104 My notes
Your company has an Azure Active Directory (Azure AD) subscription. You need to deploy five virtual machines (VMs) to your company's virtual network subnet. The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be identical. Which of the following is the least amount of security groups needed for this configuration
1 all identical security groups so you will only require 1 security group as all the settings are the same
Your company has an Azure subscription. You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set. You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance. Which of the following is the value that you should configure for the platformUpdateDomainCount property
20 - Resource Manager Deployments can then be increased to provide up to 20 update domains
Your company has an Azure Active Directory (Azure AD) subscription. You need to deploy five virtual machines (VMs) to your company's virtual network subnet. The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be identical. Which of the following is the least amount of network interfaces needed for this configuration
5 5 VM so 5 NIC Cards we have public and private IP address set to them, however they needs same inbound and outbound rule so create NSG and attach to NIC and this req can be fulfilled 5 NIC
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #60 Topic 3 You have an Azure subscription named Subscription1. You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job. What can you use as the destination of the imported data
A. Azure Blob Storage
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #38 Topic 3 You have an Azure subscription named Subscription1. You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job. What can you use as the destination of the imported data
A. Azure File Storage
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #26 Topic 3 You have an Azure subscription that contains an Azure Storage account. You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL Server instance that requires persistent storage. You need to configure a storage service for Container1. What should you use
A. Azure Files
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #40 Topic 2 You have an Azure DNS zone named adatum.com. You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure. What should you do
A. Create an NS record named research in the adatum.com zone. An NS record or (name server record) tells recursive name servers which name servers are authoritative for a zone. You can have as many NS records as you would like in your zone file. The benefit of having multiple NS records is the redundancy of your DNS service. You need to create a name server (NS) record for the zone.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #13 Topic 2 You sign up for Azure Active Directory (Azure AD) Premium P2. You need to add a user named [email protected] as an administrator on all the computers that will be joined to the Azure AD domain. What should you configure in Azure AD
A. Device settings from the Devices blade When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local administrators group on the device: ✑ The Azure AD global administrator role ✑ The Azure AD device administrator role ✑ The user performing the Azure AD join In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page: 1. Sign in to your Azure portal as a global administrator or device administrator. 2. On the left navbar, click Azure Active Directory. 3. In the Manage section, click Devices. 4. On the Devices page, click Device settings. 5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #55 Topic 2 You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a file share named share1. The subscription is linked to a hybrid Azure Active Directory (Azure AD) tenant that contains a security group named Group1. You need to grant Group1 the Storage File Data SMB Share Elevated Contributor role for share1. What should you do first
A. Enable Active Directory Domain Service (AD DS) authentication for storage1. By enabling AD DS authentication, you allow Azure AD security groups to be used for granting access control to file shares in the storage account. This enables you to assign roles, such as the Storage File Data SMB Share Elevated Contributor role, to the security group Group1 for the specific file share share1.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #38 Topic 2 You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1. VM1 runs services that will be used to deploy resources to RG1. You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1. What should you do first
A. From the Azure portal, modify the Managed Identity settings of VM1 Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. You can enable and disable the system-assigned managed identity for VM using the Azure portal. Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts. You purchase 10 Azure AD Premium P2 licenses for the tenant. You need to ensure that 10 users can use all the Azure AD Premium features. What should you do
A. From the Licenses blade of Azure AD, assign a license
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #34 Topic 3 You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2. VM2 is backed up to RSV1. You need to back up VM2 to RSV2. What should you do first
A. From the RSV1 blade, click Backup items and stop the VM2 backup
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #29 Topic 2 You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The User administrator role is assigned to a user named Admin1. An external partner has a Microsoft account that uses the [email protected] sign in. Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: `Unable to invite user [email protected] `" Generic authorization exception.` You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant. What should you do
