Microsoft

AZ-303
Exam Name:
Microsoft Azure Architect Technologies

Questions & Answers

(Retail Version – Full Questions Set)
 Product Questions: 208
Version: 12.0
Topic 1, Contoso, Ltd

Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner
organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:

File servers
Domain controllers
Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client
computers are joined to Active Directory.

You have a public-facing application named App1. App1 is comprised of the following three tiers:

A SQL database
A web front end
A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes
Contoso plans to implement the following changes to the infrastructure:

Move all the tiers of App1 to Azure.

Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements
Contoso must meet the following technical requirements:

Move all the virtual machines for App1 to Azure.

Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.

Page | 2
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile
phone to verify their identity.
Minimize administrative effort whenever possible.

User Requirements
Contoso identifies the following requirements for users:

Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service administrator of the Azure subscription.
Ensure that a new user named User3 can create network objects for the Azure subscription.

Question: 1

You need to meet the user requirement for Admin1.

What should you do?

A. From the Subscriptions blade, select the subscription, and then modify the Properties.
B. From the Subscriptions blade, select the subscription, and then modify the Access control (IAM)
settings.
C. From the Azure Active Directory blade, modify the Properties.
D. From the Azure Active Directory blade, modify the Groups.

Answer: A

Explanation:
Change the Service administrator for an Azure subscription

Sign in to Account Center as the Account administrator.

Select a subscription.
On the right side, select Edit subscription details.

Scenario: Designate a new user named Admin1 as the service administrator of the Azure
subscription.

References: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-
administrator

Question: 2

You need to move the blueprint files to Azure.

What should you do?

A. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File
Explorer.
B. Use the Azure Import/Export service.
C. Generate an access key. Map a drive, and then copy the files by using File Explorer.
D. Use Azure Storage Explorer to copy the files.

Page | 3
 Answer: D

Explanation:
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data
on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob
storage.

Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage.
Technical Requirements include: Copy the blueprint files to Azure over the Internet.

References: https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-
process/move-data-to-azure-blob-using-azure-storage-explorer

Question: 3

You need to implement a backup solution for App1 after the application is moved.
What should you create first?

A. a recovery plan
B. an Azure Backup Server
C. a backup policy
D. a Recovery Services vault

Answer: D

Explanation:
A Recovery Services vault is a logical container that stores the backup data for each protected
resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a
recovery point inside the Recovery Services vault.

Scenario:
There are three application tiers, each with five virtual machines.
Move all the virtual machines for App1 to Azure.
Ensure that all the virtual machines for App1 are protected by backups.

References: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

Question: 4

HOTSPOT

You need to recommend a solution for App1. The solution must meet the technical requirements.
What should you include in the recommendation? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Page | 4
 Answer:

Explanation:

Box 1: 3
One virtual network for every tier

Box 2: 1
Only one subnet for each tier, to minimize the number of open ports.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three
tiers:

A SQL database
A web front end
A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.

Question: 5
HOTSPOT

Page | 5
You need to configure the Device settings to meet the technical requirements and the user
requirements.

Which two settings should you modify? To answer, select the appropriate settings in the answer area.

Answer:

Page | 6
Explanation:

Box 1: Selected
Only selected users should be able to join devices

Box 2: Yes
Require Multi-Factor Auth to join devices.

From scenario:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile
phone to verify their identity.

Question: 6

You need to recommend an identify solution that meets the technical requirements.

What should you recommend?

Page | 7
A. federated single-on (SSO) and Active Directory Federation Services (AD FS)
B. password hash synchronization and single sign-on (SSO)
C. cloud-only user accounts
D. Pass-through Authentication and single sign-on (SSO)

Answer: D

Explanation:
Active Directory Federation Services is a feature and web service in the Windows Server Operating
System that allows sharing of identity information outside a company’s network.

Scenario: Technical Requirements include:

Prevent user passwords or hashes of passwords from being stored in Azure.

References: https://www.sherweb.com/blog/active-directory-federation-services/

Question: 7

You are planning the move of App1 to Azure.

You create a network security group (NSG).

You need to recommend a solution to provide users with access to App1.

What should you recommend?

A. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the
subnets.
B. Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the
subnets.
C. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet
that contains the web servers.
D. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet
that contains the web servers.

Answer: C

Explanation:
As App1 is public-facing we need an incoming security rule, related to the access of the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three
tiers: a SQL database, a web front end, and a processing middle tier.
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Question: 8

HOTSPOT

You need to identify the storage requirements for Contoso.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Page | 8
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Box 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for
these.

Box 2: No

Box 3: No

Topic 2, Litware inc.

Case Study

This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on
this exam. You must manage your time to ensure that you are able to complete all questions included
on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is
provided in the case study. Case studies might contain exhibits and other resources that provide
more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your
answers and to make changes before you move to the next section of the exam. After you begin a
new section, you cannot return to this section.

Page | 9
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane
to explore the content of the case study before you answer the questions. Clicking these buttons
displays information such as business requirements, existing environment, and problem statements.
If the case study has an All Information tab, note that the information displayed is identical to the
information displayed on the subsequent tabs. When you are ready to answer a question, click the
Question button to return to the question.

Overview. General Overview

Litware, Inc. is a medium-sized finance company. Litware recently acquired a financial services
company named Fabrikam, Ltd.

Overview. Physical Locations

Litware has a datacenter in Boston. Fabrikam has a datacenter in San Francisco.

Existing Environment. Identity Environment

The network of Litware contains an Active Directory forest named Litware.com that syncs to an Azure
Active Directory (Azure AD) tenant named Litware.com by using Azure AD Connect.

Azure AD Seamless Single Sign-on (Azure AD Seamless SSO) is enabled for the Litware.com tenant.

Users at Litware have a UPN suffix of Litware.com

Litware has an internal certification authority (CA) that is trusted by all devices.

The network of Fabrikam contains an Active Directory forest named fabrikam.com. Users at Fabrikam
have a UPN suffix of fabrikam.com.

Existing Environment. Azure Environment

Litware has an Azure subscription named Sub1 that is linked to the Litware.com tenant. Sub1
contains the resources shown in the following table.

Litware has Azure Resource Manager (ARM) templates that deploy Azure Policy definitions and
assignments to a management group.

Fabrikam does NOT have an Azure environment.

Existing Environment. On-Premises Environment

Page | 10
The on-premises network of Litware contains the resources shown in the following table.

The on-premises network of Fabrikam contains a domain member server named SERVER1 that runs
Windows Server 2019.

Existing Environment. Network Environment

Litware has a site-to-site VPN connection to VNet1.

The Litware and Fabrikam datacenters are not connected.

Requirements. Planned Changes

Litware plans to implement the following changes:

Establish a trust relationship between the Litware and Fabrikam forests.

Migrate data from the on-premises NoSQL datastores to Azure Table storage.
Containerize WebApp1 and deploy the app to an Azure Kubernetes Service (AKS) cluster on VNet1.
Create an Azure blueprint named BP1 and use the blueprint to provision a resource group named
RG1.

Requirements. Deployment Requirements

Litware identifies the following deployment requirements:

The existing ARM templates must be used for deployments to Sub1.

WebApp1 must be deployed to the AKS cluster without having to change the source code.
Requirements. Authentication and Authorization Requirements

Litware identifies the following authentication and authorization requirements:

The Fabrikam users must be able to authenticate to the Litware.com tenant by using Azure AD
Seamless SSO.
The Fabrikam users and the Litware users must be able to manage the Azure resources in Sub1.
Company policy must prohibit the creation of guest user accounts in the Litware.com tenant.
You must be able to configure deny permissions for RG1 and for the resources in RG1.
WebApp1 running on the AKS cluster must be able to retrieve secrets from KV1.

Requirements. Security Requirements

Litware identifies the following security requirements:

On-premises Litware users must access KVI by using the private IP address of the key vault.
Azure virtual machines must have all their disks encrypted, including the temporary disks.
Azure Storage must encrypt all data by using keys issued by the internal CA of Litware.
Inbound HTTPS traffic to WebApp1 must be inspected for SQL injection attacks.
The principle of least privilege must be used.

Page | 11
Question: 9
You need to ensure that the NoSQL data is encrypted. The solution must meet the security
requirements.

What should you do first?

A. Upgrade storage2 to StorageV2 (general purpose v2).

B. Create a new general-purpose v2 storage account.
C. Create a new Azure Blob storage account.
D. Modify the Encryption settings of storage2.

Answer: B

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/account-encryption-key-
create?toc=%2Fazure%2Fstorage%2Ftables%2Ftoc.json&tabs=portal

Question: 10

You need to ensure that you can implement Azure AD Seamless SSO for Fabrikam. The solution must
meet the following requirements:

Support the planned changes.

Meet the authentication and authorization requirements.

What should you do?

A. Create a new Azure AD tenant named fabrikam.com

B. From the Fabrikam forest, configure an additional UPN suffix of Litware.com.
C. From the Fabrikam forest, configure all users to have a UPN suffix ofLitware.com.
D. From the Litware.com tenant, add a custom domain named fabrikam com.

Answer: D

Question: 11

DRAG DROP

You need to ensure that the virtual machine disks are encrypted. The solution must meet the security
requirements.

Which three actions should you perform in Sub1 in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct order.

Page | 12
 Answer:

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-
portal

Question: 12
You need to configure Azure AD Seamless SSO for Fabrikam. The solution must meet the
authentication and authorization requirements.

What should you install first?

A. the Azure AD Connect provisioning agent on SERVER1

B. the Azure AD Connect provisioning agent on DC1
C. Azure AD Connect in staging mode on SERVER1
D. an Azure AD Connect primary server on SERVER1

Answer: A

Explanation:
The Litware and Fabrikam datacenters are not connected.
Azure AD Connect Cloud Sync provides support for synchronizing to an Azure AD tenant from a multi-
forest disconnected Active Directory forest environment.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync

Question: 13

You migrate WebApp1 to Azure.

You need to implement a traffic filtering solution for WebApp1. The solution must meet the security
requirements.

What should you do?

A. Configure the Threat intelligence settings for FW1.

B. Deploy an Azure Application Gateway to VNet1.
C. Deploy Azure Bastion to VNet1

Page | 13
D. Configure an inbound rule on FW1.

Answer: B

Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/overview

Question: 14

HOTSPOT

You need to recommend a solution to provide KV1 with access to the on-premises network of
Litware. The solution must meet the security requirements.

What should you include in the recommendation? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Answer:

Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal

Question: 15
You create and publish the BP1 blueprint.

You need to ensure that you can use BP1 to configure permissions for RG1. The solution must meet
the authentication and authorization requirements.

What should you do?

A. Add a read-only resource lock to Sub1.

B. Assign an Azure role-based access control (Azure RBAC) role to Sub1.
C. Assign an Azure role-based access control (Azure RBAC) role to BP1.
D. Select the Read Only blueprint lock mode for the BP1 assignment.

Page | 14
 Answer: C

Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

Question: 16

HOTSPOT

You plan to migrate WebApp1 to Azure.

You need to implement the AKS cluster that will host WebApp1. The solution must meet the
deployment requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Reference:
https://docs.microsoft.com/en-us/azure/aks/concepts-network

Question: 17

You migrate WebApp1 to Azure.

You need to configure the AKS cluster to enable WebApp1 to access KV1. The solution must meet the
authentication and authorization requirements.

Page | 15
What should you do?

A. Configure Azure role-based access control (Azure R8AQ for Kubernetes Authorization.
B. Configure a pod-managed identity.
C. Implement pod security policies.
D. Implement the Secrets Store CSl Driver.

Answer: B

Topic 3, Misc. Questions

Question: 18

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company is deploying an on-premises application named Appl. Users will access App1 by using
a URL of https://app1.contoso.com. You register App1 in Azure Active Directory (Azure AD) and
publish App1 by using the Azure AD Application Proxy. You need to ensure that App1 appears in the
My Apps portal for all the users.

Solution: You configure the delegated permission for App1 in Azure AD.
Does this meet the goal?

A. Yes
B. No

Answer: A

Question: 19

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company is deploying an on-premises application named Appl. Users will access App1 by using
a URL of https://app1.contoso.com. You register App1 in Azure Active Directory (Azure AD) and
publish Appl by using the Azure AD Application Proxy. You need to ensure that Appl appears in the
My Apps portal for all the users.

Solution: You create an offer for App1 and publish the offer to Azure Marketplace.

A. Yes
B. No

Page | 16
 Answer: A

Question: 20

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company is deploying an on-premises application named Appl. Users will access App1 by using
a URL of https://app1.contoso.com. You register App1 in Azure Active Directory (Azure AD) and
publish Appl by using the Azure AD Application Proxy. You need to ensure that Appl appears in the
My Apps portal for all the users.

Solution: You create a conditional access policy for App1.

A. Yes
B. No

Answer: B

Explanation:
Instead you modify User and Groups for App1.

Reference:
https://cloud.google.com/architecture/identity/integrating-google-services-and-apps-with-azure-ad-
portal#adding_links

Question: 21

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it As a result, these
questions will not appear in the review screen.
You have an Azure Active Directory {Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin
center and discovers that the Access reviews settings are unavailable. Admin 1 discovers that all the
other Identity Governance settings are available.
Admin1 is assigned The User administrator. Compliance administrator, and Security administrator
roles.
You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You assign the Global administrator role to Admin1.
Does this meet the goal?

A. Yes
B. No

Answer: B

Page | 17
Explanation:
Instead use Azure AD Privileged Identity Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that
you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles

References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-
configure

Question: 22

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin
center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the
other Identity Governance settings are available.

Admin1 is assigned the User administrator, Compliance administrator, and Security administrator
roles.

You need to ensure that the Admin1 can create access reviews in contoso.com.

Solution: You purchase an Azure Directory Premium P2 license for contoso.com.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead use Azure AD Privileged Identity Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that
you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles

References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-
configure

Question: 23

Page | 18
Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin
center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the
other Identity Governance settings are available.

Admin1 is assigned the User administrator, Compliance administrator, and Security administrator
roles.

You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You create an access package.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
You do not use access packages for Identity Governance. Instead use Azure AD Privileged Identity
Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that
you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles

References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-
configure

https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-
overview

Question: 24

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Page | 19
You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin
center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the
other Identity Governance settings are available.

Admin1 is assigned the User administrator, Compliance administrator, and Security administrator
roles.

You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You assign the Service administrator role to Admin1.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead use Azure AD Privileged Identity Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that
you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles

References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-
configure

Question: 25

You have an Azure SQL database named Db1 that runs on an Azure SQL server named SQLserver1.

You need to ensure that you can use the query editor on the Azure portal to query Db1.

What should you do?

A. Modify the Advanced Data Security settings of Db1

B. Configure the Firewalls and virtual networks settings for SQLserver1
C. Copy the ADO.NET connection string of Db1 and paste the string to the query editor
D. Approve private endpoint connections for SQLserver1

Answer: B

Reference:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-connect-query-portal

Question: 26

Page | 20
HOTSPOT
You have an Azure subscription that contains the Azure SQL servers shown in the following table.

The subscription contains the elastic pool shown in the following table.

The subscription contains the Azure SQL databases shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:

Page | 21
Explanation:

Note: You cannot add databases from different servers into the same pool

Box 1: Yes
Pool2 contains DB2 but DB1 and DB2 are on Sql1. DB1 can thus be added to Pool2.

Box 2: Yes
Pool3 is empty.

Box 3: Yes
Pool1 contains DB1 but DB3 and DB1 are on Sql1. DB3 can thus be added to Pool1.

References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-pool

Question: 27
HOTSPOT

You have the Azure SQL Database servers shown in the following table.

You have the Azure SQL databases shown in the following table.

You create a failover group named failover1 that has the following settings:
• Primary server: sqlserver1
• Secondary server: sqlserver2
• Read/Write failover policy: Automatic
• Read/Write grace period (hours): 1 hour

Page | 22
 Answer:

Explanation:

Box 1: Yes
DB1 is on the primary server

Box 2: No
DB3 is on the secondary server.

You can put all or several databases within an elastic pool into the same failover group.

Box 3: No
A failover group is a named group of databases managed by a single server or within a managed
instance that can fail over as a unit to another region in case all or some primary databases become
unavailable due to an outage in the primary region.

The secondary cannot be in the same region as the primary.

Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/auto-failover-group-overview

Question: 28
Your company plans to develop an application that will use a NoSQL database. The database will be
used to store transactions and customer information by using JSON documents. Which two Azure
Cosmos DB APIs can developers use for the application? Each correct answer presents a complete
solution. NOTE: Each correct selection is worth one point.

A. Cassandra
B. Gremlin (graph)
C. MongoDB
D. Azure Table
E. Core (SQL)

Page | 23
 Answer: B, E

Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/faq

Question: 29

You have two Azure SQL Database managed instances in different Azure regions.
You plan to configure the managed instances in an instance failover group.
What should you configure before you can add the managed instances to the instance failover group?

A. Azure Private Link that has endpoints on two virtual networks

B. an internal Azure Load Balancer instance that has managed instance endpoints in a backend pool
C. an Azure Application Gateway that has managed instance endpoints in a backend pool
D. a Site-to-Site VPN between the virtual networks that contain the instances

Answer: D

Explanation:
For two managed instances to participate in a failover group, there must be either ftoute or a
gateway configured between the virtual networks of the two managed instances to allow network
communication.
You create the two VPN gateways and connect them.
Create the gateway for the virtual network of your primary managed instance using the Azure portal.
Create the gateway for the virtual network of your secondary managed instance using the Azure
portal.
Create a bidirectional connection between the two gateways of the two virtual networks.

Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/failover-group-add-instance-
tutorial?tabs=azure-portal#4---create-a-primary-gateway

Question: 30

You have an Azure Cosmos DB account named Account1. Account1 includes a database named DB1
that contains a container named Container 1. The partition key tor Container1 is set to /city.

You plan to change the partition key for Container1

What should you do first?

A. Delete Container1
B. Create a new container in DB1 account.
C. Regenerate the keys for Account1.
D. Implement the Azure CosmosDB.NET SDK

Answer: B

Explanation:
The good news is that there are two features, the Change Feed Processor and Bulk Executor Library,
in Azure Cosmos DB that can be leveraged to achieve a live migration of your data from one
container to another. This allows you to re-distribute your data to match the desired new partition
key scheme, and make the relevant application changes afterwards, thus achieving the effect of

Page | 24
“updating your partition key”.

Reference:
https://devblogs.microsoft.com/cosmosdb/how-to-change-your-partition-key/

Question: 31

HOTSPOT

From Azure Cosmos DB, you create the containers shown in the following table.

You add the following item to Container1.

You plan to add items to Azure Cosmos DB as shown in the following table.

You need to identify which items can be added successfully to Container1 and Container2.

Page | 25
What should you identify for each container? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Answer:

Page | 26
Question: 32

You have the virtual machines shown in the following table.

You deploy an Azure bastion named Bastion1 to VNET1.

To which virtual machines can you connect by using Bastion1?

A. VM1 only
B. VM1 and VM2 only
C. VM2 and VM3 only
D. VM1, VM2, and VM3

Answer: A

Explanation:
Connect to a VM through Azure Bastion.
When you click on Connect in an Azure VM, you have an additional option called Bastion. In order to
get this option, the Azure VM must belong to the same virtual network as the Azure Bastion.

Reference:
https://www.starwindsoftware.com/blog/overview-of-microsoft-azure-bastion

Question: 33

You have an Azure subscription.

You create a custom role in Azure by using the following Azure Resource Manager template.

Page | 27
You assign the role to a user named User1.

Which action can User1 perform?

A. Delete virtual machines.

B. Create resource groups.
C. Create virtual machines.
D. Create support requests

Answer: D

Explanation:
The "Microsoft.Support/*" operation will allow the user to create support tickets.

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

Question: 34

HOTSPOT
You have a hierarchy of management groups and Azure subscriptions as shown in the following table.

Page | 28
You create the Azure resources shown in the following table.

You assign roles to users as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point

Answer:

Explanation:

Box 1: Yes
You have assigned the role, so you can remove it.

Box 2: Yes
Contributor role: Grants full access to manage all resources, but does not allow you to assign roles in

Page | 29
Azure RBAC.

Box 3: No

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor

Question: 35

You have Azure virtual machines that have Update Management enabled. The virtual machines are
configured as shown in the following table.

You need to ensure that all critical and security updates are applied to each virtual machine every
month. What is the minimum number of update deployments you should create?

A. 4
B. 6
C. 1
D. 2

Answer: A

Explanation:
One for the Windows VMs, and for each type of Linux VM.

Reference:
https://docs.microsoft.com/en-us/azure/automation/update-management/overview

Question: 36

You have an Azure Active Directory (Azure AD) tenant linked to an Azure subscription. The tenant
contains a group named Admins.
You need to prevent users, except for the members of Admins, from using the Azure portal and Azure
PowerShell to access the subscription.

What should you do?

A. From Azure AD, configure the User settings.

B. From the Azure subscription, assign an Azure policy.
C. From Azure AD, create a conditional access policy.
D. From the Azure subscription, configure Access control (IAM).

Answer: C

Page | 30
Explanation:
Typically, you use Conditional Access to control access to your cloud apps. You can also set up policies
to control access to Azure management.

The policy you create applies to all Azure management endpoints, including the following:
Azure portal
Azure Resource Manager provider
Classic Service Management APIs
Azure PowerShell
Visual Studio subscriptions administrator portal
Azure DevOps
Azure Data Factory portal

To create a policy for Azure management, you select Microsoft Azure Management under Cloud apps
when choosing the app to which to apply the policy.

Incorrect Answers:
A: From User Settings you can only restrict access to Azure Portal, not access to Azure Powershell.

Note: Microsoft allows restricting standard user access to Azure Active Directory administration
portal.

1. Log in to Azure portal as Global Administrator

Page | 31
2. Go to Azure Active Directory | User Settings
3. Then click on Yes under Restrict access to Azure AD administration portal

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-
management

https://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/

Question: 37

HOTSPOT
You have an Azure subscription that contains a resource group named RG1.
You have a group named Group1 that is assigned the Contributor role for RG1.
You need to enhance security for the virtual machines in RG1 to meet the following requirements:
• Prevent Group1 from assigning external IP addresses to the virtual machines.
• Ensure that Group1 can establish an RDP connection to the virtual machines through a shared
external IP address.
What should you use to meet each requirement? To answer, select the appropriate options in the
answer are
a. NOTE: Each correct selection is worth one point.

Page | 32
 Answer:

Explanation:

Box 1: Azure Policy

There is a built-in policy in the Azure Policy service that allows you to block public IPs on all NICs of a
VM.

Note: Azure Policy is a powerful tool in your Azure toolbox. It allows you to enforce specific
governance principals you want to see implemented in your environment. Some key examples of
what Azure Policy allows you to do is:

Automatically tag resources

Block VMs from having a public IP
Enforce specific regions
Enforce VM size

Box 2: Azure Bastion

Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access
to your virtual machines directly through the Azure Portal.
Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your
Virtual Network (VNet) using SSL without any exposure through public IP addresses.

Incorrect Answers:
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services
over an optimized route over the Azure backbone network. Endpoints allow you to secure your
critical Azure service resources to only your virtual networks. Service Endpoints enables private IP
addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address
on the VNet.

Page | 33
Reference:
https://blog.nillsf.com/index.php/2019/11/02/using-azure-policy-to-deny-public-ips-on-specific-
vnets/

https://azure.microsoft.com/en-us/services/azure-bastion/

Question: 38

You have Azure virtual machines deployed to three Azure regions. Each region contains a single
virtual network that has four virtual machines on the same subnet. Each virtual machine runs an
application named App1. App1 is accessible by using HTTPS. Currently, the virtual machines are
inaccessible from the internet.
You need to use Azure Front Door to load balance requests for App1 across all the virtual machines.
Which additional Azure service should you provision?

A. a public Azure Load Balancer

B. Azure Traffic Manager
C. an internal Azure Load Balancer
D. Azure Private Link

Answer: C

Explanation:
Can we deploy Azure Load Balancer behind Front Door?
Azure Front Door needs a public VIP or a publicly available DNS name to route the traffic to.
Deploying an Azure Load Balancer behind Front Door is a common use case.

Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq

Question: 39

You create the Azure resources shown in the following table.

You attempt to add a role assignment to a resource group as shown in the following exhibit.

Page | 34
What should you do to ensure that you can assign VM2 the Reader role for the resource group?

A. Modify the Reader role at the subscription level.

B. Configure just in time (JIT) VM access on VM2.
C. Configure Access control (IAM) on VM2.
D. Assign a managed identity to VM2.

Answer: C

Explanation:
After you've configured an Azure resource with a managed identity, you can give the managed
identity access to another resource, just like any security principal.

Use Azure RBAC to assign a managed identity access to another resource

After you've enabled managed identity on an Azure resource, such as an Azure VM or Azure virtual
machine scale set:
Sign in to the Azure portal using an account associated with the Azure subscription under which you
have configured the managed identity.
Navigate to the desired resource on which you want to modify access control. In this example, we are
giving an Azure virtual machine access to a storage account, so we navigate to the storage account.
Select the Access control (IAM) page of the resource, and select + Add role assignment. Then specify
the Role, Assign access to, and specify the corresponding Subscription. Under the search criteria
area, you should see the resource. Select the resource, and select Save.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-
resources/howto-assign-access-portal

Question: 40

You have SQL Server on an Azure virtual machine named SQL1.

You need to automate the backup of the databases on SQL1 by using Automated Backup v2 for the
virtual machines. The backups must meet the following requirements:
• Meet a recovery point objective (RPO) of 15 minutes.

Page | 35
• Retain the backups for 30 days.
• Encrypt the backups at rest.
What should you provision as part of the backup solution?

A. Azure Key Vault

B. an Azure Storage account
C. a Recovery Services vault
D. Elastic Database jobs

Answer: B

Explanation:
An Azure storage account is used for storing Automated Backup files in blob storage. A container is
created at this location to store all backup files. The backup file naming convention includes the date,
time, and database GUID.

Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/automated-backup

Question: 41

You have an Azure Container Registry and an Azure container instance.

You pull an image from the registry, and then update the local copy of the image.
You need to ensure that the updated image can be deployed to the container instance. The solution
must ensure that you can deploy the updated image or the previous version of the image.
What should you do?

A. Run the docker image push command and specify the tag parameter.
B. Run the az image copy command and specify the tag parameter.
C. Run the az aks update command and specify the attach-acr parameter.
D. Run the kubectl apply command and specify the dry-run parameter.

Answer: A

Explanation:
The command 'docker image push' pushes an image or a repository to a registry.

https://docs.docker.com/engine/reference/commandline/image_push/

https://docs.microsoft.com/en-us/cli/azure/ext/image-copy-extension/image

https://docs.microsoft.com/en-us/cli/azure/aks

https://kubernetes.io/docs/reference/kubectl/cheatsheet/#kubectl-apply

Question: 42

HOTSPOT
You have an Azure logic app named App1 and an Azure Service Bus queue named Queue1.
You need to ensure that App1 can read messages from Queue1. App1 must authenticate by using
Azure Active Directory (Azure AD).
What should you do? To answer, select the appropriate options in the answer area.

Page | 36
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

On App1: Turn on the managed identity

To use Service Bus with managed identities, you need to assign the identity the role and the
appropriate scope. The procedure in this section uses a simple application that runs under a
managed identity and accesses Service Bus resources.

Once the application is created, follow these steps:

Go to Settings and select Identity.
Select the Status to be On.
Select Save to save the setting.

On Queue1: Configure Access Control (IAM)

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based
access control (RBAC). Azure Service Bus defines a set of built-in RBAC roles that encompass common
sets of permissions used to access Service Bus entities and you can also define custom roles for
accessing the data.

Assign RBAC roles using the Azure portal

Page | 37
In the Azure portal, navigate to your Service Bus namespace. Select Access Control (IAM) on the left
menu to display access control settings for the namespace. If you need to create a Service Bus
namespace.
Select the Role assignments tab to see the list of role assignments. Select the Add button on the
toolbar and then select Add role assignment.

Reference:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/authenticate-application

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-managed-service-
identity

Question: 43

You have an Azure Kubernetes Service (AKS) cluster named Clus1 in a resource group named RG1.

An administrator plans to manage Clus1 from an Azure AD-joined device.

You need to ensure that the administrator can deploy the YAML application manifest file for a
container application.

You install the Azure CLI on the device.

Which command should you run next?

A. kubectl get nodes

B. az aks install-cli
C. kubectl apply –f app1.yaml
D. az aks get-credentials --resource-group RG1 --name Clus1

Answer: C

Explanation:
kubectl apply –f appl.yaml applies a configuration change to a resource from a file or stdin.

References:
https://kubernetes.io/docs/reference/kubectl/overview/

https://docs.microsoft.com/en-us/cli/azure/aks

Question: 44

You create a container image named Image1 on a developer workstation.

You plan to create an Azure Web App for Containers named WebAppContainer that will use Image1.
You need to upload Image1 to Azure. The solution must ensure that WebAppContainer can use
Image1.
To which storage type should you upload Image1?

A. Azure Container Registry

B. an Azure Storage account that contains a blob container
C. an Azure Storage account that contains a file share
D. Azure Container Instances

Page | 38
 Answer: A

Explanation:
Configure registry credentials in web app.
App Service needs information about your registry and image to pull the private image. In the Azure
portal, go to Container settings from the web app and update the Image source, Registry and save.

References:
https://docs.microsoft.com/en-us/azure/devops/pipelines/targets/webapp-on-container-linux

Question: 45

You have an Azure Service Bus and two clients named Client1 and Client2.

You create a Service Bus queue named Queue1 as shown in the exhibit. (Click the Exhibit tab.)

Page | 39
Client1 sends messages to Queue1 as shown in the following table.

Page | 40
Client2 reads the messages from Queue1 at 12:01:05.

How will the messages be presented to Client2?

A. Client2 will read four messages in the following order: M3, M2, M1, and then M3.
B. Client2 will read three messages in the following order: M3, M2, and then M1.
C. Client2 will read four messages in the following order; M3, M1, M2, and then M3.
D. Client2 will read three messages in the following order: M1, M2. and then M3
E. Client2 will read three messages in the following order: M3, M1, and then M2.

Answer: B

Explanation:
Duplicate is enabled, and the duplication detection window is set to 10 minutes. The second M3
message in the queue will be discarded.

Note 1: Duplicate detection enables the sender resend the same message, and the queue or topic
discards any duplicate copies.

Note 2: Queues offer First In, First Out (FIFO) message delivery to one or more competing
consumers. That is, receivers typically receive and process messages in the order in which they were
added to the queue, and only one message consumer receives and processes each message.

References:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-queues-topics-
subscriptions

https://docs.microsoft.com/en-us/azure/service-bus-messaging/duplicate-detection

Question: 46

You have an on-premises virtual machine named VM1 configured as shown in the following exhibit.

Page | 41
VM is started.

You need to create a new virtual machine image in Azure from VM1.

Which three actions should you perform before you create the new image? Each correct answer
presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Remove the Backup (volume shadow copy) integration service

B. Generalize VM1
C. Run Add-AzureRmVhd and specify a blob service container as the destination
D. Run Add-AzureRmVhd and specify a file share as the destination
E. Reduce the amount of memory to 16 GB
F. Convert the disk type to VHD

Answer: BCF

Question: 47

HOTSPOT

You have an Azure subscription that contains the resource groups shown in the following table.

Page | 42
RG1 contains the virtual machines shown in the following table.

RG2 contains the virtual machines shown in the following table.

All the virtual machines are configured to use premium disks and are accessible from the Internet.

VM1 and VM2 are in an available set named AVSET1. VM3 and VM4 are in the same availability zone
and are in an availability set named AVSET2. VM5 and VM6 are in different availability zones.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:

Page | 43
Explanation:

Box 1: Yes
VM1 and VM2 are in an available set named AVSET1.
For all Virtual Machines that have two or more instances deployed in the same Availability Set, we
[Microsoft] guarantee you will have Virtual Machine Connectivity to at least one instance at least
99.95% of the time.

Box 2: No
VM3 and VM4 are in the same availability zone and are in an availability set named AVSET2.

Box 3: Yes
VM5 and VM6 are in different availability zones.

For all Virtual Machines that have two or more instances deployed across two or more Availability
Zones in the same Azure region, we [Microsoft] guarantee you will have Virtual Machine Connectivity
to at least one instance at least 99.99% of the time.

References:
https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_8/

Question: 48
HOTSPOT

Your network contains an on-premises Active Directory domain named contoso.com that contains a
user named User1. The domain syncs to Azure Active Directory (Azure AD). You have the Windows 10
devices shown in the following table.

The User Sign-In settings are configured as shown in the following exhibit.

Page | 44
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point

Answer:

Explanation:

Box 1: Yes

Seamless SSO needs the user's device to be domain-joined only, but it is not used on Azure AD Joined
or Hybrid Azure AD joined devices. SSO on Azure AD joined, Hybrid Azure AD joined, and Azure AD
registered devices works based on the primary refresh token.

Box 2: No

Box 3: No

Reference:

Page | 45
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

Question: 49

You have an Azure subscription named Subscription1 that contains an Azure virtual network named
VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.

You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution
must minimize cost.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Create a VPN gateway that uses the VpnGw1 SKU.

B. Create a connection.
C. Create a local site VPN gateway.
D. Create a gateway subnet.
E. Create a VPN gateway that uses the Basic SKU.

Answer: ABC

References:
https://docs.microsoft.com/en-za/archive/blogs/canitpro/step-by-step-configuring-a-site-to-site-
vpn-gateway-between-azure-and-on-premise

Question: 50

You plan to create an Azure Storage account named storage! that will store blobs and be accessed by
Azure Databricks.
You need to ensure that you can set permissions for individual blobs by using Azure Active Directory
(Azure AD) authentication.

Which Advanced setting should you enable for storage1?

A. Hierarchical namespace
B. Large file shares
C. Blob soft delete
D. NFSv3

Answer: A

Explanation:

Question: 51

No. Access control via ACLs is enabled for a storage account as long as the Hierarchical Namespace
(HNS) feature is turned ON.

Note 1: We [Microsoft] are pleased to share the general availability of Azure Active Directory (AD)
based access control for Azure Storage Blobs and Queues. Enterprises can now grant specific data
access permissions to users and service identities from their Azure AD tenant using Azure’s Role-

Page | 46
based access control (RBAC).

