Exam4Training

Microsoft AZ-303 Microsoft Azure Architect Technologies Online Training

Question #1

Topic 1, Contoso, Ltd

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

✑ Move all the tiers of App1 to Azure.

✑ Move the existing product blueprint files to Azure Blob storage.

✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

✑ Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.

✑ Ensure that a new user named User3 can create network objects for the Azure subscription.

You need to move the blueprint files to Azure.

What should you do?

  • A . Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
  • B . Use the Azure Import/Export service.
  • C . Generate an access key. Map a drive, and then copy the files by using File Explorer.
  • D . Use Azure Storage Explorer to copy the files.

Correct Answer: D

Explanation:

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

Scenario:

Planned Changes include: move the existing product blueprint files to Azure Blob storage.

Technical Requirements include: Copy the blueprint files to Azure over the Internet.

References: https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

Question #2

You need to implement a backup solution for App1 after the application is moved.

What should you create first?

  • A . a recovery plan
  • B . an Azure Backup Server
  • C . a backup policy
  • D . a Recovery Services vault

Correct Answer: D

Explanation:

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.

Scenario:

There are three application tiers, each with five virtual machines.

Move all the virtual machines for App1 to Azure.

Ensure that all the virtual machines for App1 are protected by backups.

References: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

Question #3

You are planning the move of App1 to Azure.

You create a network security group (NSG).

You need to recommend a solution to provide users with access to App1.

What should you recommend?

  • A . Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.
  • B . Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.
  • C . Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
  • D . Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.

Correct Answer: C

Explanation:

As App1 is public-facing we need an incoming security rule, related to the access of the web servers.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier. Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Question #4

You need to meet the user requirement for Admin1.

What should you do?

  • A . From the Subscriptions blade, select the subscription, and then modify the Properties.
  • B . From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings.
  • C . From the Azure Active Directory blade, modify the Properties.
  • D . From the Azure Active Directory blade, modify the Groups.

Correct Answer: A

Explanation:

Change the Service administrator for an Azure subscription

✑ Sign in to Account Center as the Account administrator.

✑ Select a subscription.

✑ On the right side, select Edit subscription details.

Scenario: Designate a new user named Admin1 as the service administrator of the Azure subscription.

References: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator

Question #5

HOTSPOT

You need to recommend a solution for App1. The solution must meet the technical requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: 3

One virtual network for every tier

Box 2: 1

Only one subnet for each tier, to minimize the number of open ports.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.


Question #6

HOTSPOT

You need to configure the Device settings to meet the technical requirements and the user requirements.

Which two settings should you modify? To answer, select the appropriate settings in the answer area.

Correct Answer:

Explanation:

Box 1: Selected

Only selected users should be able to join devices

Box 2: Yes

Require Multi-Factor Auth to join devices.

From scenario:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.


Question #7

You need to recommend an identity solution that meets the technical requirements.

What should you recommend?

  • A . federated single sign-on (SSO) and Active Directory Federation Services (AD FS)
  • B . password hash synchronization and single sign-on (SSO)
  • C . cloud-only user accounts
  • D . Pass-through Authentication and single sign-on (SSO)

Correct Answer: D

Explanation:

Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company’s network.

Scenario: Technical Requirements include:

Prevent user passwords or hashes of passwords from being stored in Azure.

References: https://www.sherweb.com/blog/active-directory-federation-services/

Question #8

HOTSPOT

You need to identify the storage requirements for Contoso.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Yes

Contoso is moving the existing product blueprint files to Azure Blob storage.

Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Box 2: No

Box 3: No


Question #9

Topic 2, Litware, Inc.

Case Study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview. General Overview

Litware, Inc. is a medium-sized finance company. Litware recently acquired a financial services company named Fabrikam, Ltd.

Overview. Physical Locations

Litware has a datacenter in Boston. Fabrikam has a datacenter in San Francisco.

Existing Environment. Identity Environment

The network of Litware contains an Active Directory forest named Litware.com that syncs to an Azure Active Directory (Azure AD) tenant named Litware.com by using Azure AD Connect.

Azure AD Seamless Single Sign-on (Azure AD Seamless SSO) is enabled for the Litware.com tenant.

Users at Litware have a UPN suffix of Litware.com.

Litware has an internal certification authority (CA) that is trusted by all devices.

The network of Fabrikam contains an Active Directory forest named fabrikam.com. Users at Fabrikam have a UPN suffix of fabrikam.com.

Existing Environment. Azure Environment

Litware has an Azure subscription named Sub1 that is linked to the Litware.com tenant.

Sub1 contains the resources shown in the following table.

Litware has Azure Resource Manager (ARM) templates that deploy Azure Policy definitions and assignments to a management group.