A. From the Users settings blade, modify the External collaboration settings.
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com. You add contoso.com as a custom domain name to Azure AD. You need to ensure that Azure can verify the domain name. Which type of DNS record should you create
A. MX B. NSEC C. PTR D. RRSIG Correct Answer: A To verify your custom domain name (example) On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type. Note: There are several versions of this Question in the exam. The Question can have two correct answers: 1. MX 2. TXT
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #46 Topic 3 You have an Azure subscription. In the Azure portal, you plan to create a storage account named storage1 that will have the following settings: ✑ Performance: Standard ✑ Replication: Zone-redundant storage (ZRS) ✑ Access tier (default): Cool ✑ Hierarchical namespace: Disabled You need to ensure that you can set Account kind for storage1 to BlockBlobStorage. Which setting should you modify first
A. Performance
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #61 Topic 2 You have two Azure subscriptions named Sub1 and Sub2. An administrator creates a custom role that has an assignable scope to a resource group named RG1 in Sub1. You need to ensure that you can apply the custom role to any resource group in Sub1 and Sub2. The solution must minimize administrative effort. What should you do
A. Select the custom role and add Sub1 and Sub2 to the assignable scopes. Remove RG1 from the assignable scopes.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #51 Topic 2 You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group. Solution: On Dev, you assign the Logic App Contributor role to the Developers group. Does this meet the goal
A. Yes Answer "Yes" is correct. Logic App Contributor role will allow you to create Logic Apps. See here: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #33 Topic 2 You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription. Solution: You assign the Network Contributor role at the subscription level to Admin1. Does this meet the goal
A. Yes Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #34 Topic 2 You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription. Solution: You assign the Owner role at the subscription level to Admin1. Does this meet the goal
A. Yes Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #35 Topic 2 You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription. Solution: You assign the Reader role at the subscription level to Admin1. Does this meet the goal
A. Yes Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1. You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days. Which two groups should you create
A. a Microsoft 365 group that uses the Assigned membership type C. a Microsoft 365 group that uses the Dynamic User membership type Option A: Creating a Microsoft 365 group using the Assigned membership type allows you to manually assign users (User1, User2, and User3) to the group. This type of group is suitable when you want to have control over the membership and manually manage who belongs to the group. Option C: Creating a Microsoft 365 group using the Dynamic User membership type allows you to define dynamic membership rules based on user attributes such as department, job title, or other attributes
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #26 Topic 2 You have an Azure subscription. Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs. You have a line-of-business-app named App1 that runs on several Azure virtual machine. The virtual machines run Windows Server 2016. You need to ensure that the connections to App1 are spread across all the virtual machines. What are two possible Azure services that you can use
A. an internal load balancer E. an Azure Application m the VPN gateway is routed to the cloud application through an internal load balancer. The load balancer is located in the front-end subnet of the application.
Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory domain. You plan to deploy several new virtual machines (VMs) in Azure. The VMs will have the same operating system and custom software requirements. You configure a reference VM in the on-premise virtual environment. You then generalize the VM to create an image. You need to upload the image to Azure to ensure that it is available for selection when you create the new Azure VMs. Which PowerShell cmdlets should you use
Add-AzVhd The Add-AzVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a blob storage account as fixed virtual hard disks.
You have downloaded an Azure Resource Manager (ARM) template to deploy numerous virtual machines (VMs). The ARM template is based on a current VM, but must be adapted to reference an administrative password. You need to make sure that the password cannot be stored in plain text. You are preparing to create the necessary components to achieve your goal. Which of the following should you create to achieve your goal
An Azure KV An Access Policy
You administer a solution in Azure that is currently having performance issues. You need to find the cause of the performance issues pertaining to metrics on the Azure infrastructure. Which of the following is the tool you should use
Azure Monitor Azure Monitor is the tool used to collect and analyze performance metrics and logs in Azure. It provides insights into the performance of Azure resources, applications, and workloads, and helps identify and troubleshoot issues related to availability, performance, and security. Azure Traffic Analytics is used to monitor and analyze network traffic, Azure Activity Log provides insights into activities performed on Azure resources, and Azure Advisor provides recommendations for improving the performance, security, and reliability of Azure resources.
