NO.301 *
You have an Azure subscription that contains the file shares shown in the following table.

You have the on-premises file shares shown in the following table.

You create an Azure file sync group named Sync1 and perform the following actions:
✑ Add share1 as the cloud endpoint for Sync1.
✑ Add data1 as a server endpoint for Sync1.
✑ Register Server1 and Server2 to Sync1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: No - A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints.
Box 2: Yes - Data2 is located on Server2 which is registered to Sync1.
Box 3: No - Data3 is located on Server3 which is not registered to Sync1.
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal#create-a-sync-group-and-a-cloud-endpoint
NO.302
You have an Azure File sync group that has the endpoints shown in the following table.

Cloud tiering is enabled for Endpoint3. You add a file named File1 to Endpoint1 and a file named File2 to Endpoint2. On which endpoints will File1 and File2 be available within 24 hours of adding the files?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:
Correct Answer: File1: Endpoint1 only. It is a cloud endpoint, and it is scanned by the detection job every 24 hours.
File2: Endpoint1, Endpoint2 and Endpoint3. With the on-premises servers, the file is scanned and synced automatically after it is added.
Note: They changed the question in Exam from "within 24 hours" to "after 24 hours". So, the answer is: File1: Endpoint1, Endpoint2 and Endpoint3; File2: Endpoint1, Endpoint2 and Endpoint3
NO.303
You have an Azure subscription that contains the resources shown in the following table.

You need to create a network interface named NIC1. In which location can you create NIC1?
A. East US and North Europe only
B. East US only
C. East US, West Europe, and North Europe
D. East US and West Europe only
Suggested Answer: B
Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network interface in.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
A virtual network is required when you create a NIC. Select the virtual network for the network interface. You can only assign a network interface to a virtual network that exists in the same subscription and location as the network interface. Once a network interface is created, you cannot change the virtual network it is assigned to. The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface. Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
NO.304
You have an Azure subscription named Subscription1. You have 5 TB of data that you need to transfer to Subscription1. You plan to use an Azure Import/Export job. What can you use as the destination of the imported data?
A. Azure Data Lake Store
B. a virtual machine
C. the Azure File Sync Storage Sync Service
D. Azure Blob storage
Suggested Answer: D
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. The maximum size of an Azure Files Resource of a file share is 5 TB.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
(A). Azure SQL Database
(B). Azure File Storage
(C). An Azure Cosmos DB database
(D). The Azure File Sync Storage Sync Service
(E). Azure Data Factory
(F). A virtual machine
NO.305
You have an Azure web app named App1. App1 runs in an Azure App Service plan named Plan1. Plan1 is associated to the Free pricing tier. You discover that App1 stops each day after running continuously for 60 minutes. You need to ensure that App1 can run continuously for the entire day.
Solution: You add a triggered WebJob to App1. Does this meet the goal?
A. Yes
B. No
Correct Answer: B
You need to change to Basic pricing Tier. Note: The Free Tier provides 60 CPU minutes / day. This explains why App1 stops. The Basic tier has no such cap.
References: https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
You have an Azure web app named App1.
App1 runs in an Azure App Service plan named Plan1.
Plan1 is associated to the Free pricing tier.
You discover that App1 stops each day after running continuously for 60 minutes.
You need to ensure that App1 can run continuously for the entire day.
Solution: You change the pricing tier of Plan1 to Basic.
Does this meet the goal?
(A). Yes
(B). No
Answer: A. The Free Tier provides 60 CPU minutes / day. This explains why App1 stops. The Basic tier has no such cap.
Reference: https://azure.microsoft.com/en-us/pricing/details/app-service/windows
NO.306 **
You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a file share named share1. The subscription is linked to a hybrid Azure Active Directory (Azure AD) tenant that contains a security group named Group1. You need to grant Group1 the Storage File Data SMB Share Elevated Contributor role for share1. What should you do first?
A. Enable Active Directory Domain Service (AD DS) authentication for storage1.
B. Grant share-level permissions by using File Explorer.
C. Mount share1 by using File Explorer.
D. Create a private endpoint.
Suggested Answer: A
Before you enable Azure AD over SMB for Azure file shares, make sure you have completed the following prerequisites:
- Select or create an Azure AD tenant.
- To support authentication with Azure AD credentials, you must enable Azure AD Domain Services for your Azure AD tenant. Etc.
Note: The Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable
NO.307
Your company registers a domain name of contoso.com. You create an Azure DNS zone named contoso.com, and then you add an A record to the zone for a host named www that has an IP address of 131.107.1.10. You discover that Internet hosts are unable to resolve www.contoso.com to the 131.107.1.10 IP address. You need to resolve the name resolution issue.
Solution: You modify the name servers at the domain registrar.
Does this meet the goal?
(A). Yes
(B). No
Answer: A Modify the Name Server (NS) record.
Reference: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
Solution: You create a PTR record for www in the contoso.com zone. Does this meet the goal?
A. Yes
B. No
Suggested Answer: B
Modify the Name Server (NS) record.
References: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
NO.308
You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: 6 virtual machines - The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher. The initial instance count is 4 and rises to 6 when the 2 extra instances of VMs are added.
Box 2: 2 virtual machines - The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower. The initial instance count is 4 and thus cannot be reduced to 0 as the minimum instances is set to 2. Instances are only added when the CPU threshold reaches 80%.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-best-practices
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-common-scale-patterns
NO.309 **
You have an Azure Resource Manager template named Template1 that is used to deploy an Azure virtual machine. Template1 contains the following text:

The variables section in Template1 contains the following text: "location": "westeurope"
The resources section in Template1 contains the following text:

You need to deploy the virtual machine to the West US location by using Template1. What should you do?
A. Modify the location in the resources section to westus
B. Select West US during the deployment
C. Modify the location in the variables section to westus
Suggested Answer: A
Correct Answer: A. You can change the location in resources. Parameters are used to define the value of some variables to be able to use in different places in the template resources. Resources are used only for complicated expressions. In any case, RM will only deploy from resources. In case the value is not mentioned directly, then it will check parameters if it is specified in the resources. Based on this question, the value of location is defined directly in resources, so you change the resources location value. Use location parameter. To allow flexibility when deploying your template, use a parameter to specify the location for resources. Set the default value of the parameter to resourceGroup().location.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-location?tabs=azure-powershell
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax#resources
NO.310 **
You have an Azure subscription named Subscription1. In Subscription1, you create an Azure web app named WebApp1. WebApp1 will access an external service that requires certificate authentication. You plan to require the use of HTTPS to access WebApp1. You need to upload certificates to WebApp1. In which formats should you upload the certificate? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

A PFX file contains the public key file (SSL Certificate) and its unique private key file. This is required for HTTPS access. The web app will distribute the public key (in a CER file) to clients that connect to the web app. The CER file is an SSL Certificate which has the public key of the external service. The external service will have the private key associated with the public key contained in the CER file.
NO.311
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premises Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet. Does the solution meet the goal?
A. Yes
B. No
Suggested Answer: B
Reference: https://blog.kloud.com.au/2016/03/08/azure-ad-connect-manual-sync-cycle-with-powershell-start-adsyncsynccycle/
Answer is B (No). Initial will perform a full sync and add the user account created, but it will take time. Delta will kick off a delta sync and bring only the last change, so it will be "immediately" and will fulfill the requirements.
NO.312 **
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VM1. VM1 is in a resource group named RG1. VM1 runs services that will be used to deploy resources to RG1. You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1. What should you do first?
A. From the Azure portal, modify the Access control (IAM) settings of RG1.
B. From the Azure portal, modify the Policies settings of RG1.
C. From the Azure portal, modify the Access control (IAM) settings of VM1.
D. From the Azure portal, modify the value of the Managed Service Identity option for VM1.
Suggested Answer: D
The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
References: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
A managed identity from Azure Active Directory allows your app to easily access other AAD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. User assigned managed identities can be used on Virtual Machines and Virtual Machine Scale Sets. Reference: https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity
NO.313 **
You have an Azure subscription that contains the resources shown in the following table.

