ExamTopics P5
Q142: To complete the sentence, select the appropriate option in the answer area. An Azure Policy initiative is a ... A. ... collection of policy definitions B. ... collection of Azure Policy definition assignments C. ... group of Azure Blueprints definitions D. ... group of role-based access control (RBAC) role assignments
Correct Answer: A
Q132: Your company implements ... A. Azure policies B. DDoS protection C. Azure Information Protection D. Azure AD Identity Protection ... to automatically add a watermark to Microsoft Word documents that contain credit card information.
Correct Answer: C Azure Information Protection is used to automatically add a watermark to Microsoft Word documents that contain credit card information. You use Azure Information Protection labels to apply classification to documents and emails. When you do this, the classification is identifiable regardless of where the data is stored or with whom it's shared. The labels can include visual markings such as a header, footer, or watermark. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations. In this question, we would configure a label to be automatically applied to Microsoft Word documents that contain credit card information. The label would then add the watermark to the documents.
Q136: This question requires that you evaluate the underlined text to determine if it is correct. From Azure Cloud Shell, you can track your company's regulatory standards and regulations, such as ISO 27001. Instructions: Review the underlined text. If it makes the statement correct, select "No change is needed." If the statement is incorrect, select the answer choice that makes the statement correct. A. No change is needed. B. the Microsoft Cloud Partner Portal C. Compliance Manager D. the Trust Center
Correct Answer: C Microsoft Compliance Manager (Preview) is a free workflow-based risk assessment tool that lets you track, assign, and verify regulatory compliance activities related to Microsoft cloud services. Azure Cloud Shell, on the other hand, is an interactive, authenticated, browser-accessible shell for managing Azure resources.
Q126: You create a resource group named RG1 in Azure Resource Manager. You need to prevent the accidental deletion of the resources in RG1. Which setting should you use? To answer, select the appropriate setting in the answer area. A. Quickstart B. Resource costs C. Deployments D. Policies E. Properties F. Locks G. Automation script
Correct Answer: F (Locks) You can configure a lock on a resource group to prevent the accidental deletion. As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively. ✑ CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource. ✑ ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Q125: Which service provides network traffic filtering across multiple Azure subscriptions and virtual networks? A. Azure Firewall B. An application security group C. Azure DDoS protection D. A network security group (NSG)
Correct Answer: A You can restrict traffic to multiple virtual networks in multiple subscriptions with a single Azure firewall. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network.
Q138: The ... A. Microsoft Online Services Privacy Statement B. Microsoft Online Services Terms C. Microsoft Online Service Level Agreement D. Online Subscription Agreement for Microsoft Azure ... explains what data Microsoft processes, how Microsoft processes the data, and the purpose of processing the data.
Correct Answer: A. The Microsoft Privacy Statement explains what personal data Microsoft processes, how Microsoft processes the data, and the purpose of processing the data.
Q144: Your Azure environment contains multiple Azure virtual machines. You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP. What is the best solution? A. Modify an Azure Traffic Manager profile B. Modify a network security group (NSG) C. Modify a DDoS protection plan D. Modify an Azure firewall
Correct Answer: B A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the virtual network. You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security groups within a virtual network to restrict traffic between resources such as virtual machines and subnets. You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. In this question, we need to add a rule to the network security group to allow the connection to the virtual machine on port 80 (HTTP).
Q140: To complete the sentence, select the appropriate option in the answer area. A. Authorization B. Authentication C. Federation D. Ticketing ... is the process of verifying a user's credentials.
Correct Answer: B Authentication, not authorization is the process of verifying a user's credentials. The difference between authentication and authorization is: ✑ Authentication is proving your identity, proving that you are who you say you are. The most common example of this is logging in to a system by providing credentials such as a username and password. ✑ Authorization is what you're allowed to do once you've been authenticated. For example, what resources you're allowed to access and what you can do with those resources.
Q129: What can Azure Information Protection encrypt? A. Network traffic B. Documents and email messages C. An Azure Storage account D. An Azure SQL database
Correct Answer: B Azure Information Protection can encrypt documents and emails. Azure Information Protection is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations. The protection technology uses Azure Rights Management (often abbreviated to Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory. This protection technology uses encryption, identity, and authorization policies. Similarly to the labels that are applied, protection that is applied by using Rights Management stays with the documents and emails, independently of the location inside or outside your organization, networks, file servers, and applications.
Q135: Your company has an Azure subscription that contains resources in several regions. A company policy states that administrators must only be allowed to create additional Azure resources in a region in the country where their office is located. You need to create the Azure resource that must be used to meet the policy requirement. What should you create? A. A read-only lock B. An Azure policy C. A management group D. A reservation
Correct Answer: B Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non- compliance with assigned policies. All data stored by Azure Policy is encrypted at rest. Azure Policy offers several built-in policies that are available by default. In this question, we would use the "Allowed Locations" policy to define the locations where resources can be deployed.
