Az-103

CH10 - Your organization has Azure resources deployed in the West US, West Europe,and East Australia regions. The company has four offices located in these regions. You need to provide connectivity between all the on-premises networks and all the resources in Azure using a private channel. You configure a VPN gateway for each Azure region and configure a site-to-site VPN for each office and connect to the nearest VPN gateway. You then configure virtual network peering. You need to ensure that users have the lowest traffic latency. Does this solution meet your goal? 1. Yes 2. No

1—Yes—because you configure a VPN gateway for each region, this solution meets the goals. This will result in the lowest traffic latency for your users.

CH4 - Your company has an application that requires data from a blob storage to bemoved from the hot access tier to the archive access tier to reduce costs. Whichtype of storage account do you need to create? 1. General Purpose V2 storage account 2. General Purpose V1 storage account 3. Azure File storage 4. Azure Blob storage

1—You need to configure a general-purpose V2 storage account to move databetween different access tiers

CH5 - Your company has a large amount of data stored inside on-premises databases and file servers (120 TB). This data needs to be uploaded to Azure. What is the fastest way to upload it to Azure? 1. Using Azure Data Box 2. Using Azure Storage Explorer 3. Uploading it manually from the Azure portal 4. Creating an Azure file share

1—You should order an Azure Data Box. You can copy all the data to it, and ship it back to Microsoft. Microsoft will then upload this data into the Azure data center directly from the device

CH15 - You use Azure AD Connect to synchronize all AD domain users and groups with Azure AD. As a result, all users can use Single Sign-on (SSO) to access applications. You should reconfigure the directory synchronization to exclude domain services accounts and user accounts that shouldn't have access to the application. What should you do? 1. Re-run Azure AD Connect 2. Stop the synchronization service 3. Remove the domain services and user accounts manually 4. Configure conditional access rules in Azure AD

1—You should rerun Azure AD Connect. This will perform OU filtering and refreshes the directory schema

CH14 - You need to grant access to an external consultant to some resources inside your Azure subscription. You plan to add this external user using PowerShell. Which cmdlet should you use? 1. New-AzADUser 2. New-AzureADMSInvitation 3. Get-AzADUser 4. Get-AzureADMSInvitation

2—You should use the New-AzureADMSInvitation cmdlet to add an external user to your Azure AD tenant using PowerShell

CH7 - You have an Azure resource group named PacktResourceGroup1 that contains a Linux VM named PacktVM1. You need to automate the deployment of 30 additional Linux machines. The VMs should be based on the configuration of the PacktVM1 VM. Which of the following solutions will meet the goal? 1. From the VM Automation's script blade, you click Deploy 2. From the Templates blade, you click Add 3. From the resource group's policy blade, you click Assign policy

1 and 2—You can deploy the ARM template of the virtual machine from the virtual machine's Automation script blade and you can deploy the template from the Templates blade in the Azure portal.

CH16 - You deploy Multi-Factor Authentication (MFA) in your Azure AD tenant. You don't want your users to be required to enter any additional passwords or code in the browser when using MFA. Which two methods should you make available? 1. Call to phone 2. Text message to phone 3. Notification through the mobile app 4. Verification code from hardware token

1 and 3—Both, call to phone and notification via mobile apps don't require the user to enter a code in a browser

CH6 - You are configuring Azure file sync to sync on-premises file shares with Azure File storage. Which two actions must be complete to ensure that the service will operate successfully on your servers? 1. Disable Internet Explorer Enhanced Security for both administrators and users 2. Disable Internet Explorer Enhanced Security for administrators only 3. Ensure that PowerShell version 5.1 or higher is deployed on theservers 4. Ensure that Azure AD Connect is installed on your servers

1 and 3—You need to make sure that Internet Explorer Enhanced Security is disabled for both administrators and users and you need to make sure that PowerShell version 5.1 or higher is deployed on the servers

CH13 - You have deployed an Azure Load Balancer, which is using the Basic tier and is load balancing a set of VMs in an availability set that is called PacktSet1. You now need to load balance a set of VMs that are deployed to an availability set called PacktSet2. What should you do? 1. Replace the existing Load Balancer with a new one that is created in the Standard tier and use this Load Balancer for both of the availability sets 2. Edit the existing Load Balancer and add an additional backend pool to it 3. Edit the existing Load Balancer and add a new frontend IPconfiguration to it that will load balance the traffic to thenew availability set 4. Deploy a second Load Balancer using the Basic tier and configure this one to load balance the traffic to the new availability set

