Azure Certi 104-1 : 100 ~ 160

NO.101

You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines. You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text. What should you create to store the password?

(A). Azure Active Directory (AD) Identity Protection and an Azure policy
(B). a Recovery Services vault and a backup policy
(C). an Azure Key Vault and an access policy
(D). an Azure Storage account and an access policy

Answer: C
You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore the password is never put in plain text in the template parameter file.  

NO.102

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
A virtual network that has a subnet named Subnet1
Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
Priority: 100
Source: Any Source
port range: *
Destination: *
Destination port range: 3389
Protocol: UDP
Action: Allow
VM1 connects to Subnet1. NSG1-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1. You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1. Does this meet the goal?

(A). Yes
(B). No

Answer: B
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdpconnection

NO.103

You have an Azure subscription. You need to implement a custom policy that meet the following requirements:
*Ensures that each new resource group in the subscription has a tag named organization set to a value of Contoso.
*Ensures that resource group can be created from the Azure portal.
*Ensures that compliance reports in the Azure portal are accurate.
How should you complete the policy? To answer, select the appropriate options in the answers area.

Answer :
Box 1: "Microsoft.Resources/subscriptions/resourceGroups"

Box 2: Append -
Should be Append imho Effect Azure Policy supports the following types of effect: Append: adds the defined set of fields to the request
Audit: generates a warning event in activity log but doesn't fail the request
AuditIfNotExists: generates a warning event in activity log if a related resource doesn't exist
Deny: generates an event in the activity log and fails the request
DeployIfNotExists: deploys a related resource if it doesn't already exist
Disabled: doesn't evaluate resources for compliance to the policy rule
EnforceOPAConstraint (preview): configures the Open Policy Agent admissions controller with Gatekeeper v3 for self-managed Kubernetes clusters on Azure (preview)
EnforceRegoPolicy (preview): configures the Open Policy Agent admissions controller with Gatekeeper v2 in Azure Kubernetes Service
Modify: adds, updates, or removes the defined tags from a resource

Exam AZ-103 topic 1 question 27 discussion - ExamTopics

Microsoft Discussion, Exam AZ-103 topic 1 question 27 discussion.

ExamTopics Logo

NO.104

You have an Azure subscription that contains the resources in the following table.

To which subnets can you apply NSG1?

A. the subnets on VNet1 only
B. the subnets on VNet2 and VNet3 only
C. the subnets on VNet2 only
D. the subnets on VNet3 only Most Voted
E. the subnets on VNet1, VNet2, and VNet3

Suggested Answer: D 🗳️
All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
Reference:https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm

NO.105

You have an Azure subscription. You deploy a virtual machine scale set that is configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic NOTE: Each correct selection is worth one point.Hot Area:

NO.106

You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com. You have a Microsoft account that you use to sign in to both tenants.You need to configure the default sign-in tenant for the Azure portal.What should you do?

A. From Azure Cloud Shell, run Set-AzureRmSubscription.

B. From Azure Cloud Shell, run Set-AzureRmContext.

C. From the Azure portal, configure the portal settings.

D. From the Azure portal, change the directory.

Hide Answer

Suggested Answer: D 🗳️

To configure the default sign-in tenant for the Azure portal:

1. Log in to the Azure portal with an account that has the necessary permissions.
2. Click on the profile icon in the top-right corner of the screen.
3. Click on "Switch directory."
4. Select the desired tenant from the list of available tenants.
5. The selected tenant will be set as the default sign-in tenant for the Azure portal.

Note: The ability to switch between tenants depends on the permissions of the account you're logged in with. If you don't have the necessary permissions, you may not be able to switch tenants in the Azure portal.

The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current session. The context includes tenant, subscription, and environment information.
References:https://docs.microsoft.com/en-us/powershell/module/azurerm.profile/set-azurermcontext
Yes, you can set the default sign-in tenant for the Azure portal from Azure Cloud Shell using the Set-AzureRmContext cmdlet.

Here is an example of how you can set the default sign-in tenant:

sqlCopy codeConnect-AzureRmAccount
Get-AzureRmTenant | Select-Object -ExpandProperty TenantId
Set-AzureRmContext -TenantId <TenantId>

Replace <TenantId> with the desired tenant ID that you obtained from the Get-AzureRmTenant cmdlet. This will set the selected tenant as the default sign-in tenant for the Azure portal.

NO.107

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates. You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment.Does this meet the goal?

A. Yes

B. No

Hide Answer

Suggested Answer: B 🗳️
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

NO.108

Your company registers a domain name of contoso.com. You create an Azure DNS zone named contoso.com, and then you add an A record to the zone for a host named www that has an IP address of 131.107.1.10. You discover that Internet hosts are unable to resolve www.contoso.com to the 131.107.1.10 IP address. You need to resolve the name resolution issue.
Solution: You create a PTR record for www in the contoso.com zone.Does this meet the goal?

A. Yes

B. No

Hide Answer

Suggested Answer: B 🗳️
Modify the Name Server (NS) record.
References:https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

A DNS pointer record (PTR for short) provides the domain name associated with an IP address. A DNS PTR record is exactly the opposite of the 'A' record, which provides the IP address associated with a domain name.

