What should you use?

Topic 1, Litware Office

Case study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

Existing Environment

Network Environment

The Litware offices and the Fabrikam office connect by using a private circuit. Each office connects directly to the Internet.

Identity Environment

The Litware network contains an Active Directory forest named litwareinc.com. The forest and an Azure Active Directory (Azure AD) tenant named litwareinc.com are integrated by using Active Directory Federation Services (AD FS). Litware has an enterprise certification authority (CA).

The Azure subscriptions of Litware are associated to the litwareinc.com Azure AD tenant.

Fabrikam also has an Azure AD tenant.

Azure Stack Hub Environment

Litware has the following two Azure Stack Hub integrated systems:

✑ A fully operational integrated system in Boston that connects to the Internet and has the following configurations:

– Is managed by using an administrator management endpoint of: https://adminportal.eastus.litwareinc.com

– Has an Azure App Service deployment that has two dedicated, large web workers

– Currently uses version 2005 of Azure Stack Hub

✑ A newly delivered integrated system in Chicago that is disconnected from the Internet and will be managed by using an administrator management endpoint of: https://adminportal.northcentralus.litwareinc.com

Datacenter Environment

The Chicago datacenter of Litware contains the infrastructure shown in the following table.

Current Problems

During heavy usage, requests to App Service in Boston fail despite low utilization of the web workers.

Requirements

Planned Changes

Litware plans to implement the following changes:

✑ Deploy an Event Hubs resource provider to the integrated system in Boston.

✑ Make Azure Functions available to Azure Stack Hub users in Boston.

✑ Prepare the integrated system in Chicago to be production-ready.

Technical Requirements

Litware identifies the following technical requirements:

✑ Implement an infrastructure to support Azure Functions on the integrated system in Boston.

✑ Provision the certificates required to deploy the Event Hubs resource provider to the integrated system in Boston.

✑ Configure an identity provider for the integrated system in Chicago.

✑ Locate the IP address of the privileged endpoint (PEP) of the integrated system in Chicago.

✑ Ensure that only operators have control over the creation of subscriptions on the integrated system in Chicago.

✑ Provision a certificate to provide access to the Azure Resource Manager endpoint of the integrated system in Chicago.

✑ Identify which PowerShell setting on CLIENT1 and CLIENT2 must be modified to register the integrated system in Chicago.

✑ Implement a management app that will use Azure Resource Manager to inventory the resources of the integrated system in Chicago.

Security and Compliance Requirements

Litware has the following security and compliance requirements:

✑ All infrastructure software must run the latest version, including hotfixes.

✑ Litware must have control over certificate revocations.

Business Requirements

Litware wants to ensure that the users at Fabrikam have secure access to the workloads on the integrated system in Boston.

Updates and Hotfixes

The current hotfixes and updates available for Azure Stack Hub are:

✑ 2005

✑ 2005 hotfix 1

✑ 2005 hotfix 2

✑ 2005 hotfix 3

✑ 2008

✑ 2008 hotfix 1

✑ 2008 hotfix 2

✑ 2011 (latest version)

You need to identify the PEP information for the integrated system in Chicago. The solution must meet the technical requirements.

What should you use?
A. the HLH configuration file
B. the Get-AzsRegistrationToken cmdlet
C. Properties on the Region management blade of the administrator portal
D. the Help + support blade of the administrator portal

Answer: C

Explanation:

Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-privileged-endpoint?view=azs-2008

Which cmdlet should you run next?

You and a Microsoft Support Engineer are troubleshooting an Azure Stack Hub integrated system. The security team at your company requires an audit trail whenever management actions are performed on the integrated system.

You unlock the privileged endpoint (PEP) and perform several troubleshooting tasks that resolve the issue.

Which cmdlet should you run next?
A. Invoke-AzureStackOnDemandLog
B. Close-PrivilegedEndpoint
C. Get-AzureStackLog
D. Exit-PSSession

Answer: B

Explanation:

Reference: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-privileged-endpoint?view=azs-2008

Which three actions should you perform in sequence?

DRAG DROP

You deploy an Azure Stack Hub integrated system that contains an Azure App Service deployment. The integrated system uses an Azure Active Directory (Azure AD) identity provider.

You need to provide users with the ability to deploy App Service web apps directly from their GitHub repositories.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Which three actions should you perform in sequence?

DRAG DROP

You have an Azure Stack Hub integrated system that is disconnected from the Internet.

During an update, an error occurs that prevents you from accessing the administrator portal.

While troubleshooting the issue, a Microsoft Support Engineer requests that you collect and send the relevant logs.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Which three actions should you perform in sequence?

DRAG DROP

You need to create the Linux virtual machine image. The solution must support the planned changes.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Step 1: Create a cloud-config file and save it as cloud-init.txt.

Publish a custom cloud-init built image of a Linux virtual machine to Azure Stack Hub Marketplace on the integrated system.

Add Linux images to the Azure Stack Hub Marketplace

1: Create a cloud-init.txt file with your cloud-config

Step 2: Upload the file to Azure Stack Hub storage account.

2: Reference cloud-init.txt during the Linux VM deployment

Upload the file to an Azure storage account, Azure Stack Hub storage account, or GitHub repository reachable by your Azure Stack Hub Linux VM.

Step 3: Provision the Azure Stack Hub virtual machine by using the Az PowerShell module. You can create an Ubuntu Server 16.04 LTS virtual machine (VM) by using Azure Stack Hub PowerShell.

Make sure to reference the cloud-init.txt file as part of the -CustomData parameter:

$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine `
    -Linux `
    -ComputerName "MainComputer" `
    -Credential $cred `
    -CustomData "#include https://cloudinitstrg.blob.core.windows.net/strg/cloud-init.txt"

Which three actions should you perform in sequence?

DRAG DROP

You have an Azure subscription named sub1 linked to an Azure Active Directory (Azure AD) tenant named contoso.com

You have an Azure Stack Hub integrated system that is registered to sub1.

You need to delegate registering the Azure Stack Hub integrated system to an Azure Stack Hub operator. The solution must use the Principle of least privilege.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in correct order.

Answer:

Explanation:

Step 1: Create a JSON file that contains the role definition.

Rather than using an account that has Owner permissions in the Azure subscription, you can create a custom role to assign permissions to a less-privileged user account. This account can then be used to register your Azure Stack Hub.

Create a custom role using PowerShell

Use the following JSON template to simplify creation of the custom role. The template creates a custom role that allows the required read and write access for Azure Stack Hub registration.
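The three steps above carried through end to end, as an added example that is not part of the original page or the Microsoft docs: the JSON role definition is written to a file, created with New-AzRoleDefinition, and assigned to the operator at subscription scope only. The subscription ID and operator UPN are placeholders; the action list is the one I believe the referenced registration docs use and is labelled as an assumption in the code.

```powershell
# Added example (not from the page or Microsoft docs): least-privilege custom role for
# Azure Stack Hub registration, assigned to the operator instead of granting Owner.
# Assumed values: subscription ID (placeholder), operator UPN, and the action list below,
# which follows the registration docs referenced above; check it against the current doc.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder for the ID of sub1
$operatorUpn    = "operator@contoso.com"                   # assumed operator account

# Step 1: the JSON role definition. AssignableScopes limits it to sub1, so the role
# cannot be reused to grant registration rights in other subscriptions.
$roleJson = @"
{
  "Name": "Azure Stack Hub registration role",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows registering Azure Stack Hub and nothing else in the subscription",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.AzureStack/registrations/*",
    "Microsoft.AzureStack/register/action",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/permissions/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$roleFile = Join-Path $env:TEMP "azs-registration-role.json"
Set-Content -Path $roleFile -Value $roleJson

# Step 2: create the role definition (run as an account allowed to write role definitions).
Connect-AzAccount
Set-AzContext -Subscription $subscriptionId
$role = New-AzRoleDefinition -InputFile $roleFile

# Step 3: assign the role to the operator at subscription scope, then list the operator's
# assignments to confirm no broader role (for example Owner) is still present.
New-AzRoleAssignment -SignInName $operatorUpn `
    -RoleDefinitionName $role.Name `
    -Scope "/subscriptions/$subscriptionId"

Get-AzRoleAssignment -SignInName $operatorUpn -Scope "/subscriptions/$subscriptionId" |
    Select-Object RoleDefinitionName, Scope
```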

Which name must you include in the CSR?

Topic 4, Misc. Questions

You plan to deploy an Azure Stack Hub integrated system that will be disconnected from the internet. The integrated system region name is region1, and the external domain name is contoso.local.

You need to ensure that the generated certificate signing request (CSR) has the correct subjects and subject alternative names (SAN).

Which name must you include in the CSR?
A. graph.region1.contoso.local
B. graph.local.azurestack.external
C. *.hosting.region1.azurestack.local
D. *.adminhosting.region1.azurestack.local

Answer: D

Explanation:

You can deploy and use Azure Stack Hub without a connection to the internet. However, with a disconnected deployment, you’re limited to an Active Directory Federation Services (AD FS) identity store and the capacity-based billing model. Because multitenancy requires the use of Azure Active Directory (Azure AD), multitenancy isn’t supported for disconnected deployments.

The implementation of Extension Host requires two wild card SSL certificates, one for the Admin portal and one for the Tenant portal.

Note: Certificate requirements

The extension host implements two new domain namespaces to guarantee unique host entries for each portal extension. The new domain namespaces require two additional wildcard certificates to ensure secure communication.

The table shows the new namespaces and the associated certificates:

Example:

$regionName = 'east'  # The region name for your Azure Stack Hub deployment
$externalFQDN = 'azurestack.contoso.com'  # The external FQDN for your Azure Stack Hub deployment

Starting Certificate Request Process for Deployment
CSR generating for following SAN(s):
*.adminhosting.east.azurestack.contoso.com,*.adminvault.east.azurestack.contoso.com,*.blob.east.azurestack.contoso.com,*.hosting.east.azurestack.contoso.com,*.queue.east.azurestack.contoso.com,*.table.east.azurestack.contoso.com,*.vault.east.azurestack.contoso.com,adminmanagement.east.azurestack.contoso.com,adminportal.east.azurestack.contoso.com,management.east.azurestack.contoso.com,portal.east.azurestack.contoso.com
Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\username\Documents\AzureStack\CSR\Deployment_east_azurestack_contoso_com_SingleCSR_CertRequest_20200710165538.req
Certreq.exe output: CertReq: Request Created

Reference:

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-disconnected-deployment

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-extension-host-prepare

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-get-pki-certs

What should you do?

You need to configure the log forwarding. The solution must meet the Azure Stack Hub requirements.

What should you do?
A. Connect to 192.168.101.101 and run the Set-EventLogLevel and Add-AzLogProfile cmdlets.
B. Connect to 192.168.100.224 and run the Set-SyslogServer and Set-SyslogClient cmdlets.
C. Connect to 192.168.100.224 and run the Set-EventLogLevel and Add-AzLogProfile cmdlets.
D. Connect to 192.168.101.101 and run the Set-SyslogServer and Set-SyslogClient cmdlets.

Answer: D

Explanation:

Integrate Azure Stack Hub with monitoring solutions using syslog forwarding

The syslog channel exposes audits, alerts, and security logs from all the components of the Azure Stack Hub infrastructure. Use syslog forwarding to integrate with security monitoring solutions and to retrieve all audits, alerts, and security logs to store them for retention.

Cmdlets to configure syslog forwarding

Configuring syslog forwarding requires access to the privileged endpoint (PEP). Two PowerShell cmdlets have been added to the PEP to configure the syslog forwarding:

### cmdlet to pass the syslog server information to the client and to configure the transport protocol, the encryption and the authentication between the client and the server

Set-SyslogServer [-ServerName <String>] [-ServerPort <UInt16>] [-NoEncryption] [-SkipCertificateCheck] [-SkipCNCheck] [-UseUDP] [-Remove]

### cmdlet to configure the certificate for the syslog client to authenticate with the server

Set-SyslogClient [-pfxBinary <Byte[]>] [-CertPassword <SecureString>]

Reference: https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-integrate-security
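The two PEP cmdlets above put together into a working configuration, as an added example that is not part of the original page or the Microsoft docs. It keeps the default TCP plus TLS transport with full server certificate validation, gives the client a certificate for mutual authentication, and closes the PEP session with Close-PrivilegedEndpoint so the transcript is written for the audit trail. The PEP address 192.168.101.101 is the one in the question; the collector FQDN, the PFX path and the transcript share are assumptions.

```powershell
# Added example (not from the page or Microsoft docs): configure syslog forwarding from the
# PEP with encryption and certificate validation left on, then close the session cleanly.
# Assumed values: syslog collector FQDN, client PFX path, transcript share path.
$pepAddress   = "192.168.101.101"              # PEP IP from the question above
$syslogServer = "siem.contoso.local"           # assumed syslog/SIEM collector FQDN
$clientPfx    = "C:\certs\syslog-client.pfx"   # assumed client certificate (PFX) path
$transcripts  = "\\fileserver\pep-transcripts" # assumed share for PEP transcripts

# Prompt for the CloudAdmin credential and the PFX password instead of embedding them.
$cred        = Get-Credential -Message "CloudAdmin credential for the privileged endpoint"
$pfxPassword = Read-Host -AsSecureString -Prompt "Password of the syslog client PFX"
$pfxBytes    = [System.IO.File]::ReadAllBytes($clientPfx)   # Set-SyslogClient takes Byte[]

$session = New-PSSession -ComputerName $pepAddress `
    -ConfigurationName PrivilegedEndpoint -Credential $cred

# Weak setting, shown for contrast and left commented out: -NoEncryption sends audit and
# security logs in clear text over UDP, and -SkipCertificateCheck / -SkipCNCheck make the
# client accept any server certificate, so a forged collector could receive the logs.
# Set-SyslogServer -ServerName $syslogServer -ServerPort 514 -NoEncryption -UseUDP

# Corrected setting: no -NoEncryption, no -UseUDP and no skip switches, so the client uses
# TCP with TLS and validates the collector certificate. 6514 is the standard syslog/TLS port.
Invoke-Command -Session $session -ScriptBlock {
    Set-SyslogServer -ServerName $using:syslogServer -ServerPort 6514
}

# Client certificate so the collector can authenticate the sender (mutual TLS).
Invoke-Command -Session $session -ScriptBlock {
    Set-SyslogClient -pfxBinary $using:pfxBytes -CertPassword $using:pfxPassword
}

# Close the PEP session with Close-PrivilegedEndpoint (the cmdlet from the audit-trail
# question above) so the session transcript is copied to the share for review.
Invoke-Command -Session $session -ScriptBlock {
    Close-PrivilegedEndpoint -TranscriptsPathDestination $using:transcripts -Credential $using:cred
}
```

A practitioner would then confirm on the collector that events arrive over the TLS listener and that the PEP transcript for this session exists on the share.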

Which two actions should you perform?

You have an Azure Stack Hub integrated system that is disconnected from the internet.

The integrated system has an Azure App Service resource provider.

You generate a new certificate.

You need to rotate the certificate of the App Service identity application to use the new certificate.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. From the administrator portal, get the value of the default provider subscription object ID.
B. From a privileged endpoint (PEP) session, run the Export-Certificate cmdlet, and then run the Import-Certificate cmdlet.
C. From a privileged endpoint (PEP) session, run the New-Object cmdlet, and then run the Import-PfxCertificate cmdlet.
D. From a privileged endpoint (PEP) session, run the New-Object cmdlet, and then run the Set-GraphApplication cmdlet.
E. From the administrator portal, get the value of the AzureStack-AppService object ID.

Answer: D,E

Explanation:

Your choice of either Azure AD or AD FS is determined by the mode in which you deploy Azure Stack Hub:

When you deploy it in a connected mode, you can use either Azure AD or AD FS.

When you deploy it in a disconnected mode, without a connection to the internet, only AD FS is supported.

E:

Rotate certificate for AD FS identity application

The identity application is created by the operator before deployment of Azure App Service on Azure Stack Hub. If the application’s object ID is unknown, follow these steps to discover it:

✑ Go to the Azure Stack Hub administrator portal.

✑ Go to Subscriptions and select Default Provider Subscription.

✑ Select Access Control (IAM) and select the AzureStack-AppService-<guid> application.

✑ Take a note of the Object ID; this value is the ID of the Service Principal that must be updated in AD FS.

D: To rotate the certificate for the application in AD FS, you need to have access to the privileged endpoint (PEP). Then you update the certificate credential using PowerShell.

# Sign in to PowerShell interactively, using credentials that have access to the VM running the privileged endpoint
$Creds = Get-Credential

# Create a new certificate object from the identity application certificate exported as a .cer file
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<CertificateFileLocation>")

# Create a new PSSession to the privileged endpoint VM
$Session = New-PSSession -ComputerName "<PepVm>" -ConfigurationName PrivilegedEndpoint -Credential $Creds -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)

# Use the privileged endpoint to update the certificate thumbprint used by the service principal associated with the App Service identity application
$SpObject = Invoke-Command -Session $Session -ScriptBlock {Set-GraphApplication -ApplicationIdentifier "<ApplicationObjectId>" -ClientCertificates $using:Cert}

# Close the PEP session
$Session | Remove-PSSession

# Output the updated service principal details
$SpObject

Reference:

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-identity-overview

https://learn.microsoft.com/en-us/azure-stack/operator/app-service-rotate-certificates