Azure Certi 104 0 1 ~ 100

NO.1

You need to prepare the environment to meet the authentication requirements. Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.

B. Allow inbound TCP port 8080 to the domain controllers in the Miami office.

C. Join the client computers in the Miami office to Azure AD.

D. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office.

E. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.


by srinu1234 at June 10, 2020, 10:26 a.m.

NO.28 *

You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group. Does this meet the goal?

(A). Yes

(B). No

Answer: B
The Logic App Operator role only lets you read, enable and disable a logic app. With it you can view the logic app and run history, and enable/disable it. You cannot edit or update the definition. You would need the Logic App Contributor role.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

NO.29

Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data. Does the solution meet the goal?

A. Yes

B. No

Answer: B

Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your existing server with activation credentials from the new provider.
Reference: https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-authentication-server/

NO.30 **

You have an Azure subscription that contains a storage account. You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of data. You need to transfer the data to the storage account by using the Azure Import/Export service. In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:

img


Suggested Answer:

img

At a high level, an import job involves the following steps:
Step 1: Attach an external disk to Server1 and then run waimportexport.exe.
Determine data to be imported, number of drives you need, destination blob location for your data in Azure storage. Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.

Step 2: From the Azure portal, create an import job.
Create an import job in your target storage account in Azure portal. Upload the drive journal files.

Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.
Provide the return address and carrier account number for shipping the drives back to you. Ship the disk drives to the shipping address provided during job creation.

Step 4: From the Azure portal, update the import job.
Update the delivery tracking number in the import job details and submit the import job. The drives are received and processed at the Azure data center. The drives are shipped using your carrier account to the return address provided in the import job.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

NO.31 *

You have an Azure App Service plan named AdatumASP1 that uses the P2v2 pricing tier. AdatumASP1 hosts an Azure web app named adatumwebapp1. You need to delegate the management of adatumwebapp1 to a group named Devs. Devs must be able to perform the following tasks:

  • Add deployment slots.
  • View the configuration of AdatumASP1.
  • Modify the role assignment for adatumwebapp1.

Which role should you assign to the Devs group?

(A). Owner
(B). Contributor
(C). Web Plan Contributor
(D). Website Contributor

Answer: A
Owner : Correct Choice
The Owner role lets you manage everything, including access to resources.

Contributor : Incorrect Choice
With the Contributor role you can add deployment slots and view the configuration of the App Service plan, but you can't modify the role assignment. For this you need the User Access Administrator or Owner role. So this is incorrect.

Web Plan Contributor : Incorrect Choice
The Web Plan Contributor role lets you manage the web plans for websites, but not access to them. So this option is incorrect.

Website Contributor : Incorrect Choice
The Website Contributor role lets you manage websites (not web plans), but not access to them. So this is an incorrect option.

Note: As per the least privilege principle, it is not advisable to provide the Owner role to any group; rather, you should create a custom RBAC role with a custom policy and use that role for this operation. However, as this option is not available here, the only option is to go with the Owner role.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

NO.32

You have the App Service plans shown in the following table.

img

You plan to create the Azure web apps shown in the following table.

img

You need to identify which App Service plans can be used for the web apps. What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

img

Suggested Answer:

img

Box 1: ASP1, ASP3 - ASP.NET Core apps can be hosted on both Windows and Linux. Not ASP2: The region in which your app runs is the region of the App Service plan it's in.

Box 2: ASP1 - ASP.NET apps can be hosted on Windows only.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?pivots=platform-linux
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage#

NO. 33

You have an Azure subscription that contains the resources in the following table.

img

You install the Web Server server role (IIS) on VM1 and VM2, and then add VM1 and VM2 to LB1. LB1 is configured as shown in the LB1 exhibit. (Click the Exhibit tab.)

img

Rule1 is configured as shown in the Rule1 exhibit. (Click the Exhibit tab.)

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

img


Suggested Answer: *

img

I think this is right (VM1, VM2 same availability set = Yes, Probe1.htm on VM1 and VM2, LB1 with balance between them = Yes, If rule 1 deleted, LB1 will balance all requests between VM1 and VM2 on all ports = No) based on:

  1. Basic SKU doesn't allow flexibility in Availability Sets https://docs.microsoft.com/en-us/azure/load-balancer/concepts-limitations#skus
  2. Rule1 health probe looks for /Probe1.htm - if it is present on both VMs, LB1 will balance between them
  3. https://docs.microsoft.com/en-gb/azure/load-balancer/load-balancer-custom-probe-overview - Basic SKU, Probe down behaviour = All probes down, all TCP flows expire.

NO.34

You have an Azure virtual machine named VM1 that runs Windows Server 2019. You save VM1 as a template named Template1 to the Azure Resource Manager library. You plan to deploy a virtual machine named VM2 from Template1. What can you configure during the deployment of VM2?

A. virtual machine size

B. operating system

C. administrator username

D. resource group

Answer: D

D. If you try to deploy your own template in the portal, there are 3 available options - "Subscription", "Resource Group", "Location". Resource group is the only one of the three options available in this list of answers.

NO.35 **

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant contains 500 user accounts. You deploy Microsoft Office 365. You configure Office 365 to use the user accounts in adatum.com. You configure 60 users to connect to mailboxes in Microsoft Exchange Online. You need to ensure that the 60 users use Azure Multi-Factor Authentication (MFA) to connect to the Exchange Online mailboxes. The solution must only affect connections to the Exchange Online mailboxes. What should you do?