1 and 4—You should deploy a second Load Balancer using the Basic tier and use this one to route traffic to the new availability set or delete the old Load Balancer and create a new one using the Standard tier. Only the Standard tier is allowed to route traffic to different availability sets

CH5 - Your company has developed a web application that uses dynamic and static content. The application is deployed in multiple regions to achieve the best performance. Users complain about the performance of the web application and report that it takes a lot of time before the images are loaded. You decide to configure a Content Delivery Network (CDN). Which two actions should you perform? 1. Implement custom caching rules on the CDN 2. Implement cross-origin sharing on the website 3. Implement general web delivery on the CDN 4. Implement dynamic site acceleration on the CDN

1 and 4—You should implement custom caching and dynamic site acceleration on the CDN. Dynamic site acceleration improves performance when delivering dynamic content. You can configure caching rules for static content

CH9 - A VM named PacktVM1 is deployed in a resource group named PacktResourceGroup1. The VM is connected to a VNet named PacktVNet1. You plan to connect the PacktVM1 VM to an additional VNet named PacktVNet2. You need to create an additional network interface on the PacktVM1 VM and connect it to the PacktVNet2 VNet. Which two Azure Command-line Interface (CLI) commands should you use? 1. az vm nic add 2. am vm nic create 3. az network update 4. az network nic create

1 and 4—You should use az vm nic add to create a new NIC. Then you should use az network nic create to attach the NIC to PacktVM1

CH4 - Your company is developing a .NET application that stores information in an Azure storage account. You need to ensure that the information is stored in a secure way. You ask the developers to use a shared access signature (SAS) when accessing the information. You need to make the required configurations on the storage account to follow security best practices. Which statement is true? 1. You need to configure a stored access policy. 2. To revoke a SAS, you can delete the stored access policy. 3. You should set the SAS start time to now

1—True, you need to configure a stored access policy. 2—True, to revoke an SAS,you can delete the stored access policy. 3—False, when you set the timer to now,there can be differences in the clock of the servers hosting your storage account.This can lead to access problems for a short period of time.

CH6 - You are setting up backup and restore for your Azure file shares. To create a backup policy in PowerShell, which of the following cmdlets should you use? 1. New-AzRecoveryServicesBackupProtectionPolicy 2. Get-AzRecoveryServicesBackupSchedulePolicyObject 3. Get-AzRecoveryServicesVault 4. Enable-AzRecoveryServicesBackupProtection

1—When you create a new policy in PowerShell, you should use the New-AzRecoveryServicesBackupProtectionPolicy cmdlet. The Get-AzRecoveryServicesBackupSchedulePolicyObject cmdlet gets a reference to a base policy item. The Get-AzRecoveryServicesVault cmdlet gets a reference to the Recovery Services Vault and the Enable-AzRecoveryServicesBackupProtection cmdlet enables the backup policy after creation

CH1 - You have an Azure subscription named Subscription1, which contains two resource groups named ResourceGroup1 and ResourceGroup2. You need to ensure that all global administrators can manage all the resources inside both resource groups. You enable access management for the Azure resources from the Azure Active Directory properties blade. Does this solution meet your goal? 1. Yes 2. No

1—Yes, this does meet your goal. The access management setting from the Azure Active Directory Properties blade ensures that Azure AD users assigned to the global administrator role maintain full control over all subscription resources

CH3 - You need to delegate some of the global administrator privileges to a new cloud engineer in your office. You decide to create a custom role using a JSON file and the following PowerShell cmdlet to add the custom role: NewAzureRmRoleDefinition -InputFile"C:\ARM_templates/customrole.json". Is this correct? 1. Yes 2. No

1—Yes, this is the right way to create a custom role using PowerShell

CH13 - You deploy an Azure internal Load Balancer to load balance traffic to the internal corporate portal. You want to ensure that users only view the most recent copy of the portal. You created a file called NewVersion.html and want to configure the Load Balancer to direct the traffic only to the VMs that contain these files. What should you do? 1. Create a new health probe that uses HTTP as the protocol and includes the path to the NewVersion.html file. 2. Create a new health probe that uses TCP as the protocol and includes the path to the NewVersion.html file. 3. Create a new load balancing rule that includes the path to the NewVersion.html file. This rule will only load balance traffic if the file exists. 4. Use the Set-AzureRmLoadBalancerProbeConfig PowerShell cmdlet to create a new health probe that uses HTTP as the protocol and includes the path to the NewVersion.html file.