You have an Azure subscription. You have 100 Azure virtual machines. You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering. Which blade should you use
B. Advisor Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #56 Topic 2 You have 15 Azure subscriptions. You have an Azure Active Directory (Azure AD) tenant that contains a security group named Group1. You plan to purchase additional Azure subscription. You need to ensure that Group1 can manage role assignments for the existing subscriptions and the planned subscriptions. The solution must meet the following requirements: ✑ Use the principle of least privilege. ✑ Minimize administrative effort. What should you do
B. Assign Group1 the User Access Administrator role for the root management group. The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription. Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have. Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #76 Topic 2 You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles: • Reader • Security Admin • Security Reader You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do
B. Assign User1 the Access Administrator role for VNet1.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #73 Topic 2 You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles: • Reader • Security Admin • Security Reader You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do
B. Assign User1 the Owner role for VNet1.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #53 Topic 2 You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles: ✑ Reader ✑ Security Admin ✑ Security Reader You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do
B. Assign User1 the Owner role for VNet1. Answer "Yes" is correct. Logic App Contributor role will allow you to create Logic Apps. See here: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles: ✑ Reader ✑ Security Admin ✑ Security Reader You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do
B. Assign User1 the User Access Administrator role for VNet1. Has full access to all resources including the right to delegate access to others. Note: There are several versions of this Question in the exam. The Question has two possible correct answers: ✑ Assign User1 the User Access Administrator role for VNet1. ✑ Assign User1 the Owner role for VNet1.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #28 Topic 3 You have an Azure subscription named Subscription1. You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job. What can you use as the destination of the imported data
B. Azure Blob storage Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. Question has two correct answers: 1. Azure File Storage 2. Azure Blob Storage
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #54 Topic 3 You have an Azure subscription named Subscription1. You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job. What can you use as the destination of the imported data
B. Azure File Storage
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #63 Topic 2 You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1
B. Event | search "error"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #42 Topic 2 You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1
B. Event | search "error" The search operator provides a multi-table/multi-column search experience. The syntax is: Table_name | search "search term"
You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts. You create a new user account named AdminUser1. You need to assign the User administrator administrative role to AdminUser1. What should you do from the user account properties
B. From the Directory role blade, modify the directory role Assign a role to a user - 1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory. 2. Select Azure Active Directory, select Users, and then select a specific user from the list. 3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator. 4. Press Select to save.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #49 Topic 2 You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription. Solution: You assign the Traffic Manager Contributor role at the subscription level to Admin1. Does this meet the goal
B. No Assign Network Contributor role at subscription level to Admin1 Yes Q.37 Assign Owner role at subscription level to Admin1 Yes Q.38 Assign Reader role at subscription level to Admin1 Yes Q.52 Assign Traffic Manager Contributor role at subscription level to Admin1
You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group. Solution: On Subscription1, you assign the Logic App Operator role to the Developers group. Does this meet the goal
B. No Correct Answer: B You would need the Logic App Contributor role.
You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group. Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group. Does this meet the goal
B. No DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs. The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #82 Topic 2 You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users. Solution: You create a PowerShell script that runs the New-MgUser cmdlet for each external user. Does this meet the goal
B. No The `New-MgUser` cmdlet is part of the Microsoft Graph PowerShell module, and it's used for creating new users in Azure AD. However, when creating guest users (or B2B users), you typically would invite them rather than create them like regular members. The cmdlet you'd want to use for inviting external guest users is `New-AzureADMSInvitation` if you're using the AzureAD module or a related command in the Microsoft Graph module.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #65 Topic 2 You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users. Solution: From Azure AD in the Azure portal, you use the Bulk invite users operation. Does this meet the goal
B. No They don't mention the redirection URL being in the CSV, and it IS required for external user setup.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #47 Topic 2 You have an Azure Active Directory (Azure AD) tenant. You plan to delete multiple users by using Bulk delete in the Azure Active Directory admin center. You need to create and upload a file for the bulk delete. Which user attributes should you include in the file
B. The user principal name of each user only
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #19 Topic 3 You plan to use the Azure Import/Export service to copy files to a storage account. Which two files should you create before you prepare the drives for the import job
B. a dataset CSV file E. a driveset CSV file Correct Answer: B and E Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries in the dataset.csv file Modify the driveset.csv file in the root folder where the tool is. Reference: https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #68 Topic 2 You have an Azure subscription that contains 10 virtual machines, a key vault named Vault1, and a network security group (NSG) named NSG1. All the resources are deployed to the East US Azure region. The virtual machines are protected by using NSG1. NSG1 is configured to block all outbound traffic to the internet. You need to ensure that the virtual machines can access Vault1. The solution must use the principle of least privilege and minimize administrative effort What should you configure as the destination of the outbound security rule for NSG1
