Exam4Training

Microsoft AZ-301 Microsoft Azure Architect Design Online Training

Question #1

Testlet 1

Case study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirement, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment

Payment Processing System

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET. The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

– Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

– Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

– Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

– Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

– Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

– Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office. The data in the table storage is 50 GB and is not expected to increase.

Current Issues

The Contoso IT team discovers poor performance of the historical transaction query system, at the queries frequently cause table scans.

Requirements

Planned Changes

Contoso plans to implement the following changes:

– Migrate the payment processing system to Azure.

– Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements

Contoso identifies the following general migration requirements:

– Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

– Whenever possible, Azure managed services must be used to minimize management overhead.

– Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

– If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

– Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

– Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

– Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

– Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

– Ensure that the payment processing system preserves its current compliance status.

– Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

– Minimize the use of on-premises infrastructure services.

– Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

– Minimize the frequency of table scans.

– If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. legitimate users must be able to authenticate successfully by using multi-factor authentication.

You need to recommend a solution for the collection of security logs for the middle tier of the payment processing system.

What should you include in the recommendation?

  • A . Azure Event Hubs
  • B . Azure Notification Hubs
  • C . the Azure Diagnostics agent
  • D . the Microsoft Monitoring agent

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Scenario: Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

The Azure Diagnostics agent should be used when you want to archive logs and metrics to Azure storage.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

Question #2

Question Set 2

HOTSPOT

You deploy several Azure SQL Database instances.

You plan to configure the Diagnostics settings on the databases as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

In the exhibit, the SQL Insights data is configured to be stored in Azure Log Analytics for 90 days.

However, the question is asking for the “maximum” amount of time that the data can be stored which is 730 days.


Question #3

Your company uses Microsoft System Center Service Manager on its on-premises network.

You plan to deploy several services to Azure.

You need to recommend a solution to push Azure service health alerts to Service Manager.

What should you include in the recommendation?

  • A . Azure Notification Hubs
  • B . Azure Event Hubs
  • C . IT Service Management Connector (ITSM)
  • D . Application Insights Connector

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview

Question #4

You have an on-premises Hyper-V cluster. The cluster contains Hyper-V hosts that run Windows Server 2016 Datacenter. The hosts are licensed under a Microsoft Enterprise Agreement that has Software Assurance.

The Hyper-V cluster hosts 30 virtual machines that run Windows Server 2012 R2. Each virtual machine runs a different workload. The workloads have predictable consumption patterns.

You plan to replace the virtual machines with Azure virtual machines that run Windows Server 2016. The virtual machines will be sized according to the consumption pattern of each workload.

You need to recommend a solution to minimize the compute costs of the Azure virtual machines.

Which two recommendations should you include in the solution? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . Purchase Azure Reserved Virtual Machine Instances for the Azure virtual machines
  • B . Create a virtual machine scale set that uses autoscaling
  • C . Configure a spending limit in the Azure account center
  • D . Create a lab in Azure DevTest Labs and place the Azure virtual machines in the lab
  • E . Activate Azure Hybrid Benefit for the Azure virtual machines

Reveal Solution Hide Solution

Correct Answer: AE
AE

Explanation:

A: With Azure Reserved VM Instances (RIs) you reserve virtual machines in advance and save up to 80 percent.

E: For customers with Software Assurance, Azure Hybrid Benefit for Windows Server allows you to use your on-premises Windows Server licenses and run Windows virtual machines on Azure at a reduced cost. You can use Azure Hybrid Benefit for Windows Server to deploy new virtual machines with Windows OS.

Reference:

https://azure.microsoft.com/en-us/pricing/reserved-vm-instances/ https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing

Question #5

You have an on-premises Active Directory forest and an Azure Active Directory (Azure AD) tenant. All Azure AD users are assigned a Premium P1 license.

You deploy Azure AD Connect.

Which two features are available in this environment that can reduce operational overhead for your company’s help desk? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . Azure AD Privileged Identity Management policies
  • B . access reviews
  • C . self-service password reset
  • D . Microsoft Cloud App Security Conditional Access App Control
  • E . password writeback

Reveal Solution Hide Solution

Correct Answer: CE
Question #6

You are planning the implementation of an order processing web service that will contain microservices hosted in an Azure Service Fabric cluster.

You need to recommend a solution to provide developers with the ability to proactively identify and fix performance issues. The developers must be able to simulate user connections to the order processing web service from the Internet, as well as simulate user transactions. The developers must be notified if the goals for the transaction response times are not met.

What should you include in the recommendation?

  • A . container health
  • B . Azure Network Watcher
  • C . Application Insights
  • D . Service Fabric Analytics

Reveal Solution Hide Solution

Correct Answer: C
Question #7

You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager resource deployments in your subscription.

What should you include in the recommendation?

  • A . Azure Analysis Services
  • B . Azure Activity Log
  • C . Azure Monitor action groups
  • D . Azure Advisor
  • E . Azure Monitor metrics
  • F . Azure Log Analytics
  • G . Application Insights

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Through activity logs, you can determine:

– what operations were taken on the resources in your subscription

– who started the operation

– when the operation occurred

– the status of the operation

– the values of other properties that might help you research the operation

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit

Question #8

HOTSPOT

You have an Azure App Service Web App that includes Azure Blob storage and an Azure SQL Database instance. The application is instrumented by using the Application Insights SDK.

You need to design a monitoring solution for the web app.

Which Azure monitoring services should you use? To answer, select the appropriate Azure monitoring services in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Note: You can select Logs from either the Azure Monitor menu or the Log Analytics workspaces menu.

Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview


Question #9

DRAG DROP

You have an Azure Active Directory (Azure AD) tenant. All user accounts are synchronized from an on-premises Active Directory domain and are configured for federated authentication. Active Directory Federation Services (AD FS) servers are published for external connections by using a farm of Web Application Proxy servers.

You need to recommend a solution to monitor the servers that integrate with Azure AD.

The solution must meet the following requirements:

– Identify any AD FS issues and their potential resolutions.

– Identify any directory synchronization configuration issues and their potential resolutions

– Notify administrators when there are any issues affecting directory synchronization or AD FS operations.

Which monitoring solution should you recommend for each server type? To answer, drag the appropriate monitoring solutions to the correct server types. Each monitoring solution may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:


Question #10

You plan to deploy 200 Microsoft SQL Server databases to Azure by using Azure SQL Database and Azure SQL Database Managed Instance.

You need to recommend a monitoring solution that provides a consistent monitoring approach for all deployments.