1—You should create a new health probe that uses HTTP as the protocol and include the path to the NewVersion.html file. Health probes are designed to test whether a port or file is accessible.

CH14 - You are asked to create a new set of Azure Active Directory (AD) security groups that represent the entire hierarchy of a manager's team. This includes people that are managed by the manager. You need to implement the request using the least amount of administrative effort. What should you do? 1. Create new groups using the Direct Reports rule 2. Create new Azure AD groups for each manager and use a custom script to detect the ManagerID attribute changes and modify the group membership when needed 3. Create dynamic groups and Azure AD using a ruleset, including the ManagerID attribute 4. Create multiple Azure AD groups and add the members with the same ManagerID attribute value to each group

1—You should create new groups using the Direct Reports rule. This will create a dynamic group, including all members who have the same ManagerID attribute. This will also handle updates to the group accordingly

CH3 - Your company has an Azure AD tenant and an on-premises AD that are synced using Azure AD Connect. You have one subscription called Packt_Main. The helpdesk administrators are members of the Packt_HD group. You need to grant the helpdesk group the permissions to reset user passwords using the azure portal, while using the least amount of permissions. What should you do? 1. Grant the Packt_HD group the password administrator role in Azure administrator 2. Delegate password reset privileges to the Packt_HD group on the user's Organizational Unit (OU) in Azure Directory users and computers 3. Add the Packt_HD group to the domain admins user group 4. Grant the Packt_HD group the ownership role on the Packt_Main subscription

1—You should grant the Packt_HD group the password administrator role inAzure AD. This role grants the right to reset non-admin passwords, which arethe minimal permissions that are required.

CH9 - You need to assign a static IPv4 address for a Windows Server VM named PacktVM1 running in a VNet named PacktVNet1. What should you do? 1. Modify the IP configuration of the VNet interface associated withthe PacktVM1 VM 2. Edit the address range of the PacktVNet1 VNet 3. Connect to the PacktVM1 VM by using WinRM and run the SetNetIPAddress cmdlet 4. Connect to the PacktVM1 VM by using Remote Desktop Protocol and edit the VM's virtual network connection properties

1—You should modify the IP configuration of the virtual network interface associated with PacktVM1.

CH11 - You have a Windows Server that is deployed in Azure and uses an ExpressRoute connection. After two months of normal use without any issues, suddenly you receive feedback from the users that they are experiencing network issues when they attempt to connect to the server. What tool do you need to use to monitor the network traffic to the server? 1. Network Performance Monitor 2. Application Insights 3. Azure Monitor 4. Network Watcher

1—You should use Network Performance Monitor to monitor network traffic. You can also use this to monitor network traffic across an ExpressRoute connection

CH7 - Your company has a VM that is stored inside a resource group. You need to deploy additional VMs in the same resource group. You are planning to deploy them using an ARM template. You need to create a template from the original VM using PowerShell. Which cmdlet should you use? 1. Use the Export-AzResourceGroup 2. Use the Get-AzResourceGroupDeployment 3. Use the Get-AzResourceGroupDeploymentOperation 4. Use the Get-AzResourceGroupDeploymentTemplate

1—You should use the Export-AzResourceGroup cmdlet. This captures the specified resource group as a template and saves it to a JSON file

CH8 - You need to move a VM using PowerShell. Which cmdlet should you use? 1. Set-AzVM 2. Get-AzVM 3. Update-AzVM 4. Redeploy-AzVM

1—You should use the Set-AzVM cmdlet, followed by the -Redeploy method

CH6 - Your company has eight on-premises file servers and an Azure subscription,which includes a storage account. You are planning to implement an Azure file share in a hybrid configuration using Azure file share sync. Which of the following statements is true? 1. Azure file share sync secures the hybrid connection using IPSec 2. Azure file share sync reduces the storage footprint of the on premises file servers 3. Azure file share sync provides fault tolerance for the on-premises file-shares