B. a service tag In order to ensure that the virtual machines can access Vault1 while also using the principle of least privilege and minimizing administrative effort, you should configure a service tag as the destination of the outbound security rule for NSG1. Service tags represent a group of IP addresses associated with Azure PaaS and SaaS services. By specifying a service tag as the destination of the outbound security rule, you can allow the virtual machines to access Vault1 without having to manually specify the IP addresses of Vault1. This reduces administrative effort and ensures that the virtual machines are only able to access Vault1, rather than any other internet destination.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #50 Topic 2 You have three offices and an Azure subscription that contains an Azure Active Directory (Azure AD) tenant. You need to grant user management permissions to a local administrator in each office. What should you use
B. administrative units "administrative units" "It can be useful to restrict administrative scope by using administrative units in organizations that are made up of independent divisions of any kind."- https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units#deployment-scenario
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #41 Topic 3 You have an Azure Storage account named storage1 that contains a blob container named container1. You need to prevent new content added to container1 from being modified for one year. What should you configure
B. an access policy
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #24 Topic 3 You have an Azure Storage account named storage1. You plan to use AzCopy to copy data to storage1. You need to identify the storage services in storage1 to which you can copy the data. Which storage services should you identify
B. blob and file only AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #74 Topic 2 Your on-premises network contains a VPN gateway. You have an Azure subscription that contains the resources shown in the following table. You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network. What should you configure
B. private endpoints
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1
B. search in (Event) "error" To search a term in a specific table, add the table-name just after the search operator Note: The Question has two possible correct answers: 1. Event | search "error" 2. Event | where EventType == "error" 3. search in (Event) "error"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #37 Topic 3 You create an Azure Storage account named contosostorage. You plan to create a file share named data. Users need to map a drive to the data file share from home computers that run Windows 10. Which outbound port should you open between the home computers and the data file share
C. 445 Server Message Block (SMB) is used to connect to an Azure file share over the internet. The SMB protocol requires TCP port 445 to be open.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #71 Topic 2 You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles: • Reader • Security Admin • Security Reader You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do
C. Assign User1 the Owner role for VNet1.
Your company has serval departments. Each department has a number of virtual machines (VMs). The company has an Azure subscription that contains a resource group named RG1. All VMs are located in RG1. You want to associate each VM with its respective department. What should you do
C. Assign tags to the virtual machines.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #30 Topic 2 You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1. You need to ensure that User1 can assign a policy to the tenant root management group. What should you do
C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources. No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #64 Topic 2 You have an Azure App Services web app named App1. You plan to deploy App1 by using Web Deploy. You need to ensure that the developers of App1 can use their Azure AD credentials to deploy content to App1. The solution must use the principle of least privilege. What should you do
C. Assign the Website Contributor role to the developers
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #22 Topic 3 You have an Azure subscription named Subscription1. You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job. What can you use as the destination of the imported data
C. Azure File Storage Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. The maximum size of an Azure Files Resource of a file share is 5 TB. Question has two correct answers: 1. Azure File Storage 2. Azure Blob Storage
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #36 Topic 2 You have an Azure subscription that contains a user named User1. You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege. Which role-based access control (RBAC) role should you assign to User1
C. Contributor Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC
You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager. Subscription1 contains a virtual machine named VM1. You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent. What should you do first
C. Deploy the IT Service Management Connector (ITSM) IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service Management (ITSM) product or service. Azure services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and non-Azure resources. But the work items related to an issue typically reside in an ITSM product or service. ITSMC provides a bi-directional connection between Azure and ITSM tools to help you resolve issues faster. ITSMC supports connections with the following ITSM tools: ServiceNow, System Center Service Manager, Provance, Cherwell. Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/itsmc-overview
You have an Azure virtual machine (VM) that has a single data disk. You have been tasked with attaching this data disk to another Azure VM. You need to make sure that your strategy allows for the virtual machines to be offline for the least amount of time possible. Which of the following is the action you should take FIRST
C. Detach the data disk.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #35 Topic 3 You have a general-purpose v1 Azure Storage account named storage1 that uses locally-redundant storage (LRS). You need to ensure that the data in the storage account is protected if a zone fails. The solution must minimize costs and administrative effort. What should you do first
C. Upgrade the account to general-purpose v2.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #51 Topic 3 You have an on-premises server that contains a folder named D:\Folder1. You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata. Which command should you run
C. azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #45 Topic 3 You have an on-premises server that contains a folder named D:\Folder1. You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata. Which command should you run
C. azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container by the same name.
Your company has virtual machines (VMs) hosted in Microsoft Azure. The VMs are located in a single Azure virtual network named VNet1. The company has users that work remotely. The remote workers require access to the VMs on VNet1. You need to provide access for the remote workers. What should you do
Configure a Point-to-Site (P2S) VPN. A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.
The on-premise virtual environment consists of virtual machines (VMs) running on Windows Server 2012 R2 Hyper-V host servers. You have created some PowerShell scripts to automate the configuration of newly created VMs. You plan to create several new VMs. You need a solution that ensures the scripts are run on the new VMs. Which of the following is the best solution
Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #48 Topic 3 You create an Azure Storage account. You plan to add 10 blob containers to the storage account. For one of the containers, you need to use a different key to encrypt data at rest. What should you do before you create the container
D. Create an encryption scope. Encryption scopes enable you to manage encryption with a key that is scoped to a container or an individual blob. You can use encryption scopes to create secure boundaries between data that resides in the same storage account but belongs to different customers.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #20 Topic 3 You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines. You need to delete the Recovery Services vault. What should you do first
D. From the Recovery Service vault, stop the backup of each backup item. You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to receive backup data. Remove vault dependencies and delete vault In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure File Servers, SQL Servers in Azure VM, and Azure virtual machines.
Note: The >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question has three possible correct answers: 1. search in (Event) "error" 2. Event | search "error" 3. Event | where EventType == "error" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #43 Topic 2 You have a registered DNS domain named contoso.com. You create a public Azure DNS zone named contoso.com. You need to ensure that records created in the contoso.com zone are resolvable from the internet. What should you do
D. Modify the NS records in the DNS domain registrar.
You are planning to deploy an Ubuntu Server virtual machine to your company's Azure subscription. You are required to implement a custom deployment that includes adding a particular trusted root certification authority (CA). Which of the following should you use to create the virtual machine
D. The az vm create command.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #27 Topic 3 You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2. You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the hardware hosting VM1 and VM2. What should you include in the Availability Set
D. two update domains Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update. To reduce the impact on VMs, the Azure fabric is divided into update domains to ensure that not all VMs are rebooted at the same time.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #57 Topic 3 You have an Azure subscription that contains a storage account named storage1. You plan to create a blob container named container1. You need to use customer-managed key encryption for container1. Which key should you use
E. an RSA key type with a key size of 2048, 3072, or 4096 only
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #16 Topic 3 You have an Azure subscription that contains a storage account named account1. You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP address space of 131.107.1.0/24. You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24. You need to configure account1 to meet the following requirements: ✑ Ensure that you can upload the disk files to account1. ✑ Ensure that you can attach the disks to VM1. ✑ Prevent all other access to account1. Which two actions should you perform
Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. From the Networking blade of account1, select Selected networks. C. From the Networking blade of account1, add the 131.107.1.0/24 IP address range.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Question #43 Topic 3 You are configuring Azure Active Directory (Azure AD) authentication for an Azure Storage account named storage1. You need to ensure that the members of a group named Group1 can upload files by using the Azure portal. The solution must use the principle of least privilege. Which two roles should you configure for storage1
Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. B. Storage Blob Data Contributor C. Reader To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments: * A data access role, such as Storage Blob Data Reader or Storage Blob Data Contributor * The Azure Resource Manager Reader role, at a minimum The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources. The Reader role is necessary so that users can navigate to blob containers in the Azure portal. Note: in order from least to greatest permissions: The Reader and Data Access role - The Storage Account Contributor role The Azure Resource Manager Contributor role The Azure Resource Manager Owner role
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1. An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com. You need to ensure that access to AKS1 can be granted to the contoso.com users. What should you do first
From contoso.com, create an OAuth 2.0 authorization endpoint
You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts. You create a new user account named AdminUser1. You need to assign the User administrator administrative role to AdminUser1. What should you do from the user account properties
From the Directory role blade, modify the directory role Assign a role to a user - 1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory. 2. Select Azure Active Directory, select Users, and then select a specific user from the list. 3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator. 4. Press Select to save.
