NO.161
You have an Azure Active Directory (Azure AD) domain that contains 5,000 user accounts. You create a new user account named AdminUser1. You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
(A). From the Directory role blade, modify the directory role.
(B). From the Groups blade, invite the user account to a new group.
(C). From the Licenses blade, assign a new license.
Answer: A
Assign a role to a user. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory. Select Azure Active Directory, select Users, and then select a specific user from the list. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator. Press Select to save.
NO.162 *
You have an Azure Service Bus. You need to implement a Service Bus queue that guarantees first in first-out (FIFO) delivery of messages.
What should you do?
(A). Set the Lock Duration setting to 10 seconds.
(B). Enable duplicate detection.
(C). Set the Max Size setting of the queue to 5 GB.
(D). Enable partitioning.
(E). Enable sessions.
Answer: E
Through the use of messaging sessions you can guarantee ordering of messages, that is, first-in-first-out (FIFO) delivery of messages.
Reference: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-azure-and-service-bus-queues-compared-contrasted
Azure Service Bus sessions enable joint and ordered handling of unbounded sequences of related messages. Sessions can be used in first in, first out (FIFO) and request-response patterns.
Azure Service Bus is a fully managed enterprise message broker with message queues and publish-subscribe topics (in a namespace). Service Bus is used to decouple applications and services from each other, providing the following benefits:
- Load-balancing work across competing workers
- Safely routing and transferring data and control across service and application boundaries
- Coordinating transactional work that requires a high-degree of reliability
Azure supports two types of queue mechanisms: Storage queues and Service Bus queues.
Storage queues are part of the Azure Storage infrastructure. They allow you to store large numbers of messages. You access messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue message can be up to 64 KB in size. A queue may contain millions of messages, up to the total capacity limit of a storage account. Queues are commonly used to create a backlog of work to process asynchronously. For more information, see What are Azure Storage queues.
Service Bus queues are part of a broader Azure messaging infrastructure that supports queuing, publish/subscribe, and more advanced integration patterns. They're designed to integrate applications or application components that may span multiple communication protocols, data contracts, trust domains, or network environments. For more information about Service Bus queues/topics/subscriptions, see the Service Bus queues, topics, and subscriptions.
NO.163 *
You have an Azure subscription that contains the resources shown in the following table.

All virtual machines run Windows Server 2016. On VM1, you back up a folder named Folder1 as shown in the following exhibit.

You plan to restore the backup to a different virtual machine. You need to restore the backup to VM2. What should you do first?
A. From VM1, install the Windows Server Backup feature.
B. From VM2, install the Microsoft Azure Recovery Services Agent.
C. From VM1, install the Microsoft Azure Recovery Services Agent.
D. From VM2, install the Windows Server Backup feature.
Suggested Answer: B
Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-windows-server
NO.164
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts. You purchase 10 Azure AD Premium P2 licenses for the tenant. You need to ensure that 10 users can use all the Azure AD Premium features. What should you do?
A. From the Directory role blade of each user, modify the directory role.
B. From the Azure AD domain, add an enterprise application.
C. From the Groups blade of each user, invite the users to a group.
D. From the Licenses blade of Azure AD, assign a license.
Suggested Answer: D
Reference: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups
Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and associated members) for that service. Only users with active licenses will be able to access and use the licensed Azure AD services for which that's true. Licenses are applied per tenant and do not transfer to other tenants. Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the Usage location for all members. You can set this value in the Azure Active Directory > Users > Profile > Settings area in Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.
NO.165 *
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

You create virtual machines in Subscription1 as shown in the following table.

You plan to use Vault1 for the backup of as many virtual machines as possible. Which virtual machines can be backed up to Vault1?
A. VM1 only
B. VM3 and VMC only
C. VM1, VM2, VM3, VMA, VMB, and VMC
D. VM1, VM3, VMA, and VMC only
E. VM1 and VM3 only
Suggested Answer: D
To back up virtual machines to a vault, the vault must be in the same region as the virtual machines. If you have virtual machines in several regions, create a Recovery Services vault in each region.
Reference: https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
NO.166
You have an Azure subscription that contains a resource group named RG1. RG1 contains 100 virtual machines. Your company has three cost centers named Manufacturing, Sales, and Finance. You need to associate each virtual machine to a specific cost center. What should you do?
A. Configure locks for the virtual machine.
B. Add an extension to the virtual machines.
C. Assign tags to the virtual machines.
D. Modify the inventory settings of the virtual machine.
Correct Answer: C
References: https://docs.microsoft.com/en-us/azure/billing/billing-getting-started
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
You apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair.
NO.167
You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2. VM2 is backed up to RSV1. You need to back up VM2 to RSV2. What should you do first?
A. From the RSV1 blade, click Backup items and stop the VM2 backup
B. From the RSV2 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup
C. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault
D. From the RSV1 blade, click Backup Jobs and export the VM2 job
Suggested Answer: A
To move a VM to a different Recovery Services vault you must first disassociate it from the current vault and delete its backup data, and the backup data can only be deleted once the backup has been stopped. So the order is:
1. Stop the backup of VM2 in RSV1 (option A).
2. Delete the backup data.
3. Disassociate VM2 from RSV1.
4. Associate VM2 with RSV2.
Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm
NO.168 *
You have an Azure subscription that contains a storage account named storage1. The subscription is linked to an Azure Active Directory (Azure AD) tenant named contoso.com that syncs to an on-premises Active Directory domain. The domain contains the security principals shown in the following table.

In Azure AD, you create a user named User2. The storage1 account contains a file share named share1 and has the following configurations.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Answer is correct:
Box 1: Yes. User1 can be assigned to the role.
Box 2: No. Only users and groups can be assigned to Azure file shares.
Box 3: Yes. The user is created in Azure AD but synced towards on-prem, so it also contains a NetBIOS login name.
Share-level permissions on Azure file shares are configured for Azure Active Directory (Azure AD) users, groups, or service principals, while directory and file-level permissions are enforced using Windows access control lists (ACLs). You must assign share-level permissions to the Azure AD identity representing the same user, group, or service principal in your AD DS in order to support AD DS authentication to your Azure file share. Authentication and authorization against identities that only exist in Azure AD, such as Azure Managed Identities (MSIs), aren't supported.
Most users should assign share-level permissions to specific Azure AD users or groups, and then use Windows ACLs for granular access control at the directory and file level. This is the most stringent and secure configuration.
NO.169
You create an Azure Storage account named contosostorage. You plan to create a file share named data. Users need to map a drive to the data file share from home computers that run Windows 10. Which outbound port should you open between the home computers and the data file share?
A. 80
B. 443
C. 445
D. 3389
Suggested Answer: C
Ensure port 445 is open: the SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked.
References: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
NO.170 *
You have an Azure subscription. You have 100 Azure virtual machines. You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering. Which blade should you use?
A. Metrics
B. Customer insights
C. Monitor
D. Advisor
Suggested Answer: D
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.
Reference: https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations
NO.171
You have an Azure App Service web app named app1.
You configure autoscaling as shown in following exhibit.

You configure the autoscale rule criteria as shown in the following exhibit.

Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic. NOTE Each correct selection is worth one point.

Explanation: The answer is shown in the image below.

NO.172
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface named NIC1. You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US. Does this meet the goal?
A. Yes
B. No
Suggested Answer: A
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location (here West US), also referred to as a region.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
NO.173 *
You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named Computer1 that runs Windows 10. Computer1 has the Azure CLI installed. You need to install the kubectl client on Computer1. Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

To install kubectl locally, use the az aks install-cli command: az aks install-cli
Reference: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
NO.174 **
You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1. You need to ensure that User1 can assign a policy to the tenant root management group. What should you do?
A. Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
D. Create a new management group and delegate User1 as the owner of the new management group.
Alternate wording of the same question: You have an Azure subscription that contains a user account named User1. You need to ensure that User1 can assign a policy to the tenant root management group. What should you do?
(A). Assign the Owner role to User1, and then instruct User1 to configure access management for Azure resources.
(B). Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
(C). Assign the Global administrator role to User1, and then modify the default conditional access policies.
(D). Assign the Owner role to User1, and then modify the default conditional access policies.
Correct Answer: C
No one is given default access to the root management group.
Azure AD Global Administrators are the only users that can elevate themselves to gain access.
Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.
Reference: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
ChatGPT:
To ensure that User1 can assign a policy to the tenant root management group, you should assign User1 the "Policy Contributor" or "Global Administrator" role at the tenant level.
- Sign in to the Azure portal as a Global Administrator.
- Go to Azure Active Directory.
- Select Roles and administrators.
- Find the role you want to assign to the user, such as "Policy Contributor" or "Global Administrator".
- Select the role, and then select Add assignments.
- In the Add assignments blade, search for and select the user account User1.
- Select the Save button to complete the assignment.
With this role assignment, User1 will have the necessary permissions to assign policies to the tenant root management group.
NO.175 *
You have an Azure subscription named Subscription1 that contains the virtual networks in the following table.

Subscription1 contains the virtual machines in the following table.

In Subscription1, you create a load balancer that has the following configurations:
✑ Name: LB1
✑ SKU: Basic
✑ Type: Internal
✑ Subnet: Subnet12
✑ Virtual network: VNET1
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

A Basic load balancer supports backend pool endpoints only for virtual machines in a single availability set or virtual machine scale set.
The Subnet12 association is only used to assign the frontend IP of the internal load balancer; it does not mean that the VMs in that subnet are load balanced.
Box 1: Yes. Both VMs are in the same availability set.
Box 2: No. The two VMs are not part of any availability set or scale set.
Box 3: No. The two VMs are not part of any availability set or scale set.
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/skus
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
NO.176 **
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image. You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Modify the extensionProfile section of the Azure Resource Manager template.
B. Create an automation account.
C. Upload a configuration script.
D. Create a new virtual machine scale set in the Azure portal.
E. Create an Azure policy.
Suggested Answer: A, D
Virtual machine scale sets can be used with the Azure Desired State Configuration (DSC) extension handler. Virtual machine scale sets provide a way to deploy and manage large numbers of virtual machines, and can elastically scale in and out in response to load. DSC is used to configure the VMs as they come online so they are running the production software.
References: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-dsc
To automate the deployment of a virtual machine scale set that has web server components installed, you should perform the following two actions:
- Use a custom script extension: You can use a custom script extension to run a script that installs the web server components during the virtual machine provisioning process. The custom script can be executed using the Azure CLI, Azure PowerShell, or the Azure portal.
- Use an Azure Resource Manager template: You can also automate the deployment of the virtual machine scale set and install the web server components by using an Azure Resource Manager (ARM) template. In the template, you can specify the custom script extension and configure it to run the script that installs the web server components. The ARM template can be deployed using the Azure CLI, Azure PowerShell, or the Azure portal.
With these two actions, you can automate the deployment of a virtual machine scale set and ensure that the web server components are installed during the virtual machine provisioning process.
NO.177 *
You have an Azure subscription that uses the public IP addresses shown in the following table.

You need to create a public Azure Standard Load Balancer. Which public IP addresses can you use?
A. IP1, IP2, and IP3
B. IP2 only
C. IP3 only
D. IP1 and IP3 only
Suggested Answer: C
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and Standard SKU resources.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses
NO.178 *
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate. From Azure, you download and install the VPN client configuration package on a computer named Computer2. You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You export the client certificate from Computer1 and install the certificate on Computer2. Does this meet the goal?
A. Yes
B. No
Suggested Answer: A
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
NO.179
You have a virtual network named VNET1 that contains the subnets shown in the following table:

You have Azure virtual machines that have the network configurations shown in the following table:

For NSG1, you create the inbound security rule shown in the following table:

For NSG2, you create the inbound security rule shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

I believe it should be No, Yes, Yes. The NSG2 on the NIC of VM1 blocks the request that passes through NSG1 which is attached on the subnet. There is no priority bypass between NSGs. Traffic is filtered independently between NSGs.

Inbound traffic
For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there's one, and then the rules in a network security group associated to the network interface, if there's one. This includes intra-subnet traffic as well.
- VM1: The security rules in NSG1 are processed, since it's associated to Subnet1 and VM1 is in Subnet1. Unless you've created a rule that allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule, and never evaluated by NSG2, since NSG2 is associated to the network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
- VM2: The rules in NSG1 are processed because VM2 is also in Subnet1. Since VM2 doesn't have a network security group associated to its network interface, it receives all traffic allowed through NSG1 or is denied all traffic denied by NSG1. Traffic is either allowed or denied to all resources in the same subnet when a network security group is associated to a subnet.
- VM3: Since there's no network security group associated to Subnet2, traffic is allowed into the subnet and processed by NSG2, because NSG2 is associated to the network interface attached to VM3.
- VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet3, or the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them.
Outbound traffic
For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there's one, and then the rules in a network security group associated to the subnet, if there's one. This includes intra-subnet traffic as well.
- VM1: The security rules in NSG2 are processed. Unless you create a security rule that denies port 80 outbound to the internet, the traffic is allowed by the AllowInternetOutbound default security rule in both NSG1 and NSG2. If NSG2 has a security rule that denies port 80, the traffic is denied, and never evaluated by NSG1. To deny port 80 from the virtual machine, either, or both of the network security groups must have a rule that denies port 80 to the internet.
- VM2: All traffic is sent through the network interface to the subnet, since the network interface attached to VM2 doesn't have a network security group associated to it. The rules in NSG1 are processed.
- VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. If not, the traffic is allowed by the AllowInternetOutbound default security rule in NSG2, since a network security group isn't associated to Subnet2.
- VM4: All network traffic is allowed from VM4, because a network security group isn't associated to the network interface attached to the virtual machine, or to Subnet3.
Source: Network security group - how it works | Microsoft Learn
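The inbound and outbound processing described above (subnet NSG before NIC NSG on the way in, NIC NSG before subnet NSG on the way out, default rules at priority 65000 and above, first match wins, a missing NSG passes everything) is easy to get wrong when reasoning about a real layout. The following is an added example, not code from the page or from Microsoft: a small Python model of that evaluation order. The NSG names, the port-80 rule and the four-VM layout are constructed to mirror the explanation; service tags are simplified to labels carried on the packet rather than real address matching.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of Azure NSG processing: priority order, first-match semantics,
# the default rules, and the subnet->NIC (inbound) / NIC->subnet (outbound) order.

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower is evaluated first; 65000+ are the default rules
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    src: str           # service tag label: "Internet", "VirtualNetwork", "AzureLoadBalancer" or "*"
    dst: str           # service tag label or "*"
    dst_port: str      # "80", "1000-2000", "22,3389" or "*"

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_tag: str       # which service tag the source address falls under (simplification)
    dst_tag: str
    dst_port: int

DEFAULT_RULES = {
    "Inbound": [
        Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
        Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    ],
    "Outbound": [
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
    ],
}

@dataclass
class Nsg:
    name: str
    rules: List[Rule] = field(default_factory=list)   # custom rules, priority 100-4096

    def effective_rules(self, direction: str) -> List[Rule]:
        custom = [r for r in self.rules if r.direction == direction]
        return sorted(custom + DEFAULT_RULES[direction], key=lambda r: r.priority)

def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False

def evaluate_nsg(nsg: Nsg, pkt: Packet) -> Tuple[str, str]:
    """First matching rule in priority order decides; returns (access, rule name)."""
    for r in nsg.effective_rules(pkt.direction):
        if r.protocol != "*" and r.protocol != pkt.protocol:
            continue
        if r.src != "*" and r.src != pkt.src_tag:
            continue
        if r.dst != "*" and r.dst != pkt.dst_tag:
            continue
        if not port_matches(r.dst_port, pkt.dst_port):
            continue
        return r.access, r.name
    return "Deny", "<no rule matched>"   # unreachable while the DenyAll defaults exist

def evaluate_path(subnet_nsg: Optional[Nsg], nic_nsg: Optional[Nsg], pkt: Packet):
    """Inbound: subnet NSG, then NIC NSG. Outbound: NIC NSG, then subnet NSG.
    A missing NSG passes traffic; the first Deny ends evaluation; both stages must Allow."""
    stages = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if pkt.direction == "Outbound":
        stages.reverse()
    trace = []
    for stage, nsg in stages:
        if nsg is None:
            trace.append((stage, None, "Allow", "<no NSG associated>"))
            continue
        access, rule = evaluate_nsg(nsg, pkt)
        trace.append((stage, nsg.name, access, rule))
        if access == "Deny":
            return "Deny", trace
    return "Allow", trace

# Constructed layout mirroring the text: NSG1 on Subnet1 (VM1, VM2), NSG2 on the NICs
# of VM1 and VM3, nothing on Subnet2/Subnet3 or on the NICs of VM2 and VM4.
NSG1 = Nsg("NSG1", [Rule("AllowHttpFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "80")])
NSG2 = Nsg("NSG2")
LAYOUT = {"VM1": (NSG1, NSG2), "VM2": (NSG1, None), "VM3": (None, NSG2), "VM4": (None, None)}

def inbound_http_results() -> dict:
    pkt = Packet("Inbound", "Tcp", "Internet", "VirtualNetwork", 80)
    return {vm: evaluate_path(sub, nic, pkt)[0] for vm, (sub, nic) in LAYOUT.items()}

def outbound_http_from_vm1(nic_denies_80: bool):
    """Reversed order: a NIC-level deny is final and NSG1 is never consulted."""
    deny = Rule("DenyHttpOut", 100, "Outbound", "Deny", "Tcp", "*", "Internet", "80")
    nic = Nsg("NSG2", [deny]) if nic_denies_80 else NSG2
    return evaluate_path(NSG1, nic, Packet("Outbound", "Tcp", "VirtualNetwork", "Internet", 80))

if __name__ == "__main__":
    print(inbound_http_results())   # {'VM1': 'Deny', 'VM2': 'Allow', 'VM3': 'Deny', 'VM4': 'Allow'}
    print(outbound_http_from_vm1(True))
```

The trace returned by `evaluate_path` is the part worth reading: for VM1 inbound it shows NSG1 allowing on the custom rule and NSG2 denying on DenyAllInBound, which is exactly why "both NSGs must allow port 80" in the explanation above.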
NO.180
You have the Azure virtual machines shown in the following table.

VNET1 is linked to a private DNS zone named contoso.com that contains the records shown in the following table.

You need to ping VM2 from VM1. Which DNS names can you use to ping VM2?
A. comp2.contoso.com and comp4.contoso.com only
B. comp1.contoso.com, comp2.contoso.com, comp3.contoso.com, and comp4.contoso.com
C. comp2.contoso.com only
D. comp1.contoso.com and comp2.contoso.com only
E. comp1.contoso.com, comp2.contoso.com, and comp4.contoso.com only
Suggested Answer: C
Reference: https://medium.com/azure-architects/exploring-azure-private-dns-be65de08f780
https://simpledns.plus/help/dns-record-types
Comp1 - TXT: just a text record, used for things such as domain validation; it plays no part in resolving a name to an address.
Comp2 - A record: the actual name-to-IPv4 mapping (the other address-related record types are AAAA for IPv6 and CNAME, which is an alias).
Comp3 - CNAME: an alias pointing to another computer's name, not to Comp2.
Comp4 - PTR: this record does not resolve to an IP; it maps an address back to a domain name.
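The record-type reasoning above is what a resolver actually does when you ping a name: only A/AAAA data turns into an address, a CNAME is followed to its target (which may or may not be the host you want), and TXT or PTR data never becomes a forward address. The following is an added example, not part of the original question or its references: a small Python stub resolver over a constructed private zone for contoso.com. The record values (10.0.0.5, comp9, the www alias, the deliberate CNAME loop) are invented for illustration and are not the missing table from the question.

```python
from typing import Dict, List, Tuple

# Constructed zone for contoso.com; owners are stored lowercase as FQDNs without a trailing dot.
Record = Tuple[str, str]                                     # (type, rdata)
ZONE: Dict[str, List[Record]] = {
    "comp1.contoso.com": [("TXT", "v=example-verification-token")],
    "comp2.contoso.com": [("A", "10.0.0.5")],                # VM2's address in this example
    "comp3.contoso.com": [("CNAME", "comp9.contoso.com")],   # alias to a different host
    "comp9.contoso.com": [("A", "10.0.0.9")],
    "comp4.contoso.com": [("PTR", "comp2.contoso.com")],     # PTR rdata is a name, not an address
    "www.contoso.com":   [("CNAME", "comp2.contoso.com")],   # an alias that does reach VM2
    "loop.contoso.com":  [("CNAME", "loop2.contoso.com")],   # broken chain, to show the guard
    "loop2.contoso.com": [("CNAME", "loop.contoso.com")],
}

def resolve_addresses(zone: Dict[str, List[Record]], name: str, max_hops: int = 8) -> List[str]:
    """Addresses that `name` resolves to, chasing CNAMEs the way a stub resolver does.
    Only A/AAAA records yield addresses; TXT, PTR and other types contribute nothing."""
    visited: List[str] = []
    current = name.rstrip(".").lower()
    while len(visited) < max_hops:
        if current in visited:
            raise ValueError("CNAME loop: " + " -> ".join(visited + [current]))
        visited.append(current)
        rrset = zone.get(current, [])
        aliases = [data for rtype, data in rrset if rtype == "CNAME"]
        if aliases:                      # a CNAME owner carries no other data; follow it
            current = aliases[0].rstrip(".").lower()
            continue
        return [data for rtype, data in rrset if rtype in ("A", "AAAA")]
    raise ValueError(f"CNAME chain longer than {max_hops} hops from {name}")

def names_reaching(zone: Dict[str, List[Record]], address: str) -> List[str]:
    """Every owner name in the zone that resolves (directly or via CNAME) to `address`."""
    hits = []
    for owner in zone:
        try:
            if address in resolve_addresses(zone, owner):
                hits.append(owner)
        except ValueError:               # skip loops and over-long chains
            pass
    return sorted(hits)

if __name__ == "__main__":
    print(names_reaching(ZONE, "10.0.0.5"))   # ['comp2.contoso.com', 'www.contoso.com']
```

In the question's zone there is no alias for comp2, so only comp2.contoso.com reaches VM2; the www entry here only shows that a CNAME does work when it points at the right host. Reverse lookups for a private zone live in a separate in-addr.arpa zone, which is why a PTR under comp4 is inert for forward resolution.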
NO.181
You have an Azure Storage account named storage1 that stores images. You need to create a new storage account and replicate the images in storage1 to the new account by using object replication. How should you configure the new account? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-overview
Object replication is supported for general-purpose v2 (StorageV2) accounts and premium block blob accounts; both the source and the destination must be one of those kinds. It copies block blobs only, so it is not available for legacy general-purpose v1 or Blob storage accounts and does not apply to file shares. Blob versioning must be enabled on both the source and the destination account, and change feed must be enabled on the source.
The redundancy option of the new account (locally redundant, zone-redundant, geo-redundant, and so on) is chosen independently; it determines how the destination account protects its own data and is not what object replication depends on.
What is a StorageV2 account?
A general-purpose v2 (StorageV2) account is the current, recommended account kind. Its main characteristics are:
- One account for all services: blobs, files, queues and tables, with access tiers (hot, cool, archive) for block blobs and all redundancy options.
- Capacity and throughput limits that are large but bounded by the per-account limits, not unlimited.
- Azure Active Directory-based authorization for blob and queue data, plus virtual network service endpoints and private endpoints.
- Azure Monitor metrics and resource logs for monitoring.
Legacy general-purpose v1 accounts can be upgraded in place to StorageV2.
Can a StorageV2 account replicate?
Yes. Object replication copies block blobs asynchronously from containers in a source account to containers in a destination account; the two accounts can be in the same or different regions and subscriptions, and both must be StorageV2 or premium block blob accounts. To use it:
- Enable blob versioning on both accounts and change feed on the source account.
- Create an object replication policy that maps source containers to destination containers; the policy is defined on the destination account and then applied to the source account.
- Replication then happens asynchronously; check each blob's replication status on the source to confirm that existing and new blobs have been copied.
Azure Storage provides several different types of objects for storing data, including:
- Blob storage: Blob storage is used for storing unstructured data such as images, videos, audio files, and documents. Blob storage supports three types of blobs: block blobs, append blobs, and page blobs.
- File storage: File storage is used for storing SMB-based file shares that can be accessed by cloud and on-premises applications.
- Queue storage: Queue storage is used for storing and retrieving messages in a queue, which can be used for communication between application components.
- Table storage: Table storage is used for storing structured, non-relational data using a key-value model.
- Disk storage: Disk storage is used for storing managed virtual hard disks (VHDs) that can be used as the disks for virtual machines.
NO.182 *
You have an Azure subscription that contains the virtual machines shown in the following table.

You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2. Does this meet the goal?
A. Yes
B. No
Suggested Answer: B
A backend pool configured by IP address has the following limitations:
✑ Standard load balancer only
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
Correct answer: B (No). You can only attach virtual machines that are in the same location and on the same virtual network as the load balancer. Virtual machines must have a Standard SKU public IP or no public IP. The load balancer needs to be a Standard SKU to accept individual VMs outside an availability set or scale set. VMs do not need to have public IPs, but if they have them, they have to be Standard SKU. VMs can only come from a single virtual network. When they don't have a public IP, they are assigned an ephemeral IP. Also, when adding them to a backend pool, it doesn't matter which power state the VMs are in. Note: the load balancer and the public IP address SKU must match when you use them with public IP addresses.
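The SKU and placement rules spread across NO.175, NO.177 and NO.182 (Basic pools only from one availability set or scale set, frontend public IP SKU matching the load balancer, backend VMs in the load balancer's VNet and region, NIC public IPs matching the SKU or absent, power state irrelevant) are the kind of preflight check worth encoding once. The following is an added example, not code from the page or an Azure API: a Python model of those constraints applied to constructed VM and load balancer definitions. The VM names, regions and SKUs in `scenarios()` are invented to mirror the questions, not the missing tables.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed preflight model of the backend-pool rules quoted in NO.175/177/182.

@dataclass(frozen=True)
class Vm:
    name: str
    vnet: str
    region: str
    availability_set: Optional[str] = None   # availability set or scale set name; None = standalone
    public_ip_sku: Optional[str] = None      # "Basic", "Standard" or None (no public IP on the NIC)
    running: bool = True

@dataclass(frozen=True)
class LoadBalancer:
    name: str
    sku: str                                 # "Basic" or "Standard"
    kind: str                                # "Internal" or "Public"
    vnet: str
    region: str
    frontend_public_ip_sku: Optional[str] = None   # only meaningful when kind == "Public"

def frontend_problems(lb: LoadBalancer) -> List[str]:
    """A public load balancer's frontend IP must carry the same SKU as the load balancer."""
    if lb.kind != "Public":
        return []
    if lb.frontend_public_ip_sku is None:
        return ["a public load balancer needs a public IP address for its frontend"]
    if lb.frontend_public_ip_sku != lb.sku:
        return [f"frontend IP is {lb.frontend_public_ip_sku} SKU but {lb.name} is {lb.sku} SKU"]
    return []

def backend_pool_problems(lb: LoadBalancer, vms: List[Vm]) -> Dict[str, List[str]]:
    """Per VM, the reasons it cannot join the backend pool of `lb` (empty list = can be added).
    Power state is deliberately not checked: a stopped VM can still be placed in a pool."""
    problems: Dict[str, List[str]] = {vm.name: [] for vm in vms}
    for vm in vms:
        if vm.region != lb.region:
            problems[vm.name].append(f"region {vm.region} differs from load balancer region {lb.region}")
        if vm.vnet != lb.vnet:
            problems[vm.name].append(f"VNet {vm.vnet} differs from load balancer VNet {lb.vnet}")
        if lb.sku == "Basic" and vm.availability_set is None:
            problems[vm.name].append("Basic SKU accepts only VMs in an availability set or scale set")
        if vm.public_ip_sku is not None and vm.public_ip_sku != lb.sku:
            problems[vm.name].append(
                f"NIC public IP is {vm.public_ip_sku} SKU; it must match the {lb.sku} SKU load balancer or be absent")
    if lb.sku == "Basic":
        sets = {vm.availability_set for vm in vms if vm.availability_set is not None}
        if len(sets) > 1:   # Basic pools must come from one availability set or one scale set
            for vm in vms:
                problems[vm.name].append("Basic SKU pool must come from a single availability set or scale set")
    return problems

def scenarios() -> Dict[str, Dict[str, List[str]]]:
    # NO.182-style: Standard internal LB in VNET1; VM1 carries a Basic public IP, VM2 is stopped,
    # VM3 sits in another VNet. Only VM2 qualifies, and stopping it changes nothing.
    lb1 = LoadBalancer("LB1", "Standard", "Internal", "VNET1", "westus")
    standard_vms = [Vm("VM1", "VNET1", "westus", public_ip_sku="Basic"),
                    Vm("VM2", "VNET1", "westus", running=False),
                    Vm("VM3", "VNET2", "westus")]
    # NO.175-style: Basic internal LB; only VMs that share one availability set qualify.
    lb_basic = LoadBalancer("LB-basic", "Basic", "Internal", "VNET1", "westus")
    basic_vms = [Vm("AS-VM1", "VNET1", "westus", availability_set="AS1"),
                 Vm("AS-VM2", "VNET1", "westus", availability_set="AS1"),
                 Vm("Solo", "VNET1", "westus")]
    return {"standard": backend_pool_problems(lb1, standard_vms),
            "basic": backend_pool_problems(lb_basic, basic_vms)}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, {vm: reasons or "OK" for vm, reasons in result.items()})
```

Running it shows VM1 rejected for its Basic public IP and VM3 for the wrong VNet, while the stopped VM2 is accepted, which is the reasoning behind answer B in NO.182; the `basic` scenario reproduces the NO.175 rule that standalone VMs never qualify for a Basic SKU pool.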
NO.183 **
You need to configure the alerts for VM1 and VM2 to meet the technical requirements. Which three actions should you perform in sequence? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

Answer is:
1. Create a Log Analytics workspace.
2. Collect Windows performance counters from the Log Analytics agents (which collect the disk space %).
3. Create an alert rule.
Ref: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-performance-counters
NO.184
You have peering configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: vNET6 only. The peering status to both VNet1 and VNet2 is Disconnected.
Box 2: delete peering1. The peering to VNet1 is Enabled but Disconnected; the remote peering has to be updated or re-created to get it back to the Initiated state.
Reference: https://blog.kloud.com.au/2018/10/19/address-space-maintenance-with-vnet-peering/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
NO.185 **
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3. The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click the AccessControl tab.)

You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Tenant tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Correct Answer: Azure RBAC roles and Azure AD roles are independent. Azure AD roles do not grant access to Azure resources, and Azure roles do not grant access to Azure AD. However, a Global Administrator in Azure AD can elevate access to all subscriptions and then holds User Access Administrator at the Azure root scope.
All three users are Global Administrators (Azure AD) and Admin3 is Owner of the subscription (RBAC). Admin1 has elevated access, so Admin1 is also User Access Administrator (RBAC). To assign a user the Owner role at the subscription scope you need a role that includes Microsoft.Authorization/roleAssignments/write, such as User Access Administrator or Owner.
Box 1: Yes. Admin1 has elevated access, so Admin1 is User Access Administrator. This is valid.
Box 2: Yes. Admin3 is Owner of the subscription. This is valid.
Box 3: No. Admin2 is only a Global Administrator in the Azure AD scope and has no permissions in the subscription.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin
NO.186 **
You recently created a new Azure subscription that contains a user named Admin1. Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure PowerShell and receives the following error message: User failed validation to purchase resources. Error message:
Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time. You need to ensure that Admin1 can deploy the Marketplace resource successfully. What should you do?
A. From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
B. From the Azure portal, register the Microsoft.Marketplace resource provider
C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
D. From the Azure portal, assign the Billing administrator role to Admin1
Suggested Answer: C
Reference: https://docs.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-azmarketplaceterms?view=azps-4.1.0
The Set-AzMarketplaceTerms cmdlet saves the terms object for a given publisher id (Publisher), offer id (Product) and plan id (Name) tuple.
NO.187
You have an Azure subscription that contains the resource groups shown in the following table.

RG1 contains the resources shown in the following table.

VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1. RG2 contains a public IP address named IP2 that is in the East US location. IP2 is not assigned to a virtual machine. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: Yes - You can move storage.
Box 2: No - You can't move a NIC that is attached to a virtual machine to a new resource group.
Box 3: No - Azure public IPs are region-specific and can't be moved from one region to another.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources https://docs.microsoft.com/en-us/azure/virtual-network/move-across-regions-publicip-powershell
NO.188
You have an Azure virtual machine named VM1. The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only. You need to ensure that users can connect to the website from the Internet. What should you do?
A. Modify the protocol of Rule4
B. Delete Rule1
C. For Rule5, change the Action to Allow and change the priority to 401
D. Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.
Suggested Answer: C
HTTPS uses port 443. Rule2, with priority 500, denies HTTPS traffic. Rule5, with its priority changed from 2000 to 401, would allow HTTPS traffic.
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
Note: There are several versions of this question in the exam. The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.
Other incorrect answer options you may see on the exam include the following:
✑ Modify the action of Rule1.
✑ Change the priority of Rule6 to 100.
✑ For Rule4, change the protocol from UDP to Any.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
(A). For Rule4, change the protocol from UDP to Any
(B). Modify the protocol of Rule4.
(C). Modify the action of Rule1.
(D). Change the priority of Rule3 to 450
Answer: D
Rule 2 is blocking HTTPS access (port 443) and has a priority of 500.
Changing Rule 3 (ports 60-500) and giving it a lower priority number will allow access on port 443.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops.
Incorrect Answers:
A: HTTPS uses port 443. Rule6 only applies to ports 150 to 300.
C, D: Rule 1 blocks access to port 80, which is used for HTTP, not HTTPS.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
NO.189
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
OR On Dev, you assign the Logic App Contributor role to the Developers group.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
The Contributor role can manage all resources (and add resources) in a resource group.
Answer: A
The Logic App Contributor role lets you manage logic apps, but you can't change access to them.
It provides access to view, edit, and update a logic app.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
NO.190
You have an Azure Storage account named storage1. You have an Azure App Service app named App1 and an app named App2 that runs in an Azure container instance. Each app uses a managed identity. You need to ensure that App1 and App2 can read blobs from storage1. The solution must meet the following requirements:
✑ Minimize the number of secrets used.
✑ Ensure that App2 can only read from storage1 for the next 30 days.
What should you configure in storage1 for each app? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Box 1: Access Control (IAM) - Since App1 uses a managed identity, App1 can access the storage account via IAM. As per the requirement, we need to minimize the number of secrets used, so access keys are not ideal.
Box 2: Shared access signature (SAS) - We need temporary access for App2, so we need to use a SAS.
NO.191 *
You have an Active Directory forest named contoso.com. You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled. You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs. You need to ensure that the synchronization completes successfully. What should you do?
A. Run Azure AD Connect and set the SSO method to Pass-through Authentication.
B. From Synchronization Service Manager, run a full import.
C. From Azure PowerShell, run Start-AdSyncSyncCycle -PolicyType Initial.
D. Run Azure AD Connect and disable staging mode.
Suggested Answer: D
Staging mode must be disabled. If the Azure AD Connect server is in staging mode, password hash synchronization is temporarily disabled.
References: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-troubleshoot-password-hash-synchronization#no-passwords-are-synchronized-troubleshoot-by-using-the-troubleshooting-task
D is correct "Suppose you have an Azure AD Connect with Password Hash Synchronization feature enabled. When you enable staging mode, the server stops synchronizing password changes from on-premises AD. When you disable staging mode, the server resumes synchronizing password changes from where it last left off. If the server is left in staging mode for an extended period of time, it can take a while for the server to synchronize all password changes that had occurred during the time period." https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-staging-server
NO.192 **
A web developer creates a web application that you plan to deploy as an Azure web app. Users must enter credentials to access the web application. You create a new web app named WebApp1 and deploy the web application to WebApp1. You need to disable anonymous access to WebApp1. What should you configure?
A. Access control (IAM)
B. Advanced Tools
C. Deployment credentials
D. Authentication/Authorization
Correct Answer: D
To disable anonymous access to a web application deployed in Azure App Service, you need to configure authentication and authorization settings in Azure portal. Here are the steps to achieve this:
- Open the Azure portal and navigate to your WebApp1.
- In the left-hand menu, select "Authentication/Authorization".
- In the "Authentication/Authorization" blade, set "App Service Authentication" to "On".
- Under "Action to take when request is not authenticated", select "Log in with Azure Active Directory".
- Under "Supported account types", select the appropriate option for your scenario (e.g. "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" if you want users to be able to sign in with their Azure AD or Microsoft personal accounts).
- Under "Authorization providers", you can select which providers you want to enable for your web app. For example, you might want to allow users to sign in with their Azure AD accounts or with social identities such as Facebook, Google, or Twitter.
- Save your changes.
After completing these steps, users will be required to sign in with valid credentials before accessing your web application deployed in WebApp1.
References:
- [1] Azure documentation: Configure authentication and authorization in Azure App Service https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
- [2] Microsoft Learn: Secure your cloud apps with Azure App Service authentication and authorization https://docs.microsoft.com/en-us/learn/modules/secure-cloud-apps-with-app-service/
References: https://docs.microsoft.com/en-us/biztalk/core/guidelines-for-resolving-iis-permissions-problems
NO.193
You need to create an Azure Storage account that meets the following requirements:
✑ Minimizes costs
✑ Supports hot, cool, and archive blob tiers
✑ Provides fault tolerance if a disaster affects the Azure region where the account resides
How should you complete the command? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: StorageV2 - You may only tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts. General Purpose v1 (GPv1) accounts do not support tiering. General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices.
Box 2: Standard_GRS - Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability.
Incorrect Answers:
Locally-redundant storage (LRS): A simple, low-cost replication strategy. Data is replicated within a single storage scale unit.
Read-access geo-redundant storage (RA-GRS): Cross-regional replication with read access to the replica. RA-GRS provides read-only access to the data in the secondary location, in addition to geo-replication across two regions, but is more expensive compared to GRS.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
NO.194
You have an Azure App Service plan named AdatumASP1 that hosts several Azure web apps. You discover that the web apps respond slowly. You need to provide additional memory and CPU resources to each instance of the web apps. What should you do?
A. Add a continuous WebJob that uses the multi-instance scale
B. Scale out AdatumASP1
C. Add a virtual machine scale set
D. Scale up AdatumASP1
Correct Answer: D
References: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/app-service/web-sites-scale.md
NO.195 *
You have an Azure subscription that contains the storage accounts shown in the following table.

You need to identify which storage account can be converted to zone-redundant storage (ZRS) replication by requesting a live migration from Azure support. What should you identify?
A. storage1
B. storage2
C. storage3
D. storage4
Suggested Answer: B
ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.
Incorrect Answers:
A, not C: Live migration is supported only for storage accounts that use LRS replication. If your account uses GRS or RA-GRS, then you need to first change your account's replication type to LRS before proceeding. This intermediary step removes the secondary endpoint provided by GRS/RA-GRS. Also, only standard storage account types support live migration. Premium storage accounts must be migrated manually.
D: ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs
NO.196
You have an Azure virtual machine named VM1. Azure collects events from VM1. You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1. You need to specify which resource type to monitor. What should you specify?
A. metric alert
B. Azure Log Analytics workspace
C. virtual machine
D. virtual machine extension
Answer: B
Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for analysis of details and correlations.
Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.
Azure Log Analytics workspace is also used for on-premises computers monitored by System Center Operations Manager.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
NO.197
You have an Azure subscription that contains a user named User1. You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege. Which role-based access control (RBAC) role should you assign to User1?
A. Owner
B. Virtual Machine Contributor
C. Contributor
D. Virtual Machine Administrator Login
Suggested Answer: C
Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC.
Incorrect Answers:
A: Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
B: Virtual Machine Contributor: Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
D: Virtual Machine Administrator Login: View virtual machines in the portal and log in as administrator.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
NO.198
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only. NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 connects to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1. You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the Internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol. Does this meet the goal?
A. Yes
B. No
Suggested Answer: A
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM. Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network by default.
References: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection
NO.199 *
You have an Azure subscription that contains the resources shown in the following table.

You need to load balance HTTPS connections to vm1 and vm2 by using lb1. Which three actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

Suggested Answer:

Answer is correct:
- Remove the public IP addresses. They are Basic public IPs, and we're using a Standard Load Balancer, which isn't compatible with them.
- Create a backend pool and health probes.
- Create a load balancer rule.
NO.200
You have an Azure Kubernetes cluster in place.
You have to deploy an application using an Azure Container registry image.
Which of the following commands can be used for this requirement?
A. az kubernetes deploy
B. kubectl apply
C. New-AzKubernetes set
D. docker run
kubectl apply: Correct Choice
The kubectl command can be used to deploy applications to a Kubernetes cluster.
az kubernetes deploy: Incorrect Choice
This command is used to manage Azure Kubernetes Service. It is not used to deploy applications to a Kubernetes cluster.
New-AzKubernetes set: Incorrect Choice
This command is used to create a new managed Kubernetes cluster. It is not used to deploy applications to a Kubernetes cluster.
docker run: Incorrect Choice
This runs a command in a new container. It is not used to deploy applications to a Kubernetes cluster.
NO.201
You have the App Service plan shown in the following exhibit.

The scale-in settings for the App Service plan are configured as shown in the following exhibit.

The scale-out rule is configured with the same duration and cool-down time as the scale-in rule. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

Correct Answer:
Box 1: 2
70% for 1 hour, and then 90% for 5 minutes. So, from the default of 1 it will scale out by 1 more. So, 2 in total.
Box 2: 4
90% for 1 hour and then 25% for 9 minutes. So, from the default of 1 it will scale out to the maximum of 5 (60/5 = 12, which means 6 scale-out steps, because we have a 5-minute cool-down period). Then, when it drops to 25% for 9 minutes, it will scale in once after 5 minutes (since the average of the last 5 minutes is under 30%), so it will decrease by 1, so 4 in total. Then it will have a cool-down of 5 minutes before scaling in again, but since only 4 minutes remain of the 9 minutes (9 - 5 = 4), it won't scale in again. So, 4 in total.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-schedule https://docs.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings
NO.202 **
You onboard 10 Azure virtual machines to Azure Automation State Configuration. You need to use Azure Automation State Configuration to manage the ongoing consistency of the virtual machine configurations. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select. Select and Place:

Not correct. The right order is:
- Upload a configuration to Azure Automation State Configuration
- Compile a configuration into a node configuration
- Check the compliance status of the node.
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started https://docs.microsoft.com/en-us/azure/automation/tutorial-configure-servers-desired-state
Which five actions should you perform in sequence?

Reference: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started
NO.203 **
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

From Azure AD Privileged Identity Management (PIM), you configure the settings for the Security Administrator role as shown in the following exhibit.

From PIM, you assign the Security Administrator role to the following groups:
✑ Group1: Active assignment type, permanently assigned
✑ Group2: Eligible assignment type, permanently eligible
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

I think answer should be:
No - this user already has the role assigned and 5 hours is how long the role can be assigned for when an eligible user activates it.
Yes - but not for the reason stated, user 2 is eligible and there are no items required for approval so it will be automatic and assigned for 5 hours
No - this user is already active in the role and will be for 1 month
Reference: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings
From Azure Active Directory (AD) Privileged Identity Management, you configure the Role settings for the Owner role of an Azure subscription as shown in the following exhibit.

From Azure AD Privileged Identity Management, you assign the Owner role for the subscription to a user named User1, and you set the Assignment type to Active and Permanently eligible.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Answer:

Term or concept | Role assignment category | Description
---|---|---
eligible | Type | A role assignment that requires a user to perform one or more actions to use the role. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. There's no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don't need that access all the time.
active | Type | A role assignment that doesn't require a user to perform any action to use the role. Users assigned as active have the privileges assigned to the role.
activate | | The process of performing one or more actions to use a role that a user is eligible for. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
assigned | State | A user that has an active role assignment.
activated | State | A user that has an eligible role assignment, performed the actions to activate the role, and is now active. Once activated, the user can use the role for a pre-configured period of time before they need to activate again.
permanent eligible | Duration | A role assignment where a user is always eligible to activate the role.
permanent active | Duration | A role assignment where a user can always use the role without performing any actions.
time-bound eligible | Duration | A role assignment where a user is eligible to activate the role only within start and end dates.
time-bound active | Duration | A role assignment where a user can use the role only within start and end dates.
just-in-time (JIT) access | | A model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it.
principle of least privilege access | | A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they're authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios.
NO.204 **
Your company has an Azure subscription named Subscription1. The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records. You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:
✑ The DNS Manager console
✑ Azure PowerShell
✑ Azure CLI 2.0
You need to move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort. What should you use?
A. Azure CLI
B. Azure PowerShell
C. the Azure portal
D. the DNS Manager console
Answer: A
Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently supported via Azure PowerShell or the Azure portal.
NO.205 **
You plan to use Azure Network Watcher to perform the following tasks:
✑ Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
✑ Task2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

1st: IP flow verify - Quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment. For example, confirming if a security rule is blocking ingress or egress traffic to or from a virtual machine. IP flow verify is ideal for making sure security rules are being correctly applied. When used for troubleshooting, if IP flow verify doesn't show a problem, you will need to explore other areas such as firewall restrictions.
2nd: Connection troubleshoot - Azure Network Watcher Connection Troubleshoot is a more recent addition to the Network Watcher suite of networking tools and capabilities. Connection Troubleshoot enables you to troubleshoot network performance and connectivity issues in Azure.
NO.206 **
You have an Azure subscription named Subscription1 that has the following providers registered:
✑ Authorization
✑ Automation
✑ Resources
✑ Compute
✑ KeyVault
✑ Network
✑ Storage
✑ Billing
✑ Web
Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Network security group (NSG): NSG1
✑ Public IP address: None
✑ Availability set: AVSet
✑ Subnet: 10.0.0.0/24
✑ Managed disks: No
✑ Location: East US
You need to record all the successful and failed connection attempts to VM1. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
(A). Register the Microsoft.Insights resource provider
(B). Add an Azure Network Watcher connection monitor
(C). Register the Microsoft.LogAnalytics provider
(D). Enable Azure Network Watcher in the East US Azure region
(E). Create an Azure Storage account
(F). Enable Azure Network Watcher flow logs
Answer: A,D,F
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability.
1. Create a VM with a network security group - Already available
2. Enable Network Watcher - Since 2018, Network Watcher has been enabled by default on any subscription with a Virtual Network
3. Register the Microsoft.Insights provider
4. Configure Azure Storage account.
5. Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
6. Download logged data
7. View logged data
To record the successful and failed connection requests, we should use Azure Network Watcher flow logs.
The Network Watcher is already enabled in the region, and we can utilize the Network Watcher NSG's flow log functionality. For that, we need to register the microsoft.insights resource provider and create a storage account for storing the flow logs.
NO.207
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com. You add contoso.com as a custom domain name to Azure AD. You need to ensure that Azure can verify the domain name. Which type of DNS record should you create?
A. MX
B. NSEC
C. PTR
D. RRSIG
Suggested Answer: A
To verify your custom domain name (example):
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.
Note: There are several versions of this question in the exam.
The question can have two correct answers:
1. MX
2. TXT
The question can also have other incorrect answer options, including the following:
1. SRV
2. NSEC3
Reference: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
----------------------------------------------------------------------------------
(A). NSEC
(B). PTR
(C). DNSKEY
(D). TXT
Answer: D
TXT: Correct Choice
You need to go to your hosting domain registrar and add a TXT record.
NSEC3: Incorrect Choice
This is part of DNSSEC. It is used for explicit denial-of-existence of a DNS record, i.e. to prove that a name does not exist.
RRSIG: Incorrect Choice
This contains a cryptographic signature.
DNSKEY: Incorrect Choice
This verifies that the records originate from an authorized sender.
NO.208
You have an Azure subscription that contains two resource groups named RG1 and RG2. RG2 does not contain any resources. RG1 contains the resources in the following table.

Which resource can you move to RG2?
A. W10_OsDisk
B. VNet1
C. VNet3
D. W10
Suggested Answer: B
When moving a virtual network, you must also move its dependent resources. For example, you must move gateways with the virtual network. VM W10, which is in Vnet1, is not a dependent resource.
Incorrect Answers:
A: Managed disks don't support move.
C: Virtual networks (classic) can't be moved.
D: Virtual machines with the managed disks cannot be moved.
References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources#virtual-machines-limitations
NO.209 **
You have a general purpose v1 storage account named storageaccount1 that has a private container named container1.
You need to allow read access to the data inside container1, but only within a 14 day window. How do you accomplish this?
A. Create a stored access policy
B. Create a service SAS
C. Create a shared access signature
D. Upgrade the storage account to general purpose v2
Answer: A,C
A Stored Access Policy allows granular control over a single storage container using a Shared Access Signature (SAS).
A Shared Access Signature (SAS) allows you to have granular control over your storage account, including access to only certain services (e.g., Azure Blobs) and permitting only read, write, delete, list, add, or create access.
A Stored Access Policy in Azure is a predefined set of permissions and constraints for a Shared Access Signature (SAS) that can be applied to one or more blobs or containers within a storage account.
By creating a stored access policy, you can define a set of permissions and constraints once and then use that policy to generate SAS tokens for multiple resources. You can update the policy at any time, and all SAS tokens generated with the policy will inherit the updated permissions and constraints.
Some examples of constraints that can be defined in a stored access policy include the start time and end time of the SAS, the permissions allowed (such as read, write, or delete), and the IP addresses or ranges from which the SAS can be accessed.
NO.210 **
You are the global administrator for an Azure Active Directory (Azure AD) tenant named adatum.com. You need to enable two-step verification for Azure users. What should you do?
(A). Create a sign-in risk policy in Azure AD Identity Protection
(B). Enable Azure AD Privileged Identity Management.
(C). Create and configure the Identity Hub.
(D). Configure a security policy in Azure Security Center.
Answer: A
Identity Protection analyzes signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn't performed by the user. Administrators can make a decision based on this risk score signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require multi-factor authentication.
If risk is detected, users can perform multi-factor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators. With Azure Active Directory Identity Protection, you can:
- require users to register for multi-factor authentication
- handle risky sign-ins and compromised users
Reference: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/flows
Sign-in risk policy in Azure AD Identity Protection is a set of conditions and actions that determine how Azure AD Identity Protection evaluates the risk associated with a user sign-in. Based on the risk level, Identity Protection can either block the sign-in, challenge the user with additional authentication, or allow the sign-in to proceed as normal.
For example, you can configure a sign-in risk policy to block sign-ins from unfamiliar IP addresses, or to challenge users who sign in from a high-risk location. The policy can also be based on multiple factors, such as user identity, device, location, and behavior.
The sign-in risk policy is an important component of Azure AD Identity Protection, as it helps you protect your organization's resources by proactively identifying and mitigating risks associated with user sign-ins. By implementing a sign-in risk policy, you can ensure that only trusted users and devices have access to sensitive data and systems.