A. From the multi-factor authentication page, configure the Multi-Factor Auth status for each user

B. From Azure Active Directory admin center, create a conditional access policy

C. From the multi-factor authentication page, modify the verification options

D. From the Azure Active Directory admin center, configure an authentication method

Answer: A
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

NO.36*

You have an Azure subscription named Subscription1. You create an Azure Storage account named contosostorage, and then you create a file share named data. Which UNC path should you include in a script that references files from the data file share? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

img

Box 1: contosostorage - The name of the account.
Box 2: file.core.windows.net
Box 3: data - The name of the file share is data.

Access an Azure file share via its UNC path
You don't need to mount the Azure file share to a particular drive letter to use it. You can directly access your Azure file share using the UNC path by entering the following into File Explorer. Be sure to replace storageaccountname with your storage account name and myfileshare with your file share name:
\\storageaccountname.file.core.windows.net\myfileshare
https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows#access-an-azure-file-share-via-its-unc-path

Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

NO.37

You have three offices and an Azure subscription that contains an Azure Active Directory (Azure AD) tenant. You need to grant user management permissions to a local administrator in each office. What should you use?

(A). Azure AD roles
(B). administrative units
(C). access packages in Azure AD entitlement management
(D). Azure roles

Answer: B
Reference: https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units

To grant user management permissions to a local administrator in each office, you should use Azure AD administrative units. Administrative units are a feature in Azure AD that allow you to delegate administrative permissions to specific groups of users or administrators. You can create an administrative unit for each office and then assign a local administrator to manage the users and groups within that unit. Azure AD roles, Azure roles, and access packages in Azure AD entitlement management are also used to grant permissions to users and groups, but they are not designed specifically for delegating administrative permissions to specific groups of users or administrators based on their location or organizational structure. Therefore, they are not the best option for granting user management permissions to local administrators in each office. So, the correct answer is B. administrative units.

NO.38

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer. The effective network security configurations for VM2 are shown in the following exhibit.

img

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly. You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150. Does this meet the goal?

A. Yes

B. No

Suggested Answer: B
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999. Does this meet the goal?

(A). Yes
(B). No

Answer: B

NO.39 *

You have an Azure subscription that contains a web app named webapp1. You need to add a custom domain named www.contoso.com to webapp1. What should you do first?

(A). Upload a certificate.
(B). Add a connection string.
(C). Stop webapp1.
(D). Create a DNS record.

Answer: D

NO.40

You have an Azure subscription that contains the virtual machines shown in the following table.

img

You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
A Backend Pool configured by IP address has the following limitations:
✑ Standard load balancer only
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

NO.41

You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, to debug client-server communications and much more.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

NO.42 **

You have an Azure subscription that contains the following resources:
✑ a virtual network named VNet1
✑ a replication policy named ReplPolicy1
✑ a Recovery Services vault named Vault1
✑ an Azure Storage account named Storage1
You have an Amazon Web Services (AWS) EC2 virtual machine named VM1 that runs Windows Server 2016. You need to migrate VM1 to VNet1 by using Azure Site Recovery. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

img


Correct Answer:

img

Step 1: Deploy an EC2 virtual machine as a configuration server
Use an EC2 instance that's running Windows Server 2012 R2 to create a configuration server and register it with your recovery vault.

Step 2: Install Azure Site Recovery Unified Setup
Download Microsoft Azure Site Recovery Unified Setup and install it on the VM.

Step 3: Enable replication for each VM that you want to migrate.
References: https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-aws-azure

NO.43 *

You have an Azure subscription that includes the following Azure file shares:

img

You have the following on-premises servers:

img

You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1. Group1 uses share1 as a cloud endpoint. You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server endpoint of Group1. For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

img

Correct Answer: NNY

Box 1: No. A sync group contains one cloud endpoint, or Azure file share, and at least one server endpoint.

Box 2: No. Azure File Sync does not support more than one server endpoint from the same server in the same Sync Group.

Box 3: Yes. Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and each endpoint is syncing to a unique sync group.
Reference:
https://docs.microsoft.com/en-us/answers/questions/110822/azure-file-sync-multiple-sync-directories-for-same.html
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

NO.44 *

You have an Azure virtual machine named VM1. You use Azure Backup to create a backup of VM1 named Backup1. After creating Backup1, you perform the following changes to VM1:
✑ Modify the size of VM1.
✑ Copy a file named Budget.xls to a folder named Data.
✑ Reset the password for the built-in administrator account.
✑ Add a data disk to VM1.
An administrator uses the Replace existing option to restore VM1 from Backup1. You need to ensure that all the changes to VM1 are restored. Which change should you perform again?

A. Modify the size of VM1.

B. Reset the password for the built-in administrator account.

C. Add a data disk.

D. Copy Budget.xls to Data.

Suggested Answer: D
Reference: https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore

The correct answer is D, i.e., copy the file again. a. You don't need to resize the VM after backup. The latest size will be applicable. b. The latest credentials will work. c. This one is a bit ambiguous. The additional data disk will not be deleted after the restoration. However, you will have to attach it again to the VM. D. The file will be lost and needs to be created again.

NO.45 *

You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table:

img

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource Manager template. You need to view the template used for the deployment. From which blade can you view the template that was used for the deployment?