The solution must meet the following requirements:

– Support current-state analysis based on metrics collected near real-time, multiple times per minute, and maintained for up to one hour

– Support longer term analysis based on metrics collected multiple times per hour and maintained for up to two weeks.

– Support monitoring of the number of concurrent logins and concurrent sessions.

What should you include in the recommendation?

  • A . dynamic management views
  • B . trace flags
  • C . Azure Monitor
  • D . SQL Server Profiler

Reveal Solution Hide Solution

Correct Answer: C

Question #11

DRAG DROP

You plan to move several apps that handle critical line-of-business (LOB) services to Azure. Appropriate personnel must be notified if any critical resources become degraded or unavailable. You need to design a monitoring and notification strategy that can handle up to 100 notifications per hour.

Which three actions should you recommend be performed in sequence? To answer, move the appropriate

actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Step 1: Create a resource group containing the critical resources.

In step 2 the action group should be created within this Resource Group.

Step 2: Create an action group for alerts to email addresses.

You configure an action to notify a person by email or SMS, they receive a confirmation indicating they have been added to the action group.

The rate limit thresholds are:

SMS: No more than 1 SMS every 5 minutes.

Voice: No more than 1 Voice call every 5 minutes.

Email: No more than 100 emails in an hour.

Step 3: Monitor service health for incidents and action required notifications

An action group is a collection of notification preferences defined by the owner of an Azure subscription. Azure Monitor and Service Health alerts use action groups to notify users that an alert has been triggered.

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting


Question #12

DRAG DROP

You manage a solution in Azure.

The solution is performing poorly.

You need to recommend tools to determine causes for the performance issues.

What should you recommend? To answer, drag the appropriate monitoring solutions to the correct scenarios. Each monitoring solution may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Azure Monitor

Metrics in Azure Monitor are stored in a time-series database which is optimized for analyzing time-stamped data. This makes metrics particularly suited for alerting and fast detection of issues.

Box 2: Azure Log Analytics

Log data collected by Azure Monitor is stored in a Log Analytics workspace, which is based on Azure Data Explorer. Logs in Azure Monitor are especially useful for performing complex analysis across data from a variety of sources.

Box 3: Azure Log Analytics

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform-logs


Question #13

DRAG DROP

You have standard Load balancer configured to support three virtual machines on the same subnet. You need to recommend a solution to notify administrators when the load balancer fails.

Which metrics should you recommend using to test the load balancer? To answer, drag the appropriate metrics to the correct conditions. Each metric may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Backend instance health: Health Probe Status

Health Probe Status (DIP Availability): Standard Load Balancer uses a distributed health-probing service that monitors your application endpoint’s health according to your configuration settings. This metric provides an aggregate or per-endpoint filtered view of each instance endpoint in the load balancer pool. You can see how Load Balancer views the health of your application, as indicated by your health probe configuration.

Outbound port exhaustion: SNAT connection Count

SNAT connections: Standard Load Balancer reports the number of outbound flows that are masqueraded to the Public IP address front end. Source network address translation (SNAT) ports are an exhaustible resource. This metric can give an indication of how heavily your application is relying on SNAT for outbound originated flows. Counters for successful and failed outbound SNAT flows are reported and can be used to troubleshoot and understand the health of your outbound flows.

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics


Question #14

Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.

When the Next button is available, click it to access the lad section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

You may now click next to proceed to the lab.

WebDev01 is used only for testing purposes.

You need to reduce the costs to host WebDev01.

What should you modify? NOTE: To answer this question, sign in to the Azure portal and explore the Azure resource groups.

  • A . the disk type of WebDev01
  • B . the networking properties of WebDev01
  • C . the storage type of the storage account
  • D . the properties of the storage account

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The storage type can be changed to Block blobs to save money.

References: https://azure.microsoft.com/en-us/pricing/details/storage/

Question #15

Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.

When the Next button is available, click it to access the lad section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

You may now click next to proceed to the lab.

A user named Steve-11234827@ExamUsers.com cannot modify the properties of the web app.

You need to ensure that Steve-11234827@ExamUsers.com can modify the web app properties.

What should you do?

NOTE: To answer this question, sign in to the Azure portal and explore the Azure resource groups.

  • A . Remove the resource lock from the resource group
  • B . Remove the resource lock from the web app
  • C . Modify the permissions on the web app
  • D . Modify the permissions on the resource group

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.

Note: resource – A manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual networks are examples of resources.

References:

https://docs.microsoft.com/sv-se/azure/azure-resource-manager/management/lock-resources

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview

Question #16

You are designing an Azure web app.

You need to ensure that users who have impaired vision can use the app.

Which reference material should you use when designing the app?

  • A . Accessibility in Windows Dev Center
  • B . Azure Application Architecture Guide
  • C . Web Content Accessibility Guidelines
  • D . Cloud Application Architecture Guide

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

How Microsoft integrates accessibility Microsoft’s obligation to accessibility is guided by three main principles: transparency, inclusivity and accountability. In developing our products and services, we take into account leading global accessibility standards, including:

EN 301 549

U.S. Section 508 Web Content Accessibility Guidelines (WCAG)

References:

https://www.microsoft.com/en-us/trust-center/compliance/accessibility

Question #17

HOTSPOT

You have an Azure subscription that contains the Microsoft SQL servers shown in the following table.

The subscription contains the storage accounts shown in the following table.

You create the Azure SQL databases shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Yes

Be sure that the destination is in the same region as your database and server.

Box 2: No

Box 3: No

References: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing


Question #18

HOTSPOT

You have an Azure subscription that contains the resources shown in the following table.

You create an Azure SQL database named DB1 that is hosted in the East US region.

To DB1, you add a diagnostic setting named Settings1. Settings1 archives SQLInsights to storage1 and sends SQLInsights to Workspace1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selections is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: No

You archive logs only to Azure Storage accounts.

Box 2: Yes

Box 3: Yes

Sending logs to Event Hubs allows you to stream data to external systems such as third-party SIEMs and other log analytics solutions.

Note: A single diagnostic setting can define no more than one of each of the destinations. If you want to send data to more than one of a particular destination type (for example, two different Log Analytics workspaces), then create multiple settings. Each resource can have up to 5 diagnostic settings.

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings


Question #19

Testlet 1

Case study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirement, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment

Payment Processing System

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET. The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

– Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

– Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

– Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

– Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

– Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

– Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office. The data in the table storage is 50 GB and is not expected to increase.

