Azure Certi 104-3 : 211 ~ 260

NO.211

You sign up for Azure Active Directory (Azure AD) Premium. You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain. What should you configure in Azure AD?

A. Providers from the MFA Server blade

B. Device settings from the Devices blade

C. General settings from the Groups blade

D. User settings from the Users blade

Suggested Answer: B
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

NO.212 *

You plan to move a distributed on-premises app named App1 to an Azure subscription. After the planned move, App1 will be hosted on several Azure virtual machines. You need to ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance. What should you create?

A. one virtual machine scale set that has 10 virtual machines instances.

B. one Availability Set that has three fault domains and one update domain

C. one Availability Set that has 10 update domains and one fault domain

D. one virtual machine scale set that has 12 virtual machines instances

Suggested Answer: C
An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time. As you create VMs within an availability set, the Azure platform automatically distributes your VMs across these update domains. This approach ensures that at least one instance of your application always remains running as the Azure platform undergoes periodic maintenance.
Reference: http://www.thatlazyadmin.com/azure-fault-update-domains/

NO.213

You plan to deploy an Azure container instance by using the following Azure Resource Manager template.

img

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the template. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

NO.214 **

You have an Azure Active Directory (Azure AD) tenant that has Azure AD Privileged Identity Management configured. You have 10 users who are assigned the Security Administrator role for the tenant. You need the users to verify whether they still require the Security Administrator role.
What should you do?

(A). From Azure AD Identity Protection, configure a user risk policy.

(B). From Azure AD Privileged Identity Management, create an access review.

(C). From Azure AD Identity Protection, configure the Weekly Digest.

(D). From Azure AD Privileged Identity Management, create a conditional access policy.

Answer: B

Reference: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-howto-start-security-review

To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure AD Privileged Identity Management (PIM) to create access reviews for privileged Azure AD roles. You can also configure recurring access reviews that occur automatically.

Access review is a feature in Azure Active Directory (Azure AD) that enables organizations to review and manage user access to resources on a regular basis. An access review allows an owner or administrator of a resource to periodically review the access of other users to that resource, and either approve or revoke their access. This feature can help organizations ensure that users only have access to the resources that they need to do their job, and that access is appropriate and up-to-date.

You have a Microsoft 365 subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. You need to recommend an Azure AD Privileged Identity Management (PIM) solution that meets the following requirements:
✑ Administrators must be notified when the Security administrator role is activated.
✑ Users assigned the Security administrator role must be removed from the role automatically if they do not sign in for 30 days.
Which Azure AD PIM setting should you recommend configuring for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

It is absolutely

  1. Roles
  2. Access Reviews

Roles > Settings > Send notifications when eligible members activate this role
Access Reviews > New > Duration > 30 days, End: Never, Upon completion settings > If reviewer doesn't respond > Remove access
Alerts only alert on issues (stale accounts, users not using PIM, etc.); they do not action anything, nor do they alert when users are enabling PIM access as they should, which is what the question is asking.

NO.215 *

You have an Azure Kubernetes Service (AKS) cluster named AKS1. You need to configure cluster autoscaler for AKS1. Which two tools should you use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

A. the kubectl command

B. the az aks command

C. the Set-AzVm cmdlet

D. the Azure portal

E. the Set-AzAks cmdlet

Suggested Answer: B, D
Correct Answer: B and D. We need to configure the autoscaler for the AKS cluster. We do not want to scale Kubernetes pods, so the kubectl command is not needed.
A: The kubectl command is used for configuring Kubernetes, not the AKS cluster.
B: The az aks command is used for AKS cluster configuration.
C: The Set-AzVm cmdlet is used for VMs.
D: Azure portal: under node pools, press Scale, then choose Autoscale.
E: Set-AzAks creates or updates an AKS cluster; the correct cmdlet is Set-AzAksCluster.
AKS clusters can scale in one of two ways:
- The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes.
- The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand.
Reference: https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler

NO.216

You have an Azure subscription. You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion. How should you complete the template? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Reference: https://medium.com/charot/deploy-azure-bastion-preview-using-an-arm-template-15e3010767d6

NO.217

You create an Azure VM named VM1 that runs Windows Server 2019. VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

img

You need to enable Desired State Configuration for VM1. What should you do first?

A. Connect to VM1.

B. Start VM1.

C. Capture a snapshot of VM1.

D. Configure a DNS name for VM1.

Suggested Answer: B
Status is Stopped (Deallocated). The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure. The VM needs to be started.

Desired State Configuration (DSC) extension

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows

NO.218

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You add the users in the following table.

img

Which user can perform each configuration? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img
image-20230207112314605

NO.219

You have an Azure Service Bus and a queue named Queue1. Queue1 is configured as shown in the following exhibit.

img

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Answer 1 is clear: it will move to the dead-letter queue after 2 hours and stay there until manually deleted, since by default PeekLock is enabled in the queue. Answer 2: it will be deleted automatically (meaning that after it is read, it is declared as settled). The receiving client initiates settlement of a received message with a positive acknowledgment when it calls Complete at the API level. This indicates to the broker that the message has been successfully processed and the message is removed from the queue or subscription. https://docs.microsoft.com/en-us/azure/service-bus-messaging/message-transfers-locks-settlement

NO.220

You have an Azure virtual machine named VM1. The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

img

You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only. You need to ensure that users can connect to the website from the Internet. What should you do?

A. Modify the protocol of Rule4

B. Delete Rule1

C. For Rule5, change the Action to Allow and change the priority to 401

D. Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.

Suggested Answer: C
HTTPS uses port 443. Rule2, with priority 500, denies HTTPS traffic. Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
Note: There are several versions of this question in the exam. The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.
Other incorrect answer options you may see on the exam include the following:
✑ Modify the action of Rule1.
✑ Change the priority of Rule6 to 100.
✑ For Rule4, change the protocol from UDP to Any.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
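As an added illustration (not part of the exam page), the following Python models how an NSG processes inbound rules in priority order and first-match-wins, using a constructed rule set that mirrors the explanation: Rule2 at priority 500 denies TCP 443 and Rule5 at 2000 also denies it. The Rule1 and Rule4 details, ports and priorities are assumptions, not the exhibit.

```python
from dataclasses import dataclass, replace

# Constructed sample rule set: NOT the exhibit from the question, only a stand-in
# that reproduces the situation the explanation describes (Rule2 at priority 500
# denies TCP/443, Rule5 at priority 2000 denies it as well).

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    protocol: str    # "Tcp", "Udp" or "*" (Any)
    dest_ports: str  # "443", "8000-8080" or "*"
    action: str      # "Allow" or "Deny"


def port_matches(spec, port):
    """Destination port spec: single port, inclusive range or wildcard."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def validate_priority(rule):
    """Custom rules must sit in 100..4096; Azure's default rules use 65000+."""
    if not 100 <= rule.priority <= 4096:
        raise ValueError(f"{rule.name}: priority {rule.priority} outside 100-4096")
    return rule


def evaluate(rules, direction, protocol, port):
    """Walk rules lowest priority number first; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not port_matches(rule.dest_ports, port):
            continue
        return rule.action, rule.name
    return "Deny", "<no match>"


# Azure always appends DenyAllInBound at 65500; it is outside the custom range.
DEFAULT_RULES = [NsgRule("DenyAllInBound", 65500, "Inbound", "*", "*", "Deny")]

BEFORE = [validate_priority(r) for r in (
    NsgRule("Rule1", 300, "Inbound", "Tcp", "3389", "Allow"),   # assumed
    NsgRule("Rule2", 500, "Inbound", "Tcp", "443", "Deny"),     # as in the explanation
    NsgRule("Rule4", 1000, "Inbound", "Udp", "443", "Allow"),   # assumed UDP rule
    NsgRule("Rule5", 2000, "Inbound", "Tcp", "443", "Deny"),    # as in the explanation
)]


def apply_answer_c(rules):
    """Option C: Rule5 becomes Allow at priority 401, so it is matched before Rule2."""
    return [validate_priority(replace(r, action="Allow", priority=401))
            if r.name == "Rule5" else r for r in rules]


def apply_rule4_any(rules):
    """Option A (incorrect): widening Rule4 to Any still leaves it behind Rule2."""
    return [replace(r, protocol="*") if r.name == "Rule4" else r for r in rules]


def https_decision(rules):
    return evaluate(rules + DEFAULT_RULES, "Inbound", "Tcp", 443)


if __name__ == "__main__":
    print("original:", https_decision(BEFORE))                   # ('Deny', 'Rule2')
    print("option C:", https_decision(apply_answer_c(BEFORE)))   # ('Allow', 'Rule5')
    print("option A:", https_decision(apply_rule4_any(BEFORE)))  # ('Deny', 'Rule2')
```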

NO.221

Your company has a main office in London that contains 100 client computers. Three years ago, you migrated to Azure Active Directory (Azure AD). The company's security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.  A remote user named User1 is unable to join a personal device to Azure AD from a home network. You verify that other users can join their devices to Azure AD. You need to ensure that User1 can join the device to Azure AD. What should you do?

A. From the Device settings blade, modify the Users may join devices to Azure AD setting.

B. From the Device settings blade, modify the Maximum number of devices per user setting.

C. Create a point-to-site VPN from the home network of User1 to Azure.

D. Assign the User administrator role to User1.

Suggested Answer: B

The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed.
Incorrect Answers:
A: The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected and None. The default is All.
C: Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet.
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
http://techgenix.com/pros-and-cons-azure-ad-join/

NO.222

You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.

image-20230207114355903

You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.

For contoso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)

image-20230207114418049

You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the internet. You need to ensure that VM1 can resolve host names in adatum.com.
What should you do?

(A). Update the DNS suffix on VM1 to be adatum.com.

(B). Create an SRV record in the contoso.com zone.

(C). Configure the name servers for adatum.com at the domain registrar.

(D). Modify the Access control (IAM) settings for link1.

Answer: C

Adatum.com is a public DNS zone. The Internet top level domain DNS servers need to know which DNS servers to direct DNS queries for adatum.com to. You configure this by configuring the name servers for adatum.com at the domain registrar.

Reference: https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal


You have an Azure subscription. The subscription contains virtual machines that run Windows Server 2016 and are configured as shown in the following table.

img

You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com. You create a virtual network link for contoso.com as shown in the following exhibit.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

Correct Answer: All three VMs are in VNET2. Auto registration is enabled for the private Azure DNS zone named contoso.com, which is linked to VNET2. So VM1, VM2 and VM3 will auto-register their host records to contoso.com. None of the VMs will auto-register to the public Azure DNS zone named adatum.com. You cannot register private IPs on the internet (adatum.com).
Box 1: Yes. Auto registration is enabled for the private Azure DNS zone named contoso.com.
Box 2: Yes. Auto registration is enabled for the private Azure DNS zone named contoso.com.
Box 3: No. None of the VMs will auto-register to the public Azure DNS zone named adatum.com.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

NO.223

You have an Azure subscription that contains an Azure Storage account named storageaccount1. You export storageaccount1 as an Azure Resource Manager template. The template contains the following sections.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Reference: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json

Box 1: Yes. VirtualNetworkRules & IpRules are blank, with the default action Allow.
Box 2: Yes. Individual blobs can be set to the archive tier. Ref. https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview
Box 3: No. To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments: a data access role, such as Storage Blob Data Contributor, and the Azure Resource Manager Reader role. Ref. https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal

NO.224

You plan to deploy five virtual machines to a virtual network subnet. Each virtual machine will have a public IP address and a private IP address. Each virtual machine requires the same inbound and outbound security rules. What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: 5. A public and a private IP address can be assigned to a single network interface.

Box 2: 1. You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses

NO.225 **

You have an Azure subscription. You need to use an Azure Resource Manager (ARM) template to create a virtual machine that will have multiple data disks. How should you complete the template? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties#syntax

Add the copy element to the resources section of your template to set the number of items for a property. The copy element has the following general format:
The count property specifies the number of iterations you want for the property. https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties#property-iteration
Use the length function on the array to specify the count for iterations, and copyIndex to retrieve the current index in the array.
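As an added example (not the exam's answer key or Microsoft's own sample), this is the property-iteration form of the copy element applied to the dataDisks array of a Microsoft.Compute/virtualMachines resource, using length() for the count and copyIndex('dataDisks') for the current index; the parameter names, VM name and disk sizes are constructed.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": { "type": "string", "defaultValue": "vm1" },
    "dataDiskSizesGB": { "type": "array", "defaultValue": [ 128, 256, 512 ] }
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-03-01",
      "name": "[parameters('vmName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "storageProfile": {
          "osDisk": { "createOption": "FromImage" },
          "copy": [
            {
              "name": "dataDisks",
              "count": "[length(parameters('dataDiskSizesGB'))]",
              "input": {
                "lun": "[copyIndex('dataDisks')]",
                "name": "[format('{0}-datadisk{1}', parameters('vmName'), copyIndex('dataDisks'))]",
                "createOption": "Empty",
                "diskSizeGB": "[parameters('dataDiskSizesGB')[copyIndex('dataDisks')]]",
                "managedDisk": { "storageAccountType": "Premium_LRS" }
              }
            }
          ]
        }
      }
    }
  ]
}
```

The copy array sits inside the parent object whose property is being generated, and its name is the property it produces (dataDisks). The hardwareProfile, osProfile and networkProfile a deployable VM also needs are omitted so the fragment stays focused on the iteration.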

NO.226*

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager. Subscription1 contains a virtual machine named VM1. You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent. What should you do first?

A. Create an automation runbook

B. Deploy a function app

C. Deploy the IT Service Management Connector (ITSM)

D. Create a notification

Suggested Answer: C
The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service, such as the Microsoft System Center Service Manager. With ITSMC, you can create work items in the ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview

Correct Answer: C
IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service Management (ITSM) product or service. Azure services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and non-Azure resources. But the work items related to an issue typically reside in an ITSM product or service. ITSMC provides a bi-directional connection between Azure and ITSM tools to help you resolve issues faster. ITSMC supports connections with the following ITSM tools: ServiceNow, System Center Service Manager, Provance, Cherwell.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/itsmc-overview

NO.227*

You have an Azure Active Directory (Azure AD) tenant named contoso.com that is synced to an Active Directory domain. The tenant contains the users shown in the following table.

The users have the attribute shown in the following table.

image-20230207121727835

You need to ensure that you can enable Azure Multi-Factor Authentication (MFA) for all four users.
Solution: You add a mobile phone number for User2 and User4.
Does this meet the Goal?

(A). Yes

(B). No

Answer: B

User3 requires a user account in Azure AD.
Note: Your Azure AD password is considered an authentication method. It is the one method that cannot be disabled.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authenticationmethod


Your network contains an Active Directory domain named contoso.com that is synced to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The tenant contains only default domain names. The domain contains the users shown in the following table.

img

The users have value sets for their user account as shown in the following table.

img

You plan to enable Azure Multi-Factor Authentication (MFA) by using the following bulk update file named File1.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No.NOTE: Each correct selection is worth one point.

img

Answer is Yes, No, No

For the 2nd box, you can assign MFA either via email or phone number. It's not a must that a phone number will be included. This is what I do every day at work.
Box 3: No. The phone number for User3 is already available.
Reference: https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication

NO.228

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com. You add contoso.com as a custom domain name to Azure AD. You need to ensure that Azure can verify the domain name. Which type of DNS record should you create?

A. MX

B. NSEC

C. PTR

D. RRSIG

Suggested Answer: A
To verify your custom domain name (example):
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.
Note: There are several versions of this question in the exam. The question can have two correct answers:
1. MX
2. TXT
The question can also have other incorrect answer options, including the following:
1. SRV
2. NSEC3
Reference: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

NO.229

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

img

Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface named NIC1. You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US, also referred to as a region.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

Yes. Remember your goal! "You need to create a new network interface named NIC2 for VM1." You can pretty much ignore everything except for the location of VM1. The question only asked if you can create a new NIC for VM1 in westus, not if you can connect it to any subnets or vNets. "Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC. You can change the subnet a VM is connected to after it's created. You can't change the virtual network. Each NIC attached to a VM is assigned a MAC address that doesn't change until the VM is deleted." https://learn.microsoft.com/en-us/azure/virtual-network/network-overview#network-interfaces

NO.230 *

You have an Azure web app named webapp1. Users report that they often experience HTTP 500 errors when they connect to webapp1. You need to provide the developers of webapp1 with real-time access to the connection errors. The solution must provide all the connection error details. What should you do first?

A. From webapp1, enable Web server logging

B. From Azure Monitor, create a workbook

C. From Azure Monitor, create a Service Health alert

D. From webapp1, turn on Application Logging

Suggested Answer: A

To resolve this you need to catch the connection error. When the connection fails for a web app, it happens on the web server, not within the application. You can find the web server log by the following steps: open the web application --> go to Application Service logs --> go to Web server logging (there are multiple switches there). You can also see the errors live by going to the "Log stream" pane. To ensure that you will get the web server log, you have to enable it.

Reference: https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs

NO.231**

You need to ensure that you can grant Group4 Azure RBAC read only permissions to all the Azure file shares. What should you do?

(A). On storage1 and storage4, change the Account kind type to StorageV2 (general purpose v2).

(B). Recreate storage2 and set Hierarchical namespace to Enabled.

(C). On storage2, enable identity-based access for the file shares.

(D). Create a shared access signature (SAS) for storage1, storage2, and storage4.

Answer: A

A. On storage2, enable identity-based access for the file shares.

B. Recreate storage2 and set Hierarchical namespace to Enabled.

C. On storage1 and storage4, change the Account kind type to StorageV2 (general purpose v2).

D. Create a shared access signature (SAS) for storage1, storage2, and storage4.

Suggested Answer: A
Azure Files supports identity-based authentication over Server Message Block (SMB) through on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS).
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

I think it is A, because storage1 and storage2 have Azure Active Directory Domain Services enabled. I think that you have to enable identity-based access for the file shares in storage2 too. https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#enable-identity-based-authentication

NO.232

You have an Azure subscription that contains the resources shown in the following table.

img

The Not allowed resource types Azure policy is assigned to RG1 and uses the following parameters: Microsoft.Network/virtualNetworks, Microsoft.Compute/virtualMachines
In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1. What should you do first?

A. Remove Microsoft.Network/virtualNetworks from the policy.

B. Create an Azure Resource Manager template.

C. Remove Microsoft.Compute/virtualMachines from the policy.

D. Add a subnet to VNET1.

Suggested Answer: C
The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to block. Virtual Networks and Virtual Machines are prohibited.
Reference: https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types

NO.233**

You have an Azure subscription that contains the virtual networks shown in the following table.

img

The subscription contains the private DNS zones shown in the following table.

img

You add virtual network links to the private DNS zones as shown in the following table.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No.NOTE: Each correct selection is worth one point.Hot Area:

img

ref: https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

  1. Yes
  2. Yes. You can link VNET1 to Zone3.com. A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone associated with it.
  3. No. Auto registration is already enabled on Zone 1. When you add a link from VNET2 to Zone

After you create a private DNS zone in Azure, you'll need to link a virtual network to it. Once linked, VMs hosted in that virtual network can access the private DNS zone. Every private DNS zone has a collection of virtual network link child resources. Each one of these resources represents a connection to a virtual network. A virtual network can be linked to private DNS zone as a registration or as a resolution virtual network.

Registration virtual network

When creating a link between a private DNS zone and a virtual network, you have the option to enable autoregistration. With this setting enabled, the virtual network becomes a registration virtual network for the private DNS zone. A DNS record gets automatically created for any virtual machines you deploy in the virtual network. DNS records will also be created for virtual machines already deployed in the virtual network.

From the virtual network perspective, private DNS zone becomes the registration zone for that virtual network. A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone associated with it.

Resolution virtual network

If you choose to link your virtual network with the private DNS zone without autoregistration, the virtual network is treated as a resolution virtual network only. DNS records for virtual machines deployed in this virtual network won't be created automatically in the private zone. However, virtual machines deployed in the virtual network can successfully query for DNS records in the private zone. These records include manually created and auto-registered records from other virtual networks linked to the private DNS zone.

One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated to it.
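As an added model (not from the exam page or Microsoft's documentation), the Python below encodes the registration/resolution rules just described: linking with autoregistration registers existing and future VMs, a VNet may have only one registration zone but many resolution zones, and a resolution-only VNet can still resolve records auto-registered from other VNets. Zone, VNet and VM names are constructed, not the ones in the question's tables.

```python
class PrivateDnsZone:
    def __init__(self, name):
        self.name = name
        self.records = {}   # hostname -> IP, manual and auto-registered alike
        self.links = {}     # VNet name -> autoregistration flag


class VirtualNetwork:
    def __init__(self, name):
        self.name = name
        self.registration_zone = None   # at most one
        self.resolution_zones = []      # any number
        self.vms = {}                   # hostname -> private IP


def link(zone, vnet, autoregistration):
    """Create a virtual network link; with autoregistration the VNet becomes a registration VNet."""
    if vnet.name in zone.links:
        raise ValueError(f"{vnet.name} is already linked to {zone.name}")
    if autoregistration:
        if vnet.registration_zone is not None:
            raise ValueError(
                f"{vnet.name} already has registration zone {vnet.registration_zone.name}")
        vnet.registration_zone = zone
        # VMs deployed before the link existed are registered as well
        for host, ip in vnet.vms.items():
            zone.records[host] = ip
    else:
        vnet.resolution_zones.append(zone)
    zone.links[vnet.name] = autoregistration


def deploy_vm(vnet, host, ip):
    """New VMs get an A record only in the VNet's registration zone, if it has one."""
    vnet.vms[host] = ip
    if vnet.registration_zone is not None:
        vnet.registration_zone.records[host] = ip


def resolve(vnet, fqdn):
    """A VM in `vnet` can query every zone the VNet is linked to, registration or resolution."""
    host, _, zone_name = fqdn.partition(".")
    for zone in [vnet.registration_zone] + vnet.resolution_zones:
        if zone is not None and zone.name == zone_name:
            return zone.records.get(host)
    return None


def scenario():
    """Constructed walk-through returning the facts the assertions check."""
    zone1, zone2 = PrivateDnsZone("zone1.com"), PrivateDnsZone("zone2.com")
    vnet1, vnet2 = VirtualNetwork("VNET1"), VirtualNetwork("VNET2")
    deploy_vm(vnet1, "vm1", "10.1.0.4")            # deployed before any link
    link(zone1, vnet1, autoregistration=True)      # vm1 registered retroactively
    link(zone1, vnet2, autoregistration=False)     # VNET2 resolves zone1, registers nothing
    deploy_vm(vnet2, "vm2", "10.2.0.4")
    try:
        link(zone2, vnet1, autoregistration=True)  # a second registration zone is rejected
        second_registration_ok = True
    except ValueError:
        second_registration_ok = False
    link(zone2, vnet1, autoregistration=False)     # a second resolution link is fine
    return {
        "vm2_resolves_vm1": resolve(vnet2, "vm1.zone1.com"),
        "vm2_registered": "vm2" in zone1.records,
        "second_registration_ok": second_registration_ok,
        "vnet1_resolution_zones": [z.name for z in vnet1.resolution_zones],
    }


if __name__ == "__main__":
    print(scenario())
```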

NO.234**

You are building a custom Azure function app to connect to Azure Event Grid. You need to ensure that resources are allocated dynamically to the function app. Billing must be based on the executions of the app. What should you configure when you create the function app?

A. the Windows operating system and the App Service plan hosting plan

B. the Docker container and an App Service plan that uses the B1 pricing tier

C. the Windows operating system and the Consumption plan hosting plan

D. the Docker container and an App Service plan that uses the S1 pricing tier

Suggested Answer: C
References: https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale

Answer is C: The main word that gives it away is billing only based on function execution. It is the consumption(dynamic) plan of function apps that gives you that behavior.

Azure Functions runs in two different modes: Consumption plan and Azure App Service plan. The Consumption plan automatically allocates compute power when your code is running. Your app is scaled out when needed to handle load, and scaled down when code is not running.

Incorrect Answers:
B: When you run in an App Service plan, you must manage the scaling of your function app.
Reference: https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-first-azure-function

NO.235

You have an Azure subscription that contains the following storage account:

img

You need to create a request to Microsoft Support to perform a live migration of storage1 to Zone Redundant Storage (ZRS) replication. How should you modify storage1 before the live migration?

A. Set the replication to Locally-redundant storage (LRS)

B. Disable Advanced threat protection

C. Remove the lock

D. Set the access tier to Hot

To live-migrate from RA-GRS to ZRS, you must first switch storage1 to LRS; only then can you request a live migration.

img

NO.236*

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1. You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days. Which two groups should you create? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

A. a Microsoft 365 group that uses the Assigned membership type

B. a Security group that uses the Assigned membership type

C. a Microsoft 365 group that uses the Dynamic User membership type

D. a Security group that uses the Dynamic User membership type

E. a Security group that uses the Dynamic Device membership type

Suggested Answer: AC 🗳️
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD). Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner. When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted. You can set up a rule for dynamic membership on security groups or Office 365 groups.
Incorrect Answers: B, D, E: You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Reference: https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide

NO.237

You have a Microsoft SQL Server Always On availability group on Azure virtual machines. You need to configure an Azure internal load balancer as a listener for the availability group. What should you do?

A. Create an HTTP health probe on port 1433.

B. Set Session persistence to Client IP.

C. Set Session persistence to Client IP and protocol.

D. Enable Floating IP.

Suggested Answer: D 🗳️
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-alwayson-int-listener

"Enable floating IP" is a feature in Azure Internal Load Balancer (ILB) that allows for the IP address of the load balancer to move from one backend virtual machine to another in the event of a failure. When enabled, this feature provides high availability for the services hosted behind the ILB.

By default, the IP address of an ILB is assigned to a single backend virtual machine. With floating IP enabled, in the event of a failure, the IP address can be moved to another virtual machine in the backend pool, allowing for continuous availability of the service. This can also be used to perform maintenance on the primary virtual machine without affecting the availability of the service.

Here's how to enable floating IP on an ILB in Azure:

  1. Go to the Azure portal and navigate to your ILB.
  2. Go to the "Settings" section and select "Floating IP."
  3. Enable the "Floating IP" option.
  4. Save the changes.

With floating IP enabled, Azure will automatically move the IP address from the primary virtual machine to the secondary virtual machine in the event of a failure. This provides high availability for your services and ensures that the IP address remains accessible even if the primary virtual machine becomes unavailable.

NO.238

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1?

A. Get-Event Event | where {$_.EventType -eq "error"}

B. Get-Event Event | where {$_.EventType == "error"}

C. search in (Event) * | where EventType -eq "error"

D. search in (Event) "error"

E. select * from Event where EventType == "error"

F. Event | where EventType is "error"

Suggested Answer: D 🗳️
To search for a term in a specific table, add in (table-name) just after the search operator.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal

NO.239

You have an Azure subscription. You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)

img

You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines. What should you modify on VM1?

A. the processor

B. the memory

C. Integration Services

D. the hard drive

E. the network adapters

Suggested Answer: D 🗳️
From the exhibit we see that the disk is in the VHDX format. Before you upload a Windows virtual machine (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed-size disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file format to VHD and from a dynamically expanding disk to fixed-size.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image?toc=azurevirtual-machineswindowstoc.json

NO.240*

You have a public load balancer that balances ports 80 and 443 across three virtual machines. You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only. What should you configure?

(A). a load balancing rule
(B). a new public load balancer for VM3
(C). an inbound NAT rule
(D). a frontend IP configuration

Answer: C

To port forward traffic to a specific port on specific VMs, use an inbound network address translation (NAT) rule.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
An inbound NAT rule: Correct Choice
Create a load balancer inbound network address translation (NAT) rule to forward traffic from a specific port of the front-end IP address to a specific port of a back-end VM. Hence this option is correct.
A load balancing rule: Incorrect Choice
A load balancer rule defines how traffic is distributed to the VMs. The rule defines the front-end IP configuration for incoming traffic, the back-end IP pool to receive the traffic, and the required source and destination ports.
A new public load balancer for VM3: Incorrect Choice
This option will not help you, since it would route all traffic to VM3 only.
A frontend IP configuration: Incorrect Choice
When you define an Azure Load Balancer, a frontend and a backend pool configuration are connected with rules. The health probe referenced by the rule is used to determine how new flows are sent to a node in the backend pool. The frontend (aka VIP) is defined by a 3-tuple comprised of an IP address (public or internal), a transport protocol (UDP or TCP), and a port number from the load-balancing rule. The backend pool is a collection of Virtual Machine IP configurations (part of the NIC resource) which reference the Load Balancer backend pool.
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal
https://pixelrobots.co.uk/2017/08/azure-load-balancer-for-rds/

NO.241 **

You need to deploy two Azure web apps named WebApp1 and WebApp2. The web apps have the following requirements:

✑ WebApp1 must be able to use staging slots
✑ WebApp2 must be able to access the resources located on an Azure virtual network

What is the least costly plan that you can use to deploy each web app?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Correct Answer:

img

S1-production is a pricing tier of the Azure App Service plan that can be used to deploy web apps. It offers features such as dedicated virtual machine resources, auto-scaling, and staging slots. If S1-production meets the requirements of your web apps WebApp1 and WebApp2, then it can be used as a suitable pricing tier for their deployment.

Reference: https://azure.microsoft.com/en-au/pricing/details/app-service/windows/
https://azure.microsoft.com/en-gb/pricing/details/app-service/plans/

NO.242*

You plan to move services from your on-premises network to Azure. You identify several virtual machines that you believe can be hosted in Azure. The virtual machines are shown in the following table.

img

Which two virtual machines can you access by using Azure Migrate? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

A. Sea-CA01

B. Hou-NW01

C. NYC-FS01

D. Sea-DC01

E. BOS-DB01

Answer: C,E

Azure Migrate provides a centralized hub to assess and migrate on-premises servers, infrastructure, applications, and data to Azure. It provides the following:
Unified migration platform: A single portal to start, run, and track your migration to Azure.
Range of tools: A range of tools for assessment and migration.
Azure Migrate tools include Server Assessment and Azure Migrate: Server Migration. Azure Migrate also integrates with other Azure services and tools, and with independent software vendor (ISV) offerings.

Assessment and migration: In the Azure Migrate hub, you can assess and migrate:
Servers: Assess on-premises servers and migrate them to Azure virtual machines or Azure VMware Solution (AVS) (Preview).
Databases: Assess on-premises databases and migrate them to Azure SQL Database or to SQL Managed Instance.
Web applications: Assess on-premises web applications and migrate them to Azure App Service by using the Azure App Service Migration Assistant.
Virtual desktops: Assess your on-premises virtual desktop infrastructure (VDI) and migrate it to Windows Virtual Desktop in Azure.
Data: Migrate large amounts of data to Azure quickly and cost-effectively using Azure Data Box products.
Based on this information let's analyze each option:

NYC-FS01: Its role "Server" falls under the categories above. Hence it can be accessed by using Azure Migrate.
BOS-DB01: Its role "Server" falls under the categories above. Hence it can be accessed by using Azure Migrate.
Sea-CA01: Its role "CA" does not fall under the categories above. Hence it cannot be accessed by using Azure Migrate.
Hou-NW01: Its role "DNS" does not fall under the categories above. Hence it cannot be accessed by using Azure Migrate.
Sea-DC01: Its role "DC" does not fall under the categories above. Hence it cannot be accessed by using Azure Migrate.

Reference: https://docs.microsoft.com/en-us/azure/migrate/migrate-services-overview

NO.243

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A 🗳️
To enable traffic analytics, your account must have one of the following Azure roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

NO.244**

You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.

VNET1 contains a virtual network gateway named VNG1 that uses policy-based routing and has a single Site-to-Site VPN connection to an on-premises datacenter. You need to implement ExpressRoute. The solution must include a Site-to-Site VPN as a backup. Which four actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

img
img

1 - Delete VNG1.
2 - Deploy an ExpressRoute gateway.
3 - Create a route-based VPN gateway in a subnet of /27.
4 - Create a subnet of /28 named GatewaySubnet2.

NO.245*

You have an Azure subscription named Subscription1. In Subscription1, you create an alert rule named Alert1. The Alert1 action group is configured as shown in the following exhibit.

img

Alert1 alert criteria is triggered every minute. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: 60 - One alert per minute will trigger one email per minute.
Box 2: 12 - No more than 1 SMS every 5 minutes can be sent, which equals 12 per hour.
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device. Rate limiting ensures that alerts are manageable and actionable. The rate limit thresholds are:
✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.
✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting

NO.246 **

You are the global administrator for an Azure Active Directory (Azure AD) tenant named adatum.com. You need to enable two-step verification for Azure users. What should you do?

A. Create an Azure AD conditional access policy.

B. Configure a playbook in Azure Security Center.

C. Enable Azure AD Privileged Identity Management.

D. Install an MFA Server.

Suggested Answer: A 🗳️
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

Conditional Access policies enforce registration, requiring unregistered users to complete registration at first sign-in, an important security consideration.

NO.247

You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit.

img

You add 14 virtual machines to WEBPROD-AS-USE2. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: 2 - There are 10 update domains. The 14 VMs are shared across the 10 update domains, so four update domains will have two VMs and six update domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.

Box 2: 7 - There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one fault domain, so 7 VMs will be offline.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

NO.248 **

You have Azure Storage accounts as shown in the following exhibit.

img

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: storageaccount1 and storageaccount2 only

Box 2: All the storage accounts

Note: The three different storage account options are General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts.
✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
✑ Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per-gigabyte pricing.

Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options

NO.249*

You have an Azure subscription that contains two virtual machines named VM1 and VM2. You create an Azure load balancer. You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2. Which two additional load balancer resources should you create before you can create the load balancing rule? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. a frontend IP address

B. an inbound NAT rule

C. a virtual network

D. a backend pool

E. a health probe

Suggested Answer: DE 🗳️
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/components

D and E. You can't create a LB without FrontEnd IP, so if we have a LB we also have a FrontEnd IP already. You can however create a LB without a backend pool and without any rules. If you want to add a rule to your LB later you have to create a backend pool and health probe first. Those are mandatory properties for a rule. I also tested it in my lab to be sure.

NO.250

Your on-premises network contains an SMB share named Share1. You have an Azure subscription that contains the following resources:
✑ A web app named webapp1
✑ A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1. What should you deploy?

A. an Azure Application Gateway

B. an Azure Active Directory (Azure AD) Application Proxy

C. an Azure Virtual Network Gateway

Suggested Answer: C 🗳️
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires an on-premises VPN device that has an externally facing public IP address assigned to it.
Incorrect Answers: B: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

NO.251

You have an Azure web app named webapp1. You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1. You need to ensure that webapp1 can access the data hosted on VM1. What should you do?

A. Deploy an internal load balancer

B. Peer VNET1 to another virtual network

C. Connect webapp1 to VNET1

D. Deploy an Azure Application Gateway

Suggested Answer: C 🗳️

C is the correct answer. By connecting webapp1 to VNET1 (answer C), the web app will be able to access the data hosted on VM1 through the virtual network. The other options do not directly address the requirement to allow webapp1 access to the data hosted on VM1.
An internal load balancer and a peered virtual network may provide other benefits, but they would not by themselves ensure that webapp1 can access the data hosted on VM1.
An Azure Application Gateway is a reverse proxy that is often used for load balancing, SSL termination, and URL-based routing, but it would not directly allow webapp1 to access the data hosted on VM1.

NO.252 **

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

img

In storage1, you create a blob container named blob1 and a file share named share1. Which resources can be backed up to Vault1 and Vault2?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: VM1 only - VM1 is in the same region as Vault1. File1 is not in the same region as Vault1. SQL is not in the same region as Vault1. Blobs cannot be backed up to Recovery Services vaults. Note: To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines.

Box 2: Share1 only - Storage1 is in the same region (West US) as Vault2. Share1 is in Storage1. Note: After you select Backup, the Backup pane opens and prompts you to select a storage account from a list of discovered supported storage accounts.

They're either associated with this vault or present in the same region as the vault, but not yet associated to any Recovery Services vault.
Reference: https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
https://docs.microsoft.com/en-us/azure/backup/backup-afs

NO.253

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template. You need to ensure that NGINX is available on all the virtual machines after they are deployed. What should you use?

A. Deployment Center in Azure App Service

B. A Desired State Configuration (DSC) extension

C. the New-AzConfigurationAssignment cmdlet

D. a Microsoft Intune device configuration profile

Another version of this question offers the following options:

(A). Azure Active Directory (Azure AD) Application Proxy

(B). Azure Application Insights

(C). Azure Custom Script Extension

(D). the New-AzConfigurationAssignment cmdlet

Answer: C

The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration, software installation, or any other configuration / management task. Scripts can be downloaded from Azure storage or GitHub, or provided to the Azure portal at extension run time. The Custom Script extension integrates with Azure Resource Manager templates, and can also be run using the Azure CLI, PowerShell, Azure portal, or the Azure Virtual Machine REST API. You can use the Custom Script Extension with both Windows and Linux VMs.

Suggested Answer: B 🗳️
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines. In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs an Nginx web server:

    az vm extension set \
      --resource-group myResourceGroup \
      --vm-name myVM \
      --name customScript \
      --publisher Microsoft.Azure.Extensions \
      --settings '{"commandToExecute": "apt-get install -y nginx"}'

Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
Reference: https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration

NO.254 **

You have an Azure subscription that contains a storage account named account1. You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP address space of 131.107.1.0/24. You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24. You need to configure account1 to meet the following requirements:
✑ Ensure that you can upload the disk files to account1.
✑ Ensure that you can attach the disks to VM1.
✑ Prevent all other access to account1.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. From the Firewalls and virtual networks blade of account1, add VNet1.

B. From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account.

C. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range.

D. From the Firewalls and virtual networks blade of account1, select Selected networks.

E. From the Service endpoints blade of VNet1, add a service endpoint.

Answer is C & D

✑ Ensure that you can upload the disk files to account1. --> C
✑ Ensure that you can attach the disks to VM1. --> this is not affected by the firewall rules
✑ Prevent all other access to account1. --> D
Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not affected by network rules. REST access to page blobs is protected by network rules.
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

NO.255

You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table.

img

You need to provide internet users with access to the applications that run in Cluster1. Which IP address should you include in the DNS record for Cluster1?

A. 131.107.2.1

B. 10.0.10.11

C. 172.17.7.1

D. 192.168.10.2

Suggested Answer: A 🗳️

NO.256

You have an Azure subscription named Subscription1. Subscription1 contains the virtual machines in the following table:

img

Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.

img

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routes in the following table.

img

You apply RT1 to Subnet1 and Subnet2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img
img

NO.257

You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.

img

You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.

img

You need to identify the minimum number of alert rules and action groups required for the planned monitoring. How many alert rules and action groups should you identify?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.
Box 1: 4 - You need 1 alert rule per signal (1x Ingress, 1x Egress, 1x Delete storage account, 1x Restore blob ranges).
Box 2: 3 - You need 3 action groups (1x User1 and User3, 1x User1 only, 1x User1, User2 and User3). Check the "Users to notify" column.

NO.258

You plan to deploy three Azure virtual machines named VM1, VM2, and VM3. The virtual machines will host a web app named App1. You need to ensure that at least two virtual machines are available if a single Azure datacenter becomes unavailable. What should you deploy?

A. all three virtual machines in a single Availability Zone

B. all virtual machines in a single Availability Set

C. each virtual machine in a separate Availability Zone

D. each virtual machine in a separate Availability Set

Suggested Answer: C 🗳️
Use availability zones to protect from datacenter-level failures.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

NO.259

You have an Azure Active Directory (Azure AD) tenant named Tenant1 and an Azure subscription named You enable Azure AD Privileged Identity Management. You need to secure the members of the Lab Creator role. The solution must ensure that the lab creators request access when they create labs. What should you do first?

A. From Azure AD Privileged Identity Management, edit the role settings for Lab Creator.

B. From Subscription1 edit the members of the Lab Creator role.

C. From Azure AD Identity Protection, create a user risk policy.

D. From Azure AD Privileged Identity Management, discover the Azure resources of Subscription1.

Correct Answer: A

Explanation: As a Privileged Role Administrator you can:
✑ Enable approval for specific roles
✑ Specify approver users and/or groups to approve requests
✑ View request and approval history for all privileged roles
Reference: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

NO.260

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premises Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet. Does the solution meet the goal?

A. Yes

B. No

Suggested Answer: A 🗳️
Reference: https://blog.kloud.com.au/2016/03/08/azure-ad-connect-manual-sync-cycle-with-powershell-start-adsyncsynccycle/

Answer is B ( No )

Initial will perform a full sync and add the user account created, but it will take time.

Delta will kick off a delta sync and bring only the last change, so it will be "immediate" and will fulfill the requirements.

You create a new user account in the on-premises Active Directory. You now need to replicate the user information to Azure AD immediately.

Solution: You restart the NetLogon service on a domain controller. Does the solution meet the goal?

(A). Yes

(B). No

Answer: B