VMSS1 is set to VM (virtual machines) orchestration mode. You need to deploy a new Azure virtual machine named VM1, and then add VM1 to VMSS1. Which resource group and location should you use to deploy VM1?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: RG1, RG2, or RG3 - The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that metadata is stored.
Box 2: West US only - Note: Virtual machine scale sets will support 2 distinct orchestration modes: ScaleSetVM: Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine instance lifecycle - creation, update, deletion - is managed by the scale set. VM (virtual machines): Virtual machines created outside of the scale set can be explicitly added to the scale set.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
NO.314 **
You have an Azure virtual machine named VM1 that runs Windows Server 2016. You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the storage account as the source.
Does this meet the goal? (Question Series)
A. Yes
B. No
Answer is No
Instead: You create an Azure Log Analytics workspace and configure the data settings.
You install the Microsoft Monitoring Agent on VM1.
You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
NO.315
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate. From Azure, you download and install the VPN client configuration package on a computer named Computer2. You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You export the client certificate from Computer1 and install the certificate on Computer2. Does this meet the goal?
A. Yes
B. No
Suggested Answer: A
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
Solution: You modify the Azure Active Directory (Azure AD) authentication policies. Does this meet this goal?
(A). Yes
(B). No
Answer: B
Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note: Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
NO.316
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that is configured for hybrid coexistence with the on-premises Active Directory domain. The tenant contains the users shown in the following table.

Whenever possible, you need to enable Azure Multi-Factor Authentication (MFA) for the users in contoso.com. Which users should you enable for Azure MFA?
A. User1 only
B. User1, User2, and User3 only
C. User1 and User2 only
D. User1, User2, User3, and User4
E. User2 only
You have an Azure Active Directory (Azure AD) tenant named contoso.com that is synced to an Active Directory domain.
The tenant contains the users shown in the following table.

The users have the attributes shown in the following table.

You need to ensure that you can enable Azure Multi-Factor Authentication (MFA) for all four users.
Solution: You add an office phone number for User2.
Does this meet the goal?
(A). Yes
(B). No
Answer: B
User3 requires a user account in Azure AD. Note: Your Azure AD password is considered an authentication method. It is the one method that
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authenticationmethods
NO.317
You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services vaults named RSV1 and RSV2. VM2 is backed up to RSV1. You need to back up VM2 to RSV2. What should you do first?
A. From the RSV1 blade, click Backup items and stop the VM2 backup
B. From the RSV2 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup
C. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault
D. From the RSV1 blade, click Backup Jobs and export the VM2 job
Suggested Answer: C
Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm
This is the wrong answer; the first step should be stopping the backup.
If you want to change the recovery service vault you need to disassociate the previous RSV and delete the backup data.
To delete backup data, you need to stop the backup first. So:
- Stop the backup in RSV1 (D)
- Remove the backup data.
- Disassociate the VM in RSV1.
- Associate the VM in RSV2.
NO.318
You have an Azure subscription that contains the resources in the following table. You install the Web Server server role (IIS) on VM1 and VM2, and then add VM1 and VM2 to LB1. LB1 is configured as shown in the LB1 exhibit. (Click the Exhibit tab.)

Rule1 is configured as shown in the Rule1 exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

NO.319 **
Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy. Does the solution meet the goal?
A. Yes
B. No
Suggested Answer: B
Solution: You access the multi-factor authentication page to alter the user settings.
Does the solution meet the goal?
(A). Yes
(B). No
Answer: B
- Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
(Omitted)....
- Under Access controls > Grant, select Grant access, Require multifactor authentication, and select Select.
NO.320 **
You have a deployment template named Template1 that is used to deploy 10 Azure web apps. You need to identify what to deploy before you deploy Template1. The solution must minimize Azure costs. What should you identify?
A. five Azure Application Gateways
B. one App Service plan
C. 10 App Service plans
D. one Azure Traffic Manager
E. one Azure Application Gateway
Suggested Answer: B
You create Azure web apps in an App Service plan.
Reference: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
NO.321 **
You onboard 10 Azure virtual machines to Azure Automation State Configuration. You need to use Azure Automation State Configuration to manage the ongoing consistency of the virtual machine configurations. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select. Select and Place:

Correct Answer:
1: Upload a configuration to Azure Automation State Configuration
2: Compile a configuration into a node configuration
3: Check the compliance status of the node.
Step 1: Create and upload a configuration to Azure Automation
Step 2: Compile a configuration into a node configuration
Step 3: Register a VM to be managed by State Configuration
Step 4: Specify configuration mode settings
Step 5: Assign a node configuration to a managed node
Step 6: Check the compliance status of a managed node
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started
https://docs.microsoft.com/en-us/azure/automation/tutorial-configure-servers-desired-state
NO.322
You have an Azure subscription that contains the virtual machines shown in the following table:

VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections. Subnet1 and Subnet2 are in a virtual network named VNET1. The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules. NSG2 uses the default rules and the following custom incoming rule:
✑ Priority: 100
✑ Name: Rule1
✑ Port: 3389
✑ Protocol: TCP
✑ Source: Any
✑ Destination: Any
✑ Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Answer is correct. No, Yes, Yes.
No: VM1 has default rules which deny any port open for inbound rules.
Yes: VM2 has a custom rule allowing the RDP port.
Yes: VM1 and VM2 are in the same VNet. By default, communication is allowed.
NO.323
You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is connected to VNET1. You successfully deploy the following Azure Resource Manager template.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: Yes
Box 2: Yes - VM1 is in Zone1, while VM2 is on Zone2.
Box 3: No
Reference: https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-region
NO.324 **
You have an Azure subscription that contains the storage accounts shown in the following table.

You plan to manage the data stored in the accounts by using lifecycle management rules. To which storage accounts can you apply lifecycle management rules?
A. storage1 only
B. storage1 and storage2 only
C. storage3 and storage4 only
D. storage1, storage2, and storage3 only
E. storage1, storage2, storage3, and storage4
Suggested Answer: D
Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-concepts?tabs=azure-portal
Answer is correct.
The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2) accounts, blob storage accounts, premium block blobs storage accounts, Azure Data Lake Storage Gen2 accounts.
NO.325 **
You have two Azure virtual machines named VM1 and VM2.
VM1 has a single data disk named Disk1. You need to attach Disk1 to VM2.
The solution must minimize downtime for both virtual machines. Which four actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

1 - Stop VM1. 2 - Detach Disk1 from VM1. 3 - Start VM1. 4 - Attach Disk1 to VM2
You should start VM1 before attaching the disk to VM2 in order to minimize downtime. So the order should be: Stop VM1, Detach Disk from VM1, Start VM1, Attach Disk To VM2
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk https://docs.microsoft.com/en-us/azure/lab-services/devtest-lab-attach-detach-data-disk
NO.326
You have a registered DNS domain named contoso.com. You create a public Azure DNS zone named contoso.com. You need to ensure that records created in the contoso.com zone are resolvable from the internet. What should you do?
A. Create NS records in contoso.com.
B. Modify the SOA record in the DNS domain registrar.
C. Create the SOA record in contoso.com.
D. Modify the NS records in the DNS domain registrar.
Suggested Answer: D
Reference: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
NO.327
You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1. You need to connect VM1 to VNET2.
Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1. Does this meet the goal?
A. Yes
B. No
Answer: A - NO.138 same
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.
Terrible wording. No one mentioned whether VM1 is recreated in West US or not. If the question means that VM1 is recreated (within VNET1), the answer is No. If the question means that VM1 is recreated in VNET2, the answer should be Yes. You should choose the virtual network while creating the VM. The key words: "then you create a new network interface for VM1 connect it to VNET2". If you create the VM within East Asia, you do not need to mention that you create another NIC for the VM for connection.
So I guess the question means the VM is recreated within West US and an additional network interface is created to connect to VNet2. -> There are 2 NICs for VM1. In this case, the answer is No.
NO.328
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate. From Azure, you download and install the VPN client configuration package on a computer named Computer2. You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You export the client certificate from Computer1 and install the certificate on Computer2. Does this meet the goal?
A. Yes
B. No
Suggested Answer: A
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.
Does this meet the goal?
Answer: B
Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note: Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails. Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
NO.329
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates. You need to view the date and time when the resources were created in RG1. Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment. Does this meet the goal?
A. Yes
B. No
Suggested Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
Solution: From the RG1 blade, you click Deployments.
Does this meet the goal?
(A). Yes
(B). No
Answer: A
- Select the resource group (Here RG1) you want to examine.
- Select the link under Deployments.
NO.330 **
You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs a financial reporting app named App1 that does not support multiple active instances. At the end of each month, CPU usage for VM1 peaks when App1 runs. You need to create a scheduled runbook to increase the processor performance of VM1 at the end of each month. What task should you include in the runbook?
A. Add the Azure Performance Diagnostics agent to VM1.
B. Modify the VM size property of VM1.
C. Add VM1 to a scale set.
D. Increase the vCPU quota for the subscription.
E. Add a Desired State Configuration (DSC) extension to VM1.
Suggested Answer: B
Reference: https://docs.microsoft.com/en-us/azure/automation/automation-quickstart-dsc-configuration
If you have a CPU/performance issue then the solution is to scale up (increase VM size) or to scale out (scale set) given that the App does not support multiple instances then scale up is the obvious choice.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/resize-vm
NO.331 **
You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:
✑ Subnet: 10.0.0.0/24
✑ Availability set: AVSet
✑ Network security group (NSG): None
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Public IP address: 40.90.219.6 (dynamic)
You deploy a standard, Internet-facing load balancer named slb1. You need to configure slb1 to allow connectivity to VM1. Which changes should you apply to VM1 as you configure slb1?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Change the private IP address of VM1 to static
Box 1: Remove the public IP address from VM1
Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to your VMs.
Box 2: Create and configure an NSG
NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not allowed to reach this resource.
Default SG: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
NO.332 **
Your network contains an Active Directory domain that is synced to Azure Active Directory (Azure AD) as shown in the following exhibit.