A. VM1

B. RG1

C. storage2

D. container1

Suggested Answer: B
View template from deployment history

  1. Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link.
img
  2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.
img
  3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that you provided for parameters. To see the template that you used for the deployment, select View template.
img

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template

NO.46

Your company has 100 users located in an office in Paris. The on-premises network contains the servers shown in the following table.

img

You create a new subscription. You need to move all the servers to Azure.
Solution: You use the Data Migration Assistant tool. Does this meet the goal?

A. Yes

B. No

Correct Answer: B
The Data Migration Assistant tool is used to assess on-premises SQL Server instance(s) migrating to Azure SQL database(s).

NO.47

You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json. You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately.
Solution: From the Overview blade, you move the virtual machine to a different subscription. Does this meet the goal?

A. Yes

B. No

Suggested Answer: B
You would need to redeploy the VM.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

NO.48 *

You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant. Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16. Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24. You need to connect VNet1 to VNet2. What should you do first?

A. Move VM1 to Subscription2.

B. Modify the IP address space of VNet2.

C. Provision virtual network gateways.

D. Move VNet1 to Subscription2.

Suggested Answer: C
The virtual networks can be in the same or different regions, and from the same or different subscriptions. When connecting VNets from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant. Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating. The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local network gateway in order to route traffic.
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal

NO.49 *

Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy. Does the solution meet the goal?

A. Yes

B. No

Suggested Answer: B

Ans: No. You alter the grant control, not session control

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditionalaccess-policy-all-users-mfa: Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.

NO.50 *

You have an Azure subscription that contains several virtual machines and an Azure Log Analytics workspace named Workspace1. You create a log search query as shown in the following exhibit.

img

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

img


Suggested Answer:

img

Box 1: 14 days - Two weeks will be covered.
Note: Startofweek returns the start of the week containing the date, shifted by an offset, if provided. Start of the week is considered to be a Sunday. Endofweek returns the end of the week containing the date, shifted by an offset, if provided. Last day of the week is considered to be a Saturday.
Box 2: The render operator renders results as graphical output. Timechart is a line graph, where the first column is the x-axis, and should be datetime. Other columns are y-axes. In this case the y-axis has avg(CounterValue) values.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview
https://docs-analytics-eus.azurewebsites.net/queryLanguage/query_language_renderoperator.html

My understanding of this is:
Startofweek
Returns the start of the week containing the date, shifted by an offset, if provided. Start of the week is considered to be a Sunday. https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/startofweekfunction

EndofWeek
Returns the end of the week containing the date, shifted by an offset, if provided. Last day of the week is considered to be a Saturday. https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/startofweekfunction

Let's say you run the query on 24/9
24/9 - 9 days = sat 15/9 -> Start of that week is sun 9/9
24/9 - 2 days = sat 22/9 -> End of that week is sat 22/9
9/9 to 22/9 = 14 days

NO.51

Your company has a main office in Australia and several branch offices in Asia. The company's data center uses a VMware virtualization infrastructure to host several virtualized servers. You purchase an Azure subscription and plan to move all virtual machines to Azure to a resource group in the Australia Southeast location. You need to create an Azure Migrate migration project. Which geography should you select?

A. Central India
B. Australia Central
C. Australia Southeast
D. United States


Suggested Answer: C

In Project Details, specify the project name, and geography in which you want to create the project.

Create and manage projects - Azure Migrate | Microsoft Learn

NO.52 *

You plan to deploy 20 Azure virtual machines by using an Azure Resource Manager template. The virtual machines will run the latest version of Windows Server 2016 Datacenter by using an Azure Marketplace image. You need to complete the storageProfile section of the template. How should you complete the storageProfile section? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

img


Suggested Answer:

img

...
"storageProfile": {
    "imageReference": {
        "publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer",
        "sku": "2016-Datacenter",
        "version": "latest"
    },
...
References: https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate

SKU stands for Stock Keeping Unit, which is a unique identifier assigned to a product or service to distinguish it from other products or services. In Azure, the term SKU refers to a specific configuration of a resource or service that determines its pricing and capabilities. For example, the SKU of an Azure Virtual Machine determines its size, performance, and features, and therefore affects its price. Different SKUs may have different pricing tiers and limitations, allowing customers to choose the best SKU to suit their needs and budget.

offer (string): Specifies the offer of the platform image or marketplace image used to create the virtual machine.
publisher (string): The image publisher.
sharedGalleryImageId (string): Specified the shared gallery image unique id for vm deployment. This can be fetched from shared gallery image GET call.
sku (string): The image SKU.
version (string): Specifies the version of the platform image or marketplace image used to create the virtual machine. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available. Please do not use field 'version' for gallery image deployment, gallery image should always use 'id' field for deployment, to use 'latest' version of gallery image, just set '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/galleries/{galleryName}/images/{imageName}' in the 'id' field without version input.

NO.53 *

You have an Azure subscription that contains the public load balancers shown in the following table.

img

You plan to create six virtual machines and to load balance requests to the virtual machines. Each load balancer will load balance three virtual machines. You need to create the virtual machines for the planned solution. How should you create the virtual machines? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

img


Suggested Answer:

img

Box 1: be created in the same availability set or virtual machine scale set.
The Basic tier is quite restrictive. A load balancer is restricted to a single availability set, virtual machine scale set, or a single machine.
Box 2: be connected to the same virtual network
The Standard tier can span any virtual machine in a single virtual network, including blends of scale sets, availability sets, and machines.
Reference: https://www.petri.com/comparing-basic-standard-azure-load-balancers

NO.54

You have an Azure Storage account named storage1. You plan to use AzCopy to copy data to storage1. You need to identify the storage services in storage1 to which you can copy the data. Which storage services should you identify?