Your company has an Azure subscription that includes a number of Azure virtual machines (VMs), which are all part of the same virtual network. Your company also has an on-premises Hyper-V server that hosts a VM, named VM1, which must be replicated to Azure. Which of the following objects that must be created to achieve this goal
Hyper-V Site Azure Recovery Services Vault Replication Policy
You recently created a new Azure subscription that contains a user named Admin1. Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure PowerShell and receives the following error message: `User failed validation to purchase resources. Error message: `Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/
LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.` You need to ensure that Admin1 can deploy the Marketplace resource successfully. What should you do? C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set. You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance. Which of the following is the value that you should configure for the platformFaultDomainCount property
Max Value
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users. Solution: From Azure AD in the Azure portal, you use the Bulk create user operation. Does this meet the goal
No
Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations. Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy. Does the solution meet the goal
No
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately. Solution: You restart the NetLogon service on a domain controller. Does the solution meet the goal
No
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately. Solution: You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller. Does the solution meet the goal
No
Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model. Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data. Does the solution meet the goal
No
Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model. Solution: You reconfigure the existing usage model via the Azure CLI. Does the solution meet the goal
No
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users. Solution: You create a PowerShell script that runs the New-AzureADUser cmdlet for each user. Does this meet the goal
No - Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory
Your company has an azure subscription that includes a storage account, a resource group, a blob container and a file share. A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an additional Azure Storage account. You want to review the ARM template that was used by Jon Ross. Solution: You access the Virtual Machine blade. Solution: You access the Container blade. Does the solution meet the goal
No - Use the RG blade
Your company's Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB. VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN connection exists between your company's on- premises network and VirtualNetworkA. You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10. After configuring virtual network peering between VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company's on-premises network. However, you find that you cannot establish a connection to VirtualNetworkB from the Windows 10 workstation. You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation. Solution: You choose the Allow gateway transit setting on VirtualNetworkA. Solution: You choose the Allow gateway transit setting on VirtualNetworkB. Does the solution meet the goal
No - here is why: "After configuring virtual network peering between VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company's on-premises network." This indicates the Allow/Use gateway transit is set up working. The next step will be restart/reinstall the VPN-Client config at the windows 10 WS.
Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations. Solution: You access the multi-factor authentication page to alter the user settings. Does the solution meet the goal
No - why Create a new Conditional Access policy in Azure AD portal. Set the policy to require Multi-Factor Authentication and Azure AD device registration. In the policy's "Users and Groups" section, specify the Global Administrators group as the target. In the policy's "Conditions" section, specify the locations that are considered untrusted. Save the policy.
Your company makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model. Solution: You reconfigure the existing usage model via the Azure portal. Does the solution meet the goal
No - why You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data. You cannot change the usage model (per enabled user or per authentication) after an MFA provider is created. Also - Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your existing server with activation credentials from the new provider.