You have a user account configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: No - Password writeback is disabled.
Note: Having a cloud-based password reset utility is great but most companies still have an on-premises directory where their users exist. How does Microsoft support keeping traditional on-premises Active Directory (AD) in sync with password changes in the cloud? Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time.
Box 2: No -
Box 3: Yes - Yes, there is an Edit link for Location Info.
References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Answer:

NO.333 **
You have a hybrid infrastructure that contains an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The tenant contains the users shown in the following table.

You plan to share a cloud resource to the All Users group. You need to ensure that User1, User2, User3, and User4 can connect successfully to the cloud resource.
What should you do first?
(A). Create a user account of the member type for User4.
(B). Create a user account of the member type for User3.
(C). Modify the Directory-wide Groups settings.
(D). Modify the External collaboration settings.
Answer: C
Ensure that "Enable an 'All Users' group in the directory" policy is set to "Yes" in your Azure Active Directory (AD) settings in order to enable the "All Users" group for centralized access administration.
This group represents the entire collection of the Active Directory users, including guests and external users, that you can use to make the access permissions easier to manage within your directory.
Incorrect Answers: A, B: User3 and User4 are guests already.
Note: By default, all users and guests in your directory can invite guests even if they're not assigned to an admin role.
External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests.
Reference: https://www.cloudconformity.com/knowledge-base/azure/ActiveDirectory/enable-all-usersgroup.html
NO.334
You have an Azure subscription. You create the Azure Storage account shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: 3
- Locally Redundant Storage (LRS) provides highly durable and available storage within a single location (sub region). We maintain an equivalent of 3 copies (replicas) of your data within the primary location as described in our SOSP paper; this ensures that we can recover from common failures (disk, node, rack) without impacting your storage account's availability and durability.
Box 2: Access tier - Change the access tier from Hot to Cool.
Note: Azure storage offers different access tiers, which allow you to store blob object data in the most cost-effective manner.
The available access tiers include:
Hot - Optimized for storing data that is accessed frequently.
Cool - Optimized for storing data that is infrequently accessed and stored for at least 30 days.
Archive - Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements (on the order of hours).
Reference: https://azure.microsoft.com/en-us/blog/data-series-introducing-locally-redundant-storage-for-windows-azure-storage/ https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
NO.335 **
You are developing an Azure web app named WebApp1. WebApp1 uses an Azure App Service plan named Plan1 that uses the B1 pricing tier. You need to configure WebApp1 to add additional instances of the app when CPU usage exceeds 70 percent for 10 minutes. Which three actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