DNS PTR records are used in reverse DNS lookups. When a user attempts to reach a domain name in their browser, a DNS lookup occurs, matching the domain name to the IP address. A reverse DNS lookup is the opposite of this process: it is a query that starts with the IP address and looks up the domain name.

I think, the correct answer should be B. To delegate domain DNS management to Azure DNS management, NS record should be registered at domain registrar's DNS management, not at Azure DNS management.

What is NS of DNS?

NS stands for "Name Server" in the context of DNS (Domain Name System).
Name servers are specialized servers that store and manage DNS records for a domain name. When a client device needs to resolve a domain name to an IP address, it sends a DNS query to a DNS resolver, which in turn sends a query to one or more name servers to retrieve the DNS records for the requested domain.

The NS record is a type of DNS record that specifies the authoritative name servers for a domain name. It lists the domain names of the name servers that are authoritative for the domain and is used to delegate authority for a subdomain to a different set of name servers.

For example, if you have a domain name "example.com" and you want to delegate authority for a subdomain "subdomain.example.com" to a different set of name servers, you would create NS records for "subdomain.example.com" that list the domain names of the name servers that are authoritative for the subdomain. When a DNS query is made for a resource record in the subdomain, the DNS resolver will use the NS records to determine the name servers that are authoritative for the subdomain and send a query to them.

Answer from ChatGPT.

NO.109

You have an Azure subscription named Subscription1. You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job. What can you use as the destination of the imported data?

A. Azure Data Lake Store

B. a virtual machine

C. the Azure File Sync Storage Sync Service

D. Azure Blob storage

Suggested Answer: D 🗳️
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. The maximum size of an Azure Files Resource of a file share is 5 TB.
Reference:https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

NO.110

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1?

A. Get-Event Event | where {$_.EventType ""eq "error"}

B. Get-Event Event | where {$_.EventType == "error"}

C. search in (Event) * | where EventType ""eq "error"

D. search in (Event) "error"

E. select *from Event where EventType == "error"

F. Event | where EventType is "error"

Suggested Answer: D 🗳️
To search a term in a specific table, add in (table-name) just after the search operator

(A). Event | where EventType is "error"(B). Event | search "error"(C). select * from Event where EventType == "error"(D). Get-Event Event | where {$_.EventType -eq "error"}Answer: B

To search a term in a specific table, add in (table-name) just after the search operator
Reference:https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-queries

NO.111

You have an Azure subscription that contains a resource group named RG26. RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table.

SQLDB01 is backed up to RGV1. When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.You need to delete RG26. What should you do first?

A. Delete VM1

B. Stop VM1

C. Stop the backup of SQLDB01

D. Delete sa001

Suggested Answer: C 🗳️

You can't delete a vault that contains backup data. So in this case at first you have to delete thebackup of 'SQLD01' before you attempt to delete the vault.
Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

NO.112

You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.

Adatum.com has the following configurations:
✑ Users may join devices to Azure AD is set to User1.
✑ Additional local administrators on Azure AD joined devices is set to None.
You deploy Windows 10 to a computer named Computer1. User1 joins Computer1 to adatum.com. You need to identify the local Administrator group membership on Computer1. Which users are members of the local Administrators group?

A. User1 only

B. User2 only

C. User1 and User2 only

D. User1, User2, and User3 only

E. User1, User2, User3, and User4

Suggested Answer: C 🗳️
Users may join devices to Azure AD
- This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All.

Additional local administrators on Azure AD joined devices
- You can select the users that are granted local administrator rights on a device.

Users added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and device owners are granted local administrator rights by default.
Reference:https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

NO.113

You have an Azure Active Directory (Azure AD) tenant. You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal. Which three settings should you configure? To answer, select the appropriate settings to the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

References:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa

The recommended way to enable and use Azure AD Multi-Factor Authentication is with Conditional Access policies. Conditional Access lets you create and define policies that react to sign-in events and that request additional actions before a user is granted access to an application or service.

NO.114

You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1. You need to connect VM1 to VNET2.
Solution: You turn off VM1, and then you add a new network interface to VM1. Does this meet the goal?

A. Yes

B. No

Answer: B
--------------------
VM1 connects to VNET1. You need to connect VM1 to VNET2.
Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1.
Does this meet the goal?

A. Yes

B. No

Hide Answer
Suggested Answer: A 🗳️
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

NO.115

You have an Azure subscription named Sub1. You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.

You need to recommend a networking solution to meet the following requirements:
✑ Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
✑ Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.Hot Area:

Suggested Answer:

Box 1: an internal load balancerAzure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.
Box 2: an application gateway that uses the WAF tierAzure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.Reference:https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

NO.116

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

The status of VM1 is Running. You assign an Azure policy as shown in the exhibit. (Click the Exhibit tab.)

You assign the policy by using the following parameters:

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.Hot Area:

Hide Answer

정답 Y N N

answers are Y N N
we can move resources when the policy is applied
you can infact deallocate the VM or restart it but the VM won't be deallocated when the policy is applied , wording of the question isn't good
when try to change the address space you will get error due to the policy tried it in the lab

Reference:https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal

NO.117

You create an Azure web app named WebApp1. WebApp1 has the autoscale settings shown in the following exhibit.

The scale out and scale in rules are configured to have a duration of 10 minutes and a cool down time of five minutes. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. Each correct selection is worth one point.