Fabrikam does NOT have an Azure environment.

Existing Environment. On-Premises Environment

The on-premises network of Litware contains the resources shown in the following table.

The on-premises network of Fabrikam contains a domain member server named SERVER1 that runs Windows Server 2019.

Existing Environment. Network Environment

Litware has a site-to-site VPN connection to VNet1.

The Litware and Fabrikam datacenters are not connected.

Requirements. Planned Changes

Litware plans to implement the following changes:

✑ Establish a trust relationship between the Litware and Fabrikam forests.

✑ Migrate data from the on-premises NoSQL datastores to Azure Table storage.

✑ Containerize WebApp1 and deploy the app to an Azure Kubernetes Service (AKS) cluster on VNet1.

✑ Create an Azure blueprint named BP1 and use the blueprint to provision a resource group named RG1.

Requirements. Deployment Requirements

Litware identifies the following deployment requirements:

✑ The existing ARM templates must be used for deployments to Sub1.

✑ WebApp1 must be deployed to the AKS cluster without having to change the source code.

Requirements. Authentication and Authorization Requirements

Litware identifies the following authentication and authorization requirements:

✑ The Fabrikam users must be able to authenticate to the Litware.com tenant by using Azure AD Seamless SSO.

✑ The Fabrikam users and the Litware users must be able to manage the Azure resources in Sub1.

✑ Company policy must prohibit the creation of guest user accounts in the Litware.com tenant.

✑ You must be able to configure deny permissions for RG1 and for the resources in RG1.

✑ WebApp1 running on the AKS cluster must be able to retrieve secrets from KV1.

Requirements. Security Requirements

Litware identifies the following security requirements:

✑ On-premises Litware users must access KV1 by using the private IP address of the key vault.

✑ Azure virtual machines must have all their disks encrypted, including the temporary disks.

✑ Azure Storage must encrypt all data by using keys issued by the internal CA of Litware.

✑ Inbound HTTPS traffic to WebApp1 must be inspected for SQL injection attacks.

✑ The principle of least privilege must be used.

You need to configure Azure AD Seamless SSO for Fabrikam. The solution must meet the authentication and authorization requirements.

What should you install first?

  • A . the Azure AD Connect provisioning agent on SERVER1
  • B . the Azure AD Connect provisioning agent on DC1
  • C . Azure AD Connect in staging mode on SERVER1
  • D . an Azure AD Connect primary server on SERVER1

Correct Answer: A

Explanation:

The Litware and Fabrikam datacenters are not connected.

Azure AD Connect Cloud Sync provides support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active Directory forest environment.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync

Question #10

You migrate WebApp1 to Azure.

You need to configure the AKS cluster to enable WebApp1 to access KV1. The solution must meet the authentication and authorization requirements.

What should you do?

  • A . Configure Azure role-based access control (Azure RBAC) for Kubernetes Authorization.
  • B . Configure a pod-managed identity.
  • C . Implement pod security policies.
  • D . Implement the Secrets Store CSI Driver.

Correct Answer: B

Question #11

You need to ensure that the NoSQL data is encrypted. The solution must meet the security requirements.

What should you do first?

  • A . Upgrade storage2 to StorageV2 (general purpose v2).
  • B . Create a new general-purpose v2 storage account.
  • C . Create a new Azure Blob storage account.
  • D . Modify the Encryption settings of storage2.

Correct Answer: B

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/storage/common/account-encryption-key-create?toc=%2Fazure%2Fstorage%2Ftables%2Ftoc.json&tabs=portal

Question #12

You need to ensure that you can implement Azure AD Seamless SSO for Fabrikam. The solution must meet the following requirements:

✑ Support the planned changes.

✑ Meet the authentication and authorization requirements.

What should you do?

  • A . Create a new Azure AD tenant named fabrikam.com.
  • B . From the Fabrikam forest, configure an additional UPN suffix of Litware.com.
  • C . From the Fabrikam forest, configure all users to have a UPN suffix of Litware.com.
  • D . From the Litware.com tenant, add a custom domain named fabrikam.com.

Correct Answer: D

Question #13

HOTSPOT

You plan to migrate WebApp1 to Azure.

You need to implement the AKS cluster that will host WebApp1. The solution must meet the deployment requirements.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:


Question #14

DRAG DROP

You need to ensure that the virtual machine disks are encrypted. The solution must meet the security requirements.

Which three actions should you perform in Sub1 in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:


Question #15

You create and publish the BP1 blueprint.

You need to ensure that you can use BP1 to configure permissions for RG1. The solution must meet the authentication and authorization requirements.

What should you do?