Current Issues

The Contoso IT team discovers poor performance of the historical transaction query system, at the queries frequently cause table scans.

Requirements

Planned Changes

Contoso plans to implement the following changes:

– Migrate the payment processing system to Azure.

– Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements

Contoso identifies the following general migration requirements:

– Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

– Whenever possible, Azure managed services must be used to minimize management overhead.

– Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

– If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

– Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

– Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

– Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

– Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

– Ensure that the payment processing system preserves its current compliance status.

– Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

– Minimize the use of on-premises infrastructure services.

– Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

– Minimize the frequency of table scans.

– If a region fails, ensure that the historical transaction query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. legitimate users must be able to authenticate successfully by using multi-factor authentication.

HOTSPOT

You need to recommend a solution for configuring the Azure Multi-Factor Authentication (MFA) settings.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Premium 1

Azure AD Premium P1 – is an enterprise level edition which provides identity management for on-premise users, remote users and hybrid users accessing applications both locally and over the cloud.

Incorrect:

Not Premium 2: PIM not required. Azure AD Premium P2 – is an edition includes all of the features of Azure AD Premium P1 with the addition of Identity Protection and Privileged Identity Management (PIM).

Box 2: Allow access and require multi-factor authentication

Azure Multi-Factor Authentication provides a means to verify who you are using more than just a username and password. It provides a second layer of security to user sign-ins.

Box 3: Allow access and require authentication registration

In order for users to be able to respond to MFA prompts, they must first register for Azure Multi-Factor Authentication.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-mfa-policy


Question #20

HOTSPOT

You need to design a solution for securing access to the historical transaction data.

What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:


Question #21

HOTSPOT

You need to recommend a solution for the users at Contoso to authenticate to the cloud-based services and the Azure AD-integrated applications.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:


Question #22

Testlet 2

Case study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirement, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

Fabrikam, Inc. is an engineering company that has offices throughout Europe. The company has a main office in London and three branch offices in Amsterdam, Berlin, and Rome.

Existing Environment

Active Directory Environment

The network contains two Active Directory forests named corp.fabrikam.com and rd.fabrikam.com. There are no trust relationships between the forests.

Corp.fabrikam.com is a production forest that contains identities used for internal user and computer authentication.

Rd.fabrikam.com is used by the research and development (R&D) department only.

Network Infrastructure

Each office contains at least one domain controller from the corp.fabrikam.com domain. The main office contains all the domain controllers for the rd.fabrikam.com forest.

All the offices have a high-speed connection to the Internet.

An existing application named WebApp1 is hosted in the data center of the London office. WebApp1 is used by customers to place and track orders.

WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS) and a database tier that runs Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual machines that run on Hyper-V.

The IT department currently uses a separate Hyper-V environment to test updates to WebApp1.

Fabrikam purchases all Microsoft licenses through a Microsoft Enterprise Agreement that includes Software Assurance.

Problem Statements

The use of Web App1 is unpredictable. At peak times, users often report delays. At other times, many resources for WebApp1 are underutilized.

Requirements

Planned Changes

Fabrikam plans to move most of its production workloads to Azure during the next few years.

As one of its first projects, the company plans to establish a hybrid identity model, facilitating an upcoming Microsoft Office 365 deployment.

All R&D operations will remain on-premises.

Fabrikam plans to migrate the production and test instances of WebApp1 to Azure.

Technical Requirements

Fabrikam identifies the following technical requirements:

– Web site content must be easily updated from a single point.

– User input must be minimized when provisioning new app instances.

– Whenever possible, existing on-premises licenses must be used to reduce cost.

– Users must always authenticate by using their corp.fabrikam.com UPN identity.

– Any new deployments to Azure must be redundant in case an Azure region fails.

– Whenever possible, solutions must be deployed to Azure by using platform as a service (PaaS).

– An email distribution group named IT Support must be notified of any issues relating to the directory synchronization services.

– Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected by a link failure between Azure and the on-premises network.

Database Requirements

Fabrikam identifies the following database requirements:

– Database metrics for the production instance of WebApp1 must be available for analysis so that database administrators can optimize the performance settings.

– To avoid disrupting customer access, database downtime must be minimized when databases are migrated.

– Database backups must be retained for a minimum of seven years to meet compliance requirements.

Security Requirements

Fabrikam identifies the following security requirements:

– Company information including policies, templates, and data must be inaccessible to anyone outside the company.

– Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails.

– Administrators must be able authenticate to the Azure portal by using their corp.fabrikam.com credentials.

– All administrative access to the Azure portal must be secured by using multi-factor authentication.

– The testing of WebApp1 updates must not be visible to anyone outside the company.

What should you include in the identity management strategy to support the planned changes?

  • A . Move all the domain controllers from corp.fabrikam.com to virtual networks in Azure.
  • B . Deploy domain controllers for corp.fabrikam.com to virtual networks in Azure.
  • C . Deploy a new Azure AD tenant for the authentication of new R&D projects.
  • D . Deploy domain controllers for the rd.fabrikam.com forest to virtual networks in Azure.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected by a link failure between Azure and the on-premises network. (This requires domain controllers in Azure)

Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails. (This requires domain controllers on-premises)

Question #23

HOTSPOT

To meet the authentication requirements of Fabrikam, what should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:


Question #24

Question Set 3

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains a resource group named RG1. You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.

You need to recommend a solution that meets the following requirements:

– The researchers must be allowed to create Azure virtual machines.

– The researchers must only be able to create Azure virtual machines by using specific Azure Resource

Manager templates.

Solution: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.

Does this meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: A
Question #25

A company named Contoso Ltd., has a single-domain Active Directory forest named contoso.com.

Contoso is preparing to migrate all workloads to Azure. Contoso wants users to use single sign-on (SSO) when they access cloud-based services that integrate with Azure Active Directory (Azure AD). You need to identify any objects in Active Directory that will fail to synchronize to Azure AD due to

formatting issues. The solution must minimize costs.

What should you include in the solution?

  • A . Azure Advisor
  • B . Microsoft Office 365 IdFix
  • C . Azure AD Connect Health
  • D . Password Export Server version 3.1 (PES v3.1) in Active Directory Migration Tool (ADMT)

Reveal Solution Hide Solution

Correct Answer: B
Question #26

HOTSPOT

Your company has an API that returns XML data to internal applications. You plan to migrate the applications to Azure. You also plan to allow the company’s partners to access the API.

You need to recommend an API management solution that meets the following requirements:

– Internal applications must receive data in the JSON format once the applications migrate to Azure.

