Topic 1, Litware Office
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Existing Environment
Network Environment
The Litware offices and the Fabrikam office connect by using a private circuit. Each office connects directly to the Internet.
Identity Environment
The Litware network contains an Active Directory forest named litwareinc.com. The forest and an Azure Active Directory (Azure AD) tenant named litwareinc.com are integrated by using Active Directory Federation Services (AD FS). Litware has an enterprise certification authority (CA).
The Azure subscriptions of Litware are associated to the litwareinc.com Azure AD tenant.
Fabrikam also has an Azure AD tenant.
Azure Stack Hub Environment
Litware has the following two Azure Stack Hub integrated systems:
✑ A fully operational integrated system in Boston that connects to the Internet and has the following configurations:
– Is managed by using an administrator management endpoint of: https://adminportal.eastus.litwareinc.com
– Has an Azure App Service deployment that has two dedicated, large web workers
– Currently uses version 2005 of Azure Stack Hub
✑ A newly delivered integrated system in Chicago that is disconnected from the Internet and will be managed by using an administrator management endpoint of: https://adminportal.northcentralus.litwareinc.com
Datacenter Environment
The Chicago datacenter of Litware contains the infrastructure shown in the following table.
Current Problems
During heavy usage, requests to App Service in Boston fail despite low utilization of the web workers.
Requirements
Planned Changes
Litware plans to implement the following changes:
✑ Deploy an Event Hubs resource provider to the integrated system in Boston.
✑ Make Azure Functions available to Azure Stack Hub users in Boston.
✑ Prepare the integrated system in Chicago to be production-ready.
Technical Requirements
Litware identifies the following technical requirements:
✑ Implement an infrastructure to support Azure Functions on the integrated system in Boston.
✑ Provision the certificates required to deploy the Event Hubs resource provider to the integrated system in Boston.
✑ Configure an identity provider for the integrated system in Chicago.
✑ Locate the IP address of the privileged endpoint (PEP) of the integrated system in Chicago.
✑ Ensure that only operators have control over the creation of subscriptions on the integrated system in Chicago.
✑ Provision a certificate to provide access to the Azure Resource Manager endpoint of the integrated system in Chicago.
✑ Identify which PowerShell setting on CLIENT1 and CLIENT2 must be modified to register the integrated system in Chicago.
✑ Implement a management app that will use Azure Resource Manager to inventory the resources of the integrated system in Chicago.
Security and Compliance Requirements
Litware has the following security and compliance requirements:
✑ All infrastructure software must run the latest version, including hotfixes.
✑ Litware must have control over certificate revocations.
Business Requirements
Litware wants to ensure that the users at Fabrikam have secure access to the workloads on the integrated system in Boston.
Updates and Hotfixes
The current hotfixes and updates available for Azure Stack Hub are:
✑ 2005
✑ 2005 hotfix 1
✑ 2005 hotfix 2
✑ 2005 hotfix 3
✑ 2008
✑ 2008 hotfix 1
✑ 2008 hotfix 2
✑ 2011 (latest version)
You need to identify the PEP information for the integrated system in Chicago. The solution must meet the technical requirements.
What should you use?
- A . the HLH configuration file
- B . the Get-AzsRegistrationToken cmdlet
- C . Properties on the Region management blade of the administrator portal
- D . the Help + support blade of the administrator portal
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-privileged-endpoint?view=azs-2008
HOTSPOT
You need to identify the authentication and authorization process for the integrated system in Chicago. The solution must meet the technical requirements.
What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
You need to implement the App Service infrastructure to address the current issues and support the planned changes for Azure Functions in Boston.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
HOTSPOT
You need to identify the certificate for the integrated system in Chicago. The solution must meet the technical requirements.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
When deploying Azure Stack Hub in disconnected mode it is recommended to use certificates issued by an enterprise certificate authority. This is important because clients accessing Azure Stack Hub endpoints must be able to contact the certificate revocation list (CRL).
HOTSPOT
You need to register the northcentralus region.
How should you complete the command? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
You need to identify the procedure for creating the subscriptions on the integrated system in Chicago. The solution must meet the technical requirements.
What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
You need to implement the management app. The solution must meet the technical requirements.
What should you use?
- A . a PowerShell session to litwareinc.com
- B . a browser session to litwareinc.com
- C . a PowerShell remoting session to the PEP
- D . a browser session to the administrator portal
D
Explanation:
Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-manage-portals?view=azs-2008
Topic 2, Northwind Traders
Case study
Overview
A company named Northwind Traders has a main office and a datacenter. All development occurs at the main office.
Existing Environment
Identity Environment
The network contains an Active Directory forest named northwind.com. The forest and an Azure Active Directory (Azure AD) tenant named northwind.onmicrosoft.com are integrated by using Active Directory Federation Services (AD FS).
All Azure subscriptions use the northwind.onmicrosoft.com Azure AD tenant.
Northwind Traders uses an Enterprise Agreement (EA) subscription.
All operators are global administrators in northwind.onmicrosoft.com.
Azure Stack Hub Environment
Northwind Traders has the following five Azure Stack Hub integrated systems:
✑ One integrated system that connects to an internet-facing network and has the following configurations:
– The region name is int1.
– The operators do not have access to the user subscriptions.
– The integrated system is used for customer and partner applications.
– The partners and customers of Northwind Traders use guest user accounts to access various user resources.
✑ Two integrated systems that connect to a private network, are accessed only from inside the company, and have the following configurations:
– The integrated systems are dedicated to research and development.
– One integrated system has a region name of priv1, and the other has a region name of priv2.
– The integrated systems are used for various data rendering, AI workloads, inference, and data visualization.
✑ Two integrated systems that are dedicated to application development and have the following configurations:
– The integrated systems are disconnected from the Internet. The workloads in the user subscriptions have Internet access.
– One integrated system has a region name of dev1, and the other has a region name of dev2.
– Both regions are used only by developers at Northwind Traders.
The external domain name of all the integrated systems is northwind.com. All the integrated systems have Azure App Service and the Azure Kubernetes Service (AKS) engine deployed.
The computer of the operator in each region has all the prerequisite software installed for managing Azure Stack Hub.
Current Problems
You identify the following issues in the current environment:
✑ The priv2 region recently experienced a catastrophic failure.
✑ The developers report high chargeback costs for the dev1 region.
✑ The int1 region runs a high number of Windows virtual machines that use pay-as-you-use images.
✑ The Northwind Traders partners and customers report that use of the guest user accounts is too complex.
✑ Users in the priv1 region recently deployed NCas_v4 virtual machines for various AI workloads. The users discover that the virtual machines do not use GPUs.
Requirements
Planned Changes
Northwind Traders plans to implement the following changes:
✑ Remove all guest user accounts.
✑ Change the DNS forwarder of the priv1 region.
✑ Change the billing model and registration name of the int1 region.
✑ After the catastrophic failure, restore the priv2 region to its original state.
✑ Provide each partner with its own dedicated user subscription that will use its own dedicated Azure AD tenant.
Technical Requirements
Northwind Traders identifies the following technical requirements:
✑ Minimize hardware and software costs.
✑ Standardize all datacenter workloads on Azure Stack Hub.
✑ In the priv1 region, implement a disaster recovery plan for App Service.
✑ Whenever possible, implement solutions by using the minimum amount of administrative effort.
✑ In the dev2 region, update the AKS Base Ubuntu image to the latest version in Azure Stack Hub Marketplace.
✑ Whenever possible, implement solutions by using built-in tools, features, and services without acquiring additional third-party tools.
✑ For the users’ virtual machines and the associated resources in the dev1 and dev2 regions, implement a business continuity and disaster recovery plan that includes an automated failback process.
✑ If changes to the Azure Stack Hub infrastructure cause workload downtime outside of planned maintenance windows, notify all users in the region where the downtime occurred and schedule a maintenance window.
DRAG DROP
You schedule a planned maintenance window.
You need to perform an Azure Stack Hub update in the dev1 region. The solution must meet the technical requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
You need to recommend a business continuity and disaster recovery plan for the dev1 and dev2 regions that meets the technical requirements.
Which two recommendations should you make? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Implement the Infrastructure Backup Service
- B . Use an Azure Marketplace backup tool in each region to protect the virtual machines that run in the other region
- C . Implement Azure Site Recovery
- D . Use Infrastructure as Code (IaC) by using Azure Resource Manager templates
DRAG DROP
You need to change the int1 region to use the capacity model. The solution must meet the technical requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Notify all the users in the int1 region and schedule a maintenance window.
Step 2: Select the subscription that was used to perform the initial registration.
Note: You need to change the int1 region to use the capacity model.
Change the billing model and registration name of the int1 region.
The int1 region runs a high number of Windows virtual machines that use pay-as-you-use images.
Change billing model, how features are offered, or re-register your instance
This section applies if you want to change the billing model, how features are offered, or you want to re-register your instance. For all of these cases, you call the registration function to set the new values. You don’t need to first remove the current registration.
# select the subscription used during the registration
Select-AzSubscription -Subscription '<Registration subscription ID from portal>'
# rerun registration with the new BillingModel (or the same billing model in case of re-registration) but using the other parameter values from the portal
Set-AzsRegistration -PrivilegedEndpointCredential $YourCloudAdminCredential -PrivilegedEndpoint $YourPrivilegedEndpoint -BillingModel '<New billing model>' -RegistrationName '<Registration name from portal>' -ResourceGroupName '<Registration resource group from portal>'
Step 3: Run the Set-AzsRegistration cmdlet.
You can use Set-AzsRegistration to register Azure Stack Hub with Azure and enable or disable the offer of items in the marketplace and usage reporting.
To run the cmdlet, you need:
A global Azure subscription of any type.
To be signed in to Azure PowerShell with an account that’s an owner or contributor to that subscription.
As part of the planned changes for the int1 region, you need to remove all the user subscriptions and the associated resources. The solution must meet the technical requirements.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Run the Set-AzsUserSubscription cmdlet against the administrator management endpoint.
- B . From the Azure portal, remove all the guest user accounts.
- C . From the administrator portal, delete all the user subscriptions.
- D . From the user portal delete all the resources in the user subscriptions.
You need to resolve the performance issue reported by the users in the priv1 region.
What should you do?
- A . Redeploy the virtual machines to a new Azure Stack Hub node
- B . Install the NVIDIA drivers on the virtual machines
- C . Install the AMD drivers on the virtual machines
- D . Add an additional scale unit node
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/n-series-amd-driver-setup
You remove all the workloads from the int1 region and change the registration model to capacity.
You prepare additional Azure AD tenants for each partner.
You need to configure multitenancy.
Which two actions should you perform for each guest tenant? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Run the Register-AzSWithMyDirectoryTenant cmdlet and specify https://management.int1.northwind.com as the endpoint.
- B . Run the Register-AzSGuestDirectoryTenant cmdlet and specify https://management.int1.northwind.com as the endpoint.
- C . Run the Register-AzSGuestDirectoryTenant cmdlet and specify https://adminmanagement.int1.northwind.com as the endpoint.
- D . Change the registration model to pay-as-you-use.
- E . Run the Register-AzSWithMyDirectoryTenant cmdlet and specify https://adminmanagement.int1.northwind.com as the endpoint.
A,C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-enable-multitenancy?view=azs-2008
You need to implement disaster recovery for the priv1 region to meet the technical requirements.
Which main components should you include in the disaster recovery plan?
- A . Option A
- B . Option B
- C . Option C
- D . Option D
You need to change the DNS forwarder of the priv1 region.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Run the Register-CustomDnsServer cmdlet
- B . Run the Add-DnsServerForwarder cmdlet
- C . Run the Set-AzsDnsForwarder cmdlet
- D . Connect to the administrator management endpoint of the priv1 region
- E . Connect to privileged endpoint (PEP) of the priv1 region
C,E
Explanation:
Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-configure-dns?view=azs-2008
HOTSPOT
You are troubleshooting the chargeback issues of the dev1 region.
You need to query the usage for each tenant subscription.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Administrator management endpoint
Note: The developers report high chargeback costs for the dev1 region.
Two integrated systems that are dedicated to application development and have the following configurations:
✑ The integrated systems are disconnected from the Internet. The workloads in the user subscriptions have Internet access.
✑ One integrated system has a region name of dev1, and the other has a region name of dev2.
✑ Both regions are used only by developers at Northwind Traders.
The request gets consumption details for the requested subscriptions and for the requested time frame. There is no request body.
This usage API is a provider API, so the caller must be assigned an Owner, Contributor, or Reader role in the provider’s subscription.
Method, Request URI
GET
https://{armendpoint}/subscriptions/{subId}/providers/Microsoft.Commerce.Admin/subscriberUsageAggregates?reportedStartTime={reportedStartTime}&reportedEndTime={reportedEndTime}&aggregationGranularity={granularity}&subscriberId={sub1.1}&api-version=2015-06-01-preview&continua
Arguments
* armendpoint
Azure Resource Manager endpoint of your Azure Stack Hub environment. The Azure Stack Hub convention is that the name of the Azure Resource Manager endpoint is in the format https://adminmanagement.{domain-name}. For example, for the Azure Stack Development Kit (ASDK), if the domain name is local.azurestack.external, then the Resource Manager endpoint is https://adminmanagement.local.azurestack.external.
* subId
Subscription ID of the user who makes the call.
* Etc.
Box 2: Get-AzsSubscriberUsage
Retrieve usage information
PowerShell
To generate the usage data, you should have resources that are running and actively using the system; for example, an active virtual machine (VM), or a storage account containing some data. If you’re not sure whether you have any resources running in the Azure Stack Hub Marketplace, deploy a VM, and verify the VM monitoring blade to make sure it’s running. Use the following PowerShell cmdlets to view the usage data:
✑ Install PowerShell for Azure Stack Hub.
✑ Configure the Azure Stack Hub user or the Azure Stack Hub operator PowerShell environment.
✑ To retrieve the usage data, call the Get-AzsSubscriberUsage PowerShell cmdlet: Get-AzsSubscriberUsage -ReportedStartTime "2017-09-06T00:00:00Z"
The priv2 region is redeployed according to the planned changes.
You need to restore App Service.
Which three components should you restore? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . the App Service roles and services
- B . the file server share content
- C . the infrastructure backup
- D . the worker role virtual machine
- E . the App Service databases
- F . the default domain certificate
A,B,E
Explanation:
Reference: https://docs.microsoft.com/en-us/azure-stack/operator/app-service-recover?view=azs-2008
Topic 3, Trey Research
Case study
Overview
General overview
Trey Research is a pharmaceutical company that has an office in Boston.
Existing environment
Identity Environment
The on-premises network contains an Active Directory forest named treyresearch.net. The forest contains a user named User1.
The forest syncs to an Azure AD tenant named treyresearch.net by using Azure AD Connect.
Trey Research has an internal certification authority (CA).
Compute Environment
The datacenter in the Boston office contains a computer named CLIENT1 that runs Windows 10. CLIENT1 is an administrative workstation that connects directly to the Azure
Stack Hub integrated system.
Planned changes and requirements
Planned changes
Trey Research identifies the following planned changes:
✑ Change the Azure Stack Hub integrated system registration to use an Azure subscription named Subscription3 that has a GUID of 12345678-1234-1234-1234-222222222222.
✑ Configure the integrated system to resolve external names by using a DNS Server that has an IP address of 10.100.100.100.
✑ Implement the App Service resource provider and the Event Hubs resource provider on the integrated system.
✑ Publish a custom cloud-init built image of a Linux virtual machine to Azure Stack Hub Marketplace on the integrated system.
✑ Create a new cloudadmin user named User2.
✑ Assign the delegated provider role to User1.
Azure Stack Hub Requirements
Trey Research identifies the following Azure Stack Hub requirements:
✑ Azure Stack Hub integrated system logs must be forwarded to an external security information and event management (SIEM) system named SIEM1. SIEM1 requires TCP with mutual authentication and TLS 1.2 encryption.
✑ A default Microsoft SQL Server instance will host the database of the App Service resource provider.
✑ The infrastructure of the integrated system must be backed up as frequently as possible.
✑ The integrated system backups must be retained for 28 days.
Business Requirements
Minimize software and licensing costs.
HOTSPOT
You need to configure the Azure Stack Hub infrastructure backups. The solution must meet the Azure Stack Hub requirements.
What should you do in the Azure Stack Hub administrator portal? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: 4
The infrastructure of the integrated system must be backed up as frequently as possible.
Enable backup for Azure Stack Hub from the administrator portal
The frequency in hours determines how often backups are created. The default value is 12.
Scheduler supports a maximum of 12 and a minimum of 4.
Box 2: Azure key vault
The integrated system backups must be retained for 28 days.
Online retention policy. This specifies the time period during which daily, weekly, monthly, and yearly backups are retained in the Azure Site Recovery vault that’s associated with the local MABS instance.
You need to configure the log forwarding. The solution must meet the Azure Stack Hub requirements.
What should you do?
- A . Connect to 192.168.101.101 and run the Set-EventLogLevel and Add-AzLogProfile cmdlets.
- B . Connect to 192.168.100.224 and run the Set-SyslogServer and Set-SyslogClient cmdlets.
- C . Connect to 192.168.100.224 and run the Set-EventLogLevel and Add-AzLogProfile cmdlets.
- D . Connect to 192.168.101.101 and run the Set-SyslogServer and Set-SyslogClient cmdlets.
D
Explanation:
Integrate Azure Stack Hub with monitoring solutions using syslog forwarding
The syslog channel exposes audits, alerts, and security logs from all the components of the Azure Stack Hub infrastructure. Use syslog forwarding to integrate with security monitoring solutions and to retrieve all audits, alerts, and security logs to store them for retention.
Cmdlets to configure syslog forwarding
Configuring syslog forwarding requires access to the privileged endpoint (PEP). Two PowerShell cmdlets have been added to the PEP to configure the syslog forwarding:
### cmdlet to pass the syslog server information to the client and to configure the transport protocol, the encryption and the authentication between the client and the server
Set-SyslogServer [-ServerName <String>] [-ServerPort <UInt16>] [-NoEncryption] [-SkipCertificateCheck] [-SkipCNCheck] [-UseUDP] [-Remove]
### cmdlet to configure the certificate for the syslog client to authenticate with the server
Set-SyslogClient [-pfxBinary <Byte[]>] [-CertPassword <SecureString>]
Reference: https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-integrate-security
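The following PowerShell is an added example (not from the referenced Microsoft documentation) that strings the two PEP cmdlets above together for the SIEM1 requirement: TCP transport, TLS encryption and a client certificate for mutual authentication. It assumes the PEP address 192.168.101.101 from answer D, a constructed SIEM host name siem1.treyresearch.net on port 6514, and a constructed PFX path C:\certs\syslogclient.pfx.

```powershell
# Added example: configure Azure Stack Hub syslog forwarding to SIEM1 over TCP with TLS
# and mutual (client-certificate) authentication, using the PEP cmdlets quoted above.
# Assumptions: PEP at 192.168.101.101 (answer D); SIEM host name, port and PFX path are constructed.
$pepIp   = '192.168.101.101'
$siemFqdn = 'siem1.treyresearch.net'   # constructed host name for SIEM1
$siemPort = 6514                        # constructed port; TLS syslog is commonly 6514/tcp
$pfxPath = 'C:\certs\syslogclient.pfx'  # constructed path to the client certificate

# Cloudadmin credentials for the privileged endpoint.
$cred = Get-Credential -Message 'Enter the cloudadmin credentials for the privileged endpoint'

# Set-SyslogClient expects the PFX as a byte array and its password as a SecureString.
$pfxBytes = [System.IO.File]::ReadAllBytes($pfxPath)
$pfxPass  = Read-Host -Prompt 'PFX password' -AsSecureString

# Open a session to the PEP's constrained PowerShell endpoint.
$session = New-PSSession -ComputerName $pepIp -ConfigurationName PrivilegedEndpoint -Credential $cred

try {
    # Point the infrastructure syslog client at SIEM1. Omitting -NoEncryption and -UseUDP keeps
    # TCP + TLS; omitting -SkipCertificateCheck and -SkipCNCheck keeps full validation of the
    # server certificate, which is what the mutual-authentication requirement needs.
    Invoke-Command -Session $session -ScriptBlock {
        param($server, $port)
        Set-SyslogServer -ServerName $server -ServerPort $port
    } -ArgumentList $siemFqdn, $siemPort

    # Install the client certificate so SIEM1 can authenticate the Azure Stack Hub side.
    Invoke-Command -Session $session -ScriptBlock {
        param($bytes, $password)
        Set-SyslogClient -pfxBinary $bytes -CertPassword $password
    } -ArgumentList $pfxBytes, $pfxPass
}
finally {
    # Always tear down the PEP session, even if one of the cmdlets fails.
    Remove-PSSession $session
}
```

Re-run with Set-SyslogServer -Remove to disable forwarding; the client certificate in the PFX should be issued by the internal CA that SIEM1 trusts, since the page states Trey Research has one.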
DRAG DROP
You need to update the Azure Stack Hub integrated system registration to support the planned changes.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Run Get-AzsRegistrationToken
Change the Azure Stack Hub integrated system registration to use an Azure subscription named Subscription3 that has a GUID of 12345678-1234-1234-1234-222222222222.
Get-AzsRegistrationToken
Get-AzsRegistrationToken generates a registration token from the input parameters.
To register the Azure Stack Hub resource provider with Azure, start PowerShell ISE as an administrator and use PowerShell cmdlets with the EnvironmentName parameter set to the appropriate Azure subscription type.
Step 2: Run the Register-AzsEnvironment cmdlet and specify the -RegistrationToken $Token parameter.
Step 3: Run the Select-AzSubscription cmdlet and specify the -Subscription 12345678-1234-1234-1234-222222222222 parameter.
To change the Azure subscription by using PowerShell, use the Select-AzSubscription command. When you use this command, you can specify either the subscription ID, the subscription name, or the tenant ID.
Step 4: Run Set-AzsRegistration.
Before proceeding, in the same PowerShell session, verify again that you’re signed in to the correct Azure PowerShell context.
This context is the Azure account that was used to register the Azure Stack Hub resource provider. In the same PowerShell session, run the Set-AzsRegistration cmdlet:
$CloudAdminCred = Get-Credential -UserName <Privileged endpoint credentials> -Message "Enter the cloud domain credentials to access the privileged endpoint."
$RegistrationName = "<unique-registration-name>"
Set-AzsRegistration `
-PrivilegedEndpointCredential $CloudAdminCred `
-PrivilegedEndpoint <PrivilegedEndPoint computer name> `
-AgreementNumber <EA agreement number> `
-BillingModel Capacity `
-RegistrationName $RegistrationName
You need to create User2. The solution must support the planned changes.
What should you use?
- A . the tenant portal
- B . Azure Stack Hub Administrator Resource Management Endpoint
- C . HLH
- D . ASZ-ERCS01
A
Explanation:
Create a new cloudadmin user named User2.
Add a new Azure Stack Hub user account in Azure Active Directory (Azure AD)
Before you can test offers and plans and create resources, you’ll need a user account for the Azure Stack Hub user portal. You create a user account in your Azure AD tenant, by using the Azure portal or PowerShell.
Reference: https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-add-new-user-aad
You need to support the planned changes for User1.
Which service should you include?
- A . Microsoft.Subscriptions
- B . Microsoft.KeyVault
- C . Microsoft.Storage
- D . Microsoft.Compute
A
Explanation:
Assign the delegated provider role to User1.
Delegation steps
There are two steps to setting up delegation:
HOTSPOT
You need to create a certificate for the Event Hubs resource provider. The solution must support the planned changes.
How should you configure the certificate? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Subject Alternative Name
Implement the App Service resource provider and the Event Hubs resource provider on the integrated system.
Only the Subject Alternative Name is used.
Box 2: DNS Name = *.eventhub.east.azurestack.treyresearch.net
Event Hubs prerequisites
Procure public key infrastructure (PKI) SSL certificates for Event Hubs.
The Subject Alternative Name (SAN) must contain a DNS name that follows the pattern *.eventhub.<region>.<fqdn>; with the region east and the external FQDN azurestack.treyresearch.net that is *.eventhub.east.azurestack.treyresearch.net. A Subject Name (CN) may be specified, but Event Hubs does not use it when handling certificates. Only the Subject Alternative Name is used. See PKI certificate requirements for the full list of detailed requirements.
HOTSPOT
You need to create the planned changes and meet the business requirements.
Which subscription should you use to host the SQL Server instance, and what should you configure on the instance? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: The Default Provider Subscription
A default Microsoft SQL Server instance will host the database of the App Service resource provider.
In Azure Stack Hub Subscriptions, select the Default Provider Subscription. Azure App Service on Azure Stack Hub must be deployed in the Default Provider Subscription.
Box 2: (the page records no selection)
Enter the SQL Server details for the server instance used to host the App Service resource provider database and then select Next. The installer validates the SQL connection properties. The App Service prerequisites require the instance to be configured for mixed-mode (SQL Server and Windows) authentication, and the login the installer uses needs sysadmin rights on the instance, so check both before running the installer.
DRAG DROP
You need to create the Linux virtual machine image. The solution must support the planned changes.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Create a config file and save it as cloud-init.txt.
Publish a custom cloud-init built image of a Linux virtual machine to Azure Stack Hub Marketplace on the integrated system.
Add Linux images to the Azure Stack Hub Marketplace
1: Create a cloud-init.txt file with your cloud-config
Step 2: Upload the file to an Azure Stack Hub storage account.
2: Reference cloud-init.txt during the Linux VM deployment
Upload the file to an Azure storage account, Azure Stack Hub storage account, or GitHub repository reachable by your Azure Stack Hub Linux VM.
Step 3: Provision the Azure Stack Hub virtual machine by using the Az PowerShell module. You can create an Ubuntu Server 16.04 LTS virtual machine (VM) by using Azure Stack Hub PowerShell.
Make sure to reference the cloud-init.txt as part of the -CustomData parameter:
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine `
    -Linux `
    -ComputerName "MainComputer" `
    -Credential $cred `
    -CustomData "#include https://cloudinitstrg.blob.core.windows.net/strg/cloud-init.txt"
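The three steps above, carried through end to end as an added example (not code from the page or from Microsoft's documentation). It assumes you are already signed in to the user Resource Manager endpoint of the integrated system (Add-AzEnvironment followed by Connect-AzAccount -Environment), that the region is named east, that the Canonical UbuntuServer 16.04-LTS image has been downloaded to the marketplace, and that the resource names, the 10.100.0.0/16 management range and the SSH key path are illustrative. Instead of uploading cloud-init.txt and using the #include form, it passes the same cloud-config text directly through -CustomData, which the Az module base64-encodes; the cloud-config disables password logins and installs the operator's SSH key.

```powershell
# Added example: cloud-init driven Ubuntu VM on Azure Stack Hub (assumed: signed in to the user ARM endpoint).
$location     = "east"                  # region name of the integrated system (assumption)
$rgName       = "rg-cloudinit-demo"     # illustrative names
$vmName       = "vm-cloudinit"
$adminUser    = "azureuser"
$sshPublicKey = (Get-Content -Path "$HOME\.ssh\id_rsa.pub" -Raw).Trim()   # assumed key location

# Step 1: the cloud-config. First line must be "#cloud-config"; YAML indentation and LF line endings matter.
$cloudInit = @"
#cloud-config
package_upgrade: true
packages:
  - nginx
ssh_pwauth: false
users:
  - name: $adminUser
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - $sshPublicKey
runcmd:
  - systemctl enable nginx
  - systemctl start nginx
"@
$cloudInit = $cloudInit -replace "`r`n", "`n"
$cloudInitPath = Join-Path $PWD "cloud-init.txt"
[System.IO.File]::WriteAllText($cloudInitPath, $cloudInit, [System.Text.UTF8Encoding]::new($false))
# Step 2 (alternative to the inline form below): upload cloud-init.txt to a storage account and pass
# "#include <blob URL>" as the CustomData value, exactly as the page's snippet does.

# Step 3: network plumbing. SSH is only reachable from the assumed management range.
New-AzResourceGroup -Name $rgName -Location $location | Out-Null
$subnet  = New-AzVirtualNetworkSubnetConfig -Name "default" -AddressPrefix "10.0.0.0/24"
$vnet    = New-AzVirtualNetwork -Name "vnet-demo" -ResourceGroupName $rgName -Location $location -AddressPrefix "10.0.0.0/16" -Subnet $subnet
$pip     = New-AzPublicIpAddress -Name "pip-demo" -ResourceGroupName $rgName -Location $location -AllocationMethod Dynamic
$sshRule = New-AzNetworkSecurityRuleConfig -Name "allow-ssh-mgmt" -Protocol Tcp -Direction Inbound -Priority 1000 `
    -SourceAddressPrefix "10.100.0.0/16" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange 22 -Access Allow
$nsg     = New-AzNetworkSecurityGroup -Name "nsg-demo" -ResourceGroupName $rgName -Location $location -SecurityRules $sshRule
$nic     = New-AzNetworkInterface -Name "nic-demo" -ResourceGroupName $rgName -Location $location `
    -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

# A credential object is mandatory, but password authentication is disabled, so use a throwaway value.
$throwaway = ConvertTo-SecureString -String (New-Guid).Guid -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($adminUser, $throwaway)

$vm = New-AzVMConfig -VMName $vmName -VMSize "Standard_DS1_v2"
# -CustomData takes the plain cloud-config; the module base64-encodes it for the OS profile.
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName $vmName -Credential $cred -DisablePasswordAuthentication -CustomData $cloudInit
$vm = Add-AzVMSshPublicKey -VM $vm -KeyData $sshPublicKey -Path "/home/$adminUser/.ssh/authorized_keys"
$vm = Set-AzVMSourceImage -VM $vm -PublisherName "Canonical" -Offer "UbuntuServer" -Skus "16.04-LTS" -Version "latest"
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm
```

After the VM boots, cloud-init logs its work to /var/log/cloud-init-output.log on the guest; check there if nginx is not listening. The inline form keeps the cloud-config out of a publicly readable blob, which matters if it ever carries secrets; the #include form is the right choice when the same config must be shared by many deployments.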
You need to configure name resolution to support the planned changes.
Which PowerShell cmdlet should you run?
- A . Set-DnsServer
- B . Register-CustomDnsServer
- C . Set-AzSDnsForwarder
- D . Set-DNSClientServerAddress
B
Explanation:
Configure the integrated system to resolve external names by using a DNS Server that has an IP address of 10.100.100.100.
Resolving external DNS names from Azure Stack Hub
To resolve DNS names for endpoints outside Azure Stack Hub (for example: www.bing.com), you need to provide DNS servers that Azure Stack Hub can use to forward DNS requests for which Azure Stack Hub isn't authoritative. For deployment, the DNS servers that Azure Stack Hub forwards requests to are required in the Deployment Worksheet (in the DNS Forwarder field). Provide at least two servers in this field for fault tolerance. Without these values, Azure Stack Hub deployment fails. You can edit the DNS Forwarder values with the Set-AzSDnsForwarder cmdlet after deployment.
Configure conditional DNS forwarding
Important
This only applies to an AD FS deployment.
To enable name resolution with your existing DNS infrastructure, configure conditional forwarding.
To add a conditional forwarder, you must use the privileged endpoint; the cmdlet run in that session is Register-CustomDnsServer, which takes the domain name to forward and the IP addresses of the DNS servers for that domain.
For this procedure, use a computer in your datacenter network that can communicate with the privileged endpoint in Azure Stack Hub.
The two cmdlets do different things: Set-AzSDnsForwarder replaces the general forwarders used for every name Azure Stack Hub is not authoritative for, whereas Register-CustomDnsServer adds a conditional forwarder for one specific zone. Which one the scenario calls for depends on whether 10.100.100.100 is meant to serve all external names or only the corporate AD domain.
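Both operations from a single PEP session, as an added example (not code from the page or from the Azure Stack Hub documentation). Assumptions: the PEP VM is AzS-ERCS01, the AD FS domain is azurestack, the second forwarder address and the litwareinc.com DNS server addresses are illustrative, and 10.100.100.100 is the forwarder from the question.

```powershell
# Added example: adjust external forwarding and conditional forwarding through the privileged endpoint.
$pepCred = Get-Credential -UserName "azurestack\cloudadmin" -Message "Enter privileged endpoint credentials"
$pepSession = New-PSSession -ComputerName "AzS-ERCS01" -ConfigurationName PrivilegedEndpoint -Credential $pepCred `
    -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)
try {
    # The PEP is a constrained (JEA) endpoint; confirm the parameter names this build exposes before relying on them.
    Invoke-Command -Session $pepSession -ScriptBlock {
        Get-Command Set-AzSDnsForwarder, Register-CustomDnsServer -Syntax
    }

    # (a) External names: every query Azure Stack Hub is not authoritative for goes to these forwarders.
    #     Supply at least two for fault tolerance (the second address is an assumption).
    Invoke-Command -Session $pepSession -ScriptBlock {
        Set-AzSDnsForwarder -IPAddress "10.100.100.100", "10.100.100.101"
    }

    # (b) AD FS deployments only: a conditional forwarder routes one zone (the corporate AD domain)
    #     to that zone's own DNS servers so the stamp can resolve, for example, the AD FS farm name.
    Invoke-Command -Session $pepSession -ScriptBlock {
        Register-CustomDnsServer -CustomDomainName "litwareinc.com" -CustomDnsIPAddresses "10.10.1.1", "10.10.1.2"
    }
}
finally {
    # Always tear the PEP session down; an open unlocked PEP session is a standing privileged channel.
    Remove-PSSession $pepSession
}
```

Run (a) alone when the requirement is "resolve external names via 10.100.100.100"; run (b) when the requirement is to reach names in an existing on-premises zone from an AD FS-integrated system.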
You provision a new certificate to support the planned changes.
You need to validate the certificate.
Which PowerShell module should you install first?
- A . Az.Websites
- B . AzureRM.TemplateValidator
- C . AzureStack
- D . Microsoft.AzureStack.ReadinessChecker
D
Explanation:
Use the Azure Stack Hub Readiness Checker tool to validate that the generated public key infrastructure (PKI) certificates are suitable for deployment. Validate certificates early enough to leave time to test and reissue them if necessary.
The Readiness Checker tool performs the following certificate validations:
* Parse PFX
Checks for a valid PFX file, the correct password, and whether the public information is protected by the password.
* Expiry Date
Checks for a minimum validity of seven days.
* Signature algorithm
Checks that the signature algorithm isn't SHA1.
* Private Key
Checks that the private key is present and is exported with the local machine attribute.
* Cert chain
Checks that the certificate chain is intact, including a check for self-signed certificates.
* DNS names
Checks that the SAN contains the relevant DNS names for each endpoint, or that a wildcard covers them.
* Key usage
Checks that key usage contains digital signature and key encipherment, and that enhanced key usage contains server and client authentication.
* Key size
Checks that the key size is 2048 bits or larger.
Note: Perform core services certificate validation
Use these steps to validate the Azure Stack Hub PKI certificates for deployment and secret rotation:
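The validation run itself, as an added example (not code from the page or from Microsoft). It assumes the region east and external FQDN azurestack.treyresearch.net from this case, an Azure AD identity system, and that the PFX files sit under C:\Certificates in the folder layout the Readiness Checker expects (one subfolder per certificate for the deployment set, a single folder for the Event Hubs certificate). The second half is an independent spot check of the same properties the tool tests, written with the .NET X509 classes so it can run where the module is not installed; the helper name Test-AzsPfxBasics is this example's own.

```powershell
# Added example: validate the deployment certificate set and the Event Hubs certificate before handing them over.
Install-Module -Name Microsoft.AzureStack.ReadinessChecker -Force -AllowPrerelease
$pfxPassword = Read-Host -Prompt "Enter PFX password" -AsSecureString
$regionName  = 'east'                          # values from the case study
$fqdn        = 'azurestack.treyresearch.net'

# Core services (deployment / secret rotation) certificates. IdentitySystem AAD is an assumption for this case.
Invoke-AzsHubDeploymentCertificateValidation -CertificatePath "C:\Certificates\Deployment" `
    -pfxPassword $pfxPassword -RegionName $regionName -FQDN $fqdn -IdentitySystem AAD

# Event Hubs resource provider certificate: the check that the SAN carries *.eventhub.<region>.<fqdn>.
Invoke-AzsHubEventHubsCertificateValidation -CertificatePath "C:\Certificates\EventHubs" `
    -pfxPassword $pfxPassword -RegionName $regionName -FQDN $fqdn

# Independent spot check of expiry, signature algorithm, private key and SAN (helper defined here, not part of the tool).
function Test-AzsPfxBasics {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$ExpectedSan
    )
    # MachineKeySet mirrors the "local machine attribute" the tool requires on the private key.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password, $flags)
    # 2.5.29.17 is the Subject Alternative Name extension; Format($false) renders it as "DNS Name=...".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    [pscustomobject]@{
        Subject        = $cert.Subject
        HasPrivateKey  = $cert.HasPrivateKey
        NotSha1        = $cert.SignatureAlgorithm.FriendlyName -notmatch 'sha1'
        ValidSevenDays = $cert.NotAfter -gt (Get-Date).AddDays(7)
        KeySize2048    = $cert.PublicKey.Key.KeySize -ge 2048
        SanMatches     = $san -match [regex]::Escape($ExpectedSan)
        SAN            = $san
    }
}
Test-AzsPfxBasics -PfxPath "C:\Certificates\EventHubs\EventHubs.pfx" -Password $pfxPassword -ExpectedSan "*.eventhub.$regionName.$fqdn"
```

Treat any False in the spot-check output the same way as a Readiness Checker failure: reissue rather than deploy, because a certificate that passes here but fails later forces a secret-rotation cycle on a production stamp.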
Topic 4, Misc. Questions
You plan to deploy an Azure Stack Hub integrated system that will be disconnected from the internet. The integrated system region name is region1, and the external domain name is contoso.local.
You need to ensure that the generated certificate signing request (CSR) has the correct subjects and subject alternative names (SAN).
Which name must you include in the CSR?
- A . graph.region1.contoso.local
- B . graph.local.azurestack.external
- C . *.hosting.region1.azurestack.local
- D . *.adminhosting.region1.azurestack.local
D
Explanation:
You can deploy and use Azure Stack Hub without a connection to the internet. However, with a disconnected deployment, you're limited to an Active Directory Federation Services (AD FS) identity store and the capacity-based billing model. Because multitenancy requires the use of Azure Active Directory (Azure AD), multitenancy isn't supported for disconnected deployments.
The implementation of Extension Host requires two wildcard SSL certificates, one for the Admin portal and one for the Tenant portal.
Note: Certificate requirements
The extension host implements two new domain namespaces to guarantee unique host entries for each portal extension. The new domain namespaces require two additional wildcard certificates to ensure secure communication.
The new namespaces and the associated certificates are:
*.adminhosting.<region>.<fqdn> - Admin extension host certificate (administrator portal extensions)
*.hosting.<region>.<fqdn> - Tenant extension host certificate (user portal extensions)
Example:
$regionName = 'east' # The region name for your Azure Stack Hub deployment
$externalFQDN = 'azurestack.contoso.com' # The external FQDN for your Azure Stack Hub deployment
Starting Certificate Request Process for Deployment
CSR generating for following SAN(s):
*.adminhosting.east.azurestack.contoso.com, *.adminvault.east.azurestack.contoso.com, *.blob.east.azurestack.contoso.com, *.hosting.east.azurestack.contoso.com, *.queue.east.azurestack.contoso.com, *.table.east.azurestack.contoso.com, *.vault.east.azurestack.contoso.com, adminmanagement.east.azurestack.contoso.com, adminportal.east.azurestack.contoso.com, management.east.azurestack.contoso.com, portal.east.azurestack.contoso.com
Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\username\Documents\AzureStackCSR\Deployment_east_azurestack_contoso_com_SingleCSR_CertRequest_20200710165538.req
Certreq.exe output: CertReq: Request Created
Check the names against the scenario: the SANs are built from the region name and external FQDN you supply, so for region1 and contoso.local every name ends in region1.contoso.local, and the extension host wildcards are *.adminhosting.region1.contoso.local and *.hosting.region1.contoso.local. An AD FS (disconnected) deployment additionally requires adfs.<region>.<fqdn> and graph.<region>.<fqdn>, which do not appear in the Azure AD example above.
Reference:
https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-disconnected-deployment
https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-extension-host-prepare
https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-get-pki-certs
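Generating the CSR for exactly this scenario and checking the SAN list before it goes to the CA, as an added example (not code from the page or from Microsoft). Assumptions: region1 and contoso.local from the question, AD FS as the identity system because the deployment is disconnected, and an illustrative subject and output folder. The check parses the request with certutil.exe -dump, which prints the SAN extension of a .req file.

```powershell
# Added example: deployment CSR for a disconnected (AD FS) integrated system, plus a SAN completeness check.
Install-Module -Name Microsoft.AzureStack.ReadinessChecker -Force -AllowPrerelease
$regionName      = 'region1'
$externalFQDN    = 'contoso.local'
$subject         = "C=US,ST=Washington,L=Redmond,O=Contoso,OU=Azure Stack Hub"   # illustrative subject
$outputDirectory = "$env:USERPROFILE\Documents\AzureStackCSR"
New-Item -ItemType Directory -Path $outputDirectory -Force | Out-Null

# Disconnected deployments can only use AD FS, so the request must be generated for that identity system;
# this is what adds the adfs.* and graph.* names to the SAN list.
New-AzsHubDeploymentCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN `
    -IdentitySystem ADFS -subject $subject -OutputRequestPath $outputDirectory

# Check: every endpoint name required for an AD FS deployment must be in the SAN of the newest .req.
$req = Get-ChildItem -Path $outputDirectory -Filter '*.req' | Sort-Object LastWriteTime | Select-Object -Last 1
$dump = (certutil.exe -dump $req.FullName) -join "`n"
$expected = @(
    "*.adminhosting.$regionName.$externalFQDN", "*.hosting.$regionName.$externalFQDN",
    "adminportal.$regionName.$externalFQDN",    "portal.$regionName.$externalFQDN",
    "adminmanagement.$regionName.$externalFQDN","management.$regionName.$externalFQDN",
    "*.blob.$regionName.$externalFQDN", "*.queue.$regionName.$externalFQDN", "*.table.$regionName.$externalFQDN",
    "*.vault.$regionName.$externalFQDN", "*.adminvault.$regionName.$externalFQDN",
    "adfs.$regionName.$externalFQDN", "graph.$regionName.$externalFQDN"     # AD FS-only names
)
$missing = $expected | Where-Object { $dump -notmatch [regex]::Escape($_) }
if ($missing) {
    Write-Warning "SAN entries missing from $($req.Name): $($missing -join ', ')"
} else {
    Write-Host "CSR $($req.Name) carries all expected SANs for region $regionName / $externalFQDN"
}
```

Keep the generated .req and the private key on the same machine: the private key is created in the local machine store when the request is made, and the issued certificate can only be completed into a PFX where that key lives.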
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Stack Hub integrated system.
The security department at your company wants a list of all the users who can manage the integrated system from the privileged endpoint (PEP).
You need to create the list.
Solution: You connect to the administrator portal and view the users who are assigned the Owner role for the default provider subscription.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Owners of the Default Provider Subscription are operators of the administrator portal and the administrator Resource Manager endpoint, which is a different role from PEP access. The accounts that can connect to the privileged endpoint are the cloudadmin users, and the authoritative list comes from running Get-CloudAdminUserList inside a PEP session.
Reference: https://docs.microsoft.com/en-us/azure-stack/reference/pep-2002/get-cloudadminuserlist
HOTSPOT
You have an Azure Stack Hub integrated system.
The Volumes list for the integrated system is shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
DRAG DROP
You have an Azure Stack Hub integrated system. The current VIP pool uses a subnet of 192.168.203.0/24 and has routing configured to use BGP.
In the administrator portal, you receive an alert that the public IP addresses are at 95 percent utilization.
You need to add 192.168.204.0/24 to the public IP address pool.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Add public IP addresses
Add the IP address range to Azure Stack Hub
✑ In a browser, go to your administrator portal dashboard. For this example, we’ll use https://adminportal.local.azurestack.external.
✑ Sign in to the Azure Stack Hub administrator portal as a cloud operator. (Step 1)
✑ On the default dashboard, find the Region management list and select the region
you want to manage. For this example, we use local.
✑ Find the Resource providers tile and click on the network resource provider. (Step 2)
✑ Click on the Public IP pools usage tile. (Step 2)
✑ Click on the Add IP pool button. (Step 3)
✑ Provide a name for the IP pool. The name you choose helps you easily identify the IP pool. You can’t use a special character like "/" in this field. It’s a good practice to make the name the same as the address range, but that isn’t required.
✑ Enter the address block you want to add in CIDR notation. For example: 192.168.203.0/24
✑ When you provide a valid CIDR range in the Address range (CIDR block) field the Start IP address, End IP address and Available IP addresses fields will automatically populate. They’re read-only and automatically generated so you can’t change these fields without modifying the value in the Address range field.
✑ After you review the info on the blade and confirm that everything looks correct, select Ok to commit the change and add the address range to Azure Stack Hub.
HOTSPOT
You have a disconnected Azure Stack Hub integrated system that will be used in production.
You need to obtain a token to register the integrated system.
How should you complete the PowerShell script? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: $false
Get-AzsRegistrationToken generates a registration token from the input parameters.
Parameter: UsageReportingEnabled True/False
Azure Stack Hub reports usage metrics by default. Operators using capacity billing or supporting a disconnected environment need to turn off usage reporting. Allowed values for this parameter are: True, False.
Box 2: Capacity
BillingModel String
The billing model that your subscription uses.
Allowed values for this parameter are:
Capacity, PayAsYouUse, and Development.
With a disconnected deployment, you’re limited to an Active Directory Federation Services (AD FS) identity store and the capacity-based billing model.
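The disconnected registration flow that these two boxes belong to, as an added example (not code from the page or from Microsoft). It is three stages on two machines, not one script: the token is generated next to the PEP, registration and activation-key retrieval happen on an internet-connected machine, and the key is imported back through the PEP. Assumptions: the Azure Stack Hub tools are checked out under C:\AzureStack-Tools-az, the PEP VM is AzS-ERCS01, the AD FS domain is azurestack, the file paths and registration name are illustrative, and '<EA agreement number>' is a placeholder. The activation cmdlets (Get-AzsActivationKey, Import-AzsRegistrationKey) are named as in the registration documentation; confirm them with Get-Command -Module after importing the module.

```powershell
# Added example: register a disconnected integrated system.

# ----- Stage 1: machine that can reach the privileged endpoint (no internet needed) -----
Import-Module "C:\AzureStack-Tools-az\Registration\RegisterWithAzure.psm1"
$CloudAdminCred = Get-Credential -UserName "azurestack\cloudadmin" -Message "Enter the cloud domain credentials to access the privileged endpoint."
$TokenPath = "C:\AzureStack\RegistrationToken.txt"
New-Item -ItemType Directory -Path (Split-Path $TokenPath) -Force | Out-Null

# Box 1 -> UsageReportingEnabled:$false: a disconnected system cannot push usage data to Azure.
# Box 2 -> BillingModel Capacity: the only billing model allowed without a connection.
# Marketplace syndication is switched off for the same reason: the stamp cannot reach the Azure Marketplace.
Get-AzsRegistrationToken -PrivilegedEndpointCredential $CloudAdminCred `
    -PrivilegedEndpoint "AzS-ERCS01" `
    -UsageReportingEnabled:$false `
    -MarketplaceSyndicationEnabled:$false `
    -BillingModel Capacity `
    -AgreementNumber '<EA agreement number>' `
    -TokenOutputFilePath $TokenPath

# ----- Stage 2: copy RegistrationToken.txt to an internet-connected machine, register, fetch the activation key -----
Import-Module "C:\AzureStack-Tools-az\Registration\RegisterWithAzure.psm1"
Connect-AzAccount -Environment AzureCloud | Out-Null
$RegistrationName  = "AzsHub-Region1-Disconnected"          # must be unique within the Azure subscription
$RegistrationToken = Get-Content -Path $TokenPath -Raw
$KeyPath           = "C:\AzureStack\ActivationKey.txt"
Register-AzsEnvironment -RegistrationToken $RegistrationToken -RegistrationName $RegistrationName
Get-AzsActivationKey -RegistrationName $RegistrationName -KeyOutputFilePath $KeyPath

# ----- Stage 3: copy ActivationKey.txt back and import it through the privileged endpoint -----
$ActivationKey = Get-Content -Path $KeyPath -Raw
Import-AzsRegistrationKey -PrivilegedEndpointCredential $CloudAdminCred -PrivilegedEndpoint "AzS-ERCS01" -ActivationKey $ActivationKey
```

The token and activation key are the only artifacts that cross the air gap; treat them like credentials while they are in transit, and delete the copies once the import succeeds.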
You have an Azure Stack Hub integrated system and an offer to which users can subscribe.
You need to prevent users and operators from creating new user subscriptions based on the offer without affecting the existing user subscriptions.
What should you do?
- A . Change the offer state to Private.
- B . Change the offer state to Decommissioned.
- C . Change the offer state to Public.
- D . Delete the offer and create a new private offer.
B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-create-offer?view=azs-2008
You have an Azure Stack Hub integrated system.
You receive the following alert: "One or more guest Azure AD tenants must be configured."
You need to identify which Azure AD tenants require configuration.
Which PowerShell cmdlet should you run?
- A . Get-AzsDirectoryTenantIdentifier
- B . Get-AzureADTenantDetail
- C . Get-AzsHealthReport
- D . Get-AzsAlerts
C
Explanation:
Synopsis
Gets the health report of the identity application in the Azure Stack home and guest directories.
DESCRIPTION
Gets the health report for Azure Stack identity applications in the home directory as well as the guest directories of Azure Stack. Any directories with an unhealthy status need to have their permissions updated.
EXAMPLE
$adminResourceManagerEndpoint = "https://adminmanagement.local.azurestack.external"
$homeDirectoryTenantName = "<homeDirectoryTenant>.onmicrosoft.com"
Get-AzsHealthReport -AdminResourceManagerEndpoint $adminResourceManagerEndpoint `
    -DirectoryTenantName $homeDirectoryTenantName -Verbose
Reference:
https://github.com/Azure/AzureStack-Tools/blob/master/Identity/AzureStack.Identity.psm1
https://github.com/Azure/AzureStack-Tools/blob/master/Identity/README.md
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You plan to install an update to an Azure Stack Hub integrated system.
You need to verify whether the integrated system is healthy, and whether you can apply the update. You must achieve the goal as quickly as possible.
Solution: From a privileged endpoint (PEP) session, you run Test-AzureStack -Group "Default".
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Test-AzureStack with the Default group (equivalent to running it without -Group) executes the full validator set, which takes far longer than necessary. The quick pre-update health check is Test-AzureStack -Group UpdateReadiness, which runs only the tests relevant to applying an update; Test-AzureStack -List shows which tests belong to each group.
Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-diagnostic-test?view=azs-2008
HOTSPOT
You plan to deploy a disconnected Azure Stack Hub integrated system.
You need to identify which type of certificate to use for the deployment and the file format for the certificate.
The solution must meet the following requirements:
• Minimize administrative effort.
• Maximize security.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Azure Stack Hub public key infrastructure (PKI) certificate requirements
Azure Stack Hub has a public infrastructure network using externally accessible public IP addresses assigned to a small set of Azure Stack Hub services and possibly tenant VMs. PKI certificates with the appropriate DNS names for these Azure Stack Hub public infrastructure endpoints are required during Azure Stack Hub deployment.
Box 1: A certificate from an internal certification authority (CA)
Your Azure Stack Hub infrastructure must have network access to the certificate authority’s Certificate Revocation List (CRL) location published in the certificate. This CRL must be an http endpoint. Note: for disconnected deployments, certificates issued by a public certificate authority (CA) are not supported, if the CRL endpoint is not accessible.
Features that are impaired or unavailable in disconnected deployments
Azure Stack Hub was designed to work best when connected to Azure, so it’s important to note that there are some features and functionality that are either impaired or completely unavailable in the disconnected mode.
Private/internal Certificate Authority (CA)
No impact – In cases where the deployment uses certificates issued by a private CA, such as an internal CA within an organization, only internal network access to the CRL endpoint is required. Internet connectivity is not required, but you should verify that your Azure Stack Hub infrastructure has the required network access to contact the CRL endpoint defined in the certificates CDP extension.
Box 2: PFX
The certificate format must be PFX, as both the public and private keys are required for Azure Stack Hub installation. The private key must have the local machine key attribute set.
DRAG DROP
You have an Azure Stack Hub integrated system that is disconnected from the Internet.
You need to collect diagnostic logs, but do not have access to an SMB share.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
You have an Azure Stack Hub integrated system that is disconnected from the internet.
The integrated system has an Azure App Service resource provider.
You generate a new certificate.
You need to rotate the certificate of the App Service identity application to use the new certificate.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . From the administrator portal, get the value of the default provider subscription object ID.
- B . From a privileged endpoint (PEP) session, run the Export-Certificate cmdlet, and then run the Import-Certificate cmdlet.
- C . From a privileged endpoint (PEP) session, run the New-Object cmdlet, and then run the Import-PfxCertificate cmdlet.
- D . From a privileged endpoint (PEP) session, run the New-Object cmdlet, and then run the Set-GraphApplication cmdlet.
- E . From the administrator portal, get the value of the AzureStack-AppService object ID.
D,E
Explanation:
Your choice of either Azure AD or AD FS is determined by the mode in which you deploy
Azure Stack Hub:
When you deploy it in a connected mode, you can use either Azure AD or AD FS.
When you deploy it in a disconnected mode, without a connection to the internet, only AD FS is supported.
E:
Rotate certificate for AD FS identity application
The identity application is created by the operator before deployment of Azure App Service on Azure Stack Hub. If the application’s object ID is unknown, follow these steps to discover it:
✑ Go to the Azure Stack Hub administrator portal.
✑ Go to Subscriptions and select Default Provider Subscription.
✑ Select Access Control (IAM) and select the AzureStack-AppService-<guid> application.
✑ Take a note of the Object ID, this value is the ID of the Service Principal that must be updated in AD FS.
D: To rotate the certificate for the application in AD FS, you need to have access to the privileged endpoint (PEP). Then you update the certificate credential using PowerShell.
# Sign in to PowerShell interactively, using credentials that have access to the VM running the Privileged Endpoint
$Creds = Get-Credential
# Create a new Certificate object from the identity application certificate exported as a .cer file
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<CertificateFileLocation>")
# Create a new PSSession to the PrivilegedEndpoint VM
$Session = New-PSSession -ComputerName "<PepVm>" -ConfigurationName PrivilegedEndpoint -Credential $Creds -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)
# Use the privileged endpoint to update the certificate thumbprint used by the service principal associated with the App Service identity application
$SpObject = Invoke-Command -Session $Session -ScriptBlock { Set-GraphApplication -ApplicationIdentifier "<ApplicationObjectId>" -ClientCertificates $using:Cert }
$Session | Remove-PSSession
# Output the updated service principal details
$SpObject
Reference:
https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-identity-overview
https://learn.microsoft.com/en-us/azure-stack/operator/app-service-rotate-certificates
HOTSPOT
You have an Azure Stack Hub Integrated system that has the following configurations:
• Deployment virtual machine (DVM) IP address: 10.30.1.253
• First host IP address: 10.30.1.193
• Last host IP address: 10.30.1.254
• Subnet mask: 255.255.255.192
• BMC network: 10.30.1.192/26
• Default gateway: 10.30.1.193
• NTP: 10.31.1.2
• DNS: 8.8.8.8
You need to deploy an Operator Access Workstation (OAW) to the Hardware Lifecycle Host (HLH) and configure the network settings for the OAW.
How should you complete the script? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: .\New-OAW.ps1
Create the OAW VM using a script
The following script prepares the virtual machine as the Operator Access Workstation (OAW), which is used to access Microsoft Azure Stack Hub.
✑ Sign in to the HLH with your credentials.
✑ Download OAW.zip and extract the files.
✑ Open an elevated PowerShell session.
✑ Navigate to the extracted contents of the OAW.zip file.
✑ Run the New-OAW.ps1 script.
Example: Deploy on HLH using a Microsoft image
$oawRootPath = "D:\oawtest"
$securePassword = Read-Host -Prompt "Enter password for Azure Stack OAW's local administrator" -AsSecureString
if (Get-ChildItem -Path $oawRootPath -Recurse | Get-Item -Stream Zone* -ErrorAction SilentlyContinue | Select-Object FileName)
{ Write-Host "Execution failed, unblock the script files first" }
else { .\New-OAW.ps1 -LocalAdministratorPassword $securePassword }
Syntax:
New-OAW
-LocalAdministratorPassword <Security.SecureString> `
-IPAddress <String> `
-SubnetMask <String> `
-DefaultGateway <String> `
-DNS <String[]> `
-TimeServer <String> `
[-AzureStackCertificatePath <String>] `
[-AzSStampInfoFilePath <String>] `
[-CertificatePassword <Security.SecureString>] `
[-ERCSVMIP <String[]>] `
[-ImageFilePath <String>] `
[-VirtualMachineName <String>] `
[-VirtualMachineMemory <int64>] `
[-VirtualProcessorCount <int>] `
[-VirtualMachineDiffDiskPath <String>] `
[-PhysicalAdapterMACAddress <String>] `
[-VirtualSwitchName <String>] `
[-ReCreate] `
[-AsJob] `
[-Passthru] `
[-WhatIf] `
[-Confirm] `
[<CommonParameters>]
Box 2: 10.30.1.253
Deployment virtual machine (DVM) IP address: 10.30.1.253
Note:
Parameter:
IPAddress (Required)
The static IPv4 address to configure TCP/IP on the virtual machine.
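The same invocation with the network values from this question, plus the two checks worth doing before executing anything from the download, as an added example (not code from the page or from Microsoft). Assumptions: OAW.zip and its extracted contents are under D:\oaw, and $publishedHash is a placeholder for the SHA256 value shown on the OAW download page.

```powershell
# Added example: deploy the OAW on the HLH with the question's network settings.
$oawRootPath   = "D:\oaw"                                   # illustrative extraction folder
$publishedHash = "<SHA256 from the OAW download page>"      # placeholder; paste the published value

# Integrity first: the archive crossed a trust boundary, so compare its hash before running anything inside it.
$actualHash = (Get-FileHash -Path "$oawRootPath\OAW.zip" -Algorithm SHA256).Hash
if ($actualHash -ne $publishedHash) { throw "OAW.zip hash mismatch: $actualHash" }

# Files downloaded from the internet carry a Zone.Identifier stream and are blocked from execution; clear it,
# then repeat the page's own check so the script does not fail half-way through.
Get-ChildItem -Path $oawRootPath -Recurse -File | Unblock-File
$blocked = Get-ChildItem -Path $oawRootPath -Recurse -File | Get-Item -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($blocked) { throw "Still blocked: $($blocked.FileName -join ', ')" }

$securePassword = Read-Host -Prompt "Enter password for Azure Stack OAW's local administrator" -AsSecureString

Set-Location $oawRootPath
# Box 2: the OAW takes the address the deployment VM used (10.30.1.253); mask, gateway, DNS and NTP as listed.
.\New-OAW.ps1 -LocalAdministratorPassword $securePassword `
    -IPAddress      "10.30.1.253" `
    -SubnetMask     "255.255.255.192" `
    -DefaultGateway "10.30.1.193" `
    -DNS            "8.8.8.8" `
    -TimeServer     "10.31.1.2"
```

The DVM address must actually be free on the BMC network when this runs; if a deployment VM still exists on the HLH, remove it first rather than creating an address conflict on the management subnet.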
HOTSPOT
You have an Azure Stack Hub integrated system that is enabled for multitenancy and uses an Azure Active Directory (Azure AD) tenant named fabrikam.com as an identity provider.
The integrated system has the following guest directory tenants onboarded and enabled for multitenancy:
✑ com
✑ onmicrosoft.com
✑ onmicrosoft.com
You need to verify whether all the guest directory tenants are registered properly.
How should you complete the PowerShell script? To answer, drag the appropriate cmdlet to the correct targets. Each cmdlet may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
DRAG DROP
Your company is a Cloud Solution Provider (CSP).
You plan to create an Azure subscription for a new Azure Stack Hub integrated system and configure Azure Stack Hub to be available to multiple customers. Your company will also have its own workloads deployed to the Azure Stack Hub.
You need to perform the deployment so that usage data for future customers is directed to their Azure subscription.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
HOTSPOT
You deploy an App Service resource provider to an Azure Stack Hub integrated system.
You need to create an offer to deploy an Azure Functions app by using the resource provider.
Which resource provider should you specify in the offer, and which type of subscription should you use to test the functionality of the offer? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Microsoft.Web
Resource providers for Azure services
Match resource provider to service (Resource provider namespace, Azure service)
* Microsoft.Web App Service Azure Functions
Box 2: Default Provider Subscription
In Azure Stack Hub Subscriptions, select the Default Provider Subscription. Azure App Service on Azure Stack Hub must be deployed in the Default Provider Subscription.
You have an Azure Stack Hub integrated system.
You need to give a new operator access to the privileged endpoint (PEP) as soon as possible.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Run the New-CloudAdminUser cmdlet.
- B . Run the New-AzureADUser cmdlet.
- C . Connect to the PEP.
- D . Connect to and unlock the PEP.
- E . Connect to the administrator management endpoint.
A, C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-privileged-endpoint?view=azs-2008
HOTSPOT
You have an Azure Stack Hub integrated system that uses an Azure Active Directory (Azure AD) tenant named fabrikam.com as an identity provider. The integrated system region name is region1, and the external domain name is fabrikam.com.
The integrated system has the following domains enabled for multitenancy:
✑ fabrikam.onmicrosoft.com
✑ contoso.onmicrosoft.com
✑ fabrikam.com
✑ contoso.com
You need to disable multitenancy for contoso.com.
How should you complete the PowerShell script? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
DRAG DROP
You deploy an Azure Stack Hub integrated system that contains an Azure App Service deployment. The integrated system uses an Azure Active Directory (Azure AD) identity provider.
You need to provide users with the ability to deploy App Service web apps directly from their GitHub repositories.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
You and a Microsoft Support Engineer are troubleshooting an Azure Stack Hub integrated system. The security team at your company requires an audit trail whenever management actions are performed on the integrated system.
You unlock the privileged endpoint (PEP) and perform several troubleshooting tasks that resolve the issue.
Which cmdlet should you run next?
- A . Invoke-AzureStackOnDemandLog
- B . Close-PrivilegedEndpoint
- C . Get-AzureStackLog
- D . Exit-PSSession
B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-privileged-endpoint?view=azs-2008
You have an Azure Stack Hub integrated system.
You plan to apply the latest updates to the integrated system.
You need to identify operational issues that will prevent the updates from being applied.
Which PowerShell cmdlet should you run?
- A . Test-AzureStack
- B . Test-ModuleManifest
- C . Invoke-AzureStackOnDemandLog
- D . Read-AzsReadinessReport
Your company is a Cloud Solution Provider (CSP) that provides Azure Stack Hub services to multiple customers in a multitenant environment.
User subscriptions are linked to Azure CSP subscriptions for billing reconciliation.
You need to view the usage of all the customers for the current day and the last seven days.
What should you do?
- A . Query the Azure Stack Hub usage API
- B . Query the Partner Center Usage API
- C . From Partner Center, download the daily-rated usage reconciliation CSV
- D . From Partner Center, view the usage associated to the Azure Partner Shared Services (APSS) subscription
B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-provider-resource-api?view=azs-2008
DRAG DROP
You have a connected Azure Stack Hub integrated system.
You need to query the health status of the Key Vault resource provider by using PowerShell.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Stack Hub integrated system that connects to the Internet. The integrated system uses an Enterprise Agreement (EA) for licensing.
You are creating an Azure Resource Manager template to generate a marketplace item for a virtual machine that runs Windows Server 2019 Datacenter and a custom application.
You need to ensure that Windows Server is licensed by using the bring-your-own-license model.
Solution: You remove the licenseType section from the Azure Resource Manager template.
Does this meet the goal?
- A . Yes
- B . No
DRAG DROP
You have an Azure Stack Hub integrated system.
You install the Azure Gallery Packager (.azpkg) tool on a management workstation.
You need to define a custom Azure Stack Hub Marketplace item that will provision a virtual machine from a base image.
Which file should you configure for each requirement? To answer, drag the appropriate files to the correct requirements. Each file may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
DRAG DROP
You have an Azure Stack Hub integrated system linked to an Azure AD tenant named contoso.onmicrosoft.com.
You need to allow users in an Azure AD tenant named adatum.onmicrosoft.com to access Azure Stack Hub resources.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Register a guest directory
To register a guest directory for multi-tenancy, you need to configure both the home Azure Stack Hub directory and the guest directory.
Configure Azure Stack Hub directory
The first step is to make your Azure Stack Hub system aware of the guest directory. In this example, the directory from Mary’s company, Adatum, is called adatum.onmicrosoft.com.
You are planning the deployment of two Azure Stack Hub integrated systems that will be located in Seattle and Redmond, respectively.
Workloads will run on infrastructure as a service (IaaS) virtual machines that have a static IIS web front-end and a Microsoft SQL Server 2019 cluster backend for database storage.
You plan to leverage Azure Traffic Manager to direct DNS requests to the integrated system in Seattle by default and use the Redmond integrated system in the event of a disaster.
What should you use to replicate application consistent database changes to the Redmond site?
- A . Hyper-V Replica
- B . Azure Blob storage replication
- C . SQL Server replication
- D . Azure SQL Database replication
C
Explanation:
Reference: https://azure.microsoft.com/en-gb/blog/protecting-applications-and-data-on-azure-stack/
You have an Azure Stack Hub integrated system that uses the latest version.
You discover an alert for an external certificate that will expire. You obtain new certificates.
You need to validate that all the components required to change the certificates are in a healthy state, and then renew the certificates.
Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Run the Start-SecretRotation cmdlet and specify the PfxFilePath parameter.
- B . Run Start-SecretRotation cmdlet and specify the Internal parameter.
- C . Copy the certificates to Azure Blob storage.
- D . Run the Test-AzureStack cmdlet and specify the -Group UpdateReadiness parameter.
DRAG DROP
You have an Azure subscription named sub1 linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You have an Azure Stack Hub integrated system that is registered to sub1.
You need to delegate registering the Azure Stack Hub integrated system to an Azure Stack Hub operator. The solution must use the principle of least privilege.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Create a JSON file that contains the role definition.
Rather than using an account that has Owner permissions in the Azure subscription, you can create a custom role to assign permissions to a less-privileged user account. This account can then be used to register your Azure Stack Hub.
Create a custom role using PowerShell
Use the following JSON template to simplify creation of the custom role. The template creates a custom role that allows the required read and write access for Azure Stack Hub registration.
You have an Azure Stack Hub integrated system that is not yet in production and has no workloads running.
You configure the Infrastructure Backup Service, and you complete a backup.
You need to recommend a method to verify the restore process once the integrated system is in production.
What should you recommend?
- A . From the administrator portal, restore the domain controller backup to the default provider subscription and ensure that the domain controller starts successfully.
- B . Run Get-FileIntegrity against the infrastructure backup data files stored in the file share.
- C . Install the Azure Stack Development Kit (ASDK) and select the infrastructure backup data as the configuration during the installation.
- D . Instruct the IT team to redeploy the integrated system in restore mode by using the backup data.
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure-stack/asdk/asdk-validate-backup?view=azs-2102
HOTSPOT
You have three Azure Stack Hub integrated systems that use the same Azure Active Directory (Azure AD) tenant named contoso.com as their identity provider. The integrated systems are deployed in Chicago, New York, and Seattle. The region name of each integrated system corresponds to the city in which the system is deployed.
When reviewing alerts in the integrated system in Chicago, you receive an alert indicating that the home directory requires an update.
From the Azurestack-tools-master/identity folder, you import the AzureStack.Identity.psm1 module.
How should you complete the command to update the home directory? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
DRAG DROP
You have an Azure Stack Hub integrated system that is disconnected from the Internet.
During an update, an error occurs that prevents you from accessing the administrator portal.
While troubleshooting the issue, a Microsoft Support Engineer requests that you collect and send the relevant logs.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
HOTSPOT
You plan to deploy two Azure Stack Hub integrated systems named AZStack1 and AZStack2.
AZStack1 must meet the following requirements:
✑ Connect to the Internet.
✑ Have minimal capital expenditures.
✑ Use the minimum number of on-premises servers for identity.
✑ Have no existing licenses for Windows virtual machines deployed.
AZStack2 must meet the following requirements:
✑ Be disconnected from the Internet.
✑ Use the minimum number of on-premises servers for identity.
✑ Support the syndication of Azure Stack Hub Marketplace items.
Which identity provider and licensing model should you use for each integrated system? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.