on Active Directory attributes. Password hash sync allows Azure AD to have a representation of the on-premises passwords, enabling it to work with Conditional Access policies that need on-premises user information. Password hash synchronization is also the simplest method. Azure AD Seamless SSO: Seamless SSO provides a better user experience by automatically signing users in when they are on their corporate network and using corporate devices, without prompting for their passwords. This complements password hash synchronization and enhances the user experience. Implement MFA by using: Azure MFA Azure MFA: Azure Multi-Factor Authentication (MFA) is the native solution in Azure for enforcing multi-factor authentication. It integrates directly with Azure AD and is the most straightforward and maintainable solution for requiring MFA for Azure AD-integrated apps. Here's why the other options are incorrect: Active Directory Federation Services (AD FS): AD FS is a more complex solution for federated identity, but it's not required in this scenario. Password hash synchronization with Seamless SSO provides the necessary functionality with significantly less infrastructure and management overhead. AD FS is useful when more complex trust relationships or authentication methods are required, but the requirements here don't warrant the added complexity of AD FS. Also, AD FS cannot report on leaked credentials. Pass-through authentication with Azure AD Seamless SSO: While pass-through authentication simplifies the sign-in experience, it doesn't allow Azure AD to enforce policies like sign-in hours based on Active Directory attributes. Azure AD needs to have synchronized password hashes to enforce AD policies, which pass-through authentication does not provide. A third-party authentication solution: Using a third-party authentication solution would add unnecessary complexity and management overhead. Azure MFA is the built-in solution and meets the requirements. The Active Directory Federation Services (AD FS) Azure MFA adapter: This option is only relevant if you are using AD FS. Since the recommended solution is to use password hash synchronization with Seamless SSO and Azure MFA, the AD FS adapter is not applicable.

You have resources in three Azure regions. Each region contains two virtual machines. Each virtual machine has a public IP address assigned to its network interface and a locally installed application named App1. You plan to implement Azure Front Door-based load balancing across all the virtual machines. You need to ensure that App1 on the virtual machines will only accept traffic routed from Azure Front Door. What should you implement? Azure Private Link service endpoints network security groups (NSGs) with service tags network security groups (NSGs) with application security groups

The correct answer is network security groups (NSGs) with service tags. Here's why: NSGs and Service Tags for Source Filtering: Network Security Groups (NSGs) are used to filter network traffic to and from Azure resources. Service tags represent a group of IP address prefixes from a given Azure service. By using service tags in your NSG rules, you can easily allow traffic from Azure Front Door while blocking all other traffic. Service Tag: AzureFrontDoor.Backend: Azure Front Door has a service tag named AzureFrontDoor.Backend. This service tag represents the IP address ranges used by Azure Front Door's backend services. You can create an NSG rule that allows inbound traffic from AzureFrontDoor.Backend and denies all other inbound traffic. This will ensure that only traffic originating from Azure Front Door can reach your virtual machines. Here's why the other options are incorrect: Azure Private Link: Azure Private Link provides private connectivity to Azure PaaS services from your virtual network. While it enhances security by removing exposure to the public internet, it's not directly applicable to ensuring that traffic only comes from Azure Front Door. Private Link is more relevant when you want to access a service from within your VNet without using public endpoints. Service endpoints: Service endpoints provide secure and direct connectivity from your virtual network to Azure service resources. Similar to Private Link, they don't directly address the requirement of restricting traffic to only come from Azure Front Door. They are for connecting to service resources, not filtering traffic sources. Network security groups (NSGs) with application security groups: Application security groups (ASGs) group VMs with similar functions together. While you can use ASGs in NSG rules, they don't help you filter traffic based on the source of the traffic (i.e., ensuring it only comes from Azure Front Door).

You have an Azure key vault named KV1. You need to ensure that applications can use KV1 to provision certificates automatically from an external certification authority (CA). Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. From KV1, create a certificate issuer resource. Obtain the CA account credentials. Obtain the root CA certificate. From KV1, create a certificate signing request (CSR). From KV1, create a private key,

Final Answer: The two correct actions are: From KV1, create a certificate issuer resource. Obtain the CA account credentials. Explanation of Correctness: Certificate Issuer Resource: This establishes the link between KV1 and the external CA, defining how KV1 communicates with the CA. It’s a one-time setup that enables automation by specifying the CA provider and credentials. Without this, KV1 cannot initiate certificate requests or renewals. CA Account Credentials: These are required to authenticate KV1 to the external CA, allowing it to request certificates and manage their lifecycle automatically. This is a prerequisite for the issuer resource to function effectively in an automated provisioning scenario.

You create the following Azure role definition. { "Name": "Role1", "Id": "80808080-8080-8080-8080-808080808080", "IsCustom": false, "Description": "", "Actions": [ "Microsoft.Storage/*/read", "Microsoft.Network/*/read", "Microsoft.Compute/*/read", "Microsoft.Compute/virtual Machines/start/action", "Microsoft.Compute/virtualMachines/restart/action", "Microsoft.Authorization/*/read"], "NotActions": [], "DataActions": [], "NotDataActions": [], "AssignableScopes": [] } You need to create Role1 by using the role definition. Which two values should you modify before you create Role1? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. AssignableScopes Description DataActions IsCustom Id

The two values that need to be modified before creating the role definition are: AssignableScopes Id Here's why: AssignableScopes: This property defines where the custom role can be assigned. You must specify at least one scope (e.g., subscription, resource group) to make the role useful. Without an assignable scope, the role cannot be assigned to any user, group, or service principal. This is the most critical change required. Id: This property must be a unique GUID. The provided GUID "80808080-8080-8080-8080-808080808080" is likely a placeholder or a default and will cause a conflict if you try to create another role with the same ID. Azure will generate a GUID for you, or you can generate one yourself (using New-Guid in PowerShell, for example) to ensure uniqueness. Here's why the other options are not required to be modified, though some could be: Description: While a description is recommended for clarity, it's not mandatory for creating the role. You can leave it as an empty string ("") if you choose. DataActions: This property is for specifying actions that can be performed on data within a resource (e.g., reading blob data, sending a message to a queue). Since the current role primarily grants management plane access, the DataActions property is left empty, which is perfectly valid if the role doesn't need to manage data actions. IsCustom: The value should be set to true when the role is customer created. The value in the presented code, is set to false. In summary: AssignableScopes must be set to define where the role can be assigned. Id must be a unique GUID to avoid conflicts with existing roles.

You have the following Azure Active Directory (Azure AD) tenants: – Contoso.onmicrosoft.com: Linked to a Microsoft 365 tenant and syncs to an Active Directory forest named contoso.com by using password hash synchronization – Contosoazure.onmicrosoft.com: Linked to an Azure subscription named Subscription1 You need to ensure that you can assign the users in contoso.com access to the resources in Subscription1. What should you do? Create an Azure management group that contains Subscription1. Configure contoso.onmicrosoft.com to use pass-through authentication. Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com. Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com.

The correct answer is: Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com. Here's why: Azure AD Tenants and Access Control: Azure AD tenants are isolated security boundaries. To grant users from one tenant (contoso.onmicrosoft.com) access to resources in another tenant (contosoazure.onmicrosoft.com), you need to create a representation of those users in the target tenant. The standard way to do this is by creating guest accounts. Guest Accounts: Guest accounts are B2B (Business-to-Business) collaboration accounts in Azure AD. They allow users from external Azure AD tenants or other identity providers to access resources in your Azure AD tenant. Here's why the other options are incorrect: Create an Azure management group that contains Subscription1: Management groups are used for organizing and managing Azure subscriptions and resources. While management groups are useful for setting policies and assigning roles at a higher level, they don't solve the fundamental problem of cross-tenant identity and access management. Creating a management group will not automatically grant access to users in another tenant. Configure contoso.onmicrosoft.com to use pass-through authentication: Pass-through authentication is an authentication method that allows users to sign in to Azure AD-integrated applications using the same password they use on their on-premises Active Directory. While pass-through authentication can simplify sign-in, it doesn't resolve the issue of users needing a representation in the contosoazure.onmicrosoft.com tenant to be granted access to resources. The users still do not exist in the Azure AD. Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com: Setting up AD FS federation is overly complex for this scenario. Federation is useful when you need to establish a trust relationship between two organizations to allow users to seamlessly access resources across both organizations using their existing credentials. Guest accounts with B2B collaboration are much simpler to set up and maintain for granting access to resources in a different Azure AD tenant.

You are developing an application that will enable users to download content from an Azure Storage account. The users must only be able to download the content for a period of seven days. You need to recommend an authentication solution to access the storage account. What should you include in the recommendation? shared access signature (SAS) tokens identity-based authentication that uses Active Directory Domain Services (AD DS) storage access key identity-based authentication that uses Azure Active Directory (Azure AD)

The correct answer is shared access signature (SAS) tokens. Here's why: Shared Access Signatures (SAS): SAS tokens provide granular, time-bound, and secure access to specific resources in Azure Storage. You can create a SAS token that grants read-only access to the content for a specific duration (in this case, seven days). The SAS token includes all the necessary authorization information, so the application doesn't need to store any credentials. Controlling Access Duration: One of the key benefits of SAS tokens is that you can specify the start and expiry time for the access. This perfectly fulfills the requirement of allowing users to download content only for seven days. Here's why the other options are incorrect: Identity-based authentication that uses Active Directory Domain Services (AD DS): AD DS is an on-premises directory service. While you can integrate AD DS with Azure, using it directly for storage access would be more complex and less suitable for this scenario, which requires time-limited access. AD DS authentication is typically used for VMs and servers, but not directly for user-specific storage access. Storage access key: Storage account access keys provide full access to the entire storage account. Sharing the storage access key would be a significant security risk, and it doesn't allow you to control the access duration or the specific resources that the users can access. Identity-based authentication that uses Azure Active Directory (Azure AD): Azure AD authentication provides identity-based access to Azure resources. While it's a more secure approach than using storage access keys, it requires creating and managing user identities in Azure AD, and it doesn't provide a built-in mechanism for limiting the access duration. You would need to implement additional logic in your application to enforce the seven-day limit. Using SAS, the Azure storage automatically expires the token without requiring any code.

HOTSPOT You have an on-premises server that runs Windows Server 2019 and hosts a web app named App1. You have an Azure subscription named Subscription1. You plan to migrate App1 to Subsciption1 by using Azure Migrate. To which type of Azure service will App1 be migrated, and what should you provide during the migration? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Azure service type: A logic app An app service A virtual machine A container instance During the migration, provide: The device code An X.509 certificate A personal access token (PAT)

Here's the breakdown of the correct selections: Azure service type: An app service The question states you are migrating a web app named App1. The Azure App Service is designed to host web applications. Azure Migrate can be used to migrate on-premises web applications to Azure App Service. During the migration, provide: A personal access token (PAT) When migrating to Azure App Service using Azure Migrate, you'll need to provide credentials to access the source web app (in this case, on-premises Server1). A Personal Access Token (PAT) can be used to authenticate to a deployment source (like an on-premises web server) during the migration process. Here's why the other options are incorrect: A logic app: Logic Apps are designed for automating workflows and integrating applications, but they are not the correct type of service for hosting a web application directly. A virtual machine: While you could migrate App1 to an Azure virtual machine, it would be less efficient and cost-effective than using Azure App Service, which is optimized for hosting web apps. App Service abstracts away much of the infrastructure management required with VMs. A container instance: Container Instances are useful for running isolated containers, but they're generally not used for directly migrating existing web applications that are already running on a web server. Container Instances are better suited for containerized applications or microservices. The device code: Device code authentication is typically used for headless devices or applications without a browser to authenticate with Azure Active Directory. An X.509 certificate: While X.509 certificates are used for securing communications and authenticating to resources, they're not the typical credential type used during an Azure Migrate migration.

You create the user-assigned managed identities shown in the following table. Name Resource group Location Identity1 RG1 West US Identity2 RG2 Central US Identity3 RG2 West US You create a virtual machine that has the following configurations: – Name: VM1 – Location: West US – Resource group: RG1 Which managed identities can you add to VM1? Identity1 only Identity1 and Identity2 only Identity1 and Identity3 only Identity1, Identity2, and Identity3

The correct answer is Identity1 and Identity3 only. Here's why: User-assigned managed identities must reside in the same Azure region as the virtual machine they are assigned to. VM1 Location: West US Identity1 Location: West US (Same region as VM1) - Therefore, it can be assigned. Identity2 Location: Central US (Different region from VM1) - Therefore, it cannot be assigned. Identity3 Location: West US (Same region as VM1) - Therefore, it can be assigned. While user-assigned managed identities can be in a different resource group than the resource to which they are assigned, they cannot be in a different region.

You have an Azure key vault named KV1 and an Azure web app named WebApp1. WebApp1 runs in a Shared App Service plan. You need to grant WebApp1 permissions to KV1. What should you do? Change to a Standard App Service plan. Add a certificate to WebApp1. Change to a Basic App Service plan. Add a managed identity to WebApp1.

The correct answer is Add a managed identity to WebApp1. Here's why: Managed Identities for Azure Resources: Managed identities provide an Azure service (like a web app) with an automatically managed identity in Azure Active Directory (Azure AD). This allows the service to authenticate to other Azure services (like Key Vault) without needing to embed credentials in the code or configuration. Key Vault Access Control: Key Vault uses Azure AD for authentication. You grant access to Key Vault by assigning permissions to Azure AD identities. By enabling a managed identity for WebApp1, you can then grant that identity the appropriate permissions (e.g., Get Secret) on KV1. Here's why the other options are not the correct solution: Change to a Standard App Service plan: While upgrading to a Standard App Service plan provides more resources and features, it's not directly related to granting WebApp1 permissions to Key Vault. The managed identity feature is the key to secure authentication. Add a certificate to WebApp1: Adding a certificate to WebApp1 might be needed for HTTPS communication, but doesn't grant WebApp1 permission to access Key Vault. Certificates handle secure communication, not service-to-service authentication. Change to a Basic App Service plan: The same logic applies to the Basic app service plan. Upgrading or downgrading the service plan is not the correct way to solve the authentication problem. In fact, Managed Identities are supported in the Basic App Service plan (and higher).