– Partner applications must have their header information stripped before the applications receive the data.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-add-products

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-policies

https://docs.microsoft.com/en-us/azure/api-management/transform-api


Question #27

You have an Azure subscription. You need to recommend a solution to provide developers with the ability to provision Azure virtual machines.

The solution must meet the following requirements:

– Only allow the creation of the virtual machines in specific regions.

– Only allow the creation of specific sizes of virtual machines.

What should include in the recommendation?

  • A . conditional access policies
  • B . Azure Policy
  • C . Azure Resource Manager templates
  • D . role-based access control (RBAC)

Reveal Solution Hide Solution

Correct Answer: B
Question #28

HOTSPOT

Your company has 20 web APIs that were developed in-house.

The company is developing 10 web apps that will use the web APIs. The web apps and the APIs are registered in the company’s Azure Active Directory (Azure AD) tenant. The web APIs are published by using Azure API Management.

You need to recommend a solution to block unauthorized requests originating from the web apps from reaching the web APIs.

The solution must meet the following requirements:

– Use Azure AD-generated claims.

– Minimize configuration and management effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:


Question #29

HOTSPOT

You are designing an access policy for the sales department at your company. Occasionally, the developers at the company must stop, start, and restart Azure virtual machines. The development team changes often. You need to recommend a solution to provide the developers with the required access to the virtual machines.

The solution must meet the following requirements:

– Provide permissions only when needed.

– Use the principle of least privilege.

– Minimize costs.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:


Question #30

Your network contains an on-premises Active Directory forest.

You discover that when users change jobs within your company, the membership of the user groups are not being updated. As a result, the users can access resources that are no longer relevant to their job.

You plan to integrate Active Directory and Azure Active Directory (Azure AD) by using Azure AD Connect.

You need to recommend a solution to ensure that group owners are emailed monthly about the group memberships they manage.

What should you include in the recommendation?

  • A . Azure AD access reviews
  • B . Tenant Restrictions
  • C . Azure AD Identity Protection
  • D . conditional access policies

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Question #31

HOTSPOT

You are designing a software as a service (SaaS) application that will enable Azure Active Directory (Azure AD) users to create and publish surveys. The SaaS application will have a front-end web app and a back-end web API. The web app will rely on the web API to handle updates to customer surveys.

You need to design an authorization flow for the SaaS application.

The solution must meet the following requirements:

– To access the back-end web API, the web app must authenticate by using OAuth 2 bearer tokens.

– The web app must authenticate by using the identities of individual users.

What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Reference:

https://docs.microsoft.com/lb-lu/azure/architecture/multitenant-identity/web-api https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-dotnet-webapi


Question #32

HOTSPOT

You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity.

The solution must meet the following requirements:

– Ensure that the applications can authenticate only when running on the 10 virtual machines.

– Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Create a system-assigned Managed Identities for Azure resource

The managed identities for Azure resources feature in Azure Active Directory (Azure AD) feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance.

Box 2: An Azure Instance Metadata Service Identity

See step 3 and 5 below.

How a system-assigned managed identity works with an Azure VM


Question #32

HOTSPOT

You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity.

The solution must meet the following requirements:

– Ensure that the applications can authenticate only when running on the 10 virtual machines.

– Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Create a system-assigned Managed Identities for Azure resource

The managed identities for Azure resources feature in Azure Active Directory (Azure AD) feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance.

Box 2: An Azure Instance Metadata Service Identity

See step 3 and 5 below.

How a system-assigned managed identity works with an Azure VM


Question #32

HOTSPOT

You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity.

The solution must meet the following requirements:

– Ensure that the applications can authenticate only when running on the 10 virtual machines.

– Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Create a system-assigned Managed Identities for Azure resource

The managed identities for Azure resources feature in Azure Active Directory (Azure AD) feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance.

Box 2: An Azure Instance Metadata Service Identity

See step 3 and 5 below.

How a system-assigned managed identity works with an Azure VM


Question #32

HOTSPOT

You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity.

The solution must meet the following requirements:

– Ensure that the applications can authenticate only when running on the 10 virtual machines.

– Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Create a system-assigned Managed Identities for Azure resource

The managed identities for Azure resources feature in Azure Active Directory (Azure AD) feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance.

Box 2: An Azure Instance Metadata Service Identity

See step 3 and 5 below.

How a system-assigned managed identity works with an Azure VM


Question #32

HOTSPOT

You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity.

The solution must meet the following requirements:

– Ensure that the applications can authenticate only when running on the 10 virtual machines.

– Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Create a system-assigned Managed Identities for Azure resource

The managed identities for Azure resources feature in Azure Active Directory (Azure AD) feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance.

Box 2: An Azure Instance Metadata Service Identity

See step 3 and 5 below.

How a system-assigned managed identity works with an Azure VM


Question #32

HOTSPOT

You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity.

The solution must meet the following requirements:

– Ensure that the applications can authenticate only when running on the 10 virtual machines.

– Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Create a system-assigned Managed Identities for Azure resource

The managed identities for Azure resources feature in Azure Active Directory (Azure AD) feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance.

Box 2: An Azure Instance Metadata Service Identity

See step 3 and 5 below.

How a system-assigned managed identity works with an Azure VM


Question #38

A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft Office 365 and an Azure subscription.

Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), Azure AD Connect, and Microsoft Identity Manager (MIM).

Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.

A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.

You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.

What should you recommend?

  • A . Configure an AD FS claims provider trust between the AD FS infrastructures of Fabrikam and Contoso.
  • B . In the Azure AD tenant of Contoso, enable Azure Active Directory Domain Services (Azure AD DS). Create a one-way forest trust that uses selective authentication between the Active Directory forests of Contoso and Fabrikam.
  • C . In the Azure AD tenant of Contoso, create guest accounts for the Fabrikam developers.
  • D . In the Azure AD tenant of Contoso, create cloud-only user accounts for the Fabrikam developers.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Trust configurations – Configure trust from managed forests(s) or domain(s) to the administrative forest

* A one-way trust is required from production environment to the admin forest.

* Selective authentication should be used to restrict accounts in the admin forest to only logging on to the appropriate production hosts.

Reference: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing­privileged-access-reference-material

Question #39

You have a hybrid deployment of Azure Active Directory (Azure AD).

You need to recommend a solution to ensure that the Azure AD tenant can be managed only from the computers on your on-premises network.

What should you include in the recommendation?