Correct Answer:

Box 1: From the Scale up (App Service Plan) settings blade, change the pricing tier
The B1 pricing tier only allows for 1 core. We must choose another pricing tier.
Box 2: From the Scale out (App Service Plan) settings blade, enable autoscale
1. Log in to the Azure portal at http://portal.azure.com
2. Navigate to the App Service you would like to autoscale.
3. Select Scale out (App Service plan) from the menu.
4. Click on Enable autoscale. This activates the editor for scaling rules.

Box 3: From the Scale mode to Scale based on metric, add a rule, and set the instance limits.
Click on Add a rule. This shows a form where you can create a rule and specify details of the scaling.
References: https://azure.microsoft.com/en-us/pricing/details/app-service/windows/ https://blogs.msdn.microsoft.com/hsirtl/2017/07/03/autoscaling-azure-web-apps/
NO.336 **
You create an Azure Migrate project named TestMig in a resource group named test-migration. You need to discover which on-premises virtual machines to assess for migration. Which three actions should you perform in sequence?
To answer, select the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Suggested Answer:

Step 1: Download the OVA file for the collection appliance
Azure Migrate uses an on-premises VM called the collector appliance, to discover information about your on-premises machines.
To create the appliance, you download a setup file in Open Virtualization Appliance (.ova) format, and import it as a VM on your on-premises vCenter Server.
Step 2: Create a migration group in the project For the purposes of assessment, you gather the discovered VMs into groups.
For example, you might group VMs that run the same application. For more precise grouping, you can use dependency visualization to view dependencies of a specific machine, or for all machines in a group and refine the group.
Step 3: Create an assessment in the project
After a group is defined, you create an assessment for it.
References: https://docs.microsoft.com/en-us/azure/migrate/migrate-overview
NO.337
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1?
A. Get-Event Event | where {$_.EventType -eq "error"}
B. Get-Event Event | where {$_.EventType == "error"}
C. search in (Event) * | where EventType -eq "error"
D. search in (Event) "error"
E. select * from Event where EventType == "error"
F. Event | where EventType is "error"
Suggested Answer: D
To search a term in a specific table, add in (table-name) just after the search operator.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal
(A). Get-Event Event | where {$_.EventType == "error"}
(B). Event | search "error"
(C). select * from Event where EventType == "error"
(D). Event | where EventType is "error"
Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal
https://docs.microsoft.com/en-us/azure/dataexplorer/kusto/query/searchoperator?pivots=azuredataexplorer
The search operator provides a multi-table/multi-column search experience.
The syntax is:
Table_name | search "search term"
Note: There are several versions of this question in the exam. The question has three possible correct answers:
search in (Event) "error"
Event | search "error"
Event | where EventType == "error"
Other incorrect answer options you may see on the exam include the following:
Get-Event Event | where {$_.EventTye -eq "error"}
select * from Event where EventType is "error"
search in (Event) * | where EventType -eq "error"
NO.338 **
You plan to deploy an Azure virtual machine named VM1 by using an Azure Resource Manager template. You need to complete the template. What should you include in the template?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Within your template, the dependsOn element enables you to define one resource as a dependent on one or more resources. Its value can be a comma-separated list of resource names.
Box 1: 'Microsoft.Network/networkInterfaces'
This resource is a virtual machine. It depends on two other resources: Microsoft.Storage/storageAccounts and Microsoft.Network/networkInterfaces
Box 2: 'Microsoft.Network/virtualNetworks/'
The dependsOn element enables you to define one resource as a dependent on one or more resources. The resource depends on two other resources: Microsoft.Network/publicIPAddresses and Microsoft.Network/virtualNetworks

NO.339 **
You have an Azure subscription that contains the storage accounts shown in the following table.