  • A . Add a read-only resource lock to Sub1.
  • B . Assign an Azure role-based access control (Azure RBAC) role to Sub1.
  • C . Assign an Azure role-based access control (Azure RBAC) role to BP1.
  • D . Select the Read Only blueprint lock mode for the BP1 assignment.

Correct Answer: C

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

Question #16

HOTSPOT

You need to recommend a solution to provide KV1 with access to the on-premises network of Litware. The solution must meet the security requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:


Question #17

You migrate WebApp1 to Azure.

You need to implement a traffic filtering solution for WebApp1. The solution must meet the security requirements.

What should you do?

  • A . Configure the Threat intelligence settings for FW1.
  • B . Deploy an Azure Application Gateway to VNet1.
  • C . Deploy Azure Bastion to VNet1
  • D . Configure an inbound rule on FW1.

Correct Answer: B

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/overview

Question #18

Topic 3, Misc. Questions

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases named DB1 and DB2.

You plan to move DB1 and DB2 to Azure.

You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and DB2.

Solution: You deploy DB1 and DB2 as Azure SQL databases on the same Azure SQL Database server.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

Instead deploy DB1 and DB2 to SQL Server on an Azure virtual machine.

Note: Understanding distributed transactions.

When both the database management system and client are under the same ownership (e.g. when SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be controlled.

Reference: https://docs.particular.net/nservicebus/azure/understanding-transactionality-in-azure

Question #19

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.

You are creating a Dockerfile to build a container image.

You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container image.

Solution: You add the following line to the Dockerfile.

ADD File1.txt C:/Folder1/

You then build the container image.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

Copy is the correct command to copy a file to the container image. The ADD command can also be used. However, the root directory is specified as ‘/’ and not as ‘C:/’.

Reference:

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy

https://docs.docker.com/engine/reference/builder/

Question #20

HOTSPOT

You have several Azure virtual machines on a virtual network named VNet1.

You configure an Azure Storage account as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Never

Box 2: Never

After you configure firewall and virtual network settings for your storage account, select Allow trusted Microsoft services to access this storage account as an exception to enable Azure Backup service to access the network restricted storage account.



Question #21

You create an Azure Kubernetes Service (AKS) cluster and an Azure Container Registry.

You need to perform continuous deployments of a containerized application to the AKS cluster as soon as the image updates in the registry.

What should you use to perform the deployments?

  • A . an Azure Pipelines release pipeline
  • B . an Azure Automation runbook
  • C . an Azure Resource Manager template
  • D . a kubectl script from a CRON job

Correct Answer: A

Explanation:

You can implement a Continuous Deployment pipeline.

Example:

What the pipeline accomplishes:

Stage 1: The code is pushed to GitHub. The Jenkins job is triggered automatically.

The Dockerfile is checked out from GitHub.

Stage 2: Docker builds an image from the Dockerfile, and the image is tagged with the build number. Additionally, the latest tag is attached to the image for the containers to use.

Stage 3: Default deployment and service YAML files are stored on the Jenkins server. Jenkins makes a copy of the default YAML files, makes the necessary changes according to the build, and puts them in a separate folder.

Stage 4: kubectl was configured on the Jenkins server when AKS was set up. The YAML files are fed to the kubectl utility, which in turn creates pods and services.

Reference: https://medium.com/velotio-perspectives/continuous-deployment-with-azure-kubernetes-service-azure-container-registry-jenkins-ca337940151b


Question #22

You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 contains 50 virtual machines. Twenty-five of the virtual machines are web servers and the other 25 are application servers.

You need to filter traffic between the web servers and the application servers by using application security groups.

Which additional resources should you provision?

  • A . Azure Private Link
  • B . a network security group (NSG)
  • C . a user-defined route
  • D . Azure Firewall

Correct Answer: B

Explanation:

Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups.

You can filter network traffic inbound to and outbound from a virtual network subnet with a network security group.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

Question #23

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Cosmos DB database that contains a container named Container1. The partition key for Container1 is set to /day.

Container1 contains the items shown in the following table.

You need to programmatically query Azure Cosmos DB and retrieve item1 and item2 only.

Solution: You run the following query.

You set the EnableCrossPartitionQuery property to True.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: A

Explanation:

Returns Item1 and Item2 only.

Reference:

https://docs.microsoft.com/en-us/azure/cosmos-db/sql-query-where

https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.documents.client.feedoptions.enablecrosspartitionquery?view=azure-dotnet

Question #24

DRAG DROP

You are designing a solution to secure a company’s Azure resources. The environment hosts 10 teams. Each team manages a project and has a project manager, a virtual machine (VM) operator, developers, and contractors.