  • A . Azure AD roles and administrators
  • B . a conditional access policy
  • C . Azure AD Application Proxy
  • D . Azure AD Privileged Identity Management

Reveal Solution Hide Solution

Correct Answer: B
Question #40

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains two administrative user accounts named Admin1 and Admin2.

You create two Azure virtual machines named VM1 and VM2.

You need to ensure that Admin1 and Admin2 are notified when more than five events are added to the security log of VM1 or VM2 during a period of 120 seconds. The solution must minimize administrative tasks.

What should you create?

  • A . two action groups and one alert rule
  • B . one action group and one alert rule
  • C . five action groups and one alert rule
  • D . two action groups and two alert rules

Reveal Solution Hide Solution

Correct Answer: B

Question #41

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains several administrative user accounts.

You need to recommend a solution to identify which administrative user accounts have NOT signed in during the previous 30 days.

Which service should you include in the recommendation?

  • A . Azure AD Identity Protection
  • B . Azure Activity Log
  • C . Azure Advisor
  • D . Azure AD Privileged Identity Management (PIM)

Reveal Solution Hide Solution

Correct Answer: D
Question #42

HOTSPOT

Your organization has developed and deployed several Azure App Service Web and API applications. The applications use Azure Key Vault to store several authentication, storage account, and data encryption keys.

Several departments have the following requests to support the applications:

You need to recommend the appropriate Azure service for each department request.

What should you recommend? To answer, configure the appropriate options in the dialog box in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:


Question #43

You manage a single-domain, on-premises Active Directory forest named contoso.com. The forest functional level is Windows Server 2016. You have several on-premises applications that depend on Active Directory. You plan to migrate the applications to Azure. You need to recommend an identity solution for the applications.

The solution must meet the following requirements:

– Eliminate the need for hybrid network connectivity.

– Minimize management overhead for Active Directory.

What should you recommend?

  • A . In Azure, deploy an additional child domain to the contoso.com forest.
  • B . In Azure, deploy additional domain controllers for the contoso.com domain.
  • C . Implement a new Active Directory forest in Azure.
  • D . Implement Azure Active Directory Domain Services (Azure AD DS).

Reveal Solution Hide Solution

Correct Answer: B
Question #44

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

– The members of App2Dev must be prevented from changing the role assignments in Azure.

– The members of App2Dev must be able to create new Azure resources required by Application2.

– All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: In Project1, create a network security group (NSG) named NSG1. Assign Project1admins the Owner role for NSG1. Assign the App2Dev the Contributor role for NSG1.

Does this meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

You should use a separate subscription for Project2.

Question #45

HOTSPOT

You manage a network that includes an on-premises Active Directory Domain Services domain and an Azure Active Directory (Azure AD).

Employees are required to use different accounts when using on-premises or cloud resources. You must recommend a solution that lets employees sign in to all company resources by using a single account. The solution must implement an identity provider.

You need provide guidance on the different identity providers.

How should you describe each identity provider? To answer, select the appropriate description from each list in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box1: User management occurs on-premises. Azure AD authenticates employees by using on-premises passwords.

Azure AD Domain Services for hybrid organizations

Organizations with a hybrid IT infrastructure consume a mix of cloud resources and on-premises resources. Such organizations synchronize identity information from their on-premises directory to their Azure AD tenant. As hybrid organizations look to migrate more of their on-premises applications to the cloud, especially legacy directory-aware applications, Azure AD Domain Services can be useful to them.

Example: Litware Corporation has deployed Azure AD Connect, to synchronize identity information from their on-premises directory to their Azure AD tenant. The identity information that is synchronized includes user accounts, their credential hashes for authentication (password hash sync) and group memberships.

User accounts, group memberships, and credentials from Litware’s on-premises directory are synchronized to Azure AD via Azure AD Connect. These user accounts, group memberships, and credentials are automatically available within the managed domain.

Box 2: User management occurs on-premises. The on-promises domain controller authenticates employee credentials.

You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-overview

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed


Question #46

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains a resource group named RG1.

You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.

You need to recommend a solution that meets the following requirements:

– The researchers must be allowed to create Azure virtual machines.

– The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.

Solution: On RG1, assign a custom role-based access control (RBAC) role to the ResearchUsers group.

Does this meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Instead: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.

Question #47

A company deploys Azure Active Directory (Azure AD) Connect to synchronize identity information from their on-premises Active Directory Domain Services (AD DS) directory to their Azure AD tenant. The identity information that is synchronized includes user accounts, credential hashes for authentication (password sync), and group memberships. The company plans to deploy several Windows and Linux virtual machines (VMs) to support their applications.

The VMs have the following requirements:

– Support domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

– Allow users to sign in to the domain using their corporate credentials and connect remotely to the VM by using Remote Desktop.

You need to support the VM deployment.

Which service should you use?

  • A . Azure AD Domain Services
  • B . Azure AD Privileged Identity Management
  • C . Azure AD Managed Service Identity
  • D . Active Directory Federation Services (AD FS)

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Azure AD Domain Services provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-overview

Question #48

DRAG DROP

A company has an existing web application that runs on virtual machines (VMs) in Azure.

You need to ensure that the application is protected from SQL injection attempts and uses a layer-7 load balancer. The solution must minimize disruption to the code for the existing web application.

What should you recommend? To answer, drag the appropriate values to the correct items. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Azure Application Gateway

Azure Application Gateway provides an application delivery controller (ADC) as a service. It offers various layer 7 load-balancing capabilities for your applications.

Box 2: Web Application Firwewall (WAF)

Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits.

This is done through rules that are defined based on the OWASP core rule sets 3.0 or 2.2.9.

There are rules that detects SQL injection attacks.

References:

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq

https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview


Question #49

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Use the Azure traffic analytics solution in Azure Log Analytics to analyze the network traffic.

Does the solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Question #50

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic.

Does the solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The Network Watcher Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.

Note:

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.

References:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Question #51

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Install and configure the Log Analytics and Dependency Agents on all VMs. Use the Wire Data solution in Azure Log Analytics to analyze the network traffic.

Does the solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Question #52

HOTSPOT

A company plans to implement an HTTP-based API to support a web app. The web app allows customers to check the status of their orders.

The API must meet the following requirements:

– Implement Azure Functions

– Provide public read-only operations

– Do not allow write operations

You need to recommend configuration options.

