NO.351 *
You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines. You need to delete the Recovery Services vault. What should you do first?
A. From the Recovery Service vault, delete the backup data.
B. Modify the disaster recovery properties of each virtual machine.
C. Modify the locks of each virtual machine.
D. From the Recovery Service vault, stop the backup of each backup item.
Suggested Answer: D
You can't delete a Recovery Services vault if it is registered to a server and holds backup data.
If you try to delete a vault but can't, the vault is still configured to receive backup data.
Remove vault dependencies and delete the vault: in the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items.
In this menu, you can stop and delete Azure File Servers, SQL Servers in Azure VM, and Azure virtual machines.

Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
NO.352
You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is connected to VNET1. You successfully deploy the following Azure Resource Manager template.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: Yes
Box 2: Yes - VM1 is in Zone1, while VM2 is in Zone2.
Box 3: No
Reference: https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-region
NO.353 *
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.

You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
- Number of methods required to reset: 2
- Methods available to users: Mobile phone, Security questions
- Number of questions required to register: 3
- Number of questions required to reset: 3
You select the following security questions:
- What is your favorite food?
- In what city was your first job?
- What was the name of your first pet?
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Answer: NO, NO, YES
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned. With a two-gate policy, administrators don't have the ability to use security questions. The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.
NO.354
You have an Azure web app named webapp1. You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1. You need to ensure that webapp1 can access the data hosted on VM1. What should you do?
A. Deploy an internal load balancer
B. Peer VNET1 to another virtual network
C. Connect webapp1 to VNET1
D. Deploy an Azure Application Gateway
Suggested Answer: C
C. Connect webapp1 to VNET1 "The App Service virtual network integration feature enables your apps to access resources in or through a virtual network."
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
D. Deploy an Azure Application Gateway "Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications."
see here: https://learn.microsoft.com/en-us/azure/application-gateway/overview
NO.355
You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit:

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: 10 years - The yearly backup point occurs on 1 March and its retention period is 10 years.
Box 2: 36 months - The monthly backup point occurs on the 1st of every month and its retention period is 36 months.
NO.356
You have an Azure virtual machine named VM1 that runs Windows Server 2016. You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the storage account as the source.
Does this meet the goal?
A Yes
B No
Suggested Answer: B
Instead:
You create an Azure Log Analytics workspace / configure the data settings.
You install the Microsoft Monitoring Agent on VM1.
You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
NO.357
You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com. You have a Microsoft account that you use to sign in to both tenants. You need to configure the default sign-in tenant for the Azure portal. What should you do?
A. From Azure Cloud Shell, run Set-AzureRmSubscription.
B. From Azure Cloud Shell, run Set-AzureRmContext.
C. From the Azure portal, configure the portal settings.
D. From the Azure portal, change the directory.
Answer: D
To configure the default sign-in tenant for the Azure portal, follow these steps:
- Sign in to the Azure portal with your Microsoft account.
- Click on the profile picture in the upper-right corner, then click on "Switch directory."
- Select the tenant that you want to set as the default sign-in tenant.
- Click on the "Use this tenant for all future sign-ins" check box.
- Click on "Select."
Now, when you sign in to the Azure portal, you'll be automatically signed in to the tenant you selected as the default.
The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current session. The context includes tenant, subscription, and environment information.
Reference:
https://docs.microsoft.com/en-us/powershell/module/azurerm.profile/set-azurermcontext
NO.358 *
You have an Azure subscription. You activate Enterprise Mobility + Security E5 licenses for all users. You need the users to request approval before they can create virtual machines. What should you configure first?
(A). Azure Active Directory (Azure AD) conditional access policies
(B). Azure Active Directory (Azure AD) Authentication methods
(C). Azure Active Directory (Azure AD) Privileged Identity Management for the Azure resource roles
(D). Azure Active Directory (Azure AD) Privileged Identity Management for the Azure AD directory roles
Answer: C
What is Enterprise Mobility + Security?
Microsoft Enterprise Mobility + Security provides an identity-driven security solution that offers a holistic approach to the security challenges in this mobile-first, cloud-first era. Our technologies not only help you protect your organization but also identify breaches before they cause damage.
- Enterprise Mobility + Security E3 includes Azure Active Directory Premium P1, Microsoft Intune, Azure Information Protection P1, Microsoft Advanced Threat Analytics, Azure Rights Management (part of Azure Information Protection) and the Windows Server CAL rights.
- Enterprise Mobility + Security E5 includes all the capabilities of Enterprise Mobility + Security E3 plus Azure Active Directory Premium (AADP) P2, Azure Information Protection P2, Microsoft Cloud App Security, Azure Active Directory [AD] Identity Protection (as a feature of AADP P2), Azure Advanced Threat Protection, Azure AD Privileged Identity Management (as a feature of AADP P2).
Reference: Enterprise Mobility + Security | Microsoft Volume Licensing
NO.359
You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture. Does this meet the goal?
A. Yes
B. No
Suggested Answer: A
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communications and much more.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
NO.360
You have an Azure subscription named Subscription1. You have a virtualization environment that contains the virtualization servers in the following table.

The virtual machines are configured as shown in the following table.

All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker). You plan to use Azure Site Recovery to migrate the virtual machines to Azure. Which virtual machines can you migrate?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Server1:
VM1 - Can't be migrated because BitLocker is enabled
VM2 - Can't be migrated because the OS disk is larger than the allowed 2048 GB for Generation 1 VMs (max. of 300 GB for Gen 2)
VM3 - Can be migrated
Server2:
VMA - Can be migrated
VMB - Can be migrated
VMC - Can't be migrated because the data disk is larger than the allowed 4095 TB
Summary: Hyper-V and VMware
- OS architecture: both 64-bit, except WS2008 in Hyper-V
- OS disk size: both up to 2 TB, except Gen 2 VMs up to 300 GB in Hyper-V
- Data disk: both up to 4 TB, except replication MHDD up to 8 TB in VMware
- Shared VHD: not supported on either
- FC disk: not supported on either
- BitLocker: not supported on either
- Hard disk format: VHD, VHDX only in Hyper-V
So: VM1 excluded, BitLocker enabled. VM2 excluded, its OS disk is 3 TB, limit 2 TB. VMC excluded, its data disk is 6 TB, limit 4 TB.
NO.361 **
You have an Azure subscription. The subscription includes a virtual network named VNet1. Currently, VNet1 does not contain any subnets. You plan to create subnets on VNet1 and to use application security groups to restrict the traffic between the subnets. You need to create the application security groups and to assign them to the subnets. Which four cmdlets should you run in sequence?
To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order. Select and Place:

Suggested Answer:

To create application security groups and assign them to subnets in an Azure virtual network, you can use the following four Azure PowerShell cmdlets:
- New-AzApplicationSecurityGroup: creates a new application security group.
- New-AzVirtualNetworkSubnetConfig: creates a new subnet configuration for the virtual network.
- Add-AzApplicationSecurityGroupToSubnet: assigns an application security group to a subnet.
- Set-AzVirtualNetwork: updates the virtual network with the new subnet configuration and application security group assignment.
Here is an example script that demonstrates the usage of these cmdlets:
# Create the application security groups (-Location is required; the region is assumed here)
$asg1 = New-AzApplicationSecurityGroup -Name "ASG1" -ResourceGroupName "MyResourceGroup" -Location "EastUS"
$asg2 = New-AzApplicationSecurityGroup -Name "ASG2" -ResourceGroupName "MyResourceGroup" -Location "EastUS"

# Create the subnet configurations
$subnet1 = New-AzVirtualNetworkSubnetConfig -Name "Subnet1" -AddressPrefix "10.0.1.0/24" -ApplicationSecurityGroup $asg1
$subnet2 = New-AzVirtualNetworkSubnetConfig -Name "Subnet2" -AddressPrefix "10.0.2.0/24" -ApplicationSecurityGroup $asg2

# Get the virtual network
$vnet = Get-AzVirtualNetwork -Name "VNet1" -ResourceGroupName "MyResourceGroup"

# Add both subnet configurations to the in-memory virtual network object
$vnet.Subnets.Add($subnet1)
$vnet.Subnets.Add($subnet2)

# Write the updated configuration (new subnets and their application security group assignments) back to Azure
Set-AzVirtualNetwork -VirtualNetwork $vnet
NO.362 *
You have an on-premises network that contains a Hyper-V host named Host1. Host1 runs Windows Server 2016 and hosts 10 virtual machines that run Windows Server 2016.
You plan to replicate the virtual machines to Azure by using Azure Site Recovery. You create a Recovery Services vault named ASR1 and a Hyper-V site named Site1. You need to add Host1 to ASR1.
What should you do?
(A). Download the installation file for the Azure Site Recovery Provider.
Download the vault registration key.
Install the Azure Site Recovery Provider on Host1 and register the server.
(B). Download the installation file for the Azure Site Recovery Provider.
Download the storage account key.
Install the Azure Site Recovery Provider on Host1 and register the server.
(C). Download the installation file for the Azure Site Recovery Provider.
Download the vault registration key.
Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
(D). Download the installation file for the Azure Site Recovery Provider.
Download the storage account key.
Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
Answer: A
Below are the steps you need to perform in this scenario. Refer to the link in the reference section.
Download the installation file for the Azure Site Recovery Provider
To set up the source environment, you create a Hyper-V site and add to that site the Hyper-V hosts containing VMs that you want to replicate. Then, you download and install the Azure Site Recovery Provider and the Azure Recovery Services agent on each host, and register the Hyper-V site in the vault.

Download the vault registration key
Download the Vault registration key. You need this when you install the Provider. The key is valid for five days after you generate it.

Install the Azure Site Recovery Provider on Host1.
Install the downloaded setup file (AzureSiteRecoveryProvider.exe) on each Hyper-V host that you want to add to the Hyper-V site. Setup installs the Azure Site Recovery Provider and Recovery Services agent on each Hyper-V host.
Register the server
In Registration, after the server is registered in the vault, select Finish.
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-tutorial
NO.363 **
You plan to migrate an on-premises Hyper-V environment to Azure by using Azure Site Recovery. The Hyper-V environment is managed by using Microsoft System Center Virtual Machine Manager (VMM). The Hyper-V environment contains the virtual machines in the following table:

Which virtual machine can be migrated by using Azure Site Recovery?
A. FS1
B. CA1
C. DC1
D. SQL1
Answer: D
DC1: Not supported because it is Gen 2 and the OS disk size is greater than 300 GB.
FS1: Not supported because it is a Gen 2 Linux VM. Linux Generation 2 VMs aren't supported.
CA1: Not supported because BitLocker is enabled. BitLocker must be disabled before you enable replication for a VM.
SQL1: Supported
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix#azure-vmrequirements
NO.364 *
You have an Azure web app named WebApp1. You need to provide developers with a copy of WebApp1 that they can modify without affecting the production WebApp1. When the developers finish testing their changes, you must be able to switch the current live version of WebApp1 to the new version.
Which command should you run to prepare the environment?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Answers

Box 1: New-AzureRmWebAppSlot
The New-AzureRmWebAppSlot cmdlet creates an Azure Web App Slot in a given resource group that uses the specified App Service plan and data center.
Box 2: -SourceWebApp
Reference: https://docs.microsoft.com/en-us/powershell/module/azurerm.websites/new-azurermwebappslot
You have an Azure web app named WebApp1 that runs in an Azure App Service plan named ASP1. ASP1 is based on the D1 pricing tier. You need to ensure that WebApp1 can be accessed only from computers on your on-premises network. The solution must minimize costs. What should you configure?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Correct Answer:

Box 1: B1 - B1 (Basic) would minimize cost compared to P1v2 (Premium) and S1 (Standard).
Box 2: Cross Origin Resource Sharing (CORS) - Once you set the CORS rules for the service, a properly authenticated request made against the service from a different domain will be evaluated to determine whether it is allowed according to the rules you have specified.
Note: CORS (Cross Origin Resource Sharing) is an HTTP feature that enables a web application running under one domain to access resources in another domain. In order to reduce the possibility of cross-site scripting attacks, all modern web browsers implement a security restriction known as same-origin policy. This prevents a web page from calling APIs in a different domain. CORS provides a secure way to allow one origin (the origin domain) to call APIs in another origin.
References:
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
https://docs.microsoft.com/en-us/azure/cdn/cdn-cors
NO.365
You purchase a new Azure subscription named Subscription1. You create a virtual machine named VM1 in Subscription1. VM1 is not protected by Azure Backup. You need to protect VM1 by using Azure Backup. Backups must be created at 01:00 and stored for 30 days. What should you do?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: A Recovery Services vault - A Recovery Services vault is an entity that stores all the backups and recovery points you create over time.
Box 2: A backup policy - What happens when I change my backup policy? When a new policy is applied, the schedule and retention of the new policy are followed.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault
https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq
Implement and manage storage
NO.366
You have an Azure virtual machine named VM1 that runs Windows Server 2019. The VM was deployed using default drive settings. You sign in to VM1 as a user named User1 and perform the following actions:
- Create files on drive C.
- Create files on drive D.
- Modify the screen saver timeout.
- Change the desktop background.
You plan to redeploy VM1. Which changes will be lost after you redeploy VM1?
A. the modified screen saver timeout
B. the new desktop background
C. the new files on drive D
D. the new files on drive C
Correct Answer: C
For Windows Server, the temporary disk is mounted as "D:\".
For Linux-based VMs, the temporary disk is mounted as "/dev/sdb1".
Reference: https://www.cloudelicious.net/azure-vms-and-their-temporary-storage
NO.367 *
Your network contains an Active Directory domain named adatum.com and an Azure Active Directory (Azure AD) tenant named adatum.onmicrosoft.com. Adatum.com contains the user accounts in the following table.

Adatum.onmicrosoft.com contains the user accounts in the following table.

You need to implement Azure AD Connect. The solution must follow the principle of least privilege. Which user accounts should you use in Adatum.com and Adatum.onmicrosoft.com to implement Azure AD Connect?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: User5 - In Express settings, the installation wizard asks for the following:
- AD DS Enterprise Administrator credentials
- Azure AD Global Administrator credentials
The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These credentials are only used during the installation and are not used after the installation has completed. The Enterprise Admin, not the Domain Admin, should make sure the permissions in Active Directory can be set in all domains.
Box 2: UserA - Azure AD Global Admin credentials are only used during the installation and are not used after the installation has completed. They are used to create the Azure AD Connector account used for synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions
NO.368 **
You have an Azure subscription that contains the virtual machines shown in the following table:

VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections. Subnet1 and Subnet2 are in a virtual network named VNET1. The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules. NSG2 uses the default rules and the following custom incoming rule:
- Priority: 100
- Name: Rule1
- Port: 3389
- Protocol: TCP
- Source: Any
- Destination: Any
- Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Answer is correct.
No, Yes, Yes.
No: Subnet1 has default rules, which deny any inbound port. VM1 is in Subnet1.
Yes: VM2 has a custom rule allowing the RDP port / Subnets without Network Security Groups (NSGs) do not block RDP traffic by default on Azure.
Yes: VM1 and VM2 are in the same VNet; by default, communication is allowed.
NO.369
You have an Azure subscription that contains the resources in the following table.

VM1 and VM2 are deployed from the same template and host line-of-business applications accessed by using Remote Desktop. You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit tab.)

You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80. What should you do?
A. Change the DenyWebSites outbound security rule.
B. Change the Port_80 inbound security rule.
C. Disassociate the NSG from a network interface.
D. Associate the NSG to Subnet1.
Suggested Answer: D
You can associate or dissociate a network security group from a network interface or subnet. The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
References: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
NO.370
Your company registers a domain name of contoso.com. You create an Azure DNS zone named contoso.com, and then you add an A record to the zone for a host named www that has an IP address of 131.107.1.10. You discover that Internet hosts are unable to resolve www.contoso.com to the 131.107.1.10 IP address. You need to resolve the name resolution issue.
Solution: You create a PTR record for www in the contoso.com zone. Does this meet the goal?
A. Yes
B. No
Suggested Answer: B
Modify the Name Server (NS) record.
References: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
NO.371
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1. You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet. You add a network interface named Interface1 to VM1 as shown in the exhibit. (Click the Exhibit tab.)

From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails. You need to establish a Remote Desktop connection to VM1. What should you do first?
A. Change the priority of the RDP rule.
B. Attach a network interface.
C. Delete the DenyAllInBound rule.
D. Start VM1.
Suggested Answer: D
Incorrect Answers:
A: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. RDP already has the lowest number and thus the highest priority.
B: The network interface has already been added to the VM.
C: The outbound rules are fine.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
D is correct: if the VM were started, it would show the public IPv4 address. Since it's deallocated, it shows just the name of the public IP resource.
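The reasoning in NO.368 (default rules, a subnet NSG versus a NIC NSG) and the point in NO.371 that rules are evaluated in priority order and processing stops at the first match can be checked with a small model. The following Python script is an added example, not part of the original question set and not a Microsoft tool: it encodes Rule1 from NO.368 together with the three default inbound rules every NSG carries, models inbound filtering only (subnet NSG first, then NIC NSG, both must allow), treats a VM's own address as the VirtualNetwork tag, and uses a constructed rule named DenyRdpConstructed to show that a deny at a higher priority number never fires once an earlier rule has matched.

```python
"""Constructed model of inbound NSG rule evaluation (added example, not Azure's engine).

Assumptions: only the service tags used on this page (Any, Internet,
VirtualNetwork, AzureLoadBalancer) are modelled, single destination ports
only, and a VM's own address counts as VirtualNetwork when it is the destination.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int       # lower number = evaluated first
    name: str
    protocol: str       # "TCP", "UDP" or "*" (any)
    port: str           # destination port, or "*" for any
    source: str         # "Any", "Internet", "VirtualNetwork", "AzureLoadBalancer"
    destination: str    # same vocabulary as source
    action: str         # "Allow" or "Deny"


# The three default inbound rules every NSG carries (priorities 65000-65500).
DEFAULT_INBOUND = (
    Rule(65000, "AllowVnetInBound", "*", "*", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "*", "*", "AzureLoadBalancer", "Any", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Any", "Any", "Deny"),
)

# Rule1 exactly as listed in question NO.368.
RULE1 = Rule(100, "Rule1", "TCP", "3389", "Any", "Any", "Allow")

NSG1 = DEFAULT_INBOUND             # default rules only (associated to Subnet1)
NSG2 = (RULE1,) + DEFAULT_INBOUND  # default rules plus Rule1 (associated to VM2's NIC)


def _tag_matches(rule_value: str, flow_value: str) -> bool:
    # "Any" matches everything; otherwise the tag must match literally.
    return rule_value == "Any" or rule_value == flow_value


def evaluate(rules: Iterable[Rule], *, protocol: str, port: str,
             source: str, destination: str) -> Tuple[str, str]:
    """Walk rules in ascending priority; the first match decides and processing stops."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.port not in ("*", port):
            continue
        if not (_tag_matches(rule.source, source) and _tag_matches(rule.destination, destination)):
            continue
        return rule.action, rule.name
    return "Deny", "<no rule matched>"  # unreachable while DenyAllInBound is present


def inbound_allowed(subnet_nsg: Optional[Iterable[Rule]],
                    nic_nsg: Optional[Iterable[Rule]], **flow) -> bool:
    """Inbound traffic is filtered by the subnet NSG first, then by the NIC NSG.

    Both must allow the flow; a level with no NSG associated does not filter.
    """
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and evaluate(nsg, **flow)[0] == "Deny":
            return False
    return True


def question_368() -> Tuple[bool, bool, bool]:
    """The three statements of NO.368: RDP to VM1 from the Internet, RDP to VM2
    from the Internet, and traffic from VM1 to VM2 inside VNET1."""
    rdp = dict(protocol="TCP", port="3389", destination="VirtualNetwork")
    vm1_from_internet = inbound_allowed(NSG1, None, source="Internet", **rdp)   # NSG1 on Subnet1
    vm2_from_internet = inbound_allowed(None, NSG2, source="Internet", **rdp)   # NSG2 on VM2's NIC
    vm1_to_vm2 = inbound_allowed(None, NSG2, source="VirtualNetwork", **rdp)    # intra-VNet
    return vm1_from_internet, vm2_from_internet, vm1_to_vm2


def priority_demo() -> Tuple[str, str]:
    """NO.371's point: a constructed Deny at priority 200 never fires, because
    Rule1 at priority 100 already matched and processing stopped."""
    later_deny = Rule(200, "DenyRdpConstructed", "TCP", "3389", "Any", "Any", "Deny")
    return evaluate((later_deny,) + NSG2, protocol="TCP", port="3389",
                    source="Internet", destination="VirtualNetwork")


if __name__ == "__main__":
    print("NO.368 (No, Yes, Yes expected):", question_368())
    print("NO.371 first match wins:", priority_demo())
```

Running the script reproduces the No, Yes, Yes answer for NO.368: NSG1 has nothing before DenyAllInBound that admits Internet traffic to VM1, Rule1 admits RDP to VM2 from anywhere, and VM1 to VM2 is allowed even without Rule1 via AllowVnetInBound. The model also makes the defensive caveat visible: because the NIC-level Rule1 uses Source: Any, it exposes RDP to the whole Internet, which is exactly the kind of rule a review of NSG configuration should flag.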
NO.372
You have an Azure subscription that contains an Azure Storage account. You plan to copy an on-premises virtual machine image to a container named vmimages. You need to create the container for the planned image. Which command should you run?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Correct Answer: azcopy make 'https://mystorageaccount.blob.core.windows.net/vmimages'
Similar to OS images, a VM image is a collection of metadata and pointers to a set of VHDs (one VHD per disk) stored as page blobs in Azure Storage.
Reference:
azcopy
Create a container or file share represented by the given resource URL.
azcopy make [resourceURL] [flags]
azcopy make "https://[account-name].[blob,file,dfs].core.windows.net/[top-level-resource-name]"
NO.373 **
You have an Azure subscription that contains the resources shown in the following table:

You assign a policy to RG6 as shown in the following table:

To RG6, you apply the tag: RGroup: RG6. You deploy a virtual network named VNET2 to RG6. Which tags apply to VNET1 and VNET2?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:
Correct answer is: VNET1 will only have the Department: D1 tag, and VNET2 will only have the Label: Value1 tag.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
NO.374 **
You have an Azure subscription that contains a virtual network named VNet1. VNet1 has two subnets named Subnet1 and Subnet2. VNet1 is in the West Europe Azure region. The subscription contains the virtual machines in the following table.

You need to deploy an application gateway named AppGW1 to VNet1. What should you do first?
A. Add a service endpoint.
B. Add a virtual network.
C. Move VM3 to Subnet1.
D. Stop VM1 and VM2.
Suggested Answer: C
If you have an existing virtual network, either select an existing empty subnet or create a new subnet in your existing virtual network solely for use by the application gateway. Verify that you have a working virtual network with a valid subnet. Make sure that no virtual machines or cloud deployments are using the subnet. The application gateway must be by itself in a virtual network subnet.
References:
https://social.msdn.microsoft.com/Forums/azure/en-US/b09367f9-5d01-4cda-9127-b7a506a0a151/cant-create-application-gateway?forum=WAVirtualMachinesVirtualNetwork
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway
NO.375
You have an Azure subscription named Subscription1 that contains the resources shown in the following table:

You plan to configure Azure Backup reports for Vault1. You are configuring the Diagnostics settings for the AzureBackupReports log. Which storage accounts and which Log Analytics workspaces can you use for the Azure Backup reports of Vault1?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answers

Box 1: storage3 only - Vault1 and storage3 are both in West Europe.
Box 2: Analytics3 - Vault1 and Analytics3 are both in West Europe.
Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-configure-reports
NO.376 **
You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage. You need to use AzCopy to copy data to the blob storage and file storage in storage1. Which authentication method should you use for each type of storage?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.
Box 1: Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.
Box 2: Only Shared Access Signature (SAS) token is supported for File storage.
Authorize AzCopy
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.
Use this table as a guide:
| Storage type | Currently supported method of authorization |
|---|---|
| Blob storage | Azure AD & SAS |
| Blob storage (hierarchical namespace) | Azure AD & SAS |
| File storage | SAS only |
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
NO.377 **
You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following configurations:
- Operating system: Windows Server 2016
- Size: Standard_D1_v2
You run the get-azvmss cmdlet as shown in the following exhibit:

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

Explanation
The Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.
Box 1: 0
The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.
Box 2: 1
The official website clearly states: "The upgrade orchestrator identifies the batch of VM instances to upgrade, with any one batch having a maximum of 20% of the total instance count, subject to a minimum batch size of one virtual machine. There is no minimum scale set size requirement and scale sets with 5 or fewer instances will have 1 VM per upgrade batch (minimum batch size)." So 20% of 4 rounds to 1.
Reference:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
NO.378 *
You have an Azure App Services web app named App1. You plan to deploy App1 by using Web Deploy. You need to ensure that the developers of App1 can use their Azure AD credentials to deploy content to App1. The solution must use the principle of least privilege. What should you do?
A. Assign the Owner role to the developers
B. Configure app-level credentials for FTPS
C. Assign the Website Contributor role to the developers
D. Configure user-level credentials for FTPS
B is wrong because:
"To secure app deployment from a local computer, Azure App Service supports two types of credentials for local Git deployment and FTP/S deployment. These credentials are not the same as your Azure subscription credentials."
https://learn.microsoft.com/en-us/azure/app-service/deploy-configure-credentials?tabs=cli
Correct is C.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor
Microsoft.Resources/deployments/* - Create and manage a deployment
Then I copy/paste the whole question with the answers and the answer is: The correct answer is C: Assign the Website Contributor role to the developers.
By assigning the Website Contributor role to the developers, you can ensure that they have the appropriate permissions to deploy content to the web app using Web Deploy. The Website Contributor role provides users with the ability to deploy content and manage files for the web app, which is sufficient for deploying content using Web Deploy.
Configuring user-level credentials for FTPS (Option D) would not be appropriate in this scenario, as you want to use Web Deploy, not FTPS.
Assigning the Owner role (Option A) would provide the developers with more permissions than they need, and is not the principle of least privilege.
Configuring app-level credentials for FTPS (Option B) would not be appropriate in this scenario, as you want to use Web Deploy, not FTPS.
NO.379 *
You plan to back up an Azure virtual machine named VM1. You discover that the Backup Pre-Check status displays a status of Warning. What is a possible cause of the Warning status?
A. VM1 is stopped.
B. VM1 does not have the latest version of WaAppAgent.exe installed.
C. VM1 has an unmanaged disk.
D. A Recovery Services vault is unavailable.
Suggested Answer: B
The Warning state indicates one or more issues in the VM's configuration that might lead to backup failures and provides recommended steps to ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this class of issues.
References: https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks/
NO.380 **
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table.

VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2. An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1. You need to move the custom application to VNet2. The solution must minimize administrative effort. Which two actions should you perform?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.Hot Area:

Suggested Answer:

We cannot just move a virtual machine between networks. What we need to do is identify the disk used by the VM, delete the VM itself while retaining the disk, and recreate the VM in the target virtual network and then attach the original disk to it.
Reference:
https://blogs.technet.microsoft.com/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-vnet-on-azure/
https://4sysops.com/archives/move-an-azure-vm-to-another-virtual-network-vnet/#migrate-an-azure-vm-between-vnets
NO.381
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts. Does that meet the goal?
A. Yes
B. No
Answer is B.
Looks like the question was definitely reworded at some point, messing up the answer voting and comments. Global admins won't automatically get the global admin role in a newly created tenant; the owner needs to grant the permission anew.
https://learn.microsoft.com/en-us/answers/questions/1163804/need-clear-understanding-on-the-permissions-global
Solution: You instruct User3 to create the user accounts.
(A). Yes
(B). No
Answer: B
Only a global administrator can add users to this tenant.
Reference: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad
NO.382
You have an Azure policy as shown in the following exhibit.

What is the effect of the policy?
A. You are prevented from creating Azure SQL Servers in ContosoRG1 only.
B. You can create Azure SQL servers in ContosoRG1 only.
C. You can create Azure SQL servers in any resource group within Subscription1.
D. You are prevented from creating Azure SQL servers anywhere in Subscription1.
Suggested Answer: A
You are prevented from creating Azure SQL servers anywhere in Subscription1, with the exception of ContosoRG1.
NO.383
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers. You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines. You need to ensure that visitors are serviced by the same web server for each request. What should you configure?
A. Idle Time-out (minutes) to 20
B. Floating IP (direct server return) to Disabled
C. Floating IP (direct server return) to Enabled
D. Session persistence to Client IP and protocol
Suggested Answer: D
You can set sticky sessions in load balancer rules by setting the session persistence to Client IP and protocol. Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the same VM.
References: https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/
NO.384
You have an Azure subscription that contains the resources shown in the following table.

You need to configure a proximity placement group for VMSS1. Which proximity placement groups should you use?
A. Proximity2 only
B. Proximity1, Proximity2, and Proximity3
C. Proximity1 only
D. Proximity1 and Proximity3 only
Suggested Answer: A
The resource group location of VMSS1 is the RG2 location, which is West US. Only Proximity2, which is also in RG2, is located in West US.
Reference: https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups/
NO.385 **
Your on-premises network contains a VPN gateway. You have an Azure subscription that contains the resources shown in the following table.

You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network.
What should you configure?
(A). service endpoints
(B). Azure Active Directory (Azure AD) Application Proxy
(C). a network security group (NSG)
(D). Azure Virtual WAN
Answer: A
I believe it should be A "Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. "
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
NO.386 **
Your network is configured as shown in the following exhibit.

The firewalls are configured as shown in the following table.

Prod1 contains a vCenter server. You install an Azure Migrate Collector on Test1. You need to discover the virtual machines. Which TCP port should be allowed on each firewall?
To answer, drag the appropriate ports to the correct firewalls. Each port may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.Select and Place:

Suggested Answer:

FW1: Outbound 443 - The Collector communicates with the Azure Migrate service over SSL on port 443.
FW2: Outbound 443 - The Collector must be able to communicate with the vCenter Server. By default, it connects to vCenter on port 443.
Note: The collector communicates as summarized in the following diagram.

References: https://docs.microsoft.com/en-us/azure/migrate/concepts-collector
NO.387
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)

No devices are connected to VNet1. You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of 10.2.0.0/16. You need to create the peering. What should you do first?
A. Configure a service endpoint on VNet2.
B. Add a gateway subnet to VNet1.
C. Create a subnet on VNet1 and VNet2.
D. Modify the address space of VNet1.
Suggested Answer: D
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of 10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to change the address space for VNet1.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
NO.388
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1. You need to deploy a YAML file to AKS1.
Solution: From Azure Cloud Shell, you run az aks.
Does this meet the goal?
A. Yes
B. No
Suggested Answer: B
To deploy a YAML file, the command is: kubectl apply -f <file_name>.yaml
Reference: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
Solution: From the Azure CLI, you run the kubectl client.
Does this meet the goal?
(A). Yes
(B). No
Answer: B
Installing the Azure CLI doesn't mean that the Kubernetes client is installed. So before running a kubectl client command, you have to install kubectl, the Kubernetes command-line client. First you need to run az aks install-cli to install the Kubernetes CLI, which is kubectl.
Reference: https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest
NO.389 **
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1. An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com. You need to ensure that access to AKS1 can be granted to the contoso.com users. What should you do first?
A. From contoso.com, modify the Organization relationships settings.
B. From contoso.com, create an OAuth 2.0 authorization endpoint.
C. Recreate AKS1.
D. From AKS1, create a namespace.
Suggested Answer: B
Reference: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Answer B is correct.
Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol.
https://docs.microsoft.com/en-us/azure/aks/managed-aad
Answer: B
With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster.
To obtain a kubectl configuration context, a user can run the az aks get-credentials command.
When a user then interacts with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD credentials.
This approach provides a single source for user account management and password credentials. The user can only access the resources as defined by the cluster administrator.
Azure AD authentication is provided to AKS clusters with OpenID Connect.
OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol.
For more information on OpenID Connect, see the OpenID Connect documentation.
From inside of the Kubernetes cluster, Webhook Token Authentication is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster.

Reference:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
https://docs.microsoft.com/en-us/azure/aks/concepts-identity
NO.390
You have an Azure virtual machine named VM1. The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only. You need to ensure that users can connect to the website from the Internet. What should you do?
A. Modify the protocol of Rule4
B. Delete Rule1
C. For Rule5, change the Action to Allow and change the priority to 401
D. Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.
Answer: C
Rule 2 is blocking HTTPS access (port 443) and has a priority of 500.
Changing Rule 5 (ports 50-5000) to Allow and giving it a lower priority number will allow access on port 443.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
NO.391 **
You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one subnet named Subnet1. Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool. You need to collect data about the IP addresses that connect to ILB1. You must be able to run interactive queries from the Azure portal against the collected data. What should you do?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.Hot Area:

Suggested Answer:

Box 1: An Azure Log Analytics workspace - In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions.
Box 2: ILB1
Reference:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics
NO.392 **
You plan to deploy route-based Site-to-Site VPN connections between several on-premises locations and an Azure virtual network. Which tunneling protocol should you use?
A. IKEv1
B. PPTP
C. IKEv2
D. L2TP
Suggested Answer: C
A Site-to-Site (S2S) VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. IKEv2 supports 10 S2S connections, while IKEv1 only supports 1.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
NO.393
You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture. Does this meet the goal?
A. Yes
B. No
Suggested Answer: A
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communications, and much more.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Solution: From Azure Monitor, you create a metric on Network in and Network Out. Does this meet the goal?
(A). Yes
(B). No
Answer: B
You should use Azure Network Watcher.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
NO.394
You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Performance Monitor, you create a Data Collector Set (DCS).
Does this meet the goal?
(A). Yes
(B). No
Answer: B
Network Performance Monitor allows you to monitor connectivity and latencies across hybrid network architectures, ExpressRoute circuits, and service/application endpoints. With a data collector set we can count specified network traffic, but we cannot inspect it.
For this we would need a network watcher Packet Capture.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor
NO.395 **
You have an Azure subscription that contains two virtual machines as shown in the following table.

You perform a reverse DNS lookup for 10.0.0.4 from VM2. Which FQDN will be returned?
A. vm1.core.windows.net
B. vm1.azure.com
C. vm1.westeurope.cloudapp.azure.com
D. vm1.internal.cloudapp.net
Suggested Answer: D
- All PTR queries for IP addresses of virtual machines will return FQDNs of the form [vmname].internal.cloudapp.net.
- A forward lookup on FQDNs of the form [vmname].internal.cloudapp.net will resolve to the IP address assigned to the virtual machine.
- If the virtual network is linked to an Azure DNS private zone as a registration virtual network, the reverse DNS queries will return two records. One record will be of the form [vmname].[privatednszonename] and the other will be of the form [vmname].internal.cloudapp.net.

NO.396
Same question as NO.390.
NO.397
You have web apps in the West US, Central US and East US Azure regions. You have the App Service plans shown in the following table.

You plan to create an additional App Service plan named ASP5 that will use the Linux operating system. You need to identify in which of the currently used locations you can deploy ASP5. What should you recommend?
A. West US, Central US, or East US
B. Central US only
C. East US only
D. West US only
Suggested Answer: A
Reference: https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage
NO.398 **
You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table.

You need to modify the JobTitle and UsageLocation attributes for the users. For which users can you modify the attributes from Azure AD? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.Hot Area:

Suggested Answer:

Box 1: User1 and User3 only - You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory.
Box 2: User1, User2, and User3 - Usage location is an Azure property that can only be modified from Azure AD (for all users, including Windows Server AD users synced via Azure AD Connect).
NO.399 **
Your network contains an on-premises Active Directory forest named contoso.com that contains two domains named contoso.com and east.contoso.com. The forest contains the users shown in the following table.

You plan to sync east.contoso.com to an Azure Active Directory (Azure AD) tenant by using Azure AD Connect. You need to select an account for Azure AD Connect to use to connect to the forest. Which account should you select?
(A). User1
(B). User2
(C). User3
(D). User4
Answer: D
It is no longer supported to use an enterprise admin or a domain admin account as the AD DS Connector account.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accountspermissions
Your network contains an on-premises Active Directory forest named contoso.com. The forest contains the following domains:
- Contoso.com
- East.contoso.com
The forest contains the users shown in the following table.

The forest syncs to an Azure Active Directory (Azure AD) tenant named contoso.com as shown in the exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: Yes - The UPN of user1 is user1@contoso.com, so he can authenticate to Azure AD by using the username user1@contoso.com.
Box 2: No - The UPN of user2 is user2@east.contoso.com, so he cannot authenticate to Azure AD by using the username user2@contoso.com.
Box 3: No - The UPN of user3 is user3@fabrikam.com, so he cannot authenticate to Azure AD by using the username user3@contoso.com.
by Gus01 at May 4, 2021, 11:31 p.m.
NO.400
You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit:

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: 10 years - The yearly backup point occurs on 1 March and its retention period is 10 years.
Box 2: 36 months - The monthly backup point occurs on the 1st of every month and its retention period is 36 months.
by Ankigupta at Dec. 8, 2020, 9:10 p.m.