Answer:

Box 1: one instance -August 8, 2018 is outside the schedule of the scale condition 1, and Default instance count is 1.

Box 2: two instances -The Default instance count of scale condition 1 is 4, and the Scale in rule decreases the count with 1.
References:https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/insights-autoscale-best-practices

NO.118

You have an Azure web app named App1. You need to monitor the availability of App1 by using a multi-step web test. What should you use in Azure Monitor?

A. Azure Service Health

B. Azure Application Insights

C. the Diagnostic settings

D. metrics

Hide Answer

Suggested Answer: B 🗳️
Upload the web test
1. In the Application Insights portal on the Availability pane select Add Classic test, then select Multi-step as the SKU.
2. Upload your multi-step web test.
3. Set the test locations, frequency, and alert parameters.
4. Select Create.
Reference:https://docs.microsoft.com/en-us/azure/azure-monitor/app/availability-multistep
Multistep web tests have been deprecated. We recommend using TrackAvailability() to submit custom availability tests instead of multistep web tests. With TrackAvailability() and custom availability tests, you can run tests on any compute you want and use C# to easily author new tests.

NO.119

You have the web apps shown in the following table.

You need to monitor the performance and usage of the apps by using Azure Application Insights. The solution must minimize modifications to the application code. What should you do on each app?  To answer, select the appropriate options in the answer area.

Suggested Answer:

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps

NO.120

You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A 🗳️
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, to debug client-server communications and much more.
Reference:https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

NO.121

You have an Azure subscription named Subscription1 that contains the quotas shown in the following table.

You deploy virtual machines to Subscription1 as shown in the following table.

You plan to deploy the virtual machines shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.NOTE: Each correct selection is worth one point.Hot Area:

Suggested Answer:

The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16 vCPUs counts towards the total. VM20 and VM1 are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.
Reference:https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas

NO.122

You have a resource group named RG1. RG1 contains an Azure Storage account named storageaccount1 and a virtual machine named VM1 that runs WindowsServer 2016. Storageaccount1 contains the disk files for VM1. You apply a ReadOnly lock to RG1. What can you do from the Azure portal?

A. Generate an automation script for RG1.
B. View the keys of storageaccount1.
C. Start VM1.
D. Upload a blob to storageaccount1.

Suggested Answer: A, B , D🗳️ ???
A read-only lock on a storage account prevents users from listing the account keys. The Azure Storage List Keys operation is handled through a POST request to protect access to the account keys, which provide complete access to data in the storage account. When a read-only lock is configured for a storage account, users who don't have the account keys must use Azure AD credentials to access blob or queue data.  A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue). So B, C, D are incorrect. We are left with A, seems to be correct.

If you apply a ReadOnly lock to RG1, you will not be able to perform any actions that may modify or delete resources within the resource group. Therefore, you cannot start VM1 or upload a blob to storageaccount1, as these actions would modify resources within RG1.
However, you can perform the following actions from the Azure portal with a ReadOnly lock applied to RG1:

A. Generate an automation script for RG1: You can still view the configuration of resources in RG1 and generate an automation script that describes the resources and their settings. This can be useful for auditing or replicating the resources in another environment.

B. View the keys of storageaccount1: You can view the access keys of storageaccount1, which allow you to access the storage account and its contents. This is because ReadOnly locks only prevent modification or deletion of resources, but do not prevent read-only access.
Therefore, the correct answers are A and B.
from ChatGPT

----------------------
(A). Generate an automation script for RG1.(B). View the keys of storageaccount1.(C). Upload a blob to storageaccount1.(D). Start VM1.

Answer: C
Applying locks can lead to unexpected results because some operations that don't seem to modifythe resource actually require actions that are blocked by the lock. Locks are inherited to all of itsresources if it applies on resource group level.
Upload a blob to storageaccount1 is possible if we have readonly lock on RG1 since we are trying to modify the data not resource properties. When a R/O lock is put on a resource, you lock it's properties not the resource. So while a read onlylock is present on a storage account(inherited from a resource group), a file can still be uploaded tothe already existing container of a storage account.

Incorrect Answers:

Generate an automation script for RG1 is NOT possible in read only mode.
A read-only lock on a storage account prevents all users from listing the keys. The list keys operationis handled through a POST request because the returned keys are available for write operations. When we tried to read the Access Key of the Storage Account , get the below message. Access blocked The resource is locked Cannot access the data plane because of a read lock on theresource or its parent.
A read-only lock on a resource group that contains a virtual machine prevents all users from startingor restarting the virtual machine. These operations require a POST request.
Reference:https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resourcesNO.123

NO,123

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure LoadBalancer. The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly. You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150. Does this meet the goal?

A. Yes

B. No

Hide Answer

Suggested Answer: A 🗳️

The rule with priority 200 blocks all inbound trafic. That involves the Azure Load Balancer health probe directed to the VM. That results in VM2 being considered unhealthy and the LB does not route traffic to it (hence the issue). By placing a rule with the priority 150 that allows the AzureLoadBalancer traffic tag, VM2 is discovered as functional/healthy, the LB directs traffic to it => problem solved.

Reference:https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

NO.124

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The User administrator role is assigned to a user named Admin1. An external partner has a Microsoft account that uses the [email protected] sign in. Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: Unable to invite user [email protected]" Generic authorization exception.`You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant. What should you do?