You plan to use AzCopy to copy a blob from container1 directly to share1. You need to identify which authentication method to use when you use AzCopy. What should you identify for each account?
To answer, drag the appropriate authentication methods to the correct accounts. Each method may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:

Suggested Answer:

Box 1: A shared access signature (SAS) token.
You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.
For Blob storage you can use Azure AD & SAS.
Note: In the current release, if you plan to copy blobs between storage accounts, you'll have to append a SAS token to each source URL. You can omit the SAS token only from the destination URL.
Box 2: A shared access signature (SAS) token.
For File storage you can only use SAS.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
NO.340
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?
A. Assign User1 the Network Contributor role for RG1.
B. Assign User1 the User Access Administrator role for VNet1.
C. Remove User1 from the Security Reader and Reader roles for Subscription1.
D. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
Suggested Answer: B
The User Access Administrator role allows you to manage user access to Azure resources.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator
NO.341 **
You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1. You need to connect VM1 to VNET2.
Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1. Does this meet the goal?
A. Yes
B. No
Answer: Y
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1. Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet. Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
NO.342 **
You have an Azure subscription. You enable multi-factor authentication for all users. Some users report that the email applications on their mobile device cannot connect to their Microsoft Exchange Online mailbox. The users can access Exchange Online by using a web browser and from Microsoft Outlook 2016 on their computer. You need to ensure that the users can use the email applications on their mobile device. What should you instruct the users to do?
A. Enable self-service password reset.
B. Create an app password.
C. Reset the Azure Active Directory (Azure AD) password.
D. Reinstall the Microsoft Authenticator app.
Answer: B
If you're enabled for multi-factor authentication, make sure that you have set up app passwords.
Note: During your initial two-factor verification registration process, you're provided with a single app password. If you require more than one, you'll have to create them yourself.
Go to the Additional security verification page.
Reference: https://docs.microsoft.com/en-us/office365/troubleshoot/sign-in/sign-in-to-office-365-azure-intune https://docs.microsoft.com/sv-se/azure/active-directory/user-help/multi-factor-authentication-enduser-app-passwords
NO.343
You have an on-premises server that contains a folder named D:\Folder1. You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata. Which command should you run?
A. https://contosodata.blob.core.windows.net/public
B. azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot
C. azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive
D. az storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public
Suggested Answer: C
The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container by the same name.
Incorrect Answers:
B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified time in the destination is more recent.
D: The az storage blob copy start-batch command copies multiple blobs to a blob container.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-copy
NO.344 **
You have an Azure subscription that contains a web app named webapp1. You need to add a custom domain named www.contoso.com to webapp1. What should you do first?
A. Create a DNS record
B. Add a connection string
C. Upload a certificate.
D. Stop webapp1.
Suggested Answer: A
You can use either a CNAME record or an A record to map a custom DNS name to App Service.
Reference: https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain
NO.345 **
You have an Azure subscription. You need to transfer 34TB of data from an on-premise Windows 2016 server to your Azure storage account. You need to ensure that the data transfer has zero impact on the network, preserves your existing drives and is the fastest and most secure method.
What should be your first step?
(A). Start an Import Job via the Azure Portal
(B). Order an Azure Databox via the Azure Portal
(C). Open a ticket with Microsoft Support
(D). Prepare your hard drives using the WAImportExport tool
Answer: B
The Microsoft Azure Data Box cloud solution lets you send terabytes of data into and out of Azure in a quick, inexpensive, and reliable way. https://docs.microsoft.com/en-us/azure/databox/data-box-overvie
NO.346
Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data.
Does the solution meet the goal?
A. Yes
B. No
It is a big NO now in 2023. If you still see this question, never say YES.
For me this question is outdated and won't show up on exam but if it showed up it would be B (No), here is why: Effective September 1st, 2018 new auth providers may no longer be created. Existing auth providers may continue to be used and updated, but migration is no longer possible. Multi-factor authentication will continue to be available as a feature in Azure AD Premium licenses. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-authprovider
NO.347 **
DRAG DROP - You have an Azure Linux virtual machine that is protected by Azure Backup.
One week ago, two files were deleted from the virtual machine. You need to restore the deleted files to an on-premises computer as quickly as possible. Which four actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

Suggested Answer:

To restore files or folders from the recovery point, go to the virtual machine and choose the desired recovery point.
Step 0. In the virtual machine's menu, click Backup to open the Backup dashboard.
Step 1. In the Backup dashboard menu, click File Recovery.
Step 2. From the Select recovery point drop-down menu, select the recovery point that holds the files you want.
By default, the latest recovery point is already selected.
Step 3: To download the software used to copy files from the recovery point, click Download Executable (for Windows Azure VM) or Download Script (for Linux Azure VM, a Python script is generated).
Step 4: Copy the files by using AzCopy
AzCopy is a command-line utility designed for copying data to/from Microsoft Azure Blob, File, and Table storage, using simple commands designed for optimal performance. You can copy data between a file system and a storage account, or between storage accounts.
References: https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy
NO.348 **
You have 100 Azure subscriptions. All the subscriptions are associated to the same Azure Active Directory (Azure AD) tenant named contoso.com. You are a global administrator. You plan to create a report that lists all the resources across all the subscriptions. You need to ensure that you can view all the resources in all the subscriptions. What should you do?
A. From the Azure portal, modify the profile settings of your account.
B. From Windows PowerShell, run the Add-AzureADAdministrativeUnitMember cmdlet.
C. From Windows PowerShell, run the New-AzureADUserAppRoleAssignment cmdlet.
D. From the Azure portal, modify the properties of the Azure AD tenant.
Suggested Answer: C
The New-AzureADUserAppRoleAssignment cmdlet assigns a user to an application role in Azure Active Directory (AD). Use it for the application report.
References: https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azureadps-2.0
NO.349
You have an Azure subscription. You plan to deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the IP address of the pod. For the AKS cluster, you need to choose a network type that will support App1. What should you choose?
A. kubenet
B. Azure Container Networking Interface (CNI)
C. Hybrid Connection endpoints
D. Azure Private Link
Suggested Answer: B
With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly.
These IP addresses must be unique across your network space.
Incorrect Answers:
A: The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes get an IP address from the Azure virtual network subnet. Pods receive an IP address from a logically different address space to the Azure virtual network subnet of the nodes. Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network.
C, D: AKS only supports Kubenet networking and Azure Container Networking Interface (CNI) networking.
Reference: https://docs.microsoft.com/en-us/azure/aks/concepts-network
You have a service deployed to a Kubernetes cluster. Another application needs to access the service via the private IP address of the pod.
Which of the following would you define as the networking type for the cluster to meet this requirement?
(A). Kubenet
(B). Azure container networking plugin
(C). Service Endpoints
(D). Network security groups
Answer: B
Azure container networking plugin: Correct Choice
With the Azure container networking plugin, every pod gets an IP address allocated.
With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly.
These IP addresses must be unique across your network space, and must be planned in advance.
Each node has a configuration parameter for the maximum number of pods that it supports.
The equivalent number of IP addresses per node are then reserved up front for that node.
This approach requires more planning, as it can otherwise lead to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow.
Nodes use the Azure Container Networking Interface (CNI) Kubernetes plugin.
Kubenet : Incorrect Choice
The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes get an IP address from the Azure virtual network subnet. Pods receive an IP address from a logically different address space to the Azure virtual network subnet of the nodes.
Service Endpoints : Incorrect Choice
Capabilities like service endpoints or UDRs are supported with both kubenet and Azure CNI, the support policies for AKS define what changes you can make.
For example:
* If you manually create the virtual network resources for an AKS cluster, you're supported when configuring your own UDRs or service endpoints.
* If the Azure platform automatically creates the virtual network resources for your AKS cluster, it isn't supported to manually change those AKS-managed resources to configure your own UDRs or service endpoints.
Network security groups : Incorrect Choice
A network security group filters traffic for VMs, such as the AKS nodes.
As you create Services, such as a LoadBalancer, the Azure platform automatically configures any network security group rules that are needed.
Reference: https://docs.microsoft.com/en-us/azure/aks/concepts-networ
NO.350
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription. Does this meet the goal?
A. Yes
B. No
Suggested Answer: A
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
(A). Yes
(B). No
Answer: B
How can I freeze or lock my production/critical Azure resources from accidental deletion? There is a way to do this with both ASM and ARM resources using Azure resource lock.