Microsoft Azure Security Technologies (AZ-500) Practice Test No 8
Question 1 of 64
1. Question
You have an Azure subscription linked to an Azure Active Directory Premium Plan 1 tenant. You plan to implement Azure Active Directory (Azure AD) Identity Protection. You need to ensure that you can configure a user risk policy and a sign-in risk policy. What should you do first?
Case Study:
Overview:
Company1 is a financial firm that specializes in cryptocurrencies. Company1 applications are developed in Docker containers and deployed to Azure virtual machines (VMs) in an Azure subscription named Cloud.
Cloud is associated with an Azure Active Directory (Azure AD) tenant named company1.net.
Cloud contains the resources provisioned in four resource groups as shown in exhibit 1. The Azure VMs are associated with the subnets as shown in exhibit 2. The company1.net tenant contains the users as shown in exhibit 3 with roles attached in Cloud. Cloud contains resource groups locks as shown in exhibit 4. Cloud also contains the Azure policies shown in exhibit 5. Storage2 has its firewall enabled.
Requirements:
A new user named User5 is created in company1.net. This user needs permission to push and pull trusted images to a container registry.
A new user named User6 is created in company1.net. This user has the Owner role in Cloud.
Registry1 needs to be private and protected by authentication. The push operation in Registry1 needs to be audited at the user level.
The images in Registry1 need to be frequently scanned for vulnerabilities.
Azure-managed services need to be used whenever possible to reduce administrative efforts.
Network access to VM3 needs to be restricted only to VM1.
Network access to Storage1 needs to be restricted only to Sub1.
Network access restrictions need to be applied at the resource level only.
Exhibit 1
Exhibit 2
Exhibit 3
Exhibit 4
Exhibit 5
You need to restrict network access to resources in Cloud as specified in the requirements.
Which network service should you use to restrict network access for Storage1 and VM3? To answer, drag the appropriate network service to each resource. A network service may be used once, more than once, or not at all.
Explanation:
You should use a resource firewall for Storage1. Storage account resource firewalls restrict access to the storage account public endpoint. By default, all networks are allowed in the resource firewall. You can select a virtual network (VNet) or IP range to restrict network access directly in Storage1. You can configure Storage1 to allow traffic only from the Sub1 subnet.
An NSG is needed for VM3. An NSG contains security rules that allow or deny inbound network traffic in Azure. An NSG can be attached directly to an Azure VM, and you can create a security rule that allows inbound traffic only from the private IP address of VM1.
You should not use Azure Firewall. This is a managed network security service from Azure that protects the Azure Virtual Network (VNet). You can use Azure Firewall to centralize network connectivity policies in your VNets. However, Azure Firewall is a separate resource that is not applied directly at the resource level.
You should not use a network appliance. You can deploy network appliance solutions from the Azure Marketplace and configure centralized network connectivity policies in your VNets. Managing an Azure VM with the network appliance will also increase the required administrative effort.
Question 3 of 64
3. Question
You have an Azure subscription named Sub1. You have an Azure Storage account named sa1 in a resource group named RG1. Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies. You discover that unauthorized users accessed both the file service and the blob service. You need to revoke all access to sa1. Solution: You create a new stored access policy. Does this meet the goal?
Explanation:
Creating a new (additional) stored access policy will have no effect on the existing policy or the SAS linked to it. To revoke a stored access policy, you can either delete it or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures associated with it. Reference: https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
Question 4 of 64
4. Question
You have an Azure SQL Server instance in your subscription. Your passwords for the SQL Server instance are stored in a key vault. Your organization has password rotation policies that require all SQL passwords to expire every three months. You decide to automate the password rotation in your key vault three days before the password is about to expire. You need to implement this automation. Solution: Create an Azure Function with an Event Grid Trigger and configure the Key Vault Event Grid as the source. Does the solution meet the goal?
Explanation:
This solution meets the goal. To automate key rotation, you have to write a custom function that can first create a new key in the key vault and then update the SQL password. Since the old password would not yet have expired, applications that use SQL Server as the data source would still function as long as they have the password cached. Once the password is rotated, the applications would retrieve the new password from the key vault.
Question 5 of 64
5. Question
You have an Azure SQL Server instance in your subscription. Your passwords for the SQL Server instance are stored in a key vault. Your organization has password rotation policies that require all SQL passwords to expire every three months. You decide to automate the password rotation in your key vault three days before the password is about to expire. You need to implement this automation. Solution: Trigger an email to the SQL administrator when the password is about to expire. The administrator will update both the Key Vault and the SQL Server with the new password using the Azure Command Line Interface (CLI). Does the solution meet the goal?
Explanation:
The solution does not meet the goal. The requirements state to automate the password rotation process. Even though this solution will automate the notification of the expiration, it will not automate the password rotation. The Azure CLI would still have to be executed manually by the SQL Server administrator.
Question 6 of 64
6. Question
A global operating company with its headquarters in the US has subsidiaries in Germany, Russia, and Argentina. Each subsidiary has its own regional IT operations team to manage its IT resources with an autonomous Active Directory (AD) forest in each respective country. Recently, the company has finished consolidating all the separate AD forests into a single Azure Active Directory (Azure AD) tenant. You need to make sure that each respective country's regional IT operations team can manage only Azure AD users and group objects in the region of its responsibility. What should you create to meet this requirement?
Explanation:
You should create administrative units. With Azure administrative units, you can restrict access to any portion of Azure Active Directory (Azure AD). In this way, it is possible to preserve the autonomy of the regional IT teams to manage user and group objects in Azure AD in the region of their responsibility, as requested in the requirement. Administrative units require an Azure AD Premium P1 license for each administrative unit administrator. For each administrative unit member, the Azure AD Free license is enough. Administrative units can only contain users and groups.
You should not create an organizational unit (OU). OUs provide the capability to logically organize on-premises Active Directory Domain Services (AD DS) into scoped partitions. This allows administrators to separate their duties and focus on the scope of their responsibility for the resources on premises. The OU concept is valid for AD DS on premises only. In Azure AD, the counterpart to this is administrative units. In this case, the requirement is to manage Azure AD objects.
You should not create Active Directory (AD) group policies. Group policies provide the capability to configure settings for a specific set of users and computers that are part of an AD DS domain. They allow the setting of standards and administrative boundaries to manage objects in AD DS on premises. This concept of group policies is not applicable to Azure AD. To satisfy the requirements in this case, you have to implement Azure administrative units.
You should not create security groups. Security groups are designed to manage access to data and resources, whereas administrative units are designed to delegate fine-grained management permissions for user and group objects in Azure AD.
Question 7 of 64
7. Question
Case Study: the Company1 scenario, requirements and exhibits are the same as in Question 1 above.
You need to ensure that the Docker containers running on VM2 can access Storage2 over the Microsoft backbone network only.
What should you do before you create a Docker container on VM2?
Explanation:
You should create a private endpoint for Storage2 and connect it to Sub2. The private endpoint uses a separate IP address from the Sub2 address space for Storage2. As such, network traffic between the Docker containers running on VM2 and Storage2 traverses Sub2 and the private link over the Microsoft backbone network.
You should not install the container network interface (CNI) plug-in. This plug-in is only used with Azure Kubernetes Service (AKS).
You should not create an ASG and an NSG. An ASG is used to group similar Azure VMs, allowing you to create security rules in an NSG that reference this application security group. This makes security rule management simpler, but you do not need an application security group to access a private endpoint in the same subnet.
You should not move Storage2 to RG2. Moving a storage account to another resource group within the same subscription does not affect network access to a private endpoint. VM2 can access Storage2 even if they are in different resource groups.
Question 8 of 64
8. Question
You have the Azure virtual machines shown in the following table.
For which virtual machines can you enable Update Management?
Explanation:
VM1, VM2, and VM4 only. You can enable Update Management only for VMs that are in the running state.
Question 9 of 64
9. Question
You have an Azure subscription named Sub1. In Azure Security Center, you have a security playbook named Play1. Play1 is configured to send an email message to a user named User1. You need to modify Play1 to send email messages to a distribution group named Alerts. What should you use to modify Play1?
Explanation:
You can change an existing playbook in Security Center to add actions or conditions. To do that, click the name of the playbook that you want to change in the Playbooks tab, and Logic App Designer opens. Reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-playbooks
Question 10 of 64
10. Question
General Overview
Fabrikam, Inc. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Fabrikam has IT, human resources (HR), and finance departments.
Existing Environment
Network Environment
Fabrikam has a Microsoft 365 subscription and an Azure subscription named subscription1.
The network contains an on-premises Active Directory domain named Fabrikam.com. The domain contains two organizational units (OUs) named OU1 and OU2. Azure AD Connect cloud sync syncs only OU1.
The Azure resources hierarchy is shown in the following exhibit.
The Azure Active Directory (Azure AD) tenant contains the users shown in the following table.
Azure AD contains the resources shown in the following table.
Subscription1 Resources
Subscription1 contains the virtual networks shown in the following table.
Subscription1 contains the network security groups (NSGs) shown in the following table.
Subscription1 contains the virtual machines shown in the following table.
Subscription1 contains the Azure key vaults shown in the following table.
Subscription1 contains a storage account named storage1 in the West US Azure region.
Planned Changes and Requirements
Planned Changes
Fabrikam plans to implement the following changes:
Create two application security groups as shown in the following table.
Associate the network interface of VM1 to ASG1.
Deploy SecPol1 by using Azure Security Center.
Deploy a third-party app named App1. A version of App1 exists for all available operating systems.
Create a resource group named RG2.
Sync OU2 to Azure AD.
Add User1 to Group1.
Technical Requirements
Fabrikam identifies the following technical requirements:
The finance department users must reauthenticate after three hours when they access SharePoint Online.
Storage1 must be encrypted by using customer-managed keys and automatic key rotation.
From Sentinel1, you must ensure that the following notebooks can be launched:
– Entity Explorer Account
– Entity Explorer Windows Host
– Guided Investigation Process Alerts
VM1, VM2, and VM3 must be encrypted by using Azure Disk Encryption.
Just in time (JIT) VM access for VM1, VM2, and VM3 must be enabled.
App1 must use a secure connection string stored in KeyVault1.
KeyVault1 traffic must NOT travel over the internet.
QUESTION:
You implement the planned changes for ASG1 and ASG2.
In which NSGs can you use ASG1, and the network interfaces of which virtual machines can you assign to ASG2?
Hot Area:
Explanation:
Box 1 – NSG2 and NSG4 only
NSG2 and NSG4 are correct, because ASG1 can only be used in NSGs that are in the same location as the ASG, which is West US.
Box 2 – VM3 only
Only the network interface of VM3 can be assigned to ASG2. The VM needs to be in the same location as the ASG.
Question 11 of 64
11. Question
You have an Azure SQL Server instance in your subscription. Your passwords for the SQL Server instance are stored in a key vault. Your organization has password rotation policies that require all SQL passwords to expire every three months. You decide to automate the password rotation in your key vault three days before the password is about to expire. You need to implement this automation. Solution: Create a PowerShell runbook in an Azure Automation account and schedule it to run every 90 days. Does the solution meet the goal?
Explanation:
This solution does not meet the goal. The PowerShell runbook would provide the necessary automation for rotating the password, but the trigger is fixed at 90 days. Since the policy states the password needs to be rotated three days before the expiration date, it will not always be a 90-day interval.
Question 12 of 64
12. Question
Your company recently created an Azure subscription. You have been tasked with making sure that a specified user is able to implement Azure AD Privileged Identity Management (PIM). Which of the following is the role you should assign to the user?
Explanation:
To start using PIM in your directory, you must first enable PIM. Sign in to the Azure portal as a Global Administrator of your directory. You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example, @outlook.com), to enable PIM for a directory. Scenario: technical requirements include enabling Azure AD Privileged Identity Management (PIM) for contoso.com. Reference: https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-getting-started
Question 13 of 64
13. Question
You are an Azure resource tenant administrator in a resources / accounts Azure Active Directory (Azure AD) multi-tenant architecture.
You need to provide users with accounts residing in the accounts Azure AD tenant access to your organization‘s resources residing in the resources Azure AD tenant.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.
Correct
You should perform the following steps in order: 1. Send the accounts Azure AD users an invitation. 2. Ensure that the accounts Azure AD users accept the invitation so that user objects are automatically created in the resources Azure AD tenant. 3. Choose an Azure AD identity provider for authentication. For users from the accounts Azure AD tenant to be able to access resources in the resources Azure AD tenant, you should send an invitation first. You can do so in the Azure AD portal by navigating to the Users menu, selecting Invite user, and adding the guest user's information.
Next, you should ensure that the accounts Azure AD users accept the invitation, so that the resources Azure AD tenant can create the corresponding guest user objects.
Finally, you should choose an Azure AD identity provider. Azure AD is a cloud-based identity management service that provides user authentication for Azure resources, Microsoft 365 resources, and software-as-a-service (SaaS) applications. Both tenants in the scenario are Azure AD tenants, so you should use the Azure AD identity provider. Users with Azure AD accounts in an external Azure AD tenant can be invited via email. After accepting the invitation, they can sign in to the resources Azure AD tenant without any further configuration.
You should not choose the MSA identity provider. MSA (Microsoft account) is the identity provider for Microsoft's consumer products, such as Xbox LIVE and Outlook.com. In this case the partner organization's accounts reside in Azure AD, so its users cannot authenticate using MSA.
You should not choose the SAML/WS-Fed identity provider. If the partner organization's identity provider is neither Azure AD nor MSA, you can set up direct federation using the SAML or WS-Fed protocol. This would be the case if the partner's accounts reside only in on-premises Active Directory (AD) behind a federation service.
You should not choose email one-time passcode authentication. This mechanism is a fallback for external identities that cannot be authenticated by any of the available identity providers.
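The invitation flow described above, as an added PowerShell example that is not part of the practice test: it invites a user from the accounts tenant into the resources tenant as a B2B guest, waits for redemption, and then grants the guest a least-privilege Azure RBAC role. It assumes the Microsoft.Graph and Az PowerShell modules, an account with User Administrator (or Guest Inviter) rights in the resources tenant, and placeholder values for the tenant ID, guest e-mail address and resource group name.

```powershell
# Added example (not from the practice test). Tenant ID, e-mail address and
# resource group below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Import-Module Az.Resources

$resourcesTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder
$guestEmail        = 'alice@accounts.example'                  # placeholder
$resourceGroup     = 'rg-app1'                                 # placeholder

# 1. Send the invitation. The user receives a redemption link by e-mail and a
#    guest object is created in the resources tenant in state PendingAcceptance.
Connect-MgGraph -TenantId $resourcesTenantId -Scopes 'User.Invite.All','User.Read.All'
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $guestEmail `
    -InviteRedirectUrl 'https://portal.azure.com' `
    -SendInvitationMessage:$true
$guestId = $invitation.InvitedUser.Id

# 2. Wait until the invitation is accepted; until then the guest cannot sign in
#    to the resources tenant. Bounded so an unredeemed invite does not hang.
$deadline = (Get-Date).AddHours(24)
do {
    Start-Sleep -Seconds 60
    $guest = Get-MgUser -UserId $guestId -Property 'id,externalUserState'
} until ($guest.ExternalUserState -eq 'Accepted' -or (Get-Date) -gt $deadline)
if ($guest.ExternalUserState -ne 'Accepted') { throw "Invitation for $guestEmail not yet redeemed" }

# 3. Azure AD is the identity provider because the home tenant is itself
#    Azure AD; no SAML/WS-Fed federation or one-time passcode is involved.
#    Grant access to one resource group, not the whole subscription.
Connect-AzAccount -TenantId $resourcesTenantId
New-AzRoleAssignment -ObjectId $guestId -RoleDefinitionName 'Reader' -ResourceGroupName $resourceGroup

# Verify what the guest can now reach.
Get-AzRoleAssignment -ObjectId $guestId | Select-Object RoleDefinitionName, Scope
```

The guest's user principal name in the resources tenant takes the form alice_accounts.example#EXT#@<resources-tenant-domain>; role assignments use the object ID, so that naming never needs to be constructed by hand.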
Question 14 of 64
14. Question
Your organization has a subscription that hosts resources for multiple applications in Azure. The subscription is part of a tenant that has synchronization enabled using AD Connect with on-premises Active Directory Domain Services (AD DS). The resources for each application are contained in individual resource groups. As additional users are added to the application teams, you add roles for those users at the resource group level. Users can manage multiple applications. You need to efficiently manage permissions assigned to Azure Active Directory (Azure AD) users to access these resource groups. Solution: You remove permissions for the users at the resource group level and apply the same permissions for each individual user at the subscription level. Does the solution meet the goal?
Correct
This solution does not meet the goal. You should not assign users permissions at the subscription level. Even though you can easily add and remove permissions for individual users, a role assignment at the subscription level is inherited by every resource group in the subscription. The permissions need to be managed at the resource group level, since each resource group holds the resources of a different application and only the users who manage a given application should have permission to those resources. Roles are a collection of permissions, while groups are a collection of users. With groups, you can manage a collection of permissions for a collection of users, which eases the management of both the permissions and the users.
Question 15 of 64
15. Question
You plan to use Azure Resource Manager templates to perform multiple deployments of identically configured Azure virtual machines. The password for the administrator account of each deployment is stored as a secret in different Azure key vaults. You need to identify a method to dynamically construct a resource ID that will designate the key vault containing the appropriate secret during each deployment. The name of the key vault and the name of the secret will be provided as inline parameters. What should you use to construct the resource ID?
Question 16 of 64
16. Question
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You need to configure diagnostic settings for contoso.com. The solution must meet the following requirements:
Retain logs for two years.
Query logs by using the Kusto query language.
Minimize administrative effort.
Where should you store the logs?
Correct
A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration but might combine data from multiple services.
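The three requirements above (two-year retention, KQL, minimal effort) map onto a workspace setting, a tenant-level diagnostic setting and a query. The following is an added PowerShell example, not part of the practice test, that wires them up. It assumes the Az.OperationalInsights and Az.Monitor modules (the v3+ syntax of New-AzDiagnosticSetting), that Connect-AzAccount was run as a Global Administrator of the tenant, and placeholder names for the resource group, workspace and region.

```powershell
# Added example (not from the practice test). Names below are placeholders.
Import-Module Az.OperationalInsights
Import-Module Az.Monitor

$rg        = 'rg-security-logs'      # placeholder
$workspace = 'law-contoso-sec'       # placeholder
$location  = 'eastus'                # placeholder

# 1. Workspace with 730-day (two-year) retention. Retention is a workspace
#    property, so no export job or storage account is required.
$law = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace `
        -Location $location -Sku 'PerGB2018' -RetentionInDays 730

# 2. Tenant-level diagnostic setting. Azure AD logs hang off the fixed
#    resource ID /providers/microsoft.aadiam, not off a subscription resource.
$categories = 'AuditLogs','SignInLogs','NonInteractiveUserSignInLogs',
              'ServicePrincipalSignInLogs','RiskyUsers','UserRiskEvents'
$logs = foreach ($c in $categories) {
    New-AzDiagnosticSettingLogSettingsObject -Category $c -Enabled $true
}
New-AzDiagnosticSetting -Name 'aad-to-law' -ResourceId '/providers/microsoft.aadiam' `
    -WorkspaceId $law.ResourceId -Log $logs

# 3. Confirm retention, then query with KQL. The query text is Kusto;
#    PowerShell only carries it to the workspace.
(Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace).RetentionInDays

$kql = @'
SigninLogs
| where TimeGenerated > ago(1d)
| where AuthenticationRequirement == "multiFactorAuthentication" and ResultType != "0"
| summarize Failures = count() by UserPrincipalName, IPAddress, ResultDescription
| order by Failures desc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $kql
$result.Results | Format-Table
```

Invoke-AzOperationalInsightsQuery takes the workspace's CustomerId (a GUID), whereas the diagnostic setting takes the full ARM ResourceId; mixing the two is a common cause of "workspace not found" errors.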
Question 17 of 64
17. Question
You have an Azure subscription that contains two virtual machines named VM1 and VM2 that run Windows Server 2019. You are implementing Update Management in Azure Automation. You plan to create a new update deployment named Update1. You need to ensure that Update1 meets the following requirements:
Automatically applies updates to VM1 and VM2.
Automatically adds any new Windows Server 2019 virtual machines to Update1.
What should you include in Update1?
Question 18 of 64
18. Question
You onboard Azure Sentinel. You connect Azure Sentinel to Azure Security Center. You need to automate the mitigation of incidents in Azure Sentinel. The solution must minimize administrative effort. What should you create?
Correct
A playbook is a collection of these remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively. For example, if an account and machine are compromised, a playbook can isolate the machine from the network and block the account by the time the SOC team is notified of the incident. Playbooks can be used within the subscription to which they belong, but the Playbooks tab (in the Automation blade) displays all the playbooks available across any selected subscriptions. https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
Question 19 of 64
19. Question
Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com. The company develops a mobile application named App1. App1 uses the OAuth 2 implicit grant type to acquire Azure AD access tokens. You need to register App1 in Azure AD. What information should you obtain from the developer to register the application?
Question 20 of 64
20. Question
Your organization has a subscription that hosts resources for multiple applications in Azure. The subscription is part of a tenant that has synchronization enabled using AD Connect with on-premises Active Directory Domain Services (AD DS). The resources for each application are contained in individual resource groups. As additional users are added to the application teams, you add roles for those users at the resource group level. Users can manage multiple applications. You need to efficiently manage permissions assigned to Azure Active Directory (Azure AD) users to access these resource groups. Solution: You create Azure AD groups for each application, add users to these groups, and assign roles to the groups at the resource group level. Does the solution meet the goal?
Correct
This solution meets the goal. Creating Azure AD groups provides centralized management of a group of users rather than of individual users. When the group is granted a role at the resource group level, all members of the group inherit that role. To add or remove permissions for a given user, you simply add or remove them from the corresponding Azure AD group. Roles are a collection of permissions, while groups are a collection of users. With groups, you can manage a collection of permissions for a collection of users, which eases the management of both the permissions and the users.
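The group-per-application model that questions 14 and 20 contrast with per-user subscription-level assignments, as one added PowerShell example (not part of the practice test) covering both. It assumes the Az.Resources module, an account able to create groups and role assignments, and placeholder application, resource group and user names; the application table is constructed for the example.

```powershell
# Added example (not from the practice test). Application map is constructed.
Import-Module Az.Resources

$apps = @{
    'App1' = @{ ResourceGroup = 'rg-app1'; Members = 'u1@contoso.com','u2@contoso.com' }
    'App2' = @{ ResourceGroup = 'rg-app2'; Members = 'u2@contoso.com','u3@contoso.com' }
}

foreach ($app in $apps.Keys) {
    $groupName = "sg-$($app.ToLower())-contributors"

    # Reuse an existing group so the script is safe to re-run.
    $group = Get-AzADGroup -DisplayName $groupName
    if (-not $group) {
        $group = New-AzADGroup -DisplayName $groupName -MailNickname $groupName `
                     -Description "Contributors for $app"
    }

    # Membership is the only thing that changes as people join or leave a team.
    $current = (Get-AzADGroupMember -GroupObjectId $group.Id).Id
    foreach ($upn in $apps[$app].Members) {
        $user = Get-AzADUser -UserPrincipalName $upn
        if ($current -notcontains $user.Id) {
            Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id
        }
    }

    # One role assignment per group, scoped to that application's resource
    # group. A subscription-scope assignment would be inherited by every other
    # application's resource group.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -ResourceGroupName $apps[$app].ResourceGroup |
                Where-Object RoleDefinitionName -eq 'Contributor'
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Contributor' `
            -ResourceGroupName $apps[$app].ResourceGroup
    }
}

# Audit: direct assignments to individual users are what this model removes.
Get-AzRoleAssignment | Where-Object ObjectType -eq 'User' |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

A user on two teams (u2 above) ends up in two groups and inherits Contributor on exactly the two resource groups those teams own, with no assignment touching the subscription scope.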
Question 21 of 64
21. Question
You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure storage account with a file share named generalBlob. You plan to allow users to authenticate to generalBlob by using their Azure AD credentials. You need to configure the environment to support the planned authentication. Solution: You deploy the on-premises data gateway in the on-premises network. Does this solution meet the goal?
Correct
This solution does not meet the goal. You should not deploy an on-premises data gateway in the on-premises network. An on-premises data gateway provides quick and secure data transfer between on-premises data sources and several Microsoft cloud services, such as Power BI, Power Apps, and Azure Logic Apps; it plays no part in authenticating users to an Azure file share. Identity-based access to Azure Files is instead enabled on the storage account through on-premises AD DS, Azure AD DS, or Azure AD Kerberos authentication for hybrid identities.
Question 22 of 64
22. Question
Case Study
General Overview
Fabrikam, Inc. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Fabrikam has IT, human resources (HR), and finance departments.
Existing Environment
Network Environment
Fabrikam has a Microsoft 365 subscription and an Azure subscription named subscription1.
The network contains an on-premises Active Directory domain named Fabrikam.com. The domain contains two organizational units (OUs) named OU1 and OU2.
Azure AD Connect cloud sync syncs only OU1.
The Azure resources hierarchy is shown in the following exhibit.
The Azure Active Directory (Azure AD) tenant contains the users shown in the following table.
Azure AD contains the resources shown in the following table.
Subscription1 Resources
Subscription1 contains the virtual networks shown in the following table.
Subscription1 contains the network security groups (NSGs) shown in the following table.
Subscription1 contains the virtual machines shown in the following table.
Subscription1 contains the Azure key vaults shown in the following table.
Subscription1 contains a storage account named storage1 in the West US Azure region.
Planned Changes and Requirements
Planned Changes
Fabrikam plans to implement the following changes:
Create two application security groups as shown in the following table.
Associate the network interface of VM1 to ASG1.
Deploy SecPol1 by using Azure Security Center.
Deploy a third-party app named App1. A version of App1 exists for all available operating systems.
Create a resource group named RG2.
Sync OU2 to Azure AD.
Add User1 to Group1.
Technical Requirements
Fabrikam identifies the following technical requirements:
The finance department users must reauthenticate after three hours when they access SharePoint Online.
Storage1 must be encrypted by using customer-managed keys and automatic key rotation.
From Sentinel1, you must ensure that the following notebooks can be launched:
– Entity Explorer Account
– Entity Explorer Windows Host
– Guided Investigation Process Alerts
VM1, VM2, and VM3 must be encrypted by using Azure Disk Encryption.
Just in time (JIT) VM access for VM1, VM2, and VM3 must be enabled.
App1 must use a secure connection string stored in KeyVault1.
KeyVault1 traffic must NOT travel over the internet.
QUESTION:
From Azure Security Center, you need to deploy SecPol1.
What should you do first?
Correct
Create an initiative.
A custom security policy in Azure Security Center is an Azure Policy initiative (policy set definition) that is then assigned to a subscription or management group. Initiatives enable you to group several related policy definitions to simplify assignment and management, because you work with the group as a single item. For example, you can group related tagging policy definitions into a single initiative. Rather than assigning each policy individually, you apply the initiative.
Reference: https://zimmergren.net/create-custom-security-center-recommendation-with-azure-policy
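The ordering the answer describes (initiative first, assignment second), as an added PowerShell example that is not part of the practice test or the referenced article. The two member policies are custom audit definitions written inline so the example does not depend on built-in policy GUIDs; the initiative name "SecPol1" is taken from the case study, while the definition names and the subscription scope are placeholders. It assumes the Az.Resources and Az.PolicyInsights modules and a signed-in account with Resource Policy Contributor rights.

```powershell
# Added example (not from the practice test). Definition names are placeholders.
Import-Module Az.Resources
Import-Module Az.PolicyInsights

$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId"

# Two narrow audit rules over storage account properties (Azure Policy aliases).
$httpsOnly = @'
{
  "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
    { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" }
  ]},
  "then": { "effect": "Audit" }
}
'@
$noPublicBlob = @'
{
  "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
    { "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": "false" }
  ]},
  "then": { "effect": "Audit" }
}
'@
New-AzPolicyDefinition -Name 'audit-storage-https-only' -DisplayName 'Storage accounts should require HTTPS' `
    -Policy $httpsOnly -Mode Indexed | Out-Null
New-AzPolicyDefinition -Name 'audit-storage-no-public-blob' -DisplayName 'Storage accounts should block public blob access' `
    -Policy $noPublicBlob -Mode Indexed | Out-Null

# Step 1: the initiative. Members are referenced by definition ID; the IDs are
# built explicitly so the script does not depend on the output shape of a
# particular Az.Resources version.
$members = @(
    @{ policyDefinitionId = "$scope/providers/Microsoft.Authorization/policyDefinitions/audit-storage-https-only" }
    @{ policyDefinitionId = "$scope/providers/Microsoft.Authorization/policyDefinitions/audit-storage-no-public-blob" }
)
$secPol1 = New-AzPolicySetDefinition -Name 'SecPol1' -DisplayName 'SecPol1' `
    -PolicyDefinition (ConvertTo-Json -InputObject $members -Depth 5)

# Step 2: the assignment. Until this exists Security Center has nothing to evaluate.
New-AzPolicyAssignment -Name 'SecPol1-assignment' -PolicySetDefinition $secPol1 -Scope $scope

# Compliance results appear after the next evaluation cycle; request one now.
Start-AzPolicyComplianceScan
```

Both member policies use the Audit effect, so deploying SecPol1 surfaces recommendations without blocking deployments; switching to Deny is a separate decision that should be made per policy after the audit results have been reviewed.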
Question 23 of 64
23. Question
You have an Azure subscription named Sub1 that contains the resources shown in the following table.
You need to ensure that you can provide VM1 with secure access to a database on SQL1 by using a contained database user.
What should you do?
Question 24 of 64
24. Question
You have an Azure subscription named Sub1. You have an Azure Storage account named sa1 in a resource group named RG1. Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies. You discover that unauthorized users accessed both the file service and the blob service. You need to revoke all access to sa1. Solution: You regenerate the Azure storage account access keys. Does this meet the goal?
Question 25 of 64
25. Question
You have an Azure subscription named Sub1.
You have an Azure Active Directory (Azure AD) group named Group1 that contains all the members of your IT team.
You need to ensure that the members of Group1 can stop, start, and restart the Azure virtual machines in Sub1. The solution must use the principle of least privilege.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
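One way to meet the requirement in question 25 with least privilege, as an added PowerShell example that is not part of the practice test: the built-in Virtual Machine Contributor role grants far more than power control, so a custom role limited to read, start, restart, power-off and deallocate actions is created and assigned to Group1 at subscription scope. The custom role name is a placeholder, and the example assumes the Az.Resources module and an account with Owner or User Access Administrator rights on Sub1.

```powershell
# Added example (not from the practice test). Role name is a placeholder.
Import-Module Az.Resources

$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId"
$group = Get-AzADGroup -DisplayName 'Group1'

# 1. Custom role: clone a built-in definition to get a well-formed object, then
#    replace its identity, actions and assignable scopes.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id          = $null
$role.Name        = 'Virtual Machine Power Operator'
$role.Description = 'Start, restart, stop and deallocate VMs; no configuration changes.'
$role.IsCustom    = $true
$role.Actions.Clear()
@(
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/restart/action',
    'Microsoft.Compute/virtualMachines/powerOff/action',
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Resources/subscriptions/resourceGroups/read'
) | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
$custom = New-AzRoleDefinition -Role $role

# 2. Assign the custom role to the group (not to its members) at the scope that
#    contains every VM in Sub1.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionId $custom.Id -Scope $scope

# 3. Verify: one assignment for the group, and no write or delete action in the role.
Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope | Select-Object RoleDefinitionName, Scope
(Get-AzRoleDefinition -Name $custom.Name).Actions | Where-Object { $_ -match 'write|delete' }
```

Both powerOff and deallocate are included because "stop" in the portal maps to deallocate, while a guest-initiated shutdown leaves the VM in the stopped (still billed) state that only powerOff/action describes; dropping either one leaves a gap the IT team will notice.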
Question 26 of 64
26. Question
Your company has two offices in Seattle and New York. Each office connects to the Internet by using a NAT device. The offices use the IP addresses shown in the following table.
The company has an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
The MFA service settings are configured as shown in the exhibit. (Click the Exhibit tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct
Box 1: Yes –
User1 signs in from an IP address that is not in the trusted IP list and has MFA enabled, so User1 must complete MFA by phone.
Box 2: No –
Microsoft Authenticator is not required; a text message or a phone call satisfies MFA under the configured settings.
Note: Microsoft Authenticator is a multifactor app for mobile devices that generates time-based codes used during the two-step verification process.
Box 3: No –
The New York office's address range is listed under "Skip multi-factor authentication for requests from following range of IP address subnets" (the trusted IPs feature), so sign-ins from that NAT address are not prompted for MFA.
Reference: https://www.cayosoft.com/difference-enabling-enforcing-mfa/
Question 27 of 64
27. Question
You have a network security group (NSG) bound to an Azure subnet.
You run Get-AzNetworkSecurityRuleConfig and receive the output shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Correct
Line 1: able to connect to East US 2
The StorageEA2Allow rule has DestinationAddressPrefix Storage/EastUS2, a service tag that expands to the address ranges of Azure Storage in the East US 2 region, so outbound traffic to storage in that region matches the allow rule.
Line 2: dropped
The rule's address prefix uses a /32, which matches exactly one IP address, and that address differs from the one in the packet, so no allow rule matches and the packet is dropped by the lower-priority deny rule.
Note:
The Get-AzNetworkSecurityRuleConfig cmdlet (Get-AzureRmNetworkSecurityRuleConfig in the legacy AzureRM module) gets a network security rule configuration for an Azure network security group.
Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. Rules are evaluated in priority order (lowest number first) and the first matching rule decides the outcome.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
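The address-matching logic behind questions 26 and 27, as one added PowerShell example that is not part of the practice test and needs no Azure connection. Test-IPv4InPrefix is the same predicate whether the prefix comes from the MFA trusted-IP list or from an NSG rule, and Test-NsgFlow applies it in priority order the way the NSG engine does (lowest number first, first match wins, deny if nothing matches). The rule set, the packets and the trusted-IP range are constructed for the example, and the service tag (written Storage.EastUS2, the platform's dotted form) is represented by a constructed prefix list because real tag contents are only known to the platform.

```powershell
# Added example (not from the practice test). Rules, packets, prefixes and the
# service-tag contents below are all constructed.

function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                     # network order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}

function Test-IPv4InPrefix ([string]$Ip, [string]$Prefix) {
    if ($Prefix -eq '*' -or $Prefix -eq '0.0.0.0/0') { return $true }
    $net, $len = $Prefix.Split('/')
    if (-not $len) { $len = 32 }             # a bare address is a /32: exactly one host
    $mask = if ([int]$len -eq 0) { [uint32]0 }
            else { [uint32]((0xFFFFFFFF -shl (32 - [int]$len)) -band 0xFFFFFFFF) }
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Service tags stand in for platform-maintained prefix lists (constructed values).
$serviceTags = @{ 'Storage.EastUS2' = @('20.60.0.0/16', '52.239.0.0/17') }

function Test-PrefixMatch ([string]$Ip, [string]$Prefix) {
    if ($serviceTags.ContainsKey($Prefix)) {
        foreach ($p in $serviceTags[$Prefix]) { if (Test-IPv4InPrefix $Ip $p) { return $true } }
        return $false
    }
    Test-IPv4InPrefix $Ip $Prefix
}

function Test-NsgFlow ($Rules, [string]$SourceIp, [string]$DestIp, [int]$DestPort, [string]$Direction) {
    foreach ($r in ($Rules | Where-Object Direction -eq $Direction | Sort-Object Priority)) {
        $portOk = ($r.DestinationPortRange -eq '*') -or ($r.DestinationPortRange -eq "$DestPort")
        if ($portOk -and (Test-PrefixMatch $SourceIp $r.SourceAddressPrefix) -and
            (Test-PrefixMatch $DestIp $r.DestinationAddressPrefix)) {
            return [pscustomobject]@{ Rule = $r.Name; Access = $r.Access }
        }
    }
    [pscustomobject]@{ Rule = '(no match)'; Access = 'Deny' }   # platform default for unmatched traffic
}

# Constructed rule set shaped like Get-AzNetworkSecurityRuleConfig output.
$rules = @(
    [pscustomobject]@{ Name='StorageEA2Allow'; Priority=100;  Direction='Outbound'; Access='Allow'; SourceAddressPrefix='*';           DestinationAddressPrefix='Storage.EastUS2'; DestinationPortRange='443' }
    [pscustomobject]@{ Name='AllowMgmtHost';   Priority=110;  Direction='Inbound';  Access='Allow'; SourceAddressPrefix='10.1.0.5/32'; DestinationAddressPrefix='*';               DestinationPortRange='3389' }
    [pscustomobject]@{ Name='DenyAllInbound';  Priority=4096; Direction='Inbound';  Access='Deny';  SourceAddressPrefix='*';           DestinationAddressPrefix='*';               DestinationPortRange='*' }
)

Test-NsgFlow $rules '10.1.0.4' '20.60.12.34' 443  'Outbound'   # StorageEA2Allow / Allow
Test-NsgFlow $rules '10.1.0.5' '10.1.0.20'   3389 'Inbound'    # AllowMgmtHost / Allow
Test-NsgFlow $rules '10.1.0.6' '10.1.0.20'   3389 'Inbound'    # /32 covers one host only -> DenyAllInbound / Deny

# The MFA trusted-IP check is the same predicate over the office NAT range.
$trustedIps = @('203.0.113.0/24')                                # constructed
Test-IPv4InPrefix '203.0.113.45' $trustedIps[0]                  # True: MFA skipped
Test-IPv4InPrefix '198.51.100.7' $trustedIps[0]                  # False: MFA prompted
```

The third flow is the question 27 case: the packet's source differs from the single address a /32 describes, so the allow rule is skipped and the catch-all deny at priority 4096 decides the outcome.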
Question 28 of 64
28. Question
You have an Azure subscription that contains an Azure SQL database named sql1. You plan to audit sql1. You need to configure the audit log destination. The solution must meet the following requirements: Support querying events by using the Kusto query language. Minimize administrative effort. What should you configure?
Question 29 of 64
29. Question
You have an Azure subscription named Sub1. Sub1 contains a virtual network named VNet1 that contains one subnet named Subnet1. Subnet1 contains an Azure virtual machine named VM1 that runs Ubuntu Server 18.04. You create a service endpoint for Microsoft.Storage in Subnet1. You need to ensure that when you deploy Docker containers to VM1, the containers can access Azure Storage resources by using the service endpoint. What should you do on VM1 before you deploy the container?
Correct
Install the Azure Virtual Network container network interface (CNI) plug-in on VM1 before deploying the container. The plug-in installs in an Azure virtual machine and supports both Linux and Windows.
The plug-in assigns IP addresses from the virtual network to containers brought up in the virtual machine, attaching them to the virtual network and connecting them directly to other containers and virtual network resources. Because the containers then carry subnet addresses, traffic they send to Azure Storage leaves through Subnet1 and is covered by the subnet's service endpoint. The plug-in doesn't rely on overlay networks or routes for connectivity, and provides the same performance as virtual machines.
The following picture shows how the plug-in provides Azure Virtual Network capabilities to Pods:
Question 30 of 64
30. Question
You have an Azure subscription named Sub1. In Azure Security Center, you have a workflow automation named WF1. WF1 is configured to send an email message to a user named User1. You need to modify WF1 to send email messages to a distribution group named Alerts. What should you use to modify WF1?
Correct
When you work with Azure Logic Apps in the Azure portal, you can edit your workflows visually or programmatically. After you open a logic app resource in the portal, on the resource menu under Developer, you can select between Code view and Designer view. When you want to visually develop, edit, and run your workflow, select the designer view. You can switch between the designer view and code view at any time.
Question 31 of 64
31. Question
You have an Azure subscription that contains the resources shown in the following table.
Transparent Data Encryption (TDE) is disabled on SQL1.
You assign policies to the resource groups as shown in the following table.
You plan to deploy Azure SQL databases by using an Azure Resource Manager (ARM) template. The databases will be configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table.
You schedule two update deployments named Update1 and Update2. Update1 updates VM3. Update2 updates VM6.
Which additional virtual machines can be updated by using Update1 and Update2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct
An update deployment can apply to Windows VMs or Linux VMs but not both. The VMs can be in different regions, different subscriptions and different resource groups.
Update1: VM1 and VM2 only –
VM3: Windows Server 2016.
Update2: VM4 and VM5 only –
VM6: CentOS 7.5.
For Linux, the machine must have access to an update repository. The update repository can be private or public.
Reference: https://docs.microsoft.com/en-us/azure/automation/update-management/overview
Question 33 of 64
33. Question
Case Study
General Overview
Fabrikam, Inc. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Fabrikam has IT, human resources (HR), and finance departments.
Existing Environment
Network Environment
Fabrikam has a Microsoft 365 subscription and an Azure subscription named subscription1.
The network contains an on-premises Active Directory domain named Fabrikam.com. The domain contains two organizational units (OUs) named OU1 and OU2. Azure AD Connect cloud sync syncs only OU1.
The Azure resources hierarchy is shown in the following exhibit.
The Azure Active Directory (Azure AD) tenant contains the users shown in the following table.
Azure AD contains the resources shown in the following table.
Subscription1 Resources
Subscription1 contains the virtual networks shown in the following table.
Subscription1 contains the virtual machines shown in the following table.
Subscription1 contains the Azure key vaults shown in the following table.
Subscription1 contains a storage account named storage1 in the West US Azure region.
Planned Changes and Requirements
Planned Changes
Fabrikam plans to implement the following changes:
Create two application security groups as shown in the following table.
Associate the network interface of VM1 to ASG1.
Deploy SecPol1 by using Azure Security Center.
Deploy a third-party app named App1. A version of App1 exists for all available operating systems.
Create a resource group named RG2.
Sync OU2 to Azure AD.
Add User1 to Group1.
Technical Requirements
Fabrikam identifies the following technical requirements:
The finance department users must reauthenticate after three hours when they access SharePoint Online.
Storage1 must be encrypted by using customer-managed keys and automatic key rotation.
From Sentinel1, you must ensure that the following notebooks can be launched:
– Entity Explorer Account
– Entity Explorer Windows Host
– Guided Investigation Process Alerts
VM1, VM2, and VM3 must be encrypted by using Azure Disk Encryption.
Just in time (JIT) VM access for VM1, VM2, and VM3 must be enabled.
App1 must use a secure connection string stored in KeyVault1.
KeyVault1 traffic must NOT travel over the internet.
QUESTION:
You need to meet the technical requirements for the finance department users.
Which CAPolicy1 settings should you modify?
Case Study
General Overview
Fabrikam, Inc. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Fabrikam has IT, human resources (HR), and finance departments.
Existing Environment
Network Environment
Fabrikam has a Microsoft 365 subscription and an Azure subscription named subscription1.
The network contains an on-premises Active Directory domain named Fabrikam.com. The domain contains two organizational units (OUs) named OU1 and OU2. Azure AD Connect cloud sync syncs only OU1.
The Azure resources hierarchy is shown in the following exhibit.
The Azure Active Directory (Azure AD) tenant contains the users shown in the following table.
Azure AD contains the resources shown in the following table.
Subscription1 Resources
Subscription1 contains the virtual networks shown in the following table.
Subscription1 contains the network security groups (NSGs) shown in the following table.
Subscription1 contains the virtual machines shown in the following table.
Subscription1 contains the Azure key vaults shown in the following table.
Subscription1 contains a storage account named storage1 in the West US Azure region.
Planned Changes and Requirements
Planned Changes
Fabrikam plans to implement the following changes:
Create two application security groups as shown in the following table.
Associate the network interface of VM1 to ASG1.
Deploy SecPol1 by using Azure Security Center.
Deploy a third-party app named App1. A version of App1 exists for all available operating systems.
Create a resource group named RG2.
Sync OU2 to Azure AD.
Add User1 to Group1.
Technical Requirements
Fabrikam identifies the following technical requirements:
The finance department users must reauthenticate after three hours when they access SharePoint Online.
Storage1 must be encrypted by using customer-managed keys and automatic key rotation.
From Sentinel1, you must ensure that the following notebooks can be launched:
– Entity Explorer Account
– Entity Explorer Windows Host
– Guided Investigation Process Alerts
VM1, VM2, and VM3 must be encrypted by using Azure Disk Encryption.
Just in time (JIT) VM access for VM1, VM2, and VM3 must be enabled.
App1 must use a secure connection string stored in KeyVault1.
KeyVault1 traffic must NOT travel over the internet.
QUESTION:
You need to delegate the creation of RG2 and the management of permissions for RG1.
Which users can perform each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct
Box 1: Admin3 only –
The Contributor role has the necessary write permissions to create the resource group.
Box 2: Admin4 only –
You need Owner level access to be able to manage permissions. The Contributor role can do most things but cannot modify permissions on existing objects.
Question 35 of 64
35. Question
You have an Azure resource group that contains 100 virtual machines. You have an initiative named Initiative1 that contains multiple policy definitions. Initiative1 is assigned to the resource group. You need to identify which resources do NOT match the policy definitions. What should you do?
Your organization has a subscription that hosts resources for multiple applications in Azure. The subscription is part of a tenant that has synchronization enabled using AD Connect with on-premises Active Directory Domain Services (AD DS). The resources for each application are contained in individual resource groups. As additional users are added to the application teams, you add roles for those users at the resource group level. Users can manage multiple applications. You need to efficiently manage permissions assigned to Azure Active Directory (Azure AD) users to access these resource groups. Solution: You create security groups in AD DS, add users in these groups, and assign roles to the groups at the resource group level. Does the solution meet the goal?
Correct
This solution meets the goal. Creating AD DS security groups provides centralized management of groups of users in your on-premises Active Directory. Since these groups are synchronized by AD Connect, they are available in Azure AD for permission assignment. When the group is granted permissions at the resource group level, all users in the group inherit the permissions granted to the group. To add or remove permissions for a given user, you simply add or remove that user from the corresponding AD DS group. Roles are a collection of permissions, while groups are a collection of users. With groups, you can manage a collection of permissions for a collection of users, which eases the management of both the permissions and the users.
Question 37 of 64
37. Question
Your company has a web app named CorpIntranet that uses Azure Active Directory (Azure AD) authentication. You configure password hash synchronization (PHS) in Azure AD Connect to replicate on-premises Active Directory user accounts to Azure AD. You need to enforce two-step authentication for all Azure AD users. What should you use? Choose the correct answer
Correct
To enforce multi-factor authentication (MFA), also called two-step verification, you should deploy a Conditional Access policy that requires MFA enrollment. Azure AD Conditional Access enforces policies after the user provides first-factor (password) authentication. Although Conditional Access policies can completely "shape" the user authentication environment, in this case you need only to configure the policy to grant access and require MFA. If the user has not yet enrolled in Azure MFA, they will be required to do so. Already enrolled users will be prompted with an MFA challenge as their second-factor authentication. You should not use Azure Policy. Azure Policy is a governance tool with which you can standardize deployment attributes in your subscriptions. For example, you could deploy an Azure Policy that limits the regions your administrators can deploy resources to. You should not use Azure AD Privileged Identity Management (PIM). Azure AD PIM is a platform to evaluate highly privileged Azure AD and Azure resource roles, and to control their use. You should not use Microsoft Defender for Cloud (formerly Azure Security Center). Microsoft Defender for Cloud is a toolset that, among other features, analyzes the security posture of your subscription and offers recommendations for improvement.
Question 38 of 64
38. Question
You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure storage account with a blob service named generalBlob. You plan to allow users to authenticate to generalBlob by using their Azure AD credentials. You need to configure the environment to support the planned authentication. Solution: You deploy an Azure AD Application Proxy. Does this solution meet the goal?
Correct
This solution does not meet the goal. You should use Azure AD Application Proxy to provide secure remote access to web applications hosted on-premises from a remote client. You can enable single sign-on (SSO) with Application Proxy. However, you cannot allow users to authenticate to the generalBlob file share with Application Proxy.
Question 39 of 64
39. Question
Case Study
General Overview
Fabrikam, Inc. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Fabrikam has IT, human resources (HR), and finance departments.
Existing Environment
Network Environment
Fabrikam has a Microsoft 365 subscription and an Azure subscription named subscription1.
The network contains an on-premises Active Directory domain named Fabrikam.com. The domain contains two organizational units (OUs) named OU1 and OU2. Azure AD Connect cloud sync syncs only OU1.
The Azure resources hierarchy is shown in the following exhibit.
The Azure Active Directory (Azure AD) tenant contains the users shown in the following table.
Azure AD contains the resources shown in the following table.
Subscription1 Resources
Subscription1 contains the virtual networks shown in the following table.
Subscription1 contains the network security groups (NSGs) shown in the following table.
Subscription1 contains the virtual machines shown in the following table.
Subscription1 contains the Azure key vaults shown in the following table.
Subscription1 contains a storage account named storage1 in the West US Azure region.
Planned Changes and Requirements
Planned Changes
Fabrikam plans to implement the following changes:
Create two application security groups as shown in the following table.
Associate the network interface of VM1 to ASG1.
Deploy SecPol1 by using Azure Security Center.
Deploy a third-party app named App1. A version of App1 exists for all available operating systems.
Create a resource group named RG2.
Sync OU2 to Azure AD.
Add User1 to Group1.
Technical Requirements
Fabrikam identifies the following technical requirements:
The finance department users must reauthenticate after three hours when they access SharePoint Online.
Storage1 must be encrypted by using customer-managed keys and automatic key rotation.
From Sentinel1, you must ensure that the following notebooks can be launched:
– Entity Explorer Account
– Entity Explorer Windows Host
– Guided Investigation Process Alerts
VM1, VM2, and VM3 must be encrypted by using Azure Disk Encryption.
Just in time (JIT) VM access for VM1, VM2, and VM3 must be enabled.
App1 must use a secure connection string stored in KeyVault1.
KeyVault1 traffic must NOT travel over the internet.
QUESTION:
You need to perform the planned changes for OU2 and User1.
Which tools should you use? To answer, drag the appropriate tools to the correct resources. Each tool may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Correct
As per the Technical Requirements, we need to sync OU2 to Azure AD. The only tool that can do this is Azure AD Connect. The other requirement was to add User1 to Group1, which can be achieved via the Azure portal.
Question 40 of 64
40. Question
You have an Azure subscription that contains an Azure key vault named Vault1.
On January 1, 2019, Vault1 stores the following secrets.
When can each secret be used by an application? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct
Box 1: Never –
Password1 is disabled.
Box 2: Only between March 1, 2019 and May 1,
Password2:
Question 41 of 64
41. Question
Case Study
General Overview
Fabrikam, Inc. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Fabrikam has IT, human resources (HR), and finance departments.
Existing Environment
Network Environment
Fabrikam has a Microsoft 365 subscription and an Azure subscription named subscription1.
The network contains an on-premises Active Directory domain named Fabrikam.com. The domain contains two organizational units (OUs) named OU1 and OU2. Azure AD Connect cloud sync syncs only OU1.
The Azure resources hierarchy is shown in the following exhibit.
The Azure Active Directory (Azure AD) tenant contains the users shown in the following table.
Azure AD contains the resources shown in the following table.
Subscription1 Resources
Subscription1 contains the virtual networks shown in the following table.
Subscription1 contains the network security groups (NSGs) shown in the following table.
Subscription1 contains the virtual machines shown in the following table.
Subscription1 contains the Azure key vaults shown in the following table.
Subscription1 contains a storage account named storage1 in the West US Azure region.
Planned Changes and Requirements
Planned Changes
Fabrikam plans to implement the following changes:
Create two application security groups as shown in the following table.
Associate the network interface of VM1 to ASG1.
Deploy SecPol1 by using Azure Security Center.
Deploy a third-party app named App1. A version of App1 exists for all available operating systems.
Create a resource group named RG2.
Sync OU2 to Azure AD.
Add User1 to Group1.
Technical Requirements
Fabrikam identifies the following technical requirements:
The finance department users must reauthenticate after three hours when they access SharePoint Online.
Storage1 must be encrypted by using customer-managed keys and automatic key rotation.
From Sentinel1, you must ensure that the following notebooks can be launched:
– Entity Explorer Account
– Entity Explorer Windows Host
– Guided Investigation Process Alerts
VM1, VM2, and VM3 must be encrypted by using Azure Disk Encryption.
Just in time (JIT) VM access for VM1, VM2, and VM3 must be enabled.
App1 must use a secure connection string stored in KeyVault1.
KeyVault1 traffic must NOT travel over the internet.
QUESTION:
You plan to implement JIT VM access.
Which virtual machines will be supported?
You have an Azure subscription that contains a resource group named RG1. RG1 contains a storage account named storage1.
You have two custom Azure roles named Role1 and Role2 that are scoped to RG1.
The permissions for Role1 are shown in the following JSON code.
The permissions for Role2 are shown in the following JSON code.
You assign the roles to the users shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct
User1 can read the data from storage1 because the role grants read permission on Storage Accounts.
User2 can read the data from storage1 because the role grants read permission on Storage Accounts.
User3 doesn't have the required permission to perform the task.
You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure storage account with a blob service named generalblob. You plan to allow users to authenticate to generalblob by using their Azure AD credentials. You need to configure the environment to support the planned authentication. Solution: You assign the Storage Blob Data Contributor role. Does this solution meet the goal?
Correct
This solution meets the goal. Azure Storage supports access to blob storage resources using Azure AD credentials. To authorize your users, you should assign one of the following role-based access control (RBAC) roles to their account: Storage Blob Data Owner: use to set ownership and grant full access to Blob storage resources. Storage Blob Data Contributor: use to grant read/write/delete permissions to Blob storage resources. Storage Blob Data Reader: use to grant read-only permissions to Blob storage resources. Storage Blob Delegator: get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.
Question 44 of 64
44. Question
You are developing a web application named WebApp1 that needs to retrieve data from an Azure SQL database named Db1. Your static code security analysis identified an SQL connection string with a username and password included in your code in plain text. You must eliminate this vulnerability in WebApp1. Which two actions should you identify to achieve this goal in the most effective way? Each correct answer presents a complete solution.
Correct
You should create a user-assigned or system-assigned managed identity. A managed identity is an Azure Active Directory (Azure AD) security principal that represents the Azure resource. Azure resources can use a managed identity to authenticate to any other Azure service, thus providing secure inter-service authentication. Managed identities can be system-assigned or user-assigned. If you set a system-assigned managed identity, it is created and managed by Azure and is assigned to your resource automatically. If you would like to manage the identity of a security principal yourself, you have to manually create a managed identity as an Azure resource and then assign it to your app service, virtual machine (VM), or other Azure resource. In this scenario, using an Azure AD managed identity makes it possible to move plain-text authentication credentials out of the source code, thereby mitigating the security risk of stolen credentials. You should not create an Azure Active Directory (Azure AD) user identity. Although using an Azure AD user identity would enable WebApp1 to access Db1, it is not the most effective way. This solution would be more expensive and require much more administrative effort. An Azure AD user identity would be suitable for managing access to WebApp1, but it is not effective for configuring service-to-service authentication. You should not create a database user identity. Database identities can be used by users who do not have a login and who only need access to one or a few databases. They should not be used in a service-to-service authentication scenario like this one. It is the most dangerous type of authentication. You should not create a virtual machine local user identity. It is technologically not possible to use a virtual machine local user identity to access Azure SQL Database. A virtual machine local user could be used in the case of a SQL Server instance installed directly on the virtual machine with that local user.
Incorrect
You should create a user-assigned or system-assigned managed identity. A managed identity is an Azure Active Directory (Azure AD) security principal that represents the Azure resource. Azure resources can use a managed identity to authenticate to any other Azure services, as such providing secure inter-service authentication. Managed identities can be system-assigned or user-assigned. If you set a system-assigned managed identity, it is created and managed by Azure and gets assigned to your respective resource automatically. If you would like to manage the identity of a security principal yourself, you have to manually create a managed identity as Azure resource and then assign it to your app service, virtual machine (VM), or other Azure resources. In this scenario, using an Azure AD-managed identity provides the possibility to move plain text authentication credentials out of the source code, thereby mitigating the security risk of stolen credentials. You should not create an Azure Active Directory (Azure AD) user identity. Although using an Azure AD user identity would enable WebAppl to access Dal, it is not the most effective way. This solution will be more expensive and requires much more administrative effort. An Azure AD user identity would be suitable to manage access to WebAppt but it is not effective to configure service to service authentication. You should not create a database user identity. Database identities can be used by users who do not have a login and if they only need access to one or a few databases. It should not be used in the scenario of service to service authentication, like this one. It is the most dangerous type of authentication. You should not create a virtual machine local user identity. It is technologically not possible to use a virtual machine local user identity to access Azure SQL Database. A virtual machine local user could be used in the case of an SQL server being installed directly on the virtual machine with the local user.
Question 45 of 64
45. Question
Your company recently completed an Office 365 migration and is using Azure AD Connect to synchronize onsite Active Directory with Azure Active Directory (Azure AD). After a security incident, your company‘s security team enables and enforces multi-factor authentication (MFA) deployed on an on-premises server for all external sales reps. The sales director is unable to access his account and an important presentation because the Microsoft Authenticator app does not launch. You need to ensure that the director has access to his presentation as quickly as possible without compromising the company‘s security policy. What should you do?
Correct
You should create a one-time bypass for the sales director's user account. A one-time bypass is a temporary exception for MFA problems, for example when a user is not receiving the notification or phone call. It is time-limited (300 seconds by default) and lets the user authenticate once without the second factor, after which MFA is enforced again, so the security policy stays intact. You should not disable MFA on the sales director's account in Active Directory Users and Computers. MFA is not controlled through on-premises AD; with MFA Server it is configured in the MFA Server administration console, and cloud MFA is configured in Azure AD. You should not use the Set-MsolUser cmdlet. Set-MsolUser manages the per-user MFA state of cloud accounts in Azure AD; it has no effect on the on-premises MFA Server deployment, and disabling MFA would break the policy anyway. You should not open the Azure portal and disable MFA on the sales director's user account. That would restore access, but it leaves MFA disabled for every subsequent sign-in.
Question 46 of 64
46. Question
Case Study:
Overview:
Company1 is a financial firm that specializes in cryptocurrencies. Company1 applications are developed in Docker containers and deployed to Azure virtual machines (VMs) in an Azure subscription named Cloud.
Cloud is associated with an Azure Active Directory (Azure AD) tenant named company1.net.
Cloud contains the resources provisioned in four resource groups as shown in exhibit 1. The Azure VMs are associated with the subnets as shown in exhibit 2. The company1.net tenant contains the users as shown in exhibit 3 with roles attached in Cloud. Cloud contains resource groups locks as shown in exhibit 4. Cloud also contains the Azure policies shown in exhibit 5. Storage2 has its firewall enabled.
Requirements:
A new user named User5 is created in company1.net. This user needs permission to push and pull trusted images to a container registry.
A new user named User6 is created in company1.net. This user has the Owner role in Cloud.
Registry1 needs to be private and protected by authentication. The push operation in Registry1 needs to be audited at the user level.
The images in Registry1 need to be frequently scanned for vulnerabilities.
Azure-managed services need to be used whenever possible to reduce administrative efforts.
Network access to VM3 needs to be restricted only to VM1.
Network access to Storage1 needs to be restricted to Sub1 only.
Network access restrictions need to be applied at the resource level only.
Exhibit 1
Exhibit 2
Exhibit 3
Exhibit 4
Exhibit 5
You need to determine which users can upload and download the container images stored in Registryl based on the attached role for each user.
Which users should you choose? To answer, select the appropriate options from the drop-down menus.
Correct
Only User1 and User3 can upload images to Registry1. Pushing requires a role that carries the image push permission (Microsoft.ContainerRegistry/registries/push/write). Of the built-in roles, Owner, Contributor, and AcrPush have it; the users holding one of these roles are User1 and User3 only.
User1, User2, and User3 can download images from Registry1. Pulling requires the image pull permission (Microsoft.ContainerRegistry/registries/pull/read). Every role in the Azure Container Registry roles table has it (Owner, Contributor, Reader, AcrPush, AcrPull) except AcrDelete and AcrImageSigner; the users holding one of these roles are User1, User2, and User3 only.
User4 has the AcrImageSigner role, which only allows signing images for content trust and does not permit uploading or downloading container images from Registry1. Note that AcrPush and AcrPull are data-plane roles: a user with only AcrPush can push and pull images but cannot view or manage the registry resource itself in the portal.
Question 47 of 64
47. Question
General Overview
Fabrikam, Inc. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Fabrikam has IT, human resources (HR), and finance departments.
Existing Environment
Network Environment
Fabrikam has a Microsoft 365 subscription and an Azure subscription named subscription1.
The network contains an on-premises Active Directory domain named Fabrikam.com. The domain contains two
organizational units (OUs) named OU1 and OU2.
Azure AD Connect cloud sync syncs only OU1.
The Azure resources hierarchy is shown in the following exhibit.
The Azure Active Directory (Azure AD) tenant contains the users shown in the following table.
Azure AD contains the resources shown in the following table.
Subscription1 Resources
Subscription1 contains the virtual networks shown in the following table.
Subscription1 contains the network security groups (NSGs) shown in the following table.
Subscription1 contains the virtual machines shown in the following table.
Subscription1 contains the Azure key vaults shown in the following table.
Subscription1 contains a storage account named storage1 in the West US Azure region.
Planned Changes and Requirements
Planned Changes
Fabrikam plans to implement the following changes:
Create two application security groups as shown in the following table.
Associate the network interface of VM1 to ASG1.
Deploy SecPol1 by using Azure Security Center.
Deploy a third-party app named App1. A version of App1 exists for all available operating systems.
Create a resource group named RG2.
Sync OU2 to Azure AD.
Add User1 to Group1.
Technical Requirements
Fabrikam identifies the following technical requirements:
The finance department users must reauthenticate after three hours when they access SharePoint Online.
Storage1 must be encrypted by using customer-managed keys and automatic key rotation.
From Sentinel1, you must ensure that the following notebooks can be launched:
– Entity Explorer Account
– Entity Explorer Windows Host
– Guided Investigation Process Alerts
VM1, VM2, and VM3 must be encrypted by using Azure Disk Encryption.
Just in time (JIT) VM access for VM1, VM2, and VM3 must be enabled.
App1 must use a secure connection string stored in KeyVault1.
KeyVault1 traffic must NOT travel over the internet.
QUESTION:
You plan to configure Azure Disk Encryption for VM4.
Which key vault can you use to store the encryption key?
Question 48 of 64
48. Question
You have an Azure subscription. You create an Azure web app named Contoso1812 that uses an S1 App Service plan. You plan to create a CNAME DNS record for http://www.contoso.com that points to Contoso1812. You need to ensure that users can access Contoso1812 by using the https://www.contoso.com URL. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
Correct
Two things are needed: the custom hostname must be added to the web app, and a certificate must be bound to it. Azure DNS (or any DNS provider) can host the custom domain for a web app, so users reach it as www.contoso.com or contoso.com. For the www name the CNAME record points to the app's default hostname (contoso1812.azurewebsites.net), and App Service verifies ownership of the name through a TXT record (asuid.www, containing the app's custom domain verification ID) before the hostname can be added. Serving the root domain as well would require an A record pointing at the app's IP address plus a TXT record for verification. For HTTPS, upload a PFX file containing the TLS/SSL certificate and its private key to the web app and create a TLS binding for www.contoso.com; the S1 plan supports custom domains and SSL bindings. Reference: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
Question 49 of 64
49. Question
Case Study: Company1 (the same case study and exhibits 1 to 5 as in Question 46 above).
You create User6 and assign him the Owner role at the Cloud subscription level.
In which resource groups should User6 create a new Azure virtual machine (VM) and a container registry? To answer, select the appropriate options from the drop-down menus.
Correct
Even if a user is assigned the Owner role in a subscription, resource group locks and Azure Policy are applied.
User6 should provision an Azure VM in resource groups RG1 and RG2 only. The Azure policy on RG2 allows only VMs to be provisioned, and the policy on RG1 only prevents a container registry from being provisioned.
User6 should provision the container registry only in RG4. The Azure policies on RG1 and RG3 prevent User6 from provisioning a container registry in those resource groups, and the policy on RG2 allows only VMs to be provisioned there. RG4 has no restriction on provisioning a container registry.
User6 should not provision any resources in RG3 because a ReadOnly lock is applied to that resource group; a ReadOnly lock rejects every write operation, including creating new resources. The CanNotDelete (delete) lock applied to the other resource groups does not stop you from provisioning new resources; it only prevents deleting the existing ones.
Question 50 of 64
50. Question
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
The tenant contains the named locations shown in the following table.
You create the conditional access policies for a cloud app named App1 as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct
Conditional Access does not stop at the first match: every policy is evaluated, all policies whose assignments match the sign-in apply together, an excluded user never matches a policy even if included elsewhere, and a Block control overrides any grant control.
Yes: User1 is excluded from Policy1, because exclusion takes precedence over inclusion. Policy2 matches User1 and grants access with MFA.
Yes: User2 is excluded from Policy1. Policy2 does not include User2. Policy3 includes User2 but its location condition is not met, so it does not apply. Policy4 matches User2 and grants access with MFA.
No: User2 is excluded from Policy1 and Policy2 does not include User2. Policy3 matches both the user and the location and blocks access; the block wins even though Policy4 also matches and would grant access with MFA.
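The combination rules described above can be checked mechanically. The following is an added example written for this page, not part of the practice test and not Microsoft's policy engine: a small model of Conditional Access evaluation (all matching policies apply, exclusions win over inclusions, Block overrides any grant). The real policy table is not reproduced on this page, so the four policies, the user names and the location names below are constructed assumptions shaped to match the explanation.

```python
"""
Added example: minimal model of Azure AD Conditional Access policy combination.
Every policy is evaluated; all policies whose assignments match apply together;
an excluded user never matches a policy; a Block control beats every grant.
POLICIES below is a constructed set (assumption), not the page's real table.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL_USERS = "all"


@dataclass(frozen=True)
class Policy:
    name: str
    include_users: FrozenSet[str]                 # user names, or {ALL_USERS}
    exclude_users: FrozenSet[str] = frozenset()
    locations: Optional[FrozenSet[str]] = None    # None = any location
    control: str = "mfa"                          # "mfa" (grant with MFA) or "block"


def policy_applies(policy: Policy, user: str, location: str) -> bool:
    """Assignment matching: exclusions win over inclusions, and every configured
    condition (here: users and named locations) must match for the policy to apply."""
    if user in policy.exclude_users:
        return False
    if ALL_USERS not in policy.include_users and user not in policy.include_users:
        return False
    if policy.locations is not None and location not in policy.locations:
        return False
    return True


def evaluate(policies: List[Policy], user: str, location: str) -> Tuple[str, List[str]]:
    """Return (outcome, names of the policies that applied).
    outcome is 'block', 'allow' (no policy matched) or 'grant:<controls>'."""
    applied = [p for p in policies if policy_applies(p, user, location)]
    names = [p.name for p in applied]
    if any(p.control == "block" for p in applied):
        return "block", names                     # block wins over every grant control
    if not applied:
        return "allow", names
    controls = sorted({p.control for p in applied})
    return "grant:" + "+".join(controls), names


# Constructed policy set for App1 (assumption, shaped to match the explanation above).
POLICIES = [
    Policy("Policy1", frozenset({ALL_USERS}), exclude_users=frozenset({"User1", "User2"}), control="block"),
    Policy("Policy2", frozenset({"User1"}), control="mfa"),
    Policy("Policy3", frozenset({"User2"}), locations=frozenset({"Location1"}), control="block"),
    Policy("Policy4", frozenset({"User2"}), control="mfa"),
]


def answer_sheet() -> dict:
    """The hot-area statements reduced to the outcome for each user and location."""
    return {
        "User1 from Location2": evaluate(POLICIES, "User1", "Location2")[0],
        "User2 from Location2": evaluate(POLICIES, "User2", "Location2")[0],
        "User2 from Location1": evaluate(POLICIES, "User2", "Location1")[0],
        "User3 from Location2": evaluate(POLICIES, "User3", "Location2")[0],
    }


if __name__ == "__main__":
    for case, outcome in answer_sheet().items():
        print(f"{case}: {outcome}")
```

The third case is the one that trips people up: Policy4 would grant User2 access with MFA, but Policy3 also applies from Location1, and a single Block is enough to deny the sign-in regardless of how many other policies would have granted it.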
Question 51 of 64
51. Question
You create resources in an Azure subscription as shown in the following table.
VNET1 contains two subnets named Subnet1 and Subnet2. Subnet1 has a network ID of 10.0.0.0/24. Subnet2 has a network ID of 10.1.1.0/24.
Contoso1901 is configured as shown in the exhibit. (Click the Exhibit tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct
Box 1: Yes –
Access from Subnet1 is allowed.
Box 2: No –
No access from Subnet2 is allowed.
Box 3: Yes –
Access from IP address 193.77.10.2 is allowed.
Question 52 of 64
52. Question
You have an Azure subscription named Sub1. You have an Azure Storage account named sa1 in a resource group named RG1. Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies. You discover that unauthorized users accessed both the file service and the blob service. You need to revoke all access to sa1. Solution: You create a lock on sa1. Does this meet the goal?
Correct
No, this does not meet the goal. A resource lock (CanNotDelete or ReadOnly) acts on the Azure Resource Manager control plane: it stops the storage account from being deleted or modified, but it has no effect on the data plane, so every existing SAS keeps working. A SAS stays valid as long as its signature verifies against one of the account's current access keys, it has not expired, and any stored access policy it references still exists. To revoke all access you must regenerate the account access keys (which invalidates every SAS signed with them, including ad-hoc SAS that reference no policy) and delete or rename the stored access policies. To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures associated with it. Reference: https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
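To see why a lock changes nothing while key rotation and policy deletion do, it helps to look at what a SAS actually is. The following is an added example written for this page, not from the practice test and not the Azure SDK: a simplified model of how a service SAS is signed (an HMAC-SHA256 over the request parameters under an account key) and validated. The real string-to-sign has more fields; the account name, resource paths, policy identifier and the lock attribute are hypothetical.

```python
"""
Added example (not from the practice test, not Microsoft's SDK): a simplified model
of service SAS signing and validation, to show which actions revoke access.
Real Azure signs a longer string-to-sign; the point survives the simplification:
a SAS is an HMAC over its parameters under an account key and is honoured while
(a) the signature verifies against a current key, (b) it has not expired and
(c) any stored access policy it names still exists.  A resource lock is never
consulted on this data path.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


class StorageAccount:
    """Hypothetical sa1: two account keys, stored access policies, an ARM lock."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.keys: Dict[str, bytes] = {"key1": secrets.token_bytes(32), "key2": secrets.token_bytes(32)}
        self.stored_policies: Dict[str, Dict[str, str]] = {}   # identifier -> {"sp", "se"}
        self.lock: Optional[str] = None                        # "CanNotDelete" or "ReadOnly"

    def set_stored_policy(self, identifier: str, permissions: str, expiry: str) -> None:
        self.stored_policies[identifier] = {"sp": permissions, "se": expiry}

    def regenerate_key(self, key_name: str) -> None:
        self.keys[key_name] = secrets.token_bytes(32)


def _string_to_sign(resource: str, permissions: str, expiry: str, identifier: str) -> str:
    # Simplified; the real format adds start time, IP range, protocol, version, etc.
    return "\n".join([permissions, expiry, resource, identifier])


def _sign(key: bytes, text: str) -> str:
    return base64.b64encode(hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()).decode()


def create_sas(account: StorageAccount, key_name: str, resource: str,
               permissions: str = "", expiry: str = "", identifier: str = "") -> Dict[str, str]:
    """An ad-hoc SAS carries sp/se itself; a policy-bound SAS leaves them empty
    and names the stored access policy through si."""
    sig = _sign(account.keys[key_name], _string_to_sign(resource, permissions, expiry, identifier))
    return {"sr": resource, "sp": permissions, "se": expiry, "si": identifier, "sig": sig}


def validate_sas(account: StorageAccount, token: Dict[str, str], now: datetime) -> Tuple[bool, str]:
    """The data-plane check the storage service performs.  account.lock is ignored on
    purpose: locks protect the resource object in ARM, not requests against its data."""
    if token["si"]:
        policy = account.stored_policies.get(token["si"])
        if policy is None:
            return False, "stored access policy not found (deleted or renamed)"
        permissions, expiry = policy["sp"], policy["se"]
    else:
        permissions, expiry = token["sp"], token["se"]
    if not permissions:
        return False, "no permissions"
    if expiry and now >= datetime.fromisoformat(expiry):
        return False, "expired"
    text = _string_to_sign(token["sr"], token["sp"], token["se"], token["si"])
    for key in account.keys.values():                 # either account key is accepted
        if hmac.compare_digest(_sign(key, text), token["sig"]):
            return True, "ok:" + permissions
    return False, "signature does not verify against any current account key"


def revocation_walkthrough() -> Dict[str, bool]:
    """Which actions revoke an ad-hoc SAS and a policy-bound SAS issued on sa1?"""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    later = (now + timedelta(days=30)).isoformat()
    sa1 = StorageAccount("sa1")
    sa1.set_stored_policy("readers", "rl", later)
    adhoc = create_sas(sa1, "key1", "/blob/sa1/container1", permissions="rw", expiry=later)
    bound = create_sas(sa1, "key2", "/file/sa1/share1", identifier="readers")
    results: Dict[str, bool] = {}
    results["both valid initially"] = validate_sas(sa1, adhoc, now)[0] and validate_sas(sa1, bound, now)[0]
    sa1.lock = "CanNotDelete"                         # the proposed solution from the question
    results["lock revokes adhoc"] = not validate_sas(sa1, adhoc, now)[0]
    results["lock revokes bound"] = not validate_sas(sa1, bound, now)[0]
    del sa1.stored_policies["readers"]                # delete (or rename) the stored access policy
    results["policy delete revokes bound"] = not validate_sas(sa1, bound, now)[0]
    results["policy delete revokes adhoc"] = not validate_sas(sa1, adhoc, now)[0]
    sa1.regenerate_key("key1")                        # rotate the key the ad-hoc SAS was signed with
    results["key rotation revokes adhoc"] = not validate_sas(sa1, adhoc, now)[0]
    return results


if __name__ == "__main__":
    for action, revoked in revocation_walkthrough().items():
        print(f"{action}: {revoked}")
```

The walkthrough shows the asymmetry that matters for the question: deleting the stored access policy kills only the SAS tokens bound to it, the lock kills none, and only regenerating the account keys (both of them, in a real account) invalidates every SAS at once.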
Question 53 of 64
53. Question
You have the hierarchy of Azure resources shown in the following exhibit.
RG1, RG2, and RG3 are resource groups.
RG2 contains a virtual machine named VM1.
You assign role-based access control (RBAC) roles to the users shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 54 of 64
54. Question
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1. You plan to publish several apps in the tenant. You need to ensure that User1 can grant admin consent for the published apps. Which two possible user roles can you assign to User1 to achieve this goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
Correct
Tenant-wide admin consent can be granted by a user holding the Cloud Application Administrator role or the Application Administrator role; these are the two roles to assign to User1. Global Administrator and Privileged Role Administrator can also grant admin consent, but they are far broader than the task requires and should not be assigned just for this. One caveat: Application Administrator and Cloud Application Administrator cannot consent to Microsoft Graph application permissions (app roles); those still need Global Administrator or Privileged Role Administrator. Reference: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
Question 55 of 64
55. Question
You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1. You have 100 on-premises servers that run Windows Server 2012 R2 and Windows Server 2016. The servers connect to LAW1. LAW1 is configured to collect security-related performance counters from the connected servers. You need to configure alerts based on the data collected by LAW1. The solution must meet the following requirements: Alert rules must support dimensions. The time it takes to generate an alert must be minimized. Alert notifications must be generated only once when the alert is generated and once when the alert is resolved. Which signal type should you use when you create the alert rules?
Correct
Use the Metric signal type. Metric alerts in Azure Monitor notify you when a metric crosses a threshold, and the Windows performance counters collected by LAW1 can be surfaced as metrics (metric alerts for logs), so this works for the on-premises servers. Metric alerts satisfy all three requirements: they support dimensions, so one rule can fan out across servers or counter instances; they are evaluated at a fixed frequency with lower latency than a log search alert, which has to wait for ingestion and then run a query; and they are stateful, firing once when the condition becomes true and once more when it resolves instead of notifying on every evaluation. Note: Signals are emitted by the target resource and can be of several types: Metric, Activity log, Application Insights, and Log. Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric
Question 56 of 64
56. Question
Your company owns an Azure Active Directory (Azure AD) tenant named myCompany.com. You create a subscription in the tenant named subscriptionA. The tenant has the users, the roles defined in Azure AD, and the subscriptionA level shown in the exhibit.
You have a resource group named resourcegroup1 in subscriptionA.
You need to understand how these role assignments affect the ability of users to perform tasks in resourcegroup1.
Which users can perform the actions specified in the answer area? To answer, select the appropriate options from the drop-down menus.
Correct
Only User1 would be able to manage permissions on resourcegroup1. With the built-in roles, only Owner (or User Access Administrator) includes the Microsoft.Authorization/roleAssignments/write action needed to manage access to Azure resources. The Conditional Access Administrator, Contributor, and Security Admin roles do not have permission to manage user access across Azure resources.
User1 and User2 would be able to create a VM in resourcegroup1. The Contributor role grants all permissions to manage resources in Azure except the ability to manage access control on them. The Security Admin role does not have permission to create a VM in Azure, and Conditional Access Administrator is an Azure AD role that carries no rights on Azure resources at all.
Only User1 can register applications in the tenant. Registering applications is a tenant-level (Azure AD) operation, so it is governed by Azure AD roles rather than by subscription roles. The Application Developer role has permission to register an application in the tenant; this matters when the tenant's default setting that lets every user register applications has been turned off, which this scenario assumes. The Conditional Access Administrator role only provides permission to manage the Conditional Access configuration of the tenant.
Question 57 of 64
57. Question
Your company has an Azure subscription that is associated with an Azure Active Directory (Azure AD) tenant. You develop a mobile app and install it on your company devices. Your device needs to access protected resources on your tenant for which your app would use OAuth 2 code grant to acquire Azure AD access tokens. You need to register your app in Azure AD. What information should you provide to register your app in Azure AD? Choose the correct answer
Correct
You should provide a redirect URI. Azure AD returns the authorization code, and later the token responses, only to a redirect URI that is registered on the app; a request naming any other redirect_uri is answered with an error page instead of a redirect, which is what prevents an attacker from capturing the code. An app registration can be completed without a redirect URI, but the OAuth 2 authorization code grant will not work for your mobile application until one is configured for the registered app. You should not provide a service principal object ID. The service principal is created for you when the app is registered; its object ID is what you later use to assign the app permissions on resources in Azure subscriptions. You should not provide a client certificate. A client certificate is a credential you add to the registration if you want the app to authenticate with a certificate instead of a client secret, and a mobile (public client) app cannot protect such a credential anyway. You should not provide an application ID. The application (client) ID is generated by Azure AD when the app is registered, not supplied by you.
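The following is an added example, not part of the original test, showing where the redirect URI is used once the app is registered: it registers a public-client app with the Microsoft Graph PowerShell SDK, builds the authorization request (with PKCE, as a mobile app should) and exchanges the returned code for tokens. The display name, the msauth:// redirect URI and the requested scope are assumptions; the tenant ID comes from the signed-in session.

```powershell
# Added example: register a public-client (mobile) app and walk the authorization-code grant.
# Requires the Microsoft.Graph.Applications module; Connect-MgGraph opens an interactive sign-in.
Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null
$tenantId = (Get-MgContext).TenantId

# Assumed value: a mobile app registers a custom-scheme URI that only it can receive on the device.
$redirectUri = 'msauth://com.example.mobile/redirect'

$app = New-MgApplication -DisplayName 'Example Mobile App' -SignInAudience 'AzureADMyOrg' `
    -IsFallbackPublicClient `
    -PublicClient @{ RedirectUris = @($redirectUri) }

function New-PkcePair {
    # Returns a code_verifier and its S256 code_challenge (RFC 7636), both base64url encoded.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $verifier  = [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    $hash      = [System.Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::ASCII.GetBytes($verifier))
    $challenge = [Convert]::ToBase64String($hash).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    [pscustomobject]@{ Verifier = $verifier; Challenge = $challenge }
}

function New-AuthorizeUrl {
    param([string]$TenantId, [string]$ClientId, [string]$RedirectUri, [string]$Scope, [string]$CodeChallenge, [string]$State)
    # redirect_uri must match a URI registered on the app byte for byte; otherwise Azure AD
    # rejects the request (AADSTS50011) before the user sees a sign-in page.
    $query = @(
        "client_id=$([uri]::EscapeDataString($ClientId))"
        'response_type=code'
        "redirect_uri=$([uri]::EscapeDataString($RedirectUri))"
        "scope=$([uri]::EscapeDataString($Scope))"
        "code_challenge=$CodeChallenge"
        'code_challenge_method=S256'
        "state=$State"
    ) -join '&'
    "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/authorize?$query"
}

function Get-TokenFromCode {
    param([string]$TenantId, [string]$ClientId, [string]$RedirectUri, [string]$Code, [string]$CodeVerifier)
    # Second leg: the code that arrived at the redirect URI is exchanged for tokens. A public client
    # sends no client secret; the PKCE verifier binds this exchange to the original request.
    Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
        client_id     = $ClientId
        grant_type    = 'authorization_code'
        code          = $Code
        redirect_uri  = $RedirectUri
        code_verifier = $CodeVerifier
    }
}

$pkce  = New-PkcePair
$state = [guid]::NewGuid().ToString('N')
New-AuthorizeUrl -TenantId $tenantId -ClientId $app.AppId -RedirectUri $redirectUri `
    -Scope 'openid offline_access https://graph.microsoft.com/User.Read' -CodeChallenge $pkce.Challenge -State $state
# The app opens that URL in the system browser. When Azure AD redirects to "$redirectUri?code=...&state=...",
# the app checks that state matches, then calls Get-TokenFromCode with the code and $pkce.Verifier.
```

Note that the same redirect_uri is sent again in the token request; a mismatch there is rejected too, which is why the value must be fixed at registration time rather than chosen by the app at run time.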
Question 58 of 64
You are managing an Azure Active Directory (Azure AD) tenant that has a linked subscription named Subscription1. For billing purposes, your organization requires every resource created in the subscription to be tagged with cost center and product name information. Although you have communicated the requirement to your administrators, you notice that many resources do not have the required tag values filled in.
You need to enforce the cost center and product name tags at every resource creation with the least administrative effort. You create two Azure Policy definitions: costcenterTag1 and productnameTag1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.
You should perform the following steps in order:
1. Create an Initiative definition.
2. Add costcenterTag1 and productnameTag1 to the Initiative definition.
3. Assign the Initiative definition to Subscription1.
First, you should create an Initiative definition. An Initiative definition is a collection of Policy definitions that serve one goal. Grouping Policy definitions into an Initiative reduces administrative effort because the group is assigned, and later changed, as a single unit.
Next, you should add costcenterTag1 and productnameTag1 to the newly created Initiative definition. This combines the two requirements that must be enforced to achieve the common goal.
Finally, you should assign the Initiative definition to Subscription1. The assignment is what puts the policies into effect; a deny effect is evaluated on every create or update request in the subscription from then on, while resources that already lack the tags are only reported as non-compliant.
You should not assign the Initiative definition to resource groups. That would also enforce the required tags, but not with the least administrative effort: unlike a single assignment at subscription scope, you would have to assign the Initiative again every time an administrator creates a resource group.
You should not assign costcenterTag1 and productnameTag1 individually to Subscription1. That would also enforce the required tags, but every Policy definition would have to be assigned and maintained separately, so administrative effort would not be minimized.
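As an added example (not part of the original test), the three steps above in Az PowerShell, including the rule body of the two "require tag" definitions the question takes as given. The subscription ID is a parameter; the display names and the initiative name are assumptions.

```powershell
# Added example: two "require tag" policy definitions grouped into one initiative and assigned once
# at subscription scope. Requires the Az.Resources module and a signed-in session (Connect-AzAccount).
param([Parameter(Mandatory)][string]$SubscriptionId)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

function New-RequireTagRule {
    # Policy rule: deny the request when the named tag is absent from the resource being created or updated.
    param([string]$TagName)
    @{
        if   = @{ field = "tags['$TagName']"; exists = 'false' }
        then = @{ effect = 'deny' }
    } | ConvertTo-Json -Depth 5
}

# Mode Indexed evaluates only resource types that support tags and location, so the deny does not
# break resource types that cannot carry tags at all.
New-AzPolicyDefinition -Name 'costcenterTag1' -DisplayName "Require tag 'costcenter'" `
    -Mode Indexed -Policy (New-RequireTagRule -TagName 'costcenter') | Out-Null
New-AzPolicyDefinition -Name 'productnameTag1' -DisplayName "Require tag 'productname'" `
    -Mode Indexed -Policy (New-RequireTagRule -TagName 'productname') | Out-Null

# Initiative (policy set) definition that references both definitions by resource ID.
$defPrefix = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/policyDefinitions"
$members = ConvertTo-Json -Depth 5 -InputObject @(
    @{ policyDefinitionId = "$defPrefix/costcenterTag1" }
    @{ policyDefinitionId = "$defPrefix/productnameTag1" }
)
$initiative = New-AzPolicySetDefinition -Name 'requiredBillingTags1' `
    -DisplayName 'Required billing tags' -PolicyDefinition $members

# One assignment at subscription scope covers every resource group, including ones created later.
New-AzPolicyAssignment -Name 'requiredBillingTags1' -DisplayName 'Required billing tags' `
    -Scope "/subscriptions/$SubscriptionId" -PolicySetDefinition $initiative | Out-Null

# Check: the assignment exists at the subscription scope.
Get-AzPolicyAssignment -Name 'requiredBillingTags1' -Scope "/subscriptions/$SubscriptionId"
```

The deny effect only affects new PUT/PATCH requests; resources that were already created without the tags show up as non-compliant in the compliance view but are not changed. Backfilling them would need a separate definition with the modify effect and a remediation task.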
Question 59 of 64
Your company has an Azure subscription associated with an Azure Active Directory (Azure AD) tenant named company.net.
The company is developing an application named App1 that runs on a Linux Ubuntu server provisioned in this Azure subscription.
App1 runs as a background service and does not need a signed-in user. App1 needs to call the Microsoft Graph API for company.net to export user data from this tenant. You need to delegate the required permissions to App1 following the principle of least privilege. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.
You should perform the following actions in order:
1. Create an app registration.
2. Add an application permission.
3. Grant permissions.
You should first create an app registration. The registration creates an identity for the application in the tenant: an application object and a service principal. The service principal is the security principal that receives the Microsoft Graph permission (it is also what would be assigned Azure role-based access control (RBAC) roles on subscription resources, which App1 does not need here). Granting it only the permission needed to export user data is what limits the application.
You then add an application permission. Application permissions are used by applications that run without a signed-in user, such as a background service; Microsoft Graph exposes them as app roles, and they always require admin consent.
The last step is to grant the permission, that is, give admin consent. User.Export.All is the Graph application permission that allows exporting user data, and it is the only permission App1 needs.
You should not configure Azure AD Application Proxy for this scenario. Application Proxy provides remote access to on-premises web applications, and App1 runs in Azure.
You should not add a delegated permission. Delegated permissions are used by applications that act on behalf of a signed-in user, using that user's identity for requests. App1 runs as a background service and has no signed-in user.
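The three steps as an added example in the Microsoft Graph PowerShell SDK (this is not code from the original test). It looks up the User.Export.All app role on the Microsoft Graph service principal, registers App1 requesting only that role, creates the service principal and grants admin consent by assigning the role to it. The display name and credential name are assumptions; the Microsoft Graph application ID is the well-known value.

```powershell
# Added example: register App1, request the Graph application permission User.Export.All and grant
# admin consent for it. Requires Microsoft.Graph.Applications and an admin who can consent.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known application ID of Microsoft Graph
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Application permissions are the Graph service principal's app roles with AllowedMemberTypes = Application.
$role = $graphSp.AppRoles | Where-Object { $_.Value -eq 'User.Export.All' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw 'User.Export.All application permission not found on Microsoft Graph' }

# 1. App registration, declaring the single permission it will need (Type 'Role' = application permission).
$app = New-MgApplication -DisplayName 'App1' -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{ ResourceAppId = $graphAppId; ResourceAccess = @( @{ Id = $role.Id; Type = 'Role' } ) }
)

# 2. Service principal: the identity in the tenant that actually holds the permission.
$sp = New-MgServicePrincipal -AppId $app.AppId

# 3. Admin consent: assign the app role to App1's own service principal.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null

# Credential the background service will use for the client-credentials flow. A certificate is the
# better choice; a secret is shown for brevity and belongs in a vault, not on the VM's disk.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{ DisplayName = 'App1 service' }

# Check: exactly one granted app role, and it is User.Export.All.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Select-Object @{ n = 'Permission'; e = { ($graphSp.AppRoles | Where-Object Id -eq $_.AppRoleId).Value } }, ResourceDisplayName
```

The final check is the least-privilege review: anything beyond the one row for User.Export.All means the app has been granted more than the scenario calls for.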
Question 60 of 64
Refer to the exhibit. Your company has an Azure Active Directory (Azure AD) tenant. You configure users in the tenant with group membership and multi-factor authentication (MFA) status as shown in the exhibit.
You create an Azure AD Identity Protection sign-in risk policy and enforce it on your tenant. The policy has the following settings:
Assignments: Include Group1, exclude Group2
Conditions: Sign-in risk level: Medium and above
Access: Allow access, Require multi-factor authentication
You need to determine how each of the defined users would experience sign-in to your Azure AD tenant.
What would the sign-in behavior be in each scenario? To answer, select the appropriate options from the drop-down menus.
When User1 signs in from an unfamiliar location, the sign-in will be blocked. User1 is in Group1, which is assigned the sign-in risk policy for risk level Medium and above. A sign-in with unfamiliar properties is a medium-risk detection, so the policy requires MFA; because User1 has not registered for MFA, the requirement cannot be satisfied and the sign-in is blocked.
When User2 signs in from an anonymous IP address, the user will be prompted for MFA. User2 belongs to Group1, which is included in the sign-in risk policy, and to Group2, which is excluded. An exclusion overrides an inclusion, so the sign-in risk policy itself does not apply to User2. However, User2 has per-user Azure AD Multi-Factor Authentication in the Enabled state. A user in that state is prompted to complete MFA registration at the next sign-in, after which the state changes to Enforced. User2 is therefore prompted for MFA to complete the registration process.
When User3 signs in from an infected device, the sign-in will be blocked. User3 is in Group1, which is assigned the sign-in risk policy for risk level Medium and above. A sign-in from an infected device is a medium-risk detection, so the policy requires MFA; because User3 has not registered for MFA, the sign-in is blocked.
Question 61 of 64
You are responsible for administering security in your organization's Azure environment. The environment contains multiple subscriptions. The security management board has agreed on a set of security policies for Azure resource management and has requested you to implement them globally in your Azure tenant. You start defining the policy. You need to identify a location for the policy that satisfies the requirements of the security management board. Which location should you identify? Choose the correct answer
You should identify a management group as the location for the policy. The first decision when defining a policy is the location of the policy definition. The definition location sets the scope within which the definition can be assigned, and therefore the resources it can evaluate. A policy definition can be located in a management group or in a subscription. Because your organization has multiple subscriptions and the policy has to apply globally, you should locate the definition in a management group that contains those subscriptions.
You should not identify a resource group, or an individual resource, as the location for the policy. Azure Policy does not support either as a definition location; the only supported definition locations are management groups and subscriptions.
You should not identify a subscription as the location for the policy. A definition located in a subscription can only be assigned to scopes within that subscription, so it cannot cover the other subscriptions. A management group is a container that organizes multiple subscriptions, so a definition located there can be assigned once at the management group and is inherited by every subscription beneath it.
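An added example (not from the original test) of using a management group as the definition location in Az PowerShell: it creates the group, places subscriptions under it, defines a policy there and assigns it at the same scope. The group name, the subscription IDs and the sample rule (deny storage accounts that do not require HTTPS) are assumptions; the question does not name the board's policies.

```powershell
# Added example: one definition and one assignment at a management group cover every subscription
# under it. Requires Az.Resources and a signed-in session with rights on the management group hierarchy.
param(
    [string]$GroupName = 'security-baseline',   # assumed management group name
    [string[]]$SubscriptionIds = @()            # subscriptions to move under the group
)

New-AzManagementGroup -GroupName $GroupName -DisplayName 'Security baseline' | Out-Null
foreach ($id in $SubscriptionIds) {
    New-AzManagementGroupSubscription -GroupName $GroupName -SubscriptionId $id
}

# Sample security rule (assumed): refuse storage accounts that accept plain HTTP.
$rule = @{
    if   = @{ field = 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly'; equals = 'false' }
    then = @{ effect = 'deny' }
} | ConvertTo-Json -Depth 5

# -ManagementGroupName sets the definition location. The definition can then be assigned at this
# management group or at any subscription or child group beneath it, but nowhere outside the subtree.
$def = New-AzPolicyDefinition -Name 'storage-https-only' -DisplayName 'Storage accounts must require HTTPS' `
    -ManagementGroupName $GroupName -Mode Indexed -Policy $rule

New-AzPolicyAssignment -Name 'storage-https-only' -DisplayName 'Storage accounts must require HTTPS' `
    -Scope "/providers/Microsoft.Management/managementGroups/$GroupName" -PolicyDefinition $def | Out-Null

# Check: the definition resolves at management-group scope rather than under any one subscription.
Get-AzPolicyDefinition -Name 'storage-https-only' -ManagementGroupName $GroupName
```

A subscription added to the group later inherits the assignment without any further action, which is the property the board's "globally" requirement depends on.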
Question 62 of 64
A company has over a hundred Windows Server 2016 VMs running in the Azure West Europe region. Machines start and stop automatically by using an Azure Automation runbook, and updates are managed by using Azure Update Management. You learn of a Microsoft security vulnerability that affects the Windows Server 2016 operating system. The vulnerability is fixed by installing a hotfix. You need to create a report of the systems that do not have the hotfix installed. What should you do to generate the report? Choose the correct answer
You should use Update Management from the Automation account, select the hotfix from the missing updates list, and export the results to a CSV file. When Update Management is enabled, it uses an existing Automation account or creates one for you, and the virtual machines (VMs) it covers are assessed for compliance on a schedule; the assessment results are written to the linked Log Analytics workspace. Selecting the hotfix in the missing updates list opens Log Analytics with a generated Kusto Query Language (KQL) query over the stored assessment data that lists the VMs still needing the update, and the results can be exported to a CSV file. Because the report is built from stored assessment data, it does not depend on the VMs being powered on when the report is produced. You should not use the Get-HotFix cmdlet. It lists installed hotfixes on local and remote machines, so you could derive which VMs lack the update, but querying over a hundred machines this way is resource-intensive and requires all of them to be powered on. You should not use WMI or the Get-ChildItem cmdlet to connect remotely to each machine, search for the hotfix, and export the results to a CSV file. Both approaches require every VM to be powered on, are resource-intensive, and can be inaccurate.
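The query the portal generates can also be run directly against the workspace, which is what the following added example does (it is not code from the original test). It queries the Update table for machines whose latest assessment still reports the hotfix as needed and exports them to CSV. The workspace ID and KB number are parameters; no particular hotfix is assumed.

```powershell
# Added example: Update Management's "missing updates" data queried from PowerShell and exported.
# Requires Az.OperationalInsights and read access to the automation account's linked workspace.
param(
    [Parameter(Mandatory)][string]$WorkspaceId,   # Log Analytics workspace (customer) ID
    [Parameter(Mandatory)][string]$KbNumber,      # digits of the hotfix KB; the Update table stores KBID without the "KB" prefix
    [string]$OutFile = '.\missing-hotfix.csv'
)

# Update Management writes one Update row per computer and update per assessment. Keep the newest row
# per (Computer, UpdateID), then keep those still reported as Needed. A VM that has been powered off
# keeps its last assessment, so LastAssessed shows how fresh each line is.
$kql = @"
Update
| where TimeGenerated > ago(7d)
| where OSType != "Linux" and Optional == false
| where KBID == "$KbNumber"
| summarize arg_max(TimeGenerated, *) by Computer, UpdateID
| where UpdateState == "Needed"
| project Computer, KBID, Title, Classification, LastAssessed = TimeGenerated
| order by Computer asc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$rows = @($result.Results)
$rows | Export-Csv -Path $OutFile -NoTypeInformation
'{0} machine(s) still missing KB{1}; written to {2}' -f $rows.Count, $KbNumber, $OutFile
```

A machine absent from the output is not necessarily patched: it may never have been assessed, or its assessment may predate the hotfix. Comparing the Computer column against the machines reporting in the Heartbeat table closes that gap.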
Question 63 of 64
Your company uses a centralized system for payroll and expense payments. The payroll system is secured by Azure Active Directory (Azure AD) groups, and access is delegated to two groups. The Payroll Administrators group grants access to payroll data. The Expense Administrators group grants access to expense data. When a new payroll user is created, access is requested by the user's line manager. In the past, access to payroll data was incorrectly granted to new users. The mistake is sometimes rectified months after the creation of the new account. You need to implement a solution allowing the payroll manager to check and remediate access to the payroll data on a regular basis. What should you do? Choose the correct answer
You should create an access review with a monthly frequency for the Payroll Administrators group and select the payroll manager as the reviewer. Access reviews can be run once or on a recurring schedule. A review presents the group's members to the chosen reviewer, here the payroll manager, who approves or denies each member. Denied members are removed from the group when the review's decisions are applied: automatically if auto-apply is enabled on the review, otherwise by an administrator applying the results. You should not create a scheduled task that uses the Get-ADGroupMember cmdlet to send the Payroll Administrators group members to the payroll manager. Get-ADGroupMember only retrieves the membership list, which could be exported to CSV; it gives the manager no way to remediate membership. You should not create an Azure Function that emails the payroll manager whenever a user is added to the Payroll Administrators group. That would inform the payroll manager of additions, but it is an unnecessarily complex solution, incurs additional cost, and provides no way to remediate users who were incorrectly added. You should not make the payroll manager the owner of the Payroll Administrators group. Group ownership neither notifies the manager of changes to the group nor provides a mechanism to regularly review and remediate its membership.
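The review described above, as an added example in the Microsoft Graph PowerShell SDK (not code from the original test): a monthly recurring access review of the Payroll Administrators group with the payroll manager as reviewer and auto-apply enabled, so that denied members are actually removed. The group is looked up by its name from the question; the manager's user principal name, the description and the seven-day review window are assumptions.

```powershell
# Added example: recurring monthly access review with automatic application of decisions.
# Requires Microsoft.Graph.Identity.Governance, Microsoft.Graph.Groups and Microsoft.Graph.Users.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All', 'Group.Read.All', 'User.Read.All' | Out-Null

$group    = Get-MgGroup -Filter "displayName eq 'Payroll Administrators'"
$reviewer = Get-MgUser -UserId 'payroll.manager@company.example'   # assumed UPN of the payroll manager

$definition = @{
    displayName          = 'Payroll Administrators - monthly membership review'
    descriptionForAdmins = 'Monthly check that only current payroll staff remain in the group.'
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$($group.Id)/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }
    reviewers = @(
        @{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        instanceDurationInDays          = 7
        # Without autoApplyDecisionsEnabled a Deny is only recorded; an administrator must apply it.
        autoApplyDecisionsEnabled       = $true
        # No default decision: members the reviewer does not act on are left unchanged.
        defaultDecisionEnabled          = $false
        defaultDecision                 = 'None'
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 1 }
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
$review | Select-Object Id, DisplayName, Status
```

Leaving defaultDecision at None is deliberate: with a default of Deny, a month in which the manager does not respond would remove every member.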
Question 64 of 64
Your company has a single subscription and two resource groups, one named production-rg and the other development-rg.
The network is configured as shown in the exhibit.
The development team regularly creates resources in the development-rg group and connects them to Subnet2. During testing, all development resources are reached over TCP port 80 or 443 from Subnet1.
You need to ensure that traffic to the development resources is allowed but all other traffic to Subnet2 is denied. What should you do? Choose the correct answer
You should create a new NSG and allow inbound traffic to TCP ports 80 and 443, and then assign the new NSG to Subnet2. When you create an NSG, the default system rules will block all traffic. Only traffic explicitly specified will be allowed. In this scenario, you create an inbound rule to allow TCP ports 80 and 443 from any source and then assign the NSG to Subnet2.
You should not create a new static route to the 10.2.1.0/24 subnet, set the next hop to VNET2, and then assign the new static route to Subnet1. Static routes are used to route traffic and do not allow or deny traffic.
You should not create a VNET peering between VNET1 and VNET2. By default, all subnets in a VNET are able to communicate with each other, but VNET-to-VNET communication only occurs if both VNETs are peered. Peering does not allow or deny traffic.
You should not create a new NSG, allow outbound traffic to TCP ports 80 and 443, and then assign the NSG to VNET1 and Subnet1. This would block all outbound traffic leaving Subnet1 other than TCP 80 and 443, and would be too restrictive.