Q122: Your network contains an Active Directory forest. The forest contains 5,000 user accounts. Your company plans to migrate all network resources to Azure and to decommission the on-premises data center. You need to recommend a solution to minimize the impact on users after the planned migration. What should you recommend? A. Implement Azure Multi-Factor Authentication (MFA) B. Sync all the Active Directory user accounts to Azure Active Directory (Azure AD) C. Instruct all users to change their password D. Create a guest user account in Azure Active Directory (Azure AD) for each user
Correct Answer: B To migrate to Azure and decommission the on-premises data center, you would need to create the 5,000 user accounts in Azure Active Directory. The easy way to do this is to sync all the Active Directory user accounts to Azure Active Directory (Azure AD). You can even sync their passwords to further minimize the impact on users. The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronize identity data between your on-premises environment and Azure AD.
Q121: This question requires that you evaluate the underlined text to determine if it is correct. Resource groups provide organizations with the ability to manage the compliance of Azure resources across multiple subscriptions. Instructions: Review the underlined text. If it makes the statement correct, select "No change is needed". If the statement is incorrect, select the answer choice that makes the statement correct. A. No change is needed B. Management groups C. Azure policies D. Azure App Service plans
Correct Answer: C Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non- compliance with assigned policies. All data stored by Azure Policy is encrypted at rest. For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance.
Q127: Which Azure service should you use to store certificates? A. Azure Security Center B. an Azure Storage account C. Azure Key Vault D. Azure Information Protection
Correct Answer: C Azure Key Vault is a secure store for storage various types of sensitive information including passwords and certificates. Azure Key Vault can be used to Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated. Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication establishes the identity of the caller, while authorization determines the operations that they are allowed to perform.
Q130: What should you use to evaluate whether your company's Azure environment meets regulatory requirements? A. The Knowledge Center website B. The Advisor blade from the Azure portal C. Compliance Manager from the Service Trust Portal D. The Solutions blade from the Azure portal
Correct Answer: C Compliance Manager in the Service Trust Portal is a workflow-based risk assessment tool that helps you track, assign, and verify your organization's regulatory compliance activities related to Microsoft Cloud services, such as Microsoft 365, Dynamics 365, and Azure.
Q147: To complete the sentence, select the appropriate option in the answer area. You deploy an Azure resource. The resource becomes unavailable for an extended period due to a service outage. Microsoft will ... A. ... refund your bank account B. ... migrate the resource to another subscription C. ... credit your Azure account D. ... send you a coupon code that you can redeem for Azure credits
Correct Answer: C If the SLA for an Azure service is not met, you receive credits for that service and that service only. The credits are deducted from your monthly bill for that service. If you stopped using the service where the SLA was not met, your account would remain in credit for that service. The credits would not be applied to any other services that you may be using. Service Credits apply only to fees paid for the particular Service, Service Resource, or Service tier for which a Service Level has not been met. In cases where Service Levels apply to individual Service Resources or to separate Service tiers, Service Credits apply only to fees paid for the affected Service Resource or Service tier, as applicable. The Service Credits awarded in any billing month for a particular Service or Service Resource will not, under any circumstance, exceed your monthly service fees for that Service or Service Resource, as applicable, in the billing month.
Q133: You have an Azure virtual network named VNET1 in a resource group named RG1. You assign the Azure Policy definition of "Not Allowed Resource Type" and specify that virtual networks are not an allowed resource type in RG1. What happens then? => VNET1 ... A. ... is deleted automatically B. ... is moved automatically to another resource group C. ... continues to function normally D. ... is now a read-only object
Correct Answer: C The VNet will be marked as "Non-compliant" when the policy is assigned. However, it will not be deleted and will continue to function normally. Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. If there are any existing resources that aren't compliant with a new policy assignment, they appear under Non-compliant resources.
Q124: To complete the sentence, select the appropriate option in the answer area. A. From Azure Access Control IAM ... B. From Azure Event Hubs ... C. From Azure Activity Log ... D. From Azure Service Health ... ... you can view which user turned off a specific virtual machine during the last 14 days.
Correct Answer: C You would use the Azure Activity Log, not Access Control to view which user turned off a specific virtual machine during the last 14 days. Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn't more than 90 days in the past. In this question, we would create a filter to display shutdown operations on the virtual machine in the last 14 days.
Q128: You have a resource group named RG1. You plan to create virtual networks and app services in RG1. You need to prevent the creation of virtual machines only in RG1. What should you use? A. A lock B. An Azure role C. A tag D. An Azure policy
Correct Answer: D Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. In this question, we would create an Azure policy assigned to the resource group that denies the creation of virtual machines in the resource group. You could place a read-only lock on the resource group. However, that would prevent the creation of any resources in the resource group, not virtual machines only. Therefore, an Azure Policy is a better solution.