What should you recommend? To answer, configure the appropriate options in the dialog box in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Allowed authentication methods: GET only Authorization level: Anonymous

The option is Allow Anonymous requests. This option turns on authentication and authorization in App Service, but defers authorization decisions to your application code. For authenticated requests, App Service also passes along authentication information in the HTTP headers.

This option provides more flexibility in handling anonymous requests. References:

https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization


Question #53

Your network contains an on-premises Active Directory forest named contoso.com. The forest is synced to an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure AD Domain Services (Azure AD DS) domain named contoso-aad.com.

You have an Azure Storage account named Storage1 that contains a file share named Share1.

You configure NTFS permissions on Share1. You plan to deploy a virtual machine that will be used by several users to access Share1.

You need to ensure that the users can access Share1.

Which type virtual machine should you deploy?

  • A . a virtual machine that runs Windows Server 2016 and is joined to the contoso.com domain
  • B . a virtual machine that runs Windows 10 and is joined to the contoso-add.com domain
  • C . a virtual machine that runs Windows 10 and is hybrid Azure AD joined to the contoso.com domain
  • D . an Azure virtual machine that runs Windows Server 2016 and is joined to the contoso-add.com domain

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

You join the Windows Server virtual machine to the Azure AD DS-managed domain, here named contoso­aad.com.

Note: Azure Files supports identity-based authentication over SMB (Server Message Block) (preview) through Azure Active Directory (Azure AD) Domain Services. Your domain-joined Windows virtual machines (VMs) can access Azure file shares using Azure AD credentials.

Incorrect Answers:

B, C: Azure AD authentication over SMB is not supported for Linux VMs for the preview release. Only Windows Server VMs are supported.

References:

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-enable#mount-a-file­share-from-a-domain-joined-vm

Question #54

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM).

Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant.

The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016. Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks.

You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).

Solution: Deploy one Azure Key Vault to each region. Create two Azure AD service principals. Configure the virtual machines to use Azure Disk Encryption and specify a different service principal for the virtual machines in each region.

Does this meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

You would also have to import Import the security keys from the HSM into each Azure key vault.

Reference:

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites-aad

Question #55

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM).

Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant.

The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016. Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks.

You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).

Solution: Export a security key from the on-premises HSM. Create one Azure AD service principal. Configure the virtual machines to use Azure Storage Service Encryption.

Does this meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

We use the Azure Premium Key Vault with Hardware Security Modules (HSM) backed keys. The Key Vault has to be in the same region as the VM that will be encrypted.

Reference: https://www.ciraltos.com/azure-disk-encryption-v2/

Question #56

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM).

Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant.

The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016. Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks.

You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).

Solution:

– Deploy one Azure key vault to each region

– Export two security keys from the on-premises HSM

– Import the security keys from the HSM into each Azure key vault

– Create two Azure AD service principals

– Configure the virtual machines to use Azure Disk Encryption

– Specify a different service principal for the virtual machines in each region

Does this meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

We use the Azure Premium Key Vault with Hardware Security Modules (HSM) backed keys. The Key Vault has to be in the same region as the VM that will be encrypted.

Note: If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. Use the Add-AzKeyVaultKey cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises key management HSM.

References:

https://www.ciraltos.com/azure-disk-encryption-v2/

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites-aad

Question #57

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Use Azure Advisor to analyze the network traffic.

Does the solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.

Note: Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources.

With Advisor, you can:

Get proactive, actionable, and personalized best practices recommendations. Improve the performance, security, and high availability of your resources, as you identify opportunities to reduce your overall Azure spend. Get recommendations with proposed actions inline.

References:

https://docs.microsoft.com/en-us/azure/advisor/advisor-overview

Question #58

Your network contains an Active Directory domain named contoso.com that is federated to an Azure Active Directory (Azure AD) tenant. The on-premises domain contains a VPN server named Server1 that runs Windows Server 2016.

You have a single on-premises location that uses an address space of 172.16.0.0/16.

You need to implement two-factor authentication for users who establish VPN connections to Server1.

What should you include in the implementation?

  • A . In Azure AD, create a conditional access policy and a trusted named location
  • B . Install and configure Azure MFA Server on-premises
  • C . Configure an Active Directory Federation Services (AD FS) server on-premises
  • D . In Azure AD, configure the authentication methods. From the multi-factor authentication (MFA) service settings, create a trusted IP range

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

You need to download, install and configure the MFA Server.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy

Question #59

HOTSPOT

You configure the Diagnostics settings for an Azure SQL database as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:


Question #60

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.

Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.

You need to enable single sign-on (SSO) for company users.

Solution: Install and configure an Azure AD Connect server to use password hash synchronization and

select the Enable single sign-on option.

Does the solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: A

Question #61

You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam, Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to the Application1 components. All users are licensed for the Microsoft 365 E5 plan.

You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1.

The solution must meet the following requirements:

– To the manager of the developers, send a monthly email message that lists the access permissions to Application1.

– If the manager does not verify an access permission, automatically revoke that permission.

– Minimize development effort.

What should you recommend?

  • A . In Azure Active Directory (AD) Privileged Identity Management, create a custom role assignment for the Application1 resources
  • B . Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet
  • C . Create an Azure Automation runbook that runs the Get-AzureRmRoleAssignment cmdlet
  • D . In Azure Active Directory (Azure AD), create an access review of Application1

Reveal Solution Hide Solution

Correct Answer: D
Question #62

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.

Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.

You need to enable single sign-on (SSO) for company users.

Solution: Install and configure an Azure AD Connect server to use pass-through authentication and select the Enable single sign-on option.

Does the solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: A
Question #63

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established

Azure Active Directory (Azure AD) environment. Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.

You need to enable single sign-on (SSO) for company users.

Solution: Configure an AD DS server in an Azure virtual machine (VM). Configure bidirectional replication.

Does the solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
Question #64

HOTSPOT

You are building an application that will run in a virtual machine (VM). The application will use Managed Service Identity (MSI). The application uses Azure Key Vault, Azure SQL Database, and Azure Cosmos DB. You need to ensure the application can use secure credentials to access these services.

Which authorization methods should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Note: Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).

Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/ overview


Question #65

You are designing a security solution for a company’s Azure Active Directory (Azure AD). The company currently uses Azure AD Premium for all employees. Contractors will periodically access the corporate network based on demand.

You must ensure that all employees and contractors are required to log on by using two-factor authentication. The solution must minimize costs.

You need to recommend a solution.

What should you recommend?

  • A . Purchase Azure Multi-Factor Authentication licenses for the employees and the contractors
  • B . Use the Multi-Factor Authentication provider in Azure and configure the usage model for each authentication type
  • C . Use the Multi-Factor Authentication provider in Azure and configure the usage model for each enabled user
  • D . Purchase Azure Multi-Factor Authentication licenses for the contractors only

Reveal Solution Hide Solution

Correct Answer: C
Question #66

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

Solution: Create an Access Review for Group1.

Does this solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
Question #67

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

You discover several login attempts to the Azure portal from countries where administrative users do NOT

work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

Solution: You implement an access package.

Does this solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
Question #68

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group

named Group1. Group1 contains all the administrative user accounts. You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

Solution: Implement Azure AD Privileged Identity Management.

Does this solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: A
Question #69

Your company has several Azure subscriptions that are part of a Microsoft Enterprise Agreement. The company’s compliance team creates automatic alerts by using Azure Monitor. You need to recommend a solution to apply the alerts automatically when new subscriptions are added to

the Enterprise Agreement.

What should you include in the recommendation?

  • A . Azure Automation runbooks
  • B . Azure Log Analytics alerts
  • C . Azure Monitor action groups
  • D . Azure Resource Manager templates
  • E . Azure Policy

Reveal Solution Hide Solution

Correct Answer: E
Question #70

You store web access logs data in Azure Blob storage. You plan to generate monthly reports from the access logs. You need to recommend an automated process to upload the data to Azure SQL Database every month.

What should you include in the recommendation?

  • A . Microsoft SQL Server Migration Assistant (SSMA)
  • B . Azure Data Factory
  • C . Data Migration Assistant
  • D . AzCopy

Reveal Solution Hide Solution

Correct Answer: B

Question #71

Your company has the offices shown in the following table.

The network contains an Active Directory domain named contoso.com that is synced to Azure Active Directory (Azure AD).

All users connect to an application hosted in Microsoft 365. You need to recommend a solution to ensure that all the users use Azure Multi-Factor Authentication (MFA) to connect to the application from one of the offices.

What should you include in the recommendation?

  • A . a named location and two Microsoft Cloud App Security policies
  • B . a conditional access policy and two virtual networks
  • C . a virtual network and two Microsoft Cloud App Security policies
  • D . a conditional access policy and two named locations

Reveal Solution Hide Solution

Correct Answer: D
Question #72

HOTSPOT

You have an Azure subscription that contains 300 Azure virtual machines that run Windows Server 2016. You need to centrally monitor all warning events in the System logs of the virtual machines.

What should you include in the solutions? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows


Question #73

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.

Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.

You need to enable single sign-on (SSO) for company users.

Solution: Install and configure an on-premises Active Directory Federation Services (AD FS) server with a trust established between the AD FS server and Azure AD.

Does the solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Seamless SSO is not applicable to Active Directory Federation Services (ADFS). Instead install and configure an Azure AD Connect server.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

Question #74

You have an Azure subscription that contains several resource groups, including a resource group named RG1. RG1 contains several business-critical resources.

A user named admin1 is assigned the Owner role to the subscription.

You need to prevent admin1 from modifying the resources in RG1. The solution must ensure that admin1 can manage the resources in the other resource groups.

What should you use?

  • A . a management group
  • B . an Azure policy
  • C . a custom role
  • D . an Azure blueprint

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Role-based access control (RBAC) focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to that resource group.

Incorrect Answers:

A: If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions.

B: There are a few key differences between Azure Policy and role-based access control (RBAC). Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.

D: Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements.

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Question #75

HOTSPOT

You deploy Azure service by using Azure Resources Manager templates. The template reference secrets are stored in Azure key Vault.

You need to recommend a solution for accessing the secrets during deployments.

The solution must prevent the users who are performing the deployments from accessing the secrets in the key vault directly.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: An advanced access policy for the key vaults

Enable template deployment


Question #75

HOTSPOT

You deploy Azure service by using Azure Resources Manager templates. The template reference secrets are stored in Azure key Vault.

You need to recommend a solution for accessing the secrets during deployments.

The solution must prevent the users who are performing the deployments from accessing the secrets in the key vault directly.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: An advanced access policy for the key vaults

Enable template deployment


Question #75

HOTSPOT

You deploy Azure service by using Azure Resources Manager templates. The template reference secrets are stored in Azure key Vault.

You need to recommend a solution for accessing the secrets during deployments.

The solution must prevent the users who are performing the deployments from accessing the secrets in the key vault directly.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: An advanced access policy for the key vaults

Enable template deployment


Question #75

HOTSPOT

You deploy Azure service by using Azure Resources Manager templates. The template reference secrets are stored in Azure key Vault.

You need to recommend a solution for accessing the secrets during deployments.

The solution must prevent the users who are performing the deployments from accessing the secrets in the key vault directly.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: An advanced access policy for the key vaults

Enable template deployment


Question #75

HOTSPOT

You deploy Azure service by using Azure Resources Manager templates. The template reference secrets are stored in Azure key Vault.

You need to recommend a solution for accessing the secrets during deployments.

The solution must prevent the users who are performing the deployments from accessing the secrets in the key vault directly.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: An advanced access policy for the key vaults

Enable template deployment


Question #75

HOTSPOT

You deploy Azure service by using Azure Resources Manager templates. The template reference secrets are stored in Azure key Vault.

You need to recommend a solution for accessing the secrets during deployments.

The solution must prevent the users who are performing the deployments from accessing the secrets in the key vault directly.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: An advanced access policy for the key vaults

Enable template deployment


Question #75

HOTSPOT

You deploy Azure service by using Azure Resources Manager templates. The template reference secrets are stored in Azure key Vault.

You need to recommend a solution for accessing the secrets during deployments.

The solution must prevent the users who are performing the deployments from accessing the secrets in the key vault directly.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: An advanced access policy for the key vaults

Enable template deployment


Question #82

DRAG DROP

A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that uses the Basic license. You plan to deploy two applications to Azure.

The applications have the requirements shown in the following table.

Which authentication strategy should you recommend for each application? To answer, drag the appropriate authentication strategies to the correct applications. Each authentication strategy may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Azure AD V2.0 endpoint

Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) developer platform. It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft APIs, such as Microsoft Graph, or APIs that developers have built. The Microsoft identity platform consists of:

OAuth 2.0 and OpenID Connect standard-compliant authentication service that enables developers to authenticate any Microsoft identity, including:

Work or school accounts (provisioned through Azure AD)

Personal Microsoft accounts (such as Skype, Xbox, and Outlook.com)

Social or local accounts (via Azure AD B2C)

Box 2: Azure AD B2C tenant

Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.