2 and 3—Azure File Share Sync reduces the storage footprint of the on premise file servers by using cloud tiering. This generates a heat map on the on premise file share and archives infrequently accessed files to Azure. It also provides fault tolerance for on-premise file shares. If a file server goes offline, you can easily restore its file shares to another file server

CH5 - Your company has developed a web application that uses dynamic and static content. The application is deployed in multiple regions to achieve the best performance. Users complain about the performance of the web application and report that it takes a lot of time before the images are loaded. You decide to configure a CDN. What are two possible ways to configure the CDN? 1. Configure a single Azure CDN Premium Verizon endpoint, configure dynamic site acceleration, and configure caching rules 2. Configure a single Azure CDN Standard Akamai endpoint, configure dynamic site acceleration, and configure caching rules 3. Configure a single Azure CDN Standard Verizon endpoint, configure dynamic site acceleration, and configure caching rules 4. Configure a single Azure CDN Standard Microsoft endpoint, configure dynamic site acceleration, and configure caching rules

2 and 3—You can configure an Azure CDN Standard Akamai and an Azure CDN Standard Verizon endpoint, configure dynamic site acceleration,and configure caching rules. Dynamic site acceleration improves performance when delivering dynamic content. You can configure caching rules for static content. You should not create an Azure CDN Standard Microsoft endpoint, because this doesn't support dynamic site acceleration. You also should not create an Azure CDN Premium Verizon endpoint, because caching is configured using a rule engine instead of caching rules.

CH2 - Your company has an application that uses an Azure SQL Database for storing information. The company has also deployed System Center Service Manager. You need to configure an alert when the database reaches 80% of CPU usage. When this alert rises, you want your administrator to be notified using email and SMS. You also need to create a ticket in the corporate issue tracker automatically when the alert arises. Which two actions should you perform? 1. Configure System Center Service Manager with Azure Automation 2. Configure one action group with three actions: one for email, one for SMS, and one for creating the ticket 3. Configure an IT Service Management Connector 4. Configure two actions groups: one for email and SMS and one for creating the ticket

2 and 3—You need to create one action group and you need to configure the ITService Management Connector (ITSMC). This connector connects System Center Service Manager with Azure.

CH11 - Your organization has Azure resources deployed in the West US, West Europe, and East Australia regions. The company has four offices located in these regions. Each office is connected to the nearest available Azure region using a site-to-site VPN connection. The VNets from each region are connected using virtual network peering. You need to monitor the traffic between the networks. You configure the connection troubleshoot capability of Azure Network Watcher. Does this solution meet your goal? 1. Yes 2. No

2—No—the network monitor is only capable of monitoring traffic generated from Azure to the on-premise network and not the other way around. You need to monitor all of the traffic on all of your networks

CH2 - You have two Azure resource groups named ResourceGroup1 and ResourceGroup2. The ResourceGroup1 resource group contains 20 WindowsServer VMs and all the VMs are connected to an Azure Log Analytics workspace named Workspace1. You need to write a log search query that collects all security events with the following properties: all security levels other than 8 and with Event ID 4672. How should you write your query? 1. SecurityEvent | where Level == 8 | and EventID == 4672 2. SecurityEvent | where Level <> 8 | where EventID ==4672 3. SecurityEvent | where Level == 8 | summarize EventID ==4672 4. SecurityEvent | where Level <> 8 | and EventID == 4672

2—The right query should be SecurityEvent | where Level <> 8 |where EventID == 4672.

CH11 - You have several VNets configured in several Azure regions. Your on-premises infrastructure is based in the East US region and has four subnets configured. You are experiencing network performance issues in your on-premises infrastructure and decide to use the Network Performance Monitor for troubleshooting. Do you need to install the Log Analytics agent on all on-premises servers? 1. Yes 2. No

2—You don't need to install the Log Analytics agent on all the on-premise servers. You only need to install the agent for each network subnet, so you need to install at least four agents

Ch10 - You have an application running on an Azure VM. Your on-premises network connects to the Azure Virtual Network using an Azure VPN Gateway. The application cannot be exposed directly to the internet due to security requirements. Users of the marketing department should be able to access the application when they are traveling and are using their company laptop. Which kind of connection should you configure? 1. ExpressRoute 2. Point-to-site 3. Site-to-site 4. VNet-to-VNet

2—You should configure an Azure VPN gateway to accept point-to-site VPN connections from users' laptops

CH13 - You deploy an Azure public Load Balancer to load balance traffic to six virtual machines. You want to remotely access VM1 from the internet through the public Load Balancer using the Remote Desktop Protocol (RDP). What should you do? 1. Set a frontend IP configuration that maps the public IP address to the private IP address of VM1 2. Configure an inbound network address translation rule that maps the Transmission Control Protocol (TCP) port 3389 to VM1 3. Configure a new internal Load Balancer and configure it to allow the TCP port 3386 from the internet to VM1 4. Configure a load balancing rule that uses the TCP port 3386 to forward traffic to VM1

2—You should configure an inbound network address translation (NAT) rule that maps TCP port 3389 to VM1. Inbound NAT rules are designed to map a port to an internal IP address of a VM

CH16 - Your company has an Azure AD tenant and an on-premises AD that are synced using Azure AD Connect. Your on-premises environment is running a mix of Windows Server 2012 and Windows Server 2016 servers. You use Azure MFA for multi-factor authentication. Users report that they are required to use MFA while using company devices. You need to turn MFA off for domain-joined devices.What should you do? 1. Enable SSO on Azure AD Connect 2. Create a conditional access rule to allow users to use either MFA or a domain-joined device when accessing applications 3. Configure Windows Hello for Business on all domain-joined devices 4. Add the company external IP address to the Azure MFA Trusted IPs list

2—You should create a conditional access rule to allow users to use either MFA or a domain-joined device when accessing applications. The rule will not force MFA when using a domain-joined device

CH1 - You determine that business units inside your organization have Azure resources spread across different Azure resource groups. You need to make sure that the resources are assigned to proper cost centers. What should you do? 1. Deploy an Azure policy 2. Create taxonomic tags and assign them at the resource level 3. Create taxonomic tags and assign them at the resource group level 4. Use queries to obtain the right resources and create a report from this outcome

2—You should create taxonomic tags and assign them to the resource level;because Azure resources are spread over different resource groups, you can't apply them to the resource group level

CH15 - You are asked to configure a solution that allows users to log into Office 365 applications without providing their passwords. Your company also wants to deploy cloud-based two-factor authentication for some user profiles. What should you do? 1. Enable password hash synchronization 2. Enable pass-through authentication 3. Install Azure AD Connect 4. Enable Azure Multi-Factor Authentication

2—You should enable pass-through authentication. This enables SSO for users and enables the company to implement two-factor authentication using AzureMFA

CH10 - You are managing the network of your organization. The on-premises infrastructure consists of multiple subnets. A new branch office was recently added. The network devices in the new office are assigned to a 192.168.22.0/24 subnet. You need to configure the Azure VPN Gateway to make sure that all the network devices in the branch office are accessible from the Azure network as well. Which PowerShell cmdlet should you use? 1. Add-AzureRmVirtualNetworkSubnetConfig 2. Set-AzureRmLocalNetworkGateway 3. Set-AzureRmNetworkInterface 4. Add-AzureRmNetworkInterfaceIpConfig

2—You should use the Set-AzureRmLocalNetworkGateway cmdlet. You need to reconfigure the local network gateway for this.

CH12 - Your company plans to release a new web application. This application is deployed using an App Service in Azure and will be available for all users of thepacktpub.com domain. You have already purchased the packtpub.comdomain name. You configure the packtpub.com Azure Domain Name System(DNS) zone and delegate it to the Azure DNS. You need to ensure that the web application can be accessed by using the packtpub.com domain name. You decide to use PowerShell to accomplish this. Which command should you use? 1. New-AzDnsRecordSet -Name "packtpub.com" -RecordType"AAAA" -ZoneName "packtpub.com" `-ResourceGroupName "MyAzureResourceGroup" -Ttl 600 `-DnsRecords (New-AzDnsRecordConfig -IPv4Address "<yourweb app IP address>") New-AzDnsRecordSet -ZoneName packtpub.com -ResourceGroupName PacktAzureResourceGroup `-Name "applicationscs.azurewebsites.net" -RecordType"CNAME" -Ttl 600 `-DnsRecords (New-AzDnsRecordConfig -Value"packtpub.azurewebsites.net") 2. New-AzDnsRecordSet -Name "@" -RecordType "A" -ZoneName"packtpub.com" `-ResourceGroupName "MyAzureResourceGroup" -Ttl 600 `-DnsRecords (New-AzDnsRecordConfig -IPv4Address "<yourweb app IP address>") New-AzDnsRecordSet -ZoneName packtpub.com -ResourceGroupName PacktAzureResourceGroup `-Name "@" -RecordType "txt" -Ttl 600 `-DnsRecords (New-AzDnsRecordConfig -Value"packtpub.azurewebsites.net") 3. New-AzDnsRecordSet -Name"applicationscs.azurewebsites.net" -RecordType "AAAA" -ZoneName "packtpub.com" `-ResourceGroupName "MyAzureResourceGroup" -Ttl 600 `-DnsRecords (New-AzDnsRecordConfig -IPv4Address "<yourweb app IP address>") New-AzDnsRecordSet -ZoneName packtpub.com -ResourceGroupName PacktAzureResourceGroup `-Name "www.packtpub.com" -RecordType "AAAA" -Ttl 600 `-DnsRecords (New-AzDnsRecordConfig -Value"packtpub.azurewebsites.net")