A. blob, file, table, and queue

B. blob and file only

C. file and table only

D. file only

E. blob, table, and queue only

Suggested Answer: B
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
Incorrect Answers:
A, C, E: AzCopy does not support table and queue storage services.
D: AzCopy supports file storage services, as well as blob storage services.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

NO.55

You deploy an Azure Kubernetes Service (AKS) cluster that has the network profile shown in the following exhibit.

img

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point. Hot Area:

img


Suggested Answer:

img

Box 1: 10.244.0.0/16 - The Pod CIDR.
Note: The --pod-cidr should be a large address space that isn't in use elsewhere in your network environment. This range includes any on-premises network ranges if you connect, or plan to connect, your Azure virtual networks using Express Route or a Site-to-Site VPN connection. This address range must be large enough to accommodate the number of nodes that you expect to scale up to. You can't change this address range once the cluster is deployed if you need more addresses for additional nodes.

Box 2: 10.0.0.0/16 - The --service-cidr is used to assign internal services in the AKS cluster an IP address.
Reference: https://docs.microsoft.com/en-us/azure/aks/configure-kubenet

NO.56 **

You have an Azure subscription that contains the hierarchy shown in the following exhibit.

img

You create an Azure Policy definition named Policy1. To which Azure resources can you assign Policy1 and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

img


Answer : ???

Opinion

In the scope field at the "Basics" tab I was able to select "Tenant Root Group" or "Management Group1" with the optional entries of Subscription and Resource group. So "you can assign policy to Tenant Root Group, ManagementGroup1, Subscription1 and RG1". As for the second answer about the exclusions, I was able to select all the items in the scope EXCEPT the Tenant Root Group. Therefore the correct answer would be "ManagementGroup1, Subscription1, RG11 and VM1".

Screenshot of selecting 'Assign policy' from Assignments page.

On the Assign Policy page, set the Scope by selecting the ellipsis and then selecting either a management group or subscription. Optionally, select a resource group. A scope determines what resources or grouping of resources the policy assignment gets enforced on. Then use the Select button at the bottom of the Scope page.

This example uses the Contoso subscription. Your subscription will differ.

  1. Resources can be excluded based on the Scope. Exclusions start at one level lower than the level of the Scope. Exclusions are optional, so leave it blank for now.

Ref: Quickstart: New policy assignment with portal - Azure Policy | Microsoft Learn

NO.57

You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)

img

NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.

img

You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege. How should you configure the rule? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Correct answer: Direction: Outbound; Source: 10.1.0.10 (VM1); Destination: 10.1.0.11 (VM2); Priority: 110

img

NO.58 *

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription. Solution: You assign the Reader role at the subscription level to Admin1. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq "Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor."

NO.59 *

You are configuring serverless computing in Azure. You need to receive an email message whenever a resource is created in or deleted from a resource group. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

Answer:

  1. create a blank logic app
  2. add event grid trigger, when a resource in a resource group is either created or deleted.
  3. add a condition to send email notification. https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app

NO.60

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

img

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User1 to create the user accounts. Does that meet the goal?

A. Yes

B. No

Answer: A
Only a global administrator can add users to this tenant. Reference: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

NO.61 *

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute. You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

(A). Create a local site VPN gateway.
(B). Create a VPN gateway that uses the VpnGw1 SKU.
(C). Create a VPN gateway that uses the Basic SKU.
(D). Create a gateway subnet.
(E). Create a connection.

Answer: A,B,E

Explanation:

1) For a site to site VPN, you need a local gateway, a gateway subnet, a VPN gateway, and a connection to connect the local gateway and the VPN gateway. That would be four answers in this question. However, the question states that VNet1 connects to your on-premises network by using Azure ExpressRoute. For an ExpressRoute connection, VNET1 must already be configured with a gateway subnet so we don't need another one.

2) Create a Connection: You need to link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the connection between your on-premises network and Azure through ExpressRoute will be established. Hence this is correct option.
Create a local site VPN gateway: This will allow you to provide the local gateway settings, for example public IP and the on-premises address space, so that the Azure VPN gateway can connect to it. Hence this is correct option.
Create a VPN gateway that uses the VpnGw1 SKU: The GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and High Performance VPN gateways. ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU. The VpnType must be RouteBased. Hence this is correct option.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resourcemanager-portal
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resourcemanager
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-arm

NO.62 *

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1. On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1. You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2. You need to ensure that you can connect Client1 to VNet2. What should you do?

A. Select Use the remote virtual network's gateway or Route Server on VNet1 to VNet2 peering.

B. Select Use the remote virtual network's gateway or Route Server on VNet2 to VNet1 peering.

C. Download and re-install the VPN client configuration package on Client1.

D. Enable BGP on VPNGW1.

Suggested Answer: C

After changes in topology, the VPN client needs to be re-installed. Answer is C.

NO.63 *

You have an Azure subscription that contains the resources shown in the following table.

img

VM1 and VM2 run a website that is configured as shown in the following table.

LB1 is configured to balance requests to VM1 and VM2. You configure a health probe as shown in the exhibit. (Click the Exhibit tab.)

You need to ensure that the health probe functions correctly. What should you do?

(A). On LB1, change the Unhealthy threshold to 65536.
(B). On LB1, change the port to 8080.
(C). On VM1 and VM2, create a file named Probe1.htm in the C:\intepub\wwwroot\Temp folder.
(D). On VM1 and VM2, create a file named Probe1.htm in the C:\intepub\wwwroot\SiteA\Temp folder.