Azure Active Directory B2C (Azure AD B2C) integrates directly with Azure Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your applications.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-mfa

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview


Question #83

HOTSPOT

You configure OAuth2 authorization in API Management as shown in the exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: Web applications

The Authorization Code Grant Type is used by both web apps and native apps to get an access token after a user authorizes an app.

Note: The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token.

After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.

Answers:

Not Headless device authentication:

A headless system is a computer that operates without a monitor, graphical user interface (GUI) or peripheral devices, such as keyboard and mouse.

Headless computers are usually embedded systems in various devices or servers in multi-server data center environments. Industrial machines, automobiles, medical equipment, cameras, household appliances, airplanes, vending machines and toys are among the myriad possible hosts of embedded systems.

Box 2: Client Credentials

How to include additional client data

In case you need to store additional details about a client that don’t fit into the standard parameter set the custom data parameter comes to help:

POST /c2id/clients HTTP/1.1

Host: demo.c2id.com

Content-Type: application/json

Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{

"redirect_uris" : [ "https://myapp.example.com/callback" ],

"data"          : { "reg_type"  : "3rd-party",

"approved"  : true,

"author_id" : 792440 }

}

The data parameter permits arbitrary content packaged in a JSON object. To set it you will need the master registration token or a one-time access token with a client-reg:data scope.

Incorrect Answers:

Authorization protocols provide a state parameter that allows you to restore the previous state of your application. The state parameter preserves some state object set by the client in the Authorization request and makes it available to the client in the response.

Reference:

https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type

https://connect2id.com/products/server/docs/guides/client-registration


Question #84

A company has deployed several applications across Windows and Linux Virtual machines in Azure. Log Analytics are being used to send the required data for alerting purposes for the Virtual Machines.

You need to recommend which tables need to be queried for security related queries.

Which of the following would you query for events from Windows Event Logs?

  • A . Azure Activity
  • B . Azure Diagnostics
  • C . Event
  • D . Syslog

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

This is also given in the Microsoft documentation, wherein you would use the Event Table for the queries on events from Windows Virtual machines

Since this is clearly mentioned, all other options are incorrect

For more information on collecting event data from windows virtual machines, please go ahead and visit the below URL.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events


Question #85

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

Solution: Implement Azure AD Identity Protection for Group1.

Does this solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Instead implement Azure AD Privileged Identity Management.

Note: Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Question #86

You are designing a solution that will host 20 different web applications.

You need to recommend a solution to secure the web applications with a firewall that protects against common web-based attacks including SQL injection, cross-site scripting attacks, and session hijacks. The solution must minimize costs.

Which three Azure features should you recommend? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . VPN Gateway
  • B . URL-based content routing
  • C . Multi-site routing
  • D . Web Application Firewall (WAF)
  • E . Azure ExpressRoute
  • F . Azure Application Gateway

Reveal Solution Hide Solution

Correct Answer: DEF
DEF

Explanation:

The web application firewall (WAF) in Azure Application Gateway helps protect web applications from common web-based attacks like SQL injection, cross-site scripting attacks, and session hijacks. It comes preconfigured with protection from threats identified by the Open Web Application Security Project (OWASP) as the top 10 common vulnerabilities. ExpressRoute connections do not go over the public Internet and thus can be considered more secure than VPN-based solutions. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.

Reference: https://azure.microsoft.com/en-us/updates/application-gateway-web-application-firewall-in-public-preview/

https://docs.microsoft.com/en-us/azure/security/fundamentals/overview

Question #87

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Install and configure the Microsoft Monitoring Agent and the Dependency Agent on all VMs. Use the Wire Data solution in Azure Monitor to analyze the network traffic.

Does the solution meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.

Note: Wire Data looks at network data at the application level, not down at the TCP transport layer. The solution doesn’t look at individual ACKs and SYNs.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Question #88

A company has deployed several applications across Windows and Linux Virtual machines in Azure. Log Analytics are being used to send the required data for alerting purposes for the Virtual Machines.

You need to recommend which tables need to be queried for security related queries.

Which of the following would you query for events from Linux system logging?

  • A . Azure Activity
  • B . Azure Diagnostics
  • C . Event
  • D . Syslog

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

This is also given in the Microsoft documentation, wherein you would use the Syslog Table for the queries on events from Linux Virtual machines

Note: Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Log Analytics agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to Azure Monitor where a corresponding record is created.

Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-syslog

Question #89

A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft Office 365 and an Azure subscription.

Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), Azure AD Connect, and Microsoft Identity Manager (MIM).

Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.

A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource group in the Contoso subscription.

You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.

What should you recommend?

  • A . Configure an AD FS relying party trust between the Fabrikam and Contoso AD FS infrastructures.
  • B . Configure an organization relationship between the Office 365 tenants of Fabrikam and Contoso.
  • C . In the Azure AD tenant of Contoso, create guest accounts for the Fabrikam developers.
  • D . Configure a forest trust between the on-premises Active Directory forests of Contoso and Fabrikam.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Trust configurations – Configure trust from managed forests(s) or domain(s) to the administrative forest

– A one-way trust is required from production environment to the admin forest.

– Selective authentication should be used to restrict accounts in the admin forest to only logging on to the appropriate production hosts.

References:

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged­access-reference-material

Question #90

You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a security group named Group1. Group1 is configured for assigned membership. Group1 has 50 members, including 20 guest users.

You need to recommend a solution for evaluating the membership of Group1.

The solution must meet the following requirements:

– The evaluation must be repeated automatically every three months.

– Every member must be able to report whether they need to be in Group1.

– Users who report that they do not need to be in Group1 must be removed from Group1 automatically

– Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.

What should you include in the recommendation?

  • A . Implement Azure AD Identity Protection.
  • B . Change the Membership type of Group1 to Dynamic User.
  • C . Create an access review.
  • D . Implement Azure AD Privileged Identity Management.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group membership reduces the administrative overhead of adding and removing users.

When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed.

References:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

Question #91

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

– The members of App2Dev must be prevented from changing the role assignments in Azure.

– The members of App2Dev must be able to create new Azure resources required by Application2.

– All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: Create a new Azure subscription named Project2. Assign Project1admins the Owner role for the Project2 subscription. Assign App2Dev the Contributor role for the Project2 subscription.

Does this meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: A
Exit mobile version