2—You should use the following commands to add the DNS: New-AzDnsRecordSet -Name "@" -RecordType "A" -ZoneName"packtpub.com" `-ResourceGroupName "MyAzureResourceGroup" -Ttl 600 `-DnsRecords (New-AzDnsRecordConfig -IPv4Address "<your web appIP address>") New-AzDnsRecordSet -ZoneName packtpub.com -ResourceGroupName PacktAzureResourceGroup `-Name "@" -RecordType "txt" -Ttl 600 `-DnsRecords (New-AzDnsRecordConfig -Value"packtpub.azurewebsites.net")

CH8 - You have a VM deployed in a resource group and want to add an additional data disk to it to increase storage. You want to add the disk using PowerShell. Which cmdlet should you use? 1. Set-AzVMDataDisk 2. New-AzVMDataDisk 3. Add-AzVMDataDisk 4. New-AzDisk

3—The Add-AzVMDataDisk cmdlet adds a data disk to a virtual machine. You can add a data disk when you create a virtual machine, or you can add a data disk to an existing virtual machine

CH3 - You want to create a group of resource group managers in the Azure portal. Which RBAC role do you need to assign to them to manage all the resource groups in the Azure subscription? 1. Contributor 2. Reader 3. Owner 4. Monitoring reader

3—You should assign the owner role to the group of resource group managers.

CH16 - Your company has an Azure AD tenant and an on-premises AD that are synced using Azure AD Connect. The security department notices a high number of logins from various public IP addresses. What should you do to reduce these logins? 1. Enable Azure AD smart lockout 2. Add all the public IP addresses to conditional access and use location blocking to deny all login attempts 3. Create a conditional access rule to require MFA for all risky logins labeled medium risk and above 4. Turn on Azure MFA fraud alerts

3—You should create a conditional access rule to require MFA authentication for all risky logins labeled medium-risk and above. Azure AD can apply risk levels to all sign-in attempts using a selection of parameters. You can use conditional access to enforce sign-in requirements based on those levels.

CH12 - You design a virtual network topology with the following characteristics: web subnet: 3 web frontend VMs, app subnet: 3 application server VMs, data subnet: 3 database server VMs. Your company requires that inter-subnet network traffic be strictly controlled with Network Security Groups (NSGs). You need to design a solution that minimizes NSG rule creation and maintenance. What should you do? 1. Enable the built-in rules in each NSG 2. Bind a route table to each subnet 3. Define application security groups that align to each application tier 4. Enable the Virtual Network NSG Service Tag in each NSG

3—You should define application security groups (ASGs) that align to each application tier. This simplifies network administration in Azure and makes rule maintenance more straightforward.

CH7 - You have a Windows Server 2016 machine deployed inside an availability set. You need to change the availability set assignment for the VM. What will you do? 1. Migrate the VM to another Azure region 2. Assign the VM to a new availability set 3. Redeploy the VM from a recovery point 4. Move the VM to a different availability set

3—You should redeploy the VM from a recovery point. VMs can only be assigned to an availability set during initial deployment.

CH9 - Your company has two Virtual Networks (VNets) deployed, VNet1 and VNet2. You need to connect both VNets together. What is the most cost-effective solution? 1. VNet-to-VNet 2. Site-to-site 3. User-defined Routes 4. VNet peering

4—VNet peering is the most cost-effective solution to connect different VNets.