Answer: D

Load balancing provides a higher level of availability and scale by spreading incoming requests across virtual machines (VMs). You can use the Azure portal to create a Standard load balancer and balance internal traffic among VMs. To load balance successfully between VM1 and VM2 you have to place the html file in the path mentioned in the Probe1 configuration. Reference: https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-internalportal

NO.64 *

Your company has 100 users located in an office in Paris. The on-premises network contains the servers shown in the following table.

img

You create a new subscription. You need to move all the servers to Azure. Solution: You use Azure Site Recovery. Does this meet the goal?

(A). Yes
(B). No

Answer: A

As an organization you need to adopt a business continuity and disaster recovery (BCDR) strategy that keeps your data safe, and your apps and workloads online, when planned and unplanned outages occur. Azure Recovery Services contributes to your BCDR strategy:

  • Site Recovery service: Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery replicates workloads running on physical and virtual machines (VMs) from a primary site to a secondary location. When an outage occurs at your primary site, you fail over to secondary location, and access apps from there. After the primary location is running again, you can fail back to it.
  • Backup service: The Azure Backup service keeps your data safe and recoverable.

Site Recovery can manage replication for:

  • Azure VMs replicating between Azure regions.
  • On-premises VMs, Azure Stack VMs, and physical servers.

Reference: https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-overview

You create a new subscription. You need to move all the servers to Azure. Solution: You run azcopy.exe. Does this meet the goal?

A. Yes

B. No

Correct Answer: B

You create a new subscription. You need to move all the servers to Azure. Solution: You use the Data Migration Assistant tool. Does this meet the goal?

A. Yes

B. No

Correct Answer: B
The Data Migration Assistant tool is used to assess on-premises SQL Server instance(s) migrating to Azure SQL database(s).

NO.65 *

You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2. VM1 hosts a frontend application that connects to VM2 to retrieve data. Users report that the frontend application is slower than usual. You need to view the average round-trip time (RTT) of the packets from VM1 to VM2. Which Azure Network Watcher feature should you use?

A. IP flow verify

B. Connection troubleshoot

C. Connection monitor

D. NSG flow logs

Suggested Answer: C

The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.

Incorrect Answers:
A: The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.
B: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather than monitoring it over time, as connection monitor does.
D: The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an NSG.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

NO.66 *

You are deploying a containerized web application in Azure. When deploying the web app, which of the following are valid container image sources?

(A). Virtual machine
(B). Docker hub
(C). ACR
(D). On-premises

Answer: B,C

When you create a web app from a Docker image, you configure the following properties:

  • The registry that contains the image. The registry can be Docker Hub, Azure Container Registry (ACR), or some other private registry.
  • The image: This item is the name of the repository.
  • The tag: This item indicates which version of the image to use from the repository. By convention, the most recent version is given the tag latest when it's built.
  • Startup File: This item is the name of an executable file or a command to be run when the image is loaded. It's equivalent to the command that you can supply to Docker when running an image from the command line by using docker run. If you're deploying a ready-to-run, containerized app that already has the ENTRYPOINT and/or COMMAND values configured, you don't need to fill this in.

Reference: https://docs.microsoft.com/en-us/learn/modules/deploy-run-container-app-service/4-deploy-webapp

NO.67

You have an Azure subscription. You deploy a virtual machine scale set that is configured as shown in the following exhibit.

img

Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Reference: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal

NO.68

You have an Azure subscription that contains the Azure virtual machines shown in the following table.

img

You configure the network interfaces of the virtual machines to use the settings shown in the following table.

img

From the settings of VNET1 you configure the DNS servers shown in the following exhibit.

img

The virtual machines can successfully connect to the DNS server that has an IP address of 192.168.10.15 and the DNS server that has an IP address of 193.77.134.10. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: Yes - You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.

Box 2: No - You can set DNS servers per VM or cloud service to override the default network settings.

Box 3: Yes - You can set DNS servers per VM or cloud service to override the default network settings. Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#name-resolution-dns

NO.69

You have an Azure web app named App1 that has two deployment slots named Production and Staging. Each slot has the unique settings shown in the following table.

img

You perform a slot swap. What are the configurations of the Production slot after the swap? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Answer :  ON / App1-prod.contoso.com

Answer is ON and app1-pro.contoso.com, as WebSockets follow the original slot where it's moved to.

Ref : https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots#what-happens-during-aswap

NO.70 *

You need to create a bar chart that shows the number of distinct computers that have sent heartbeats each week. How should you complete the Log Analytics query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:


You have several Azure virtual machines that run Windows Server 2019. You need to identify the distinct event IDs of each virtual machine as shown in the following table.

img

How should you complete the Azure Monitor query? To answer, drag the appropriate values to the correct locations. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:

img

Suggested Answer:
Summarise / makeset(EventID)

Both queries will return distinct event IDs for each virtual machine, but the way the event IDs are presented is different.
The first query, "Event | where TimeGenerated > ago(12h) | order by TimeGenerated desc | summarize makeset(EventID) by Computer", will return a set of distinct event IDs for each virtual machine, so it will eliminate the duplicate event IDs and will present the event IDs in an unordered format.
The second query, "Event | where TimeGenerated > ago(12h) | order by TimeGenerated desc | summarize makelist(EventID) by Computer", will return a list of all the event IDs for each virtual machine, including duplicates, and will present the event IDs in an ordered format. So, it depends on the use case: if you want to identify the distinct events and eliminate the duplicates, it is better to use the first query. If you want to see all the events including the duplicates, it's better to use the second query.