Q141: You need to configure an Azure solution that meets the following requirements: ✑ Secures websites from attacks ✑ Generates reports that contain details of attempted attacks What should you include in the solution? A. Azure Firewall B. A network security group (NSG) C. Azure Information Protection D. DDoS protection
Correct Answer: D DDoS is a type of attack that tries to exhaust application resources. The goal is to affect the application's availability and its ability to handle legitimate requests. DDoS attacks can be targeted at any endpoint that is publicly reachable through the Internet. Azure has two DDoS service offerings that provide protection from network attacks: DDoS Protection Basic and DDoS Protection Standard. DDoS Basic protection is integrated into the Azure platform by default and at no extra cost. You have the option of paying for DDoS Standard. It has several advantages over the basic service, including logging, alerting, and telemetry. DDoS Standard can generate reports that contain details of attempted attacks as required in this question.
Q145: To complete the sentence, select the appropriate option in the answer area. You can enable just in time (JIT) VM access by using ... A. ... Azure Bastion B. ... Azure Firewall C. ... Azure Front Door D. ... Azure Security Center
Correct Answer: D The just-in-time (JIT) virtual machine (VM) access feature in Azure Security Center allows you to lock down inbound traffic to your Azure Virtual Machines. This reduces exposure to attacks while providing easy access when you need to connect to a VM.
Q150: Your company plans to migrate to Azure. The company has several departments. All the Azure resources used by each department will be managed by a department administrator. What are two possible techniques to segment Azure for the departments? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. Multiple subscriptions B. Multiple Azure Active Directory (Azure AD) directories C. Multiple regions D. Multiple resource groups
Correct Answers: AD An Azure subscription is a container for Azure resources. It is also a boundary for permissions to resources and for billing. You are charged monthly for all resources in a subscription. A single Azure tenant (Azure Active Directory) can contain multiple Azure subscriptions. A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. To enable each department administrator to manage the Azure resources used by that department, you will need to create a separate subscription per department. You can then assign each department administrator as an administrator for the subscription to enable them to manage all resources in that subscription.
Q148: For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Q1: All Azure services in private preview must be accessed by using a separate Azure portal. Yes or No? ----- Q2: Azure services in public preview can be used in production environments. Yes or no? ----- Q3: Azure servieces in public preview are subject to a SLA. Yes or No?
Public Preview means that the service is in public beta and can be tried out by anyone with an Azure subscription. Services in public preview are often offered at a discount price. Q1: No - Services in private preview can be viewed in the regular Azure portal. However, you need to be signed up for the feature in private preview before you can view it. Access to private preview features is usually by invitation only. Q2: Yes - You can use services in public preview in production environments. However, you should be aware that the service may have faults, is not subject to an SLA and may be withdrawn without notice. Q3: No - Public previews are excluded from SLAs and in some cases, no support is offered.
Q149: For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Q1: A Standard support plan is included in an Azure free account. Yes or No? ----- Q2: A Premier support plan can only be purchased by companies that have an Enterprise Agreement (EA). Yes or No? ----- Q3: Support from MSDN forums is only provided to companies that have a pay-as-you-go subcription. Yes or No?
Q1: No - An Azure free account comes with a "˜basic' support plan, not a "˜standard' support plan. Q2: Yes - You can purchase the Professional Direct, Standard, and Developer support plans with the Microsoft Customer Agreement. You can also purchase the Professional and Standard support plans with the Enterprise Agreement. Q3: No - Users with any type of Azure subscription (pay-as-you-go, Enterprise Agreement, Microsoft Customer Agreement etc.) can get support from the MSDN forums.
Q131: For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Q1: Azure Advisor can generate a list of Azure virtual machines that are protected by Azure Backup. Yes or No? ----- Q2: If you implement the security recommendations by Azure Advisor, your company's secure score will decrease. Yes or No? ----- Q3: To maintain Microsoft support, you must implement the security recommendations provided by Azure Advisor within a period of 30 days. Yes or No?
Q1: No - Azure Advisor does not generate a list of virtual machines that ARE protected by Azure Backup. Azure Advisor does however, generate a list of virtual that ARE NOT protected by Azure Backup. You can view a list of virtual machines that are protected by Azure Backup by viewing the Protected Items in the Azure Recovery Services Vault. Q2: No - If you implement the security recommendations, you company's score will increase, not decrease. Q3: No - There is no requirement to implement the security recommendations provided by Azure Advisor. The recommendations are just that, "recommendations". They are not "requirements".