Project managers must be able to manage everything except access and authentication for users. VM operators must be able to manage VMs, but not the virtual network or storage account to which they are connected. Developers and contractors must be able to manage storage accounts.

You need to recommend roles for each member.

What should you recommend? To answer, drag the appropriate roles to the correct employee types. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #25

You have an Azure subscription named Subscription1 that is used by several departments at your company.

Subscription1 contains the resources in the following table.

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template.

You need to view the template used for the deployment.

From which blade can you view the template that was used for the deployment?

  • A . Container1
  • B . VM1
  • C . Storage2
  • D . RG1

Correct Answer: D

Explanation:

You can verify the deployment by exploring the resource group from the Azure portal

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-manager-tutorial

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Question #26

You have an Azure subscription that contains the storage accounts shown in the following table.

You enable Azure Advanced Threat Protection (ATP) for all the storage accounts.

You need to identify which storage accounts will generate Azure ATP alerts.

Which two storage accounts should you identify? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . storagecontoso1
  • B . storagecontoso2
  • C . storagecontoso3
  • D . storagecontoso4
  • E . storagecontoso5

Correct Answer: A,B

Explanation:

Advanced threat protection for Azure Storage is currently available only for Blob Storage.

https://docs.microsoft.com/en-us/azure/storage/common/storage-advanced-threat-protection?tabs=azure-portal

Question #27

You have an Azure subscription that contains a resource group named RG1. RG1 contains multiple resources.

You need to trigger an alert when the resources in RG1 consume $1,000 USD.

What should you do?

  • A . From Cost Management + Billing, add a cloud connector.
  • B . From the subscription, create an event subscription.
  • C . From Cost Management + Billing, create a budget.
  • D . From RG1, create an event subscription.

Correct Answer: C

Explanation:

Create budgets to manage costs and create alerts that automatically notify you and your stakeholders of spending anomalies and overspending.

To set it up, go to the Azure portal and select 'Cost Management + Billing' -> 'Cost Management' -> 'Go to Cost Management'.

Note: Cost alerts are automatically generated when Azure resources are consumed. Alerts show all active cost management and billing alerts together in one place. When your consumption reaches a given threshold, alerts are generated by Cost Management. There are three types of cost alerts: budget alerts, credit alerts, and department spending quota alerts.

Reference: https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/getting-started


Question #28

Your company has the groups shown in the following table.

The company has an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com.

An administrator named Admin1 attempts to enable Enterprise State Roaming for all the users in the Managers group.

Admin1 reports that the options for Enterprise State Roaming are unavailable from Azure AD.

You verify that Admin1 is assigned the Global administrator role.

You need to ensure that Admin1 can enable Enterprise State Roaming.

What should you do?

  • A . Enforce Azure Multi-Factor Authentication (MFA) for Admin1.
  • B . Purchase an Azure AD Premium P1 license for each user in the Managers group.
  • C . Assign an Azure AD Privileged Identity Management (PIM) role to Admin1.
  • D . Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group.

Correct Answer: B

Explanation:

Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license.

References: https://docs.microsoft.com/bs-latn-ba/azure/active-directory/devices/enterprise-state-roaming-enable

Question #29

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases named DB1 and DB2.

You plan to move DB1 and DB2 to Azure.

You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and DB2.

Solution: You deploy DB1 and DB2 as Azure SQL databases each on a different Azure SQL Database server.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

Instead deploy DB1 and DB2 to SQL Server on an Azure virtual machine.

Note: Understanding distributed transactions.

When both the database management system and client are under the same ownership (e.g. when SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be controlled.

Reference: https://docs.particular.net/nservicebus/azure/understanding-transactionality-in-azure

Question #30

HOTSPOT

You have an Azure subscription that contains the resource groups shown in the following table.

You create an Azure Resource Manager template named Template1 as shown in the following exhibit.

From the Azure portal, you deploy Template1 four times by using the settings shown in the following table.

What is the result of the deployment? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #31

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.

You are creating a Dockerfile to build a container image.

You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container image.

Solution: You add the following line to the Dockerfile.

XCOPY File1.txt C:\Folder1

You then build the container image.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

Copy is the correct command to copy a file to the container image. Furthermore, the root directory is specified as ‘/’ and not as ‘C:/’.

References:

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy

https://docs.docker.com/engine/reference/builder/

Question #32

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that contains a group named Group1.

You need to enable multi-factor authentication (MFA) for the users in Group1 only.

Solution: From the Azure portal, you configure an authentication method policy.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

We should use a Conditional Access policy.