NO.71 *

You need to add VM1 and VM2 to the backend pool of LB1. What should you do first?

(A). Create a new NSG and associate the NSG to VNET1/Subnet1.
(B). Connect VM2 to VNET1/Subnet1.
(C). Redeploy VM1 and VM2 to the same availability zone.
(D). Redeploy VM1 and VM2 to the same availability set.

Answer: D

NO.72 *

You have an Azure subscription that contains the virtual networks shown in the following table.

img

You have the virtual machines shown in the following table.

img

You have the virtual network interfaces shown in the following table.

img

Server1 is a DNS server that contains the resources shown in the following table.

img

You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records shown in the following table.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img

Answer:

NO/YES/NO

vnet1 uses azure dns. vnet2 is linked to azure private zone contoso.com, but vnet2 uses 10.0.0.4 server1 dns.

server2 nic 2 is in vnet1, but nic specifies 10.0.0.4 dns. server3 nic 3 is in vnet2, and uses 10.0.0.4 dns inherited from vnet2. 10.0.0.4 server1 dns has no host2 record. 10.0.0.4 server1 dns says host1 is at the .15 address.

no, server2 can't resolve host2. yes, server2 resolves host1 to the .15 address. no, server3 can't resolve host2.

NO.73

You have the Azure virtual machines shown in the following table.

img

You have a Recovery Services vault that protects VM1 and VM2. You need to protect VM3 and VM4 by using Recovery Services. What should you do first?

A. Create a new backup policy.

B. Configure the extensions for VM3 and VM4.

C. Create a storage account.

D. Create a new Recovery Services vault.

Suggested Answer: D
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services.
References: https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication

NO.74

You have an Azure DNS zone named adatum.com. You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure. What should you do?

A. Create an A record named *.research in the adatum.com zone.

B. Create a PTR record named research in the adatum.com zone.

C. Modify the SOA record of adatum.com.

D. Create an NS record named research in the adatum.com zone.

Suggested Answer: D
You need to create a name server (NS) record for the zone.
References: https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain

NO.75 *

You have an Azure subscription. You plan to use Azure Resource Manager templates to deploy 50 Azure virtual machines that will be part of the same availability set. You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing. How should you configure the template? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Suggested Answer: Explanation: Use two fault domains. 2 or 3 is max value, depending on which region you are in. Use 20 for platformUpdateDomainCount. Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.
References:
https://www.itprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disks
https://github.com/Azure/acs-engine/issues/1030

There are limits on the number of update domains and fault domains that can be used within an availability set in Azure.

  • The maximum number of update domains is 20.
  • The maximum number of fault domains is 3.

These limits are imposed to ensure the availability and resiliency of the application. When creating an availability set, it is recommended to spread VMs across multiple update and fault domains to ensure maximum availability.

NO.76

You have an Azure virtual machine that runs Windows Server 2019 and has the following configurations:

  • Name: VM1
  • Location: West US
  • Connected to: VNET1
  • Private IP address: 10.1.0.4
  • Public IP addresses: 52.186.85.63
  • DNS suffix in Windows Server: Adatum.com

You create the Azure DNS zones shown in the following table.

img

You need to identify which DNS zones you can link to VNET1 and the DNS zones to which VM1 can automatically register. Which zones should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Reference: https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

Correct Answer: Box 1: Private. Box 2: Private. You can link VNETs only to private DNS zones, and accordingly auto-register a VNET only to private DNS zones. Private DNS zones can be linked with VNETs (not public ones). A VM can auto-register to any private DNS zone linked with the VNet and with the auto-registration option set. To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone.

NO.77 *

You have an Azure subscription that contains the following resources:

  • 100 Azure virtual machines
  • 20 Azure SQL databases
  • 50 Azure file shares

You need to create a daily backup of all the resources by using Azure Backup. What is the minimum number of backup policies that you must create?

(A). 1
(B). 2
(C). 3
(D). 150
(E). 170

Answer: C

There is a limit of 100 VMs that can be associated to the same backup policy from portal. We recommend that for more than 100 VMs, create multiple backup policies with same schedule or different schedule. One policy for VMs, one for SQL databases, and one for the file shares. Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-vm-backup-faq

NO.78

You have the Azure virtual networks shown in the following table.

img

To which virtual networks can you establish a peering connection from VNet1?

A. VNet2 and VNet3 only
B. VNet2 only
C. VNet3 and VNet4 only
D. VNet2, VNet3, and VNet4

Suggested Answer: C
References: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal

NO.79

You have an app named App1 that runs on an Azure web app named webapp1. The developers at your company upload an update of App1 to a Git repository named Git1. Webapp1 has the deployment slots shown in the following table.

img

You need to ensure that the App1 update is tested before the update is made available to users. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Swap the slots
B. Deploy the App1 update to webapp1-prod, and then test the update
C. Stop webapp1-prod
D. Deploy the App1 update to webapp1-test, and then test the update
E. Stop webapp1-test

Suggested Answer: AD

Answer is correct. 1. Deploy the App to “webapp1-test”, which is the staging environment, and test it there. 2. Once the test is successful, swap the slots, so the new changes will be available under production.