Your company has a Microsoft Azure subscription. The company has datacenters in Los Angeles and New York. You are configuring the two datacenters as geo-clustered sites for site resiliency. You need to recommend an Azure storage redundancy option. You have the following data storage requirements: ✑ Data must be stored on multiple nodes. ✑ Data must be stored on nodes in separate geographic locations. ✑ Data can be read from the secondary location as well as from the primary location. Which of the following Azure stored redundancy options should you recommend
Read-only geo-redundant storage RA-GRS allows you to have higher read availability for your storage account by providing ג€read onlyג€ access to the data replicated to the secondary location. Once you enable this feature, the secondary location may be used to achieve higher availability in the event the data is not available in the primary region.
Your company has two on-premises servers named SRV01 and SRV02. Developers have created an application that runs on SRV01. The application calls a service on SRV02 by IP address. You plan to migrate the application on Azure virtual machines (VMs). You have configured two VMs on a single subnet in an Azure virtual network. You need to configure the two VMs with static internal IP addresses. What should you do
Run the Set-AzureStaticVNetIP PowerShell cmdlet.
Your company has three virtual machines (VMs) that are included in an availability set. You try to resize one of the VMs, which returns an allocation failure message. It is imperative that the VM is resized. Which of the following actions should you take
STOP all (3) VMs
Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs). You need to configure an Azure internal load balancer as a listener for the availability group. Solution: You create an HTTP health probe on port 1433. Solution: You set Session persistence to Client IP. Does the solution meet the goal
The load balancing rules configure how the load balancer routes traffic to the SQL Server instances. For this load balancer, you enable direct server return because only one of the two SQL Server instances owns the availability group listener resource at a time. Therefore Floating IP (direct server return) is Enabled. TCP 1433 is the standard SQL port. The availability group listener health probe port has to be different from the cluster core IP address health probe port. The ports on a health probe are TCP59999 and TCP58888.
You have an Azure subscription named Subscription1 that contains a resource group named RG1. In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2. You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege. Which role should you assign to Admin1 for each task
To add a backend pool to LB1: Network Contributor on LB1 To add a health probe to LB2: Network Contributor on LB2 Remember - The Network Contributor role lets you manage networks, but not access them.
Your company has an Azure subscription that includes a Recovery Services vault. You want to use Azure Backup to schedule a backup of your company's virtual machines (VMs) to the Recovery Services vault. Which of the following VMs can you back up
VMs that run Windows 10 VMs that run Windows Server 2012 or higher VMs that have NOT been shut down VMs that run Debian 8.2+ VMs that have been shut down
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users. Solution: You create a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each external user. Does this meet the goal
Yes
Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs). You need to configure an Azure internal load balancer as a listener for the availability group. Solution: You enable Floating IP. Does the solution meet the goal
Yes
Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations. Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy. Does the solution meet the goal
Yes
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately. Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet. Does the solution meet the goal
Yes
Your company's Azure subscription includes two Azure networks named VirtualNetworkA and VirtualNetworkB. VirtualNetworkA includes a VPN gateway that is configured to make use of static routing. Also, a site-to-site VPN connection exists between your company's on- premises network and VirtualNetworkA. You have configured a point-to-site VPN connection to VirtualNetworkA from a workstation running Windows 10. After configuring virtual network peering between VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company's on-premises network. However, you find that you cannot establish a connection to VirtualNetworkB from the Windows 10 workstation. You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation. Solution: You download and re-install the VPN client configuration package on the Windows 10 workstation. Does the solution meet the goal
Yes
Your company's Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016. One of the VMs is backed up every day using Azure Backup Instant Restore. When the VM becomes infected with data encrypting ransomware, you decide to recover the VM's files. Which of the following is TRUE in this scenario
You can recover the files to any VM within the company's subscription
Your company's Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016. One of the VMs is backed up every day using Azure Backup Instant Restore. When the VM becomes infected with data encrypting ransomware, you are required to restore the VM. Which of the following actions should you take
You should restore the VM to a new Azure VM When a VM is infected with ransomware, you should not restore the VM to the infected VM. This is because the ransomware will still be present on the VM, and it will encrypt the files again. You should also not restore the VM to any VM within the company's subscription. This is because the ransomware could spread to other VMs in the subscription. The best way to restore a VM that is infected with ransomware is to restore it to a new Azure VM. This will ensure that the ransomware is not present on the new VM