A. From the Users settings blade, modify the External collaboration settings.

B. From the Custom domain names blade, add a custom domain.

C. From the Organizational relationships blade, add an identity provider.

D. From the Roles and administrators blade, assign the Security administrator role to Admin1.

Suggested Answer: A 🗳️Reference:https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-exception-inviting-Azure-AD-gests/td-p/274742

correct answer checked in portal . Go to Azure AD--users--user settings --scroll down.--External users Manage external collaboration settings

NO.125

You manage a virtual network named VNet1 that is hosted in the West US region. Two virtual machines named VM1 and VM2, both running Windows Server, are on VNet1. You need to monitor traffic between VM1 and VM2 for a period of five hours. As a solution, you propose to create a connection monitor in Azure Network Watcher. Does thissolution meet the goal?
(A). Yes
(B). No
Answer: A
The connection monitor capability in Azure Network Watcher monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM andthe endpoint.

_____________

You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture. Does this meet the goal?

• A. Yes
• B. No

Hide Answer

Suggested Answer: B 🗳️
Use the Connection Monitor feature of Azure Network Watcher.
References:https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/

NO.126

You need to identify which storage account to use for the flow logging of IP traffic from VM5. The solution must meet the retention requirements. Which storage account should you identify?

A. storage1

B. storage2

C. storage3

D. storage4

Suggested Answer: B 🗳️

For at least two reasons, storage2 is the only candidate:
- Location: The storage account used must be in the same region as the NSG.
- Retention is available only if you use General Purpose v2 Storage accounts (GPv2).
Reference: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

NO.127

You have an Azure virtual machine named VM1 that you use for testing. VM1 is protected by Azure Backup. You delete VM1. You need to remove the backup data stored for VM1. What should you do first?

• A. Delete the Recovery Services vault.
• B. Delete the storage account.
• C. Stop the backup
• D. Modify the backup policy.

Suggested Answer: C

In the 'stop backup' option, you need to change the option to "delete backup data", so the correct answer is C.

You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If youtry to delete a vault, but can't, the vault is still configured to receive backup data.
Reference:https://azure.microsoft.com/en-in/updates/azure-vm-backup-policy-management/

NO.128

You have an Azure subscription that contains 100 virtual machines. You regularly create and delete virtual machines. You need to identify unattached disks that can be deleted. What should you do?

A. From Azure Cost Management, view Cost Analysis

B. From Azure Advisor, modify the Advisor configuration

C. From Microsoft Azure Storage Explorer, view the Account Management properties

D. From Azure Cost Management, view Advisor Recommendations

(A). From Microsoft Azure Storage Explorer, view the Account Management properties.
(B). From Azure Cost Management, create a Cost Management report.
(C). From the Azure portal, configure the Advisor recommendations.

Answer: A
You can find unused disks in the Azure Storage Explorer console. Once you drill down to the Blobcontainers under a storage account, you can see the lease state of the residing VHD (the lease statedetermines if the VHD is being used by any resource) and the VM to which it is leased out. If you findthat the lease state and the VM fields are blank, it means that the VHD in question is unused.

ChatGpt

Yes, you can use Microsoft Azure Storage Explorer to identify and delete unattached disks in your Azure subscription. To do this, follow these steps:

1. Open Microsoft Azure Storage Explorer and connect to your Azure subscription.
2. In the left-hand navigation panel, click on "Disks" to view a list of all disks in your subscription.
3. From the list of disks, identify the unattached disks and right-click on each disk that you want to delete.
4. Select "Delete Disk" from the context menu, and confirm the deletion by clicking "Yes" in the confirmation dialog box.

By using Microsoft Azure Storage Explorer, you can manage your Azure storage resources, including disks, from a single interface, making it easier to identify and delete unattached disks.

NO.129

You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSVfile that contains the names and email addresses of 500 external users. You need to create a quest user account in contoso.com for each of the 500 external users.
Solution: from Azure AD in the Azure portal, you use the Bulk create user operation.
Does this meet the goal?
(A). Yes
(B). No

Answer: A
ChatGpt
Yes, using the Bulk create user operation in Azure AD from the Azure portal can help to meet the goal of creating 500 quest user accounts for external users with the names and email addresses specified in the CSV file.

NO.130

You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to RG2. The solution must meet the technical requirements. Which role should you assign to each user? To answer, select the appropriate options in the answer area.NOTE: Each correct selection is worth one point.Hot Area:

Hide Answer

Suggested Answer:

Reference:https://docs.microsoft.com/en-us/azure/governance/policy/overview

Correct answer check: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#resource-policy-contributor

NO.131

You have a Basic App Service plan named ASP1 that hosts an Azure App Service named App1. You need to configure a custom domain and enable backups for App1. What should you do first?

(A). Configure a WebJob for App1.

(B). Scale up ASP1.

(C). Scale out ASP1.

(D). Configure the application settings for App1.