Q134: For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Q1: Azure Firewall will encrypt all the network traffic sent from Azure to the Internet. Yes or No? ----- Q2: A network security group (NSG) will encrypt all the network traffic sent from Azure to the Internet. Yes or No? ----- Q3: Azure Virtual Machines that run Windows Server 2016 can encrypt network traffic sent to the Internet. Yes or No?
Q1: No - Azure firewall does not encrypt network traffic. It is used to block or allow traffic based on source/destination IP address, source/destination ports and protocol. Q2: No - A network security group does not encrypt network traffic. It works in a similar way to a firewall in that it is used to block or allow traffic based on source/ destination IP address, source/destination ports and protocol. Box 3: No - The question is rather vague as it would depend on the configuration of the host on the Internet. Windows Server does come with a VPN client and it also supports other encryption methods such IPSec encryption or SSL/TLS so it could encrypt the traffic if the Internet host was configured to require or accept the encryption. However, the VM could not encrypt the traffic to an Internet host that is not configured to require the encryption.
Q137: For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Q1: You can create Group Policies in Azure AD. Yes or No? ----- Q2: You can join Windows 10 devices to Azure AD. Yes or No? ----- Q3: You can join Android devices to Azure AD. Yes or No?
Q1: Yes Q2: Yes Q3: No, Azure AD join only applies to Windows 10 devices
Q139: For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Q1: Azure Security Center can monitor Azure resources and on-premises resources. Yes or No? ----- Q2: All Azure Security Center features are free. Yes or No? ----- Q3: From Azure Security Center, you can download a Regulatory Compliance Report. Yes or No?
Q1: Yes - Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises. Q2: No - Only two features: Continuous assessment and security recommendations, and Azure secure score, are free. Q3: Yes - The advanced monitoring capabilities in Security Center also let you track and manage compliance and governance over time. The overall compliance provides you with a measure of how much your subscriptions are compliant with policies associated with your workload.
Q146: For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Q1: In Azure AD Premium P2, at least 99.9% availability is guaranteed. Yes or No? ----- Q2: The SLA for Azure AD Premium P2 is the same as the SLA for Azure AD Free. Yes or No? ----- Q3: All paying Azure customers receive a credit if their monthly uptime percentage is below the guaranteed amount in the SLA. Yes or No?
Q1: Yes - Microsoft guarantee at least 99.9% availability of the Azure Active Directory Premium edition services. The services are considered available in the following scenarios: ✑ Users are able to login to the service, login to the Access Panel, access applications on the Access Panel and reset passwords. ✑ IT administrators are able to create, read, write and delete entries in the directory or provision or de-provision users to applications in the directory. Q2: No - No SLA is provided for the Free tier of Azure Active Directory. Q3: Yes - You can claim credit if the availability falls below the SLA. The amount of credit depends on the availability. For example: You can claim 25% credit if the availability is less than 99.9%, 50% credit for less than 99% and 100% for less than 95% availability.
Q123: For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Q1: You can configure the Azure AD activity logs to appear in Azure Monitor. Yes or No? ----- Q2: From Azure Monitor, you can monitor resources across multiple Azure subscriptions. Yes or No? ----- Q3: From Azure Monitor, you can create alerts. Yes or No?
Q1: Yes - You can send Azure AD activity logs to Azure Monitor logs to enable rich visualizations, monitoring and alerting on the connected data. All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs (including Azure AD activity logs). Activity logs record when resources are created or modified. Metrics tell you how the resource is performing and the resources that it's consuming. Q2: Yes - Azure Monitor can consolidate log entries from multiple Azure resources, subscriptions, and tenants into one location for analysis together. Q3: Yes - You can create alerts in Azure Monitor. Alerts in Azure Monitor proactively notify you of critical conditions and potentially attempt to take corrective action. Alert rules based on metrics provide near real time alerting based on numeric values, while rules based on logs allow for complex logic across data from multiple sources.
Q143: You plan to implement several security services for an Azure environment. You need to identify which Azure services must be used to meet the following security requirements: ✑ Monitor threats by using sensors ✑ Enforce Azure Multi-Factor Authentication (MFA) based on a condition Which Azure service should you identify for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Monitor threats by using sensors ... A. Azure Monitor B. Azure Security Center C. Azure AD Identity Protection D. Azure Advanced Threat Protection (ATP) Enforce Azure MFA based on a condition ... A. Azure Monitor B. Azure Security Center C. Azure AD Identity Protection D. Azure Advanced Threat Protection (ATP)
Question 1: D To monitor threats by using sensors, you would use Azure Advanced Threat Protection (ATP). Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Sensors are software packages you install on your servers to upload information to Azure ATP. Question 2: C To enforce MFA based on a condition, you would use Azure Active Directory Identity Protection. Azure AD Identity Protection helps you manage the roll-out of Azure Multi-Factor Authentication (MFA) registration by configuring a Conditional Access policy to require MFA registration no matter what modern authentication app you are signing in to.