Note: There are two ways to secure user sign-in events by requiring multi-factor authentication in Azure AD. The first, and preferred, option is to set up a Conditional Access policy that requires multi-factor authentication under certain conditions. The second option is to enable each user for Azure Multi-Factor Authentication. When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on).

Enabling Azure Multi-Factor Authentication using Conditional Access policies is the recommended approach. Changing user states is no longer recommended unless your licenses don’t include Conditional Access as it requires users to perform MFA every time they sign in.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Question #33

HOTSPOT

Your network contains an on-premises Active Directory domain named contoso.com that contains a user named User1. The domain syncs to Azure Active Directory (Azure AD).

You have the Windows 10 devices shown in the following table.

The User Sign-In settings are configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Yes

Seamless SSO needs the user’s device to be domain-joined only, but it is not used on Azure AD Joined or Hybrid Azure AD joined devices. SSO on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices works based on the primary refresh token.

Box 2: No

Box 3: No


Question #34

You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD).

You need to select authentication mechanisms that can be used for both MFA and SSPR.

Which two authentication methods should you use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

  • A . Short Message Service (SMS) messages
  • B . Authentication app
  • C . Email addresses
  • D . Security questions
  • E . App passwords

Correct Answer: A,B

Explanation:

References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

SMS-based sign-in is great for front-line workers. With SMS-based sign-in, users don’t need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface.

Users can also verify themselves using a mobile phone or office phone as a secondary form of authentication used during Azure Multi-Factor Authentication or self-service password reset (SSPR).

The Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android, iOS, and Windows Phone. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or Azure Multi-Factor Authentication events.

Question #35

You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image. You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . Create a new virtual machine scale set in the Azure portal.
  • B . Create an automation account.
  • C . Upload a configuration script.
  • D . Modify the extensionProfile section of the Azure Resource Manager template.
  • E . Create an Azure policy.

Correct Answer: A,D

Explanation:

References: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template

Question #36

You have an Azure Cosmos DB account named Account1. Account1 includes a database named DB1 that contains a container named Container1. The partition key for Container1 is set to /city.

You plan to change the partition key for Container1.

What should you do first?

  • A . Delete Container1.
  • B . Create a new Azure Cosmos DB account.
  • C . Implement the Azure Cosmos DB .NET SDK.
  • D . Regenerate the keys for Account1.

Correct Answer: B

Explanation:

The Change Feed Processor and Bulk Executor Library in Azure Cosmos DB can be leveraged to achieve a live migration of your data from one container to another. This allows you to re-distribute your data to match the desired new partition key scheme, and make the relevant application changes afterwards, thus achieving the effect of “updating your partition key”.

Reference: https://devblogs.microsoft.com/cosmosdb/how-to-change-your-partition-key/

Question #37

HOTSPOT

You have an Azure subscription named Subscription1.

In Subscription1, you create an alert rule named Alert1.

The Alert1 action group is configured as shown in the following exhibit.

Alert1 alert criteria is triggered every minute.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: 60

One alert per minute will trigger one email per minute.

Box 2: 12

No more than 1 SMS every 5 minutes can be sent, which equals 12 per hour.

Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device. Rate limiting ensures that alerts are manageable and actionable.

The rate limit thresholds are:

✑ SMS: No more than 1 SMS every 5 minutes.

✑ Voice: No more than 1 Voice call every 5 minutes.

✑ Email: No more than 100 emails in an hour.

✑ Other actions are not rate limited.

References: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/monitoring-and-diagnostics/monitoring-overview-alerts.md


Question #38

You have an Azure subscription.

You have 100 Azure virtual machines.

You need to quickly identify underutilized virtual machines that can have their changed to a less expensive offering.

Which blade should you use?

  • A . Metrics
  • B . Monitor
  • C . Customer insights
  • D . Advisor

Correct Answer: D

Explanation:

References: https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

Question #39

You have an Azure subscription that contains an Azure key vault named KeyVault1 and the virtual machines shown in the following table.

KeyVault1 has an access policy that provides several users with Create Key permissions.

You need to ensure that the users can only register secrets in KeyVault1 from VM1.

What should you do?

  • A . Create a network security group (NSG) that is linked to Subnet1.
  • B . Configure the Firewall and virtual networks settings for KeyVault1.
  • C . Modify the access policy for KeyVault1.
  • D . Configure KeyVault1 to use a hardware security module (HSM).

Correct Answer: C

Explanation:

You grant data plane access by setting Key Vault access policies for a key vault.

Note 1: Grant our VM’s system-assigned managed identity access to the Key Vault.

✑ Select Access policies and click Add new.

✑ In Configure from template, select Secret Management.

✑ Choose Select Principal, and in the search field enter the name of the VM you created earlier. Select the VM in the result list and click Select.