Answer: B

The Answer should be Scale up ASP1 The basic plan does not support backup/restore. The Backup and Restore feature requires the App Service plan to be in the Standard, Premium or Isolated tier. For more information about scaling your App Service plan to use a higher tier, see Scale up an app in Azure.
Since in question its a Basic service plan app hence first thing need to do it to Scale up the service plan so that backup can be enabled on App1.
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging slots, autoscaling, and more. You scale up by changing the pricing tier of the App Service plan that your app belongs to.
For more info : https://azure.microsoft.com/en-in/pricing/details/app-service/plans/ https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up

NO.132

You develop the following Azure Resource Manager (ARM) template to create a resource group and deploy an Azure Storage account to the resource group.

Which cmdlet should you run to deploy the template?

A. New-AzResource

B. New-AzResourceGroupDeployment

C. New-AzTenantDeployment

D. New-AzDeployment

Suggested Answer: B 🗳️
Deployment scope. You can target your deployment to a resource group, subscription, management group, or tenant. Depending on the scope of the deployment, you use different commands.
To deploy to a resource group, use New-AzResourceGroupDeployment.
Incorrect:
Not C: To deploy to a tenant, use New-AzTenantDeployment.
Not D: To deploy to a subscription, use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment cmdlet.
To deploy to a management group, use New-AzManagementGroupDeployment.
Not A: The New-AzResource cmdlet creates an Azure resource, such as a website, Azure SQL Database server, or Azure SQL Database, in a resource group.
Reference:https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell

NO.133

You have the Azure virtual machines shown in the following table.

VNET1, VNET2, and VNET3 are peered.

VM4 has a DNS server that is authoritative for a zone named Contoso.com and contains the recordsshown in the following table.

VNET1 and VNET2 are linked to an Azure private DNS zone named contoso.com that contains the records shown in the following table.

The virtual networks are configured to use the DNS servers shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: Yes -VM1 is in VNET1. In VNET1 Server1 resolves to 131.107.3.3

Box 2: No -VM2 is in VNET2. VNET2 uses custom DNS server 192.168.05

Box 3: Yes

After you create a private DNS zone in Azure, you'll need to link a virtual network to it. Once linked, VMs hosted in that virtual network can access the private DNS zone. Every private DNS zone has a collection of virtual network link child resources. Each one of these resources represents a connection to a virtual network. A virtual network can be linked to private DNS zone as a registration or as a resolution virtual network.

NO.134

You have an Azure virtual machine that runs Windows Server 2019 and has the followingconfigurations:

Name: VM1
Location: West US
Connected to: VNET1
Private IP address: 10.1.0.4
Public IP address: 52.186.85.63
DNS suffix in Windows Server: Adatum.com
You create the Azure DNS zones shown in the following table.

You need to identify which DNS zones you can link to VNET1 and the DNS zones to which VM1 can automatically register.
Which zones should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Link to Question

Correct Answer:
Box 1: Private
Box 2: Private
You can only link VNETs to private DNS zones only and accordingly auto register a VNET only to a private DNS zones. Private DNS zones can be linked with VNETs (not public ones). And VM can auto-register to any private DNS zone linked with the Vnet and with auto-registration option set. To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone.

Reference:https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

NO.135

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:

User3 is the owner of Group1. Group2 is a member of Group1. You configure an access review named Review1 as shown in the following exhibit:

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.Hot Area:

Suggested Answer:

Reference:https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

NO.136

You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com. You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single-sign on (SSO) to access Azure resources. What should you do first?

A. From on-premises network, deploy Active Directory Federation Services (AD FS).

B. From Azure AD, add and verify a custom domain name.

C. From on-premises network, request a new certificate that contains the Active Directory domain name.

D. From the server that runs Azure AD Connect, modify the filtering options.

Suggested Answer: B

UPN mismatch can be removed after adding domain of you on-prem to Azure AD, so option B is correct.
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/hybrid/tshoot-connect-objectsync#upn-suffix-is-not-verified-with-azure-ad-tenant

What is UserPrincipalName?
UserPrincipalName is an attribute that is an Internet-style login name for a user based on the Internet standard RFC 822.

UPN format
A UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). The prefix is joined with the suffix using the "@" symbol. For example, "[email protected]". A UPN must be unique among all security principal objects within a directory forest.

Answer: B
Azure AD Connect lists the UPN suffixes that are defined for the domains and tries to match them with a custom domain in Azure AD.  Then it helps you with the appropriate action that needs to be taken. The Azure AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and displays the corresponding status against each suffix.

The status values can be one of the following:
State: VerifiedAzure AD Connect found a matching verified domain in Azure AD. All users for this domain can sign inby using their on-premises credentials.
State: Not verifiedAzure AD Connect found a matching custom domain in Azure AD, but it isn't verified. The UPN suffixof the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization ifthe domain isn't verified.
Action Required: Verify the custom domain in Azure AD.

NO.137

You have an Azure subscription named Subscription1.  Subscription1 contains two Azure virtual machines named VM1 and VM2. VM1 and VM2 run Windows Server 2016. VM1 is backed up daily by Azure Backup without using the Azure Backup agent. VM1 is affected by ransomware that encrypts data. You need to restore the latest backup of VM1. To which location can you restore the backup?  To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Link To Problem

Box 1: Any Windows computer that has Internet connectivity For files recovery, you download and run a windows executable to map a network drive. It can only run when the OS meets the requirements. Any computer running Windows Server 2016 or Windows 10 is suitable. File recovery can be done from any machine on the Internet. Note: There might be compatibility issues with any Windows computer, so consider VM1 and VM2 only as an answer.