CH8 - Your company has two different Azure subscriptions named PacktSubscription1 and PacktSubscription2, which both have their own Azure Active Directory assigned. You have a VM deployed in a resource group called PacktResourceGroup1 in the PacktSubscription1 subscription. You want to move this VM to another resource group, which is deployed in PacktSubscription2. You get an error when you try to move the VM. What is most likely causing this error? 1. The VM has managed disks configured 2. The VM is a classic VM 3. The destination resource group is in a different subscription 4. The subscriptions are in different Azure AD tenants

4—You cannot move the VM because the subscriptions are in different Azure AD tenants. One of the prerequisites for moving VMs is that the source and the destination subscriptions remain in the same Azure AD tenant.

CH1 - You are creating a Windows Server Virtual Machine (VM) that you plan to use as an image for future deployments. You need to ensure that other administrators cannot make any changes to it until you complete the image. What should you do? 1. Edit the role-based access control (RBAC) permissions on the VM level. 2. Edit the RBAC permissions on the resource group level. 3. Set a delete lock at the VM level. 4. Set a read-only lock on the resource group level.

4—You need to set a read-only lock on the resource group level. This will ensure that administrators and all other users can't make changes to all the different Azure resources that are created for your VM, such as changes to virtual networks, disks, and more.

CH14 - You need to add another administrator who will be responsible for managing all Infrastructure-as-a-Service (IaaS) deployments in your Azure subscription. You create a new account in Azure AD for the user. You need to configure the user account to meet the following requirements: read and write access to all Azure IaaS deployments, read-only access to Azure AD, and no access to Azure subscription metadata. The solution must also minimize your access maintenance in the future. What should you do? 1. Assign the owner role at the resource level to the user account 2. Assign the global administrator directory role to the user account 3. Assign the virtual machine operator role at the subscription level to theuser account 4. Assign the contributor role at the resource group level to the useraccount

4—You should assign the Contributor role at the resource group level to the user account. This provides the user with full read/write access at the resource group level, but doesn't grant the user any permissions in the subscription or Azure AD levels.

CH4 - Your company wants to deploy a storage account. You need to ensure that the data is available in the case of the failure of an entire data center. The solution must be the most cost-effective. What should you do? 1. Configure geo redundant storage 2. Configure local redundant storage 3. Configure read-access geo redundant storage 4. Configure zone redundant storage

4—You should configure a storage account with Zone Redundant Storage (ZRS) replication. This makes a synchronous copy of the data between three different zones in the same region.

CH2 - You have an Azure subscription that has eight VMs deployed in it. You need to configure monitoring for this, and want to receive a notification when the Central Processing Unit (CPU) or available memory reaches a certain threshold value. The notification needs to be sent using an email and needs to create a new issue in the corporate issue tracker. What is the minimum number of action groups and alerts that you need to create to meet these requirements? 1. Eight alerts and one action group 2. Two alerts and two action groups 3. One alert and two action groups 4. One alert and one action group

4—You should create one alert and one action group for this. One alert can contain multiple metrics-based conditions and a single action group can contain more than one notification or remediation step. So, you can create the metrics for both the CPU and memory in one alert. You can use one action group for sending out the email and creating an issue in the corporate issue tracker.

CH12 - Your company plans to release a new web application and it needs to be available for all users on the packtpub.com domain. You decide to configure a DNS zone in Azure and check whether the domain is still available. What is the first step that you have to take to configure Azure DNS for this web application? 1. Create a Start of Authority record in your Azure DNS zone that points to Azure DNS servers 2. Configure a forward DNS zone in Azure 3. Configure a private DNS zone in Azure 4. Purchase the packtpub.com domain from a third-party domain registrar

4—You should purchase the packtpub.com domain from a third-party domain registrar first, before taking any other steps.

CH15 - Your company wants to enable all user accounts to use SSO to log in to applications and Office 365. The company has an on-premises AD and uses smartcard authentication. Which solution do you need to deploy to allow users to login without providing a password? 1. Azure AD Connect with pass-through authentication and SSO 2. Azure AD Connect with pass hash synchronization and SSO 3. Azure AD Connect with pass hash synchronization 4. Active Directory Federation Services

You should deploy ADFS. Using this solution, users can log in using SSO and use smartcard authentication. Smartcard authentication is not supported for Azure AD Connect