You can validate web app changes in a staging deployment slot before swapping it with the production slot. Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless, and no requests are dropped because of swap operations. You can automate this entire workflow by configuring auto swap when pre-swap validation isn't needed. After the swap you can deploy the App1 update to webapp1-test, and then test the update. If the changes swapped into the production slot aren't as per your expectation then you can perform the same swap immediately to get your "last known good site" back.
Reference: https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

NO.80

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1. Does this meet the goal?

(A). Yes
(B). No

Answer: A

Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor. Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

NO.81 **

You have an Azure Active Directory (Azure AD) tenant named contoso.com. Multi-factor authentication (MFA) is enabled for all users. You need to provide users with the ability to bypass MFA for 10 days on devices to which they have successfully signed in by using MFA. What should you do?

(A). From the multi-factor authentication page, configure the users' settings.
(B). From Azure AD, create a conditional access policy.
(C). From the multi-factor authentication page, configure the service settings.
(D). From the MFA blade in Azure AD, configure the MFA Server settings.

Answer: C

Enable remember Multi-Factor Authentication: Sign in to the Azure portal. On the left, select Azure Active Directory > Users. Select Multi-Factor Authentication. Under Multi-Factor Authentication, select service settings. On the Service Settings page, manage remember multi-factor authentication, select the Allow users to remember multi-factor authentication on devices they trust option. Set the number of days to allow trusted devices to bypass two-step verification. The default is 14 days. Select Save.
Reference: Configure Azure AD Multi-Factor Authentication - Microsoft Entra | Microsoft Learn

NO.82 *

You plan to use Azure Resource Manager templates to deploy 50 Azure virtual machines that will be part of the same availability set. You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing. How should you configure the template? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Reference:
https://www.itprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disks
https://github.com/Azure/acs-engine/issues/1030

NO.83 *

You have an Azure Active Directory (Azure AD) tenant that has the initial domain name. You have a domain name of contoso.com registered at a third-party registrar. You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com. Which three actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.

Select and Place:

img

Suggested Answer:

img
  1. Add the custom domain name to your directory
  2. Add a DNS entry for the domain name at the domain name registrar
  3. Verify the custom domain name in Azure AD

Reference: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

NO.84

You implement the planned changes for NSG1 and NSG2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

img

Answer :

I think the Answers should be: YYN
VM1 has inbound rules, so no restriction on outbound. VM2 has outbound rules, so no restrictions on inbound. Hence VM1 can establish RDP to VM2.
VM2 —ping—> VM3: Yes(no restriction other than outbound RDP)
VM2 —RDP—> VM3: No(outbound RDP is not allowed on VM2)
Please correct me if I am wrong. Tmrw I have my exam.

NO.85

You have an Azure subscription that contains the virtual machines shown in the following table.

img

You deploy a load balancer that has the following configurations:
  • Name: LB1
  • Type: Internal
  • SKU: Standard
  • Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
A Backend Pool configured by IP address has the following limitations:
  • Standard load balancer only
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

NO.86

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?

(A). Yes
(B). No

Answer: A

Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor. Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

NO.87

You have an Azure subscription named Subscription1. You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job. What can you use as the destination of the imported data?

(A). Azure Data Lake Store
(B). a virtual machine
(C). the Azure File Sync Storage Sync Service
(D). Azure Blob storage

Answer: D
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.

The maximum size of an Azure Files Resource of a file share is 5 TB.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

NO.88 *

Your company has offices in New York and Los Angeles. You have an Azure subscription that contains an Azure virtual network named VNet1. Each office has a site-to-site VPN connection to VNet1. Each network uses the address spaces shown in the following table:

img

You need to ensure that all Internet-bound traffic from VNet1 is routed through the New York office. What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:  

Box1 :  Set-AzureRmVirtualNetworkGatewayDefaultSite
Box2 : 0.0.0.0/0

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm

It says: Forced tunneling must be associated with a VNet that has a route-based VPN gateway. You need to set a "default site" among the cross-premises local sites connected to the virtual network. Also, the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.

NO.89 **

You have an Azure subscription that contains the resources shown in the following table.

img

LB1 is configured as shown in the following table.

img

You plan to create new inbound NAT rules that meet the following requirements:
✑ Provide Remote Desktop access to VM1 from the internet by using port 3389.
✑ Provide Remote Desktop access to VM2 from the internet by using port 3389.

What should you create on LB1 before you can create the new inbound NAT rules?

A. a frontend IP address
B. a load balancing rule
C. a health probe
D. a backend pool

Suggested Answer: A

Since you only need to provide Remote Desktop access to VM1 and VM2 from the internet using port 3389, you don't need a load balancing rule, backend pool, or health probe. You only need a frontend IP address.

NO.90

You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3. Peering for VNET1 is configured as shown in the following exhibit.

img

Peering for VNET2 is configured as shown in the following exhibit.

img

Peering for VNET3 is configured as shown in the following exhibit.

img

How can packets be routed between the virtual networks? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: VNET2 and VNET3

Box 2: VNET1
Gateway transit is disabled.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

NO.91 **

You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs Windows Server 2016 and is part of an availability set. VM1 has virtual machine-level backup enabled. VM1 is deleted. You need to restore VM1 from the backup. VM1 must be part of the availability set. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

img

Correct Answer:

img

Restoring a VM or all disks from VM backup involves two major steps:
Step 1: Select a restore point for restore.

  1. Sign in to the Azure portal.
  2. On the Azure menu, select Browse. In the list of services, type Recovery Services. The list of services adjusts to what you type. When you see Recovery Services vaults, select it.

Step 2: Select the restore type, create a new VM or restore disks, and specify the required parameters.

A restored VM doesn't have an availability value set. We recommend using the restore disks option to add an availability set when you create a VM from PowerShell or templates by using restored disks.

Step 3: After the restore disks operation is finished, use the template that was generated as part of the restore operation to create a new VM with a configuration different from the backup configuration.

You also can use it to customize names of resources that were created during the process of creating a new VM from a restore point.
When you create the special network configuration for VMs, you must use PowerShell to create VMs from the restored disks.
To fully re-create the VMs after restoring to disk, follow these steps:
Restore the disks from a Recovery Services vault by using PowerShell.
References: https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#use-templates-to-customize-restore-vm

NO.92 **

You have an Azure subscription that contains the identities shown in the following table.

img

User1, Principal1, and Group1 are assigned the Monitoring Reader role. An action group named AG1 has the Email Azure Resource Manager Role notification type and is configured to email the Monitoring Reader role. You create an alert rule named Alert1 that uses AG1. You need to identify who will receive an email notification when Alert1 is triggered. Who should you identify?

A. User1 and Principal1 only

B. User1, User2, Principal1, and Principal2

C. User1 only

D. User1 and User2 only

Suggested Answer: C

Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

In this scenario, User2 is a member of Group1, which is assigned the Monitoring Reader role. As a result, User2 will inherit the Monitoring Reader role from the group and will be able to receive email notifications when the alert rule named Alert1 is triggered.

NO.93 **

You have the Azure resources shown on the following exhibit.

You plan to track resource usage and prevent the deletion of resources. To which resources can you apply locks and tags? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lockresources?tabs=json
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tagresources?tabs=json

NO.94

You have an Azure subscription that contains the resource groups shown in the following table.

img

RG1 contains the resources shown in the following table.

img

VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1. RG2 contains a public IP address named IP2 that is in the East US location. IP2 is not assigned to a virtual machine. For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: Yes
You can move storage

Box 2: No
You can't move to a new resource group a NIC that is attached to a virtual machine.

Box 3: No
Azure Public IPs are region specific and can't be moved from one region to another.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
https://docs.microsoft.com/en-us/azure/virtual-network/move-across-regions-publicip-powershell

NO.95

You create an App Service plan named Plan1 and an Azure web app named webapp1. You discover that the option to create a staging slot is unavailable. You need to create a staging slot for Plan1. What should you do first?

A. From Plan1, scale up the App Service plan

B. From webapp1, modify the Application settings

C. From webapp1, add a custom domain

D. From Plan1, scale out the App Service plan

Suggested Answer: A

Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging slots, autoscaling, and more. You scale up by changing the pricing tier of the App Service plan that your app belongs to.

Reference: https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up

The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots. If the app isn't already in the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged publishing. At this point, you have the option to select Upgrade and go to the Scale tab of your app before continuing.
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging slots, autoscaling, and more.
Incorrect:
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances

Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up

NO.96

You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json. You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately.
Solution: From the Overview blade, you move the virtual machine to a different subscription. Does this meet the goal?

A. Yes

B. No

Suggested Answer: B
You would need to redeploy the VM.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node


Solution: From the Redeploy blade, you click Redeploy. Does this meet the goal?

(A). Yes
(B). No

Answer: A

When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your configuration options and associated resources.

NO.97

You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each department uses resources in several resource groups. You need to send a report to the finance department. The report must detail the costs for each department. Which three actions should you perform in sequence?  To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

img

Suggested Answer:

img

Box 1: Assign a tag to each resource.
You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Each resource or resource group can have a maximum of 15 tag name/value pairs. Tags applied to the resource group are not inherited by the resources in that resource group.

Box 2: From the Cost analysis blade, filter the view by tag
After you get your services running, regularly check how much they're costing you. You can see the current spend and burn rate in Azure portal.

  1. Visit the Subscriptions blade in Azure portal and select a subscription. You should see the cost breakdown and burn rate in the popup blade.
  2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24 hours after you add a service for the data to populate.
  3. You can filter by different properties like tags, resource group, and timespan. Click Apply to confirm the filters and Download if you want to export the view to a Comma-Separated Values (.csv) file.

Box 3: Download the usage report

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
https://docs.microsoft.com/en-us/azure/billing/billing-getting-started

NO.98

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate. From Azure, you download and install the VPN client configuration package on a computer named Computer2. You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You export the client certificate from Computer1 and install the certificate on Computer2. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site


You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You join Computer2 to Azure Active Directory (Azure AD). Does this meet the goal?
(A). Yes
(B). No

Answer: B
A client computer that connects to a VNet using Point-to-Site must have a client certificate installed.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

NO.99

Your company has 100 users located in an office in Paris. The on-premises network contains the servers shown in the following table.

img

You create a new subscription. You need to move all the servers to Azure.
Solution: You use Azure Site Recovery. Does this meet the goal?

A. Yes

B. No

Correct Answer: A

NO.100

You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines. You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text. What should you create to store the password?

A. an Azure Key Vault and an access policy

B. an Azure Storage account and an access policy

C. a Recovery Services vault and a backup policy

D. Azure Active Directory (AD) Identity Protection and an Azure policy

Suggested Answer: A
You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore, the password is never put in plain text in the template parameter file.
Reference: https://azure.microsoft.com/en-us/resources/templates/101-vm-secure-password/