✑ Click OK to finish adding the new access policy, and OK to finish access policy selection.

Note 2: Access to a key vault is controlled through two interfaces: the management plane and the data plane. The management plane is where you manage Key Vault itself. Operations in this plane include creating and deleting key vaults, retrieving Key Vault properties, and updating access policies. The data plane is where you work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad

https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault2

Question #40

HOTSPOT

You have a web server app named App1 that is hosted in three Azure regions.

You plan to use Azure Traffic Manager to distribute traffic optimally for App1.

You need to enable Real User Measurements to monitor the network latency data for App1.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Select Generate key

You can configure your web pages to send Real User Measurements to Traffic Manager by obtaining a Real User Measurements (RUM) key and embedding the generated code in the web page.

Obtain a Real User Measurements key

The measurements you take and send to Traffic Manager from your client application are identified by the service using a unique string, called the Real User Measurements (RUM) Key. You can get a RUM key using the Azure portal, a REST API, or by using the PowerShell or Azure CLI.

To obtain the RUM Key using Azure portal:

✑ From a browser, sign in to the Azure portal. If you don’t already have an account, you can sign up for a free one-month trial.

✑ In the portal’s search bar, search for the Traffic Manager profile name that you want to modify, and then click the Traffic Manager profile in the results that are displayed.

✑ In the Traffic Manager profile blade, click Real User Measurements under Settings.

✑ Click Generate Key to create a new RUM Key.

Box 2: Embed the Traffic Manager JavaScript code snippet.

Embed the code to an HTML web page

After you have obtained the RUM key, the next step is to embed this copied JavaScript into an HTML page that your end users visit.

This example shows how to update an HTML page to add this script.

You can use this guidance to adapt it to your HTML source management workflow.

✑ Open the HTML page in a text editor

✑ Paste the JavaScript code you had copied in the earlier step to the BODY section of the HTML (the copied code is on line 8 & 9, see figure 3).



Question #41

HOTSPOT

You have an Azure Active Directory (Azure AD) tenant that contains the user groups shown in the following table.

You enable self-service password reset (SSPR) for Group1.

You configure the Notifications settings as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Yes

Notify all admins when other admins reset their passwords: Yes.

Box 2: No

Notify users on password resets: No.

Box 3: No

✑ Notify users on password resets

If this option is set to Yes, then users resetting their password receive an email notifying them that their password has been changed. The email is sent via the SSPR portal to their primary and alternate email addresses that are on file in Azure AD. No one else is notified of the reset event.

✑ Notify all admins when other admins reset their passwords

If this option is set to Yes, then all administrators receive an email to their primary email address on file in Azure AD. The email notifies them that another administrator has changed their password by using SSPR.

Example: There are four administrators in an environment. Administrator A resets their password by using SSPR. Administrators B, C, and D receive an email alerting them of the password reset.


Question #42

DRAG DROP

You have virtual machines (VMs) that run a mission-critical application.

You need to minimize the possibility that the application will experience downtime.

What should you recommend? To answer, drag the appropriate solutions to the correct scenarios. Each solution may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:


Question #43

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company is deploying an on-premises application named App1. Users will access App1 by using a URL of https://app1.contoso.com. You register App1 in Azure Active Directory (Azure AD) and publish App1 by using the Azure AD Application Proxy. You need to ensure that App1 appears in the My Apps portal for all the users.

Solution: You create an offer for App1 and publish the offer to Azure Marketplace.

  • A . Yes
  • B . No

Correct Answer: A

Question #44

HOTSPOT

Your company has a virtualization environment that contains the virtualization hosts shown in the following table.

The virtual machines are configured as shown in the following table.

All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker).

You plan to migrate the virtual machines to Azure by using Azure Site Recovery.

You need to identify which virtual machines can be migrated.

Which virtual machines should you identify for each server? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #45

You have an Azure web app that runs in a Premium App Service plan.

Developers plan to update the app weekly.

You need to ensure that the app can be switched from the current version to the new version.

The solution must meet the following requirements:

• Provide the developers with the ability to test the app in Azure prior to switching versions. Testing must use the same app instance.

• Ensure that the app version can be rolled back.

• Minimize downtime.

What should you do?

  • A . Create a deployment slot.
  • B . Add an instance of the app to the scale set.
  • C . Copy the App Service plan.
  • D . Create an Azure Active Directory (Azure AD) enterprise application.

Correct Answer: A

Explanation:

Azure Functions deployment slots allow your function app to run different instances called "slots". Slots are different environments exposed via a publicly available endpoint. One app instance is always mapped to the production slot, and you can swap instances assigned to a slot on demand.