Note 2: Azure Data Lake Storage Gen2 implements an access control model that supports both Azure
role-based access control (Azure RBAC) and POSIX-like access control lists (ACLs).

You can associate a security principal with an access level for files and directories. These associations
are captured in an access control list (ACL). Each file and directory in your storage account has an
access control list. When a security principal attempts an operation on a file or directory, An ACL
check determines whether that security principal (user, group, service principal, or managed
identity) has the correct permission level to perform the operation.

Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#access-
control-lists-on-files-and-directories

https://azure.microsoft.com/en-us/blog/azure-storage-support-for-azure-ad-based-access-control-
now-generally-available/

Question: 52

Your network contains an on-premises Active Directory domain named contoso.com. The domain
contains the users shown in the following table.

You plan to install Azure AD Connect and enable SSO.

You need to specify which user to use to enable SSO. The solution must use the principle of least
privilege.
Which user should you specify?

A. User4
B. User1
C. User3
D. User2

Answer: B

Explanation:
You need to have domain administrator credentials for each Active Directory forest that:
You synchronize to Azure AD through Azure AD Connect.
Contains users you want to enable for Seamless SSO.

Note: The domain administrator credentials are not stored in Azure AD Connect or in Azure AD.
They're used only to enable Seamless SSO through Azure AD Connect.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

Page | 47
Question: 53

DRAG DROP

You have an Azure subscription that contains the resources shown in the following table.

In RG2, you need to create a new virtual machine named VM2 that will connect to VNET1. VM2 will
use a network interface named VM2_Interface.

In which region should you create VM2 and VM2_Interface? To answer, drag the appropriate regions
to the correct targets. Each region may be used once, more than once, or not at all. You may need to
drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Page | 48
VM2: West US
In RG2, which is in West US, you need to create a new virtual machine named VM2.

VM2_interface: East US
VM2 will use a network interface named VM2_Interface to connect to VNET1, which is in East US.

References:
https://docs.microsoft.com/en-us/azure/virtual-network/associate-public-ip-address-vm

Question: 54
HOTSPOT

You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following
exhibit.

The subscription contains the Azure SQL databases shown in the following table.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Page | 49
 Answer:

Explanation:

Box 1:
The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher.
The initial instance count is 4 and rises to 6 when the 2 extra instances of VMs are added.

Box 2:
The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower.
The initial instance count is 4 and thus cannot be reduced to 0 as the minimum instances is set to 2.
Instances are only added when the CPU threshold reaches 80%.

References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-best-practices

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-common-scale-patterns

Question: 55
You have an Azure subscription named Subscription1 that is used by several departments at your
company. Subscription1 contains the resources in the following table.

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named

Page | 50
Storage2 by using a single Azure Resource Manager template.

You need to view the template used for the deployment.

From which blade can you view the template that was used for the deployment?

A. Container1
B. VM1
C. Storage2
D. RG1

Answer: D

Explanation:
You can verify the deployment by exploring the resource group from the Azure portal

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-manager-
tutorial

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-
create-first-template?tabs=azure-powershell

Question: 56

A company plans to use third-party application software to perform complex data analysis processes.
The software will use up to 500 identical virtual machines (VMs) based on an Azure Marketplace VM
image.

You need to design the infrastructure for the third-party application server. The solution must meet
the following requirements:

The number of VMs that are running at any given point in time must change when the user workload
changes.
When a new version of the application is available in Azure Marketplace it must be deployed without
causing application downtime.
Use VM scale sets.
Minimize the need for ongoing maintenance.

Which two technologies should you recommend? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. single storage account

B. autoscale
C. single placement group
D. managed disks

Answer: BD

Introduction to Azure managed disks https://docs.microsoft.com/en-us/azure/virtual-

machines/windows/managed-disks-overview "Using managed disks, you can create up to 50,000 VM

Page | 51
disks of a type in a subscription per region, allowing you to create thousands of VMs in a single
subscription. This feature also further increases the scalability of virtual machine scale sets by
allowing you to create up to 1,000 VMs in a virtual machine scale set using a Marketplace image."

Question: 57

HOTSPOT

You have Azure Storage accounts as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Answer:

Page | 52
Explanation:

Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-
purpose v1 (GPv1) accounts, and Blob storage accounts.

General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for
blobs, files, queues, and tables.
Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting
only block blobs.
General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have
the latest features or the lowest per gigabyte pricing.

References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options

Question: 58
DRAG DROP

You have virtual machines (VMs) that run a mission-critical application.

You need to ensure that the VMs never experience down time.

What should you recommend? To answer, drag the appropriate solutions to the correct scenarios.
Each solution may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Answer:

Page | 53
Explanation:

Box 1: Scale set

A virtual machine scale set allows you to deploy and manage a set of identical, auto scaling virtual
machines.

Box 2: Availability Set

An Availability Set is a logical grouping capability for isolating VM resources from each other when
they're deployed. Azure makes sure that the VMs you place within an Availability Set run across
multiple physical servers, compute racks, storage units, and network switches. If a hardware or
software failure happens, only a subset of your VMs are impacted and your overall solution stays
operational. Availability Sets are essential for building reliable cloud solutions.

Box 3: Fault domain

A fault domain is a logical group of underlying hardware that share a common power source and
network switch, similar to a rack within an on-premises datacenter. As you create VMs within an
availability set, the Azure platform automatically distributes your VMs across these fault domains.
This approach limits the impact of potential physical hardware failures, network outages, or power
interruptions.

References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-create-vmss

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

Question: 59
You have an Azure subscription that contains the resources shown in the following table.

Subnet1 is on VNET1. VM1 connects to Subnet1.

You plan to create a virtual network gateway on VNET1.
You need to prepare the environment for the planned virtual network gateway.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Create a subnet named GatewaySubnet on VNET1.

B. Delete Subnet1.
C. Modify the address space used by Subnet1.
D. Modify the address space used by VNET1
E. Create a local network gateway.

Page | 54
 Answer: B, D

Question: 60

Your company has an office in Seattle.

You have an Azure subscription that contains a virtual network named VNET1.

You create a site-to-site VPN between the Seattle office and VNET1.

VNET1 contains the subnets shown in the following table.

You need to redirect all Internet-bound traffic from Subnet1 to the Seattle office.

What should you create?

A. a route for Subnet1 That uses the virtual network gateway as the next hop
B. a route for GatewaySubnet that uses the virtual network gateway as the next hop
C. a route for GatewaySubnet that uses the local network gateway as the next hop
D. a route for Subnet1 that uses The local network gateway as the next hop

Answer: A

Explanation:
A route with the 0.0.0.0/0 address prefix instructs Azure how to route traffic destined for an IP
address that is not within the address prefix of any other route in a subnet's route table. When a
subnet is created, Azure creates a default route to the 0.0.0.0/0 address prefix, with the Internet next
hop type. We need to create a custom route in Azure to use a virtual network gateway in the Seattle
office as the next hop.

References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Question: 61

You create an Azure virtual machine named VM1 in a resource group named RG1.

You discover that VM1 performs slower than expected.

You need to capture a network trace on VM1.

What should you do?

A. From Diagnostic settings for VM1. configure the performance counters to include network

Page | 55
counters.
B. From the VM1 blade, configure Connection troubleshoot.
C. From the VM1 blade, install performance diagnostics and run advanced performance analysis
D. From Diagnostic settings for VM1, configure the log level of the diagnostic agent.

Answer: C

Explanation:
The performance diagnostics tool helps you troubleshoot performance issues that can affect a
Windows or Linux virtual machine (VM). Supported troubleshooting scenarios include quick checks
on known issues and best practices, and complex problems that involve slow VM performance or
high usage of CPU, disk space, or memory.

Advanced performance analysis, included in the performance diagnostics tool, includes all checks in
the performance analysis, and collects one or more of the traces, as listed in the following sections.
Use this scenario to troubleshoot complex issues that require additional traces. Running this scenario
for longer periods will increase the overall size of diagnostics output, depending on the size of the
VM and the trace options that are selected.

References:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics

Question: 62

HOTSPOT

You have several Azure virtual machines on a virtual network named VNet1.

You configure an Azure Storage account as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

Page | 56
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Box 1: Never

Box 2: Never
After you configure firewall and virtual network settings for your storage account, select Allow
trusted Microsoft services to access this storage account as an exception to enable Azure Backup
service to access the network restricted storage account.

Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

https://azure.microsoft.com/en-us/blog/azure-backup-now-supports-storage-accounts-secured-
with-azure-storage-firewalls-and-virtual-networks/

Question: 63
HOTSPOT
You create and save an Azure Resource Manager template named Template1 that includes the

Page | 57
following four sections.

You deploy template1.

For each of the following statement, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Page | 58
Question: 64

A company hosts virtual machines (VMs) in an on-premises datacenter and in Azure. The on-
premises and Azure-based VMs communicate using ExpressRoute.
The company wants to be able to continue regular operations if the ExpressRoute connection fails.
Failover connections must use the Internet and must not require Multiprotocol Label Switching
(MPLS) support.
You need to recommend a solution that provides continued operations.
What should you recommend?

A. Set up a second ExpressRoute connection.

B. Increase the bandwidth of the existing ExpressRoute connection.
C. Increase the bandwidth for the on-premises internet connection.
D. Set up a VPN connection.

Answer: D

References:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-
networking/expressroutevpn-failover

Question: 65

HOTSPOT
You have an Azure subscription that contains the storage accounts shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Page | 59
 Answer:

Question: 66
You have an Azure subscription that contains an Azure Log Analytics workspace. You have a resource
group that contains 100 virtual machines. The virtual machines run Linux. You need to collect events
from the virtual machines to the Log Analytics workspace. Which type of data source should you
configure in the workspace?

A. Syslog
B. Linux performance counters
C. custom fields

Answer: A

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
Explanation:
Syslog is an event logging protocol that is common to Linux. Applications will send messages that
may be stored on the local machine or delivered to a Syslog collector. When the Log Analytics agent
for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The
agent then sends the message to Azure Monitor where a corresponding record is created.

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs

Question: 67

HOTSPOT

You have an Azure subscription that includes an Azure key vault named Vault1.

Page | 60
You create the Azure virtual machines shown in the following table.

You enable Azure Disk Encryption for all the virtual machines and use the –VolumeType All
parameter.

You add data disks to the virtual machines as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Premium and standard, but not basic, account types support disk encryption.
Disk encryption requires managed disks.

References:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview

Page | 61
Question: 68
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server
2016 Datacenter image. You need to ensure that when the scale set virtual machines are
provisioned, they have web server components installed. Which two actions should you perform?
Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Create a new virtual machine scale set in the Azure portal.

B. Create an automation account.
C. Upload a configuration script.
D. Modify the extensionProfile section of the Azure Resource Manager template.
E. Create an Azure policy.

Answer: AD

References:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template

Question: 69

You have an Azure subscription that contains a resource group named RG1. RG1 contains multiple
resources.

You need to trigger an alert when the resources in RG1 consume $1,000 USD.

What should you do?

A. From Cost Management + Billing, add a cloud connector.

B. From the subscription, create an event subscription.
C. From Cost Management + Billing create a budget.
D. From RG1, create an event subscription.

Answer: C

Explanation:
Create budgets to manage costs and create alerts that automatically notify you are your stakeholders
of spending anomalies and overspending.

To set it up, go to the Azure Portal, select 'Cost Management + Billing' -> 'Cost Management' -> 'Go to
Cost Management'.

Page | 62
Note: Cost alerts are automatically generated based when Azure resources are consumed. Alerts
show all active cost management and billing alerts together in one place. When your consumption
reaches a given threshold, alerts are generated by Cost Management. There are three types of cost
alerts: budget alerts, credit alerts, and department spending quota alerts.

Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/getting-started

Question: 70

You create a new Azure subscription. You create a resource group named RG1. In RG1. you create the
resources shown in the following table.

You need to configure an encrypted tunnel between your on-premises network and VNET1.
Which two additional resources should you create in Azure? Each correct answer presents part of the
solution.

A. a point-to-site configuration
B. a local network gateway
C. a VNet-to-VNet connection
D. a VPN gateway
E. a site-to-site connection

Answer: BD

Page | 63
Explanation:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure
virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a
VPN device, a local network gateway, located on-premises that has an externally facing public IP
address assigned to it.

Finally, create a Site-to-Site VPN connection between your virtual network gateway and your on-
premises VPN device.

References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-
manager-portal

Question: 71

You have an Azure subscription.

You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit.
(Click the Exhibit tab.)

You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual
machines.

What should you modify on VM1?

Page | 64
A. the hard drive
B. Integration Services
C. the memory
D. the network adapters
E. the processor

Answer: A

Explanation:
From the exhibit we see that the disk is in the VHDX format.

Before you upload a Windows virtual machines (VM) from on-premises to Microsoft Azure, you must
prepare the virtual hard disk (VHD or VHDX). Azure supports only generation 1 VMs that are in the
VHD file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You
can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding
disk to fixed-sized.

References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-
image?toc=azure virtual-machines windows toc.json

Question: 72

You have an Azure subscription that contains 10 virtual machines on a virtual network.
You need to create a graph visualization to display the traffic flow between the virtual machines.
What should you do from Azure Monitor?

A. From Activity log, use quick insights.

B. From Metrics, create a chart.
C. From Logs, create a new query.
D. From Workbooks, create a workbook.

Answer: D

Workbooks support visualizing arbitrary graphs based on data from logs to show the relationships
between monitoring entities.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported

Question: 73

HOTSPOT

You plan to create an Azure Storage account in the Azure region of East US 2.

You need to create a storage account that meets the following requirements:

Replicates synchronously
Remains available if a single data center in the region fails

How should you configure the storage account? To answer, select the appropriate options in the
answer area.

Page | 65
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Box 1: Zone-redundant storage (ZRS)

Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a
single region.

LRS would not remain available if a data center in the region fails
GRS and RA GRS use asynchronous replication.

Box 2: StorageV2 (general purpose V2)

ZRS only support GPv2.

References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs

Page | 66
Question: 74
HOTSPOT

You play to deploy an Azure virtual machine named VM1 by using an Azure Resource Manager
template.

You need to complete the template.

What should you include in the template? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Answer:

Page | 67
Explanation:

Within your template, the dependsOn element enables you to define one resource as a dependent
on one or more resources. Its value can be a comma-separated list of resource names.

Box 1: 'Microsoft.Network/networkInterfaces'
This resource is a virtual machine. It depends on two other resources:

Microsoft.Storage/storageAccounts
Microsoft.Network/networkInterfaces

Box 2: 'Microsoft.Network/virtualNetworks/'
The dependsOn element enables you to define one resource as a dependent on one or more
resources. The resource depends on two other resources:

Microsoft.Network/publicIPAddresses
Microsoft.Network/virtualNetworks

Page | 68
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-create-
templates-with-dependent-resources

Question: 75
HOTSPOT

You network contains an Active Directory domain named adatum.com and an Azure Active Directory
(Azure AD) tenant named adatum.onmicrosoft.com.

Adatum.com contains the user accounts in the following table.

Adatum.onmicrosoft.com contains the user accounts in the following table.

Page | 69
You need to implement Azure AD Connect. The solution must follow the principle of least privilege.

Which user accounts should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Page | 70
Box 1: User5
In Express settings, the installation wizard asks for the following:

AD DS Enterprise Administrator credentials

Azure AD Global Administrator credentials

The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These
credentials are only used during the installation and are not used after the installation has
completed. The Enterprise Admin, not the Domain Admin should make sure the permissions in
Active Directory can be set in all domains.

Box 2: UserA
Azure AD Global Admin credentials are only used during the installation and are not used after the
installation has completed. It is used to create the Azure AD Connector account used for
synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.

References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-
accounts-permissions

Question: 76

You have an Azure subscription that contains 100 virtual machines.

You have a set of Pester tests in PowerShell that validate the virtual machine environment.
You need to run the tests whenever there is an operating system update on the virtual machines. The
solution must minimize implementation time and recurring costs.
D18912E1457D5D1DDCBD40AB3BF70D5D
Which three resources should you use to implement the tests? Each correct answer presents part of
the solution.
NOTE: Each correct selection is worth one point.

A. Azure Automation runbook

B. an alert rule
C. an Azure Monitor query
D. a virtual machine that has network access to the 100 virtual machines
E. an alert action group

Answer: ABE

Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-create-alert-triggered-runbook

https://techsnips.io/snips/how-to-create-and-test-azure-monitor-alerts/?page=13

Question: 77

HOTSPOT

You have an Azure subscription that contains the resource groups shown in the following table.

Page | 71
You create an Azure Resource Manager template named Template1 as shown in the following
exhibit.

From the Azure portal, you deploy Template1 four times by using the settings shown in the following
table.

What is the result of the deployment? To answer, select the appropriate options in the answer area.

Page | 72
NOTE: Each correct selection is worth one point.

Answer:

Question: 78
HOTSPOT

You have an Azure subscription that contains multiple resource groups. You create an availability set
as shown in the following exhibit.

Page | 73
You deploy 10 virtual machines to AS1.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Box 1: 6
Two out of three update domains would be available, each with at least 3 VMs.
An update domain is a group of VMs and underlying physical hardware that can be rebooted at the
same time.