Box 2: VM1 or a new Azure virtual machine only For restoring a VM, you can choose 'Create new' or 'Replace existing'.

Reference:https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#system-requirements

NO.138

You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1. You need to connect VM1 to VNET2.
Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1. Does this meet the goal?

A. Yes

B. No

Answer: A
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1. Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but youcannot change the VNet.
Reference:https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

NO.139

You have an Azure subscription that contains 100 virtual machines.You regularly create and delete virtual machines.
You need to identify unused disks that can be deleted. What should you do?

(A). From Azure Advisor, modify the Advisor configuration.

(B). From Azure Cost Management view Cost Analysis.

(C). From Azure Cost Management view Advisor Recommendations.

(D). From Microsoft Azure Storage Explorer, view the Account Management properties.

Answer: D

NO.140

You are configuring Azure Active Directory (AD) Privileged Identity Management.
You need to provide a user named Admin1 with read access to a resource group named RG1 for only one month. The user role must be assigned immediately.
What should you do?

A. Assign an active role.

B. Assign an eligible role.

C. Assign a permanently active role.

D. Create a custom role and a conditional access policy.

Suggested Answer: B 🗳️
Azure AD Privileged Identity Management introduces the concept of an eligible admin. Eligible admins should be users that need privileged access now and then, but not all-day, every day. The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time.
References:https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

NO.141

You deploy an Azure Application Gateway. You need to ensure that all the traffic requesting https://adatum.com/internal resources is directed to an internal server pool and all the traffic requesting https://adatum.com/external resources is directed to an external server pool.
What should you configure on the Application Gateway?

(A). URL path-based routing

(B). multi-site listeners

(C). basic routing

D). SSL termination

Answer: A

URL Path Based Routing allows you to route traffic to back-end server pools based on URL Paths ofthe request.In the question there are two different path from where the traffic is getting generated as below https://adatum.com/internalhttps://adatum.com/external
So in this case we can use URL path-based routing feature of Application Gateway.

NO.142

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts. Does that meet the goal?

A. Yes

B. No

Suggested Answer: B 🗳️
Only a global administrator can add users to this tenant.
Reference: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User4 to create the user accounts. Does that meet the goal?(A). yes
(B). No

Answer: B

NO.143

You have an Azure subscription that contains an Azure file share. You have an on-premises server named Server1 that runs Windows Server 2016. You plan to set up Azure File Sync between Server1 and the Azure file share. You need to prepare the subscription for the planned Azure File Sync. Which two actions should you perform in the Azure subscription?

Show Suggested Answer

First Action: Create a Storage Sync Service
Second Action: Create a sync group
These are the only actions you perform in the Azure Subscription. Install Azure File Sync Agent and Server Registration are performed from the server endpoints, which in this case is the on-premise server named Server1.

Reference:https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deploymentguide?tabs=azure-portal

NO.144

You have the Azure virtual machines shown in the following table.

A DNS service is installed on VM1.You configure the DNS servers settings for each virtual network as shown in the following exhibit.

You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1. What should you do?

A. Configure a conditional forwarder on VM1

B. Add service endpoints on VNET1

C. Add service endpoints on VNET2 and VNET3

D. Configure peering between VNET1, VNET2, and VNET3

Show Suggested Answer

Correct Answer: D
Use Virtual network peering to connect virtual networks to be able to connect to other VMs in different VNETs. Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure.
B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

NO.145

You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3.Peering for VNET1 is configured as shown in the following exhibit.

Peering for VNET2 is configured as shown in the following exhibit.

Peering for VNET3 is configured as shown in the following exhibit.

How can packets be routed between the virtual networks? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.Hot Area:

Hide Answer

Suggested Answer:

Box 1. VNET2 and VNET3 -

Box 2: VNET1 -
Gateway transit is disabled.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Reference:https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

NO.146

You have an Azure tenant that contains two subscriptions named Subscription1 andSubscription2. In Subscription1, you deploy a virtual machine named Server1 that runs Windows Server 2016. Server1 uses managed disks. You need to move Server1 to Subscription2. The solution must minimize administration effort.
What should you do first?

(A). In Subscription2, create a copy of the virtual disk.

(B). From Azure PowerShell, run the Move-AzureRmResource cmdlet.

(C). Create a snapshot of the virtual disk.

(D). Create a new virtual machine in Subscription2.

Answer: B

To move existing resources to another resource group or subscription, use the Move-AzureRmResource cmdlet.
Reference:https://docs.microsoft.com/en-ok in/azure/azure-resource-manager/resource-group-moveresources#moveresources

NO.147

You have the Azure management groups shown in the following table:

You add Azure subscriptions to the management groups as shown in the following table:

You create the Azure policies shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.  NOTE: Each correct selection is worth one point.Hot Area:

Link To Question
Answer:
- NO: Subscription 1 under ManagementGroup21 is not allowed to create a VNET as it inherites the policy frmo the Tenant Root Group.
- NO: Subscription 2 under ManagementGroup12 i allowed to create a VNET which restricts to create a VM.
- YES: Go to Managegement Groups blade, righ click on the 3 dots next to ManageMentGRoup11, click +Add subscription here. Select Subscription 1 and it is moved to this MG.

Reference:https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
https://docs.microsoft.com/en-us/azure/governance/management-groups/manage#movingmanagement-groups-and-subscriptions

NO.148

You have an Azure subscription that contains a storage account named storage1. You have the devices shown in the following table.

From which devices can you use AzCopy to copy data to storage1?

A. Device 1 only

B. Device1, Device2 and Device3

C. Device1 and Device2 only

D. Device1 and Device3 only

Suggested Answer: B 🗳️

NO.149

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. You hire a temporary vendor. The vendor uses a Microsoft account that has a sign-in of [email protected].
You need to ensure that the vendor can authenticate to the tenant by using [email protected]. What should you do?

(A). From Windows PowerShell, run the New-AzureADUser cmdlet and specify the -UserPrincipalName [email protected] parameter.

(B). From the Azure portal, add a custom domain name, create a new Azure AD user, and then specify [email protected] as the username.

(C). From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the -UserPrincipalName [email protected] parameter.

(D). From the Azure portal, add a new guest user, and then specify [email protected] as the emailaddress.

Answer: D

UserPrincipalName - contains the UserPrincipalName (UPN) of this user. The UPN is what the user will use when they sign in into Azure AD. The common structure is @, so for Abby Brown in Contoso.com,the UPN would be [email protected]
Example: To create the user, call the New-AzureADUser cmdlet with the parameter values:powershell New-AzureADUser -AccountEnabled $True -DisplayName "Abby Brown"-PasswordProfile$PasswordProfile -MailNickName "AbbyB" -UserPrincipalName"[email protected]"
Reference:https://docs.microsoft.com/bs-cyrl-ba/powershell/azure/active-directory/new-usersample?view=azureadps-2.0

NO.150

You have an on-premises network that you plan to connect to Azure by using a site-to-site VPN. In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16. VNet1 contains a subnet named Subnet1 that uses an address space of 10.0.0.0/24. You need to create a site-to-site VPN to Azure. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choice is correct. You will receive credit for any of the correct orders you select. Select and Place:

Hide Answer

Suggested Answer:

The answers are in order and are correct. Always work from the Azure side first, it's a dependency. Dependency is the key to all order obviously...
1 - Start with a Gateway subnet. You need the subnet in place first before you can associate a VPN gateway with it, which is what is created next.
2 - Create a VPN gateway. Associate the VPN gateway with the gateway subnet you created (there are other steps but for the sake of what is available for answers, the prem side is now configured)
Now for the premice side.
3. Create a local gateway. You need the local gateway in order to complete the tunnel, then you can create a VPN connection

Tutorial - Connect an on-premises network and a virtual network: S2S VPN: Azure portal - Azure VPN Gateway | Microsoft Learn

NO.151

You create an Azure subscription named Subscription1 and an associated Azure Active Directory (Azure AD) tenant named Tenant1. Tenant1 contains the users in the following table.

You need to add an Azure AD Privileged Identity Management application to Tenant1. Which account can you use?

A. [email protected]

B. [email protected]

C. [email protected]

D. [email protected]

Hide Answer

Suggested Answer: C 🗳️
References:https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged role administrator or Global administrator role can manage assignments for other administrators. You can grant access to other administrators to manage Privileged Identity Management. GlobalAdministrators, Security Administrators, Global readers, and Security Readers can also viewassignments to Azure AD roles in Privileged Identity Management.Only owner can create an subscription and only global administrator can perform Privileged IdentityIT Certification Guaranteed, The Easy Way!120Management changes. So you can create subscription with external user and then promote him toglobal administrator to get things done.As it is mentioned as it is associated with azure tenant so that tenant has an AD domain. So in azureAD the default domain ends with onmicrosoft.com. So you can't have Hotmail IDs there. Moreoveralways remember the principle of least privileges, when you can get your job done with GlobalAdministrator then you should not look for owner for security purpose.[email protected] : Correct ChoiceAs Admin1 is Global Administrator and part of default AD domain so Admin1 can add an Azure ADPrivileged Identity Management application to Tenant1[email protected] : Incorrect ChoiceAs per the above Admin3 is not Global Administrator, so this option is incorrect.[email protected] : Incorrect ChoiceAs per the above Admin2 is not Global Administrator, so this option is incorrect.[email protected] : Incorrect ChoiceAlthough this user is Global Administrator but referring to the least privileges principal and defaultdomain consideration this option is incorrect.

NO.152

You have an Azure subscription named Subscription1. In Subscription1, you create an Azure file share named share1. You create a shared access signature (SAS) named SAS1 as shown in the following exhibit.

To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Box 1: Will have no access -
The IP 193.77.134.1 does not have access on the SAS.
Box 2:
Storage account key: To mount an Azure file share, you will need the primary (or secondary) storage key. SAS keys are not currently supported for mounting. 2nd question: "will be prompted for credentials"

Reference:
https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storageexplorer?tabs=windows
https://feedback.azure.com/forums/217298-storage/suggestions/14498352-allow-azure-files-sharesto-be-mounted-using-sas-s
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
http://www.rebeladmin.com/2018/03/step-step-guide-create-azure-file-share-map-windows-10/

NO.153

You create the following resources in an subscription:
An Azure Container Registry instance named Registry1.
An Azure Kubernetes Service (AKS) cluster named Cluster1.
You create a container image named App 1 on your administrative workstation. You need to deploy App1 to cluster 1. What should you do first?

(A). Run the aa aks create command.

(B). Create a host pool on Cluster1

(C). Upload App1 to Registry 1.

(D). Run the kubect1 apply command.

Answer:  C

NO.154

You create an Azure subscription that is associated to a basic Azure Active Directory (AzureAD) tenant.
You need to receive an email notification when any user activates an administrative role. What should you do?

(A). Purchase Azure AD Premium 92 and configure Azure AD Privileged Identity Management.

(B). Purchase Enterprise Mobility + Security E3 and configure conditional access policies.

(C). Purchase Enterprise Mobility + Security E5 and create a custom alert rule in Azure SecurityCenter.

(D). Purchase Azure AD Premium PI and enable Azure AD Identity Protection.

Answer: A

When key events occur in Azure AD Privileged Identity Management (PIM), email notifications are sent. For example, PIM sends emails for the following events: When a privileged role activation is pending approval
When a privileged role activation request is completed
When a privileged role is activated
When a privileged role is assignedWhen Azure AD PIM is enabled

NO.156

You plan to create a new Azure Active Directory (Azure AD) role. You need to ensure that the new role can view all the resources in the Azure subscription and issue support requests to Microsoft. The solution must use the principle of least privilege. How should you complete the JSON definition?  To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Show Suggested Answer

Suggested Answer:

Box 1: "*/read", /read lets you view everything, but not make any changes.
Box 2: " Microsoft.Support/" The action Microsoft.Support/* enables creating and management of support tickets.
References:https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

NO.156

You have an Azure subscription that contains a resource group named TestRG. You use TestRG to validate an Azure deployment. TestRG contains the following resources:

You need to delete TestRG.  What should you do first?

A. Modify the backup configurations of VM1 and modify the resource lock type of VNET1

B. Remove the resource lock from VNET1 and delete all data in Vault1

C. Turn off VM1 and remove the resource lock from VNET1

D. Turn off VM1 and delete all data in Vault1

Show Suggested Answer

Answer: B
You can't delete a vault that contains backup data. You must remove the delete locks before trying to delete a resource group. When you delete a resource group, all of its resources are also deleted. Deleting a resource group deletes all of its template deployments and currently stored operations.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/delete-resourcegroup?tabs=azure-powershell

NO.157

You have an Azure subscription that contains the resources shown in the following table.

The Not allowed resource types Azure policy is assigned to RG1 and uses the following parameters:

• Microsoft.Network/virtualNetwork
• Microsoft.Compute/virtualMachines

In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1. What should you do first?

(A). Remove Microsoft.Network/virtualNetworks from the policy

(B). Create an Azure Resource Manager template

(C). Remove Microsoft.Compute/virtualMachines from the policy

(D). Add a subnet to VNET1

Answer: C

The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to block.Virtual Networks and Virtual Machines are prohibited.
Reference:https://docs.microsoft.com/en-us/azure/governance/policy/samples/

NO.158

You are troubleshooting a performance issue for an Azure Application Gateway. You need to compare the total requests to the failed requests during the past six hours. What should you use?

(A). Metrics in Application Gateway

(B). Diagnostics logs in Application Gateway

(C). NSG flow logs in Azure Network Watcher

(D). Connection monitor in Azure Network Watcher

Answer: A

Application Gateway currently has seven metrics to view performance counters. Metrics are a feature for certain Azure resources where you can view performance counters in the portal. For Application Gateway, the following metrics are available:
Total Requests
Failed Requests
Current Connections
Healthy Host Count
Response Status
Throughput
Unhealthy Host count
You can filter on a per backend pool basis to show healthy/unhealthy hosts in a specific backend pool

NO.159

You have an Active Directory domain named contoso.com that contains the objects shown in the following table.

The groups have the memberships shown in the following table.

OU1 and OU2 are synced to Azure Active Directory (Azure AD).You modify the synchronization settings and remove OU1 from synchronization. You sync ActiveDirectory and Azure AD.Which objects are in Azure AD?

(A). User4 and Group2 only

(B). User2, Group1, User4, and Group2 only

(C). User1, User2, Group1, User4, and Group2 only

(D). User1, User2, User3, User4, Group1, and Group2

Answer: C

NO.160

You have an Azure virtual machine named VM1 that runs Windows Server 2019. You sign into VM1 as a user named User 1 and perform the following actions:

• Create files on drive C.
• Create files on drive D.
• Modify the screen saver timeout.
• Change the desktop background.

You plan to redeploy VM1. Which changes will be lost after you redeploy VM1?

(A). the modified screen saver timeout

(B). the new desktop background

(C). the new files on drive D

(D). The new files on drive C

Answer: C
https://www.cloudelicious.net/azure-vms-and-their-temporary-storage/https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/redeploy-to-new-nodewindows#:~:text=Redeploy%20Windows%20virtual%20machine%20to%20new%20Azure%20node&text=When%20you%20redeploy%20a%20VM,configuration%20options%20and%20associated%20resources.

Correct Answer: C

For Windows Server, the temporary disk is mounted as “D:\”.

For Linux based VM’s the temporary disk is mounted as “/dev/sdb1”.  Reference: https://www.cloudelicious.net/azure-vms-and-their-temporary-storage