There are a number of advantages to using deployment slots.

The following scenarios describe common uses for slots:

✑ Different environments for different purposes: Using different slots gives you the opportunity to differentiate app instances before swapping to production or a staging slot.

✑ Easy fallbacks: After a swap with production, the slot with a previously staged app now has the previous production app. If the changes swapped into the production slot aren’t as you expect, you can immediately reverse the swap to get your "last known good instance" back.

✑ Prewarming

Reference: https://docs.microsoft.com/en-us/azure/azure-functions/functions-deployment-slots

Question #46

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.

You are creating a Dockerfile to build a container image.

You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container image.

Solution: You add the following line to the Dockerfile.

COPY File1.txt C:/Folder1/

You then build the container image.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

Copy is the correct command to copy a file to the container image but the root directory is specified as ‘/’ and not as ‘C:/’.

References:

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy

https://docs.docker.com/engine/reference/builder/

Question #47

You have an Azure subscription that contains 20 virtual machines. The virtual machines require authenticated access to several Azure resources.

You need to ensure that the virtual machines can authenticate by using Azure Active Directory (Azure AD).

Solution: You configure the Identity settings for each virtual machine.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #48

You have the following Azure Active Directory (Azure AD) tenants:

• contoso.onmicrosoft.com: Linked to a Microsoft Office 365 tenant and syncs to an Active Directory forest named contoso.com by using password hash synchronization.

• contosoazure.onmicrosoft.com: Linked to an Azure subscription named Subscription1.

You need to ensure that you can assign the users in contoso.com access to the resources in Subscription1.

What should you do?

  • A . Configure contoso.onmicrosoft.com to use pass-through authentication.
  • B . Associate Subscription1 to contoso.onmicrosoft.com. Reassign all the roles in Subscription1.
  • C . Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.onmicrosoft.com.
  • D . Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com.

Correct Answer: C

Explanation:

Azure AD Connect allows you to quickly onboard to Azure AD and Office 365.

Note: The most common topology is a single on-premises forest, with one or multiple domains, and a single Azure AD tenant. For Azure AD authentication, password hash synchronization is used. The express installation of Azure AD Connect supports only this topology.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies

Question #49

You have an Azure subscription named Subscription1.

You create several Azure virtual machines in Subscription1. All of the virtual machines belong to the same virtual network.

You have an on-premises Hyper-V server named Server1. Server1 hosts a virtual machine named VM1.

You plan to replicate VM1 to Azure.

You need to create additional objects in Subscription1 to support the planned deployment.

Which three objects should you create? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . Hyper-V site
  • B . Azure Recovery Services Vault
  • C . storage account
  • D . replication policy
  • E . Azure Traffic Manager instance
  • F . endpoint

Correct Answer: A,B,D

Explanation:

"There’s no need to specify storage accounts to store the backup data. The Recovery Services vault and the Azure Backup service handle that automatically." (Source: https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault)

Question #50

You have resources in three Azure regions. Each region contains two virtual machines. Each virtual machine has a public IP address assigned to its network interface and a locally installed application named App1.

You plan to implement Azure Front Door-based load balancing across all the virtual machines.

You need to ensure that App1 on the virtual machines will only accept traffic routed from Azure Front Door.

What should you implement?

  • A . Azure Private Link
  • B . service endpoints
  • C . network security groups (NSGs) with service tags
  • D . network security groups (NSGs) with application security groups

Correct Answer: C

Explanation:

Configure IP ACLing for your backends to accept traffic from Azure Front Door’s backend IP address space and Azure’s infrastructure services only. Refer to the IP details below for ACLing your backend:

✑ Refer to the AzureFrontDoor.Backend section in Azure IP Ranges and Service Tags for Front Door’s IPv4 backend IP address range, or you can also use the service tag AzureFrontDoor.Backend in your network security groups.

Reference: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq

Question #51

You download an Azure Resource Manager template based on an existing virtual machine.

The template will be used to deploy 100 virtual machines.

You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.

What should you create to store the password?

  • A . a Recovery Services vault and a backup policy
  • B . an Azure Key Vault and an access policy
  • C . an Azure Storage account and an access policy
  • D . Azure Active Directory (AD) identity protection and an Azure policy

Correct Answer: B

Question #52

HOTSPOT

You create and save an Azure Resource Manager template named Template1 that includes the following four sections.

You deploy Template1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #53

HOTSPOT

You have an Azure subscription that contains multiple resource groups.

You create an availability set as shown in the following exhibit.

You deploy 10 virtual machines to AS1.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: 6

Two out of three update domains would be available, each with at least 3 VMs.

An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.