Page | 74
As you create VMs within an availability set, the Azure platform automatically distributes your VMs
across these update domains. This approach ensures that at least one instance of your application
always remains running as the Azure platform undergoes periodic maintenance.

Box 2: the West Europe region and the RG1 resource group

References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/regions-and-availability

Question: 79
You have a virtual network named VNet1 as shown in the exhibit.

No devices are connected to VNet1.

You plan to peer VNet1 to another virtual network named Vnet2 in the same region. VNet2 has an
address space of 10.2.0.0/16.

You need to create the peering.

What should you do first?

A. Modify the address space of VNet1.

B. Configure a service endpoint on VNet2
C. Add a gateway subnet to VNet1.

Page | 75
D. Create a subnet on VNet1 and VNet2.

Answer: A

Explanation:
The virtual networks you peer must have non-overlapping IP address spaces.

References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-
peering#requirements-and-constraints

Question: 80

HOTSPOT

You have an Azure Resource Manager template for a virtual machine named Template1. Template1
has the following parameters section.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Page | 76
 Answer:

Explanation:

Box 1: Yes
The Resource group is not specified.

Box 2: No
The default value for the operating system is Windows 2016 Datacenter.

Box 3: Yes
Location is no default value.

References:
https://docs.microsoft.com/bs-latn-ba/azure/virtual-machines/windows/ps-template

Question: 81
You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their changed to a less
expensive offering.
Which Wade should you use?

A. Metrics
B. Monitor
C. Customer insights
D. Advisor

Answer: D

Page | 77
References:
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

Question: 82

HOTSPOT

You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the
users shown in the following table.

The tenant contains computers that run Windows 10. The computers are configured as shown in the
following table.

You enable Enterprise State Roaming in contoso.com for Group1 and GroupA.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:

Page | 78
Explanation:

Enterprise State Roaming provides users with a unified experience across their Windows devices and
reduces the time needed for configuring a new device.

Box 1: Yes

Box 2: No

Box 3: Yes

References:
https://docs.microsoft.com/en-us/azure//////active-directory/devices/enterprise-state-roaming-
overview

Question: 83
HOTSPOT

You have an Azure Resource Manager template named Template1 in the library as shown in the
following exhibit.

Page | 79
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Answer:

Page | 80
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax

Question: 84
HOTSPOT

Your company hosts multiple websites by using Azure virtual machine scale sets (VMSS) that run
Internet Information Server (IIS).

All network communications must be secured by using end to end Secure Socket Layer (SSL)
encryption. User sessions must be routed to the same server by using cookie-based session affinity.

The image shown depicts the network traffic flow for the websites to the VMSS.

Use the drop-down menus to select the answer choice that answers each question.

NOTE: Each correct selection is worth one point.

Page | 81
 Answer:

Explanation:

Box 1: Azure Application Gateway

You can create an application gateway with URL path-based redirection using Azure PowerShell.

Box 2: Path-based redirection and Websockets

Reference:
https://docs.microsoft.com/bs-latn-ba/azure//application-gateway/tutorial-url-redirect-powershell

Question: 85
DRAG DROP

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual
machines connect to the virtual networks.

The virtual networks have the address spaces and the subnets configured as shown in the following
table.

You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts
on VNet1 and VNet2 can communicate.

Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.

Page | 82
 Answer:

Explanation:

Step 1: Remove peering between Vnet1 and VNet2.

You can't add address ranges to, or delete address ranges from a virtual network's address space
once a virtual network is peered with another virtual network. To add or remove address ranges,
delete the peering, add or remove the address ranges, then re-create the peering.

Step 2: Add the 10.44.0.0/16 address space to VNet1.

Step 3: Recreate peering between VNet1 and VNet2

References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

Question: 86

You have an Azure App Service app.

You need to implement tracing for the app. The tracing information must include the following:

Page | 83
Usage trends
AJAX call responses
Page load speed by browser
Server and browser exceptions

What should you do?

A. Configure IIS logging in Azure Log Analytics.

B. Configure a connection monitor in Azure Network Watcher.
C. Configure custom logs in Azure Log Analytics.
D. Enable the Azure Application Insights site extension.

Answer: D

Explanation:
For web pages, Application Insights JavaScript SDK automatically collects AJAX calls as dependencies.

Note: Some of the things you can track or collect are:

What are the most popular webpages in your application, at what time of day and where is that
traffic coming from?
Dependency rates or response times and failure rates to find out if there’s an external service that’s
causing performance issues on your app, maybe a user is using a portal to get through to your
application and there are response time issues going through there for instance.
Exceptions for both server and browser information, as well as page views and load performance
from the end users’ side.

Reference:
https://azure.microsoft.com/en-us/blog/ajax-collection-in-application-insights/

https://blog.pragmaticworks.com/what-is-application-insights

Question: 87

HOTSPOT

You have an Azure subscription named Subscription1. Subscription1 contains the resources in the
following table:

VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2. An
administrator named Admin1 creates an Azure virtual machine VM1 in RG1. VM1 uses a disk named
Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.

You need to move the custom application to VNet2. The solution must minimize administrative

Page | 84
effort.

Which two actions should you perform? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

We cannot just move a virtual machine between networks. What we need to do is identify the disk

Page | 85
used by the VM, delete the VM itself while retaining the disk, and recreate the VM in the target
virtual network and then attach the original disk to it.

Reference:
https://blogs.technet.microsoft.com/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-
vnet-on-azure/

https://4sysops.com/archives/move-an-azure-vm-to-another-virtual-network-vnet/#migrate-an-
azure-vm-between-vnets

Question: 88
You have an Azure subscription that contains the storage accounts shown in the following table.

You enable Azure Advanced Threat Protection (ATP) for all the storage accounts.
You need to identify which storage accounts will generate Azure ATP alerts.
Which two storage accounts should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. storagecontoso1
B. storagecontoso2
C. storagecontoso3
D. storagecontoso4
E. storaaecontoso5

Answer: AB

Advanced threat protection for Azure Storage is currently available only for Blob Storage.
https://docs.microsoft.com/en-us/azure/storage/common/storage-advanced-threat-
protection?tabs=azure-portal

Question: 89

HOTSPOT

Your company has an Azure Container Registry named Registry1.

You have an Azure virtual machine named Server1 that runs Windows Server 2019.

From Server1, you create a container image named image1.

You need to add image1 to Registry1.

Which command should you run on Server1? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Page | 86
 Answer:

Explanation:

An Azure container registry stores and manages private Docker container images, similar to the way
Docker Hub stores public Docker images. You can use the Docker command-line interface (Docker
CLI) for login, push, pull, and other operations on your container registry.

Reference:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli

https://docs.docker.com/engine/reference/commandline/push/

Question: 90
HOTSPOT
You are developing an Azure Web App. You configure TLS mutual authentication for the web app.
You need to validate the client certificate in the web app. To answer, select the appropriate options
in the answer area.
NOTE: Each correct selection is worth one point.

Page | 87
 Answer:

Question: 91
DRAG DROP

You are designing a solution to secure a company’s Azure resources. The environment hosts 10
teams. Each team manages a project and has a project manager, a virtual machine (VM) operator,
developers, and contractors.

Page | 88
Project managers must be able to manage everything except access and authentication for users. VM
operators must be able to manage VMs, but not the virtual network or storage account to which they
are connected. Developers and contractors must be able to manage storage accounts.

You need to recommend roles for each member.

What should you recommend? To answer, drag the appropriate roles to the correct employee types.
Each role may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Answer:

Question: 92

You have an Azure virtual machine named VM1 and an Azure Active Directory (Azure AD) tenant
named adatum.com.
D18912E1457D5D1DDCBD40AB3BF70D5D
VM1 has the following settings:
IP address: 10.10.0.10
System-assigned managed identity: On

You need to create a script that will run from within VM1 to retrieve the authentication token of
VM1.
Which address should you use in the script?

A. vm1.adatum.com.onmicrosoft.com
B. 169.254.169.254
C. 10.10.0.10
D. vm1.adatum.com

Page | 89
 Answer: B

Explanation:
Your code that's running on the VM can request a token from the Azure Instance Metadata Service
identity endpoint, accessible only from within the VM:
http://169.254.169.254/metadata/identity/oauth2/token

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-
resources/overview

Question: 93

HOTSPOT

Your company has a virtualization environment that contains the virtualization hosts shown in the
following table.

The virtual machines are configured as shown in the following table.

All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption
(BitLocker).

You plan to migrate the virtual machines to Azure by using Azure Site Recovery.

You need to identify which virtual machines can be migrated.

Which virtual machines should you identify for each server? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

Page | 90
 Answer:

Explanation:

Incorrect Answers:
VM1 cannot be migrates as it has BitLocker enabled.
VM2 cannot be migrates as the OS disk on VM2 is larger than 2TB.
VMC cannot be migrates as the Data disk on VMC is larger than 4TB.

References:
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix#azure-vm-
requirements

Question: 94

You are designing an Azure solution.

The solution must meet the following requirements:
* Distribute traffic to different pools of dedicated virtual machines (VMs) based on rules
* Provide SSL offloading capabilities

Page | 91
You need to recommend a solution to distribute network traffic.
Which technology should you recommend?

A. server-level firewall rules

B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure Load Balancer

Answer: B

If you require "SSL offloading", application layer treatment, or wish to delegate certificate
management to
Azure, you should use Azure's layer 7 load balancer Application Gateway instead of the Load
Balanacer.
References: https://docs.microsoft.com/en-us/azure/application-gateway/overview

Question: 95

HOTSPOT

You have an Azure Active Directory (Azure AD) tenant.

You need to create a conditional access policy that requires all users to use multi-factor
authentication when they access the Azure portal.

Which three settings should you configure? To answer, select the appropriate settings to the answer
area.

NOTE: Each correct selection is worth one point.

Page | 92
Answer:

Page | 93
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-
access-policies

Question: 96
You are implementing authentication for applications in your company. You plan to implement self-
service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure
AD).
You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.

A. Short Message Service (SMS) messages

B. Authentication app
C. Email addresses
D. Security questions
E. App passwords

Answer: AB

References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-
methods

SMS-based sign-in is great for front-line workers. With SMS-based sign-in, users don't need to know a
username and password to access applications and services. The user instead enters their registered
mobile phone number, receives a text message with a verification code, and enters that in the sign-in
interface.

Users can also verify themselves using a mobile phone or office phone as secondary form of
authentication used during Azure Multi-Factor Authentication or self-service password reset (SSPR).

The Authenticator app provides an additional level of security to your Azure AD work or school
account or your Microsoft account and is available for Android, iOS, and Windows Phone. With the
Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an

Page | 94
additional verification option during self-service password reset (SSPR) or Azure Multi-Factor
Authentication events.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-
methods

Question: 97

Your company has the groups shown in the following table.

The company has an Azure subscription that contains an Azure Active Directory (Azure AD) tenant
named contoso.com.
An administrator named Admin1 attempts to enable Enterprise State Roaming for all the users in the
Managers group.
Admin1 reports that the options for Enterprise State Roaming are unavailable from Azure AD.
You verify that Admin1 is assigned the Global administrator role.
You need to ensure that Admin1 can enable Enterprise State Roaming.
What should you do?

A. Enforce Azure Multi-Factor Authentication (MFA) for Admin1.

B. Purchase an Azure AD Premium P1 license for each user in the Managers group.
C. Assign an Azure AD Privileged Identity Management (PIM) role to Admin1.
D. Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group.

Answer: B

Explanation:
Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise
Mobility + Security (EMS) license.

References:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/devices/enterprise-state-roaming-
enable

Question: 98

HOTSPOT

You have an Azure Active Directory (Azure AD) tenant that contains the user groups shown in the
following table.

Page | 95
You enable self-service password reset (SSPR) for Group1.

You configure the Notifications settings as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Box 1: Yes
Notify all admins when other admins reset their passwords: Yes.

Box 2: No

Page | 96
Notify users on password resets: No.

Box 3: No

Notify users on password resets

If this option is set to Yes, then users resetting their password receive an email notifying them that
their password has been changed. The email is sent via the SSPR portal to their primary and
alternate email addresses that are on file in Azure AD. No one else is notified of the reset event.

Notify all admins when other admins reset their passwords

If this option is set to Yes, then all administrators receive an email to their primary email address on
file in Azure AD. The email notifies them that another administrator has changed their password by
using SSPR.

Example: There are four administrators in an environment. Administrator A resets their password by
using SSPR. Administrators B, C, and D receive an email alerting them of the password reset.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr

Question: 99

Your company has an Azure subscription.

You enable multi-factor authentication (MFA) for all users.

The company’s help desk reports an increase in calls from users who receive MFA requests while
they work from the company’s main office.

You need to prevent the users from receiving MFA requests when they sign in from the main office.

What should you do?

A. From Azure Active Directory (Azure AD), configure organizational relationships.

B. From the MFA service settings, create a trusted IP range.
C. From Conditional access in Azure Active Directory (Azure AD), create a custom control.
D. From Conditional access in Azure Active Directory (Azure AD), create a named location.

Answer: B

Explanation:
The first thing you may want to do, before enabling Multi-Factor Authentication for any users, is to
consider configuring some of the available settings. One of the most important features is a trusted
IPs list. This will allow you to whitelist a range of IPs for your network. This way, when users are in
the office, they will not get prompted with MFA, and when they take their devices elsewhere, they
will. Here’s how to do it:

Log in to your Azure Portal.

Navigate to Azure AD > Conditional Access > Named locations.
From the top toolbar select Configure MFA trusted IPs.

Page | 97
References:
https://www.kraftkennedy.com/implementing-azure-multi-factor-authentication/

The Trusted IPs feature of Azure Multi-Factor Authentication bypasses multi-factor authentication
prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your
on-premises environments to when users are in one of those locations, there's no Azure Multi-Factor
Authentication prompt.

Question: 100

You have an application named App1 that does not support Azure Active Directory (Azure AD)
authentication.
You need to ensure that App1 can send messages to an Azure Service Bus queue. The solution must
prevent Appl from listening to the queue.
What should you do?

A. Modify the locks of the Queue

B. Configure Access control (IAM) for the Service Bus
C. Configure Access control (IAM) for the queue.
D. Add a shared access policy to the queue

Answer: D

Explanation:
There are two ways to authenticate and authorize access to Azure Service Bus resources: Azure
Activity Directory (Azure AD) and Shared Access Signatures (SAS).
Each Service Bus namespace and each Service Bus entity has a Shared Access Authorization policy
made up of rules.

Reference:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-authentication-and-
authorization

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas

Question: 101

An administrator plans to create a function app in Azure that will have the following settings:
Runtime stack: .NET Core
Operating System: Linux
Plan type: Consumption
Enable Application Insights: Yes
You need to ensure that you can back up the function app.
Which settings should you recommend changing before creating the function app?
D18912E1457D5D1DDCBD40AB3BF70D5D

A. Runtime stack
B. Enable Application Insights
C. Operating System
D. Plan type

Page | 98
 Answer: D

Explanation:
The Backup and Restore feature requires the App Service plan to be in the Standard, Premium or
Isolated tier.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/manage-backup#requirements-and-restrictions

Question: 102

HOTSPOT

You have an Azure subscription.

You plan to deploy an app that has a web front end and an application tier.

You need to recommend a load balancing solution that meets the following requirements:

Internet to web tier:

- Provides URL-based routing
- Supports connection draining
- Prevents SQL injection attacks
Web tier to application tier:
- Provides port forwarding
- Supports HTTPS health probes
- Supports an availability set as a backend pool

Which load balancing solution should you recommend for each tier? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Page | 99
Explanation:

Box 1: An Azure Application Gateway that has a web application firewall (WAF)
Azure Application Gateway offers a web application firewall (WAF) that provides centralized
protection of your web applications from common exploits and vulnerabilities. Web applications are
increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection
and cross-site scripting are among the most common attacks.

Application Gateway operates as an application delivery controller (ADC). It offers Secure Sockets
Layer (SSL) termination, cookie-based session affinity, round-robin load distribution, content-based
routing, ability to host multiple websites, and security enhancements.

Box 2: An internal Azure Standard Load Balancer

The internet to web tier is the public interface, while the web tier to application tier should be
internal.

Note: When using load-balancing rules with Azure Load Balancer, you need to specify a health probes
to allow Load Balancer to detect the backend endpoint status.
Health probes support the TCP, HTTP, HTTPS protocols.

References:
https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview

Question: 103

You have 10 Azure virtual machines on a subnet named Subnet1. Subnet1 is on a virtual network
named VNet1.
You plan to deploy a public Azure Standard Load Balancer named LB1 to the same Azure region as the
10 virtual machines.
You need to ensure that traffic from all the virtual machines to the internet flows through LB1. The
solution must prevent the virtual machines from being accessible on the internet.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Add health probes to LB1.

B. Add the network interfaces of the virtual machines to the backend pool of LB1.
C. Add an inbound rule to LB1.
D. Add an outbound rule to LB1.

Page | 100
E. Associate a network security group (NSG) to Subnet1.
F. Associate a user-defined route to Subnet1.

Answer: ABD

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-manage-
portal2

Question: 104

You have an Azure subscription that contains an Azure key vault named KeyVault1 and the virtual
machines shown in the following table.

KeyVault1 has an access policy that provides several users with Create Key permissions.

You need to ensure that the users can only register secrets in KeyVault1 from VM1.

What should you do?

A. Create a network security group (NSG) that is linked to Subnet1.

B. Configure the Firewall and virtual networks settings for KeyVault1.
C. Modify the access policy for KeyVault1.
D. Configure KeyVault1 to use a hardware security module (HSM).

Answer: C

Explanation:
You grant data plane access by setting Key Vault access policies for a key vault.

Note 1: Grant our VM’s system-assigned managed identity access to the Key Vault.
Select Access policies and click Add new.
In Configure from template, select Secret Management.
Choose Select Principal, and in the search field enter the name of the VM you created earlier. Select
the VM in the result list and click Select.
Click OK to finishing adding the new access policy, and OK to finish access policy selection.

Note 2: Access to a key vault is controlled through two interfaces: the management plane and the
data plane. The management plane is where you manage Key Vault itself. Operations in this plane
include creating and deleting key vaults, retrieving Key Vault properties, and updating access
policies. The data plane is where you work with the data stored in a key vault. You can add, delete,
and modify keys, secrets, and certificates.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-
resources/tutorial-windows-vm-access-nonaad

Page | 101
https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault2

Question: 105

HOTSPOT

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1.
You add the users in the following table.

Which user can perform each configuration? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Box 1: User1 and User3 only.

The Owner Role lets you manage everything, including access to resources.
The Network Contributor role lets you manage networks, but not access to them.

Box 2: User1
The Security Admin role: In Security Center only: Can view security policies, view security states, edit
security policies, view alerts and recommendations, dismiss alerts and recommendations.

Page | 102
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Question: 106

You have resources in three Azure regions. Each region contains two virtual machines. Each virtual
machine has a public IP address assigned to its network interface and a locally installed application
named App1.
You plan to implement Azure Front Door-based load balancing across all the virtual machines.
You need to ensure that App1 on the virtual machines will only accept traffic routed from Azure Front
Door.
What should you implement?

A. Azure Private Link

B. service endpoints
C. network security groups (NSGs) with service tags
D. network security groups (NSGs) with application security groups

Answer: C

Explanation:
Configure IP ACLing for your backends to accept traffic from Azure Front Door's backend IP address
space and Azure's infrastructure services only. Refer the IP details below for ACLing your backend:
Refer AzureFrontDoor.Backend section in Azure IP Ranges and Service Tags for Front Door's IPv4
backend IP address range or you can also use the service tag AzureFrontDoor.Backend in your
network security groups.
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq

Question: 107

You have an Azure key vault named KV1.

You need to ensure that applications can use KV1 to provision certificates automatically from an
external certification authority (CA).
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. From KV1, create a certificate issuer resource.

B. Obtain the CA account credentials.
C. Obtain the root CA certificate.
D. From KV1, create a certificate signing request (CSR).
E. From KV1, create a private key,

Answer: CD

Explanation:
C: Obtain the root CA certificate (step 4 in the picture below)

D: From KV1, create a certificate signing request (CSR) (step 2 in the picture below)

Note:
Creating a certificate with a CA not partnered with Key Vault

Page | 103
This method allows working with other CAs than Key Vault's partnered providers, meaning your
organization can work with a CA of its choice.

The following step descriptions correspond to the green lettered steps in the preceding diagram.

In the diagram above, your application is creating a certificate, which internally begins by creating a
key in your key vault.
Key Vault returns to your application a Certificate Signing Request (CSR).
Your application passes the CSR to your chosen CA.
Your chosen CA responds with an X509 Certificate.
Your application completes the new certificate creation with a merger of the X509 Certificate from
your CA.

Reference:
https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios

Question: 108

You create the following Azure role definition.

Page | 104
You need to create Role1 by using the role definition.

Which two values should you modify before you create Role1? Each correct answer presents part of
the solution.

NOTE: Each correct selection is worth one point.

A. AssignableScopes
B. Description
C. DataActions
D. IsCustom
E. Id

Answer: AD

Explanation:
Part of example:
"IsCustom": true,

"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/subscriptions/{subscriptionId3}"

The following shows what a custom role looks like as displayed in JSON format. This custom role can
be used for monitoring and restarting virtual machines.

{
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",

Page | 105
 "Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/subscriptions/{subscriptionId3}"
]
}

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Question: 109

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.

You are creating a Dockerfile to build a container image.

You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container
image.

Solution: You add the following line to the Dockerfile.

Copy-Item File1.txt C:\Folder1\File1.txt

You then build the container image.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Copy-Item is not supported. Copy is the correct command to copy a file to the container image.

Page | 106
References:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy

https://docs.docker.com/engine/reference/builder/

Question: 110

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.

You are creating a Dockerfile to build a container image.

You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container
image.

Solution: You add the following line to the Dockerfile.

COPY File1.txt /Folder1/

You then build the container image.

Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:
Copy is the correct command to copy a file to the container image.

References:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy

https://docs.docker.com/engine/reference/builder/

Question: 111

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Page | 107
You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.

You are creating a Dockerfile to build a container image.

You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container
image.

Solution: You add the following line to the Dockerfile.

COPY File1.txt C:/Folder1/

You then build the container image.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Copy is the correct command to copy a file to the container image but the root directory is specified
as '/' and not as 'C:/'.

References:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy

https://docs.docker.com/engine/reference/builder/

Question: 112

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.

You are creating a Dockerfile to build a container image.

You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container
image.

Solution: You add the following line to the Dockerfile.

ADD File1.txt C:/Folder1/

You then build the container image.

Page | 108
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Copy is the correct command to copy a file to the container image. The ADD command can also be
used. However, the root directory is specified as '/' and not as 'C:/'.

Reference:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy

https://docs.docker.com/engine/reference/builder/

Question: 113

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.

You are creating a Dockerfile to build a container image.

You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container
image.

Solution: You add the following line to the Dockerfile.

XCOPY File1.txt C:\Folder1\

You then build the container image.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Copy is the correct command to copy a file to the container image. Furthermore, the root directory is
specified as '/' and not as 'C:/'.

References:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy

https://docs.docker.com/engine/reference/builder/

Page | 109
Question: 114

Your network contains an on-premises Active Directory domain named contoso.com that contains a
member server named Server1.
You have the accounts shown in the following table.

You are installing Azure AD Connect on Server1.

You need to specify the account for Azure AD Connect synchronization. The solution must use the
principle of
least privilege.
Which account should you specify?

A. CONTOSO\User2
B. SERVER1\User4
C. CONTOSO\User1
D. CONTOSO\User3

Answer: A

Explanation:
The default Domain User permissions are sufficient

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-
permissions

Question: 115

HOTSPOT

A company runs multiple Windows virtual machines (VMs) in Azure.

The IT operations department wants to apply the same policies as they have for on-premises VMs to
the VMs running in Azure, including domain administrator permissions and schema extensions.

You need to recommend a solution for the hybrid scenario that minimizes the amount of
maintenance required.

What should you recommend? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Page | 110
 Answer:

Explanation:

Box 1: Join the VMs to a new domain controller VM in Azure

Azure provides two solutions for implementing directory and identity services in Azure:
(Used in this scenario) Extend your existing on-premises Active Directory infrastructure to Azure, by
deploying a VM in Azure that runs AD DS as a Domain Controller. This architecture is more common
when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or
ExpressRoute connection.
Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises
Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.

Box 2: Set up VPN connectivity.

This architecture is more common when the on-premises network and the Azure virtual network
(VNet) are connected by a VPN or ExpressRoute connection.

References:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/

Question: 116

You have an Azure subscription that contains the web apps shown in the following table.

Page | 111
For which web app can you configure a WebJob?

A. WebApp4
B. WebApp3
C. WebApp1
D. WebApp2

Answer: A

Explanation:
Publishing a .NET Core WebJob to App Service from Visual Studio uses the same tooling as publishing
an
ASP.NET Core app.
References:
https://docs.microsoft.com/en-us/azure/app-service/webjobs-dotnet-deploy-vs

Question: 117

The developers at your company request that you create databases in Azure Cosmos DB as shown in
the following table.

You need to create the Azure Cosmos DB databases to meet the developer request. The solution
must minimize costs.

What are two possible ways to achieve the goal? Each correct answer presents a complete solution.

Page | 112
NOTE: Each correct selection is worth one point.

A. Create three Azure Cosmos DB accounts, one for the databases that use the Core (SQL) API, one
for CosmosDB2, and one for CosmosDB4.
B. Create two Azure Cosmos DB accounts, one for CosmosDB2 and CosmosDB4 and one for
CosmosDB1 and CosmosDB3.
C. Create one Azure Cosmos DB account for each database.
D. Create three Azure Cosmos DB accounts, one for the databases that use the MongoDB API, one for
CosmosDB1, and one for CosmosDB3.

Answer: BD

Explanation:

Note:
Microsoft recommends using the same API for all access to the data in a given account.

One throughput provisioned container per subscription for SQL, Gremlin API, and Table accounts.
Up to three throughput provisioned collections per subscription for MongoDB accounts.
The throughput provisioned on an Azure Cosmos container is exclusively reserved for that container.
The container receives the provisioned throughput all the time.

Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/set-throughput#set-throughput-on-a-container

Question: 118

You have three Azure SQL Database servers shown in the following table.

You plan to specify sqlserver1 as the primary server in a failover group.

Which servers can be used as a secondary server?

A. sqlserver4 and sqlserver5 only

B. sqlserver2 and sqlserver3 only
C. sqlserver1 and sqlserver3 only
D. sqlserver2 and sqlserver4 only

Answer: D

Page | 113
Explanation:
The Resource Group must be the same.
The secondary server can have another location.
The secondary server cannot be the same as the primary server.

Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/auto-failover-group-configure

Question: 119

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that contains a group named Group1.

You need to enable multi-factor authentication (MFA) for the users in Group1 only.

Solution: From the Azure portal, you configure an authentication method policy.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
We should use a Conditional Access policy.

Note: There are two ways to secure user sign-in events by requiring multi-factor authentication in
Azure AD. The first, and preferred, option is to set up a Conditional Access policy that requires multi-
factor authentication under certain conditions. The second option is to enable each user for Azure
Multi-Factor Authentication. When users are enabled individually, they perform multi-factor
authentication each time they sign in (with some exceptions, such as when they sign in from trusted
IP addresses or when the remembered devices feature is turned on).

Enabling Azure Multi-Factor Authentication using Conditional Access policies is the recommended
approach. Changing user states is no longer recommended unless your licenses don't include
Conditional Access as it requires users to perform MFA every time they sign in.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Question: 120

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

Page | 114
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that contains a group named Group1.

You need to enable multi-factor authentication (MFA) for the users in Group1 only.

Solution: From Multi-Factor Authentication, you select Bulk update, and you provide a CSV file that
contains the members of Group1.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
We should use a Conditional Access policy.

Note: There are two ways to secure user sign-in events by requiring multi-factor authentication in
Azure AD. The first, and preferred, option is to set up a Conditional Access policy that requires multi-
factor authentication under certain conditions. The second option is to enable each user for Azure
Multi-Factor Authentication. When users are enabled individually, they perform multi-factor
authentication each time they sign in (with some exceptions, such as when they sign in from trusted
IP addresses or when the remembered devices feature is turned on).

Enabling Azure Multi-Factor Authentication using Conditional Access policies is the recommended
approach. Changing user states is no longer recommended unless your licenses don't include
Conditional Access as it requires users to perform MFA every time they sign in.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Question: 121

HOTSPOT

You have a web server app named App1 that is hosted in three Azure regions.

You plan to use Azure Traffic Manager to distribute traffic optimally for App1.

You need to enable Real User Measurements to monitor the network latency data for App1.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Page | 115
 Answer:

Explanation:

Box 1: Select Generate key

You can configure your web pages to send Real User Measurements to Traffic Manager by obtaining a
Real User Measurements (RUM) key and embedding the generated code to web page.

Obtain a Real User Measurements key

The measurements you take and send to Traffic Manager from your client application are identified
by the service using a unique string, called the Real User Measurements (RUM) Key. You can get a
RUM key using the Azure portal, a REST API, or by using the PowerShell or Azure CLI.

To obtain the RUM Key using Azure portal:

From a browser, sign in to the Azure portal. If you don’t already have an account, you can sign up for
a free one-month trial.
In the portal’s search bar, search for the Traffic Manager profile name that you want to modify, and
then click the Traffic Manager profile in the results that the displayed.
In the Traffic Manager profile blade, click Real User Measurements under Settings.
Click Generate Key to create a new RUM Key.

Box 2: Embed the Traffic Manager JavaScript code snippet.

Embed the code to an HTML web page

Page | 116
After you have obtained the RUM key, the next step is to embed this copied JavaScript into an HTML
page that your end users visit.

This example shows how to update an HTML page to add this script. You can use this guidance to
adapt it to your HTML source management workflow.
Open the HTML page in a text editor
Paste the JavaScript code you had copied in the earlier step to the BODY section of the HTML (the
copied code is on line 8 & 9, see figure 3).

Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-create-rum-web-pages

Question: 122

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Cosmos DB database that contains a container named Container1. The partition
key for Container1 is set to /day. Container1 contains the items shown in the following table.

Page | 117
You need to programmatically query Azure Cosmos DB and retrieve item1 and item2 only.

Solution: You run the following query.

You set the EnableCrossPartitionQuery property to True.

Does this meet the goal?

A. Yes
B. No

Answer: A

Question: 123

HOTSPOT

You network contains an Active Directory domain that is synced to Azure Active Directory (Azure AD)
as shown in the following exhibit.

Page | 118
You have a user account configured as shown in the following exhibit.

Page | 119
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Page | 120
 Answer:

Explanation:

Box 1: No
Password writeback is disabled.

Note: Having a cloud-based password reset utility is great but most companies still have an on-
premises directory where their users exist. How does Microsoft support keeping traditional on-
premises Active Directory (AD) in sync with password changes in the cloud? Password writeback is a
feature enabled with Azure AD Connect that allows password changes in the cloud to be written back
to an existing on-premises directory in real time.

Box 2: No

Box 3: Yes
Yes, there is an Edit link for Location Info.

References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

Question: 124
HOTSPOT

You have an Azure subscription named Subscription1.

Subscription1 contains the virtual machines in the following table:

Page | 121
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is
enabled on NIC3. Routing is enabled on VM3.

You create a route table named RT1 that contains the routers in the following table.

You apply RT1 to Subnet1 and Subnet2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:

Page | 122
Explanation:

IP forwarding enables the virtual machine a network interface is attached to:

Receive network traffic not destined for one of the IP addresses assigned to any of the IP
configurations assigned to the network interface.
Send network traffic with a different source IP address than the one assigned to one of a network
interface's IP configurations.

The setting must be enabled for every network interface that is attached to the virtual machine that
receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic
whether it has multiple network interfaces or a single network interface attached to it.

Box 1: Yes
The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on
VM3, VM3 can connect to VM1.

Box 2: No
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.

Box 3: Yes
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1
to connect to VM2 via VM3.

References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

https://www.quora.com/What-is-IP-forwarding

Question: 125
HOTSPOT

Your network contains an on-premises Active Directory domain. The domain contains the Hyper-V
failover clusters shown in the following table.

You plan to assess and migrate the virtual machines by using Azure Migrate.

What is the minimum number of Azure Migrate appliances and Microsoft Azure Recovery Services
(MARS) agents required?

NOTE: Each correct selection is worth one point.

Page | 123
 Answer:

Explanation:

Box 1: 3
One appliance for each cluster.

Box 2: 12
One MARS agent for each node.

Reference:
https://docs.microsoft.com/en-us/azure/migrate/tutorial-migrate-hyper-v

Question: 126
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 contains 50
virtual machines. Twenty-five of the virtual machines are web servers and the other 25 are
application servers.
You need to filter traffic the web servers and the application servers by using application security
groups.
Which additional resources should you provision?

Page | 124
A. Azure Private Link
B. a network security group (NSG)
C. a user-defined route
D. Azure-firewall

Answer: B

Explanation:
Application security groups enable you to configure network security as a natural extension of an
application's structure, allowing you to group virtual machines and define network security policies
based on those groups.

You can filter network traffic inbound to and outbound from a virtual network subnet with a network
security group.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

Question: 127

Your on-premises network contains several Hyper-V hosts.

You have an hybrid deployment of Azure Active Directory (Azure AD).
You create an Azure Migrate project.
You need to ensure that you can evaluate virtual machines by using Azure Migrate.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Deploy the Azure Migrate appliance to an on-premises Hyper-V host.

B. Deploy the Microsoft Monitoring Agent to each Hyper-V virtual machine.
C. Assign the migrate account to the administrator group on each Hyper-V host.
D. Deploy the Azure Migrate appliance as an Azure virtual machine.
E. Deploy the Microsoft Monitoring Agent to each Hyper-V host.
F. Assign the migrate account to the Administrators group on each Hyper-V virtual machine.

Answer: AB

Reference:
https://docs.microsoft.com/en-us/azure/migrate/tutorial-discover-hyper-v#set-up-the-appliance

https://docs.microsoft.com/en-us/azure/migrate/migrate-support-matrix-hyper-v#agent-based-
dependency-analysis-requirements

Question: 128

You have an Azure subscription that contains the Azure SQL Database servers shown in the following
table.

The SQL Database servers have the elastic pools shown in the following table.

Page | 125
SQL1 has the SQL databases shown in the following table.

What will occur if you add DB1 to Pool1?

A. The vCores on DB1 will decrease to two.

B. The maximum data size of Pool1 will increase to 22 GB.
C. The maximum data size of DB1 will decrease to 6 GB.
D. The vCores on Pool1 will increase to four.

Answer: D

Question: 129

Your network contains an on-premises Active Directory and an Azure Active Directory (Azure AD)
tenant.

You deploy Azure AD Connect and configure pass-through authentication?

Your Azure subscription contains several web apps that are accessed from the Internet.

You plan to enable Azure Multi-Factor Authentication (MFA) for the Azure tenant.

You need to recommend a solution to prevent users from being prompted for Azure MFA when they
access the web apps from the on-premises network.

What should you include in the recommendation?

A. a site-to-site VPN between the on-premises network and Azure

B. an Azure policy
C. an Azure ExpressRoute circuit
D. trusted IPs

Answer: D

Explanation:
The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed
or federated tenant. The feature bypasses two-step verification for users who sign in from the
company intranet. The feature is available with the full version of Azure Multi-Factor Authentication,
and not the free version for administrators.

References:

Page | 126
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-
mfasettings#trusted-ips

Question: 130

You have an Azure Storage account named storage! that is accessed by several applications.
An administrator manually rotates me access keys for storage1.
After the rotation the applications fail to access the storage account
A developer manually modifies the applications to resolve the issue.
You need to implement a solution to rotate the access keys automatically. The solution must
minimize the need to update the applications once the solution is implemented.
What should you include in the solution?

A. Azure Key Vault

B. an Azure Dewed State Configuration (DSC) extension
C. Azure Logic Apps
D. an Azure AD enterprise application

Answer: A

Explanation:
Microsoft recommends that you use Azure Key Vault to manage your access keys, and that you
regularly rotate and regenerate your keys. Using Azure Key Vault makes it easy to rotate your keys
without interruption to your applications. You can also manually rotate your keys.

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage

Question: 131

HOTSPOT

You have an Azure subscription that contains the virtual networks shown in the following table.

You create an Azure Cosmos DB account as shown in the exhibit. (Click the Exhibit tab.)

Page | 127
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:

Page | 128
Explanation:

Box 1: No
Connectivity Method: Private Network

Box 2: Yes
Private endpoint: Endpoint1 (Core (SQL)) (Vnet1)
VM1 is in Vnet1.

Box 3: No
VM2 is not in Vnet1.

Reference:
https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-cosmosdb-portal

Question: 132
You download an Azure Resource Manager template based on an existing virtual machine. The
template will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent the
password from being stored in plain text.
What should you create to store the password?

A. a Recovery Services vault and a backup policy

B. an Azure Key Vault and an access policy
C. an Azure Storage account and an access policy
D. Azure Active Directory (AD) identity protection and an Azure policy

Answer: B

Question: 133

HOTSPOT

You have an Azure subscription that contains the resources shown in the following table.

Page | 129
You need to deploy a load-balancing solution for two Azure web apps named App1 and App2 to meet
the following requirements:

App1 must support command injection protection.

App2 must be able to use a static public IP address.
App1 must have a Service Level Agreement (SLA) of 99.99 percent.
App2 load balancing solution must be able to autoscale.

Which resource should you use as the load-balancing solution for each app? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

App1=AGW1 and App2 =AGW2 .

refer to link below https://azure.microsoft.com/en-us/blog/taking-advantage-of-the-new-azure-
application-gateway-v2/

Question: 134
HOTSPOT

You have an Azure subscription named Subscription1.

In Subscription1, you create an alert rule named Alert1. The Alert1 action group is configured as
shown in the following exhibit.

Page | 130
Alert1 alert criteria is triggered every minute.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Answer:

Page | 131
Explanation:

Box 1: 60
One alert per minute will trigger one email per minute.

Box 2: 12
No more than 1 SMS every 5 minutes can be send, which equals 12 per hour.

Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular
phone number, email address or device. Rate limiting ensures that alerts are manageable and
actionable.

The rate limit thresholds are:

SMS: No more than 1 SMS every 5 minutes.
Voice: No more than 1 Voice call every 5 minutes.
Email: No more than 100 emails in an hour.
Other actions are not rate limited.

References:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/monitoring-and-
diagnostics/monitoring-overview-alerts.md

Question: 135
HOTSPOT

You network contains an Active Directory domain that is synced to Azure Active Directory (Azure AD)
as shown in the following exhibit.

Page | 132
You have a user account configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Page | 133
 Answer:

Explanation:

Box 1: No
Password writeback is disabled.

Note: Having a cloud-based password reset utility is great but most companies still have an on-
premises directory where their users exist. How does Microsoft support keeping traditional on-
premises Active Directory (AD) in sync with password changes in the cloud? Password writeback is a
feature enabled with Azure AD Connect that allows password changes in the cloud to be written back
to an existing on-premises directory in real time.

Box 2: No

Box 3: Yes
Yes, there is an Edit link for Location Info.

References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

Question: 136
DRAG DROP

You have an Azure virtual machine named VM1 that runs Windows Server 2016.

You install a line-to-business application on VM1.

Page | 134
You need to create an Azure virtual machine by using VM1 as a custom image.

Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Step 1: Run sysprep.exe on VM1.

If a template, or system image is used, System administrators must run the Sysprep tool to clear the
SID information. The Sysprep tool is usually one of the last tasks performed by a system
administrator when building a server image/template, that way each clone of the template will
generalize a new unique SID for every server image copied from the template and will prepare the
server for a first time boot.

The end result is a System template that functions as a new unique build every time it is deployed.

Step 2: From Azure CLI, deallocate VM1 and mark VM1 as generalized
To create an image, the VM needs to be deallocated. Deallocate the VM with Stop-AzVm. Then, set
the state of the VM as generalized with Set-AzVm so that the Azure platform knows the VM is ready
for use a custom image

Step 3: Create a virtual machine scale set

Now create a scale set with New-AzVmss that uses the -ImageName parameter to define the custom
VM image created in the previous step.

Page | 135
References:
https://thesolving.com/server-room/when-and-how-to-use-sysprep/

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-use-custom-image-
powershell

Question: 137
You have the following Azure Active Directory (Azure AD) tenants
• Contosoonmicrosoft.com Linked to a Microsoft Office 365 tenant and syncs to an Active Directory
forest named contoso.com by using password hash synchronization
• Contosoazure onmicrosoft.com Linked to an Azure subscription named Subscription1.
You need to ensure that you can assign the users in contoso.com access to the resources in
Subscription1. What should you do?

A. Configure contosoxHVTttcrosoft.com to use pass-through authentication.

B. Associate Subscription1 to contoso.onmicrosoft.com Reassign all the roles in Subscnption1.
C. Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.
onmicrosoft.com.
D. Configure Active Directory federation Services (AD FS) federation between
contosoazure.onmicrosoft.com and contoso.com.

Answer: C

Explanation:
Azure AD Connect allows you to quickly onboard to Azure AD and Office 365.

Note: The most common topology is a single on-premises forest, with one or multiple domains, and a
single Azure AD tenant. For Azure AD authentication, password hash synchronization is used. The
express installation of Azure AD Connect supports only this topology.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies

Question: 138

in the following table.

The subscription contains the storage accounts shown in the following table.

You create a Recovery Services vault named Vault1 in RG1 in the West US location.

You need to identify which storage accounts can be used to archive the diagnostics logs of Vault1.

Page | 136
Which storage accounts should you identify?

A. storage1 only
B. storage2 only
C. storage3 only
D. storage1 or storage2 only
E. storage1 or stoage3 only

Answer: D

Question: 139

DRAG DROP
You have an Azure subscription that contains a Basic App Service plan named webapp1plan.
Webapp1plan contains a web app named webapp1.
You need to deploy a new version of webapp1. The solution must meet the following requirements:
• Enable testing of new versions before their production release.
Minimize downtime of webapp1 during the deployment.
• Minimize costs.
Which four actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.

Answer:

Question: 140

You have an Azure key vault named KV1.

You need to implement a process that will digitally sign the blobs stored in Azure Storage. What is
required in KV1 to sign the blobs?

A. a key
B. a secret
C. a certificate

Answer: B

Explanation:
Use an Azure key vault secret to key of your blob storage account container.

Page | 137
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/integrate-databricks-blob-storage

Question: 141

HOTSPOT

You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following
exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

Page | 138
 Answer:

Explanation:

4 virtual machines
4 virtual machines

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-
autoscale-portal

Question: 142
You have a resource group named RG1 that contains the following:
• A virtual network that contains two subnets named Subnet 1 and AzureFirewallSubnet
• An Azure Storage account named contososa1
• An Azure firewall deployed to AzureFirewallSubnet
You need to ensure that contososa1 is accessible from Subnet 1 over the Azure backbone network.
What should you do?

A. Create a stored access policy for contososa1.

B. Remove the Azure firewall-
C. implement a virtual network service endpoint.
D. Modify the Firewall and virtual networks settings for contososa1.

Answer: C

Virtual Network (VNet) service endpoints extend your virtual network private address space and the
identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure
your critical Azure service resources to only your virtual networks. Traffic from your VNet to the
Azure service always remains on the Microsoft Azure backbone network.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-
overview

Question: 143

Page | 139
Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Cosmos DB database that contains a container named Container1. The partition
key for Container1 is set to /day. Container1 contains the items shown in the following table.

You need to programmatically query Azure Cosmos DB and retrieve item1 and item2 only.

Solution: You run the following query.

You set the EnableCrossPartitionQuery property to False.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Returns Item1 only as EnableCrossPartitionQuery property to False. If EnableCrossPartitionQuery
property is set to true, it will return Item1 and Item3.

Reference:

Page | 140
https://docs.microsoft.com/en-us/azure/cosmos-db/sql-query-where

Question: 144

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Cosmos DB database that contains a container named Container1. The partition
key for Container1 is set to /day. Container1 contains the items shown in the following table.

You need to programmatically query Azure Cosmos DB and retrieve item1 and item2 only.

Solution: You run the following query.

You set the EnableCrossPartitionQuery property to True.

Does this meet the goal?

A. Yes
B. No

Answer: B

Page | 141
Explanation:
Returns Item1, Item2, Item3, and Item4.

Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/sql-query-where

Question: 145

HOTSPOT

You deploy an Azure virtual machine scale set named VSSI that contains 30 virtual machine instances
across three zones in the same Azure region. The instances host an application named App1 that
must be accessible by using HTTP and HTTPS traffic. Currently, VSS1 is inaccessible from the internet.

You need to use Azure Load Balancer to provide access to App1 across all the instances from the
internet by using a single IP address.

What should you configure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Question: 146
You have several Azure web apps trial use access keys to access databases.
You plan to migrate the access keys to Azure Key Vault. Each app must authenticate by using Azure
Active Directory (Azure AD) to gain access to the access keys
What should you create m Azure to ensure that the apps can access the access keys?

A. managed identities
B. Azure policies
C. an App Service plan
D. managed applications

Answer: A

Explanation:
Azure Key Vault provides a way to securely store credentials and other secrets, but your code needs
to authenticate to Key Vault to retrieve them. Managed identities for Azure resources overview helps
to solve this problem by giving Azure services an automatically managed identity in Azure AD. You

Page | 142
can use this identity to authenticate to any service that supports Azure AD authentication, including
Key Vault, without having to display credentials in your code.

Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app

Question: 147

You set the multi-factor authentication status for a user named admin1@contosos.com to Enabled.
Adman 1 accesses the Azure portal by using a web browser.
Which additional security verifications can Admin 1 use when accessing the Azure portal?

A. on app password, a text message that contacts a verification code, and a verification code sent
from the Microsoft Authenticator app.
B. a phone call, an email message that contains a verification code, and a te*t message that contains
an app password
C. a phone call, a text, message that contains a verification code, and a notification on a verification
code sent from the Microsoft Authenticator app
D. an app password, a text message that contains a verification code, and a notification sent from the
Microsoft Authenticator app

Answer: C

Explanation:
The Microsoft Authenticator app can help prevent unauthorized access to accounts and stop
fraudulent transactions by pushing a notification to your smartphone or tablet. Users view the
notification, and if it's legitimate, select Verify. Otherwise, they can select Deny.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-
methods

Question: 148

You have an Azure SQL database named DB1.

You plan to create the following four tables in DB1 by using the following code:

A. Table 1
B. Table 2
C. Table 3
D. Table 4

Answer: B

Question: 149

You have an Azure subscription that contains the respond groups shown in the following table.

Page | 143
You have the Azure SQL servers shown in the following table.

You create an Azure SQL database named DB1 on Sql1 in an elastic pool named Pool1.
You need to create an Azure SOL database named DB2 In Pool 1.
Where should you deploy DB2?

A. Sql1
B. Sql 2
C. Sql 3
D. Sql 4

Answer: A

Explanation:
The databases in an elastic pool are on a single Azure SQL Database server and share a set number of
resources at a set price.

Reference:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-pool

Question: 150

HOTSPOT

You plan to deploy five virtual machines to a virtual network subnet.

Each virtual machine will have a public IP address and a private IP address.

Each virtual machine requires the same inbound and outbound security rules.

What is the minimum number of network interfaces and network security groups that you require?
To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Page | 144
 Answer:

By Default Inbound and Outbound Security Rules are same for all VMs. Therefore, if default rules
suffice, then there is no need for NSG at all. 5 NICs and 1 NSG for non-default Inbound and Outbound
Rules 5 Nics and 0 NSG for default Inbound and Outbound Rules.

Question: 151
You have an Azure subscription named Subscription1.
You deploy a Linux virtual machine named VM1 to Subscription1.
You need to monitor the metrics and the logs of VM1.
What should you use?

A. the Azure PerformanceDiagnostics extension

B. Azure Analytic Services
C. Linux Diagnostic Extension (LAD) 10
D. Azure HDinsight

Page | 145
 Answer: A

Explanation:
You can use extensions to configure diagnostics on your VMs to collect additional metric data.
The basic host metrics are available, but to see more granular and VM-specific metrics, you need to
install the Azure diagnostics extension on the VM. The Azure diagnostics extension allows additional
monitoring and diagnostics data to be retrieved from the VM.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-monitoring

Question: 152

You Wave an Acme Directory forest named contoso.com.

You install and configure Azure AD Connect to use password hath synchronization as the single sign-
on (SSO) method Staging mode is enabled
You review the synchronization results and discover that the Synchronization Service Manager does
not display any sync jobs.
You need to ensure that the synchronization completes successfully.
What should you do?

A. From Synchronization Service Manager, run a full import

B. From Azure PowerShell, run Start-AdSyncCycle -PolicyType initial.
C. Run Azure AD Connect and set the SSO method to Pass-through Authentication
D. Run Azure AD Connect and disable staging mode.

Answer: D

Explanation:
In staging mode, the server is active for import and synchronization, but it does not run any exports.
A server in staging mode is not running password sync or password writeback, even if you selected
these features during installation. When you disable staging mode, the server starts exporting,
enables password sync, and enables password writeback.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-staging-server

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-operations

Question: 153

Your on-premises network contains 100 virtual machines that run Windows Server 2019.
You have an Azure subscription that contains an Azure Log Analytics workspace named Workspace1.
You need to collect errors from the Windows event logs on the virtual machines.
Which two actions should you perform' Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Configure the Data Collection settings for Workspace1.

B. Deploy the Microsoft Monitoring Agent
C. Create an Azure Event Grid domain
D. Create an Azure Sentinel workspace.
E. Configure Windows Event Forwarding on the virtual machines

Page | 146
 Answer: AB

Explanation:
The Azure Log Analytics agent collects telemetry from Windows and Linux virtual machines in any
cloud, on-premises machines, and those monitored by System Center Operations Manager and
sends it collected data to your Log Analytics workspace in Azure Monitor.

Note: You may also see the Log Analytics agent referred to as the Microsoft Monitoring Agent (MMA)
or OMS Linux agent.

Data is collected using the Log Analytics agent, which reads various security-related configurations
and event logs from the machine and copies the data to your workspace for analysis.

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent

https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

Question: 154

HOTSPOT

You have an on-premises data center and an Azure subscription. The data center contains two VPN
devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway
subnet.

You need to create a site-to-site VPN. The solution must ensure that is a single instance of an Azure
VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption
that is longer than two minutes.

What is the minimum number of public IP addresses, virtual network gateways, and local network
gateways required in Azure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Page | 147
 Answer:

Explanation:

Box 1: 2
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell

Box 2: 2
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any
planned maintenance or unplanned disruption that happens to the active instance, the standby
instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet
connections.

Box 3: 2
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks

References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

Question: 155
You create an Azure Kubernetes Service (AKS) duster and an Azure Container Registry.
You need to perform continuous deployments of a containerized application to the AKS cluster as
soon as the image updates in the registry.
What should you use to perform the deployments?

A. an Azure Pipelines release pipeline

B. an Azure Automation runbook
C. an Azure Resource Manager template
D. a kubectl script from a CRON job

Page | 148
 Answer: A

Explanation:
You can implement a Continuous Deployment pipeline.

Example:

What the pipeline accomplishes :

Stage 1: The code gets pushed in the Github. The Jenkins job gets triggered automatically. The
Dockerfile is checked out from Github.

Stage 2: Docker builds an image from the Dockerfile and then the image is tagged with the build
number. Additionally, the latest tag is also attached to the image for the containers to use.

Stage 3: We have default deployment and service YAML files stored on the Jenkins server. Jenkins
makes a copy of the default YAML files, make the necessary changes according to the build and put
them in a separate folder.

Stage 4: kubectl was initially configured at the time of setting up AKS on the Jenkins server. The YAML
files are fed to the kubectl util which in turn creates pods and services.

Reference:
https://medium.com/velotio-perspectives/continuous-deployment-with-azure-kubernetes-service-
azure-container-registry-jenkins-ca337940151b

Question: 156

You create an Azure Kubernetes Service (AKS) cluster configured as shown in the exhibit. (Click the
Exhibit tab.)

Page | 149
You deploy a containerized application named App1 to the agentPool node pool.

You need to create a containerized application named App2 that runs on four nodes of size DS3 v2.

What should you do first?

A. Create a new node pool.

B. modify the autoscaling settings for the agentPool node.
C. Enable virtual nodes for the AKS cluster.
D. Upgrade the AKS cluster.

Answer: A

Page | 150
Explanation:
Changing the agent size is not allowed. In the future Microsft plans to support multiple node pools
wherein you can create different pools with different VM sizes.

Reference:
https://github.com/Azure/AKS/issues/132

Question: 157

You have an Azure web app that runs in a Premium App Service plan.
Developers plan to update the app weekly.
You need to ensure that the app can be twitched from the current version to the new version. The
solution must meet the following requirements
• Provide the developers with the ability to test the app m Azure prior to switching versions Testing
must use the same app instance
• Ensure that the app version can be rolled back.
• Minimize downtime.
what should you do?

A. Create a deployment slot.

B. Add an instance of the app to the scale set
C. Copy the App Service plan.
D. Create an Azure Active Directory (Azure AD) enterprise application

Answer: A

Explanation:
Azure Functions deployment slots allow your function app to run different instances called "slots".
Slots are different environments exposed via a publicly available endpoint. One app instance is
always mapped to the production slot, and you can swap instances assigned to a slot on demand.

There are a number of advantages to using deployment slots. The following scenarios describe
common uses for slots:
Different environments for different purposes: Using different slots gives you the opportunity to
differentiate app instances before swapping to production or a staging slot.
Easy fallbacks: After a swap with production, the slot with a previously staged app now has the
previous production app. If the changes swapped into the production slot aren't as you expect, you
can immediately reverse the swap to get your "last known good instance" back.
Prewarming

Reference:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-deployment-slots

Question: 158

Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Cosmos DB database that contains a container named Container1. The partition

Page | 151
key for Container1 is set to /day. Container1 contains the items shown in the following table.

You need to programmatically query Azure Cosmos DB and retrieve item1 and item2 only.

Solution: You run the following query.

You set the EnableCrossPartitionQuery property to True.

Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:
Returns Item1 and Item2 only.

Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/sql-query-where

https://docs.microsoft.com/en-
us/dotnet/api/microsoft.azure.documents.client.feedoptions.enablecrosspartitionquery?view=azure
-dotnet

Question: 159

Page | 152
You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases
named DB1 and DB2.
You plan to move DB1 and DB2 to Azure.
You need to implement Azure services to host DB1 and DB2. The solution must support server-side
transactions across DB1 and D&2.
Solution: You deploy DB1 and DB2 to an Azure SQL Database managed instance.
Does this meet the goal?

A. Yes
B. No

Answer: B

Question: 160

You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases
named DB1 and DB2.
You plan to move DB1 and DB2 to Azure.
You need to implement Azure services to host DB1 and DB2. The solution must support server-side
transactions across DB1 and DB2.
Solution: You deploy DB1 and DB2 as Azure SQL databases on the some Azure SQL Database server.
Does this meet the goal?

A. Yes
B. NO

Answer: B

Question: 161

You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases
named DB1 and DB2.
You plan to move DB1 and DB2 to Azure.
You need to implement Azure services to host DB1 and DB2. The solution must support server-side
transactions across DB1 and DB2.
Solution: You deploy DB1 and DB2 to SQL Server on an Azure virtual machine.
Does this meet the goal?

A. Yes
B. NO

Answer: A

Explanation:
Understanding distributed transactions.
When both the database management system and client are under the same ownership (e.g. when
SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be
controlled.

Reference:
https://docs.particular.net/nservicebus/azure/understanding-transactionality-in-azure

Page | 153
Question: 162

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named
contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local
domain sync to Azure AD.

Solution: You use Azure AD Connect to customize the synchronization options.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead use Synchronization Rules Editor to create a synchronization rule.

Note: Filtering what objects are synced to Azure AD is a common request and there are many
instances where filtering by OU just doesn't cut it. One option is to filter users by their UPN suffix so
that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g.,
john.doe@acme.com would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI (Synchronization Rules Editor) or PowerShell.

Reference:
https://www.sidekicktech.com/blog/field-notes/2019/upn-suffix-filtering-ad-connect/

Question: 163

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named

Page | 154
contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local
domain sync to Azure AD.

Solution: You use Synchronization Rules Editor to create a synchronization rule.

Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:
Filtering what objects are synced to Azure AD is a common request and there are many instances
where filtering by OU just doesn't cut it. One option is to filter users by their UPN suffix so that only
users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., john.doe@acme.com
would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI or PowerShell.

Through GUI:
Using The Synchronization Rules Editor

1. Open the Synchronization Rules Editor on the server where Azure AD Connect is installed.

2. Click the Add new rule button on the View and manage your synchronization rules window.
3. Fill out the appropriate fields on the Description tab and click Next >.
4. On the Scoping filter tab, click Add group, then Add clause, add a userPrincipalName attribute
filter, and click Next >.

Attribute: userPrincipalName
Operator: ENDSWITH
Value: Your internal UPN suffix prefixed with @ (e.g., @internal.acme.com). Users with this UPN
suffix will NOT be synced with Office 365.

Page | 155
Reference:
https://www.sidekicktech.com/blog/field-notes/2019/upn-suffix-filtering-ad-connect/

Question: 164

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named
contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local
domain sync to Azure AD.

Solution: You use the Synchronization Service Manager to modify the Active Directory Domain
Services (AD DS) Connector.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead use Synchronization Rules Editor to create a synchronization rule.

Page | 156
Note: Filtering what objects are synced to Azure AD is a common request and there are many
instances where filtering by OU just doesn't cut it. One option is to filter users by their UPN suffix so
that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g.,
john.doe@acme.com would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI (Synchronization Rules Editor) or PowerShell.

Reference:
https://www.sidekicktech.com/blog/field-notes/2019/upn-suffix-filtering-ad-connect/

Question: 165

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Cosmos DB database that contains a container named Container1. The partition
key for Container1 is set to /day. Container1 contains the items shown in the following table.

You need to programmatically query Azure Cosmos DB and retrieve Item1 and Item2 only.

Solution: You run the following query.

SELECT id FROM c

Page | 157
 WHERE c.day = "Mon" OR c.day = "Tue"

You set the EnableCrossPartitionQuery property to False.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Returns Item1 only as EnableCrossPartitionQuery property to False. If EnableCrossPartitionQuery
property is set to true, it will return Item1, Item2, and Item3.

Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/sql-query-where

https://docs.microsoft.com/en-
us/dotnet/api/microsoft.azure.documents.client.feedoptions.enablecrosspartitionquery?view=azure
-dotnet

Question: 166

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named
contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local
domain sync to Azure AD.

Solution: You use the Synchronization Service Manager to modify the Metaverse Designer tab.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead use Synchronization Rules Editor to create a synchronization rule.

Note: Filtering what objects are synced to Azure AD is a common request and there are many

Page | 158
instances where filtering by OU just doesn't cut it. One option is to filter users by their UPN suffix so
that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g.,
john.doe@acme.com would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI (Synchronization Rules Editor) or PowerShell.

Reference:
https://www.sidekicktech.com/blog/field-notes/2019/upn-suffix-filtering-ad-connect/

Question: 167

You have an Azure subscription named Subscription1.

You create several Azure virtual machines in Subscription1. All of the virtual machines belong to the
same virtual network.
You have an on-premises Hyper-V server named Server1. Server1 hosts a virtual machine named
VM1.
You plan to replicate VM1 to Azure.
You need to create additional objects in Subscription1 to support the planned deployment.
Which three objects should you create? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Hyper-V site
B. Azure Recovery Services Vault
C. storage account
D. replication policy
E. Azure Traffic Manager instance
F. endpoint

Answer: ABD

"There's no need to specify storage accounts to store the backup data. The Recovery Services vault
and the Azure Backup service handle that automatically." (Source: https://docs.microsoft.com/en-
us/azure/backup/backup-create-rs-vault)

Question: 168

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named
contoso.com without syncing any accounts.
You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local
domain sync to Azure AD.
What should you do?

A. Use the Synchronization Service Manager to modify the Metaverse Designer tab.
B. Use Azure AD Connect to customize the synchronization options.
C. Use the Synchronization Rules Editor to create a synchronization rule.
D. Use Synchronization Service Manager to modify the Active Directory Domain Services (AD DS)
Connector.

Answer: C

Explanation:

Page | 159
Filtering what objects are synced to Azure AD is a common request and there are many instances
where filtering by OU just doesn't cut it. One option is to filter users by their UPN suffix so that only
users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., john.doe@acme.com
would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI or PowerShell.

Through GUI:
Using The Synchronization Rules Editor

1. Open the Synchronization Rules Editor on the server where Azure AD Connect is installed.

2. Click the Add new rule button on the View and manage your synchronization rules window.
3. Fill out the appropriate fields on the Description tab and click Next >.
4. On the Scoping filter tab, click Add group, then Add clause, add a userPrincipalName attribute
filter, and click Next >.

Attribute: userPrincipalName
Operator: ENDSWITH
Value: Your internal UPN suffix prefixed with @ (e.g., @internal.acme.com). Users with this UPN
suffix will NOT be synced with Office 365.

Reference:

Page | 160
https://www.sidekicktech.com/blog/field-notes/2019/upn-suffix-filtering-ad-connect/

Question: 169

You have an Azure SQL database named DB1.

You plan to create the following four tables in DB1 by using the following code.

Page | 161
You need to identify which table must be created last.

What should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

A. Table1

Page | 162
B. Table2
C. Table3
D. Table4

Answer: B

Explanation:
Table1 references Table4. Therefore Table4 must be created before Table1.

Table2 references Table1 and Table3. Therefore Table1 and Table3 must be created before Table2.

Note: FOREIGN KEY REFERENCES is a constraint that provides referential integrity for the data in the
column or columns. FOREIGN KEY constraints require that each value in the column exists in the
corresponding referenced column or columns in the referenced table. FOREIGN KEY constraints can
reference only columns that are PRIMARY KEY or UNIQUE constraints in the referenced table or
columns referenced in a UNIQUE INDEX on the referenced table.

Incorrect Answers:
A: Table1 is referenced by Table2 and should be crated before Table2.
C: Table3 is referenced by Table2 and should be crated before Table2.
D: Table4 is referenced by Table1 and should be crated before Table1.

Reference:
https://docs.microsoft.com/en-us/sql/t-sql/statements/create-table-transact-sql?view=sql-server-
ver15

Question: 170

You have an Azure Cosmos DB account named Account1. Account1 includes a database named DB1
that contains a container named Container1. The partition key for Container1 is set to /city.

You plan to change the partition key for Container1.

What should you do first?

A. Delete Container1.
B. Create a new Azure Cosmos DB account.
C. Implement the Azure Cosmos DB.NET.SDK.
D. Regenerate the keys for Account1.

Answer: B

Explanation:
The Change Feed Processor and Bulk Executor Library, in Azure Cosmos DB can be leveraged to
achieve a live migration of your data from one container to another. This allows you to re-distribute
your data to match the desired new partition key scheme, and make the relevant application changes
afterwards, thus achieving the effect of “updating your partition key”.

Incorrect Answers:
A: It is not possible to “update” your partition key in an existing container.

Reference:
https://devblogs.microsoft.com/cosmosdb/how-to-change-your-partition-key/

Page | 163
Question: 171

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases
named DB1 and DB2.
You plan to move DB1 and DB2 to Azure.
You need to implement Azure services to host DB1 and DB2. The solution must support erver-side
transactions across DB1 and DB2.

Solution: You deploy DB1 and DB2 as Azure SQL databases each on a different Azure SQL Database
server.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead deploy DB1 and DB2 to SQL Server on an Azure virtual machine.

Note: Understanding distributed transactions.

When both the database management system and client are under the same ownership (e.g. when
SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be
controlled.

Reference:
https://docs.particular.net/nservicebus/azure/understanding-transactionality-in-azure

Question: 172

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases
named DB1 and DB2.

You plan to move DB1 and DB2 to Azure.

Page | 164
You need to implement Azure services to host DB1 and DB2. The solution must support server-side
transactions across DB1 and DB2.

Solution: You deploy DB1 and DB2 as Azure SQL databases on the same Azure SQL Database server.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead deploy DB1 and DB2 to SQL Server on an Azure virtual machine.

Note: Understanding distributed transactions.

When both the database management system and client are under the same ownership (e.g. when
SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be
controlled.

Reference:
https://docs.particular.net/nservicebus/azure/understanding-transactionality-in-azure

Question: 173

HOTSPOT
You plan to implement an access review to meet the following requirements:

The access review must be enforced until otherwise configured.

Each user or group that has access to the Azure environment must be in the scope of the access
review.
The access review must be completed within two weeks.
A lack of response must not cause changes in the operational environment.

An administrator creates the access review shown in the answer area.

Which two sections of the access review should you modify to meet the requirements? To answer,
select the appropriate sections in the answer area.

NOTE: Each correct selection is worth one point.

Page | 165
Answer:

Page | 166
Page | 167
Explanation:

Area 1: Start date..End Date

The access review must be enforced until otherwise configured. We set End: Never

The access review must be completed within two weeks. We set Duration (in days) to 14

Area 2: Upon completion settings

A lack of response must not cause changes in the operational environment. We set 'If reviewers don't
respond: No change (which leave user's access unchanged)

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

Question: 174
You are creating an app that will transcribe speech-to-text in Chinese. The app will use the Speech
service in Azure and will authenticate by using a service principal. You configure the app to use the
Application ID of the service principal and the client secret Which other value should you add to the
app to authenticate to the Speech service?

A. Subscription ID
B. Tenant ID
C. Application Name
D. Resource Group ID

Answer: D

Question: 175

You have an Azure subscription that contains the resources shown in the following table.

A certificate named Certificate! is stored in Vault!

You need to grant VM1 and VM2 access to Certificate1 by using the same security principal.
What should you do?

A. Create an Azure Active Directory (Azure AD) user. Create an access policy for Vaultl. Assign the
access policy to the user. Configure a user-assigned managed identity forVMl andVM2.
B. Create a managed identity. Assign the Key Vault Reader role-based access control (RBAC) role for
Vault 1 to the managed identity. Configure a system-assigned managed identity for VM1 and VM2.
C. Create an Azure Active Directory (Azure AD) user. Assign the Key Vault Reader role-based access
control (RBAC) role for Vaultl to the user. Configure a user-assigned managed identity for VM1 and
VM2.
D. Create a managed identity. Add the Vaultl access policy to the managed identity. Configure a user-
assigned managed identity for VM1 and VM2.

Answer: C

Page | 168
Question: 176

HOTSPOT

Subnet1 contains a virtual appliance named VM1 that operates as a router.

You create a routing table named RT1.
You need to route all inbound traffic to VNet1 through VM1.
How should you configure RT1? To answer, select the appropriate options in the answer area.
You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP
address space of 10.0.0.0/16 and contains the subnets in the following table.

Answer:

Box 1: 10.0.0.0/16 Address prefix destination-> Vnet 1 (Address space of Vnet1)

Box 2: Virtual appliance Next hop type VM1 ->Virtual Appliance. You can specify IP address of VM 1
when configuring next hop as Virtual appliance.
Box 3: Gateway Subnet Assigned to This route is to be followed by Gateway Subnet for the incoming
traffic. You can associate routing table to the Subnet from Rout Table -> subnet ->Associate.
Question: 177
You manage a solution in Azure that consists of a single application which runs on a virtual machine
(VM).
Traffic to the application has increased dramatically.
The application must not experience any downtime and scaling must be dynamically defined.
You need to define an auto-scale strategy to ensure that the VM can handle the workload.
Which three options should you recommend? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Deploy application automatic vertical scaling.

B. Create a VM availability set.
C. Create a VM scale set.
D. Deploy application automatic horizontal scaling.
E. Deploy a custom auto-scale implementation.

Page | 169
 Answer: CDE

https://stackoverflow.com/questions/38112816/difference-in-azure-availability-sets-and-scale-sets

Question: 178

You have an Azure subscription that contains the Azure virtual machines shown in the following
table.

You create an Azure key vault named Vaultl in the East US location.
You need to identify which virtual machines can enable Azure Disk Encryption by using Vaultl.
Which virtual machines should you identify?

A. VM1.VM2, and VM4 only

B. VM1.VM2, and VM3 only
C. VM2 and VM3 only
D. VM3 only

Answer: A

Question: 179

You monitor Azure virtual machines by using Azure Monitor.

You plan to restart the virtual machines when CPU usage exceeds 95 percent for more than 30
minutes.
You need to create an alert in Azure Monitor to restart the virtual machines. The solution must
minimize administrative effort.
Which type of action should you use in the alert?

A. Automation Runbook
B. Logic App
C. Webhook
D. ITSM

Answer: A

Automation runbooks allows you to automatically perform standard remediations in response to VM

alerts, like restarting or stopping the VM.

Previously, during VM alert rule creation you were able to specify an Automation webhook to a
runbook in order to run the runbook whenever the alert triggered. However, this required you to do
the work of creating the runbook, creating the webhook for the runbook, and then copying and
pasting the webhook during alert rule creation. With this new release, the process is much easier
because you can directly choose a runbook from a list during alert rule creation, and you can choose
an Automation account which will run the runbook or easily create an account.

Page | 170
Reference:
https://azure.microsoft.com/en-us/blog/automatically-remediate-azure-vm-alerts-with-automation-
runbooks/

Question: 180

You have an Azure subscription that contains a policy-based virtual network gateway named GW1
and a virtual network named VNetl. You need to ensure that you can configure a point to-site
connection from an on-premises computer to VNetV. Which two actions should you perform? Each
correct answer presents part of the solution. NOTE: Each correct selection is worth one point

A. Delete GW1.
B. Reset GW1.
C. Add a service endpomt to VNetl.
D. Add a connection to GW1.
E. Add a public IP address space to VNetl.
F. Create a route-based virtual network gateway.

Answer: A, F

Question: 181

You have a server named Server1 that runs Windows Server 2019. Server! is a container host.
You plan to create a container image.
You create the following instructions in a text editor.

You need 10 be able to automate the container image creation by using the instructions. To which file
should you save the instructions?

A. Dockerfile
B. daemon.json
C. dockerconfig.json
D. dockerconfig.sjon

Answer: A

Question: 182

You plan to create an Azure logic app that will access secrets stored in an Azure key vault.
You need to ensure that the logic app can authenticate to the key vault by using Azure Active
Directory (Azure ADJ.
What should you do?

A. Turn on the system-assigned managed identity.

B. Add an Azure Active Directory authorization policy.
C. Create an app registration.
D. Modify the access keys.

Page | 171
 Answer: B

Question: 183

You have a resource group named RG5. The access controls for RG5 are configured as shown in the
following exhibit.

Which users can deploy virtual networks to RG5?

A. User1, User2, and prvi

B. only User1 and User2
C. only User1
D. only prvi and User1

Answer: D

Explanation:
User1, the Network Contributor, can create and manage networks, but not access to them.
Prvi, the Owner, can create and manage resources of all types.

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Question: 184

Page | 172
You create the user-assigned identities shown in the following table.

You create a virtual machine that has the following configurations:

• Name:VM1
• Location: West US
• Resource group: RG1
Which managed identities can you add to VM1?

A. Identity1 and Identity2 only

B. Identity1 only
C. Identity1, idenity2 and Identity3
D. Identity1 and Identity3 only

Answer: C

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-
resources/managed-identities-faq

Question: 185

HOTSPOT

You are designing a virtual network to support a web application. The web application uses Blob
storage to store large images. The web application will be deployed to an Azure App Service Web
App.

You have the following requirements:

Secure all communications by using Secured Socket layer (SSL)

SSL encryption and decryption must be processed efficiently to support high traffic load on the web
application
Protect the web application from web vulnerabilities and attacks without modification to backend
code
Optimize web application responsiveness and reliability by routing HTTP request and responses to
the endpoint with the lowest network latency for the client.

You need to configure the Azure components to meet the requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Page | 173
 Answer:

Explanation:

Box 1: Azure application Gateway

Azure Application Gateway supports end-to-end encryption of traffic. Application Gateway
terminates the SSL connection at the application gateway. The gateway then applies the routing rules
to the traffic, re-encrypts the packet, and forwards the packet to the appropriate back-end server
based on the routing rules defined. Any response from the web server goes through the same
process back to the end user.

Box 2: Azure application Gateway

https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

Box 3: Azure Traffic Manager

Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic
optimally to services across global Azure regions, while providing high availability and
responsiveness.

References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-
powershell

https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview

https://docs.microsoft.com/en-us/azure/security-center/security-center-intro

Question: 186
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin
center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the

Page | 174
other Identity Governance settings are available,
Admin1 is assigned the User administrator. Compliance administrator, and Security administrator
roles.
You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You purchase an Azure Active Directory Premium P2 license for contoso.com
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead use Azure AD Privileged Identity Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that
you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-
configure

Question: 187

You have an Azure subscription that contains an Azure Sentinel workspace. Sentinel is configured to
monitor several Azure resources.
You need to send notification emails to resource owners when alerts or recommendations are
generated for a resource.
What should you use?

A. Logic Apps Designer

B. Azure Security Center
C. Azure Pipelines
D. Azure Machine Learning Studio

Answer: A

Explanation:
Currently there is no built-in functionality that notifies you via email if there is an incident that is
generated in Azure Sentinel. However, you can set up an Azure Logic App playbook to send incident
information to your email.

Reference:
https://azsec.azurewebsites.net/2020/01/19/notify-azure-sentinel-alert-to-your-email-
automatically/

Question: 188

DRAG DROP

You have an Azure virtual machine named VM1 that runs Windows Server 2016.

Page | 175
You install a line-of-business application on VM1.

You need to create a scale set by using VM1 as a custom image.

Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Step 1: Run sysprep.exe on VM1.

The final step to prepare your VM for use as a custom image is to generalize the VM. Sysprep
removes all your personal account information and configurations, and resets the VM to a clean state
for future deployments.

Step 2: From Azure CLI, deallocate VM1 and mark VM1 as generalized,
To create an image, the VM needs to be deallocated. Deallocate the VM with Stop-AzVm. Then, set
the state of the VM as generalized with Set-AzVm so that the Azure platform knows the VM is ready
for use a custom image. You can only create an image from a generalized VM.
It may take a few minutes to deallocate and generalize the VM.
Then create an image of the VM with New-AzImageConfig and New-AzImage.

Step 3: Create a virtual machine scale set.

Create a scale set with New-AzVmss that uses the -ImageName parameter to define the custom VM
image created in the previous step.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-use-custom-image-
powershell

Question: 189
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Page | 176
You have an Azure subscription.

You have an on-premises file server named Server1 that runs Windows Server 2019.

You manage Server1 by using Windows Admin Center.

You need to ensure that if Server1 fails, you can recover Server1 files from Azure.

Solution: You create an Azure Storage account and an Azure Storage Sync service. You configure
Azure File Sync for Server1.

Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:
Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the
flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms
Windows Server into a quick cache of your Azure file share.

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard
Server Message Block (SMB) protocol. Azure file shares can be mounted concurrently by cloud or on-
premises deployments of Windows, Linux, and macOS. Additionally, Azure file shares can be cached
on Windows Servers with Azure File Sync for fast access near where the data is being used.

Azure file shares can be used to:

Replace or supplement on-premises file servers:

Azure Files can be used to completely replace or supplement traditional on-premises file servers or
NAS devices. Popular operating systems such as Windows, macOS, and Linux can directly mount
Azure file shares wherever they are in the world. Azure file shares can also be replicated with Azure
File Sync to Windows Servers, either on-premises or in the cloud, for performance and distributed
caching of the data where it's being used.

Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

Question: 190

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure subscription.

You have an on-premises file server named Server1 that runs Windows Server 2019.

Page | 177
You manage Server1 by using Windows Admin Center.

You need to ensure that if Server1 fails, you can recover Server1 files from Azure.

Solution: From the Azure portal, you create a Recovery Services vault. On Server1, you install the
Azure Backup agent and you successfully perform a backup.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead use Azure Storage Sync service and configure Azure File.

Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the
flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms
Windows Server into a quick cache of your Azure file share.

Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

Question: 191

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure subscription.

You have an on-premises file server named Server1 that runs Windows Server 2019.

You manage Server1 by using Windows Admin Center.

You need to ensure that if Server1 fails, you can recover Server1 files from Azure.

Solution: You register Windows Admin Center in Azure and configure Azure Backup.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead use Azure Storage Sync service and configure Azure File.

Page | 178
Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the
flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms
Windows Server into a quick cache of your Azure file share.

Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

Question: 192

HOTSPOT

You need to design an authentication solution that will integrate on-premises Active Directory and
Azure Active Directory (Azure AD). The solution must meet the following requirements:

Active Directory users must not be able to sign in to Azure AD-integrated apps outside of the sign-in
hours configured in the Active Directory user accounts.
Active Directory users must authenticate by using multi-factor authentication (MFA) when they sign
in to Azure AD-integrated apps.
Administrators must be able to obtain Azure AD-generated reports that list the Active Directory users
who have leaked credentials.
The infrastructure required to implement and maintain the solution must be minimized.

What should you include in the solution? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Box 1: Pass-through Authentication with Azure AD Seamless SSO

Azure AD Seamless SSO versus Active Directory Federation Services
Companies with a security requirement to immediately enforce on-premises user account states,
password policies, and sign-in hours might use Azure AD Pass-through Authentication.
You can combine Pass-through Authentication with the Seamless Single Sign-On feature.

Note: Azure AD supports the following authentication methods for hybrid identity solutions.

Page | 179
Azure AD password hash synchronization
Azure AD Pass-through Authentication

Box 2: Azure MFA

One key benefit with Azure AD Pass-through Authentication is that it works seamlessly with Azure
MFA.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

Question: 193

You have an application that is hosted across multiple Azure regions.

You need to ensure that users connect automatically to their nearest application host based on
network latency.
What should you implement?

A. Azure Application Gateway

B. Azure Load Balancer
C. Azure Traffic Manager
D. Azure Bastion

Answer: C

Explanation:
Azure Traffic Manager is a DNS-based traffic load balancer. This service allows you to distribute traffic
to your public facing applications across the global Azure regions. Traffic Manager also provides your
public endpoints with high availability and quick responsiveness.
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview

Question: 194

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company is deploying an on-premises application named App1. Users will access App1 by using
a URL of https://app1.contoso.com.

You register App1 in Azure Active Directory (Azure AD) and publish App1 by using the Azure AD
Application Proxy.

You need to ensure that App1 appears in the My Apps portal for all the users.

Solution: You modify User and Groups for App1.

Does this meet the goal?

Page | 180
A. Yes
B. No

Answer: A

Explanation:
Assigning users and groups to individual applications in Azure AD controls the visibility of the link.
If you want only a subset of your users to see the link in the Azure AD My Apps portal, configure user
assignment as follows:
In the menu on the left, select Properties.
Set User assignment required to Yes.
Click Save.
In the menu on the left, click Manage > Users and groups.
Click Add user.
Select Users.
Select the users or groups that you want to provision. If you select a group, all members of the group
are provisioned.
Click Select.
Click Assign.
It might take several minutes for a link to show up in the My Apps portal.

Reference:
https://cloud.google.com/architecture/identity/integrating-google-services-and-apps-with-azure-ad-
portal#adding_links

Question: 195

You have an Azure subscription that contains the resources shown in the following table.

You need to grant App1 read-only access to Table1. What should you use?

A. a storage access key

B. an X.509 certificate
C. anonymous public read access
D. a shared access signature (SAS)

Answer: D

Question: 196

You have an Azure subscription that contains a virtual machine named VM1 and a Recovery Services
vault named Vault 1. VM1 runs Linux.
VM1 is backed up to Vault1 daily.
You need to ensure that you can perform application-consistent backups of VM1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Modify the backup policy of VM1.

B. Create the prescript and post-script files and copy the files to VM1.

Page | 181
C. Modify the VMSnapshotScriptPluginConfig.json configuration file and copy the file to VM1.
D. On VM1. install the VM Snapshot Linux extension for Azure Backup.
E. From Vault1, create a new automation task.

Answer: DE

Question: 197

HOTSPOT
You have an Azure App Service web app named webapp1 and an Azure key vault named kv1.
You need to ensure that webapp1 can retrieve secrets stored in kv1.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Question: 198
You have an Azure subscription that contains an Azure Cosmos DB account. The account is in the East
US Azure region and contains three databases. You need to migrate the metadata and databases of
the account to the West US Azure region. The solution must minimize administrative effort. What
should you do first?

A. Create a new account.

B. Add the West US region to the Cosmos DB account.
C. Run the New-AzMigrateProject cmdlet.
D. Run the Hove-AzResource cmdlet.

Answer: B

Question: 199

You have an Azure subscription named Sub1 that has a subscription ID of 12ab3cd4-5e67-8901-f234-
g5hi67jkl8m9.

In Sub1, you create an Azure Storage account named storage1 and a table named Table1.

Which URI should you use to access Table1?

A. https://storage.core.windons.net/12ab3cd4-5e67-8901-f234-g5hi67jkl8m9/storagel/table1
B. https://sub1.core.windows.net/storagel/table1
C. https://table1.table.core.windows.net/storage1

Page | 182
D. https://storagel.table.core.windows.net/table1

Answer: D

Reference:
https://docs.microsoft.com/en-us/azure/storage/tables/table-storage-overview

Question: 200

HOTSPOT

You have an on-premises server that runs Windows Server 2019 and hosts a web app named App1.

You have an Azure subscription named Subscription1.

You plan to migrate App1 to Subsciption1 by using Azure Migrate.

To which type of Azure service will App1 be migrated, and what should you provide during the
migration? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Page | 183
Reference:
https://docs.microsoft.com/en-us/learn/modules/migrate-app-service-migration-assistant/6-
exercise-migration

Question: 201

You have an Azure key vault named KV1 and an Azure web app named WebApp1. WebApp1 runs in a
Shared App Service plan.

You need to grant WebApp1 permissions to KV1.

What should you do?

A. Change to a Standard App Service plan.

B. Add a certificate to WebApp1
C. Change to a Basic App Service plan.
D. Add a managed identity to WebApp1.

Answer: D

Reference:
https://thecodeblogger.com/2020/06/03/azure-web-app-and-managed-identity-to-access-key-vault/

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

Question: 202

HOTSPOT

You have an Azure subscription that contains 20 virtual machines. The virtual machines run Windows
Server 2019.

You need to enable Update Management and deploy the required agents to the virtual machines.

What should you do? To answer, select the appropriate options in the answer area.

Page | 184
NOTE: Each correct selection is worth one point.

Answer:

Reference:
https://docs.microsoft.com/en-us/azure/automation/update-management/enable-from-
automation-account

Question: 203
You have an Azure Kubernetes Service (AKS) cluster named aks1.

You need to enable the cluster autoscaler on aks1.

Which command should you run in Azure CLI?

A. kubeccl autoscale
B. az aks scale
C. kubectl apply
D. az ales update

Answer: D

Reference:
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler#create-an-aks-cluster-and-enable-
the-cluster-autoscaler

Question: 204

Page | 185
You have an Azure subscription that contains the virtual networks shown in the following table.

You need to recommend a connectivity solution that will enable the virtual machines on VNET1 and
VNET2 to communicate through the Microsoft backbone infrastructure.

What should you include in the recommendation?

A. Azure ExpressRoute
B. peering
C. a point-to-site VPN
D. a site-to-site VPN

Answer: B

Explanation:
Virtual network peering enables you to seamlessly connect Azure virtual networks. Once peered, the
virtual networks appear as one, for connectivity purposes. The traffic between virtual machines in
the peered virtual networks is routed through the Microsoft backbone infrastructure, much like
traffic is routed between virtual machines in the same virtual network, through private IP addresses
only. Azure supports:
VNet peering - connecting VNets within the same Azure region
Global VNet peering - connecting VNets across Azure regions

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Question: 205

DRAG DROP
You have virtual machines (VMs) that run a mission-critical application.
You need to minimize the possibility that the application will experience downtime.
What should you recommend? To answer, drag the appropriate solutions to the correct scenarios.
Each solution may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Answer:

Page | 186
Question: 206
You have an Azure subscription that contains 20 virtual machines. The virtual machines require
authenticated access to several Azure resources.
You need to ensure that the virtual machines can authenticate by using Azure Active Directory (Azure
AD).
Solution: You create and configure an app registration in the Azure AD tenant.
Does this meet the goal?

A. Yes
B. No

Answer: A

Question: 207

You have an Azure subscription that contains 20 virtual machines. The virtual machines require
authenticated access to several Azure resources.
You need to ensure that the virtual machines can authenticate by using Azure Active Directory (Azure
AD).
Solution: You configure the Access control (IAM) settings for each virtual machine.
Does this meet the goal?

A. Yes
B. No

Answer: A

Question: 208

You have an Azure subscription that contains 20 virtual machines. The virtual machines require
authenticated access to several Azure resources.
You need to ensure that the virtual machines can authenticate by using Azure Active Directory (Azure
AD).
Solution: You configure the Identity settings for each virtual machine.
Does this meet the goal?

A. Yes
B. No

Answer: B

Page | 187
 Thank You for Purchasing AZ-303 PDF

Test Your Preparation with

Practice Exam Software
Use Coupon “20OFF” for extra 20% discount on purchase of
Practice Test Software. Practice Exam Software helps you validate
your preparation in simulated exam environment.

Download Free Practice Test Demo from Here:

https://www.braindumpsschool.com/Microsoft/AZ-303-dumps.html

Page | 188