HOTSPOT You have an Azure subscription that contains 20 virtual machines. The virtual machines run Windows Server 2019. You need to enable Update Management and deploy the required agents to the virtual machines. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. To enable Update Management, modify: the Log Analytics workspace the Azure Sentinel workbook the Azure Automation account To deploy the required agents to the virtual machines, use: An Azure Sentinel workbook An Azure Automation account An Azure Log Analytics workspace

Here's the breakdown of the correct selections: To enable Update Management, modify: the Azure Automation account Update Management is a feature of Azure Automation. To enable it, you need to enable the Update Management solution in your Azure Automation account. To deploy the required agents to the virtual machines, use: An Azure Automation account The Log Analytics agent (MMA) is required to enable the Update Management, however, the process to enable the Update Management solution is performed in the Azure Automation Account. Here's why the other options are incorrect: The Log Analytics workspace: A Log Analytics workspace is where the logs and data collected by Update Management are stored, but you don't modify it to enable the feature itself. It is a destination not a configuration point. The Azure Sentinel workbook: Azure Sentinel is a cloud-native SIEM (Security Information and Event Management) platform. While Sentinel can consume logs from Update Management, you don't enable Update Management or deploy agents through Sentinel.

Answer 30

Correct Answer: Automation Runbook Why it’s correct: Restart VMs: An Automation Runbook can execute Restart-AzVM to restart the VMs when the alert fires, meeting the functional requirement. Minimize Administrative Effort: Runbooks are natively supported by Azure Monitor action groups, requiring only a simple script (e.g., below) and minimal setup. Once created, it’s a set-and-forget solution with no external dependencies or complex workflows. powershell param ([string]$resourceId) Connect-AzAccount -Identity Restart-AzVM -ResourceId $resourceId Uses Managed Identity for authentication, reducing credential management. No need for external systems or custom endpoints. Exam Context (AZ-305): AZ-305 tests practical Azure automation solutions. Automation Runbooks are a go-to choice for simple, resource-specific tasks like VM management, aligning with Azure best practices. How it works: Create an Azure Automation Account and a PowerShell runbook to restart VMs (using Restart-AzVM). In Azure Monitor, create a metric alert for CPU usage > 95% over 30 minutes (e.g., using the "Percentage CPU" metric). Configure an action group, selecting "Automation Runbook" as the action type and linking the runbook. When the alert triggers, the runbook executes and restarts the affected VM(s).

Answer 31

The correct answer is Syslog. Explanation: Syslog Configuration Setting: Syslog is the standard protocol for message logging in Linux and other Unix-like systems. The Azure Log Analytics agent for Linux is designed to collect logs from the Syslog facility. By modifying the Syslog configuration setting in your Log Analytics workspace (specifically, under the "Agents configuration" or "Data" settings for Linux Data Sources), you can specify which Syslog facilities and severities you want to collect from your Linux virtual machines. Common Syslog facilities include auth, cron, daemon, kern, local0 through local7, lpr, mail, news, syslog, and user. Severities range from Emergency to Debug. Example Configuration: You might configure Syslog to collect: facility: auth with minimum severity: Warning (to collect authentication-related warnings and errors) facility: daemon with minimum severity: Error (to collect daemon-related errors) facility: user with minimum severity: Information (to collect user-level informational events) Why other options are incorrect: Linux performance counters: This setting is for collecting performance metrics (CPU, memory, disk I/O, network) from Linux VMs, not events or logs. While performance counters are valuable for monitoring VM performance, they are not the source of event logs that you'd typically collect for application or system troubleshooting. Custom fields: Custom fields are used to parse and extract specific data within logs that are already being collected. They are not a setting to enable the collection of logs themselves. Custom fields are applied after you've configured the agent to collect Syslog or other log types, to further process the ingested log data. In summary: To collect events (logs) from Linux virtual machines to Azure Log Analytics, you need to modify the Syslog configuration setting in the Log Analytics workspace to specify which Syslog facilities and severities you want to ingest. Final Answer: The final answer is Syslog.

Answer 32

To determine the storage requirements for Contoso, we need to review the "Requirements" section of the case study, specifically focusing on planned changes and technical requirements related to storage. Planned Changes and Technical Requirements related to Storage: Move the existing product blueprint files to Azure Blob storage: This explicitly states that Contoso needs to use Azure Blob storage for storing blueprint files. Copy the blueprint files to Azure over the Internet: This indicates that the storage solution needs to be accessible over the internet for data transfer. Ensure that the blueprint files are stored in the archive storage tier: This mandates the use of the Azure Blob storage Archive tier for cost optimization of infrequently accessed blueprint files. Ensure that partner access to the blueprint files is secured and temporary: This implies the need for secure, time-limited access to the blueprint files, which can be achieved using Shared Access Signatures (SAS) in Azure Blob storage. Use unmanaged standard storage for the hard disks of the virtual machines: This specifies the type of storage to be used for VM disks (unmanaged standard storage), but it's about VM disk storage, not blueprint file storage. Analyzing each statement: Statement 1: Contoso requires a storage account that supports Blob storage. Analysis: The requirement "Move the existing product blueprint files to Azure Blob storage" directly states the need for Blob storage. Azure Blob storage is designed for storing massive amounts of unstructured data, such as documents, media files, and application installers, which aligns with the description of blueprint files. Conclusion: Yes, Contoso definitely requires a storage account that supports Blob storage. Statement 2: Contoso requires a storage account that supports Azure Table storage. Analysis: There is no mention in the requirements or existing environment description about needing Azure Table storage. Azure Table storage is a NoSQL key-value store, suitable for structured non-relational data. The case study focuses on blueprint files (unstructured data for Blob storage) and moving SQL databases. There's no indication of a need for Table storage. Conclusion: No, there is no requirement stated in the case study that necessitates Azure Table storage. Statement 3: Contoso requires a storage account that supports Azure File Storage. Analysis: Azure File Storage provides fully managed file shares in the cloud that are accessible via the SMB protocol. While the existing environment mentions "File servers," the planned changes specifically state "Move the existing product blueprint files to Azure Blob storage," not Azure File Storage. Azure File Storage is typically used for migrating file shares that need to be accessed by applications using standard file system protocols (SMB/NFS). For blueprint files intended for partner access and archive storage, Blob storage is a more suitable and scalable choice. Conclusion: No, based on the requirements, there's no explicit need for Azure File Storage. Blob storage is explicitly mentioned and more appropriate for the blueprint files scenario. Final Answer: Statements Yes No Contoso requires a storage account that supports Blob storage. ☑ ☐ Contoso requires a storage account that supports Azure Table storage. ☐ ☑ Contoso requires a storage account that supports Azure File Storage. ☐ ☑

Answer 33

To move the blueprint files to Azure Blob storage over the internet, we need to choose a method that is efficient, secure, and minimizes administrative effort, as per the requirements. Let's analyze each option: Use the Azure Import/Export service. Analysis: Azure Import/Export service is designed for transferring large amounts of data to Azure Storage by physically shipping disk drives to an Azure datacenter. This service is most beneficial when network bandwidth is limited, or the data volume is extremely large (terabytes or petabytes). Suitability: While Import/Export is suitable for large datasets, the requirement states "Copy the blueprint files to Azure over the Internet." This suggests that internet connectivity is available and should be used. Using Import/Export would involve shipping disks, which is more complex and time-consuming than a network-based transfer over the internet, and likely more administrative effort for this scenario. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer. Analysis: A Shared Access Signature (SAS) provides secure, delegated access to Azure Storage resources. Generating a SAS is a good security practice for granting temporary access. Mapping a drive to Azure Blob storage using WebDAV and then using File Explorer is possible, but it's not the most efficient or robust method for bulk file transfer to Blob storage. File Explorer and WebDAV are better suited for occasional file access and management, not for large-scale or frequent data migration. Suitability: While SAS is good for security, mapping a drive and using File Explorer for copying blueprint files is not an optimal approach for efficiency or minimizing administrative effort, especially for potentially numerous or large blueprint files. Use Azure Storage Explorer to copy the files. Analysis: Azure Storage Explorer is a free, standalone application from Microsoft specifically designed for managing Azure Storage resources, including Blob storage. It provides a graphical user interface for efficiently uploading, downloading, and managing blobs. Storage Explorer is optimized for transferring files to and from Azure Storage over the internet. It supports various authentication methods, including storage account access keys and SAS tokens. Suitability: Azure Storage Explorer is an excellent tool for this task. It is user-friendly, efficient for internet-based transfers, and minimizes administrative effort by providing a visual interface and optimized transfer mechanisms for Azure Blob storage. Generate an access key. Map a drive, and then copy the files by using File Explorer. Analysis: Using a storage account access key provides full administrative access to the storage account. While it would allow File Explorer to authenticate and access the storage account, using access keys directly in client applications is a security risk and is generally discouraged. SAS tokens are preferred for delegated and temporary access. Mapping a drive and using File Explorer, even with an access key, is still not as efficient or recommended for bulk upload to Blob storage as using a dedicated tool like Azure Storage Explorer. Suitability: While technically possible, using access keys directly and File Explorer is less secure and less efficient than using Azure Storage Explorer. It also does not minimize administrative effort compared to using a tool designed for storage management. Conclusion: Azure Storage Explorer is the most appropriate solution for moving the blueprint files to Azure Blob storage over the internet. It is designed for this type of task, is efficient, secure (can use SAS or access keys, but SAS is recommended for better security in general scenarios), and minimizes administrative effort by providing a dedicated tool with a graphical interface for Azure Blob storage management. Final Answer: Use Azure Storage Explorer to copy the files.

Answer 34

To implement a backup solution for App1 in Azure using Azure Backup, the first step is to create a Recovery Services vault. Here's why: Recovery Services vault: Central Management: A Recovery Services vault is the foundational, top-level Azure resource for Azure Backup. It acts as a management container for your backup data, backup policies, and protected items. Prerequisite for Backup: Before you can configure backups for any Azure resources (like VMs, SQL databases, etc.) using Azure Backup, you must first create a Recovery Services vault in your Azure subscription and region. Policy and Item Association: Backup policies and protected items (like VMs) are associated with a Recovery Services vault. You create backup policies within a vault and then apply them to resources you want to protect within that vault. Let's analyze why the other options are not the correct first step: an Azure Backup Server: Azure Backup Server (MABS) is an on-premises server that you can use to back up on-premises workloads and certain Azure workloads to Azure. While MABS can be part of a hybrid backup strategy, it's not the first resource you create in Azure to start using Azure Backup for Azure resources. The question is about implementing a backup solution in Azure for App1 after it is moved to Azure, implying we are focusing on Azure-native backup services. a recovery plan: Recovery plans are used with Azure Site Recovery (ASR) for orchestrating disaster recovery failover and failback of virtual machines. Recovery plans are not related to Azure Backup, which is for data protection and restoration, not DR orchestration. a backup policy: A backup policy defines the schedule and retention settings for backups. You create backup policies after you have a Recovery Services vault. You cannot create a backup policy without first having a vault to contain it. Backup policies are associated with a Recovery Services vault. Sequence of Azure Backup Setup: The typical sequence for setting up Azure Backup for Azure resources is: Create a Recovery Services vault. (First step) Configure backup policies within the vault (define schedule, retention). Configure protected items (select VMs, SQL databases, etc.) and associate them with backup policies within the vault. Conclusion: The Recovery Services vault is the essential and first resource you must create in Azure to begin implementing a backup solution using Azure Backup. Final Answer: The final answer is a Recovery Services vault.

Answer 35

The question asks what to do first to ensure NoSQL data (currently in Azure Table storage within storage2) is encrypted and meets security requirements. Let's analyze the options in the context of Azure Storage encryption and the case study requirements. Existing Environment and Requirements Analysis: Existing NoSQL Data: 500 GB of NoSQL data in Azure Table storage within storage2. Storage2 Type: Storage (general purpose v1). Security Requirement: "Azure Storage must encrypt all data by using keys issued by the internal CA of Litware." This points to Customer-Managed Keys (CMK) for Azure Storage encryption, specifically using keys from Litware's internal CA (likely meaning Azure Key Vault integration). Encryption State of Storage (general purpose v1): General-purpose v1 storage accounts do not support Azure Storage encryption (SSE) with Customer-Managed Keys (CMK). They only support Service-Managed Keys (SSE-S2). Evaluating each option: Upgrade storage2 to StorageV2 (general purpose v2). Analysis: Upgrading storage2 to General-purpose v2 (StorageV2) is a necessary first step. StorageV2 accounts do support Azure Storage encryption (SSE) with Customer-Managed Keys (CMK). General-purpose v1 accounts do not offer this feature. Benefits: Upgrading to StorageV2 is generally recommended for modern storage features, performance, and cost optimization. It also unlocks the ability to use CMK encryption, which is required for the security requirement. Impact on NoSQL data: Upgrading a storage account type does not typically cause data loss or require data migration within the same account. Azure handles the upgrade process. Meets Security Requirement (Partially): Upgrading to StorageV2 enables CMK encryption, which is a prerequisite for meeting the security requirement, but upgrading alone doesn't enable CMK encryption. Create a new general-purpose v2 storage account. Analysis: Creating a new StorageV2 account would also allow for CMK encryption. However, it would require migrating the 500 GB of NoSQL data from storage2 (v1) to the new v2 storage account. This data migration is an additional step and effort that might be avoidable if we can simply upgrade storage2. Suitability as "First Step": Creating a new account is not the first step if we can upgrade the existing one. Upgrading is generally less disruptive and requires less initial migration effort. Create a new Azure Blob storage account. Analysis: Creating a new Blob storage account (BlockBlobStorage account type) is also not the most direct first step for the NoSQL data which is currently in Table storage within storage2. While Blob storage accounts also support CMK encryption, Table storage is a different service and data model than Blob storage. Migrating Table storage data to Blob storage would be a significant data model change and likely not intended based on the case study (which mentions migrating from on-premises NoSQL to Azure Table storage, implying continued use of Table Storage). Modify the Encryption settings of storage2. Analysis: You cannot directly "modify the Encryption settings of storage2" to enable Customer-Managed Keys if storage2 is a general-purpose v1 account. General-purpose v1 accounts simply don't support CMK. This option is premature and not possible as a first step until storage2 is upgraded to StorageV2. After upgrading to StorageV2, then modifying encryption settings to enable CMK would be a valid subsequent step. Conclusion: The most logical and efficient first step to ensure NoSQL data encryption and meet the security requirement is to Upgrade storage2 to StorageV2 (general purpose v2). This upgrade is a prerequisite to enabling Customer-Managed Keys encryption for the existing Table storage data within storage2. After the upgrade, you can then modify the encryption settings to configure CMK with Azure Key Vault and Litware's internal CA keys. Final Answer: The final answer is Upgrade storage2 to StorageV2 (general purpose v2).

Answer 36

To implement Azure AD Seamless SSO for Fabrikam users to authenticate to the Litware.com tenant, we need to integrate the Fabrikam identities with the Litware.com Azure AD tenant in a way that supports Seamless SSO and avoids creating guest accounts, as per the requirements. Let's analyze each option in the context of Azure AD Seamless SSO and the given requirements: Option 1: Create a new Azure AD tenant named fabrikam.com Analysis: Creating a new Azure AD tenant for Fabrikam would isolate Fabrikam identities in a separate tenant. This would not allow Fabrikam users to authenticate to the Litware.com tenant using Seamless SSO. Seamless SSO is about authenticating to a specific Azure AD tenant, in this case, Litware.com. A separate Fabrikam tenant would not fulfill this requirement. Conclusion: Incorrect. This option does not address the requirement for Fabrikam users to authenticate to the Litware.com tenant using Seamless SSO. Option 2: From the Fabrikam forest, configure an additional UPN suffix of Litware.com. Analysis: Adding Litware.com as an additional UPN suffix in the Fabrikam on-premises Active Directory is not directly related to enabling Azure AD Seamless SSO in the Litware.com tenant for Fabrikam users. While UPN suffixes are important for user identities, changing the UPN suffix in Fabrikam forest to Litware.com would be confusing and not the correct approach for cross-forest authentication. Seamless SSO leverages existing UPNs. Conclusion: Incorrect. This option is not the correct way to enable Seamless SSO for Fabrikam users in the Litware.com tenant. Option 3: From the Fabrikam forest, configure all users to have a UPN suffix of Litware.com. Analysis: This is even more incorrect than Option 2. Changing the UPN suffix for all Fabrikam users to Litware.com in their on-premises fabrikam.com forest is disruptive, incorrect identity management, and not related to enabling Seamless SSO for cross-tenant authentication. This would fundamentally change the identity structure in Fabrikam and is not a viable solution. Conclusion: Incorrect. This option is a highly inappropriate and disruptive action. Option 4: From the Litware.com tenant, add a custom domain named fabrikam com. Analysis: Adding fabrikam.com as a custom domain to the Litware.com Azure AD tenant is the correct first step towards enabling authentication for Fabrikam users in the Litware.com tenant without creating guest accounts. Domain Verification: Adding a custom domain involves verifying domain ownership, which is a standard procedure for managing identities in Azure AD. Identity Integration: Adding fabrikam.com as a custom domain allows you to potentially manage Fabrikam users within the Litware.com tenant or set up federation. While Seamless SSO itself is primarily configured on-premises and in Azure AD Connect, adding the custom domain is a necessary prerequisite for many identity integration scenarios, including federation or potentially using Azure AD Connect to sync Fabrikam users to Litware.com tenant (though this case does not explicitly mention directory sync for Fabrikam). In the context of Seamless SSO for Fabrikam users to Litware.com tenant without guest accounts, adding the custom domain is a logical preparatory step. Avoid Guest Accounts: By integrating Fabrikam's domain with Litware.com tenant, you move towards a more integrated identity model rather than relying on guest accounts, which aligns with the company policy. Although Seamless SSO itself is configured via Azure AD Connect and on-premises AD, the question is asking for a first step that supports the overall goal. Adding the custom domain is a foundational step to integrate Fabrikam identities into the Litware.com Azure AD tenant, which is necessary to enable any form of direct authentication (including Seamless SSO or federation) for Fabrikam users without relying on guest accounts. Conclusion: Option 4, From the Litware.com tenant, add a custom domain named fabrikam com, is the most logical and correct first step to support Azure AD Seamless SSO for Fabrikam users to the Litware.com tenant, while adhering to the requirement of not creating guest user accounts and supporting planned changes and authentication requirements. It sets the stage for further identity integration configuration. Final Answer: The final answer is From the Litware.com tenant, add a custom domain named fabrikam com.

Answer 37

The correct sequence of actions to ensure virtual machine disks are encrypted in Sub1, meeting the security requirements, is: Register the Microsoft.Compute encryption provider feature. Register the Microsoft KeyVault resource provider. Create a key in KV1 and configure a disk encryption set. This sequence is correct for the following reasons: Registering the Microsoft.Compute encryption provider feature is necessary to enable advanced encryption capabilities for virtual machines1. Registering the Microsoft KeyVault resource provider is required to use Azure Key Vault for storing encryption keys1. Creating a key in KV1 and configuring a disk encryption set allows for the use of customer-managed keys for disk encryption, which provides more control over the encryption process1. This approach ensures that all disks, including temporary disks, are encrypted, meeting the security requirement: "Azure virtual machines must have all their disks encrypted, including the temporary disks"1.

Answer 38

To configure Azure AD Seamless SSO for Fabrikam users to authenticate to the Litware.com tenant, the key is to extend the Seamless SSO configuration in the Litware.com tenant to recognize and trust authentication requests coming from the Fabrikam environment. Let's analyze the options in terms of being the first step in this process. the Azure AD Connect provisioning agent on SERVER1: Analysis: The Azure AD Connect provisioning agent is used for Azure AD Connect cloud sync, which is a newer, lighter-weight synchronization option. While provisioning agents are part of Azure AD Connect ecosystem, they are not directly involved in configuring or enabling Azure AD Seamless SSO. Seamless SSO is a feature configured within the main Azure AD Connect application itself. Installing the provisioning agent on SERVER1 (a Fabrikam domain member server) would not be the first step to enable Seamless SSO for Fabrikam users to Litware.com. Conclusion: Incorrect. The provisioning agent is not the primary component for enabling Seamless SSO. the Azure AD Connect provisioning agent on DC1: Analysis: Similar to the previous option, the provisioning agent is not the core component for Seamless SSO. Installing it on DC1 (a Litware domain controller) is also not the correct first step for configuring Seamless SSO for Fabrikam users. Seamless SSO configuration happens within the Azure AD Connect application. Conclusion: Incorrect. The provisioning agent is not the primary component for enabling Seamless SSO. Azure AD Connect in staging mode on SERVER1: Analysis: Installing Azure AD Connect in staging mode on SERVER1 (a Fabrikam domain member server) is a more relevant option related to Azure AD Connect. Staging mode is used for testing configurations without active synchronization to Azure AD. While SERVER1 is in the Fabrikam domain, setting up Azure AD Connect in staging mode could be a preparatory step to configure and test Seamless SSO settings related to the Fabrikam forest before making it active or impacting the existing Litware.com sync. It allows for experimentation and configuration in a non-production impacting way. Although SERVER1 in Fabrikam forest is not the ideal location for managing SSO for Fabrikam to Litware, in the context of these options, it's the closest to a plausible first configuration step involving Azure AD Connect. Conclusion: Plausible as a first step for configuration and testing in a non-disruptive manner, even though SERVER1's domain is not Litware. an Azure AD Connect primary server on SERVER1: Analysis: Installing a primary Azure AD Connect server on SERVER1 (Fabrikam domain) to connect to the Litware.com tenant is architecturally less likely to be the first step for Seamless SSO configuration in this cross-forest scenario. Typically, Seamless SSO configuration for a tenant is managed by the Azure AD Connect instance that is already syncing to that tenant (in this case, the existing Litware.com Azure AD Connect setup, although its location is not specified). Setting up a new primary Azure AD Connect server on SERVER1 for Litware.com tenant is not the standard approach and might even conflict with the existing Azure AD Connect setup for Litware.com. Conclusion: Less likely and potentially disruptive as a first step. Most Logical First Step (Considering Imperfect Options): Given the available options and the need to start configuring Azure AD Seamless SSO for Fabrikam users to Litware.com, installing Azure AD Connect in staging mode on SERVER1 is the most reasonable first action to perform. It allows for a non-production impacting environment to begin exploring and configuring Azure AD Connect settings that might be related to extending Seamless SSO to Fabrikam users, even though SERVER1 is in Fabrikam's domain and not the ideal management location for Litware.com Azure AD tenant integration. The other options are less relevant to starting the Seamless SSO configuration process itself. Final Answer: The final answer is Azure AD Connect in staging mode on SERVER1.

Answer 39

The correct answers are Authenticator app and Short Message Service (SMS) messages. Explanation: Let's analyze each authentication method and its applicability to both MFA and SSPR: Authenticator app: MFA: The Microsoft Authenticator app (and other authenticator apps that support TOTP) is a widely used and secure method for MFA. It can provide push notifications for approval or generate time-based one-time passcodes (TOTP). SSPR: The Authenticator app can also be used for SSPR. Users can receive push notifications or use TOTP codes to verify their identity during the password reset process. Conclusion: The Authenticator app is a valid and recommended method for both MFA and SSPR. Short Message Service (SMS) messages: MFA: SMS messages are a common method for MFA, where a verification code is sent to the user's mobile phone via SMS. SSPR: SMS is also a frequently used method for SSPR. Users can receive a verification code via SMS to their registered mobile phone number to reset their password. Conclusion: SMS messages are a valid and widely used method for both MFA and SSPR. Email addresses: MFA: While email can be used as a fallback MFA method (e.g., sending a verification code to an email address), it is generally considered less secure than other methods like Authenticator app or SMS for MFA in isolation. Email accounts themselves can be compromised. SSPR: Email addresses are a very common and primary method for SSPR. Users typically receive a password reset link or verification code to their alternate email address or primary email address. Conclusion: Email addresses are primarily a core method for SSPR and can be used as a weaker fallback for MFA in certain configurations, but might not be considered as robust or primary MFA method compared to Authenticator app or SMS. However, if the question is asking for methods usable for both, then email addresses, especially alternate email addresses configured for recovery, can be considered usable for both. App passwords: MFA: App passwords are not an authentication method for MFA itself. App passwords are a security feature that allows users who have MFA enabled on their accounts to use older, legacy applications that do not support modern authentication. App passwords are generated after MFA is enabled to bypass MFA prompts for these legacy apps. They are not used as a method to perform MFA itself. SSPR: App passwords are not used in SSPR processes. Conclusion: App passwords are not an authentication method for either MFA or SSPR in the way the question intends. Security questions: MFA: Security questions were historically used as a form of authentication, including for MFA in some older systems. However, they are now strongly discouraged for MFA due to significant security vulnerabilities (easily guessable, social engineering risks, etc.). Modern MFA strongly prefers more robust methods like Authenticator apps, SMS, or FIDO2 keys. SSPR: Security questions are a common and still used method for SSPR, although their security is also debated. They are often used as a fallback or secondary SSPR method. Conclusion: Security questions are primarily an SSPR method and are not recommended nor a best practice for MFA in modern security contexts. While technically usable for SSPR and historically used in some MFA scenarios (now discouraged), they are not a strong or preferred method for both. Selecting the Best Two for "Both MFA and SSPR": Considering the most robust, widely used, and recommended methods for both MFA and SSPR, the best two choices from the list are: Authenticator app Short Message Service (SMS) messages These two methods are consistently strong and commonly deployed for both modern MFA and SSPR implementations in Azure AD. Final Answer: The final answer is Authenticator app and Short Message Service (SMS) messages.

Answer 40

The problem states that Admin1, a Global administrator, cannot access the Enterprise State Roaming settings in Azure AD. The goal is to enable Admin1 to configure Enterprise State Roaming. Let's evaluate each option: Assign an Azure AD Privileged Identity Management (PIM) role to Admin1: PIM is used to manage, control, and monitor access to privileged roles. Admin1 is already assigned the Global administrator role, which is the highest privileged role in Azure AD and inherently should have permissions to manage all features, including Enterprise State Roaming. PIM is about managing the use of privileged roles, not granting access to features that a Global Admin should already possess. Assigning a PIM role wouldn't directly address the issue of the settings being unavailable if the Global Administrator role already grants the necessary permissions. Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group: Azure Rights Management (Azure RMS), now part of Azure Information Protection, is for protecting sensitive documents and emails. It is not related to Enterprise State Roaming licensing or enabling admin access to Enterprise State Roaming settings. Azure RMS licenses are for information protection features, not device state roaming. Enforce Azure Multi-Factor Authentication (MFA) for Admin1: Enforcing MFA for Admin1 is a good security practice, but it is not related to the availability of Enterprise State Roaming settings. MFA is an authentication security measure, not a feature licensing or access enabler. MFA doesn't unlock features in Azure AD; it secures access. Purchase an Azure AD Premium P1 license for each user in the Managers group: Enterprise State Roaming licensing requirement: Azure AD Enterprise State Roaming is a feature that requires Azure AD Premium P1 or P2 licenses for the users who will be using the feature. While a Global Administrator has the permission to configure the feature, the feature itself might be gated by the licensing of the users who will benefit from it. Feature Availability based on Licensing: If Enterprise State Roaming is not licensed for any users in the tenant, it's possible that the Azure AD portal interface might indeed disable or hide the settings related to Enterprise State Roaming, even for a Global Administrator. This is because the feature is not considered "enabled" for the tenant if no users have the required licenses. Enabling the Feature: Purchasing Azure AD Premium P1 licenses for the target users (the Managers group in this case) would fulfill the licensing prerequisite for Enterprise State Roaming. Once the licenses are assigned, the Enterprise State Roaming feature should become fully enabled in the tenant, and the settings should become accessible to Admin1 (as a Global Administrator). Conclusion: The most likely reason why the Enterprise State Roaming options are unavailable to Admin1, even with Global Administrator role, is that the Azure AD tenant or the intended users are not licensed for Azure AD Premium P1 or P2, which is a prerequisite for using Enterprise State Roaming. Purchasing Azure AD Premium P1 licenses for the Managers group (the intended users of Enterprise State Roaming) is the action that directly addresses this licensing prerequisite and would most likely enable the feature and make its settings accessible to Admin1. Final Answer: The final answer is Purchase an Azure AD Premium P1 license for each user in the Managers group.

Answer 41

To determine which two sections of the access review should be modified, let's review each requirement against the current configuration and identify the sections needing changes. Requirements: Requirement 1: The access review must be enforced until otherwise configured. Current Configuration (Section C): "End*: Never" - This configuration ALREADY meets this requirement. The review is set to run indefinitely until explicitly changed. Requirement 2: Each user or group that has access to the Azure environment must be in the scope of the access review. Current Configuration (Section D & E): "Users to review: Members of a group", "Scope: Guest users only", "Group: Group1". This configuration is NOT meeting the requirement. It is currently scoped to only review Guest users who are members of a specific group (Group1). To meet the requirement of each user or group, the scope needs to be broadened to include all users, not just guest users and members of a specific group. Requirement 3: The access review must be completed within two weeks. Current Configuration (Section C): "Duration (in days): [Slider] 25". This configuration is NOT meeting the requirement. The duration is set to 25 days, which is longer than two weeks (14 days). This needs to be changed to 14 days. Requirement 4: A lack of response must not cause changes in the operational environment. Current Configuration (Section G): "If reviewers don’t respond: Remove access [Dropdown]". This configuration is NOT meeting the requirement. Currently, if reviewers don't respond, access is set to be removed. This needs to be changed to an action that does not remove access on no response. Sections to Modify: Based on the analysis above, the two sections that directly address requirements that are NOT currently met in the provided configuration are: C. Start date, Frequency, Duration (in days), End**: This section needs to be modified to change the Duration (in days) to 14 to meet Requirement 3 (completed within two weeks). G. Upon completion settings: This section needs to be modified in the "If reviewers don’t respond" dropdown. The current setting "Remove access" needs to be changed to an option that represents "no changes" or "Take no action" to meet Requirement 4 (lack of response = no changes). While Section D & E (Users and Scope) also needs modification to meet Requirement 2 (all users in scope), the question asks for only two sections. Sections C and G are the most direct and critical modifications needed to address explicit, quantifiable requirements related to duration and action upon non-response, which are directly configurable in these sections. Therefore, the two sections to modify are C and G. Final Answer: The final answer is C and G.

Answer 42

Let's analyze each statement based on Azure RBAC role inheritance and the provided hierarchy. Statement 1: You can remove User1 from the Contributor role for RG1. Analysis: You are stated to have the Owner role at the subscription level (Subscription1 and Subscription2, and implicitly at the Tenant Root Group as Owner at subscription implies Owner at all levels above). The Owner role grants full access to manage all resources, including role assignments. User1's Role: User1 is assigned the Contributor role at ManagementGroup1. Subscription1 is a child of ManagementGroup1. Role assignments are inherited down the management group hierarchy. Therefore, User1 inherits the Contributor role on Subscription1 and all resources within Subscription1, including RG1 and resources within RG1. Your Permissions: As an Owner at the subscription level, you have permissions to manage RBAC at Subscription1 and below. This includes removing role assignments. Conclusion: Yes, as an Owner at the subscription level, you have sufficient permissions to remove User1's Contributor role assignment for RG1 (or any resource within Subscription1, even though User1's explicit assignment is at ManagementGroup1 level due to inheritance). Statement 2: User2 can delete VM2. Analysis: User2 is assigned the Contributor role at ManagementGroup2. Subscription2 is a child of ManagementGroup2. VM2 is in RG2, which is in Subscription2. Contributor Role Permissions: The Contributor role allows users to create and manage Azure resources but does not grant permissions to manage role assignments (RBAC). However, the Contributor role does grant permissions to perform most operations on resources, including deleting virtual machines. Scope of Contributor Role: User2's Contributor role assignment at ManagementGroup2 is inherited by Subscription2 and all resources within Subscription2, including RG2 and VM2. Conclusion: Yes, User2, with the Contributor role at ManagementGroup2, inherits Contributor permissions on VM2 and therefore can delete VM2. Statement 3: You can add User3 as a Contributor for RG1. Analysis: You are an Owner at the subscription level (and above). User3 is assigned the Reader role at the Tenant Root Group. Role assignments are inherited down the management group hierarchy, but Reader role does not grant write permissions. Your Permissions (Owner): As an Owner, you have full control over RBAC within your subscription and below. You can assign any role to any user or group within your scope. User3's Current Role (Reader): User3's Reader role at the Tenant Root Group is inherited down to Subscription1 and RG1. However, this inherited Reader role does not prevent you, as an Owner, from assigning a different role (like Contributor) to User3 at a lower scope (like RG1). Role assignments at lower scopes take precedence. Adding Contributor Role: You can add User3 as a Contributor at RG1. This would grant User3 Contributor permissions specifically for RG1, overriding the inherited Reader role for resources within RG1. Conclusion: Yes, as an Owner, you have permissions to assign the Contributor role to User3 at RG1. Final Answer: Statements Yes No You can remove User1 from the Contributor role for RG1. ☑ ☐ User2 can delete VM2. ☑ ☐ You can add User3 as a Contributor for RG1. ☑ ☐

Answer 43

Correct Answer: Assign a managed identity to VM2. Assign a managed identity to VM2. Correct: A managed identity (system-assigned or user-assigned) turns VM2 into an Azure AD security principal. Once VM2 has a managed identity, it appears in Azure AD and can be selected in the “Add role assignment” interface under “Azure AD user, group, or service principal.” This enables you to assign the Reader role to VM2 for RG1, allowing VM2 to read resources within RG1 (e.g., for programmatic access via its identity).

Answer 44

The correct answer is From Azure AD, create a conditional access policy. Explanation: Let's analyze each option and why Conditional Access is the most suitable solution: From Azure AD, create a conditional access policy. Conditional Access Policies in Azure AD: Conditional Access is a powerful tool in Azure AD that allows you to create policies to control access to cloud applications based on various conditions. These conditions can include: Users and groups: You can target specific users or groups for the policy. In this case, you can create a policy that applies to all users and then exclude the 'Admins' group. Cloud apps or actions: Conditional Access can target specific applications. For managing Azure subscriptions, the relevant "cloud app" to target is "Microsoft Azure Management". This application represents access to Azure management interfaces, including the Azure portal and Azure PowerShell (and Azure CLI, and other management tools). Access controls: You can define access controls, such as: Block access: Completely prevent access. Grant access: Allow access, possibly with conditions like requiring multi-factor authentication or a compliant device. Meeting the Requirement: By creating a Conditional Access policy with the following configuration, you can effectively meet the requirement: Users and groups: Include "All users" and exclude the "Admins" group. Cloud apps or actions: Select "Microsoft Azure Management". Access controls: Select "Block access". This policy will block all users except members of the 'Admins' group from accessing "Microsoft Azure Management", which includes the Azure portal and Azure PowerShell. From Azure AD, configure the User settings. User settings in Azure AD: User settings in Azure AD primarily control features like: External collaboration settings (guest access) User and guest invitations License management User profile settings Self-service group management User settings are not designed to control access to Azure subscriptions or Azure management interfaces based on group membership and the method of access (portal/PowerShell). They are more about user lifecycle management and collaboration features within Azure AD itself. From the Azure subscription, assign an Azure policy. Azure Policies: Azure Policies are used to enforce organizational standards and assess compliance for Azure resources. They control what types of resources can be deployed, configured, and managed within Azure subscriptions and resource groups. Scope of Azure Policies: Azure Policies are applied to subscriptions, resource groups, or management groups to govern resources. They are not designed to control user access to the Azure portal or Azure PowerShell based on group membership. Azure Policy is for resource governance, not user access control at the portal level. From the Azure subscription, configure Access control (IAM). Access control (IAM) in Azure subscriptions: Access Control (IAM) in Azure subscriptions is used for Role-Based Access Control (RBAC). RBAC controls authorization – what actions users and groups can perform on Azure resources once they have access. Limitations of IAM for Access Prevention: While you can use RBAC to grant or deny specific permissions to resources, IAM in the Azure subscription is not designed to prevent all access to the Azure portal or Azure PowerShell for entire groups of users. IAM controls what you can do, not whether you can access the portal/PowerShell at all. IAM is about resource-level authorization, not preventing entry to management interfaces. Conclusion: Conditional Access policies in Azure AD are the appropriate tool to control access to the Azure portal and Azure PowerShell based on group membership. They offer the necessary conditions (user/group targeting, application targeting) and access controls (block access) to meet the requirement effectively. Final Answer: The final answer is From Azure AD, create a conditional access policy.

Answer 45

The correct answer is a public Azure Load Balancer. Explanation: Here's why a public Azure Load Balancer is the necessary additional service and why the other options are not as suitable in this scenario: Public Azure Load Balancer: Purpose: A public Azure Load Balancer is designed to provide load balancing for traffic originating from the internet and distribute it to backend servers within Azure. Functionality in this scenario: Backend Pool: You would create a backend pool in the public Azure Load Balancer that consists of the virtual machines running App1 within each Azure region. Frontend IP Configuration: You would configure a public IP address as the frontend IP for the load balancer. This public IP address will be the endpoint that Front Door will target. Load Balancing Rules: You would create load balancing rules to distribute HTTPS traffic (port 443) to the backend VMs in each region. Health Probes: You would configure health probes to monitor the health of App1 on each VM in the backend pool. Integration with Front Door: You would then configure Azure Front Door to use the public IP address of the public Azure Load Balancer in each region as a backend pool. Front Door will then distribute global traffic across these regional public load balancers. The public load balancers will, in turn, distribute traffic within each region to the VMs. Internet Accessibility: The public Azure Load Balancer is crucial for making the backend VMs accessible from the internet via Front Door. Front Door needs a publicly reachable endpoint to send traffic to in each region, and a public load balancer provides exactly that. Let's examine why the other options are not the best fit: Azure Traffic Manager: Azure Traffic Manager is a DNS-based traffic load balancer. While it can distribute traffic across regions, it operates at the DNS level. Azure Front Door is already designed to be a global, more advanced load balancer that operates at layer 7 (HTTP/HTTPS) and provides features like WAF, caching, and more granular routing than Traffic Manager. Using Traffic Manager in addition to Front Door for basic load balancing of VMs in this scenario is redundant and not the intended architecture. Front Door is meant to replace the need for Traffic Manager in many web application scenarios. An internal Azure Load Balancer: An internal Azure Load Balancer is used to distribute traffic within an Azure virtual network or across peered virtual networks. It is not designed to make resources directly accessible from the internet. Front Door needs to communicate with a publicly accessible endpoint in each region. An internal load balancer would not provide this internet-facing capability. Azure Private Link: Azure Private Link provides private connectivity to Azure PaaS services and customer-owned services over the Azure backbone network. It's about private access, not making VMs accessible from the internet. Private Link is not relevant to making the VMs internet-accessible via Front Door. Conclusion: To make App1 accessible from the internet via Azure Front Door and load balance requests across VMs in each region, you need to provision a public Azure Load Balancer in each Azure region. Front Door will then use the public IP addresses of these load balancers as backend pools to distribute global traffic, while the public load balancers will distribute traffic within each region to the VMs. Final Answer: The final answer is a public Azure Load Balancer.

Answer 46

To determine the minimum number of update deployments required, we need to consider the constraints of Azure Update Management and the requirements for applying updates to the VMs. Azure Update Management has the following key characteristics relevant to this question: Operating System Specificity: Update deployments in Azure Update Management are operating system specific. You cannot target both Windows and Linux VMs in a single update deployment. You need separate deployments for Windows and Linux operating systems. Scope: Update deployments can target VMs across different: Resource Groups: You can include VMs from multiple resource groups in a single deployment. Locations (Regions): You can include VMs from different Azure regions in a single deployment. Based on these characteristics and the VM configuration provided: Categorize VMs by Operating System: Windows VMs: VM1: Windows Server 2012 R2 (RG1, East US) VM2: Windows Server 2016 (RG1, West US) VM3: Windows Server 2019 (RG2, West US) All three are Windows Server based. They can be included in a single update deployment targeting Windows VMs. Linux VMs: VM4: Red Hat Enterprise Linux 7.7 (RG2, West US) VM5: Ubuntu Server 18.04 LTS (RG1, East US) VM6: CentOS-based 7.7 (RG1, East US) All three are Linux distributions. They can be included in a single update deployment targeting Linux VMs. Determine Minimum Deployments: Since update deployments are OS-specific, we need at least one deployment for Windows VMs and one deployment for Linux VMs to cover all virtual machines. Deployment 1: Windows Updates - Target VMs: VM1, VM2, VM3. Configure to apply "Critical" and "Security" updates monthly. Deployment 2: Linux Updates - Target VMs: VM4, VM5, VM6. Configure to apply "Critical" and "Security" updates monthly. Evaluate Options: 4: Too many. We don't need separate deployments based on Resource Group or Location. 6: Too many. We don't need separate deployments for each VM. 2: This is the correct minimum. We need two deployments to separate Windows and Linux VMs. 1: Too few. A single deployment cannot target both Windows and Linux VMs. Conclusion: The minimum number of update deployments required is 2: one deployment for all Windows VMs and one deployment for all Linux VMs. Resource group and location differences do not necessitate additional deployments. Final Answer: The final answer is 2.

Answer 47

To determine which action User1 can perform, we need to analyze the permissions defined in the custom role "Role1". Let's examine the "Actions" array in the provided JSON template: "Actions": [ "Microsoft.Storage/*/read", "Microsoft.Network/*/read", "Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/restart/action", "Microsoft.Authorization/*/read", "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Insights/alertRules/*", "Microsoft.Insights/diagnosticSettings/*", "Microsoft.Support/*" ] Use code with caution. Json Now, let's evaluate each option against these defined actions: Create virtual machines. To create virtual machines, the role would need actions like Microsoft.Compute/virtualMachines/write or Microsoft.Compute/virtualMachines/*. Role1 only includes Microsoft.Compute/*/read, Microsoft.Compute/virtualMachines/start/action, and Microsoft.Compute/virtualMachines/restart/action. These actions grant read permissions for compute resources and specific actions to start and restart VMs, but not to create them. Conclusion: User1 cannot create virtual machines. Create resource groups. To create resource groups, the role would need actions like Microsoft.Resources/subscriptions/resourceGroups/write or Microsoft.Resources/subscriptions/resourceGroups/*. Role1 only includes Microsoft.Resources/subscriptions/resourceGroups/read. This action grants read permissions for resource groups, but not to create them. Conclusion: User1 cannot create resource groups. Delete virtual machines. To delete virtual machines, the role would need actions like Microsoft.Compute/virtualMachines/delete or Microsoft.Compute/virtualMachines/*. Role1 only includes Microsoft.Compute/*/read, Microsoft.Compute/virtualMachines/start/action, and Microsoft.Compute/virtualMachines/restart/action. These actions do not include permissions to delete virtual machines. Conclusion: User1 cannot delete virtual machines. Create support requests. Role1 includes the action Microsoft.Support/*. The wildcard * after Microsoft.Support/ indicates that the role grants permissions for all operations within the Microsoft Support resource provider. This includes actions to create, read, update, and manage support requests with Microsoft Azure support. Conclusion: User1 can create support requests. Based on the analysis, the only action User1 is authorized to perform with Role1 is to create support requests. Final Answer: The final answer is Create support requests.

Answer 48

The correct answer is Configure the Firewalls and virtual networks settings for SQLserver1. Explanation: To use the query editor in the Azure portal to query an Azure SQL database, you need to ensure that your client machine (the machine you are using to access the Azure portal) is allowed to connect to the Azure SQL server through the firewall. Here's why Configure the Firewalls and virtual networks settings for SQLserver1 is the correct action and why the other options are incorrect: Configure the Firewalls and virtual networks settings for SQLserver1: Azure SQL Server Firewall: Azure SQL Server has a built-in firewall that, by default, restricts access to the server and its databases from all public networks except for other Azure services. Allowing Azure Portal Access: To use the query editor in the Azure portal, you need to configure the firewall settings of the Azure SQL server (SQLserver1) to allow access from the Azure portal's IP address ranges or, more commonly, to allow access from your client IP address (the IP address of the machine you are using to access the Azure portal). Steps to Configure Firewall: Navigate to your Azure SQL server (SQLserver1) in the Azure portal. Go to Firewall and virtual networks settings. You can either: Allow Azure services and resources to access this server: Set this to Yes (if you want to allow other Azure services to access the server). Add client IP address: Click + Add client IP address. This will automatically detect your current client IP address and add a firewall rule to allow access from your machine. Add a firewall rule: Manually add a firewall rule specifying a range of IP addresses that include your client IP address. Copy the ADO.NET connection string of Db1 and paste the string to the query editor: ADO.NET connection strings are used by applications to connect to a database programmatically. The Azure portal query editor does not use connection strings in this way. The query editor establishes a direct connection to the database using your Azure credentials and network access permissions. Pasting a connection string into the query editor is not a valid action to enable query editor access. Approve private endpoint connections for SQLserver1: Private endpoints are used to provide private and secure access to Azure services from within your virtual network. If private endpoints were configured for SQLserver1 and specifically blocking public access, then approving private endpoint connections might be relevant for applications within the VNet. However, for accessing the query editor from your local machine through the Azure portal, private endpoints are not the issue. Private endpoints would actually restrict public access, not enable it for the query editor from your machine. This is not the solution for general query editor access from the portal. Modify the Advanced Data Security settings of Db1: Advanced Data Security (now Microsoft Defender for SQL) is related to security features like threat detection and vulnerability assessment within the database. It does not control basic network connectivity or firewall rules that are preventing you from accessing the query editor. Modifying Advanced Data Security settings will not enable query editor access if the firewall is blocking your connection. Therefore, the correct action is to configure the Firewalls and virtual networks settings for SQLserver1 to allow your client IP address or Azure portal IP ranges to access the SQL server. Final Answer: The final answer is Configure the Firewalls and virtual networks settings for SQLserver1.

Answer 49

Answer Area: VM2: Region East US VM2_Interface: Region East US Explanation: Virtual Networks are Regional: Azure Virtual Networks (VNets) are regional resources. VNET1 is located in East US. Virtual Machines and VNets must be in the Same Region: Virtual Machines (VMs) must be created in the same Azure region as the Virtual Network they are intended to connect to. Since VM2 needs to connect to VNET1 (which is in East US), VM2 itself must also be created in East US. Network Interfaces and VNets/VMs must be in the Same Region: Network Interfaces (NICs) are also regional resources. A NIC must be in the same region as both the Virtual Network it connects to and the Virtual Machine it is attached to. Because VM2 and VNET1 must be in East US, VM2_Interface must also be created in East US. Therefore, to ensure VM2 can connect to VNET1, both VM2 and its network interface VM2_Interface must be created in the East US region. Final Answer: VM2: Region **East US** VM2_Interface: Region **East US**

Answer 50

For the scenario described, where a company uses ExpressRoute to connect on-premises virtual machines (VMs) to Azure-based VMs and needs a failover solution that uses the Internet without requiring MPLS support in case the ExpressRoute connection fails, the best recommendation is: Set up a VPN connection. Why this is the correct answer: Requirement for Internet-based failover: The question specifies that failover connections must use the Internet and not rely on MPLS. ExpressRoute typically uses a private, MPLS-based connection through a partner network, but a VPN (specifically a Site-to-Site VPN over the Internet) meets the requirement of using the public Internet as a failover option. Continued operations: A Site-to-Site VPN can be configured as a backup to ExpressRoute, allowing seamless communication between on-premises VMs and Azure VMs if the ExpressRoute link fails. Azure supports this hybrid connectivity model, where VPN serves as a redundant path. No MPLS requirement: Unlike ExpressRoute, which often involves MPLS through a provider, a VPN over the Internet does not require MPLS, aligning with the stated constraints. Practical for AZ-305 context: The AZ-305 exam (Designing Microsoft Azure Infrastructure Solutions) focuses on designing resilient and hybrid solutions. Configuring a VPN as a failover for ExpressRoute is a well-documented Azure best practice for high availability.

Answer 51

Correct Answer: Trusted IPs Explanation: The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses two-step verification for users who sign in from the company intranet. The feature is available with the full version of Azure Multi-Factor Authentication, and not the free version for administrators.

Answer 52

Explanation: Box 1: Yes Seamless SSO needs the user’s device to be domain-joined only, but it is not used on Azure AD Joined or Hybrid Azure AD joined devices. SSO on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices works based on the primary refresh token. Box 2: No Box 3: No

Answer 53

The correct answers are: a site-to-site connection a local network gateway Explanation: To configure an encrypted tunnel between an on-premises network and an Azure Virtual Network (VNET1) using a Virtual Network Gateway (VPNGW1), you need the following additional Azure resources: a local network gateway: Purpose: A Local Network Gateway represents your on-premises VPN device and network in Azure. It provides Azure with the necessary information about your on-premises VPN endpoint, including: Public IP address of your on-premises VPN device: Azure VPN Gateway needs to know the public IP address of your on-premises VPN device to establish the connection. On-premises network address prefixes: You define the on-premises network address spaces (subnets) that you want to be reachable from Azure through the VPN tunnel. Why it's necessary: Azure VPN Gateway uses the Local Network Gateway configuration to know where to initiate the VPN connection and what networks to route traffic to on the on-premises side. a site-to-site connection: Purpose: A Connection resource in Azure represents the actual VPN tunnel itself. For a site-to-site VPN, you need to create a "Site-to-Site (IPsec)" connection. This connection resource defines: Connection type: Site-to-to (IPsec) VPN type: RouteBased or PolicyBased (depending on your VPNGW1 configuration - although RouteBased is generally recommended) Shared key (pre-shared key): A secret key used for authentication between the Azure VPN gateway and the on-premises VPN device. References to Azure VPN gateway and Local Network Gateway: The connection resource links your existing Azure VPN gateway (VPNGW1) to the Local Network Gateway representing your on-premises VPN device. Why it's necessary: The Connection resource is the resource that actually establishes the VPN tunnel. It uses the information from both the Azure VPN gateway and the Local Network Gateway to set up the encrypted connection. Why other options are incorrect: a VPN gateway: You already have a VPN gateway named VPNGW1. You don't need to create another VPN gateway to establish a single site-to-site VPN connection. a point-to-site configuration: Point-to-Site (P2S) VPN is for connecting individual client computers to your Azure VNet, not for connecting an entire on-premises network. Site-to-Site VPN is the correct type for connecting networks. a VNet-to-VNet connection: VNet-to-VNet connections are used to connect two Azure Virtual Networks together. This is not relevant for connecting an on-premises network to Azure. In summary, to create a site-to-site VPN tunnel, you need to represent your on-premises VPN endpoint in Azure using a Local Network Gateway and then create a Connection resource to define and establish the VPN tunnel between your Azure VPN Gateway and the Local Network Gateway. Final Answer: Answer Area VM2: Region East US VM2_Interface: Region East US

Answer 54

To enable Azure Active Directory (Azure AD) authentication for setting permissions on individual blobs in an Azure Storage account, you need to enable Hierarchical namespace. Here's why: Hierarchical Namespace (HNS): Purpose: Hierarchical namespace transforms Azure Blob Storage into Azure Data Lake Storage Gen2 (ADLS Gen2). ADLS Gen2 provides a hierarchical file system structure (directories and subdirectories) on top of Blob storage. Azure AD Integration for Access Control: A key feature of ADLS Gen2 (enabled by HNS) is its deep integration with Azure Active Directory (Azure AD) for access control. HNS enables you to use Azure AD identities to manage access permissions at the directory and individual blob level using Access Control Lists (ACLs). This is crucial for setting permissions for individual blobs using Azure AD authentication, as required in the question. POSIX-like Permissions: HNS supports POSIX-style permissions, which are commonly used in file systems and allow for granular control over read, write, and execute permissions for users and groups managed in Azure AD. Let's examine why the other options are not correct for this requirement: Large file shares: Purpose: Large file shares is an option for Azure File Storage, enabling file shares larger than the standard size. Azure File Storage is accessed using SMB protocol and has its own authentication mechanisms (like Active Directory Domain Services or Azure Active Directory Domain Services). It is not related to Blob storage or Azure AD authentication for blobs. NFS v3: Purpose: NFS v3 (Network File System version 3) allows you to mount Azure Blob Storage containers as file systems using the NFS v3 protocol. While NFS v3 provides file system access, it does not directly enable Azure AD authentication for individual blobs in the way that Hierarchical Namespace does. NFS v3 authentication in this context is generally handled through other mechanisms and is not the same as native Azure AD ACLs on blobs. Blob soft delete: Purpose: Blob soft delete is a data protection feature that allows you to recover accidentally deleted blobs within a defined retention period. It is a data recovery feature and has no relation to authentication or authorization methods for accessing blobs. Conclusion: To meet the requirement of setting permissions for individual blobs using Azure AD authentication in Azure Storage, you must enable the Hierarchical namespace Advanced setting for the storage account. This transforms the storage account into Azure Data Lake Storage Gen2, which provides the necessary Azure AD integration and ACL capabilities for fine-grained access control at the blob level. Final Answer: The final answer is Hierarchical namespace.

Answer 55

Final Answers: VM1-Disk1 is encrypted automatically by using Azure Disk Encryption: No Unmanaged disks added after ADE enablement aren’t dynamically encrypted without reapplying ADE. VM2-Disk1 is encrypted automatically by using Azure Disk Encryption: Yes Managed disks are encrypted automatically when ADE is enabled with --VolumeType All. VM3-Disk1 is encrypted automatically by using Azure Disk Encryption: Yes Managed disks are encrypted automatically when ADE is enabled with --VolumeType All.

Answer 56

Final Answer: The final answer is Associate Subscription1 to contoso.onmicrosoft.com. Reassign all the roles in Subscription1. Explanation: Let's break down why this is the correct solution and why the other options are incorrect: Associate Subscription1 to contoso.onmicrosoft.com. Reassign all the roles in Subscription1. (Correct) Tenant Association: Azure subscriptions are fundamentally linked to an Azure Active Directory (Azure AD) tenant. This tenant serves as the directory for managing users, groups, and their access to resources within that subscription. Currently, Subscription1 is linked to contosoazure.onmicrosoft.com, while the users you want to grant access (from contoso.com forest) are synced to contoso.onmicrosoft.com. Changing Tenant Association: The most direct way to allow contoso.com users to access Subscription1 resources is to change the Azure AD tenant that Subscription1 trusts for identity management. By associating Subscription1 with contoso.onmicrosoft.com, you make the users and groups from contoso.onmicrosoft.com (and by extension, contoso.com) the native identities for authorization within Subscription1. Role Reassignment: After changing the tenant association, the existing role assignments in Subscription1 will likely be based on principals from the old contosoazure.onmicrosoft.com tenant. These assignments will become invalid or irrelevant when the subscription is linked to contoso.onmicrosoft.com. Therefore, you'll need to reassign all roles within Subscription1 to users and groups from the newly associated contoso.onmicrosoft.com tenant to restore and configure access for the intended users. Effectiveness: This method directly addresses the core issue by placing the subscription under the control of the Azure AD tenant that manages the desired users. Configure the existing Azure AD Connect server to sync contoso.com to contosoazure.onmicrosoft.com. (Incorrect) Single Tenant Sync: An Azure AD Connect server is designed to synchronize a single on-premises Active Directory forest to one Azure AD tenant. You cannot configure a single Azure AD Connect server to synchronize the same on-premises forest to multiple Azure AD tenants (like both contoso.onmicrosoft.com and contosoazure.onmicrosoft.com). This option is technically not feasible with a single Azure AD Connect instance. Even if you could, it's not the correct architectural approach. Configure contoso.onmicrosoft.com to use pass-through authentication. (Incorrect) Authentication Method: Pass-through authentication is an Azure AD sign-in method. Configuring contoso.onmicrosoft.com to use pass-through authentication only changes how users in contoso.onmicrosoft.com authenticate. It doesn't change the tenant association of Subscription1 or grant access to users in contoso.com forest to resources in Subscription1. It's irrelevant to the tenant association problem. Configure contosoazure.onmicrosoft.com to use pass-through authentication. (Incorrect) Authentication Method: Similarly, configuring contosoazure.onmicrosoft.com to use pass-through authentication only affects authentication for users within contosoazure.onmicrosoft.com (if any cloud-only users exist there). It does not bridge the identity gap or grant access to contoso.com users in Subscription1.

Answer 57

The correct answer is managed identities. Explanation: Here's why managed identities are the correct solution and why the other options are not: Managed Identities: Purpose: Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory (Azure AD). This allows Azure services to authenticate to Azure services that support Azure AD authentication without needing to hardcode credentials in code or configuration. Scenario Application: In this scenario, you would enable managed identities for each Azure web app. This creates a service principal identity in Azure AD for each web app. Key Vault Access: You would then grant these managed identities specific permissions to access your Azure Key Vault. For example, you would grant the "Get Secret" permission to each web app's managed identity on the Key Vault where you store the database access keys. Authentication Process: When the web apps need to access a database access key, they would use the Azure SDK (e.g., Azure.Identity library) to authenticate to Azure Key Vault using their managed identity. The Azure SDK automatically handles the authentication process, obtaining tokens from Azure AD without requiring any explicit credentials to be stored or managed by the web app. Security Benefits: This approach is highly secure because: No Hardcoded Credentials: You eliminate the need to store access keys directly in web app configuration or code. Automated Credential Management: Azure automatically manages the lifecycle and rotation of the managed identity credentials. Principle of Least Privilege: You can grant each web app only the necessary permissions (e.g., "Get Secret" for specific secrets) in Key Vault, adhering to the principle of least privilege. Let's look at why the other options are not the correct solution: Managed applications: Managed applications are pre-packaged and deployable applications offered through the Azure Marketplace. They are not directly related to the authentication mechanism for web apps to access Key Vault for secrets. Azure policies: Azure Policies are used to enforce organizational standards and assess compliance across Azure resources. They are not designed for managing application authentication to Key Vault or providing identities to applications. An App Service plan: An App Service plan defines the set of compute resources for running Azure web apps. It determines the region, size, and scale of the underlying VMs. It does not provide authentication mechanisms for web apps to access other Azure services like Key Vault. Therefore, the correct answer is managed identities because they are the Azure feature specifically designed to enable Azure AD-based authentication for Azure services (like web apps) to securely access other Azure services (like Key Vault) without managing credentials directly. Final Answer: The final answer is managed identities.

Answer 58

The correct answer is a key. Explanation: To digitally sign blobs stored in Azure Storage using Azure Key Vault (KV1), you need to use a cryptographic key that is stored and managed within KV1. Here's why: Keys in Azure Key Vault for Digital Signing: Azure Key Vault is designed to securely store and manage cryptographic keys, secrets, and certificates. For digital signing, you specifically need a cryptographic key. Key Vault supports different types of keys, including: RSA keys: Commonly used for digital signatures and encryption. EC keys: Elliptic Curve keys, also used for digital signatures and key exchange, often preferred for performance and smaller key sizes. To perform digital signing, you would create or import a key into KV1. This key will be a cryptographic key pair, where the private key is used to create the digital signature, and the corresponding public key can be used to verify the signature. Crucially, the private key remains secure within Key Vault and is never directly exposed. The signing operation is performed by Key Vault itself, using the private key on your behalf. Why other options are incorrect: a secret: Secrets in Azure Key Vault are used to store sensitive information like passwords, connection strings, API keys, and other text or binary data. Secrets are not designed for performing cryptographic operations like digital signing. While you can store text that could represent a key, a "secret" object in Key Vault itself does not have the cryptographic functionality needed for signing. You would need a "key" object. a certificate: Certificates in Azure Key Vault are X.509 certificates. Certificates are primarily used for authentication and encryption, and they contain a public key (and optionally a private key). While you could import a certificate containing a private key into Key Vault and potentially use the private key within the certificate for signing (if the certificate allows key export and signing operations), the most direct and fundamental requirement for signing is a key. Certificates are a higher-level construct built around keys, but the underlying cryptographic material needed for signing is the key. For just signing blobs, directly using a key is more straightforward and appropriate.

Answer 59

When Multi-Factor Authentication (MFA) is enabled for a user in Azure Active Directory (Azure AD), they will be prompted for additional security verification methods beyond their password when they sign in. The available verification methods depend on the configuration set by the administrator and the methods configured by the user. Let's evaluate each option against the standard MFA verification methods offered by Azure AD: Option 1: a phone call, an email message that contains a verification code, and a text message that contains an app password. a phone call: Phone call to a registered phone number is a valid Azure MFA verification method. an email message that contains a verification code: While email can be used for Self-Service Password Reset (SSPR) verification, it is not a standard primary MFA verification method for Azure AD sign-in in typical configurations. It's less secure compared to other methods. a text message that contains an app password: This is incorrect. App passwords are not sent via text messages. App passwords are generated by users (or admins) after MFA is enabled to allow legacy applications that don't support modern authentication to bypass MFA prompts. Text messages contain verification codes, not app passwords. Option 2: an app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app. an app password: As mentioned before, app passwords are not MFA verification methods themselves. They are a way to bypass MFA for legacy apps. Incorrect. a text message that contains a verification code: Text message (SMS) verification is a valid Azure MFA method. a verification code sent from the Microsoft Authenticator app: Verification code generated by the Microsoft Authenticator app (Time-based One-Time Password - TOTP) is a valid Azure MFA method. Option 3: an app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app. an app password: Incorrect, as explained before. a text message that contains a verification code: Valid SMS verification. a notification sent from the Microsoft Authenticator app: Push notification sent to the Microsoft Authenticator app for approval is a valid Azure MFA method. Option 4: a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app. a phone call: Valid phone call verification. a text message that contains a verification code: Valid SMS verification. a notification or a verification code sent from the Microsoft Authenticator app: Both push notifications and verification codes (TOTP) from the Microsoft Authenticator app are valid Azure MFA methods. Comparing the options, Option 4 lists only valid and standard Azure MFA verification methods: phone call, SMS message with verification code, and Microsoft Authenticator app (both push notification and verification code). Options 1, 2, and 3 incorrectly include "app password" as a verification method, and Option 1 incorrectly includes "email message with verification code" as a standard primary MFA method. Final Answer: The final answer is a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app.

Answer 60

Let's analyze each statement based on the provided Azure AD SSPR notification settings and user roles. Notification Settings: Notify users on password resets? No Notify all admins when other admins reset their password? Yes User Roles and Group Membership: User1: Global administrator, Not member of Group1 User2: User administrator, Member of Group1 User3: Password administrator, Member of Group1 User4: None, Member of Group1 Statement 1: User1 gets a notification when User3 resets her password by using SSPR. Analysis: User1 is a Global administrator, which is an admin role. User3 is a Password administrator, which is also an admin role. User3 is resetting her own password using Self-Service Password Reset (SSPR). The notification setting "Notify all admins when other admins reset their password?" is set to Yes. Since User3 is an admin and is resetting her own password using SSPR, and the notification setting for admin-to-admin SSPR resets is enabled, all admins should be notified. User1, being a Global administrator, is an admin. Conclusion: Yes, Statement 1 is True. Statement 2: User3 gets a notification when User3 resets her password by using SSPR. Analysis: User3 is resetting her own password using SSPR. The notification setting "Notify users on password resets?" is set to No. This setting directly controls whether the user who initiates the password reset (in this case, User3) receives a notification. Since it is set to "No," User3 should not receive a notification about her own password reset. Conclusion: No, Statement 2 is False. Statement 3: User1 gets a notification when User2 resets the password of User4. Analysis: User1 is a Global administrator (Admin role). User2 is a User administrator (Admin role). User2 is resetting the password of User4. While the scenario mentions SSPR, it's implied that User2, as a User administrator, is using admin capabilities (likely through the Azure AD admin center or similar tools) to reset User4's password, not User2 performing SSPR for User2's own password. The notification setting "Notify all admins when other admins reset their password?" specifically refers to notifications when admins reset their own passwords using SSPR. It is not designed for scenarios where an admin resets another user's password through admin interfaces, even if the underlying password reset mechanism shares components with SSPR. Admin-initiated password resets are distinct actions from user-initiated SSPR. The notification is for "when other admins reset their password". In this case, User2 is resetting User4's password, not User2's own password. Conclusion: No, Statement 3 is False. The "Notify all admins when other admins reset their password?" setting is specifically for admin self-service password resets, not for admin-initiated password resets of other users. Therefore, User1 will not be notified in this scenario based on the configured SSPR notification settings. Final Answer: Statements Yes No User1 gets a notification when User3 resets her password by using SSPR. ☑ ☐ User3 gets a notification when User3 resets her password by using SSPR. ☐ ☑ User1 gets a notification when User2 resets the password of User4. ☐ ☑

Answer 61

the best solution is: From the MFA service settings, create a trusted IP range. Why this is the correct answer: MFA Trusted IPs Feature: Azure AD MFA includes a service setting that allows you to define "trusted IPs" (IP address ranges) where MFA prompts can be bypassed. This is specifically designed for scenarios like this—reducing MFA prompts for users signing in from trusted locations, such as the company’s main office. Matches the Requirement: The goal is to prevent MFA requests when users sign in from the main office. By configuring the public IP range of the main office as a trusted IP in the MFA service settings, users authenticating from that location will not be prompted for MFA, while MFA remains enforced elsewhere. AZ-305 Relevance: The AZ-305 exam (Designing Microsoft Azure Infrastructure Solutions) emphasizes practical solutions for identity and security management. Configuring trusted IPs is a straightforward, built-in MFA feature that aligns with designing secure and user-friendly authentication policies.

Answer 62

Answer Area: On App1: Turn on the managed identity On Queue1: Configure Access control (IAM) Explanation: On App1 (Logic App): Turn on the managed identity: This is the crucial step for enabling Azure AD authentication for App1. By turning on a managed identity (specifically, a system-assigned managed identity is usually simpler for this scenario), Azure automatically creates an identity for the Logic App in your Azure AD tenant. This identity can then be granted permissions to access other Azure resources that support Azure AD authentication, such as Azure Service Bus. Why not other options for App1? Add a logic app step: While you will need to add a Service Bus connector step in your Logic App to actually read messages from Queue1, this step itself doesn't handle authentication. Authentication needs to be configured separately. Configure Access control (IAM): Configuring IAM on App1 itself is not relevant for App1 authenticating to Service Bus. IAM on App1 controls who/what can manage the Logic App resource, not its outbound authentication to other services. Regenerate the access key: Access keys are used for Shared Access Signature (SAS) authentication, which is an alternative to Azure AD authentication. The requirement explicitly states "App1 must authenticate by using Azure Active Directory (Azure AD)", so SAS keys are not the desired method. On Queue1 (Service Bus Queue): Configure Access control (IAM): This step is essential to authorize App1's managed identity to access Queue1. You need to grant the managed identity of App1 the necessary permissions to read messages from Queue1. This is done through Azure RBAC (Role-Based Access Control) via the Access control (IAM) blade for Queue1. You would assign a built-in role like "Azure Service Bus Data Receiver" to the managed identity of App1 at the scope of Queue1 (or at a higher scope like the Service Bus namespace if appropriate). This role grants the necessary permissions to receive (read and delete) messages from the queue. Why not other options for Queue1? Add a read-only lock: Read-only locks prevent accidental modifications or deletions of the queue itself. They do not control access for reading messages. Add a shared access policy: Shared Access Policies (SAPs) are used for SAS authentication, again, an alternative to Azure AD authentication. Since we need to use Azure AD, SAPs are not the correct approach. Modify the properties: Modifying queue properties (like max size, TTL, etc.) does not configure authentication or authorization for accessing the queue's messages. In Summary: To enable Azure AD authentication for App1 to read messages from Queue1, you need to: Enable Managed Identity on App1: This provides App1 with an Azure AD identity. Configure Access control (IAM) on Queue1: Grant the Managed Identity of App1 the "Azure Service Bus Data Receiver" role (or a similar role with read permissions) to authorize App1 to read messages. Final Answer: On App1: Turn on the managed identity On Queue1: Configure Access control (IAM)

Answer 63

Let's analyze each option to determine the best way to grant users from contoso.com access to resources in Subscription1. Create an Azure management group that contains Subscription1. Explanation: Azure Management Groups are used to organize and manage multiple Azure subscriptions under a single management structure. Management groups are primarily for policy and access control at scale across subscriptions. Creating a management group itself does not bridge the identity gap between different Azure AD tenants. Management groups help with organizing and governing subscriptions but do not inherently solve cross-tenant identity and access management for users. Does it meet the goal? No. Management groups do not enable users from contoso.com (synced to contoso.onmicrosoft.com) to access resources in Subscription1 (linked to contosoazure.onmicrosoft.com). Configure the existing Azure AD Connect server to sync contoso.com to contosoazure.onmicrosoft.com. Explanation: Azure AD Connect is designed to synchronize a single on-premises Active Directory forest to one Azure AD tenant. The existing Azure AD Connect server is already correctly syncing contoso.com to contoso.onmicrosoft.com. You cannot reconfigure the same Azure AD Connect server to sync the same on-premises forest to a second, different Azure AD tenant (contosoazure.onmicrosoft.com). This is not a supported or feasible configuration for Azure AD Connect. Does it meet the goal? No. This is not a valid Azure AD Connect configuration and will not solve the cross-tenant access problem. Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.onmicrosoft.com. Explanation: While you can deploy multiple Azure AD Connect servers for redundancy or for syncing different on-premises forests to different Azure AD tenants, you cannot sync the same on-premises forest (contoso.com) to two separate Azure AD tenants (contoso.onmicrosoft.com and contosoazure.onmicrosoft.com) using multiple Azure AD Connect servers connected to the same on-premises forest. This is not a supported Azure AD Connect topology. Each on-premises forest should have a dedicated Azure AD Connect instance syncing to one Azure AD tenant. Does it meet the goal? No. This is not a valid Azure AD Connect configuration and will not solve the cross-tenant access problem. Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com. Explanation: This option utilizes Azure AD Business-to-Business (B2B) collaboration. You would invite users from the contoso.onmicrosoft.com tenant as guest users into the contosoazure.onmicrosoft.com tenant. How it works: Invite users from contoso.onmicrosoft.com as guests to contosoazure.onmicrosoft.com. Guest user objects are created in contosoazure.onmicrosoft.com that represent the external users from contoso.onmicrosoft.com. You can then assign Azure RBAC roles to these guest user accounts in contosoazure.onmicrosoft.com for resources in Subscription1. Users from contoso.com (authenticating via contoso.onmicrosoft.com) can then access resources in Subscription1 using their original contoso.com credentials, but as guest users in contosoazure.onmicrosoft.com. Does it meet the goal? Yes. This is the correct and standard way to grant users from one Azure AD tenant access to resources in another Azure AD tenant. It allows you to assign roles to users from contoso.com in Subscription1 while they use their existing credentials. Final Answer: The final answer is Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com.

Answer 64

Final Answer: The final answer is Add a shared access policy to the queue. The requirement is to grant an application (App1) that does not support Azure Active Directory (Azure AD) authentication the ability to send messages to an Azure Service Bus queue (Queue1) while explicitly preventing it from listening to messages. This scenario points towards using Shared Access Policies (SAPs) for delegated access with specific permissions, as App1 cannot use Azure AD for authentication. Let's analyze each option: Configure Access control (IAM) for the Service Bus. Explanation: Access control (IAM) in Azure is primarily designed for managing access for Azure AD identities (users, groups, service principals, managed identities). Since App1 does not support Azure AD authentication, using IAM directly is not the appropriate solution for App1's authentication. IAM is best suited for applications that can authenticate with Azure AD. IAM roles for Service Bus typically grant broad permissions and are not designed for the granular send-only vs. listen-only scenario for non-AD applications. Add a shared access policy to the queue. Explanation: Shared Access Policies (SAPs) are a feature of Azure Service Bus specifically designed to grant delegated access to Service Bus resources (namespaces, queues, topics, subscriptions) to applications that may not support Azure AD authentication or when you need to grant access using shared keys. Granular Permissions: When creating a Shared Access Policy, you can precisely control the permissions granted. For a queue, these permissions typically include: Send: Allows sending messages to the queue. Listen: Allows receiving (reading and processing) messages from the queue. Manage: Allows managing the queue itself. Meeting the Requirements: To meet the requirements, you should add a shared access policy to Queue1 and, crucially, grant only the Send permission in the policy, while explicitly not granting the Listen permission. App1 can then use the connection string generated from this SAP to authenticate to Service Bus and send messages, but it will be denied access if it tries to listen or receive messages because the SAP lacks the "Listen" permission. Modify the locks of the queue. Explanation: Locks in Azure Service Bus are used to prevent accidental deletion or modification of the queue itself. Locks are for resource management and protection of the queue's configuration, not for controlling permissions for sending or receiving messages. Modifying locks will not achieve the goal of granting send-only access to App1. Configure Access control (IAM) for the queue. Explanation: As explained earlier, IAM is primarily for Azure AD identities. While you can use IAM with Service Bus, it's not the intended authentication mechanism for an application that does not support Azure AD authentication. Furthermore, IAM roles for Service Bus are generally broader and might not provide the fine-grained control to grant only "Send" and explicitly deny "Listen" permissions in the context of non-AD authentication as effectively as Shared Access Policies. Conclusion: The most appropriate and effective solution to grant App1 send-only access to Queue1, especially when App1 does not support Azure AD authentication, is to Add a shared access policy to the queue and configure the policy to grant only the "Send" permission, explicitly excluding the "Listen" permission. This directly addresses both requirements: enabling sending and preventing listening for the non-AD application. Final Answer: The final answer is Add a shared access policy to the queue.

Answer 65

The correct answer is Plan type. Here's why: Azure Functions on the Consumption plan have some limitations regarding backup and restore. Specifically, they don't support traditional backup mechanisms like those available for App Service plans. Consumption plan function apps are ephemeral by nature, scaling dynamically and relying on storage for persistence. To enable proper backup and restore capabilities, you should switch from the Consumption plan to an App Service plan (either dedicated or premium). App Service plans provide a dedicated environment with more control over the underlying infrastructure, allowing for snapshot-based backups and restore operations. While the other options might have indirect impacts on backup (like Application Insights influencing monitoring and logging), they don't directly address the core issue of backup capability itself. The runtime stack and OS are generally orthogonal to backup functionality. Disabling Application Insights would reduce data collected but not affect the ability to back up the function app itself. Therefore, changing the plan type is the only change that directly enables backup functionality.

Answer 66

Here's the breakdown of the correct load balancing solutions for each tier, along with the reasons: Internet to web tier: An Azure Application Gateway that has a web application firewall (WAF) URL-based routing: Application Gateway natively supports routing traffic based on URLs. This is a key requirement. Connection draining: Application Gateway supports connection draining, ensuring that existing connections are gracefully terminated when a backend server is being taken offline. Prevents SQL injection attacks: The Web Application Firewall (WAF) integrated with Application Gateway provides protection against common web vulnerabilities, including SQL injection. Cost: While Application Gateway is more expensive than basic Load Balancer, the requirements explicitly include WAF, necessitating the use of Application Gateway for the internet-facing tier. Using Load Balancer here would require deploying another product to provide WAF capabilities, increasing complexity and potentially cost. Web tier to application tier: An internal Azure Standard Load Balancer Port forwarding: Load Balancers can forward traffic on specific ports. HTTPS health probes: Standard Load Balancer supports HTTPS health probes, allowing it to monitor the health of backend instances by sending HTTPS requests and verifying the responses. Supports an availability set as a backend pool: Both Basic and Standard Load Balancers can use an availability set as a backend pool. Internal: The load balancer needs to be internal because you're balancing traffic between the web tier and the application tier within your Azure virtual network. Standard: While a Basic Load Balancer can handle load distribution, Standard Load Balancer provides increased functionality and features that align with the application's needs and future scalability requirements. Features such as HTTPS health probes and support for Availability Zones make the Standard Load Balancer the best choice. In summary: Internet to web tier: Azure Application Gateway with WAF is essential to meet the URL-based routing, connection draining, and SQL injection prevention requirements for traffic from the internet. Web tier to application tier: An internal Azure Standard Load Balancer effectively handles load balancing between the web and application tiers, meeting requirements with health probes, port forwarding, and availability set integration.

Answer 67

Here's the breakdown of the correct actions and why they're needed: Add the network interfaces of the virtual machines to the backend pool of LB1. This is essential for the load balancer to be aware of the VMs it should distribute traffic to. Without this, the load balancer doesn't know which VMs are part of its managed pool. Add an outbound rule to LB1. Standard Load Balancers require outbound rules to enable outbound connectivity to the internet when VMs in the backend pool don't have public IPs directly assigned. This rule defines how outbound connections from the VMs are translated to the load balancer's public IP. Associate a network security group (NSG) to Subnet1. The NSG is critical for preventing the VMs from being directly accessible from the internet. You'll configure the NSG to: Deny inbound traffic from the internet: This is the key step to ensure that the VMs are not directly accessible from the outside. Block all inbound traffic except traffic originating from within the VNet (or specific sources you need to allow). Allow outbound traffic to the internet through the load balancer: This allows the VMs to initiate outbound connections, which are then handled and NAT'd by the load balancer via the outbound rule. The default outbound rule should suffice here. Why the other options are incorrect: Add health probes to LB1: Health probes are necessary for the load balancer to determine the health of the backend VMs. While important for the load balancer's function in general, they are not directly related to the requirement of routing internet traffic through the load balancer and preventing direct access to the VMs. If you're not using the NSG, the load balancer is basically balancing traffic to the internet, but the client will go directly to your VM and not from your load balancer IP. Add an inbound rule to LB1: Inbound rules are for directing traffic to the VMs through the load balancer. Since the requirement is to prevent the VMs from being directly accessible on the internet, adding an inbound rule isn't directly relevant to that goal. Associate a user-defined route to Subnet1. User-defined routes (UDRs) are used to control the routing of traffic within the virtual network. While you could potentially use UDRs in a more complex scenario, using an NSG to block direct internet access is simpler and more direct.

Answer 68

The correct answer is a Recovery Services vault. Here's why: Recovery Services Vault: This is the central management entity for Azure Backup. Automated Backup v2 for virtual machines uses the Recovery Services vault to orchestrate the backup process, store backup metadata, and manage retention policies. You'll configure the backup settings (frequency, retention, etc.) within the Recovery Services vault. Automated Backup v2 utilizes Log backups to achieve the RPO of 15 minutes. Here's why the other options are not the primary solution: Elastic Database jobs: These are used for managing and automating tasks across multiple Azure SQL databases. They are not directly related to backing up SQL Server running inside an Azure VM. Azure Key Vault: While you can integrate Azure Key Vault with Azure Backup to encrypt the backups themselves at rest, it is not required. Azure Backup, by default, can encrypt the backup data using platform-managed keys or customer-managed keys. Key Vault would be needed if you opted for customer-managed keys. And more importantly, a Recovery Services vault is required regardless to manage the overall backup process. an Azure Storage account: While backups are stored in Azure Storage, you don't directly provision a storage account for Automated Backup v2. The Recovery Services vault manages the storage account creation and configuration behind the scenes. You have limited control over this storage account.

Answer 69

The correct answer is Configure the Firewall and virtual networks settings for KeyVault1. Here's why: Key Vault Firewall and Virtual Networks: This feature allows you to restrict access to your key vault based on the source IP address or the virtual network the request originates from. By configuring this, you can specify that only traffic originating from VNET1 (or, more specifically, Subnet1) is allowed to access KeyVault1. This ensures that only VM1 can register secrets. Here's why the other options are incorrect: Create a network security group (NSG) that is linked to Subnet1: NSGs control inbound and outbound traffic to and from a subnet or network interface. While you can use NSGs to restrict outbound traffic from VM2, you can't use them to grant specific access to KeyVault1 only from VM1. NSGs operate at the network layer and don't have the fine-grained control to say "Allow this specific action on this specific resource only from this VM." Modify the access policy for KeyVault1: Access policies control who (users, service principals, managed identities) has what permissions on the key vault (e.g., get, create, list). You already have an access policy granting users Create Key permissions. You can't use access policies to restrict where those permissions can be used from (i.e., only from VM1). Configure KeyVault1 to use a hardware security module (HSM): HSMs provide a higher level of security for storing keys, but they don't provide network-based access control. Using an HSM won't restrict access based on the source VM.

Answer 70

Here's the breakdown of which user can perform each configuration, along with the reasoning: Add a subnet to VNet1: User1 and User3 only Owner (User1): The Owner role has full control over the subscription and all its resources. This includes the ability to create and modify virtual networks and subnets. Network Contributor (User3): The Network Contributor role specifically grants permissions to manage network resources, including virtual networks and subnets. Security Admin (User2): The Security Admin role manages security-related configurations and policies. While they might be involved in securing a network, they don't have the inherent permission to directly modify network resources like adding subnets. Assign a user the Reader role to VNet1: User1 only Owner (User1): The Owner role possesses the right to assign roles to resources within the Azure subscription. Security Admin (User2): The Security Admin role can manage security-related configurations and policies, but does not have the ability to assign roles. Network Contributor (User3): The Network Contributor role specifically grants permissions to manage network resources, but does not have the ability to assign roles. In summary: Add a subnet to VNet1: User1 and User3 only Assign a user the Reader role to VNet1: User1 only

Answer 71

Here's the breakdown of the correct answers: The number of email messages that Alert1 will send in an hour is [60]. The alert criteria is triggered every minute. This means that the action group (which includes sending an email) will also be triggered every minute. There are 60 minutes in an hour, therefore, 60 emails will be sent. The number of SMS messages that Alert1 will send in an hour is [60]. The alert criteria is triggered every minute. This means that the action group (which includes sending an SMS) will also be triggered every minute. There are 60 minutes in an hour, therefore, 60 SMS messages will be sent. Therefore the answers are: 60 60

Answer 72

The correct answer is: The maximum data size of DB1 will decrease to 6 GB. Here's why: Elastic Pools and Resource Limits: Elastic pools provide a shared pool of resources (vCores, data size) for the databases within them. When a database is moved into an elastic pool, it becomes subject to the resource limits of that pool. This means that the database's individual resource limits (vCores, maximum data size) are governed by the pool's settings, even if the database was previously configured with higher values. Pool1 Limits: Pool1 has a maximum data size of 16 GB. When DB1, which is currently configured for 30 GB, is added to Pool1, its maximum data size will be constrained by what remains available within Pool1 for it. Pool1 Capacity and DB2: Currently Pool1 only contains DB2 which is set at 10GB. DB1 Changes: DB1 will be reduced to a maximum data size of 6GB which is what is available in Pool1 after DB2 is accounted for. Here's why the other options are incorrect: The vCores on DB1 will decrease to two: While the database will share vCores with other databases in the pool, its explicitly configured vCores do not automatically change. The database is still technically allocated its originally configured vCores, however the maximum it can consume at any time while in the pool is limited by what the pool has available, and what priority the DB is given. The effect is a maximum vCore limit of Pool1 / Number of Databases in the pool, or as configured under database settings within the pool. The maximum data size of Pool1 will increase to 22 GB: The operation of adding a DB to a pool does not dynamically increase the pool size. The pool is a separate entity that must be configured separately. The vCores on Pool1 will increase to four: The operation of adding a DB to a pool does not dynamically increase the pool vCore size. The pool is a separate entity that must be configured separately.

Answer 73

The correct answer is an Azure Key Vault and an access policy. Here's why: Azure Key Vault: Key Vault is designed for securely storing secrets, keys, and certificates. It provides a centralized and secure way to manage sensitive information, preventing you from storing passwords in plain text in your ARM template. Access Policy: Access policies control which users, applications, or services have access to the secrets stored in the Key Vault. You would create an access policy to grant the appropriate permissions to your deployment process (e.g., a service principal) to retrieve the password from the Key Vault during the VM deployment. Here's why the other options are incorrect: Azure Active Directory (AD) Identity Protection and an Azure policy: Azure AD Identity Protection helps detect and remediate identity risks, but it's not designed for storing passwords. Azure Policy enforces organizational standards, but does not serve as a secure store for credentials. a Recovery Services vault and a backup policy: Recovery Services vaults are used for backup and disaster recovery. They aren't related to storing secrets or passwords. an Azure Storage account and an access policy: While Azure Storage can store data securely, it's not the appropriate service for managing and controlling access to secrets. Key Vault is specifically designed for this purpose, offering features like auditing, versioning, and access control tailored for secrets management.

Answer 74

The correct answer is Azure Key Vault. Here's why: Azure Key Vault for Secure Storage and Rotation: Azure Key Vault is the core component here. You store the Storage Account access keys in Key Vault. Applications don't directly use the keys. Instead, they use a managed identity to authenticate to Azure Key Vault, and then retrieve the Storage Account keys from there. Automatic Rotation with Least Application Impact: When you want to rotate the Storage Account keys, you rotate them in the Storage Account, and then update the values stored in Azure Key Vault with the new keys. Because the applications are retrieving the keys from Key Vault (and not storing them directly), they don't need to be changed. They simply start retrieving the new key values from Key Vault automatically. Here's why the other options are not as suitable: an Azure AD enterprise application: While enterprise applications can be used for authentication and authorization, they don't provide the secure storage and key rotation capabilities needed for this scenario. An enterprise application would be used to provide the managed identity required for this setup. Azure Logic Apps: Logic Apps can automate tasks, but they don't inherently provide a secure secrets storage or a mechanism for applications to dynamically retrieve those secrets without needing modification. Logic Apps could be used as part of solution that handles the rotation itself (updating the keys in storage account and Key Vault), but it's Key Vault that makes the entire thing work with minimal application impact. an Azure Desired State Configuration (DSC) extension: DSC is used for managing the configuration of virtual machines. While you could potentially use DSC to update configuration files containing connection strings, it doesn't address the core issue of secure secrets management and rotation, and would require significant application code changes. Furthermore, storing connection strings in files on VMs is less secure than using Key Vault.

Answer 75

The answer is Yes. Here's why: Azure File Sync Overview: Azure File Sync allows you to centralize your organization's file shares in Azure Files while keeping the flexibility, performance, and compatibility of an on-premises file server. It effectively creates a cloud-based copy of your on-premises files. Protection Against Server Failure: If Server1 fails, the files are still stored in Azure Files. You can then: Provision a new Windows Server, install the Azure File Sync agent, and configure it to sync with the same Azure file share. This will download the files from Azure Files to the new server. Access the files directly in the Azure file share itself. This might be suitable for short-term access while a new server is being provisioned. Therefore, the solution meets the goal of being able to recover Server1 files from Azure in the event of a failure. The files are replicated to Azure.

Answer 76

The answer is Yes. Here's why: Azure Backup Overview: Azure Backup is a service that backs up your data to Azure. It can be used to protect a wide variety of workloads, including on-premises Windows Servers. Protection Against Server Failure: By installing the Azure Backup agent on Server1 and performing a successful backup to a Recovery Services vault, you have created a backup copy of Server1's data in Azure. If Server1 fails, you can use Azure Backup to restore the files to a new server or even to the same server (after it's repaired/replaced).

Answer 77

The answer is No. Here's why: Registering Windows Admin Center in Azure: Registering Windows Admin Center in Azure allows you to manage your on-premises servers from the Azure portal. It provides a centralized management interface. This in itself, does not provide the capability to recover files to Azure. Configuring Azure Backup in Windows Admin Center: Configuring Azure Backup from Windows Admin Center is the critical point. If you configure Azure Backup on your server through the Windows Admin Center, you are then utilizing Azure Backup to store the data in Azure. Without Azure Backup: If you are not utilizing Azure Backup, and you simply register Windows Admin Center in Azure, your backups are still in your Server1 environment, and this does not meet the goal.

Answer 78

Here's the breakdown of the correct selections: Integrate Active Directory and Azure AD by using: Password hash synchronization with Azure AD Seamless SSO Password hash synchronization: This is a critical requirement as it allows Azure AD to enforce policies like sign-in hours, which are based on Active Directory attributes. Password hash sync allows Azure AD to have a representation of the on-premises passwords, enabling it to work with Conditional Access policies that need on-premises user information. Password hash synchronization is also the simplest method. Azure AD Seamless SSO: Seamless SSO provides a better user experience by automatically signing users in when they are on their corporate network and using corporate devices, without prompting for their passwords. This complements password hash synchronization and enhances the user experience. Implement MFA by using: Azure MFA Azure MFA: Azure Multi-Factor Authentication (MFA) is the native solution in Azure for enforcing multi-factor authentication. It integrates directly with Azure AD and is the most straightforward and maintainable solution for requiring MFA for Azure AD-integrated apps. Here's why the other options are incorrect: Active Directory Federation Services (AD FS): AD FS is a more complex solution for federated identity, but it's not required in this scenario. Password hash synchronization with Seamless SSO provides the necessary functionality with significantly less infrastructure and management overhead. AD FS is useful when more complex trust relationships or authentication methods are required, but the requirements here don't warrant the added complexity of AD FS. Also, AD FS cannot report on leaked credentials. Pass-through authentication with Azure AD Seamless SSO: While pass-through authentication simplifies the sign-in experience, it doesn't allow Azure AD to enforce policies like sign-in hours based on Active Directory attributes. Azure AD needs to have synchronized password hashes to enforce AD policies, which pass-through authentication does not provide. A third-party authentication solution: Using a third-party authentication solution would add unnecessary complexity and management overhead. Azure MFA is the built-in solution and meets the requirements. The Active Directory Federation Services (AD FS) Azure MFA adapter: This option is only relevant if you are using AD FS. Since the recommended solution is to use password hash synchronization with Seamless SSO and Azure MFA, the AD FS adapter is not applicable.

Answer 79

The correct answer is network security groups (NSGs) with service tags. Here's why: NSGs and Service Tags for Source Filtering: Network Security Groups (NSGs) are used to filter network traffic to and from Azure resources. Service tags represent a group of IP address prefixes from a given Azure service. By using service tags in your NSG rules, you can easily allow traffic from Azure Front Door while blocking all other traffic. Service Tag: AzureFrontDoor.Backend: Azure Front Door has a service tag named AzureFrontDoor.Backend. This service tag represents the IP address ranges used by Azure Front Door's backend services. You can create an NSG rule that allows inbound traffic from AzureFrontDoor.Backend and denies all other inbound traffic. This will ensure that only traffic originating from Azure Front Door can reach your virtual machines. Here's why the other options are incorrect: Azure Private Link: Azure Private Link provides private connectivity to Azure PaaS services from your virtual network. While it enhances security by removing exposure to the public internet, it's not directly applicable to ensuring that traffic only comes from Azure Front Door. Private Link is more relevant when you want to access a service from within your VNet without using public endpoints. Service endpoints: Service endpoints provide secure and direct connectivity from your virtual network to Azure service resources. Similar to Private Link, they don't directly address the requirement of restricting traffic to only come from Azure Front Door. They are for connecting to service resources, not filtering traffic sources. Network security groups (NSGs) with application security groups: Application security groups (ASGs) group VMs with similar functions together. While you can use ASGs in NSG rules, they don't help you filter traffic based on the source of the traffic (i.e., ensuring it only comes from Azure Front Door).

Answer 80

Final Answer: The two correct actions are: From KV1, create a certificate issuer resource. Obtain the CA account credentials. Explanation of Correctness: Certificate Issuer Resource: This establishes the link between KV1 and the external CA, defining how KV1 communicates with the CA. It’s a one-time setup that enables automation by specifying the CA provider and credentials. Without this, KV1 cannot initiate certificate requests or renewals. CA Account Credentials: These are required to authenticate KV1 to the external CA, allowing it to request certificates and manage their lifecycle automatically. This is a prerequisite for the issuer resource to function effectively in an automated provisioning scenario.

Answer 81

The two values that need to be modified before creating the role definition are: AssignableScopes Id Here's why: AssignableScopes: This property defines where the custom role can be assigned. You must specify at least one scope (e.g., subscription, resource group) to make the role useful. Without an assignable scope, the role cannot be assigned to any user, group, or service principal. This is the most critical change required. Id: This property must be a unique GUID. The provided GUID "80808080-8080-8080-8080-808080808080" is likely a placeholder or a default and will cause a conflict if you try to create another role with the same ID. Azure will generate a GUID for you, or you can generate one yourself (using New-Guid in PowerShell, for example) to ensure uniqueness. Here's why the other options are not required to be modified, though some could be: Description: While a description is recommended for clarity, it's not mandatory for creating the role. You can leave it as an empty string ("") if you choose. DataActions: This property is for specifying actions that can be performed on data within a resource (e.g., reading blob data, sending a message to a queue). Since the current role primarily grants management plane access, the DataActions property is left empty, which is perfectly valid if the role doesn't need to manage data actions. IsCustom: The value should be set to true when the role is customer created. The value in the presented code, is set to false. In summary: AssignableScopes must be set to define where the role can be assigned. Id must be a unique GUID to avoid conflicts with existing roles.

Answer 82

The correct answer is: Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com. Here's why: Azure AD Tenants and Access Control: Azure AD tenants are isolated security boundaries. To grant users from one tenant (contoso.onmicrosoft.com) access to resources in another tenant (contosoazure.onmicrosoft.com), you need to create a representation of those users in the target tenant. The standard way to do this is by creating guest accounts. Guest Accounts: Guest accounts are B2B (Business-to-Business) collaboration accounts in Azure AD. They allow users from external Azure AD tenants or other identity providers to access resources in your Azure AD tenant. Here's why the other options are incorrect: Create an Azure management group that contains Subscription1: Management groups are used for organizing and managing Azure subscriptions and resources. While management groups are useful for setting policies and assigning roles at a higher level, they don't solve the fundamental problem of cross-tenant identity and access management. Creating a management group will not automatically grant access to users in another tenant. Configure contoso.onmicrosoft.com to use pass-through authentication: Pass-through authentication is an authentication method that allows users to sign in to Azure AD-integrated applications using the same password they use on their on-premises Active Directory. While pass-through authentication can simplify sign-in, it doesn't resolve the issue of users needing a representation in the contosoazure.onmicrosoft.com tenant to be granted access to resources. The users still do not exist in the Azure AD. Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com: Setting up AD FS federation is overly complex for this scenario. Federation is useful when you need to establish a trust relationship between two organizations to allow users to seamlessly access resources across both organizations using their existing credentials. Guest accounts with B2B collaboration are much simpler to set up and maintain for granting access to resources in a different Azure AD tenant.

Answer 83

The correct answer is shared access signature (SAS) tokens. Here's why: Shared Access Signatures (SAS): SAS tokens provide granular, time-bound, and secure access to specific resources in Azure Storage. You can create a SAS token that grants read-only access to the content for a specific duration (in this case, seven days). The SAS token includes all the necessary authorization information, so the application doesn't need to store any credentials. Controlling Access Duration: One of the key benefits of SAS tokens is that you can specify the start and expiry time for the access. This perfectly fulfills the requirement of allowing users to download content only for seven days. Here's why the other options are incorrect: Identity-based authentication that uses Active Directory Domain Services (AD DS): AD DS is an on-premises directory service. While you can integrate AD DS with Azure, using it directly for storage access would be more complex and less suitable for this scenario, which requires time-limited access. AD DS authentication is typically used for VMs and servers, but not directly for user-specific storage access. Storage access key: Storage account access keys provide full access to the entire storage account. Sharing the storage access key would be a significant security risk, and it doesn't allow you to control the access duration or the specific resources that the users can access. Identity-based authentication that uses Azure Active Directory (Azure AD): Azure AD authentication provides identity-based access to Azure resources. While it's a more secure approach than using storage access keys, it requires creating and managing user identities in Azure AD, and it doesn't provide a built-in mechanism for limiting the access duration. You would need to implement additional logic in your application to enforce the seven-day limit. Using SAS, the Azure storage automatically expires the token without requiring any code.

Answer 84

Here's the breakdown of the correct selections: Azure service type: An app service The question states you are migrating a web app named App1. The Azure App Service is designed to host web applications. Azure Migrate can be used to migrate on-premises web applications to Azure App Service. During the migration, provide: A personal access token (PAT) When migrating to Azure App Service using Azure Migrate, you'll need to provide credentials to access the source web app (in this case, on-premises Server1). A Personal Access Token (PAT) can be used to authenticate to a deployment source (like an on-premises web server) during the migration process. Here's why the other options are incorrect: A logic app: Logic Apps are designed for automating workflows and integrating applications, but they are not the correct type of service for hosting a web application directly. A virtual machine: While you could migrate App1 to an Azure virtual machine, it would be less efficient and cost-effective than using Azure App Service, which is optimized for hosting web apps. App Service abstracts away much of the infrastructure management required with VMs. A container instance: Container Instances are useful for running isolated containers, but they're generally not used for directly migrating existing web applications that are already running on a web server. Container Instances are better suited for containerized applications or microservices. The device code: Device code authentication is typically used for headless devices or applications without a browser to authenticate with Azure Active Directory. An X.509 certificate: While X.509 certificates are used for securing communications and authenticating to resources, they're not the typical credential type used during an Azure Migrate migration.

Answer 85

The correct answer is Identity1 and Identity3 only. Here's why: User-assigned managed identities must reside in the same Azure region as the virtual machine they are assigned to. VM1 Location: West US Identity1 Location: West US (Same region as VM1) - Therefore, it can be assigned. Identity2 Location: Central US (Different region from VM1) - Therefore, it cannot be assigned. Identity3 Location: West US (Same region as VM1) - Therefore, it can be assigned. While user-assigned managed identities can be in a different resource group than the resource to which they are assigned, they cannot be in a different region.

Answer 86

The correct answer is Add a managed identity to WebApp1. Here's why: Managed Identities for Azure Resources: Managed identities provide an Azure service (like a web app) with an automatically managed identity in Azure Active Directory (Azure AD). This allows the service to authenticate to other Azure services (like Key Vault) without needing to embed credentials in the code or configuration. Key Vault Access Control: Key Vault uses Azure AD for authentication. You grant access to Key Vault by assigning permissions to Azure AD identities. By enabling a managed identity for WebApp1, you can then grant that identity the appropriate permissions (e.g., Get Secret) on KV1. Here's why the other options are not the correct solution: Change to a Standard App Service plan: While upgrading to a Standard App Service plan provides more resources and features, it's not directly related to granting WebApp1 permissions to Key Vault. The managed identity feature is the key to secure authentication. Add a certificate to WebApp1: Adding a certificate to WebApp1 might be needed for HTTPS communication, but doesn't grant WebApp1 permission to access Key Vault. Certificates handle secure communication, not service-to-service authentication. Change to a Basic App Service plan: The same logic applies to the Basic app service plan. Upgrading or downgrading the service plan is not the correct way to solve the authentication problem. In fact, Managed Identities are supported in the Basic App Service plan (and higher).

Answer 87

Here's the breakdown of the correct selections: To enable Update Management, modify: the Azure Automation account Update Management is a feature of Azure Automation. To enable it, you need to enable the Update Management solution in your Azure Automation account. To deploy the required agents to the virtual machines, use: An Azure Automation account The Log Analytics agent (MMA) is required to enable the Update Management, however, the process to enable the Update Management solution is performed in the Azure Automation Account. Here's why the other options are incorrect: The Log Analytics workspace: A Log Analytics workspace is where the logs and data collected by Update Management are stored, but you don't modify it to enable the feature itself. It is a destination not a configuration point. The Azure Sentinel workbook: Azure Sentinel is a cloud-native SIEM (Security Information and Event Management) platform. While Sentinel can consume logs from Update Management, you don't enable Update Management or deploy agents through Sentinel.