As you create VMs within an availability set, the Azure platform automatically distributes your VMs across these update domains. This approach ensures that at least one instance of your application always remains running as the Azure platform undergoes periodic maintenance.

Box 2: the West Europe region and the RG1 resource group

References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/regions-and-availability


Question #54

You have an Azure subscription that contains the resources shown in the following table.

A certificate named Certificate1 is stored in Vault1.

You need to grant VM1 and VM2 access to Certificate1 by using the same security principal.

What should you do?

  • A . Create an Azure Active Directory (Azure AD) user. Create an access policy for Vault1. Assign the access policy to the user. Configure a user-assigned managed identity for VM1 and VM2.
  • B . Create a managed identity. Assign the Key Vault Reader role-based access control (RBAC) role for Vault1 to the managed identity. Configure a system-assigned managed identity for VM1 and VM2.
  • C . Create an Azure Active Directory (Azure AD) user. Assign the Key Vault Reader role-based access control (RBAC) role for Vault1 to the user. Configure a user-assigned managed identity for VM1 and VM2.
  • D . Create a managed identity. Add the Vault1 access policy to the managed identity. Configure a user-assigned managed identity for VM1 and VM2.

Correct Answer: C

Question #55

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.

Solution: You use Synchronization Rules Editor to create a synchronization rule.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: A

Explanation:

Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn’t cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., john.doe@acme.com would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI or PowerShell.

Through GUI:

Using The Synchronization Rules Editor

Question #55

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.

Solution: You use Synchronization Rules Editor to create a synchronization rule.

Does this meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn’t cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., john.doe@acme.com would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI or PowerShell.

Through GUI:

Using The Synchronization Rules Editor

Question #55

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.

Solution: You use Synchronization Rules Editor to create a synchronization rule.

Does this meet the goal?

  • A . Yes
  • B . No

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn’t cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., john.doe@acme.com would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI or PowerShell.

Through GUI:

Using The Synchronization Rules Editor

Question #60

You have an Azure SQL database named DB1.

You plan to create the following four tables in DB1 by using the following code:

  • A . Table 1
  • B . Table 2
  • C . Table 3
  • D . Table 4

Correct Answer: B

Question #61

You create an Azure virtual machine named VM1 in a resource group named RG1.

You discover that VM1 performs slower than expected.

You need to capture a network trace on VM1.

What should you do?

  • A . From Diagnostic settings for VM1, configure the performance counters to include network counters.
  • B . From the VM1 blade, configure Connection troubleshoot.
  • C . From the VM1 blade, install performance diagnostics and run advanced performance analysis.
  • D . From Diagnostic settings for VM1, configure the log level of the diagnostic agent.

Correct Answer: C

Explanation:

The performance diagnostics tool helps you troubleshoot performance issues that can affect a Windows or Linux virtual machine (VM). Supported troubleshooting scenarios include quick checks on known issues and best practices, and complex problems that involve slow VM performance or high usage of CPU, disk space, or memory.

Advanced performance analysis, included in the performance diagnostics tool, includes all checks in the performance analysis, and collects one or more of the traces, as listed in the following sections. Use this scenario to troubleshoot complex issues that require additional traces. Running this scenario for longer periods will increase the overall size of diagnostics output, depending on the size of the VM and the trace options that are selected.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics

Question #62

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.

What should you do?

  • A . Use the Synchronization Service Manager to modify the Metaverse Designer tab.
  • B . Use Azure AD Connect to customize the synchronization options.
  • C . Use the Synchronization Rules Editor to create a synchronization rule.
  • D . Use Synchronization Service Manager to modify the Active Directory Domain Services (AD DS) Connector.

Correct Answer: C

Explanation:

Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn’t cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., john.doe@acme.com would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI or PowerShell.

Through GUI:

Using The Synchronization Rules Editor

Question #67

You have an Azure key vault named KV1.

You need to implement a process that will digitally sign the blobs stored in Azure Storage.

What is required in KV1 to sign the blobs?

  • A . a key
  • B . a secret
  • C . a certificate

Correct Answer: B

Explanation:

Use an Azure key vault secret to key of your blob storage account container.

Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/integrate-databricks-blob-storage

Question #68

HOTSPOT

Your network contains an Active Directory domain that is synced to Azure Active Directory (Azure AD) as shown in the following exhibit.

You have a user account configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: No

Password writeback is disabled.

Note: Having a cloud-based password reset utility is great but most companies still have an on-premises directory where their users exist.

How does Microsoft support keeping traditional on-premises Active Directory (AD) in sync with password changes in the cloud? Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time.

Box 2: No

Box 3: Yes

Yes, there is an Edit link for Location Info.

References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback
