27/11/2020 AZ-500 Exam – Free Actual Q&As, Page 1 | ExamTopics


Topic 1 - Question Set 1


Question #1 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access
policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You generate new SASs.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
Instead you should create a new stored access policy.
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks
the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately
affects all of the shared access signatures associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy

  anonymous654 11 months ago


I choose b
upvoted 1 times

  P4YDAY 10 months, 3 weeks ago


Why did you choose b?
upvoted 1 times

  PDR 9 months ago


I agree with B as just creating a new one does not affect the currently created SASs - so either delete, rename as stated or you could also
regenerate the KEY used to create the SAS, which would have the effect of disabling all SASs created with that previously generated key.
upvoted 4 times

  IsildursHeir 7 months, 2 weeks ago


I could not specifically find the documentation to associate service SAS with Stored Access Policy in docsMSFT, but found at this blog
https://husseinsalman.com/securing-access-to-azure-storage-part-5-stored-access-policy/
upvoted 3 times

  aythan09 6 months ago


A stored access policy [provides an additional level of control over service-level shared access signatures (SAS)] on the server side.
Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that
are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to
revoke it after it has been issued.

https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
upvoted 3 times

  AS007 7 months, 1 week ago


Given answer is correct
upvoted 2 times

  Ridgy 5 months, 3 weeks ago


Although changing the SASs would generate new ones, the scenario specifically states that users also use policies to access the resource.
Thus, without creating new policies, the current policies providing access remain.
upvoted 2 times

  lnn_az 5 months, 3 weeks ago


The correct answer is b.
As per the question, the SAS is used with a stored access policy, so this is a service SAS and it can be revoked only by modifying/deleting the stored
access policy. Creating a new SAS has no effect on an already available SAS.

For an account-level SAS, regenerating the access key is the only possibility.
upvoted 4 times

  ExamWynner 3 months, 1 week ago


Good point! First you need to understand storage account SAS vs. service SAS.
upvoted 2 times

  P0d 5 months, 2 weeks ago


SAS uses 2 keys, Key1 and Key2. If some users use SAS key1 and then you generate SAS key1 again, the users who were using that key will lose
their access. So for me, Answer: Yes
upvoted 1 times

  P0d 5 months, 2 weeks ago


Skip it. I mixed up the SAS key with the signature. Generating a new SAS is only needed if we have changes to the provided SAS (read, write, start and end times,
signing key, allowed protocol and so on).
Answer is B.
upvoted 1 times

  gfhbox0083 5 months ago


B, for sure.
upvoted 2 times

  Attaxhan 4 months ago


It's in the exam. I choose YES.
upvoted 2 times

  BobJayJay4 4 months ago


I see the exam was updated July 29th per the Microsoft web site. Topics removed, some added; does anyone know if this question will be on it?
Are there updated questions yet?
upvoted 4 times

  wzlinux 2 months, 2 weeks ago


I choose B
upvoted 1 times

  kiketxu 2 months ago


It's a YES. Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage
account keys.
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
upvoted 1 times

  kiketxu 6 days, 18 hours ago


Sorry forget my previous comment, I was wrong. The answer is B. Creating a new SAS will not revoke the old signatures.
upvoted 1 times

  Cpk 1 month, 4 weeks ago


I think the answer is YES because it says you need to revoke all access to Sa1. Generating new SASs will invalidate old ones and remove access
for everyone.
upvoted 3 times

  Cis 1 month ago


Answer is B
upvoted 1 times

  rand1220 1 month ago


I went for A because replacing SASs, which means changing the keys, should swap places with the old keys. Isn't it?
upvoted 1 times

  awssecuritynewbie 3 weeks, 4 days ago


This would be A: when you regenerate the access keys it will revoke any sort of access keys from before.
Ref: https://husseinsalman.com/securing-access-to-azure-storage-part-4-shared-access-signature/
The only way to avoid the resulting excessive access problem is to revoke the SAS by regenerating the key which was used for signing
when generating the SAS. If you're using the key in application code, you will end up having the same problem as discussed in the
previous article and you must follow the same process to rotate the account keys to avoid any downtime.
upvoted 2 times

  awssecuritynewbie 3 weeks, 3 days ago


ignore it
upvoted 2 times

  realname007 2 weeks, 3 days ago


Anyone know the answer for https://www.freecram.com/question/Microsoft.AZ-500.v2019-12-31.q55/you-are-evaluating-the-security-of-vm1-vm2-and-vm3-in-sub2-for-each-of-the-following-statements-select
upvoted 1 times

  jennyka76 2 weeks, 1 day ago

Answer - B. Read the whole article:


https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
It's called studying.
upvoted 2 times


Question #2 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access
policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You create a new stored access policy.
Does this meet the goal?

A. Yes

B. No

Correct Answer: A
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks
the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately
affects all of the shared access signatures associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
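The two solutions debated above (generating new SASs in Question #1, creating a new stored access policy in Question #2) and the revocation methods the explanation lists (delete or rename the policy, expire it, regenerate a key) can be checked against a model of how the service validates a token. The Python below is an added example written for this page, not Azure's code: it is a simplified model of service-SAS signing and verification (the real string-to-sign carries more fields), and the account keys, the container name container1 and the policy names policy1/policy2 are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def string_to_sign(permissions, start, expiry, resource, identifier):
    """Simplified string-to-sign. A real service SAS also covers version, protocol,
    IP range and response headers; these five fields are enough to model revocation."""
    return "\n".join([permissions, start, expiry, resource, identifier])


def hmac_sig(key_b64, message):
    """Base64(HMAC-SHA256(account key, string-to-sign)): the 'sig' query parameter."""
    digest = hmac.new(base64.b64decode(key_b64), message.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def new_key():
    return base64.b64encode(secrets.token_bytes(64)).decode("ascii")


@dataclass
class Policy:
    """Stored access policy on a container: its settings live on the server, not in the token."""
    permissions: str
    expiry: str  # ISO-8601 UTC timestamp, compared as a string


@dataclass
class StorageAccount:
    """Server-side state: the two account keys plus stored access policies per container."""
    keys: dict = field(default_factory=lambda: {"key1": new_key(), "key2": new_key()})
    policies: dict = field(default_factory=dict)  # container -> {signed identifier: Policy}

    def regenerate_key(self, name):
        self.keys[name] = new_key()

    def set_policy(self, container, identifier, policy):
        self.policies.setdefault(container, {})[identifier] = policy

    def rename_policy(self, container, old, new):
        # Changing the signed identifier breaks the link between the policy and existing signatures.
        self.policies[container][new] = self.policies[container].pop(old)


def issue_sas(account, key_name, resource, permissions="", start="", expiry="", identifier=""):
    """Client side: sign a service SAS with an account key. Nothing is recorded on the server."""
    sts = string_to_sign(permissions, start, expiry, resource, identifier)
    return {"sp": permissions, "st": start, "se": expiry, "sr": resource,
            "si": identifier, "sig": hmac_sig(account.keys[key_name], sts)}


def verify_sas(account, sas, operation, now):
    """Server side: True when the request is authorized under the current keys and policies."""
    sts = string_to_sign(sas["sp"], sas["st"], sas["se"], sas["sr"], sas["si"])
    # Either current account key may validate the signature; a regenerated key never does.
    if not any(hmac.compare_digest(hmac_sig(k, sts), sas["sig"]) for k in account.keys.values()):
        return False
    permissions, expiry = sas["sp"], sas["se"]
    if sas["si"]:  # token references a stored access policy by signed identifier
        policy = account.policies.get(sas["sr"].split("/")[0], {}).get(sas["si"])
        if policy is None:
            return False  # policy deleted or renamed: the association is broken
        permissions, expiry = permissions or policy.permissions, expiry or policy.expiry
    return bool(expiry) and expiry > now and operation in permissions


def revocation_demo(now="2020-11-27T00:00:00Z"):
    """Apply the solutions debated under Questions #1 and #2 and record which ones revoke access."""
    acct = StorageAccount()
    acct.set_policy("container1", "policy1", Policy("rw", "2021-12-31T00:00:00Z"))
    adhoc = issue_sas(acct, "key1", "container1/report.csv", "r", expiry="2021-06-30T00:00:00Z")
    bound = issue_sas(acct, "key2", "container1/report.csv", identifier="policy1")
    check = lambda: (verify_sas(acct, adhoc, "r", now), verify_sas(acct, bound, "r", now))
    results = {"before": check()}
    # Question #1 solution: generate new SASs. Existing tokens are untouched.
    issue_sas(acct, "key1", "container1/report.csv", "r", expiry="2021-06-30T00:00:00Z")
    results["new_sas"] = check()
    # Question #2 solution: create a new stored access policy. Also untouched.
    acct.set_policy("container1", "policy2", Policy("r", "2021-12-31T00:00:00Z"))
    results["new_policy"] = check()
    # Rename policy1 (change its signed identifier): the policy-bound SAS stops working.
    acct.rename_policy("container1", "policy1", "policy1-revoked")
    results["policy_renamed"] = check()
    # Restore policy1 but set its expiry in the past: same effect.
    acct.rename_policy("container1", "policy1-revoked", "policy1")
    acct.set_policy("container1", "policy1", Policy("rw", "2020-01-01T00:00:00Z"))
    results["policy_expired"] = check()
    # Restore it again, then regenerate key1: only tokens signed with key1 stop working.
    acct.set_policy("container1", "policy1", Policy("rw", "2021-12-31T00:00:00Z"))
    acct.regenerate_key("key1")
    results["key1_regenerated"] = check()
    acct.regenerate_key("key2")  # now every outstanding token is dead
    results["key2_regenerated"] = check()
    return results
```

`revocation_demo()` returns, per step, whether the ad-hoc SAS and the policy-bound SAS are still accepted; only renaming or expiring the policy, or regenerating the signing key, flips a token to invalid.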

  JohnCrawford 1 year, 1 month ago


I believe the correct answer to this is "No". You can have up to 5 access policies on an object. Creating a new one doesn't revoke the old one. To
revoke a stored access policy, you can delete it, rename it by changing the signed identifier, or change the expiry time to a value in the
past. Nowhere in the documentation does it say creating a new one revokes the old one.
upvoted 23 times

  awssecuritynewbie 1 month, 3 weeks ago


I agree, it just says create a new policy, not "delete" or revoke the existing one that has caused this issue
upvoted 1 times

  Kerbob 1 year ago


Agreed. Correct answer is "No". You only break associations by deleting or renaming an existing SAS policy.
upvoted 5 times

  Sedge 11 months, 2 weeks ago


The reasoning behind, "create a new stored access policy" being correct is that this policy can be created with an expiry date in the past,
thus revoking access to the shared access signature. This answer is indeed, 'Yes'.

Can you also revoke, delete, or modify an existing stored access policy? Sure, but that is not what this question is asking. Can access to a
SAS be revoked by creating a new stored access policy? Yes.
upvoted 11 times

  NS 9 months, 4 weeks ago


"Can access to a SAS be revoked by creating a new stored access policy?" Yes, but that was not the question :)
upvoted 3 times

  kristiann21 5 months, 4 weeks ago


Correct Answer No.

Shared access signatures provide access to a particular resource such as a blob. Stored access policies are a group of Shared Access
Signatures (SAS). In order to revoke access to a SAS you can either:

1. Rotate Key1 or Key2, that is the access keys used to sign the SAS. Rotating the access keys used to sign the SAS invalidates
any previously signed SAS, hence revoking the SASs issued before.

2. Remove the stored access policy which a SAS is linked to. If a Stored Access Policy is removed, it also invalidates the SASs linked to
the Stored Access Policy.

Creating a new Stored Access Policy? Well, it just creates a new Stored Access Policy and does nothing to the existing SAS and Stored
Access Policy.

So, the correct answer is 'No'.
upvoted 4 times

  S_Khan 8 months, 2 weeks ago


Answer "Yes" is correct. You can find the explanation in the article: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
"A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.
Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are
bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it
after it has been issued."
upvoted 15 times

  cybrtrk 7 months, 2 weeks ago


Sorry JohnCrawford, I'd have to agree with the 'yes' crowd.
Changing the policy - regardless of how many policies you have - is better than revoking your SAS keys. That's the point of using policies,
much easier to revoke and re-enable vs. having the pain of redistributing new sas keys.
upvoted 6 times

  IsildursHeir 7 months, 2 weeks ago


I would agree with the No crowd. The question is "You need to revoke all access to Sa1." Creating a new stored access policy does not
affect the existing SAS? Only changing or modifying the stored access policy that is associated with the existing SAS will influence it?
upvoted 2 times

  AS007 7 months, 1 week ago


The answer is correct
upvoted 2 times

  jam3sb0nd 7 months, 1 week ago


Creating a new access policy does not necessarily revoke the existing access policies. So, the answer should be no.
upvoted 1 times

  Tom84 7 months ago


The answer is correct
upvoted 2 times

  faltu1985 6 months, 3 weeks ago


Ans is NO - I just tested it also. Adding a new policy will not change the existing access. Only updating/deleting the existing one will
change the access.
upvoted 3 times

  joilec435 6 months, 3 weeks ago


YES - You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has
been issued.
upvoted 3 times

  Solanki 6 months, 3 weeks ago


It is quite logical that creating a new Access Policy should not do anything to the old one unless you modify or delete the existing one. I
would go with NO for sure.
upvoted 3 times

  peluca 6 months, 2 weeks ago


I agree with the NO crowd. Creating a new access policy doesn't revoke access to any old SAS. It's kind of logic
upvoted 1 times

  sf2020 6 months, 1 week ago


Answer is yes. This is provided in Microsoft documentation.
You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been
issued.
https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
upvoted 5 times

  examkid 6 months ago


To revoke a stored access policy, you can delete it, rename it by changing the signed identifier, or change the expiry time to a value in the
past. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy.
upvoted 1 times

  lnn_az 5 months, 3 weeks ago


Given answer is incorrect. Correct answer is 'NO'.
Creating a new Stored Access Policy does nothing. It just creates a new Stored Access Policy which can be used for future SAS creation, but
it doesn't revoke already available access to the storage account, which is apparently our goal.

there are 4 solutions to meet our goal.


1. Regenerate access keys Key 1 or Key 2. but this wouldn't be an optimal solution as we have to redistribute the new access keys.
2. Delete all the Stored Access Policy
3. Rename all the Stored Access Policy, which will change the identifier. Changing the signed identifier breaks the associations between
any existing signatures and the stored access policy
4. Change the expiry time to a value in the past for all the Stored Access Policy.
upvoted 5 times

  gfhbox0083 5 months ago


B, for sure
upvoted 1 times

  Bobo_Lee 5 months ago


The correct answer is 'B': a stored access policy is set up on the container, not on the SAS. A policy must be created before associating it to a SAS. So
creating a new policy won't revoke access granted to a former SAS with the old policy.
upvoted 2 times

  gboyega 4 months, 3 weeks ago


The answer is NO
In the documentation, it is not stated that creating another access policy would revoke the SAS

1. https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-polic
2. https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-storage-sharedaccesssignature-permissions
upvoted 1 times

  levo017 3 months ago


The answer 'Yes' is correct.
from: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
Define a stored access policy for a service SAS. Stored access policies give you the option to revoke permissions for a service SAS without
having to regenerate the storage account keys. Set the expiration on these very far in the future (or infinite) and make sure it's regularly
updated to move it farther into the future.

So, you can add a new Stored Access Policy and give it an immediate expiration datetime. This will essentially revoke all SAS.
upvoted 2 times

  server1 2 months, 4 weeks ago


I would say NO. The question states you create a new policy. This does not revoke the old policy; therefore it does not remove the old
access. To achieve this the old policy must be deleted, e.g. by changing the expiry date to a date in the past.
upvoted 1 times

  wzlinux 2 months, 2 weeks ago


I choose B
upvoted 1 times

  sayak17 2 months, 1 week ago


Even though confusing, the answer can be considered correct because of the last line in the provided link, which says: To remove all access
policies from the resource, call the Set ACL operation with an empty request body.
upvoted 2 times

  mxxii 1 month, 3 weeks ago


I agree with Yes.
Because “https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy“ says
“To remove a single access policy, call the resource's Set ACL operation, passing in the set of signed identifiers that you wish to maintain
on the container. To remove all access policies from the resource, call the Set ACL operation with an empty request body.”
upvoted 1 times

  Israel1 4 weeks, 1 day ago


NO is the correct answer
upvoted 1 times

  musiman 1 week, 1 day ago


Yes, No, Yes, No, etc.

Well, I searched for all possible solutions to this question and all others were a "No". There has to be one with a "Yes", right? So, despite
the fact that one can generate more stored access policies and creating a new stored access policy doesn't revoke an already existing one,
I tend to go to a "Yes". I think that the creator of this question wants to use the new stored access policy and remove the other. Yes, I
know it's not in the solution's answer, but there has to be one of the solutions with a correct answer, right?

So my answer would be: YES


upvoted 1 times

  kiketxu 6 days, 18 hours ago


Answer is B. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it
has been issued.
https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
upvoted 1 times


Question #3 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy the On-premises data gateway to the on-premises network.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
Instead, you connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway.
Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions:
✑ Create Azure Virtual Network.
✑ Create a custom DNS server in the Azure Virtual Network.
✑ Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver.
✑ Configure forwarding between the custom DNS server and your on-premises DNS server.
References:
https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network

  AS007 7 months, 1 week ago


Given answer is correct
upvoted 1 times

  gfhbox0083 5 months ago


B, for sure.
upvoted 2 times

  wzlinux 2 months, 2 weeks ago


I choose B
upvoted 1 times

  Mehblah 1 week, 6 days ago


Yes B is the answer
upvoted 1 times

  kiketxu 6 days, 18 hours ago


No doubts. B
upvoted 1 times


Question #4 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You create a site-to-site VPN between the virtual network and the on-premises network.
Does this meet the goal?

A. Yes

B. No

Correct Answer: A
You can connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway.
Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions:
✑ Create Azure Virtual Network.
✑ Create a custom DNS server in the Azure Virtual Network.
✑ Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver.
✑ Configure forwarding between the custom DNS server and your on-premises DNS server.
References:
https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network

  SB 1 year, 3 months ago


Answer seems confusing: a VPN is needed to restrict access to the HDInsight cluster to the corporate network. To authenticate using on-prem
credentials one needs to set up password hash sync to Azure AD DS and ensure networking connectivity from the HDInsight virtual
network to the Azure AD DS virtual network (see https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture)
upvoted 8 times

  gills 2 months, 1 week ago


This is not needed --> To authenticate using on-prem credentials one needs to set up password hash sync to Azure AD DS and ensure
networking connectivity from the HDInsight virtual network to the Azure AD DS virtual network

HDInsight can authenticate to Active Directory directly and therefore the VPN is required.
upvoted 1 times

  AP_Singh 10 months, 1 week ago


The correct answer is A. It is asking about pass-through authentication with Azure AD Connect
upvoted 4 times

  PDR 10 months, 1 week ago


Agree it is confusing. My reasons:
It says "You have a hybrid configuration of Azure Active Directory (Azure AD)" which suggests that AD Connect is in place, but it isn't clear
plus it doesn't mention what configuration it has (Hash Sync, Pass-through, Federated etc.).

Creating a site-to-site VPN will simply just enable connectivity between the on-premises network and the HDInsight cluster but not fulfil the
authentication via on-premises AD.
So without exact knowledge of the configuration of the Hybrid AD, any AD Connect etc. it is impossible to say for sure that would work.
You could take it further and say it is impossible to know as you don't know the config of the HD cluster, any NSGs etc. I always find these
ambiguous questions a bit annoying if I have the knowledge to answer them but the details are too blurry.
upvoted 8 times

  kiketxu 2 months, 1 week ago


I agree with your point. This is the key: "You have a hybrid configuration of Azure Active Directory (Azure AD)", so if AD Connect is in place
it only needs connectivity.
My answer is yes, it's right in this case. (Planned authentication doesn't mean plain-text auth; it is about the plan to configure
authentication, as it says in the line above.)

Btw, this same question is repeated without the "Hybrid" AD scenario, where the S2S VPN isn't the solution and the answer will be NO.
upvoted 1 times

  barchetta 10 months ago


Ambiguous as all heck. I mean seriously? A site-to-site VPN has zero to do with authentication. I hope this question is fixed when I take the
exam.

upvoted 5 times

  server1 2 months, 4 weeks ago


agreed this looks like a terrible question
upvoted 1 times

  swip 7 months, 2 weeks ago


Agreed this is extremely ambiguous; however, my best conclusion is as follows:
The question states the HDInsight cluster is on a vNet, which confirms it's running in Azure.
As per the documentation SB has listed, I point to this snippet

"HDInsight relies on a popular identity provider--Active Directory--in a managed way. By integrating HDInsight with Azure Active Directory
Domain Services (Azure AD DS), you can access the clusters by using your domain credentials."

See https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture for full details.

I conclude that to join the HDInsight cluster to your AD DS services (domain join) you need connectivity to your domain controllers. As
the environment is Hybrid we know there are almost certainly DCs on premises, so even if there are DCs on that vNet there needs to be a VPN
or ExpressRoute circuit to support AD integrated authentication. I do not believe HDInsight supports AAD authentication so AD Connect
is neither here nor there

I.e. The suggested answer is correct


upvoted 5 times

  IsildursHeir 7 months, 2 weeks ago


I wouldn't agree with this. https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture#on-premises-active-directory-or-active-directory-on-iaas-vms -> Using on-premises Active Directory or Active Directory on IaaS VMs alone,
without Azure AD and Azure AD DS, isn't a supported configuration for HDInsight clusters with ESP. AADDS seems a prerequisite. The
VNET / VPN just doesn't make any sense then if there is an AADDS and there is a hybrid setup with AAD Connect set up, hopefully with
password hash sync which seems a prereq.
upvoted 3 times

  ExamWynner 3 months, 1 week ago


Agreed, that's why in this case the AADDS is not there; VPN is for this case of using on-prem AD https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network
upvoted 1 times

  AS007 7 months, 1 week ago


Goal is to authenticate; however, VPN is the first step to allow sync, hence it's not the complete solution. So, it's a NO
upvoted 2 times

  cloudguy365 6 months, 4 weeks ago


Here is a hint in the question itself: "You need to configure the environment to support the planned authentication"
They are asking to "configure the environment" to support the planned auth, hence VPN is one of the solutions
upvoted 15 times

  server1 2 months, 4 weeks ago


excellent observation - we have to read the question carefully
upvoted 1 times

  sf2020 6 months, 1 week ago


Answer is No. By having a site-to-site VPN connection, the connection is encrypted, just that. A site-to-site VPN is to enable a secure
connection between on-prem networks and Azure networks. For authentication the Active Directory needs to connect with Azure AD, which
has nothing to do with site-to-site VPN but with AADC and authentication methods such as PTA, PHS, etc.
upvoted 3 times

  aythan09 6 months ago


I guess I am not reading into it all that much:
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You create a site-to-site VPN between the virtual network and the on-premises network.
Does this meet the goal?

I'm reading:
Does a site-to-site VPN allow auth to the cluster on the vNET?
NO. VPN encrypts... auth is more like hash or PTA and not encryption. It is a step if it was a new configuration but it states the cluster is
already on the vnet...
upvoted 2 times

  skb1996 6 months ago


I think the main reason is to see how HDInsight authentication works with AD, but I agree they are discussing identity and asking about
network security.
upvoted 1 times

  kratos13 5 months ago


A lot of ambiguity (thanks Microsoft). I want to say "answer is correct" based on this article:
~ https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


A, for sure.
upvoted 1 times

  idnildeb40 3 months ago


Please justify
upvoted 2 times

  nidoz 3 months ago


Guys part of question is "You need to configure the environment to support the planned authentication."
so setting up a VPN is definitely part of solution and then there comes planned authentication. My take here is YES
upvoted 2 times

  wzlinux 2 months, 2 weeks ago


I choose B
upvoted 2 times

  Bluediamond 2 months, 2 weeks ago


Answer is correct. Read the question; it says "You need to configure the environment to support the planned authentication." S2S will
support the environment. Granted, you need more, like Azure AD Connect etc.
upvoted 3 times


Question #5 Topic 1

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.
You need to recommend an integration solution that meets the following requirements:
✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
✑ Minimizes the number of servers required for the solution.

Which authentication method should you include in the recommendation?

A. federated identity with Active Directory Federation Services (AD FS)

B. password hash synchronization with seamless single sign-on (SSO)

C. pass-through authentication with seamless single sign-on (SSO)

Correct Answer: B
Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically
applies to organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. When turned on,
password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.
Incorrect Answers:
A: A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing
federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls
outside the control of Azure AD. It's up to the organization by using the federated system to make sure it's deployed securely and can handle the
authentication load.
C: For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents
must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need
outbound access to the Internet and access to your domain controllers. For this reason, it's not supported to deploy the agents in a perimeter
network.
Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to
authentication requests.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

  c1265 1 year ago


The way the question is worded suggests you need to enforce pw policies and logon restrictions (e.g. logon hours) from on-premises. I think C
is the correct answer; PTA also minimises the servers required.
upvoted 31 times

  onlyfunmails 10 months, 1 week ago


Agree with PTA (c) https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn#decision-tree
upvoted 8 times

  PDR 9 months ago


agree also and the link to the decision tree is the perfect clear proof C is correct
upvoted 4 times

  jdoemailinator 11 months, 1 week ago


agreed. this one should be C.
PW Hash sync doesn't guarantee policy enforcement in real-time.
upvoted 2 times

  anonymous654 11 months ago


i choose c
upvoted 2 times

  cloudera 10 months, 3 weeks ago


So what is the correct answer? This link states that https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn

1. AAD PW HASH Synchronization is the SIMPLEST (yes I literally bold that) way to enable authentication for on-premises directory objects
in Azure AD and use on-premises resources WITHOUT (yes I literally bold that too) having to deploy any additional infrastructure. 
2. AAD PTA provides a SIMPLE (not simplest) password validation for Azure AD authentication services by using a software agent that runs
on ONE or MORE (yes I bold that one again) on-premises servers.


Based on this information PW HASH Synchronization seems to be the correct answer.


upvoted 10 times

  cloudera 10 months, 2 weeks ago


Sorry, my bad, the correct answer should rather be C - Pass Through Authentication. The reason being:
1. Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
>> Pass-Through Authentication enforces on-premises user account states, password policies, and sign-in hours.

2. Minimizes the number of servers required for the solution.
>> Pass-through needs a lightweight agent to be installed on one (or more) on-premises servers.
>> PW Hash also requires installing Azure AD Connect on your existing DC.
upvoted 7 times

  BobIsSearchingForTheMoon 9 months ago


PTA validates password directly against on-prem AD. This enables the organization to leverage AD DS policies, like logon hours. I would
choose answer C.
upvoted 2 times

  ochiwi 7 months, 3 weeks ago


This is what makes the answer A ..

Minimizes the number of servers required for the solution.

This requirement means one that involves the least effort to implement
upvoted 1 times

  e3rh 7 months, 3 weeks ago


it is PHS right answer - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
(read security consideration) fulfills the requirements of the question, no extra infra and policies for pwd
upvoted 1 times

  SIDNEY1 7 months, 2 weeks ago


Incorrect. With PHS, you cannot enforce on-prem security policies. PTA lets you do that and is the correct answer.
upvoted 3 times

  cybrtrk 7 months, 2 weeks ago


"password policies and user logon restrictions apply"
definitely refers to PASS THROUGH authentication:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
"wanting to enforce their on-premises Active Directory security and password policies, can choose to use Pass-through Authentication"
upvoted 2 times

  musiman 1 week, 1 day ago


When you use Password hash synchronization, the following happens.
- The user in Azure AD will get the same password hash
- The password policy of Azure AD is disabled for the users
- All passwords of the users in Azure AD have an UNLIMITED lifetime...
So, when you have a user who logs in Active Directory once and after that only logs in to Azure AD (e.g. it's someone who always works
out of the office and only uses cloud services), he will NEVER get a warning that his password has to be changed!!!
Only when he tries to login Active Directory again, he gets the message to change his password.

So, password hash synchronization is definitely a WRONG answer.

C is correct.
upvoted 1 times

  Rave763 7 months, 1 week ago


I will go with C
Reason being following statement which is missing in PW Hash but is particulary asked in our question.

"Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours
might use this authentication method. For more information on the actual pass-through authentication process, see User sign-in with
Azure AD pass-through authentication."
upvoted 1 times

  AS007 7 months, 1 week ago


Correct Answer : C. pass-through authentication with seamless single sign-on (SSO)
upvoted 1 times

  qay801 7 months, 1 week ago


Minimizes the number of servers required for the solution. So it should be B?
upvoted 1 times

  Tom84 7 months ago 


C is correct


upvoted 1 times

  Prash85 6 months, 3 weeks ago


There is one condition here to note... Minimizes the number of servers required for the solution. PTA needs 2 agents actively running at the
on-prem dir server, so because of the condition and requirement it is definitely a PHA
upvoted 1 times

  aythan09 6 months ago


An agent is not equivalent to a server. Plus, don't get hung up on "number of servers." If they have an on-premise AD (that's server 1)
and an Azure AD (that's server 2). This is what they already have.
upvoted 1 times

  Root_Access 6 months, 2 weeks ago


Folks, I think it's PTA, go to the video here:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
Fast forward to 2:00; when he gets to PTA it clearly says organizations who want their security policies to be used in the cloud. Also go to
8:00 and listen when he talks about PTA; he specifically mentions password policies.
upvoted 1 times

  karpoj23 6 months, 2 weeks ago


and then is C?
upvoted 1 times

  D_PaW 6 months ago


Since it needs password policies and logon restrictions then it must be C. Check this link that calls these out as specific reasons to chose
PTA over some of the other options:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-user-signin#pass-through-authentication
Quote: "...This allows for on-premises policies, such as sign-in hour restrictions..."
upvoted 2 times

  m2L 5 months, 3 weeks ago


The given answer is correct. Because with PHS the local policy replaces the cloud policy for synced users
https://docs.microsoft.com/fr-fr/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
upvoted 3 times

  lnn_az 5 months, 3 weeks ago


The given answer is incorrect. Correct answer is C. PTA is required to "Ensures that password policies and user logon restrictions apply to
user accounts that are synced to the tenant"
upvoted 2 times

  Luciborg 5 months, 1 week ago


PTA doesn't minimize the server requirement. PTA needs at least 2 services on a separate server for high availability. It's best practice.
upvoted 1 times

  mackc13 5 months ago


Answer should be C.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

Azure Active Directory Pass-through Authentication


This feature is an alternative to Azure AD Password Hash Synchronization, which provides the same benefit of cloud authentication to
organizations. However, certain organizations wanting to enforce their on-premises Active Directory security and password policies, can
choose to use Pass-through Authentication instead. Review this guide for a comparison of the various Azure AD sign-in methods and how
to choose the right sign-in method for your organization.
upvoted 1 times

  gfhbox0083 5 months ago


C, for sure.
Pass-through authentication with seamless single sign-on (SSO)
upvoted 1 times

  gboyega 4 months, 3 weeks ago


C is the Correct Answer.
upvoted 1 times

  Luciborg 4 months, 3 weeks ago


I'm sorry if you look at requirements I choose PTA too
upvoted 1 times

  kingnag1 4 months, 3 weeks ago


should be C, PTA is the right answer
upvoted 1 times

  admintalks 4 months, 1 week ago


Correct answer is PTA, Guaranteed! - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn 
Go to Decision tree and you'll see "If you need to apply, user-level Active Directory security policies such as account expired, disabled
account, password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-premises
components."

So, PHS cannot be the answer and only PTA can do it. Req also says reduce servers so PTA meets that requirement too since you do not
need any additional infra and the agent installs on existing Domain Controllers.
upvoted 2 times

  Thenga 4 months ago


https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
upvoted 1 times

  h4ck3r 4 months ago


Password policies and user logon restrictions are possible only through hash authentication. Pass-through authentication is the non-
restrictive part.
upvoted 1 times

  Attaxhan 4 months ago


ITS IN EXAM I CHOOSE B
upvoted 1 times

  levo017 3 months ago


Answer is C.
See: http://superhybridcloud.com/difference-between-federation-password-hash-sync-pass-through-authentication/

Quick note for me to remember: Password Hash can only deal with username / password, not for password policies.
upvoted 1 times

  Roy_Batty 2 months, 3 weeks ago


I'm in agreement that the key here is the requirement:
"Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant"; that would indicate PTA
over PHS. (so, C)
*BUT*
Is the listed answer an actual verified account of what the exam will expect/consider correct, or is it some expert-contributor's take on
things? That would make a difference on how I respond to the question on a test, regardless of what the 'correct' answer actually is.

Anyone know?
upvoted 1 times

  gills 2 months, 3 weeks ago


Answer clearly shows that the authentication needs to happen at the on premises AD. So the only answer is C, pass thru authentication.
upvoted 1 times

  wzlinux 2 months, 2 weeks ago


I choose C
upvoted 1 times

  gills 2 months, 1 week ago


PTA is correct. C. Reason being it clearly states that the policies of user logon hours needs to be applied and that means authentication
needs to happen on premises Active Directory. That means pass thru authentication.
upvoted 1 times

  awssecuritynewbie 1 month, 3 weeks ago


So after doing some research the question says it must be able to apply the existing policies for the AD users and between all the options
we have, Pass through authentication does that please see ...
in short if you don't want to read the below it is "C"

"Advanced scenarios:" Pass-through Authentication enforces the on-premises account policy at the time of sign-in. For example, access is
denied when an on-premises user’s account state is disabled, locked out, or their password expires or the logon attempt falls outside the
hours when the user is allowed to sign in."

but it does require having multiple agents, but I think the reason they said least server use is because ADFS requires a farm of servers

" Federated systems typically require a load-balanced array of servers, known as a farm. This farm is configured in an internal network and
perimeter network topology to ensure high availability for authentication requests."

Ref : https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
upvoted 2 times

  DeepMoon 1 month, 3 weeks ago


Answer C - Pass Through Authentication is the only one that meets both criteria.
1. Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
• Pass-Through Authentication does enforce on-premises user account states, password policies, and sign-in hours.
• Password hash only syncs the passwords.
AD Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure
AD instance. From <https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs>

2. Minimizes the number of servers required for the solution.
• Pass-through needs a lightweight agent to be installed on one (or more) existing on-premises servers.
• PW Hash also requires installing Azure AD Connect (but a separate server) on your existing DC.


upvoted 1 times

  njeske 1 month, 2 weeks ago


Definitely C. The simplest solution that allows for enforcing on-premise password policies and logon restrictions is Pass-Through
Authentication with Seamless SSO. The simplest overall solution is B, but you can't enforce local password policies and logon restrictions
using password hash sync.

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

The flow-chart on that page is confusing, and (frankly) sucks. Read through the details of each detailed authentication method. The
Advanced Scenarios (3rd bullet) underneath Pass-Through Authentication spells it out plainly.
upvoted 1 times

  mluistovar 1 month, 1 week ago


make your choice, it was on my exam sep2020
upvoted 1 times

  Cis 1 month ago


Answer is C
upvoted 1 times

  Seagun 1 month ago


Answer provided is right - Answer is B, listen to Nick Colyer lecture 18- authentication options.
Answer is not pass through.
Reason B is Azure AD still does a directory query with your on prem AD. The question also refers to least amount of servers and it never
said authentication has to happen complete with azure AD
upvoted 3 times

  Gaurav_Architect 4 weeks ago


Correct Answer is C as the logon restriction will get applied when authentication takes place at the on-prem DCs, for which PTA is required.
upvoted 1 times

  zuarkhan 3 weeks, 3 days ago


Correct Answer is C
C. pass-through authentication with seamless single sign-on (SSO)

You need to recommend an integration solution that meets the following requirements:
✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
Minimizes the number of servers required for the solution.

Please watch this Microsoft Mechanics video to clarify:

https://www.youtube.com/watch?v=PyeAC85Gm7w
upvoted 1 times

  Inferno 2 weeks, 2 days ago


Should be C. AAD cannot enforce on-premise policies control
upvoted 2 times

  Srikanth_M 3 days, 18 hours ago


Correct answer is C.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
upvoted 1 times

  Chamba 2 days, 19 hours ago


B is correct
upvoted 1 times


Question #6 Topic 1

Your network contains an on-premises Active Directory domain named corp.contoso.com.


You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You sync all on-premises identities to Azure AD.
You need to prevent users who have a givenName attribute that starts with TEST from being synced to Azure AD. The solution must minimize
administrative effort.
What should you use?

A. Synchronization Rules Editor

B. Web Service Configuration Tool

C. the Azure AD Connect wizard

D. Active Directory Users and Computers

Correct Answer: A
Use the Synchronization Rules Editor and write an attribute-based filtering rule.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration

  AS007 7 months, 1 week ago


Correct Answer
upvoted 6 times

  kristiann21 5 months, 4 weeks ago


I have implemented editing attributes synchronization in Azure AD Connect. And this possible with the Azure AD connect rules editor,
which edits the synchronization rules.
upvoted 2 times

  mackc13 5 months ago


https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration

Answer is correct
upvoted 1 times

  gfhbox0083 5 months ago


A, for sure.
Synchronization Rules Editor
upvoted 1 times

  Attaxhan 4 months ago


IN THE EXAM I CHOOSE A
upvoted 1 times


Question #7 Topic 1

DRAG DROP -
You are implementing conditional access policies.
You must evaluate the existing Azure Active Directory (Azure AD) risk events and risk levels to configure and implement the policies.
You need to identify the risk level of the following risk events:
✑ Users with leaked credentials
✑ Impossible travel to atypical locations
✑ Sign-ins from IP addresses with suspicious activity
Which level should you identify for each risk event? To answer, drag the appropriate levels to the correct risk events. Each level may be used once,
more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Correct Answer:

Azure AD Identity protection can detect six types of suspicious sign-in activities:
✑ Users with leaked credentials
✑ Sign-ins from anonymous IP addresses
✑ Impossible travel to atypical locations
✑ Sign-ins from infected devices
✑ Sign-ins from IP addresses with suspicious activity
✑ Sign-ins from unfamiliar locations

These six types of events are categorized into three levels of risk (High, Medium and Low):


References:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/

  Adamasbue 1 year ago


Wrong, see: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#sign-ins-from-ip-addresses-with-suspicious-activity
upvoted 23 times

  awssecuritynewbie 1 month, 3 weeks ago


I know, but if you look at this link you see it is the right answer. I thought first it was M, H, M but it is not; please check it out
before deciding.

https://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/#:~:text=These%20six%2Dtypes%20of%20events,%E2%80%93%20High%2C%20Medium%20%26%20Low.&text=We%20can%20use%20these%20risk,to%20protect%20sensitive%20application%20access.
upvoted 2 times

  Oz 11 months, 3 weeks ago


True!
It's going to be:
Medium
High
Medium
upvoted 15 times

  NoNotSpam 11 months, 2 weeks ago


The table in the "Answer" is incorrect, as is the blog it came from. "sign ins from infected devices" (Which really should be from infected
IPs) is the only Low one. The others, except for the one High one, are all Mediums.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#risk-level
upvoted 3 times

  anonymous654 11 months ago


Leak creds: High
The rest : Medium
upvoted 3 times

  cloudera 10 months, 3 weeks ago


✑ Users with leaked credentials HIGH
✑ Impossible travel to atypical locations MEDIUM
✑ Sign-ins from IP addresses with suspicious activity MEDIUM

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events
upvoted 8 times

  wlfjck 10 months ago


https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#risk-level
upvoted 2 times

  nixan_nixan 9 months, 2 weeks ago


Sign-ins from anonymous IP addresses
The risk level for this risk detection type is MEDIUM because an anonymous IP address is not a strong indication of an account
compromise. We recommend that you immediately contact the user to verify if they were using anonymous IP addresses.

DOCS: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#sign-ins-from-ip-addresses-with-suspicious-activity
upvoted 1 times

  BobIsSearchingForTheMoon 9 months ago


High:
Leaked credentials

Medium:
Sign-ins from anonymous IP addresses
Impossible travel to atypical locations
Sign-in from unfamiliar locations
Sign-ins from IP addresses with suspicious activity

Low:
Sign-ins from infected devices
upvoted 14 times

  amal2885 7 months, 3 weeks ago


https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/media/concept-risk-events/91.png
upvoted 4 times

  Remco 7 months, 2 weeks ago


It is medium - high - medium for sure.
Just take a look at this:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events
upvoted 3 times

  Rave763 7 months, 1 week ago


agree with @Cloudera

✑ Users with leaked credentials HIGH


✑ Impossible travel to atypical locations MEDIUM
✑ Sign-ins from IP addresses with suspicious activity MEDIUM
upvoted 1 times

  AS007 7 months, 1 week ago


Correct Answer :
Med
High
Med
upvoted 3 times

  Jhonsteve83 6 months, 3 weeks ago


Wrong. it should be :
Medium
High
Medium
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#leaked-credentials
upvoted 2 times

  kristiann21 5 months, 4 weeks ago


https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#sign-ins-from-ip-addresses-with-suspicious-activity
Medium.

There is only one Low risk event type and that is Sign in from infected devices. Remember infected devices, infected devices, infected
devices, Low!
upvoted 7 times

  lnn_az 5 months, 3 weeks ago


The correct answer is
Medium
High
Medium
Refer https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#sign-ins-from-ip-addresses-with-suspicious-activity
upvoted 3 times

  awssecuritynewbie 1 month, 3 weeks ago


it does not even say it is medium .. you just pasting shit in ?
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


Medium, High Medium
upvoted 3 times

  jakobaszek 4 months, 2 weeks ago


True!
It's going to be: 
Medium
High
Medium

upvoted 2 times

  Thenga 4 months ago


It is medium, high and low.

https://www.vansurksum.com/2020/04/07/azure-ad-identity-protection-deep-dive/
upvoted 1 times

  LTTAM 3 months, 4 weeks ago


Best to use links from Microsoft to justify your answers. This is a Microsoft exam and their answers will be based from their
documentation.
upvoted 1 times

  Lexa 3 months, 2 weeks ago


Sign-ins from IP addresses with suspicious activity - MEDIUM

"Microsoft's recommendation is to set the user risk policy threshold to High and the sign-in risk policy to Medium and above."

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#choosing-acceptable-risk-levels
upvoted 2 times

  buyog 2 months, 3 weeks ago


I could not find the risk levels (Low, Medium, High) anywhere in Microsoft's documentation. I don't think this question is valid anymore. Is
it?

An excerpt from Microsoft's documentation:

"Risk levels
Identity Protection categorizes risk into three tiers: low, medium, and high.

While Microsoft does not provide specific details about how risk is calculated, we will say that each level brings higher confidence that the
user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as
threatening as leaked credentials for another user."

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
upvoted 2 times

  hstorm 2 months, 2 weeks ago


https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
My answer would be "MEDIUM"

This page shows all the alerts and the severity; strangely enough the only table without a severity column is "virtual machine".

Below I have copy-pasted the description for the same alert regarding storage account.
I do not see any reason for having different severity for virtual machine and storage-account, but this is no guarantee...

Alert
PREVIEW – Access from a Suspicious IP address

Description
Indicates that this storage account has been successfully accessed from an IP address that is considered suspicious. This alert is powered
by Microsoft Threat Intelligence.
Learn more about Microsoft's threat intelligence capabilities.
Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2

Severity
Medium
upvoted 1 times

  DrSushi 2 months, 2 weeks ago


This one seems quite debatable.... one side here says: HIGH, MEDIUM, MEDIUM, the other side of the crowd seems to embrace: HIGH,
MEDIUM, LOW

Frankly speaking, the official page at Microsoft doesn't help much to settle this debate:

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-levels

"While Microsoft does not provide specific details about how risk is calculated, we will say that each level brings higher confidence that the
user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as
threatening as leaked credentials for another user."
upvoted 1 times

  pkasthur 2 months, 1 week ago


the answer should be Medium
High
Medium
upvoted 1 times 
  kiketxu 2 months, 1 week ago


The answer is right. Seems the table was taken from here.
https://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/#:~:text=These%20six%2Dtypes%20of%20events,%E2%80%93%20High%2C%20Medium%20%26%20Low.&text=We%20can%20use%20these%20risk,to%20protect%20sensitive%20application%20access.
upvoted 1 times

  kiketxu 2 months, 1 week ago


Oops, didn't see the ref at the bottom, lol!
upvoted 1 times

  awssecuritynewbie 1 month, 3 weeks ago


So sign in from unfamiliar location is not the same as "Sign-ins from IP addresses with suspicious activity". I just checked my own Azure
tenant and it says that the answers provided are out of date. Can anyone confirm they got this in their exam recently please?
upvoted 1 times

  DeepMoon 1 month, 3 weeks ago


This is probably an old question that changed with newer updates to Azure.
Even Microsoft Tech writers are not able to answer this question: See Link below:
https://github.com/MicrosoftDocs/azure-docs/issues/63555#issuecomment-701546092
upvoted 4 times

  Cis 1 month ago


Medium
High
Medium
upvoted 1 times

  Stuudent 3 weeks, 1 day ago


Seems outdated, direct quote:

Microsoft does not provide specific details about how risk is calculated

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
upvoted 2 times

  shanan_ilen 2 weeks, 3 days ago


Agree with you
upvoted 1 times


Question #8 Topic 1

HOTSPOT -
You create and enforce an Azure AD Identity Protection user risk policy that has the following settings:
✑ Assignment: Include Group1, Exclude Group2
✑ Conditions: Sign-in risk of Medium and above
✑ Access: Allow access, Require password change

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer: Explanation


Box 1: Yes -
User1 is member of Group1. Sign in from unfamiliar location is risk level Medium.

Box 2: Yes -
User2 is member of Group1. Sign in from anonymous IP address is risk level Medium.

Box 3: No -
Sign-ins from IP addresses with suspicious activity is low.
Note:

Azure AD Identity protection can detect six types of suspicious sign-in activities:
✑ Users with leaked credentials
✑ Sign-ins from anonymous IP addresses
✑ Impossible travel to atypical locations
✑ Sign-ins from infected devices
✑ Sign-ins from IP addresses with suspicious activity
✑ Sign-ins from unfamiliar locations
These six types of events are categorized into three levels of risk (High, Medium and Low):
References:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/

  Ramir 11 months, 1 week ago


YES - 
NO - Group 2 exclude takes precedence over Group 1
YES - Sign-ins from IP addresses with suspicious activity is a medium priority so its YES


upvoted 14 times

  connorhoehn 9 months ago


Sign-ins from infected devices
This risk detection type identifies sign-ins from devices infected with malware, that are known to actively communicate with a bot
server. This is determined by correlating IP addresses of the user’s device against IP addresses that were in contact with a bot server.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events
Medium <- Agreed
upvoted 2 times

  Heracles 3 weeks, 1 day ago


I agree. Right under "Alerts for Azure network layer" on the link below it shows that it's a medium threat.
https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
upvoted 1 times

  eug45 3 months, 3 weeks ago


wrong, the answer is Yes, Yes, No
upvoted 2 times

  gills 1 month, 2 weeks ago


User 2 is excluded via Group 2 so how is it possible for second part to be Yes ? Can you explain ? Exclusion takes precedence over
inclusion via group membership.
upvoted 1 times

  mlemartien 9 months, 4 weeks ago


The reference used in this response is wrong. See here:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#risk-level
upvoted 4 times

  g01d 9 months, 3 weeks ago


Agreed, I think the answer is: Yes, No, No. I don't know why some people are categorizing the last one as suspicious activity; infected
device is Low risk, so it doesn't apply for password change.
upvoted 12 times

  PJR 9 months, 2 weeks ago


g01d is correct - the question states "if user3 signs in from a computer containing malware that is communicating with known bot
servers" the definition from the link posted above is

"Sign-ins from infected devices


This risk detection identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are
controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is why this risk detection is
classified as Low."

Therefore the risk would be low and policy would not be triggered

Answer is therefore

Yes
No
No

Does anyone have a link from Microsoft that states exclusions from policies take precedence?
upvoted 8 times

  PDR 9 months ago


the best I can find from Microsoft that confirms the exclusions taking precedence over over settings is this
https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
upvoted 2 times

  pressieguy 8 months ago


is it me or are there no statement questions?
where are the questions for this question?
seems like it just goes straight to the answers
upvoted 13 times

  IsildursHeir 7 months, 2 weeks ago


I am with you, cannot see any questions? Is it Chredge?
upvoted 4 times

  Roy_Batty 2 months, 3 weeks ago


Same here - on Edge Chromium, but tried with old IE, and Firefox - same same
upvoted 3 times

  cybrtrk 7 months, 2 weeks ago


Ramir, you're wrong on the last answer, as others have stated below. The reference url link in the answer is wrong. malware
communicating with bot servers is a LOW risk, thus the policy will not take effect. 
Which makes connorhoehn wrong.
g01d and PJR are correct.


upvoted 3 times

  Ixy 7 months, 1 week ago


Question:
If User1 signs in from an unfamiliar location, he/she must change his password (True/False)
If User2 signs in from an anonymous IP address, he/she must change his/her password. (True/False)
If User3 signs in from a computer containing malware that is communicating with known bot servers, he/she must change his/her
password (True/False)
upvoted 24 times

  Derek_O2018 6 months, 3 weeks ago


For the second question, the answer should be false as the user is excluded from the policy. Ref: https://github.com/MicrosoftDocs/azure-
docs/issues/48314
upvoted 1 times

  Rajuuu 6 months, 1 week ago


But User is part of Group 1 as well for which there is a Role assignment .
upvoted 1 times

  Roy_Batty 2 months, 3 weeks ago


This user is *also* a member of the excluded Group 2. Per Raj2020's Msft docs link (elsewhere in this thread):

"When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action
overrides an include in policy."
upvoted 1 times

  AnuV 6 months, 1 week ago


The answer should be
Unfamiliar location - Yes
Anonymous location - Yes
Computer containing malware - No
upvoted 1 times

  aythan09 6 months ago


Policy is to change pw if risk is medium or above.
Unfamiliar location (risk:medium) - Yes
anonymous IP adx (risk:medium) but in group 2 (exclude and takes precedence) - No
infected device (risk:low) - No
upvoted 10 times

  awssecuritynewbie 1 month, 3 weeks ago


user2 is part of group 2 that is excluded so it will not take effect. exclude groups override
upvoted 1 times

  PhiIipp 5 months, 1 week ago


ahh there is important information missing which is given in the answer multiple choice
https://vceguide.com/wp-content/uploads/2019/10/Microsoft-AZ-500-date-01-06-2019-00001_Page_15_Image_0001.jpg
upvoted 7 times

  gfhbox0083 4 months, 4 weeks ago


Yes (Included)
No (excluded)
No (Low Risk)
upvoted 12 times

  summut 4 months, 4 weeks ago


Hot area with the main questions is missing from this question
upvoted 7 times

  LTTAM 4 months, 1 week ago


How are people answering the questions?? This question is missing the 'Hot Area' statements.
upvoted 3 times

  hstorm 2 months, 2 weeks ago


By reading earlier comments with links to the image
upvoted 2 times

  Raj2020 3 months, 4 weeks ago


it should be
Yes
No - Group 2 exclude takes precedence over Group 1 ( ref the link)
No - Malicious devices under Low Risk.
ref- https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups
upvoted 6 times

  momo_tree 3 months, 2 weeks ago



Raj is right


upvoted 1 times

  Bluediamond 2 months, 3 weeks ago


Agree "Exclude users
When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action
overrides an include in policy. Exclusions are commonly used for emergency access or break-glass accounts. "
upvoted 2 times

  Roy_Batty 2 months, 3 weeks ago


Agreed!
upvoted 1 times

  awssecuritynewbie 1 month, 3 weeks ago


thanks Raj for the link and this is the why the USER2 is excluded as it is part of group2 and
" as an exclude action overrides an include in policy. "
upvoted 1 times

  buyog 3 months, 1 week ago


I've read this to clarify that exclusions take precedence over inclusions.

"Risk policies & remediation


The user risk and sign-in risk policies are configured separately and can be applied to all users or selected users and groups. You can also
exclude users, for example if they are a member of an included group."

Source:
https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-active-directory-identity/ba-p/1320887
upvoted 1 times

  server1 2 months, 2 weeks ago


Definitely YES NO NO
The policy is to change the password if rated risk is medium or above
unfamiliar location - risk is medium - YES
Anonymous ip risk is medium but Group2 excludes and takes precedence so NO
Infected device risk is low so NO
upvoted 1 times

  Kampo 2 months, 2 weeks ago


So whats the final answer ?
What I understand from discussion is YES,NO, NO - is it right ?
Since user2 is part of group2 so its excluded.
User3 is coming from infected device which is low risk policy hence this policy is not applied and user will not be asked to change
password.
upvoted 1 times

  hstorm 2 months, 2 weeks ago


How is user1 asked to change password when MFA is disabled ?
upvoted 1 times

  doublekill 2 months, 2 weeks ago


Do any of you have the reference that the infected devices is classified as low?
upvoted 1 times

  DeepMoon 1 month, 4 weeks ago


Q8 seems to be missing the hot area.
People are debating answers. But I can't figure out what the hot area is showing first to formulate an answer. What am I missing here.
upvoted 2 times

  awssecuritynewbie 1 month, 3 weeks ago


https://vceguide.com/wp-content/uploads/2019/10/Microsoft-AZ-500-date-01-06-2019-00001_Page_15_Image_0001.jpg
upvoted 1 times

  ChrisBr 1 month, 2 weeks ago


Seems like the table for the assignment of the risk level to the detections is gone and not valid anymore... now the DOCS says: "While
Microsoft does not provide specific details about how risk is calculated, we will say that each level brings higher confidence that the user
or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as
threatening as leaked credentials for another user." Source: https://docs.microsoft.com/en-us/azure/active-directory/identity-
protection/concept-identity-protection-risks#risk-levels
upvoted 1 times

  ITAdmin2019 1 month, 2 weeks ago


My thoughts are:
Yes - The user is included in the scope of the policy
No - The user is excluded in group 2 (excludes override include, as someone else here has pointed out)
Yes - The user must change his password as he's signing-in from an infected device (as opposed to suspicious activity, see below)
https://techcommunity.microsoft.com/t5/azure/sign-ins-from-infected-devices/m-p/110457
Yes - 
upvoted 2 times


  Cis 1 month ago


YES
YES
NO
upvoted 2 times

  ealcober 3 weeks, 3 days ago


there are no questions to evaluate
upvoted 2 times

  CE6969 3 weeks, 1 day ago


Hotspot
If User1 signs in from an familiar location, he must change his password

If User2 signs in from an anonymous IP address, she must change her password

If User3 signs in from a computer containing malware that is communicating with known bots servers, he must change his password
upvoted 1 times

  kiketxu 6 days, 17 hours ago


Yes (Included and medium)
No (excluded)
No (Low Risk)
upvoted 1 times
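The two rules this thread argues over (an exclusion overrides an inclusion, and the control fires only at or above the configured risk level) can be modelled in a few lines. This is an added example, not code from ExamTopics or Microsoft; the policy class, the detection-to-risk table, and the user/group assignments are reconstructed from the comments, since the hotspot image itself is not on the page.

```python
"""Hypothetical model of an Azure AD Identity Protection sign-in risk policy.

Added example, not ExamTopics or Microsoft code. The detection-to-risk
mapping is the 2019-era table posters quote; treat it as sample data, since
Microsoft no longer publishes fixed risk levels per detection.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Risk(IntEnum):
    """Ordered so that a threshold comparison (>=) works."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Detection type -> risk level, as quoted in the thread (sample data).
DETECTION_RISK: dict[str, Risk] = {
    "unfamiliar_location": Risk.MEDIUM,
    "anonymous_ip": Risk.MEDIUM,
    "infected_device": Risk.LOW,
}


@dataclass
class SignInRiskPolicy:
    """Assignment (include/exclude) plus the control of a sign-in risk policy."""
    include_users: set[str] = field(default_factory=set)
    include_groups: set[str] = field(default_factory=set)
    exclude_users: set[str] = field(default_factory=set)
    exclude_groups: set[str] = field(default_factory=set)
    threshold: Risk = Risk.MEDIUM          # "medium and above"
    require_password_change: bool = True   # the control under test

    def in_scope(self, user: str, memberships: dict[str, set[str]]) -> bool:
        """An exclusion always overrides an inclusion, whether the user is
        named directly or reached through a group membership."""
        groups = memberships.get(user, set())
        included = user in self.include_users or bool(groups & self.include_groups)
        excluded = user in self.exclude_users or bool(groups & self.exclude_groups)
        return included and not excluded

    def must_change_password(self, user: str, detection: str,
                             memberships: dict[str, set[str]]) -> bool:
        """True only if the user is in scope, the control is enabled, and the
        detection's risk level meets the configured threshold."""
        if not self.in_scope(user, memberships):
            return False
        risk = DETECTION_RISK[detection]
        return self.require_password_change and risk >= self.threshold


def evaluate_question_scenario() -> dict[str, bool]:
    """Scenario reconstructed from the comments: User1 and User3 are included
    directly, Group1 is included, Group2 is excluded, and User2 belongs to
    both groups. Returns, per user, whether a password change is forced."""
    memberships = {"User2": {"Group1", "Group2"}}
    policy = SignInRiskPolicy(
        include_users={"User1", "User3"},
        include_groups={"Group1"},
        exclude_groups={"Group2"},
        threshold=Risk.MEDIUM,
    )
    sign_ins = {
        "User1": "unfamiliar_location",
        "User2": "anonymous_ip",
        "User3": "infected_device",
    }
    return {user: policy.must_change_password(user, detection, memberships)
            for user, detection in sign_ins.items()}


if __name__ == "__main__":
    for user, forced in evaluate_question_scenario().items():
        print(f"{user}: {'Yes' if forced else 'No'}")
```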


Question #9 Topic 1

DRAG DROP -
You need to configure an access review. The review will be assigned to a new collection of reviews and reviewed by resource owners.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:

Correct Answer:

Step 1: Create an access review program


Step 2: Create an access review control
Step 3: Set Reviewers to Group owners
In the Reviewers section, select either one or more people to review all the users in scope. Or you can select to have the members review their
own access. If the resource is a group, you can ask the group owners to review.

References:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review https://docs.microsoft.com/en-us/azure/active-
directory/governance/manage-programs-controls

  RupaliS 11 months ago


Answer : 1 Create access review control (etc Name, Date etc)
2 Set Reviewers to Group Owners
3 Create access review program (even in the image shows, it comes later below, and program can be any governance/risk management or
compliance activity)
see video - https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview


upvoted 3 times

  onlyfunmails 10 months, 2 weeks ago


Review control requires Review Program, so suggested Answer is correct.
upvoted 5 times

  Exam_Master_Me 4 months, 2 weeks ago


I agree with Onlyfunmails, Step 12 on page (https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-
review) states:
"In the Programs section, select the program you want to use. Default Program is always present." To have a NEW program, you
first need to CREATE it. Therefore the answer is correct.
upvoted 1 times

  PDR 9 months ago


The answer is correct. The question itself refers to assigning a "collection of reviews" which means a access review program. In order to
assign a program to a access review it must first be created , otherwise only the default program can be assigned. So that is why it is first
step.
upvoted 9 times

  BobIsSearchingForTheMoon 9 months ago


I agree with PDR, and notice that it says "The review will be assigned to a NEW collection of reviews". So new collection means the
collection "program" needs to be created first.
upvoted 2 times

  AS007 7 months, 1 week ago


Correct Answers
upvoted 2 times

  gcpora 7 months ago


Given answer is correct as the first step will be to create a review program, then create access review control and last set reviewers to
group owners.
upvoted 2 times

  lnn_az 5 months, 3 weeks ago


Identity Governance is not included in the Microsoft Azure Security Technologies –
Skills Measured.

Configure Azure AD Privileged Identity Management


monitor privileged access
configure Access Reviews
activate Privileged Identity Management
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


Given answer is correct.
upvoted 3 times

  jaredl 4 months, 3 weeks ago


Are Group Owners equal to Resource Owners? No. I think the reviewers should be the selected Resource Owners, who might not be the
Group Owners.
upvoted 2 times

  kiketxu 6 days ago


correct answers
upvoted 1 times


Question #10 Topic 1

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

You configure an access review named Review1 as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer: Explanation


Box 1: User3 only -
Use the Members (self) option to have the users review their own role assignments.
Box 2: User3 will receive a confirmation request
Use the Should reviewer not respond list to specify what happens for users that are not reviewed by the reviewer within the review period. This
setting does not impact users who have been reviewed by the reviewers manually. If the final reviewer's decision is Deny, then the user's access
will be removed.
No change - Leave user's access unchanged
Remove access - Remove user's access
Approve access - Approve user's access
Take recommendations - Take the system's recommendation on denying or approving the user's continued access
References:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review

  Otto_Aulicino 10 months, 1 week ago


This is missing the question image with the drop-down menus. At least I believe it is missing something here.
upvoted 13 times 
  PJR 9 months, 2 weeks ago


Missing drop downs - https://i.ibb.co/GVvd9c2/Capture3.jpg

I believe this is wrong and the answer to the 2nd drop down is "User2 will retain the Password admin role" - this is because everything I can see
relating to smart recommendations (which are configured to take effect if the user doesn't complete the review in the allotted time)
suggests that the recommended action is Deny if the user hasn't logged in after 30 days - User 2 logs in bi-weekly so wouldn't trigger this
recommendation.
upvoted 18 times

  vlq 7 months ago


You're definitely right, I prove it in my test environment :-)
upvoted 4 times

  ITAdmin2019 4 weeks, 1 day ago


Hi,
Do you have a link for the smart recommendations? I can't see anywhere which states what the system recommendations are
upvoted 1 times

  BobIsSearchingForTheMoon 9 months ago


Since the "Auto apply results" is set to Disable I would go with:

User3 can perform Review1 for: User 3 only.


If User2 fails to complete Review1 by March 20, 2019: User2 will retain the Password administrator role.

I don't see how the User3 would receive a confirmation request, makes no sense to me.
upvoted 13 times

  aythan09 6 months ago


Set Mail notifications to Enable (which is Default) to have Azure AD send email notifications to reviewers when an access review starts,
and to administrators when a review completes.
Set Mail notifications to Enable to have Azure AD send email notifications to reviewers when an access review starts, and to
administrators when a review completes.
upvoted 3 times

  Nikunj13 2 months, 1 week ago


Yes, as User2 logs in biweekly, recommendations will be to retain the access.

Box 1 : User3 only


Box 2 : Retain access for User2
upvoted 1 times

  clos 3 days, 13 hours ago


is it possible since User3 is GlobalAdmin?
upvoted 1 times

  SamSan 6 months, 3 weeks ago


If the auto-apply results are disabled, then User 3 will get a confirmation request to approve User2 to maintain the password admin role.
If the auto-apply results were enabled, then User3 will not get a confirmation request.
upvoted 2 times

  Prash85 6 months, 3 weeks ago


I don't see how User3 would receive a confirmation request.. anyone having a different thought on this ?
upvoted 2 times

  sf2020 6 months, 1 week ago


Because the image shows in case the user does not respond “take recommendations “
upvoted 1 times

  Bluediamond 2 months, 3 weeks ago


Yes but no where in the question does it state that User 3 is "Self". Therefore I think it would be "User 2 will retain the Password
administrator role"
upvoted 1 times

  aythan09 6 months ago


Question #1 - User3 can perform Review1 for "User3 only"
Question #2 - If User2 fails to complete Review1 by March 20, 2019 - User3 will receive a confirmation request.
Big question is what are the defaults of Advanced Settings:
1. Show recommendations Enable (default)
2. Require reason on approval Enable (default)
3. Mail notification Enable (default)
4. Reminders Enable (Default)
When you look at the example... instead of "Remove access" and replace with "Take recommendations" which just means the defaults.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#risk-level
upvoted 3 times

  Srini300 5 months, 2 weeks ago


This is a one time review hence runs right after the policy is created.
User 3 gets a notification for other users including user2 as he is also a Global admin.
Actions are not applied automatically as "Upon completion settings" is disabled which means reviewer/GlobalAdmin needs to take actions


manually?

conclusion, User 2 will retain his privilege until himself or Global Admin takes actions. Policy just flags it as non compliance??
upvoted 4 times

  mackc13 5 months ago


https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-
review#:~:text=Use%20the%20Should%20reviewer%20not,user's%20access%20will%20be%20removed.

Answer is correct.

The user2 will retain the role until the user3 made the decision to remove the access or leave the user's access unchanged. Since the "auto
apply results" is disabled, the user3 will receive mail notification on the decision of the access review.
upvoted 4 times

  gfhbox0083 4 months, 4 weeks ago


User 3 Only.
User2 will retain the Password admin role.
upvoted 2 times

  gboyega 4 months, 3 weeks ago


1. User 3 only ( because reviewers are set to self)
2. User 2 will retain the password administrator role ( because the user already signed in at least once in 30 days, or 20 days in this case)
upvoted 4 times

  Exam_Master_Me 4 months, 2 weeks ago


Quite Simple, we have 4 options:
"Use the (Should reviewer not respond list) to specify what happens for users that are not reviewed by the reviewer within the review
period. This setting does not impact users who have been reviewed by the reviewers manually. If the final reviewer's decision is Deny, then
the user's access will be removed.

No change - Leave user's access unchanged (User 2 will retain the role)
Remove access - Remove user's access (role will be revoked)
Approve access - Approve user's access (no answer option)
Take recommendations - Take the system's recommendation on denying or approving the user's continued access (The current selected
option)

Since it's not set to explicit revoke, or unchanged we only have option 3 left, "retrieve a confirmation request"
upvoted 1 times

  addy007 4 months, 1 week ago


1. User3 only
2. User3 will receive a confirmation request
upvoted 2 times

  eug45 3 months, 3 weeks ago


Explanation/Reference:
Explanation:
Box 1: User3 only
Use the Members (self) option to have the users review their own role assignments.
Box 2: User3 will receive a confirmation request
Use the Should reviewer not respond list to specify what happens for users that are not reviewed by the reviewer within the review period.
This setting does not impact users who have been reviewed by the reviewers manually. If the final reviewer’s decision is Deny, then the
user’s access will be removed.
No change – Leave user’s access unchanged
Remove access – Remove user’s access
Approve access – Approve user’s access
Take recommendations – Take the system’s recommendation on denying or approving the user’s continued access
References:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review
upvoted 2 times

  doublekill 2 months, 2 weeks ago


Finally the answer, is correct?
upvoted 1 times

  kiketxu 2 months, 1 week ago


This is a one time review hence runs right after the policy is created.
User 3 gets a notification for other users including user2 as he is also a Global admin.
Actions are not applied automatically as "Upon completion settings" is disabled which means reviewer/GlobalAdmin needs to take actions
manually?

conclusion, User 2 will retain his privilege until himself or Global Admin takes actions
upvoted 1 times

  kiketxu 6 days ago


1. User3 only 
2. (User 2 is a typo in the question) User3 will receive a confirmation request
upvoted 1 times


  kiketxu 6 days ago


sorry the typo is in the answer. The correct one will be: User2 will receive a confirmation request
upvoted 1 times

  DeepMoon 1 month, 4 weeks ago


Where is the Hot Area for this question? Why don't I see it. Nor do I see any button to click on?
upvoted 4 times

  kiketxu 6 days ago


https://i.ibb.co/GVvd9c2/Capture3.jpg
upvoted 1 times

  awssecuritynewbie 1 month, 3 weeks ago


super confused here...
upvoted 1 times

  ealcober 3 weeks, 3 days ago


another bad question without select and place question. no way to learn this way
upvoted 3 times


Question #11 Topic 1

DRAG DROP -
You create an Azure subscription.
You need to ensure that you can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to secure Azure AD roles.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:


Correct Answer:

Step 1: Consent to PIM -

Step 2: Verify your identity by using multi-factor authentication (MFA)


Click Verify my identity to verify your identity with Azure MFA. You'll be asked to pick an account.
Step 3: Sign up PIM for Azure AD roles
Once you have enabled PIM for your directory, you'll need to sign up PIM to manage Azure AD roles.
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started

  junkz 1 year, 1 month ago


this is a subjective question. technically, the click flow is consent to pim in the blade->register mfa->sign up resource, however, the actual
"consent to pim" button (inside the consent to pim blade), is actually enabled after you register MFA
upvoted 2 times

  cloudera 10 months, 2 weeks ago


MFA, Consent and Signup - I think this should rather be the sequence.
upvoted 7 times

  onlyfunmails 10 months, 2 weeks ago
Agree, Even the description says, MFA is pre-requisite for enabling PIM.


upvoted 1 times

  Otto_Aulicino 10 months, 1 week ago


but when you consent to pim you are required to validate your identity using MFA. A new window pops up and you are required to
sign in with MFA, that's what this sequence means. I think the suggested answer is correct.
upvoted 4 times

  PDR 9 months ago


agree - the answer list does not include "register for MFA" (which of course is a required step) but says "verify your identity with
MFA" , so the answer provided is correct
upvoted 5 times

  Rave763 7 months, 1 week ago


Agree to your explanation
upvoted 2 times

  Cabelo 6 months, 1 week ago


Yes, this is the correct answer, you need to confirm your identity with MFA firstly as can you see in the picture - https://ibb.co/tbJ8jKt
after that you will be able to consent for PIM.
upvoted 2 times

  Sakmoto 9 months, 2 weeks ago


Go to the source mentioned at the bottom of answer and it will show you the correct steps via Microsoft. Consent, verify MFA, sign up
roles
upvoted 1 times

  dumpmaster 8 months ago


I don't need MFA for PIM, I don't see this on the Microsoft docs:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?tabs=new
upvoted 1 times

  aythan09 6 months ago


You don't need MFA to use PIM but you will need MFA to configure it.
1. You click the "Consent to Pim" button but it requires you to VERIFY YOUR IDENTITY w MFA.
2. Then you Consent.
3. Then you signup or add roles.
upvoted 1 times

  P0d 5 months, 2 weeks ago


1) Consent to PIM
2) Discover Resources
3) SignUP PIM for other AD roles
upvoted 1 times

  P0d 5 months, 2 weeks ago


1) Consent to PIM
2) Discover privileged Roles
3) Discover Resources
and then SignUp PIM for other AD roles.
upvoted 1 times

  PA 5 months ago
But after Consent to PIM , it requires you to verify your identity with MFA
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


Step 1: Consent to PIM. Step: 2 Verify your identity by using multi-factor authentication (MFA). Step 3: Sign up PIM for Azure AD roles
upvoted 8 times

  thetrapt 4 months, 3 weeks ago


Right Answer, validated here https://cloudacademy.com/course/implementing-azure-active-directory-privileged-identity-
management/enable-pim/
upvoted 2 times

  LTTAM 4 months, 1 week ago


Hey guys, is it just me or is this diagram outdated and does not apply to the current Azure interface? I can't even follow along to this
question. I did some labs and nowhere do I see anything as described in this question or the answers.
upvoted 5 times

  Bluediamond 2 months, 2 weeks ago


Agree... I tried to test it and there is no "Consent to PIM" option
upvoted 1 times

  Attaxhan 4 months ago


IN THE EXAM 
upvoted 2 times


  buyog 3 months ago


I think the correct order should be: Verify identity with MFA > Consent to PIM > Sign up PIM for Azure AD roles. You can start the process
of consenting to PIM by clicking the "consent to PIM" button first but you can't complete the process without first verifying your identity.
There is a CONSENT button that you have to click after you verify with MFA.
upvoted 1 times

  Sanju101 3 months ago


YES
NO
YES - From device in the New York office... which IP would it use Natted one or in office one? I guess in office one.
upvoted 1 times

  shivamrocks19 2 months, 3 weeks ago


1. MFA
2. Consent
3. Sign up PIM for Azure AD roles (Yes to manage AZ AD roles with PIM)
upvoted 1 times

  server1 2 months, 2 weeks ago


given answer is correct
upvoted 1 times

  guddusao 2 months, 2 weeks ago


guys... see the given image carefully, once u selected the Consent to PIM then see the right hand image. As it is asking verify your identity
with MFA now.
upvoted 2 times

  BMK 1 month, 2 weeks ago


Why can't I see the same image in my azure subscribed login? has the console GUI changed? FYI - I simply searched PIM in the search
bar and got a page that doesn't highlight the verify part as we see in this image
upvoted 1 times

  ShefAZ 1 month ago


Even I did not see the consent option
upvoted 1 times

  Seagun 1 month ago


Answer provided is correct - lecture 26 Nick Colyer 2:07 onwards
upvoted 1 times

  Stuudent 3 weeks ago


Seems outdated?

"When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in
Azure AD and selects a role (or even just visits Privileged Identity Management): We automatically enable PIM for the organization..."

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
upvoted 1 times

  realname007 2 weeks, 3 days ago


Anyone knows the correct answer for
https://freedumps.certqueen.com/2020-new-updated-microsoft-az-500-exam-dumps/
question 8
???
upvoted 1 times

  kiketxu 5 days, 23 hours ago


It's correct. MFA, Consent and Signup.
upvoted 1 times


Question #12 Topic 1

HOTSPOT -
Your company has two offices in Seattle and New York. Each office connects to the Internet by using a NAT device. The offices use the IP
addresses shown in the following table.

The company has an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

The MFA service settings are configured as shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 2: No - 
Use of Microsoft Authenticator is not required.


Note: Microsoft Authenticator is a multifactor app for mobile devices that generates time-based codes used during the Two-Step Verification
process.

Box 3: No -
The New York IP address subnet is included in the "skip multi-factor authentication for requests" list.
References:
https://www.cayosoft.com/difference-enabling-enforcing-mfa/

  Kerbob 1 year ago


10.10.0.0/16 is a private address space. Won't azure only see the public (NAT) IP? Since that is not excluded, I would think users from that
subnet (Seattle) would have to be authenticated with the Authenticator app.
upvoted 4 times

  tamilonline 1 year ago


Authenticator app is not part of user authentication method .. It can see ip details irrespective of private/public.
upvoted 6 times

  musiman 1 week, 1 day ago


The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure AD Multi-Factor Authentication,
you can only use public IP address ranges.
source: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips

MFA Server is deprecated, so that's no option anymore.


upvoted 1 times

  Zen74 7 months, 1 week ago


You are correct. I have this running in production. You put in your external IP that azure would see. So if you filter all users out a single
IP through firewall that is what you put as trusted. (in our case it is a /23 range) and set that to exclude from MFA in the Conditions-
>Locations->Exclude.
upvoted 1 times

  Mustafas 1 year ago


Authenticator App is not the available method for authenticating users in this case.
upvoted 6 times

  Sam7877 10 months, 2 weeks ago


It should be yes, no, yes
yes as the New York subnet is not trusted.
upvoted 4 times

  T11324 10 months, 1 week ago


Look at the last question, If user 2 signs in, user 1 must authenticate.. Is that a typo? Why does user 1 have to authenticate for user 2?
upvoted 7 times

  D0yle 9 months, 4 weeks ago


I think that it is typo, so I think Yes, No,Yes
upvoted 7 times

  AS007 7 months, 1 week ago


Yes,
No,
Yes - because the PIP is not listed.
upvoted 1 times

  PDR 9 months ago


that is what I was thinking . it is yes, no, no if it is not a typo as obviously there is no requirement for user 1
upvoted 2 times

  Wallace44 8 months, 2 weeks ago


The new york subnet is in trusted IPs so they wouldn't get an MFA prompt surely?
upvoted 1 times

  reklamos 8 months ago


It is a typo. It should be User2 everywhere.
upvoted 3 times

  Nikunj13 2 months, 1 week ago


It's not a typo. That's a trick question from Microsoft. Microsoft tends to do this so people read the full question.

The given answer is correct.


upvoted 1 times
  armin 8 months, 2 weeks ago


For the first statement, because user1 is Enabled and not Enforced, the MUST sounds wrong.
upvoted 5 times

  e3rh 7 months, 3 weeks ago


Yes
No
No

right ones
upvoted 16 times

  Aston1818 6 months, 2 weeks ago


I think its no for the last question as the ip given in the exception is the public NAT one!
upvoted 3 times

  Gorha 7 months, 2 weeks ago


This looks like NO, NO, NO as User1 is only MFA enabled. and given the typo in the last question
upvoted 2 times

  SIDNEY1 7 months, 2 weeks ago


The NY office isn't in the "skip from" field? So maybe it should be a Yes for 3. Yes No Yes.
upvoted 1 times

  swip 7 months, 2 weeks ago


Gorha, if you are MFA enabled it means you are required to use MFA but you have not yet completed the MFA registration. At the
next logon, once MFA registration is complete, the MFA status will automatically be updated to Enforced. Answer is Yes, No, No
upvoted 5 times

  Rave763 7 months, 1 week ago


I will go with YES, NO , NO
upvoted 6 times

  Tom84 7 months ago


Yes, No, No
upvoted 2 times

  MidCities 6 months, 3 weeks ago


On the exhibit, skip MFA for requests from federated users on my intranet is checked. However, the next option, skip MFA for requests
from following range of IP address subnets does not appear to be checked. Wouldn't this make the two IP ranges below moot for this
question? In other words, I see two (2) options to check and only one is checked. If this is true, then does that change the answer for Box 3
and if so, why, because I keep going back and forth on Box 3.
upvoted 1 times

  Prash85 6 months, 3 weeks ago


YES , NO , YES.... When looked at the solution it clearly says The New York IP address subnet is included in the "skip multi-factor
authentication for request for the third one but the answer is no which is not correct
upvoted 2 times

  Aston1818 6 months, 2 weeks ago


my question is a public NAT considered as exception?
upvoted 1 times

  Eitant 5 months, 1 week ago


Yes. The only time that the internal IP's are considered as an exception is if you are using an express route connection.
upvoted 2 times

  aythan09 6 months ago


One key item that is not mentioned is the Checkbox "Skip multi-factor authentication for requests from federated users on my intranet.
That basically means to me: You dont need to use MFA if you are in an Internal network. So the configuration of 10.10.0.0/16 in the
exclusion range is useless. Also, "connects to Internet by using a NAT device." So AZ AD will only see the P-Nat traffic since its coming from
an external tenant.
User1 signs in from IP adx 134.18.14.10, must auth via phone. - Yes
User 2 signs in from Seattle, auth via MS Auth app - No (MS Auth APP is not a method for verification)
User 2 signs in from NY, auth via phone - NO (P-Nat for NY office is in exclusion list)
upvoted 4 times

  AMZ 1 month ago


I Agree with answer Yes,No,No. One thing I would say is that you would need to specify the private IP if you had AD FS.
upvoted 1 times

  Gallager 5 months ago


The 3rd question is USER 2 - USER 2 (just finished the exam) an this one appeared.
upvoted 4 times

elphynomenon 4 months, 3 weeks ago


The views have the following values based on the MFA state of the users:


Disabled

This is the default state for a new user not enrolled in multi-factor authentication.

Enabled

The user has been enrolled in multi-factor authentication, but has not completed the registration process. They will be prompted to
complete the process the next time they sign in.

Enforced

The user may or may not have completed registration. If they have completed the registration process then they are using multi-factor
authentication. Otherwise, the user will be prompted to complete the process at next sign-in
upvoted 2 times

  elphynomenon 4 months, 3 weeks ago


Answer is going to be
YES
NO
YES

going by the explanation above


upvoted 2 times

  gboyega 4 months, 3 weeks ago


THE CORRECT ANSWER IS
YES
NO
NO

Because in the docs it is stated that


" The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure Multi-Factor Authentication, you can
only use public IP address ranges"

In this case the public Ip address is already added to the excluded ips
upvoted 8 times

  elphynomenon 4 months, 3 weeks ago


The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure Multi-Factor Authentication, you can
only use public IP address ranges.

Excerpt from microsoft website


upvoted 1 times

  Attaxhan 4 months ago


IN THE EXAM
upvoted 2 times

  eug45 3 months, 3 weeks ago


The answer given is correct.
upvoted 1 times

  Sanju101 3 months ago


YES
NO
YES - From a device in the New York office... which IP would it use, the NATed one or the in-office one? I guess the in-office one.
upvoted 1 times

  Sanju101 3 months ago


Trusted IP bypass works only from inside of the company intranet. If you select the All Federated Users option and a user signs in from
outside the company intranet, the user has to authenticate by using two-step verification.
upvoted 3 times

  awssecuritynewbie 1 month, 3 weeks ago


Exactly, so if you pay attention, the IP for the New York office is wrong, man! So it will include the MFA... so Yes, NO, YES
upvoted 1 times

  server1 2 months, 2 weeks ago


YES NO NO given answer is correct
upvoted 2 times

  Seagun 1 month ago


3rd scenario does not make sense is it referring to user 1 or user 2? don't know how you can provide an answer without knowing which
user, first 2 I agree with the answer provided
upvoted 1 times

realname007 2 weeks, 3 days ago


anyone knows the correct answer for
https://freedumps.certqueen.com/tag/az-500-exam-free-dumps-questions/
question 14
???
upvoted 1 times

  kiketxu 5 days, 23 hours ago


1. YES, that IP is not excluded.
2. NO, MS App is not allowed (the options are missing in the screenshot)
3. NO, as the IP is excluded. (considering a typo when says User1, it should refer to User2)
upvoted 1 times


Question #13 Topic 1

Your company plans to create separate subscriptions for each department. Each subscription will be associated to the same Azure Active
Directory (Azure AD) tenant.
You need to configure each subscription to have the same role assignments.
What should you use?

A. Azure Security Center

B. Azure Blueprints

C. Azure AD Privileged Identity Management (PIM)

D. Azure Policy

Correct Answer: B
Azure Blueprints lets you define a repeatable set of artifacts (role assignments, policy assignments, Azure Resource Manager templates and
resource groups) and assign that single definition to many subscriptions in the same Azure AD tenant, so every department's subscription
receives identical role assignments. Azure AD PIM manages just-in-time activation and permanent assignment of individual roles; it does not
replicate a set of assignments across subscriptions. Azure Policy and Azure Security Center do not create role assignments.
References:
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

  junkz 1 year, 1 month ago


az blueprints can also set role assignments, so technically speaking it would be more efficient to deploy the assignments than to go inside
each sub and click-create-make perm the assignments
upvoted 32 times

  Nikunj13 2 months, 1 week ago


Yes, the answer should be Azure Blueprint.
upvoted 2 times

  Oz 12 months ago
the same question is answered later with Azure Blueprint and reference provided covers the question 100%
So correct answer is Azure Blueprint
upvoted 31 times

  CheeZee 8 months, 3 weeks ago


The answer is definitely Azure Blueprints
upvoted 7 times

  kk1 8 months, 1 week ago


it must be B
upvoted 2 times

  goofyfoot 7 months, 2 weeks ago


Agreed, Blueprints https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
upvoted 2 times

  IsildursHeir 7 months, 1 week ago


Absolutely. Very clearly outlined here.
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview#blueprint-definition
upvoted 1 times

  Gorha 7 months, 2 weeks ago


B is correct!
upvoted 3 times

  AS007 7 months, 1 week ago


Correct - B. Azure Blueprints
upvoted 1 times

  gcpora 7 months ago


Its Azure Blueprint.
upvoted 1 times

  Prash85 6 months, 3 weeks ago


Its Azure Blueprint the same questions is answered as Azure Blueprint in upcoming questionaries
upvoted 1 times
  jjccie 6 months, 2 weeks ago


Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects
and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an
organization's standards, patterns, and requirements.

Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
Role Assignments
Policy Assignments
Azure Resource Manager templates
Resource Groups
upvoted 2 times

  Rajuuu 6 months, 1 week ago


Answer is B - Azure Blueprints
upvoted 2 times

  JVRAO 6 months ago


Management group option is helpful but this is not in the choices. Then it should be Blueprint.
upvoted 1 times

  kristiann21 5 months, 4 weeks ago


azure blueprints
upvoted 1 times

  lnn_az 5 months, 3 weeks ago


Management Groups or Azure Blueprint.
Correct Answer is Azure Blueprint
upvoted 1 times

  naarevalog 5 months, 2 weeks ago


Is a Blueprint
upvoted 1 times

  Sujoy 5 months, 1 week ago


Blueprint for sure. Maybe Blueprint should be renamed CarbonCopy
upvoted 1 times

  Tinus087 5 months ago


if everyone in this discussion agrees with answer B, why is it not updated?

I don't pretend to know everything about Azure, but the fierce discussions per question make me wonder if this platform is good enough
for my exam preparations.

I know this message is moderated before publishing. Please do something about the quality.
upvoted 3 times

  gfhbox0083 4 months, 4 weeks ago


B for sure,
Azure Blueprints
upvoted 2 times

  nenoAZ 4 months, 2 weeks ago


Hi, I'm not sure, but.. could it be PIM? Because Blueprints is still in preview and Microsoft does not recommend previews in production
environments. What do you think about it?
upvoted 1 times

  sanjayb 4 months, 1 week ago


PIM allows you to set 'Administrative' roles but the question doesn't specify the type of roles so Azure Blueprint is an appropriate
answer.
upvoted 1 times

  jakobaszek 4 months, 2 weeks ago


C) Blueprint -> Role Assignment -> Add an existing user or group to a built-in role to make sure the right people always have the right
access to your resources. Role assignments can be defined for the entire subscription or nested to a specific resource group included in
the blueprint.
upvoted 2 times

  Attaxhan 4 months ago


IN THE EXAM
upvoted 2 times

  Roy_Batty 2 months, 3 weeks ago


Definitely B
upvoted 1 times

  reggaebauy 1 month ago



I think B. Blueprints can be deployed to multiple subscriptions at the same time.


Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
Role Assignments
Policy Assignments
Azure Resource Manager templates (ARM templates)
Resource Groups
upvoted 1 times

  Israel1 4 weeks, 1 day ago


Answer is Blueprints
upvoted 2 times

  Mehblah 1 week, 6 days ago


Azure Blueprint
upvoted 1 times


Question #14 Topic 1

HOTSPOT -
You have an Azure Container Registry named Registry1.
You add role assignment for Registry1 as shown in the following table.

Which users can upload images to Registry1 and download images from Registry1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: User1 and User4 only -

Owner, Contributor and AcrPush can push images.

Box 2: User1, User2, and User4 -

Owner, Contributor, Reader, AcrPush and AcrPull can pull images. AcrImageSigner grants only the right to sign images, so a user holding just
that role can neither push nor pull.

References:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles

  Bizzle 7 months, 3 weeks ago


Upload Image: User 1 and User 4
Down load image: User 1,2 and 4

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles
upvoted 13 times

  AS007 7 months, 1 week ago


Correct Answers
upvoted 2 times

  Rajuuu 6 months ago


The upload image may need signing .
Upload Image :- User 1, User 3 and User 4
Download Image :- User 1, 2 and 4
upvoted 1 times

  kristiann21 5 months, 4 weeks ago


Wrong. Signer has only signing rights and nothing else.

Refer to the authorization matrix here https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles

Suggested answers are correct.


upvoted 2 times

  gfhbox0083 4 months, 4 weeks ago


Answers are correct
upvoted 2 times

  Spamuel 4 months, 1 week ago


Suggested answers are correct
upvoted 1 times

  Attaxhan 4 months ago


IN THE EXAM
upvoted 3 times

  angelsrp 3 months, 1 week ago


Answers are correct
upvoted 2 times

  pkasthur 2 months, 1 week ago


answers are correct
upvoted 1 times

  atulg 2 months ago


AcrPush doesn't have pull image rights, so how can User1 pull images?
upvoted 1 times

  atulg 2 months ago


please ignore. Wrong question.
upvoted 1 times


Question #15 Topic 1

You have an Azure subscription.


You create an Azure web app named Contoso1812 that uses an S1 App service plan.
You create a DNS record for www.contoso.com that points to the IP address of Contoso1812.
You need to ensure that users can access Contoso1812 by using the https://www.contoso.com URL.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Turn on the system-assigned managed identity for Contoso1812.

B. Add a hostname to Contoso1812.

C. Scale out the App Service plan of Contoso1812.

D. Add a deployment slot to Contoso1812.

E. Scale up the App Service plan of Contoso1812.

Correct Answer: B (the second required action, uploading a PFX certificate and binding it to the hostname, is missing from the listed options)
B: Map the custom DNS name to the web app by adding www.contoso.com as a hostname on Contoso1812. For the www name you create a
"CNAME" record pointing at the app's default hostname; for the root domain you create an "A" record pointing at the app's IP address
together with a "TXT" record that App Service uses to verify that you own the domain.
For https://www.contoso.com to work, the hostname also needs a TLS certificate bound to it: upload the certificate as a PFX file to
Contoso1812 and create the binding for www.contoso.com.
E is not required. Custom domains need a paid tier (Shared, Basic, Standard, Premium, or Consumption for Azure Functions), and TLS
bindings need Basic or higher; an S1 plan is already in the Standard tier, so there is nothing to scale up. Scaling up only matters when
the app runs on the Free (F1) tier.
References:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

  deniskh 11 months, 2 weeks ago


According to other sources, there is also a F answer for this question that is actually the right answer. "F. Upload a PFX file to
Contoso1812". To access via HTTPS, you need to upload PXF file. The right answers are B & F.
upvoted 42 times

  IsildursHeir 7 months, 1 week ago


This is spot on.
upvoted 4 times

  kainme 1 month, 4 weeks ago


right.
upvoted 1 times

  DINESHAJ10 10 months, 3 weeks ago


S1 App Service plan is already eligible for SSL, so no need to scale up.
upvoted 5 times

  cloudera 10 months, 2 weeks ago


S1 Service plan already supports custom domains and SSL.

As the second answer we could chose "adding deployment slot" for safety reason but again it is not a necessity for user to access the
website.

NOT A VERY GOOD QUESTION.


upvoted 5 times

  AP_Singh 10 months, 1 week ago


S1 already has support for custom domains, no need to scale
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
upvoted 1 times

  barchetta 9 months, 2 weeks ago
F1 is the free tier not s1. Perhaps this was a change.
upvoted 1 times

  e3rh 7 months, 3 weeks ago


yes 'deniskh' comment is right, should be also F answer which makes correct answer to be:
B
F
upvoted 2 times

  Zen74 7 months, 1 week ago


Yeah, I run many prod web apps on S1 with custom domains... so this is wrong, no need to scale to implement custom DNS.
upvoted 2 times

  Prash85 6 months, 3 weeks ago


"F. Upload a PFX file to Contoso1812".
upvoted 1 times

  Borris69 6 months, 2 weeks ago


It says https://www.contoso.com, and S1 doesn't support HTTPS. This is why you need to scale up.
upvoted 1 times

  armin 6 months, 2 weeks ago


This is not correct.
Secure Sockets Layer (SSL) Certificates for custom domains is available on Basic, Standard, and Premium service plans. SSL Certificates
enables secure connections (https://) to your custom domain Website.
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
upvoted 1 times

  Remco 6 months, 2 weeks ago


Not true.
S1 is a standard service plan which includes SSL.
MS:
SSL Connections
Azure App Service supports two types of SSL connections: Server Name Indication (SNI) SSL Connections and IP Address SSL
Connections. SNI-based SSL works on modern browsers while IP-based SSL works on all browsers.

There is no charge to use SNI-based SSL. Standard and Premium service plans include the right to use one IP SSL at no additional
charge. Free and shared service plans do not support SSL. You can purchase the right to use additional SSL connections for the rates
below. In all cases the SSL certificate itself must be purchased separately.
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
upvoted 1 times

  aythan09 6 months ago


In case there is not an F answer:
Add a hostname (since its a custom domain and the hostname needs to be configured)
Add a deployment slot (S1 Standard Tier Level 1 App Service supports custom domains, deployment slots, and most normal web stuff like
tls)
Im choosing deployment slot because nothing else makes sense. A deployment slot can be used as a pre-prod/staging and then easily
swapped into Prod if needed.
System identity - dont need it
Scale up - more powerful resources? S1 is enough to do it if needed.
Scale out - more vms?
upvoted 1 times

  ens1z 6 months ago


B. Add a hostname to Contoso1812.
F. Upload a PFX file to Contoso1812.

Explanation:
B: You can configure Azure DNS to host a custom domain for your web apps. For example, you can create an Azure web app and have
your users access it
using either www.contoso.com or contoso.com as a fully qualified domain name (FQDN). To do this, you have to create three records:
A root "A" record pointing to contoso.com
A root "TXT" record for verification
A "CNAME" record for the www name that points to the A record
F: To use HTTPS, you need to upload a PFX file to the Azure Web App. The PFX file will contain the SSL certificate required for HTTPS.
References: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-
domain
upvoted 4 times

  kristiann21 5 months, 4 weeks ago


This is in the exam. Correct answers.
1. Add hostname
2. Upload .pfx
upvoted 8 times

  iseemoya 4 months ago


https://vceguide.com/which-two-actions-should-you-perform-622/
upvoted 2 times


  mlourh 2 months, 3 weeks ago


E is wrong, the plan is already S1; then there will be another answer, to upload the certificate so the web app will be accessible via HTTPS
upvoted 1 times

  awssecuritynewbie 1 month ago


where the hell is option F ... lol i think the image is not complete
upvoted 1 times

  kiketxu 5 days, 20 hours ago


Add hostname and upload PFX file are mandatory for this. (There is missing PFX related answer)
upvoted 1 times


Question #16 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access
policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You create a lock on Sa1.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
A resource lock (CanNotDelete or ReadOnly) only restricts Azure Resource Manager operations on Sa1 itself; it has no effect on data-plane
requests to the blob and file services, so every existing SAS keeps working.
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks
the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately
affects all of the shared access signatures associated with it. Ad hoc SASs that were not issued against a stored access policy can only be
revoked by regenerating the account key that signed them.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
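To make the revocation model concrete, here is a toy simulation of how a storage service validates a SAS and why deleting or renaming a stored access policy revokes every SAS issued against it, while a resource lock changes nothing and only key rotation kills ad hoc SASs. This is an added example, not Azure's code or the page's: the string-to-sign layout, the query-parameter names and the StorageAccount class are simplified stand-ins for the real service-SAS scheme, and the account key, container path and policy name are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class StoredAccessPolicy:
    permissions: str   # e.g. "rl" = read + list
    expiry: datetime


@dataclass
class StorageAccount:
    """Toy stand-in for a storage account: a signing key, stored access
    policies keyed by signed identifier, and a flag modelling an ARM lock."""
    key: bytes
    policies: Dict[str, StoredAccessPolicy] = field(default_factory=dict)
    locked: bool = False   # CanNotDelete/ReadOnly lock: management plane only

    def rotate_key(self) -> None:
        self.key = secrets.token_bytes(32)


def _string_to_sign(resource: str, params: Dict[str, str]) -> str:
    # Simplified canonical form: fixed field order, empty string when absent.
    order = ("sp", "se", "si", "sr", "sv")
    return "\n".join([resource] + [params.get(k, "") for k in order])


def _sign(key: bytes, data: str) -> str:
    mac = hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def make_sas(account: StorageAccount, resource: str, *,
             permissions: Optional[str] = None, expiry: Optional[datetime] = None,
             policy_id: Optional[str] = None) -> str:
    """Issue a container SAS, either ad hoc (permissions and expiry inside the
    token) or bound to a stored access policy (only the identifier is signed)."""
    params = {"sv": "2020-02-10", "sr": "c"}
    if policy_id is not None:
        params["si"] = policy_id
    else:
        if permissions is None or expiry is None:
            raise ValueError("ad hoc SAS needs permissions and expiry")
        params["sp"] = permissions
        params["se"] = expiry.strftime(TIME_FMT)
    params["sig"] = _sign(account.key, _string_to_sign(resource, params))
    return urlencode(params)


def authorize(account: StorageAccount, resource: str, sas: str,
              wanted: str, now: datetime) -> bool:
    """Server-side check. account.locked is deliberately never consulted:
    a resource lock does not gate data-plane requests."""
    params = {k: v[0] for k, v in parse_qs(sas).items()}
    presented = params.pop("sig", "")
    expected = _sign(account.key, _string_to_sign(resource, params))
    if not hmac.compare_digest(presented, expected):
        return False                      # rotated key or tampered token
    if "si" in params:
        policy = account.policies.get(params["si"])
        if policy is None:
            return False                  # policy deleted or renamed: revoked
        perms, expiry = policy.permissions, policy.expiry
    else:
        perms = params.get("sp", "")
        expiry = datetime.strptime(params["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False
    return all(p in perms for p in wanted)


def revocation_demo() -> Dict[str, Dict[str, bool]]:
    """Walk an account through lock, policy deletion and key rotation and
    record whether an ad hoc SAS and a policy-bound SAS still authorize."""
    now = datetime(2020, 11, 27, tzinfo=timezone.utc)
    container = "/sa1/container1"                  # constructed sample path
    acct = StorageAccount(key=secrets.token_bytes(32))
    acct.policies["partner-read"] = StoredAccessPolicy("rl", now + timedelta(days=365))
    ad_hoc = make_sas(acct, container, permissions="rl", expiry=now + timedelta(days=365))
    via_policy = make_sas(acct, container, policy_id="partner-read")
    results: Dict[str, Dict[str, bool]] = {}

    def snapshot(label: str) -> None:
        results[label] = {"ad_hoc": authorize(acct, container, ad_hoc, "r", now),
                          "policy": authorize(acct, container, via_policy, "r", now)}

    snapshot("initial")
    acct.locked = True                  # Question #16: the lock changes nothing
    snapshot("after_lock")
    del acct.policies["partner-read"]   # revokes every SAS bound to the policy
    snapshot("after_policy_delete")
    acct.rotate_key()                   # the only way to kill the ad hoc SAS
    snapshot("after_key_rotation")
    return results


if __name__ == "__main__":
    for step, outcome in revocation_demo().items():
        print(f"{step:22s} {outcome}")
```

The design point a practitioner should take from this: issue SASs against stored access policies wherever the client can tolerate it, because that gives you a revocation switch that does not force a disruptive account-key rotation.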

  kristiann21 5 months, 4 weeks ago


Correct Answer.
upvoted 2 times

  maj79 5 months, 1 week ago


agree to the answer
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


B, for sure
upvoted 1 times

  kiketxu 2 months ago


Agree with you. it must be a NO, because any lock doesn't revoke the access.
upvoted 1 times

  Attaxhan 4 months ago


IN THE EXAM
upvoted 1 times

  VinciTheTechnic1an 1 month, 4 weeks ago


NO, user must use a policy.
upvoted 1 times

  ShefAZ 1 month ago


How to delete a SAS? It means I can generate it again by changing variables, but I am not able to delete it.
upvoted 1 times

  musiman 1 week, 1 day ago


Not the SAS, but the Stored Access Policy should be deleted. You can create a SAS based on a Stored Access Policy. When you delete the
Stored Access Policy, all the SAS uri's that were created based on this Stored Access Policy, will stop working.
upvoted 1 times

  Sam_samules 16 hours, 14 minutes ago


Lock would ensure no deletion, but resources can still access it.
IMO B is the correct answere.
https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations
upvoted 1 times


Question #17 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy Azure Active Directory Domain Services (Azure AD DS) to the Azure subscription.
Does this meet the goal?

A. Yes

B. No

Correct Answer: A
HDInsight clusters with the Enterprise Security Package authenticate domain users against Azure Active Directory Domain Services (Azure AD
DS), not directly against on-premises domain controllers. In a hybrid configuration the on-premises identities are already synchronized to
Azure AD by Azure AD Connect; deploying Azure AD DS into a virtual network the cluster can reach (with Secure LDAP enabled) lets users sign
in to the cluster with their on-premises credentials.
Caveat: Azure AD Connect must be running password hash synchronization so that the managed domain receives usable credential hashes;
with pass-through authentication or federation alone, synchronized users cannot authenticate to Azure AD DS.
References:
https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture

  Adamasbue 1 year ago


Wrong: https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture
upvoted 17 times

  PlasticMind 11 months ago


Azure AD Domain Services is the only supported way for HDInsight cluster integration with Active Directory. So AAD Connect
to synchronise identities from an on-premises Active Directory to Azure AD, and then Azure AD Domain Services for the HDInsight
integration
upvoted 8 times

  ochiwi 7 months, 2 weeks ago


i agree since there's indication that a setup of an Azure AD exists which is a requirement for HD insight, should work...
upvoted 1 times

  barchetta 10 months ago


The question indicates ad is in hybrid mode already. However, there is no network connectivity so that has to be done. So I guess I agree
with the answer.
upvoted 5 times

  e3rh 7 months, 3 weeks ago


correct answer is A.
ofc ADDS is a requirements to integrate hdinsight with aad.
upvoted 5 times

  swip 7 months, 2 weeks ago


Contentious question at best, I would suggest though the answer is no. Although enabling Azure AD DS would allow you to join the HD
Insight cluster to domain services and therefore support AD integration, the question stipulates the ON PREMISE AD credentials are
used.

As they already have a hybrid environment set up, I believe access to the existing DCs is required to satisfy the question. Enabling Azure
AD DS is really only recommended for legacy applications that require AD DS when you do not already have domain services;
although it will replicate the users with a sync engine in the background, I hesitantly say the suggested answer is correct on a
technicality.........

Additionally I agree that interpretation is certainly open to challenge, and furthermore these HDInsight questions seem to be well out of
scope of this exam and ambiguous at best
upvoted 5 times

swip 7 months, 2 weeks ago


Oh, one more thing I just realised: enabling Azure AD DS would actually only work if password hash sync was enabled. If AAD Connect
was set up to use pass-through or ADFS then Azure AD DS wouldn't work anyway; I guess that further supports the suggested answer
upvoted 3 times

  Root_Access 6 months, 1 week ago


Adamasbue is correct, following the link you will find:
• An Active Directory domain (managed by Azure AD DS). The domain name must be 39 characters or less to work with Azure HDInsight.
• Secure LDAP (LDAPS) enabled in Azure AD DS.
• Proper networking connectivity from the HDInsight virtual network to the Azure AD DS virtual network, if you choose separate virtual
networks for them. A VM inside the HDInsight virtual network should have a line of sight to Azure AD DS through virtual network peering.
If HDInsight and Azure AD DS are deployed in the same virtual network, the connectivity is automatically provided, and no further action is
needed.
upvoted 1 times

  Rajuuu 6 months, 1 week ago


Answer needs to be Yes, as AD DS enables user authentication and then syncs with the Active Directory.
upvoted 1 times

  lnn_az 5 months, 3 weeks ago


Correct Answer is A.
https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds
upvoted 3 times

  mail4sks 5 months, 1 week ago


I am confused, but look at the question: it says "You have a hybrid configuration of Azure Active Directory (Azure AD)". Does it not mean
that the virtual network configuration part which is given under the explanation is already in place? If yes then the right answer should be
A
upvoted 1 times

  PA 5 months ago
just wanted to confirm ,if correct ans is B ?
upvoted 2 times

  gfhbox0083 5 months ago


A, for sure.
upvoted 2 times

  Hemn1990 4 months, 4 weeks ago


You have a hybrid environment so AD DS is already in place; you would need a site-to-site VPN, so the answer is no.
upvoted 6 times

  gboyega 4 months, 3 weeks ago


Answer should be YES
In the docs, AADDS is a prerequisite for HDInsight
https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds
upvoted 1 times

  slyBabs 4 months ago


https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-create-configure-enterprise-security-cluster
Correct answer should be A
upvoted 2 times

  bj112 2 months ago


Ans:A
ADDS is a required to integrate hdinsight with AAD
upvoted 1 times

  awssecuritynewbie 1 month, 3 weeks ago


I would say NO!
because you do need the networking part to be done such as VPN site to site connection and etc
upvoted 1 times

  reggaebauy 1 month ago


I think "B" is correct. Please note that the question reads that you have a Azure AD Hybrid not a Hybrid Cloud.
upvoted 2 times

  ndowson 2 weeks ago


No Mention of ESP in the question , so answer is no..B
upvoted 1 times


Question #18 Topic 1

Your network contains an Active Directory forest named contoso.com. You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to configure synchronization by using the Express Settings installation option in Azure AD Connect.
You need to identify which roles and groups are required to perform the planned configuration. The solution must use the principle of least
privilege.
Which two roles and groups should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. the Domain Admins group in Active Directory

B. the Security administrator role in Azure AD

C. the Global administrator role in Azure AD

D. the User administrator role in Azure AD

E. the Enterprise Admins group in Active Directory

Correct Answer: CE
The Express Settings wizard prompts for two sets of credentials: an Active Directory Enterprise Admin account, used once to create the AD DS
connector account and grant it the permissions it needs in the forest, and an Azure AD Global Administrator account, used to create the
Azure AD connector account and configure the tenant. Domain Admins in Active Directory and the Security administrator or User
administrator roles in Azure AD are not sufficient for the Express installation.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

  Solanki 6 months, 3 weeks ago


Correct Answer as per provided link.
In Express settings, the installation wizard asks for the following:

AD DS Enterprise Administrator credentials


Azure AD Global Administrator credentials
upvoted 8 times

  farslayer9 6 months, 1 week ago


Wrong, the provided answer is correct: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-express
upvoted 1 times

  stewfreed 1 day, 5 hours ago


C and E are the good answer.
Here is the prerequisite.
Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites
Excerpt:
-->Accounts
You must have an Azure AD Global Administrator account for the Azure AD tenant you want to integrate with. This account must be a
school or organization account and can't be a Microsoft account.
If you use express settings or upgrade from DirSync, you must have an Enterprise Administrator account for your on-premises Active
Directory.
upvoted 1 times

  gfhbox0083 5 months ago


C, E, for sure.
Role ==> Global administrator
Group ==> Enterprise Admins
upvoted 5 times

  gfhbox0083 4 months, 4 weeks ago


C, E for sure.
The Global administrator role in Azure AD
The Enterprise Admins group in Active Directory
upvoted 2 times

  AZ_Student 3 months, 1 week ago


The suggested answer is correct C and E.
upvoted 2 times

  abosa 87 3 months ago


Answre is C, E
upvoted 3 times

  bj112 2 months ago


CE is correct 
upvoted 1 times


  VinciTheTechnic1an 1 month, 4 weeks ago


C and E are correct.
upvoted 1 times


Question #19 Topic 1

DRAG DROP -
You create an Azure subscription with Azure AD Premium P2.
You need to ensure that you can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to secure Azure AD roles.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:

Correct Answer:

  AS007 7 months, 1 week ago


Correct Answer
upvoted 5 times

  pi3r 6 months, 2 weeks ago


Not sure about the order of the first 2..
We need to click on "Consent to Pim" but the first action is to login with MFA before "Consent"..
Another trouble question. I think the "Login with MFA" should be first but not sure..
Some screenshot with action order are available here: https://inyourcloud.fr/azure-pim/
upvoted 4 times

  aythan09 6 months ago


Wrong answer...
1. Verify your identity with MFA
2. Consent to PIM
3. apply/select AZ AD roles
upvoted 11 times

  kristiann21 5 months, 4 weeks ago


precise answer 
upvoted 1 times


  P0d 5 months, 2 weeks ago


Just confirm:
1) Consent to PIM (You need permission to PIM as you need subscription owner role)
2) Discover Privileged roles (Need to discover Privileged account,Security account and other account roles)
3) Discover Resources (need to activate subscription which will be applied)
upvoted 2 times

  P0d 5 months, 2 weeks ago


MFA recommended, but not required
upvoted 2 times

  Bluediamond 2 months, 3 weeks ago


Agreed... MFA is not required - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
upvoted 1 times

  hhexam 5 months ago


I think:
1 - Consent to PIM
2 - Sign up PIM for Azure AD roles
3 - Discover privileged roles
upvoted 2 times

  MagnusFA 5 months ago


Reviewed the O'Reilly tutorial and confirm it's
1. Verify your identity with MFA
2. Consent to PIM
3. Sign up PIM for AAD Roles
upvoted 3 times

  thetrapt 4 months, 3 weeks ago


I think your answer is wrong. According to https://www.youtube.com/watch?v=0HSLrB_Ph-4, to enable PIM:
1. Consent to PIM
2. Verify your MFA
3. Sign up PIM for AAD Roles.
upvoted 11 times

  ddmoto 4 months, 2 weeks ago


As per your video, action-wise it's
1. Verify your identity with MFA(This is the first action that you take, this option is visible in consent to pim option though)
2. Consent to PIM
3. Sign up PIM for AAD Roles
upvoted 2 times

  Zjorzke 4 months, 1 week ago


Answer is in steps:
Verify id through mfa
Consent to pim
Sign up pim for azure ad roles

The first are initiated by starting the “Consent to pim” process

See in the transcript: https://cloudacademy.com/course/implementing-azure-active-directory-privileged-identity-management/enable-pim/
upvoted 2 times

  Attaxhan 4 months ago


IN THE EXAM
upvoted 2 times

  Attaxhan 4 months ago


IN THE EXAM
upvoted 6 times

  bj112 2 months ago


Ans is correct
1. click on consent to PIM
2. It will ask to verify your identity using MFA
3. once identity is verified, login again and go to Manage roles
upvoted 2 times

  rand1220 1 month ago


What’s the source of your response?

Some persons argued in earlier posts that MFA comes before consenting to PIM
upvoted 1 times 
  Stuudent 2 weeks, 6 days ago

Outdated?

When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in
Azure AD and selects a role (or even just visits Privileged Identity Management):

We automatically enable PIM for the organization

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
upvoted 2 times

  AnxiousKid 6 days, 13 hours ago


What is the correct answer on this item?
upvoted 1 times

Question #20 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy an Azure AD Application Proxy.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
Instead, you connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway.
Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions:
✑ Create Azure Virtual Network.
✑ Create a custom DNS server in the Azure Virtual Network.
✑ Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver.
✑ Configure forwarding between the custom DNS server and your on-premises DNS server.
Reference:
https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network

  gfhbox0083 4 months, 4 weeks ago


B, for sure.
upvoted 7 times

  orekz 4 months, 1 week ago


Definitely, B is the correct answer
upvoted 3 times

  AZ_Student 3 months, 1 week ago


Absolutely, B.
upvoted 2 times


Question #21 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access
policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You regenerate the access keys.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
Instead you should create a new stored access policy.
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks
the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately
affects all of the shared access signatures associated with it.
Reference:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
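An added Python model (constructed for this page, not Azure's own code and not Azure's real string-to-sign format) of the two revocation paths at issue here: deleting or renaming the stored access policy a SAS references, and regenerating the account key that signed it. The account name, key names, container names and policy identifier are assumptions.

```python
"""Model of SAS revocation in an Azure-Storage-like service (constructed example).

Two revocation paths are modelled:
  1. delete or rename the stored access policy the SAS references;
  2. regenerate the account key that signed the SAS.
The string-to-sign is a simplified stand-in for Azure's canonical format.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class StorageAccount:
    """Stand-in for a storage account: two account keys and, per container,
    stored access policies keyed by signed identifier (assumed layout)."""
    name: str
    keys: dict = field(default_factory=dict)      # key name -> key bytes
    policies: dict = field(default_factory=dict)  # container -> {identifier: permissions}

    @staticmethod
    def create(name):
        acct = StorageAccount(name)
        acct.keys = {"key1": secrets.token_bytes(32), "key2": secrets.token_bytes(32)}
        return acct

    def regenerate_key(self, key_name):
        """Rotate one account key; every SAS signed with the old value stops validating."""
        self.keys[key_name] = secrets.token_bytes(32)

    def set_policy(self, container, identifier, permissions):
        self.policies.setdefault(container, {})[identifier] = permissions

    def revoke_policy(self, container, identifier):
        """Delete the policy; renaming the identifier has the same effect on lookups."""
        self.policies.get(container, {}).pop(identifier, None)


def _string_to_sign(account, container, permissions, expiry, identifier):
    # Simplified stand-in for the canonical string-to-sign (assumption).
    return "\n".join([permissions, expiry, f"/{account}/{container}", identifier])


def sign_sas(acct, key_name, container, permissions="", expiry="", identifier=""):
    """Issue a SAS. When a stored access policy is referenced, permissions and
    expiry come from the policy at verification time, so the token carries
    only the signed identifier (si) plus the HMAC over the string-to-sign."""
    if identifier:
        permissions, expiry = "", ""  # defined by the policy, not the token
    msg = _string_to_sign(acct.name, container, permissions, expiry, identifier)
    sig = hmac.new(acct.keys[key_name], msg.encode(), hashlib.sha256).digest()
    return {"sr": container, "sp": permissions, "se": expiry, "si": identifier,
            "sig": base64.b64encode(sig).decode()}


def verify_sas(acct, token):
    """Return (ok, reason). The policy association is checked first; then the
    signature is tried against every current key, as a token does not say
    which of the two keys produced it."""
    if token["si"]:
        policy = acct.policies.get(token["sr"], {}).get(token["si"])
        if policy is None:
            return False, "stored access policy deleted or renamed"
    msg = _string_to_sign(acct.name, token["sr"], token["sp"], token["se"], token["si"])
    expected = base64.b64decode(token["sig"])
    for key in acct.keys.values():
        candidate = hmac.new(key, msg.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(candidate, expected):
            return True, "signature valid"
    return False, "signing key regenerated"


def demo():
    """Walk both revocation paths and return the verification outcome at each step."""
    acct = StorageAccount.create("sa1")
    acct.set_policy("blobs", "policy-1", "rl")
    policy_sas = sign_sas(acct, "key1", "blobs", identifier="policy-1")
    adhoc_sas = sign_sas(acct, "key1", "files", permissions="r", expiry="2030-01-01")
    results = {"before": (verify_sas(acct, policy_sas)[0], verify_sas(acct, adhoc_sas)[0])}
    acct.revoke_policy("blobs", "policy-1")  # path 1: only policy-bound SAS dies
    results["after_policy_revoke"] = (verify_sas(acct, policy_sas)[0],
                                      verify_sas(acct, adhoc_sas)[0])
    acct.regenerate_key("key2")  # key1 signed the token, so no effect
    results["after_key2_regen"] = verify_sas(acct, adhoc_sas)[0]
    acct.regenerate_key("key1")  # path 2: the signing key is gone
    results["after_key1_regen"] = verify_sas(acct, adhoc_sas)[0]
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```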

  Adamasbue 1 year ago


Wrong, the SAS of a SAP is generated with keys
upvoted 14 times

  anonymous654 11 months ago


SAS signatures must be signed by the Access Keys. Since Access Policies make use of SAS, ultimately, if you regenerate Access Keys, all the
SAS which are dependent on the Access Keys will be invalidated. So it should be "yes".
upvoted 32 times

  PJR 9 months, 2 weeks ago


I think the answer is correct - this link outlines the way a SAS signature can be revoked - https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-storage-sharedaccesssignature-permissions#shared-access-signatures

This states 4: the ACCOUNT key that was used to create the SAS was regenerated.

The answer states the "access" key - therefore I believe the answer to be correct as stated.
upvoted 12 times

  Tango 9 months, 1 week ago


I agree.
upvoted 2 times

  Gorha 7 months, 2 weeks ago


What is the difference between the Account Key and Access Key?
upvoted 3 times

  levo017 3 months ago


Account Key is the access key for storage account, so they are the same thing.
https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-add-storage
upvoted 1 times

  faltu1985 6 months, 3 weeks ago


I think ans needs to be Yes -
https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-storage-sharedaccesssignature-permissions#shared-access-signatures

This states 4: the ACCOUNT key that was used to create the SAS was regenerated.
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal
upvoted 2 times

  faltu1985 6 months, 3 weeks ago
I just tested it also. Ans should be Yes

upvoted 2 times

  Derek_O2018 6 months, 3 weeks ago


The answer should be yes. An access key is the same as an account key. This code snippet is my reference:
# Get the access key for the Azure Storage account
$storageAccountKey = (Get-AzStorageAccountKey `
-ResourceGroupName $resourceGroupName `
-Name $storageAccountName)[0].Value
upvoted 2 times

  Root_Access 6 months, 2 weeks ago


The answer should be yes, go on the page to create a SAS, there is an information icon next to signing key, once you hover over it, it says:
When you regenerate your access keys, you must update any Azure resources and applications that access this storage account to use the
new keys. Additionally, any existing SAS tokens will also need to be regenerated. This action will not interrupt access to disks from your
virtual machines.
So regenerating your access key that was used to sign your SAS will revoke access.
upvoted 2 times

  GregP 6 months, 1 week ago


it says "by using several shared access signatures (SASs) and stored access policies" so wouldn't changing the keys be an overkill? you
could just generate new SAS or policy? therefore making the answer "no"
upvoted 2 times

  aythan09 6 months ago


Revoking the access keys invalidates all SAS policies. Overkill or not, it is one method.
upvoted 1 times

  kristiann21 5 months, 4 weeks ago


Wrong Answer. Wrong Answer Wrong Answer.

Regenerating access keys will invalidate the SAS signed by the access key.

So when presented with a Shared Access Signature, the signature will be verified by the signer. Who signed the SAS? Well, one of the
access keys was used to sign the SAS. Now that the access keys are regenerated, it renders the old SAS ineffective.
upvoted 7 times

  kratos13 5 months ago


The answer to this completely contradicts Topic1, Question2 ::

You have an Azure Subscription named Sub1.


You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored
access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You create a new stored access policy.
Does this meet the goal?

Correct Answer: A
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier
breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy
immediately affects all of the shared access signatures associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
upvoted 1 times

  gfhbox0083 5 months ago


A, for sure
upvoted 4 times

  gboyega 4 months, 3 weeks ago


The Answer is YES
In the docs checked no 4, it says regenerating an access key causes the SAS to fail
https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-storage-sharedaccesssignature-permissions#shared-access-signatures
upvoted 7 times

  sanjayb 4 months, 1 week ago


Correct answer is A since it doesn't specify which Access Key has been regenerated (Key1 or Key2).
Storage Access Policies use 'Key1' to generate the signature. So, if you regenerate key2, it won't have any affect on the signature.
upvoted 2 times

  LTTAM 4 months ago


WRONG ANSWER. It is YES. As per Microsoft:

"A shared access signature URI is associated with the account key used to create the signature, and the associated stored access policy (if
any). If no stored access policy is specified, the only way to revoke a shared access signature is to change the account key."

Here is the link: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-storage-sharedaccesssignature-permissions#shared-access-signatures


upvoted 3 times

  kiketxu 5 days, 20 hours ago


Totally agree. Thanks for explaining it well. It's a YES.
upvoted 1 times

  wzlinux 2 months, 2 weeks ago


A is right for me
upvoted 1 times

  Tirzak 2 months ago


Correct answer: A because generating the access keys would void any existing shared access signatures.
upvoted 1 times

  VinciTheTechnic1an 1 month, 4 weeks ago


NO, it must be a stored access policy
upvoted 1 times

  Shaw90 1 month, 1 week ago


Please read this:
https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-storage-sharedaccesssignature-permissions#shared-access-signatures
upvoted 1 times

  Kamal_SriLanka 1 week, 6 days ago


The answer is YES. Tested and working.
upvoted 1 times


Question #22 Topic 1

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

Azure AD Privileged Identity Management (PIM) is enabled for the tenant.


In PIM, the Password Administrator role has the following settings:
✑ Maximum activation duration (hours): 2
✑ Send email notifying admins of activation: Disable
✑ Require incident/request ticket number during activation: Disable
✑ Require Azure Multi-Factor Authentication for activation: Enable
✑ Require approval to activate this role: Enable

Selected approver: Group1 -

You assign users the Password Administrator role as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Yes -
Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to
the role at all times.

Box 2: No -
MFA is disabled for User2 and the setting Require Azure Multi-Factor Authentication for activation is enabled.
Note: Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor
authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.


Box 3: Yes -
User3 is a member of Group1, which is the selected approver group.
Reference:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles

  JohnCrawford 1 year, 1 month ago


I believe your written answers are correct, but the graphic shows the exact opposite of the written answers.
upvoted 46 times

  ForeverStudent 8 months, 3 weeks ago


Agree with JohnCrawford, the explanation text is correct but the answer image shows the exact opposite.
upvoted 2 times

  e3rh 7 months, 3 weeks ago


right answers:
No
Yes
Yes
upvoted 2 times

  RStover 7 months, 1 week ago


Nope. Y N Y is the right answer
upvoted 12 times

  chotonee 7 months, 2 weeks ago


@e3rh could you explain your claims?
Thanks
upvoted 1 times

  bkaage 7 months, 2 weeks ago


This should be
Yes - the wording is ambiguous but if the user is active as a Password admin they have it without request
Yes - A user showing Disabled for MFA just means they haven't set it up and will be prompted to do so when applicable. It does not disable
MFA for the user - see this article - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Yes - Yes the user can approve their own request
upvoted 6 times

  Gorha 7 months, 2 weeks ago


Per the link:
Disabled = user not enrolled in Azure Multi-Factor Authentication
Enabled = The user has been enrolled in Azure Multi-Factor Authentication, but hasn't registered. They receive a prompt to register the
next time they sign in
That makes the answer: NO, NO, YES
upvoted 1 times

  Gorha 7 months, 2 weeks ago


Sorry for the typo, it's:
YES, NO, YES
upvoted 10 times

  swip 7 months, 2 weeks ago


bkaage, I have to disagree with your conclusion on user 2. The graphic is illustrating the old way (although still used) of implementing
MFA. When you say a user will be "prompted to do so" relating to enrolling in MFA you are correct, but there are 2 ways to enable the
requirement. In the old way, as relates to this question, you must change the user to enabled and once they have enrolled their
status changes to enforced. I believe you are getting confused with the CA based MFA enrolment, in which case you don't touch the
MFA control panel (disabled, enabled, enforced); you simply create a CA rule requiring MFA and the user is prompted at next login to fill
in the details. Although it did make me wonder if requiring the user in PIM to use MFA has the same effect (and I believe it does indeed)
making you correct, however users require at least an AD P1 license to use this which is not stated in the question. I have to conclude
JohnCrawford to be correct
upvoted 1 times

  Remco 6 months, 2 weeks ago


You are right.
When a user is active or activates, MFA is automatically requested/required.
upvoted 1 times

  awssecuritynewbie 1 month, 3 weeks ago


I don't know that they will be prompted when MFA is disabled.
"Azure Multi-Factor Authentication for activation: required" this means to enable activation you require MFA so you cannot take on a
role when you do not have MFA
upvoted 1 times

  Jhonsteve83 6 months, 3 weeks ago


Correct answer is :
Yes
No
Yes
upvoted 9 times

  djecak 6 months, 1 week ago


Users can’t approve their own requests. Tested in actual PIM deployment. So, last one is a no.
upvoted 7 times

  S202021 2 months, 3 weeks ago


Users can approve their own requests. There is a config option under PIM -> settings where the request approval can be set to no.
upvoted 2 times

  ShefAZ 1 month ago


User can't approve access grant under PIM, but can approve to retain/remove access under access review (self)
upvoted 1 times

  aythan09 6 months ago


Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor
authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges
assigned to the role at all times.

YES - User1 Assignment type is Active which allows User1 to have Password Admin role with no action.
YES - User2 has MFA disabled but "Require approval to activate this role" is Enabled. User2 can request an approval.
YES - User3 can activate a password role and approve their own request because User3 is part of Group1 which is the Selected Approver.

https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles
upvoted 6 times

  levo017 3 months ago


It's a set up requirement for User to MFA to request for admin role, and User2's MFA is disabled, so User2 cannot request for admin
role.
upvoted 1 times

  Maaarteen93 6 months ago


Hi, sorry but I tested and graph seems correct:
1: NO, the active assignment means that the role is already assigned and not re-assigned upon sign in
2: YES, User2 MFA disabled and is prompted to register it upon request, so user2 CAN request access
3: NO, You cannot approve/deny your own requests even if you are an approver for the role. (tested it)
upvoted 3 times

  lnn_az 5 months, 3 weeks ago


Just tested this in my Azure Environment.
Answer is correct in the Image
No, for User1 --> the role will be activated upon assignment. It won't wait until User1 signs in
Yes, User2 is asked to MFA verify before activation even though his MFA status is disabled
No, User3 cannot approve his/her own requests even if he/she is an approver for the role. The approval will be sent to User2 (who is
another member of Group1)
upvoted 3 times

  P0d 5 months, 2 weeks ago


Answer should be YES, YES, YES
1) YES, as it's Active and no need to be approved.
2) YES, as it's Eligible and needs to be approved. Once approved, by User2 himself or by others, depends on other configuration
3) YES, it's also assign as Eligible, so need to be approved. can request or can do by himself.
upvoted 3 times

  gboyega 4 months, 3 weeks ago


Answer is Correct
YES, NO, YES
Yes, because he is Active (no need to activate anymore)
No (because MFA is disabled)
Yes (because he is in the group of the approvals)
upvoted 8 times

  Zjorzke 4 months, 1 week ago


Mfa can be assigned specifically (enforced/enabled) or not (disabled). Mfa can also be required dynamically through conditional access,
pim or id protection, and if mfa registration has not been enforced but it is enabled for you (all users, or through group in mfa blade) you
will be asked to register before doing mfa. And both can be used at the same time. One is legacy way the other is new style.
It is tricky how the mfa status is specified. Enforced means the account has been configured specifically to always do mfa no matter what.
Disabled can mean the account has not been configured specifically to always do mfa. It could also mean the account is not a member of
the group that is allowed to use mfa when needed. In this case I choose the meaning “Disabled can mean the account has not been
configured specifically to always do mfa” because the other has enforce
upvoted 3 times

  Zjorzke 4 months, 1 week ago


ACTIVE assignment means you are made a member of the role directly forever or within specific timeframe without ever needing to
request for the role

ELIGIBLE assignment means you are always allowed to request membership of the role, or within specific timeframe. The role assignment
depends on the amount of time configured and if all required actions have been performed (mfa, approvals, etc)

When being a requester and approver for a role you cannot approve or deny. Call it segregation of duties
upvoted 4 times

  LTTAM 3 months, 3 weeks ago


Very well explained. I have tried this lab. Answers are Yes, Yes, No
upvoted 2 times

  Zjorzke 4 months, 1 week ago


Therefore I would choose
Yes – direct member. Tried this
Yes – eligible and when requested to do mfa registration kicks in. This assumes mfa enabled at tenant level for either all users or specific
group the account is in
No- you cannot approve your request. Tried this
upvoted 7 times

  dudes22 4 months, 1 week ago


I tried this as well. MFA kicks in indeed, but after completing the MFA the activate window keeps grey and MFA is still not enabled for
this user so I would say NO as the user is unable to complete the request.
upvoted 1 times

  dudes22 4 months, 1 week ago


NVM please remove. I would go for YES YES NO indeed
upvoted 3 times

  silverdeath 4 months, 1 week ago


Yes, Yes, Yes
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles
upvoted 1 times

  envy 3 months, 3 weeks ago


1.YES
2.YES (tested: can request activation even without MFA)
3.NO (tested: cannot approve self request)
upvoted 11 times

  ShefAZ 1 month ago


Tested too, Yes, Yes, no
upvoted 2 times

  wzlinux 2 months, 2 weeks ago


test, should be Yes Yes No
upvoted 3 times

  Nikunj13 2 months, 1 week ago


Yes,Yes, No
upvoted 3 times

  Wakwas 1 month, 3 weeks ago


The first one is no, it shows that User1's MFA is disabled and you can't activate the role without MFA, so it's N Y N
upvoted 3 times

  Bluediamond 1 month, 2 weeks ago


I just tested this... YNN
upvoted 2 times

  Bluediamond 1 month, 2 weeks ago


Ah, just realized that I did not set Group1 as approver... so making that change and then it is YnY
upvoted 2 times

  Bluediamond 1 month, 2 weeks ago


okay this is weird... so made the change and user3 can NOT approve their own request.
upvoted 2 times

  awssecuritynewbie 1 month ago


lol the answer shows no but the Box 1 : says yes ? lol what is going on haha
upvoted 1 times

  Mist 1 month ago


Y - Assignment is active 
Y - Assignment is eligible
N - Cannot self-approve even if user3 is part of the group of approver.

upvoted 1 times

  Mist 1 month ago


Correction.

Y - Assignment is active
N - Activation requires MFA but user2 MFA is disabled.
N - Cannot self-approve even if user3 is part of the group of approver.
upvoted 2 times

  Kamal_SriLanka 1 week, 6 days ago


Yes , Yes, No
upvoted 1 times

  mo_moniem 1 week, 3 days ago


More than one said that he tested the scenario and came up with a different answer!! I believe that the configuration may vary from
one environment to another. So maybe testing is not a proper way for answering. Anybody disagree?
upvoted 1 times

  kiketxu 5 days, 20 hours ago


It could be because the question might have changed or been updated from the beginning.
Please, check the differences between Active and Eligible. It will help.
Answers:
1. YES - It's active.
2. YES - Can send the request (Once approved it couldn't work because MFA is disabled)
3. NO - Auto-approval isn't possible even in the approvers group.
upvoted 2 times


Question #23 Topic 1

You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure SQL Database instance that is configured to support
Azure AD authentication.
Database developers must connect to the database instance and authenticate by using their on-premises Active Directory account.
You need to ensure that developers can connect to the instance by using Microsoft SQL Server Management Studio. The solution must minimize
authentication prompts.
Which authentication method should you recommend?

A. Active Directory - Password

B. Active Directory - Universal with MFA support

C. SQL Server Authentication

D. Active Directory - Integrated

Correct Answer: A
Use Active Directory password authentication when connecting with an Azure AD principal name using the Azure AD managed domain.
Use this method to authenticate to SQL DB/DW with Azure AD for native or federated Azure AD users. A native user is one explicitly created in
Azure AD and being authenticated using user name and password, while a federated user is a Windows user whose domain is federated with
Azure AD. The latter method (using user & password) can be used when a user wants to use their Windows credential, but their local machine is
not joined with the domain (for example, using a remote access). In this case, a Windows user can indicate their domain account and password
and can authenticate to SQL DB/DW using federated credentials.
Incorrect Answers:
D: Use Active Directory integrated authentication if you are logged in to Windows using your Azure Active Directory credentials from a federated
domain.
References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure

  TsuKiQAQ 1 year, 1 month ago


Active Directory - Integrated is correct answer
upvoted 21 times

  Ronanh 1 year, 1 month ago


nope it is Active Directory password authentication

Use this method when connecting with an Azure AD principal name using the Azure AD managed domain. You can also use it for
federated accounts without access to the domain, for example when working remotely.
Use this method to authenticate to SQL DB/DW with Azure AD for native or federated Azure AD users. A native user is one explicitly
created in Azure AD and being authenticated using user name and password, while a federated user is a Windows user whose domain
is federated with Azure AD. The latter method (using user & password) can be used when a user wants to use their windows credential,
but their local machine is not joined with the domain (for example, using a remote access). In this case, a Windows user can indicate
their domain account and password and can authenticate to SQL DB/DW using federated credentials.
upvoted 16 times

  mat73 11 months, 2 weeks ago


I agree with password authentication. It does not say that the devs connect from a machine joined to the domain.
upvoted 7 times

  dumpmaster 7 months, 4 weeks ago


I've tested on my machine and I was able to connect using Active Directory Password authentication. I tried Integrated but it did not
work (my machine is domain joined).
upvoted 9 times

  Ramir 11 months, 1 week ago


Directory password authentication is the correct answer
upvoted 3 times

  Deeman 10 months, 4 weeks ago


Unless I'm mistaken, and unless the others can say with absolute confidence they chose Password Authentication and got it right, the
question is open; it doesn't say that the Developers aren't joined to the domain. If they are, then Integrated is definitely correct. If
they are not joined to the Domain, then Password authentication is correct. This question may not have been written right.
upvoted 5 times 
DINESHAJ10 10 months, 2 weeks ago
answer is D - based on two reasons: 1) It's mentioned as hybrid connectivity, which means domains are already joined 2) With less
authentication prompts, with integrated, there won't be authentication prompts as it works based on Windows ticket
upvoted 9 times

onlyfunmails 10 months, 2 weeks ago
Active Directory - Integrated.
Also it's mentioned that Developers are using Microsoft SQL Server Management Studio to connect, client machines are Windows, I will
vote for Active Directory - Integrated
upvoted 4 times

onlyfunmails 10 months, 1 week ago
Correction: AD – PASSWORD, agree with user cloudera explanation, as users are from on-premise. Thanks.
https://docs.microsoft.com/en-us/sql/ssms/f1-help/connect-to-server-database-engine?view=sql-server-2017
upvoted 3 times

IsildursHeir 7 months, 1 week ago
The question does say minimise authentication prompts - is that an indication towards Integrated? I am leaning towards
password though.
upvoted 1 times

AP_Singh 10 months, 1 week ago
but their local machine is not joined with the domain (for example, using a remote access). In this case, a Windows user can indicate their
domain account and password and can authenticate to SQL DB/DW using federated credentials.

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell#active-directory-password-authentication

A IS CORRECT ANSWER
upvoted 1 times

cloudera 10 months, 1 week ago
https://docs.microsoft.com/en-us/sql/ssms/f1-help/connect-to-server-database-engine?view=sql-server-2017
upvoted 2 times

cloudera 10 months, 1 week ago
The question talk about on-premises AD account which mean the correct answer is "AD – PASSWORD". We use this method if you
logged in to Windows using a credential from a domain that is NOT FEDERATED with Azure.

AD – INTEGRATED: We use this method to connect SQL Database if you are logged in to Windows using your Azure Active Directory
credentials from a FEDERATED domain.

** AD PASSWORD and INTEGRATED are also known as non-interactive meaning no further verification is needed to connect unlike
Universal with MFA (interactive) does.
upvoted 8 times

FatBaba 10 months, 1 week ago
If I read your explanation it must be integrated.
upvoted 1 times

Roddy 4 months, 2 weeks ago
https://docs.microsoft.com/en-us/sql/ssms/f1-help/connect-to-server-database-engine?view=sql-server-ver15
upvoted 2 times

Roddy 4 months, 2 weeks ago
Perfect explanation... the answer is A
upvoted 2 times

Tango 9 months, 1 week ago
Use integrated authentication if you are logged in to Windows using your Azure Active Directory credentials from a federated domain.

Database developers must connect to the database instance and authenticate by using their on-premises Active Directory account so the
answer A is correct.

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell
upvoted 1 times

Tango 9 months ago
Question 9 Topic is AD Integrated since the question mentioned that the workstations are Azure AD joined.
upvoted 1 times

azurearch 9 months ago
Active Directory - Integrated
Azure Active Directory Authentication is a mechanism of connecting to Microsoft Azure SQL Database by using identities in Azure Active
Directory (Azure AD). Use this method for connecting to SQL Database if you are logged in to Windows using your Azure Active Directory
credentials from a federated domain.
hence answer AD password is right
upvoted 1 times


Gorha 7 months, 2 weeks ago
A is correct: it isn't joined to the same domain, but to another domain.
If its joined to the same domain, then it would be integrated
upvoted 2 times

Rave763 7 months, 1 week ago
D.. The word ON-PREMISE Active directory means we need integration
upvoted 3 times

AS007 7 months, 1 week ago
AD - Integrated - Correct
If it's hybrid, then integrated

if AAD - then password + MFA
upvoted 2 times

gboyega 4 months, 3 weeks ago
This is wrong, the correct answer is A
upvoted 1 times

cybrtrk 7 months ago
Here's a statement direct from the microsoft docs:

Active Directory password authentication:

"Use this method to authenticate to SQL DB or MI with Azure AD cloud-only identity users, or those who use Azure AD hybrid identities"

Active Directory integrated authentication:

To use integrated Windows authentication, your domain's Active Directory must be federated with Azure Active Directory, or should be a
managed domain that is configured for seamless single sign-on for pass-through or password hash authentication.

SO, since the question states this is hybrid Azure AD, the answer should be A: Password.

Ref:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell
upvoted 5 times

kiketxu 5 days, 19 hours ago
pretty clear. Thanks!
upvoted 1 times

cybrtrk 7 months ago
HOWEVER, Integrated authentication will not prompt you for a username/password, since it will use your current login credentials, so if
you're looking for the answer with the least password prompts, the answer would be 'integrated', not password.
you may also interpret 'hybrid' as meaning Federated, which would provide more evidence to the 'integrated' answer. ("To use integrated
Windows authentication, your domain's Active Directory must be federated with Azure Active Directory")
upvoted 1 times

Prash85 6 months, 4 weeks ago
Active Directory - Integrated is the correct answer.. Same question answered as AD Integrated in later part of questionnaires
upvoted 3 times

sourabh7257 4 months, 3 weeks ago
Yes, there are so many such questions. Same questions and different answers on different pages. Needs correction
upvoted 1 times

aythan09 6 months ago
Active Directory Password Authentication is used for Azure databases using Azure AD principal name.
Active Directory Integrated Authentication also works with Azure AD principal name but it is using a federated domain.
The statement is to use the password from their on-premise domain and not the AZ principal. AD - Integrated
upvoted 1 times

bwradders 5 months, 1 week ago
Azure AD Connect is implied in this question, and I assume networking between on-prem and Azure is implied also. So AD Integrated is
the correct answer as the question is asking for minimal prompts.
upvoted 1 times

mackc13 5 months ago
answer is correct as developers machine may not be joined to domain.
upvoted 1 times

Gallager 5 months ago
What are the differences with question #9 - Topic 4? (page 18 of this site)
Does this next line change all?
"**All users have computers that run Windows 10 and are hybrid Azure AD joined**.
upvoted 1 times
PA 4 months, 4 weeks ago
Which option is correct here? A or D. As per below it looks to me D.

Active Directory - Integrated

Azure Active Directory Authentication is a mechanism of connecting to Microsoft Azure SQL Database by using identities in Azure Active
Directory (Azure AD). Use this method for connecting to SQL Database if you are logged in to Windows using your Azure Active Directory
credentials from a federated domain. For more information, see Connecting to SQL Database By Using Azure Active Directory
Authentication.
upvoted 1 times

gboyega 4 months, 3 weeks ago
The answer is A
Active Directory - Integrated would have been correct if it was not a hybrid connection.
A is correct because it is syncing with Azure AD (i.e. there is a hybrid connection between the on-prem AD and Azure AD) and would use
your domain credential to login into Management Studio
upvoted 3 times

Eitant 4 months, 2 weeks ago
Active Directory - Integrated
The environment is a hybrid domain so we can assume that the developers computers are domain joined.

Active Directory integrated authentication Use this method if you are logged into Windows using your Azure Active Directory credentials
from a federated domain, or a managed domain that is configured for seamless single sign-on for pass-through and password hash
authentication.

https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#active-directory-integrated-authentication
upvoted 3 times

LTTAM 4 months ago
Folks this question should be fairly straightforward. The key to this scenario is the 'Hybrid Configuration'. As per Microsoft:

"... those who use Azure AD hybrid identities, the Authentication keyword must be set to Active Directory Password."

Straight from Microsoft. Here is the link:

https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#active-directory-integrated-authentication
upvoted 6 times

mlourh 2 months, 3 weeks ago
I think A is correct: We are in a hybrid Environment. Don't forget, we have Azure SQL and not on-premises SQL. Then both
authentication methods are: Azure AD authentication and SQL Authentication. Selecting Azure AD Authentication within a hybrid
environment: AD---> Azure AD (Password hash Synced or other) the user can use their local Password: AD password.
upvoted 1 times

wzlinux 2 months, 1 week ago
Directory password
upvoted 1 times

Adamantium 2 months, 1 week ago
Q:What would you recommend?
A: I would recommend: "Integrated Authentication"
because "Use this method if you are logged into Windows using your Azure Active Directory credentials from a federated domain, or a
managed domain that is configured for seamless single sign-on for pass-through and password hash authentication"
from
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure
upvoted 1 times

pikahu 2 months ago
There is a question later on that is word for word the same except for one minor difference:

"All users have computers that run Windows 10 and are hybrid Azure AD joined."

The answer to that question is Active Directory - Integrated due to it having a federated domain: the local credentials are validated against
Azure.

However this question asks to rely solely on on-prem credentials. So the answer to THIS question is A. Active Directory - Password.
upvoted 1 times

jimmyjose 1 month, 3 weeks ago
"Windows Integrated Authentication" is a well-known method of authentication. The user is not prompted for credentials if already logged
onto the domain.

However, "Active Directory - Integrated" is used if you are logged in to Windows using your Azure Active Directory credentials from a
"FEDERATED DOMAIN".

In this case, there is no mention about federation.

Hence, the answer is "Azure Active Directory - Password".
upvoted 4 times


Question #24 Topic 1

You plan to use Azure Resource Manager templates to perform multiple deployments of identically configured Azure virtual machines. The
password for the administrator account of each deployment is stored as a secret in different Azure key vaults.
You need to identify a method to dynamically construct a resource ID that will designate the key vault containing the appropriate secret during
each deployment.
The name of the key vault and the name of the secret will be provided as inline parameters.
What should you use to construct the resource ID?

A. a key vault access policy

B. a linked template

C. a parameters file

D. an automation account

Correct Answer: C
You reference the key vault in the parameters file, not the template, when the vault's resource ID is known up front: the documentation's example
parameters file references the secret and passes its value to the template. Note that the same reference states that a resource ID cannot be
generated dynamically in the parameters file, because template expressions are not allowed there; when the ID must be built at deployment time
from inline parameters, the documentation's "Reference secrets with dynamic ID" section does it with a linked template.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter
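The two patterns the reference describes, side by side, as an added example that is not code from the exam page or from Microsoft: a static parameters file that carries a literal vault resource ID (and a validator that rejects it the moment someone tries to put a template expression in it), and a parent template that builds the vault ID from inline parameters with resourceId() and hands the secret reference to a linked deployment. The Python below only emits the ARM JSON; vault, secret, resource group and template URI names are made up, and the deployments apiVersion is one assumed to be current.

```python
"""Static vs dynamic Key Vault secret references for ARM template deployments.

Added example, not from the exam page or Microsoft docs. Vault, secret, resource
group and template URI names are made up; the apiVersion is an assumption.
"""
import json

KV_TYPE = "Microsoft.KeyVault/vaults"


def build_parameters_file(vault_resource_id, secret_name):
    """Static case: the parameters file carries a literal vault resource ID."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "adminPassword": {
                "reference": {
                    "keyVault": {"id": vault_resource_id},
                    "secretName": secret_name,
                }
            }
        },
    }


def is_expression(value):
    """ARM evaluates any string wrapped in [ ] as a template expression."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def validate_parameters_file(params):
    """Template expressions are not allowed in a parameters file; flag them."""
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif is_expression(node):
            raise ValueError(f"template expression not allowed in parameters file at {path}: {node}")
    walk(params, "$")
    return True


def build_parent_template(linked_template_uri):
    """Dynamic case: compute the vault ID from inline parameters in the parent
    template and pass the secret reference to a linked (nested) deployment."""
    vault_id_expr = (
        "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroup'), "
        f"'{KV_TYPE}', parameters('vaultName'))]"
    )
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "vaultSubscription": {"type": "string", "defaultValue": "[subscription().subscriptionId]"},
            "vaultResourceGroup": {"type": "string", "defaultValue": "[resourceGroup().name]"},
            "vaultName": {"type": "string"},   # supplied inline per deployment
            "secretName": {"type": "string"},  # supplied inline per deployment
        },
        "resources": [
            {
                "type": "Microsoft.Resources/deployments",
                "apiVersion": "2020-06-01",
                "name": "vmDeployment",
                "properties": {
                    "mode": "Incremental",
                    "templateLink": {"uri": linked_template_uri},
                    "parameters": {
                        # The linked template declares adminPassword as securestring;
                        # the secret value never appears in this file.
                        "adminPassword": {
                            "reference": {
                                "keyVault": {"id": vault_id_expr},
                                "secretName": "[parameters('secretName')]",
                            }
                        }
                    },
                },
            }
        ],
    }


def vault_id_expression(template):
    """Pull the generated vault ID expression back out of a parent template."""
    deployment = template["resources"][0]["properties"]
    return deployment["parameters"]["adminPassword"]["reference"]["keyVault"]["id"]


if __name__ == "__main__":
    print(json.dumps(build_parent_template("https://example.invalid/vm.json"), indent=2))
```

The deployment then takes the vault and secret names inline (for example with `az deployment group create --parameters vaultName=... secretName=...`), and the deploying principal still needs the vault's enabledForTemplateDeployment setting plus permission on the secret; the linked template only changes where the ID is computed, not who may read the secret.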

rharbeg 1 year ago
The correct answer should be B
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter#reference-secrets-with-dynamic-id
upvoted 28 times

ExamUser 7 months, 1 week ago
You're correct. The question states the need to retrieve credentials for different deployments, and linked template's the only
mechanism for it.
upvoted 2 times

vlq 7 months ago
Yep, you are absolutely right!
upvoted 1 times

Deeman 10 months, 4 weeks ago
I agree. It should be a linked template. Here is a direct quote "In either case, you can dynamically generate the resource ID for a key vault
secret by using a linked template.

You can't dynamically generate the resource ID in the parameters file because template expressions aren't allowed in the parameters file."
upvoted 5 times

asktomsk 8 months, 3 weeks ago
C is the correct answer. The question assumes passwords are already in Key Vault and should be passed as inline parameters. So you can
create a parameters file to support it.
upvoted 5 times

kk1 8 months, 1 week ago
I will go with B

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-dynamic-id

because, In either case, you can dynamically generate the resource ID for a key vault secret by using a linked template.

You can't dynamically generate the resource ID in the parameters file because template expressions aren't allowed in the parameters file.

In your parent template, you add the nested template and pass in a parameter that contains the dynamically generated resource ID. The
following image shows how a parameter in the linked template references the secret.
upvoted 2 times

e3rh 7 months, 3 weeks ago
Definitely it is B, a linked template. Comment of @Deeman, clear from docs.
upvoted 1 times

Gorha 7 months, 2 weeks ago
B is correct!
upvoted 1 times

NKnab 6 months, 3 weeks ago
Check the given URL and that will prove the answer provided is correct
upvoted 1 times

Remco 6 months, 2 weeks ago
No, it's B
You clearly did not read the whole article of the given url. The second part says:
You can't dynamically generate the resource ID in the parameters file because template expressions aren't allowed in the parameters
file.
upvoted 1 times

AnuV 6 months, 1 week ago
Static ID - Parameter File
Dynamic - Linked Template
upvoted 9 times

examkid 6 months, 1 week ago
I'm going for the parameter file, and this is why:
Within the Azure Key Vault Access Policies it is possible to enable the setting. "enabledForTemplateDeployment"

This is useful if you don't want to put any secure value (like a password) in your template or parameter file.

The solution to this is to retrieve the value by referencing the Key Vault and secret in the parameter file. The secret itself is not exposed
because you only reference the Key Vault ID of the secret.
    "parameters" : {
        .....
        "adminPassword" : {
            "reference" : {
                "keyVault" : {
                    "id" : "/subscriptions/<subscription-id>/resourceGroups/<re-name>/providers/Microsoft.KeyVault/vaults/<vaultname>"
                },
                "secretName" : "ExamplePassword"
            }
        }
    }

You can also specify the version of the secret that needs to be retrieved using: "secretVersion"
upvoted 1 times

shaheer1991 6 months, 1 week ago
The correct answer is B "a linked template" and I'm backing this up by the below link:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli

in the question it says:

You need to identify a method to dynamically construct a resource ID that will designate the key vault
containing the appropriate secret during each deployment. The name of the key vault and the name of the
secret will be provided as inline parameters.
-------------

if you check the pictures in the link, you'll find that answer B, supports the dynamic solution and the picture used to describe it contains
"inline parameter" unlike the answer in the solution.

case closed
upvoted 9 times

farji 5 months ago
you can dynamically generate the resource ID for a key vault secret by using a linked template.

You can't dynamically generate the resource ID in the parameters file because template expressions aren't allowed in the parameters file.
upvoted 1 times

gfhbox0083 4 months, 4 weeks ago
B, for sure.
Linked Template
upvoted 1 times

gboyega 4 months, 3 weeks ago
Answer is B
the key point is dynamically
you cannot dynamically generate the resource ID in the parameter file
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli
Under the reference secrets with dynamic ID, you will see why B is correct.
upvoted 2 times

kingnag1 4 months, 3 weeks ago
answer is C - You retrieve the value by referencing the key vault and secret in your parameter file.
upvoted 1 times

gboyega 4 months, 3 weeks ago
This is correct but the question talks about dynamically. if you check this document
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli
You will see why C is wrong. Read the question carefully

B is the Answer
upvoted 3 times

jonclem 4 months ago
Re: Answer B - https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/linked-templates

I believe with many the correct solution is C. parameters file. I also asked a bunch of DevOps engineers and they all said parameters file.
upvoted 1 times

LTTAM 3 months, 3 weeks ago
Folks the correct answer is B: Linked Template

Microsoft directly states... "You can't dynamically generate the resource ID in the parameters file because template expressions aren't
allowed in the parameters file."

Why are folks trying to justify the wrong answer with no anecdotal evidence or links to support their answers. You are just confusing
people. Folks, please read the link below and do the lab. Then you will know the answer is B: Linked Template.

Link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-powershell
upvoted 3 times

Kiran42 3 months, 1 week ago
B is the correct Answer.
"you can dynamically generate the resource ID for a key vault secret by using a linked template." - https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli
upvoted 1 times

levo017 3 months ago
I think all who voted for B misunderstood the question. I think in this scenario, the key vaults are existing already, what the question is
asking is how to 'dynamically' know which key vault to use for a given VM deployment. So C - Parameter file is the answer.
upvoted 1 times

hstorm 2 months, 2 weeks ago
Which STATIC value would you use for the parameter to DYNAMIC assign different keyvaults for each machine???
upvoted 1 times

levo017 2 months, 1 week ago
You are right, I played it out, AND the MS documented clearly. Linked Template is the answer.
upvoted 1 times

wzlinux 2 months, 2 weeks ago
I choose B
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-dynamic-id
upvoted 1 times

DeepMoon 1 month, 3 weeks ago
Parameter file works. If the Key Vault ID never changes. But in this case it doesn't.

Here requirements define: "password for the administrator account of each deployment is stored as a secret in different Azure key vaults."
In other words you need to reference a key vault secret that varies based on the current deployment.
Well then a static parameter file with single key vault id won't work.

On the other hand you can't dynamically generate the key vault ID in the parameters file because template expressions aren't allowed in
the parameters file.

But you can pass parameter values to a key vault ID generation template -> which in turn passes as output the dynamically generated key-
vault ID to another linked template that does the actual VM deployment as its input parameters.

Parameter File with (current key vault info) -> Key Vault ID generating Template -> output: current KeyVaultID -> as inline parameters ->
VM deployment template.

See more detailed description and the diagram shown on the link:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-dynamic-id
upvoted 1 times
DeepMoon 1 month, 3 weeks ago
But you can pass parameter values to a key vault ID generation template -> which in turn passes as output the dynamically generated key-
vault ID to another linked template that does the actual VM deployment as its input parameters.

Parameter File with (current key vault info) -> Key Vault ID generating Template -> output: current KeyVaultID -> as inline parameters ->
VM deployment template.

See more detailed description and the diagram shown on the link:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-dynamic-id
So the correct answer is: Linked Template
upvoted 1 times

gills 1 month, 2 weeks ago
Answer is B (Linked Template)
. Keyword is ---> dynamically construct a resource ID

SS
upvoted 1 times

azayra 1 month ago
in my udemy test its B. linked template
upvoted 1 times

Seagun 1 month ago
agree now that its B - cos of the dynamic ID bit
upvoted 1 times

kiketxu 5 days, 19 hours ago
I can understand how this question can generate as many comments...
Please check the doc. The answer is "parameter file" for sure.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter
upvoted 1 times

kiketxu 5 days, 19 hours ago
My apologies, so tired at this time. I was absolutely wrong. Please check in the doc "Reference secrets with dynamic ID" part. I thought
it was talking about static.
The answer is "linked template"
upvoted 1 times


Question #25 Topic 1

HOTSPOT -
You create a new Azure subscription that is associated to a new Azure Active Directory (Azure AD) tenant.
You create one active conditional access policy named Portal Policy. Portal Policy is used to provide access to the Microsoft Azure Management
cloud app.
The Conditions settings for Portal Policy are configured as shown in the Conditions exhibit. (Click the Conditions tab.)

The Grant settings for Portal Policy are configured as shown in the Grant exhibit. (Click the Grant tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.


NOTE: Each correct selection is worth one point.


Hot Area:

Correct Answer:

Box 1: No -
The Contoso location is excluded

Box 2: Yes -

Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
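The three statements hinge on two mechanics of Conditional Access: scope (is the app targeted, and is the sign-in location in the Include list and not in the Exclude list) and the grant operator (require all of the selected controls vs. require one of them, where "one of" means an approved client app satisfies the policy without MFA). The model below, an added example that is not code from the exam page or from Microsoft, evaluates a constructed policy the way the Conditions and Grant tabs describe it. It assumes the Contoso named location sits in the Include list (the exhibit is not reproduced here; commenters who checked the portal note that "Any location" is only offered under Include) and that Grant is "require one of the selected controls" with MFA and approved client app ticked; the test at the end also flips Contoso into Exclude to show how the outcome changes.

```python
"""Model how a Conditional Access policy scopes and grants a sign-in.

Added example, not code from the exam page or from Microsoft. The policy dict is
a constructed model of Portal Policy: it assumes the Contoso named location is in
the Include list and that Grant is set to "require one of the selected controls"
with MFA and approved client app ticked.
"""

PORTAL_POLICY = {
    "name": "Portal Policy",
    "apps": {"Microsoft Azure Management"},
    "locations": {"include": {"Contoso"}, "exclude": set()},
    "grant": {"operator": "OR", "controls": {"mfa", "approvedClientApp"}},
}


def policy_applies(policy, signin):
    """Scope: the app must be targeted and the location included but not excluded."""
    if signin["app"] not in policy["apps"]:
        return False
    loc = signin["location"]
    include = policy["locations"]["include"]
    exclude = policy["locations"]["exclude"]
    included = "Any" in include or loc in include
    return included and loc not in exclude   # exclusions win over inclusions


def controls_satisfied(policy, signin):
    """AND needs every selected control; OR needs any one of them."""
    required = policy["grant"]["controls"]
    met = signin["controls_met"]
    if policy["grant"]["operator"] == "AND":
        return required <= met
    return bool(required & met)


def evaluate(policy, signin):
    """Return 'not-applicable', 'granted' or 'blocked' for one sign-in."""
    if not policy_applies(policy, signin):
        return "not-applicable"
    return "granted" if controls_satisfied(policy, signin) else "blocked"


def mfa_is_mandatory(policy, location, app):
    """True only when no sign-in from this context can succeed without MFA."""
    probe = {"location": location, "app": app, "controls_met": set()}
    if not policy_applies(policy, probe):
        return False
    grant = policy["grant"]
    if grant["operator"] == "AND":
        return "mfa" in grant["controls"]
    return grant["controls"] == {"mfa"}   # with OR, any other control bypasses MFA


if __name__ == "__main__":
    # Constructed sign-ins: approved app from the office, a web service from the office, portal from home.
    samples = [
        ("office via approved app", {"location": "Contoso", "app": "Microsoft Azure Management",
                                     "controls_met": {"approvedClientApp"}}),
        ("office to web service", {"location": "Contoso", "app": "Contoso Web Services",
                                   "controls_met": set()}),
        ("home to portal", {"location": "Home", "app": "Microsoft Azure Management",
                            "controls_met": set()}),
    ]
    for label, signin in samples:
        print(f"{label}: {evaluate(PORTAL_POLICY, signin)}")
    print("MFA mandatory from Contoso:",
          mfa_is_mandatory(PORTAL_POLICY, "Contoso", "Microsoft Azure Management"))
```

Whichever way the exhibit is read, the model makes the same two points a practitioner should take from this question: a policy scoped to one named location says nothing about sign-ins from anywhere else, and "require one of the selected controls" turns the approved-client-app control into an MFA bypass for that scope.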

TsuKiQAQ 1 year, 1 month ago
The answer is incorrect. The location is not excluded in the picture
upvoted 4 times

Kerbob 1 year ago
Box 1: No. Site is not excluded, it is included. However, answer is still "No" because not all controls are enforced. User could access portal
single-factor via authorized app.
upvoted 10 times

Kerbob 1 year ago
Also, Box 3 should be No. This conditional access policy only applies to users authenticating from the Contoso network.
upvoted 12 times

Kerbob 1 year ago
"Exclude" tab does not have "Any location" as an option, therefore, it must be the Include tab. The included picture should put a dotted
square around Include.
upvoted 11 times

robori 6 months, 1 week ago
Yes, it is INCLUDE indeed.
upvoted 2 times

mat73 11 months, 2 weeks ago
Box 2 should be No as well. this is only for portal access not for Web Services.
And not all controls are enforced.
upvoted 10 times
Ramir 11 months, 1 week ago
It's a No, NO and NO
upvoted 32 times

robori 6 months, 1 week ago
I tend to agree with Ramir.
upvoted 1 times

D0yle 9 months, 3 weeks ago
Box 1: Yes. Contoso is included and there is no browser in approved client app list

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference#approved-client-app-requirement
upvoted 1 times

Wallace44 8 months, 3 weeks ago
But there is... https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app
(That link is direct from "See list of approved client apps" button on Azure portal)
Microsoft Edge is listed
upvoted 2 times

PDR 9 months ago
NO, NO, NO
upvoted 6 times

PJR 9 months ago
No - I believe the screen shot is wrong and should show "exclude" for Contoso trusted location. If this is not the case then the answer is
Yes
No - the only cloud app included in the policy as noted in the description "Portal Policy is used to provide access to the Microsoft Azure
Management cloud app" - not web services
Yes - I believe the screen shot is wrong and should show "exclude" for Contoso trusted location. Therefore the include would be all
locations and MFA would apply as the question states "Portal Policy is used to provide access to the Microsoft Azure Management cloud
app"
upvoted 5 times

khnshu 8 months, 4 weeks ago
if you look at the screenshot the word exclude is highlighted in blue, therefore contoso is the domain which is excluded.

answers NO, NO, YES
upvoted 18 times

Anamak2 5 months, 1 week ago
Highlighted in blue means it's not the Exclude screen, it's the Include UI screen
upvoted 2 times

e3rh 7 months, 3 weeks ago
No
No
Yes
upvoted 6 times

SIDNEY1 7 months, 2 weeks ago
I reckon the answers are NO, NO, NO

See where it says Grant access? Require MFA and require approved client apps is checked. BUT.. it says require *one* of the selected
controls.

If you're within contoso, the word "must" doesn't apply to you since either of the grant conditions can apply so you don't have to have MFA
controls on your account.
If you're outside of contoso, you don't know whether you'd MFA apply to you since you're not within the specified location.
The web app thing is a no-brainer. That has to be a no, since the policy is only for people trying to access the Azure management portal.

So - No, No and No, in my opinion.
upvoted 10 times

Gorha 7 months, 2 weeks ago
NO, NO , YES
upvoted 7 times

Rave763 7 months, 1 week ago
based on @Kerbob answer, I am assuming it is an Include tab for contoso

so Answers are :
1) Yes (manage access to azure portal) - https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management
2) No (web services are not defined in the list)
3) No (outside of contoso)
upvoted 3 times


Jhonsteve83 6 months, 3 weeks ago
Location is excluded in the screenshot, so correct answer is :
No
Yes
Yes
upvoted 3 times

Remco 6 months, 2 weeks ago
There is no excluded location. The screenshot shows included locations. Just check conditional access policies in Azure: include has 'any
location' as an option while Exclude doesn't have this option.
I think it is No, No, No
upvoted 4 times

Remco 6 months, 2 weeks ago
I mean YES, No, No
(the first one is from contoso, which is included)
upvoted 3 times

robori 6 months, 1 week ago
The screenshot shows the location included, not excluded.
upvoted 3 times

purishd 6 months, 2 weeks ago
What is the final verdict on this question? Why doesn't examtopics fix this once and for all?
upvoted 4 times

Eitant 5 months, 1 week ago
NO - Users can use Microsoft EDGE (approved client app) to use AZ Portal
NO - Users can use Microsoft EDGE (approved client app) to use web services
NO - Users external Contoso location are not required to use MFA
upvoted 10 times

shaheer1991 6 months, 1 week ago
1st thing is 1st the location is excluded, it's highlighted in blue.
--------------------
1- No , because Contoso is excluded
2- No, because the policy was set on Azure management not on a web app
3- No, because it says "must" when actually the choices says either 1 of the 2 controls, either MFA or the user is logging from an approved
client app like "windows edge"
---------------------------
I'd have to say more words were needed on the 3rd one but I'd have to go with my guts
upvoted 2 times

jeanarro 3 months, 2 weeks ago
only the include option has the possibility to mark "any location", check the portal
upvoted 2 times

aythan09 6 months ago
To solve if it is Included or Excluded... Highlighted Blue Excluded means IT IS NOT selected.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa?toc=/azure/active-directory/conditional-access/toc.json&bc=/azure/active-directory/conditional-access/breadcrumb/toc.json#configure-the-conditions-for-multi-factor-authentication
Look at picture of Excluded vs Included.

Cloud Apps or Actions section includes Azure Management which means Azure Portal. Not web services.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#microsoft-cloud-applications

YES - Contoso location requires MFA to use AZ Portal
NO - Contoso location does not require MFA to use web
NO - External users from Contoso location are not required to use MFA for AZ portal
upvoted 12 times

Krakow 5 months ago
Contoso location requires MFA OR approved client app like Microsoft Edge. Users can access portal via Edge without a need to MFA. It
is triple NO.
upvoted 2 times

chaudh 5 months ago
It's User, not app.
upvoted 1 times

Sultan9909 5 months, 3 weeks ago
just tested it. It is include and not exclude . The reason is simple if you look at the picture. You can not exclude ANY LOCATION
upvoted 2 times

lnn_az 5 months, 3 weeks ago
I tested this completely with my Azure Environment.

The Correct answers are
No - 'MUST' is strong word. if Users are using Microsoft Edge browser from iOS phone, MFA is
not required as Edge is approved client app. (actually tested this)
No - Conditional Access Policy is for Azure Portal only. not for webservices
No - Contoso location is included in CAP. so users external from Contoso location are not
required to use MFA for AZ portal
People who are thinking its exclude Contoso location. Exclude doesn't have Any Location option.
upvoted 11 times

  P0d 5 months, 2 weeks ago


Answer is: No, No, Yes.
upvoted 4 times

  tps 5 months ago


I think the answer is No, No and No. I found most folks have doubts on the last box. If we take a closer look, this policy for MFA is
applicable to the Contoso domain only, and under the Locations tab Contoso is chosen as Selected Location, which clarifies the answer.
upvoted 1 times

  mackc13 5 months ago


box 1 - no: the reason is simple, "require one of the selected controls" is checked under the multiple controls section. This means a user coming
from an approved client app does not need MFA.
box 2 - no: the reason is that access is applied for the Azure portal only.
box 3 - no: the reason is that the policy is applied to users in the Contoso location only.
upvoted 2 times

  PA 5 months ago
location is included . In case of exclude you will see only two options ..
upvoted 1 times

  PA 5 months ago
Yes, No , NO
upvoted 2 times

  pmr123 4 months, 3 weeks ago


It should be no no no... location is included only and it's not excluded
upvoted 1 times

  gboyega 4 months, 3 weeks ago


The answer is
YES
NO
NO

Why?
1. Because Contoso is added to the selected location in the include tab under locations. I labbed it. If you think it is under exclude: Exclude
has only 2 options and include has 3 options.
Why the selection of client apps doesn't matter is because, in the Grant pane, it says REQUIRE ONE OF ......... Hopefully you all understand.
2. No, we are not referring to any web services.
3. NO, because it is only scoped to staff in the Contoso location to require MFA.
YES
NO
NO
upvoted 9 times

  eug45 3 months, 3 weeks ago


very wrong,

answer is No No, Yes

Since the conditional access policy is set only for the branch office location, the conditional access policy won’t apply to the external
users.
upvoted 2 times

  eug45 3 months, 3 weeks ago


Sorry, the correct answer is No, No, No

Since there is a flexibility on using either control, users could either use MFA or use a Hybrid Azure AD joined device, it’s not
necessary that the user needs to use only MFA
Since the conditional access policy is set only for the branch office location, the conditional access policy won’t apply to the external
users.
upvoted 2 times

  Roy_Batty 2 months, 3 weeks ago


Hybrid Azure AD joined device isn't checked - approved apps *is* though, so your logic still holds. Edge is an approved mobile
app, and you can get to the Azure Portal, or to WebApps, with Edge. So:
1) No 
2) No
3) No


upvoted 1 times

  Bobo_Lee 4 months, 3 weeks ago


Is there any missing picture for the second Grant access?
upvoted 3 times

  addy007 4 months, 2 weeks ago


It is Yes, No, No.
upvoted 3 times

  LTTAM 4 months ago


Folks, you are reading the diagram WRONG!!! "Exclude" is HIGHLIGHTED in BLUE. This means it is active. The excluded location is Contoso.
With that being said, the answers are:

NO - Contoso is excluded and do not need MFA


NO - The policy only applies to Azure Management. Not to Web Services.
NO - Require ONE of the selected controls. This means you can use EITHER Client App or MFA.
upvoted 5 times

  jeanarro 3 months, 2 weeks ago


only the include option has the possibility to mark "any location", check the portal
upvoted 2 times

  mlourh 2 months, 3 weeks ago


I think it will be No, No, No. The MFA is one of both Grant controls; the option is not "both selected options of Grant are required". If one of
them (MFA or approved app) is used, the user can connect to the portal. The Conditional Access policy doesn't affect other web apps; it applies only
to the Management Portal. Then the word "Must" is not always correct: the user can use an approved app (browser) and can connect. Only if
there is nothing in approved apps, then the only option is the MFA.
upvoted 2 times

  wzlinux 2 months, 2 weeks ago


I choose NO NO NO
upvoted 1 times

  prratt 2 months, 2 weeks ago


Fully tested and verified . correct ans is NO NO Yes. Don't go for any other ans.
upvoted 1 times

  kiketxu 2 months, 1 week ago


After following all the thread I discard any doubt. The Location is in Include. The image does not show the selected "include" tab.
YES
NO
NO
I have checked with the Whizlabs practice test too; they have split it into three different questions and it's cleared.
upvoted 2 times

  DummyNyx 2 months ago


Yes No No is the correct answer. 'Exclude' if shown as blue highlight means IT IS NOT selected. With that, Contoso is 'INCLUDED' and
must use MFA to access the portal.
upvoted 1 times

  DeepMoon 1 month, 3 weeks ago


Really all 3 answers depend on whether locations are selected to include or exclude. This is what everyone is arguing about. From this
diagram we can't really agree on it. Until we sit for the exam we won't know
if it is: Include the listed locations, or Exclude the listed locations.

So if the first diagram is showing Locations - Include Contoso: Then


Ans1: Yes - Anybody in Contoso location must use MFA.
Ans2: No . Web Services are not targeted by this policy. In fact nothing is said about web services.
Ans3: No. This policy only applies to location: Contoso (if include).

On the other hand, if the first diagram is showing Locations - Exclude Contoso:
Ans1: No (because contoso) users are excluded from the insistence of MFA by the policy.
Ans2: No . Web Services are not targeted by this policy. In fact nothing is said about web services.
Ans3: Yes. This policy would only exclude anyone from the location: Contoso from having to use MFA to access the portal.
upvoted 3 times

  awssecuritynewbie 1 month, 3 weeks ago


Dude! I was about to just say the same thing!

So basically the grant access is what happens when you are granted access when you meet the conditional access policy the location
which is contoso!

you don't need MFA to access the web services

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies 
upvoted 1 times


  awssecuritynewbie 1 month, 3 weeks ago


to backup my comment check this video at 2:10 you see the exclude tab is BLUE means it is not selected!
https://www.youtube.com/watch?v=c_izIRNJNuk&ab_channel=MicrosoftAzure
upvoted 2 times

  AMZ 4 weeks ago


Just tested this too, according to image it should be YES,NO,NO
upvoted 2 times

  DeepMoon 1 month, 3 weeks ago


Really all 3 answers depend on whether locations are selected to include or exclude. This is what everyone is arguing about. From this
diagram we can't really agree on it. But this video resolves the issue. The video below is cued to show what include looks like vs what exclude looks
like. Whatever shows in blue is a link that can be selected, but is not currently selected. Whatever is currently selected is in black.
How to deploy conditional access | Azure Active Directory:
https://youtu.be/c_izIRNJNuk?t=133

So if the first diagram is showing Locations - Include Contoso: Then


Ans1: Yes - Anybody in Contoso location must use MFA.
Ans2: No . Web Services are not targeted by this policy. In fact nothing is said about web services.
Ans3: No. This policy only applies to location: Contoso (if include).

On the other hand if the first diagram is showing Locations - 'Exclude Contoso' shows up on the test then it is
Ans1: No (because contoso) users are excluded from the insistence of MFA by the policy.
Ans2: No . Web Services are not targeted by this policy. In fact nothing is said about web services.
Ans3: Yes. This policy would only exclude anyone from the location: Contoso from having to use MFA to access the portal.
upvoted 8 times

  cm9245822 1 month ago


Best comment which explains every possible solution, thank you!
upvoted 1 times

  Daniel777 2 weeks, 5 days ago


This one seems to provide the best explanation. Thanks DeepMoon!
upvoted 1 times

  Stuudent 2 weeks, 4 days ago


This answer is incorrect, ans1 should be no because they may use an approved app instead of MFA - the option "One of selected" is chosen.
upvoted 1 times

  ShefAZ 1 month ago


No. No. No
upvoted 1 times

  kati 2 weeks, 1 day ago


I think the answer is correct.
Exclude is highlighted in the question and Contoso is excluded for the Azure Management application, which includes the underlying
services below.
Azure portal
Azure Resource Manager provider
Classic deployment model APIs
Azure PowerShell
Azure CLI
Visual Studio subscriptions administrator portal
Azure DevOps
Azure Data Factory portal.
Hence when he accesses the Azure Portal no MFA is required; other than that, I believe MFA will be required.
upvoted 1 times


Question #26 Topic 1

You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
An administrator named Admin1 has access to the following identities:
✑ An OpenID-enabled user account
✑ A Hotmail account
✑ An account in contoso.com
✑ An account in an Azure AD tenant named fabrikam.com
You plan to use Azure Account Center to transfer the ownership of Sub1 to Admin1.
To which accounts can you transfer the ownership of Sub1?

A. contoso.com only

B. contoso.com, fabrikam.com, and Hotmail only

C. contoso.com and fabrikam.com only

D. contoso.com, fabrikam.com, Hotmail, and OpenID-enabled user account

Correct Answer: C
When you transfer billing ownership of your subscription to an account in another Azure AD tenant, you can move the subscription to the new
account's tenant. If you do so, all users, groups, or service principals who had role based access (RBAC) to manage subscriptions and its
resources lose their access. Only the user in the new account who accepts your transfer request will have access to manage the resources.
Reference:
https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer
https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer#transferring-subscription-to-an-account-in-another-azure-ad-tenant

  mpknz 7 months, 3 weeks ago


Anyone have a reference which supports the answer that you can't transfer the subscription to a Hotmail or OpenID account?
upvoted 1 times

  IsildursHeir 7 months, 1 week ago


I have actually seen hotmail or outlook accounts being the admins of subscriptions. I guess the point here is that they are not in an
AAD. They first need to be in that AAD with that hotmail or outlook and then they can be subscription admins. That wasn't the case
here so thus we cannot make them admins. It requires a bit of wild imagination but seems most these questions do? I have no idea
what an "OpenID account" is, or whether they are supported.
upvoted 1 times

  Remco 6 months, 2 weeks ago


You cannot pass a subscription to a Hotmail or OpenID account because they are not tenants. A subscription is owned by a tenant.
That's the reason.
upvoted 7 times

  sf2020 6 months, 1 week ago


Answer is correct.
Because the account within Azure AD is Fabrikam, it can only be transferred as per Microsoft Documentation.
Be aware of this important information when transferring accounts:

You can make these transfers:

From a work or school account to another work or school account.

From a Microsoft account to a work or school account.

From a Microsoft account to another Microsoft account.

The target account must be a valid Azure Commerce account to be a valid target for transfers. For new accounts, you are asked to create
an Azure Commerce account when signing in to the Azure Enterprise portal. For existing accounts, you must first create a new Azure
subscription before the account is eligible.

You can't make a transfer from a work or school account to a Microsoft account.

When you complete a subscription transfer, Microsoft updates the account owner.

https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/ea-portal-get-started#change-account-owner
upvoted 1 times

  lnn_az 5 months, 3 weeks ago 


Hi sf2020,
the reference which you provided is for Azure Enterprise Portal. As per question, we need use Azure Account Center to transfer.

upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


C, for sure.
contoso.com and fabrikam.com only
upvoted 6 times

  LTTAM 4 months ago


Answer C is correct. Here is the link:

https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/billing-subscription-transfer#transfer-a-subscription-to-another-azure-ad-tenant-account
upvoted 1 times

  ealcober 3 weeks, 2 days ago


Just remark that contoso is the actual owner, so no sense of transfer, and the transfer to another tenant is permitted with named
conditions...!
upvoted 1 times


Question #27 Topic 1

Your company plans to create separate subscriptions for each department. Each subscription will be associated to the same Azure Active
Directory (Azure AD) tenant.
You need to configure each subscription to have the same role assignments.
What should you use?

A. Azure Security Center

B. Azure Policy

C. Azure AD Privileged Identity Management (PIM)

D. Azure Blueprints

Correct Answer: D
Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects and
central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's
standards, patterns, and requirements.
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
✑ Role Assignments
✑ Policy Assignments
✑ Azure Resource Manager templates
✑ Resource Groups
Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

  Atanu 10 months, 4 weeks ago


Conflict with Question 13. Same question .. but two different answers...Which one to go with?
upvoted 4 times

  P4YDAY 10 months, 3 weeks ago


Azure Blueprint is the correct answer for both questions.
upvoted 23 times

  DA0410 1 day, 13 hours ago


Good observation. If I am not wrong , Q13 answer should be blueprint.
upvoted 1 times

  Prash85 6 months, 3 weeks ago


Azure Blueprint is the correct answer
upvoted 4 times

  lnn_az 5 months, 3 weeks ago


Azure Blueprint
upvoted 2 times

  kingnag1 5 months, 1 week ago


blue print
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


D, for sure.
Azure Blueprint
upvoted 2 times

  gboyega 4 months, 3 weeks ago


Azure Blueprint is correct
upvoted 2 times

  planb7000 3 months, 3 weeks ago


Blueprint
upvoted 1 times

  ajir 3 months, 1 week ago



Azure Blueprint
upvoted 2 times


Topic 2 - Question Set 2


Question #1 Topic 2

You have an Azure subscription named Sub1. Sub1 contains a virtual network named VNet1 that contains one subnet named Subnet1.
Subnet1 contains an Azure virtual machine named VM1 that runs Ubuntu Server 18.04.
You create a service endpoint for MicrosoftStorage in Subnet1.
You need to ensure that when you deploy Docker containers to VM1, the containers can access Azure Storage resources by using the service
endpoint.
What should you do on VM1 before you deploy the container?

A. Create an application security group and a network security group (NSG).

B. Edit the docker-compose.yml file.

C. Install the container network interface (CNI) plug-in.

Correct Answer: C
The Azure Virtual Network container network interface (CNI) plug-in installs in an Azure Virtual Machine. The plug-in supports both Linux and
Windows platform.
The plug-in assigns IP addresses from a virtual network to containers brought up in the virtual machine, attaching them to the virtual network,
and connecting them directly to other containers and virtual network resources. The plug-in doesn't rely on overlay networks, or routes, for
connectivity, and provides the same performance as virtual machines.
The following picture shows how the plug-in provides Azure Virtual Network capabilities to Pods:

References:
https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview

  Rave763 7 months, 1 week ago


C is correct
upvoted 6 times

  AS007 7 months, 1 week ago


Correct Answer
upvoted 2 times

  gfhbox0083 4 months, 4 weeks ago


C, for sure.
Install the container network interface (CNI) plug-in. 
upvoted 3 times


  jbuenoo 2 months, 1 week ago


reference: https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview
upvoted 2 times

  DA0410 1 day, 13 hours ago


Correct. When a Pod comes up in the virtual machine, Azure CNI assigns an available IP address from the pool and connects the Pod to
a software bridge in the virtual machine. When the Pod terminates, the IP address is added back to the pool.
upvoted 1 times


Question #2 Topic 2

You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?

A. device configuration policies in Microsoft Intune

B. an Azure Desired State Configuration (DSC) virtual machine extension

C. application security groups

D. Azure Logic Apps

E. security policies in Azure Security Center

F. Azure Advisor

Correct Answer: B
You can use Azure Automation State Configuration to manage Azure VMs (both Classic and Resource Manager), on-premises VMs, Linux
machines, AWS VMs, and on-premises physical machines.
Note: Azure Automation State Configuration provides a DSC pull server similar to the Windows Feature DSC-Service so that target nodes
automatically receive configurations, conform to the desired state, and report back on their compliance. The built-in pull server in Azure
Automation eliminates the need to set up and maintain your own pull server. Azure Automation can target virtual or physical Windows or Linux
machines, in the cloud or on-premises.
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started
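As an added example (not code from ExamTopics or from Microsoft's documentation), the following PowerShell shows the mechanism answer B relies on: a DSC configuration that declares unused Windows features as `Ensure = 'Absent'`, published to Azure Automation State Configuration, and a VM onboarded through the DSC extension so the configuration is enforced as the machine comes up. The resource group, Automation account, VM name and the feature list are assumptions for the example; the feature names are standard Windows Server feature names.

```powershell
# Added example (not from ExamTopics or Microsoft docs): remove unused Windows
# features with DSC and enrol a VM through the DSC extension via Azure Automation
# State Configuration. The names below are assumptions for the example.
$rg = 'RG1'            # assumed resource group
$aa = 'Automation1'    # assumed Automation account
$vm = 'VM1'            # assumed Windows Server VM deployed from the ARM template

# 1. The DSC configuration. Ensure = 'Absent' uninstalls the feature if it is
#    present and reports drift if anything turns it back on later.
$configScript = @'
Configuration DisableUnusedFeatures {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        WindowsFeature RemoveSmb1 {
            Name   = 'FS-SMB1'          # SMBv1 file sharing support
            Ensure = 'Absent'
        }
        WindowsFeature RemovePowerShellV2 {
            Name   = 'PowerShell-V2'    # legacy engine without modern logging
            Ensure = 'Absent'
        }
        WindowsFeature RemoveTelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
    }
}
'@

# Import-AzAutomationDscConfiguration requires the file name to match the configuration name.
$configPath = Join-Path $env:TEMP 'DisableUnusedFeatures.ps1'
Set-Content -Path $configPath -Value $configScript -Encoding UTF8

# 2. Publish the configuration and compile it into a node configuration (MOF).
Import-AzAutomationDscConfiguration -ResourceGroupName $rg -AutomationAccountName $aa `
    -SourcePath $configPath -Published -Force | Out-Null

$job = Start-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $aa `
    -ConfigurationName 'DisableUnusedFeatures'
do {
    Start-Sleep -Seconds 10
    $job = Get-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $aa -Id $job.Id
} while ($job.Status -in 'Queued', 'Running')

# 3. Onboard the VM: this deploys the DSC VM extension and registers the node with the
#    pull server. ApplyAndAutoCorrect keeps removing the features if they ever return.
Register-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $aa `
    -AzureVMName $vm -NodeConfigurationName 'DisableUnusedFeatures.localhost' `
    -ConfigurationMode 'ApplyAndAutoCorrect' -RebootNodeIfNeeded $true

# 4. Check the node's latest compliance report.
$node = Get-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $aa -Name $vm
Get-AzAutomationDscNodeReport -ResourceGroupName $rg -AutomationAccountName $aa -NodeId $node.Id -Latest |
    Select-Object Status, StartTime
```

In an ARM template the same onboarding is expressed as the `Microsoft.Powershell.DSC` extension resource on the VM, with the registration URL, key and node configuration name passed in its settings, which is what lets the features be removed automatically at provisioning time rather than by a later manual step.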

  Rave763 7 months, 1 week ago


B is correct
upvoted 4 times

  AS007 7 months, 1 week ago


Correct Answer
upvoted 1 times

  cloudguy365 7 months, 1 week ago


B is correct.
The primary use case for the Azure Desired State Configuration (DSC) extension is to bootstrap a VM to the Azure Automation State
Configuration (DSC) service
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


B, for sure.
An Azure Desired State Configuration (DSC) virtual machine extension
upvoted 4 times

  jaredl 4 months, 3 weeks ago


I have used Azure automation DSC to specify what's to be installed on VM. The question asks about what NOT to be installed. I don't see
how a DSC could do that.
upvoted 1 times

  nihao381 4 months ago


You would set Ensure='Absent' for the features you want removed. https://docs.microsoft.com/en-us/powershell/scripting/dsc/reference/resources/windows/windowsfeatureresource?view=powershell-7
upvoted 2 times

  eug45 3 months, 3 weeks ago


the correct answer is E

You can use Azure Security Policies to ensure this requirement is met
upvoted 1 times

  levo017 3 months ago


Don't know too much about Security Policy, but it should be more security-oriented. DSC can configure every aspect of a VM
(including all Windows features).
upvoted 1 times

  wzlinux 2 months, 2 weeks ago


I choose B
upvoted 1 times

  Shaw90 1 month, 1 week ago


The option is also written as :
B: Azure Automation State Configuration
upvoted 1 times

  gh999l 3 days, 2 hours ago


Azure Advisor is the correct answer
upvoted 1 times

  duytran216 16 hours, 39 minutes ago


B is correct
upvoted 1 times


Question #3 Topic 2

DRAG DROP -
You have an Azure subscription that contains the virtual networks shown in the following table.

The Azure virtual machines on SpokeVNetSubnet0 can communicate with the computers on the on-premises network.
You plan to deploy an Azure firewall to HubVNet.
You create the following two routing tables:
✑ RT1: Includes a user-defined route that points to the private IP address of the Azure firewall as a next hop address
✑ RT2: Disables BGP route propagation and defines the private IP address of the Azure firewall as the default gateway
You need to ensure that traffic between SpokeVNetSubnet0 and the on-premises network flows through the Azure firewall.
To which subnet should you associate each route table? To answer, drag the appropriate subnets to the correct route tables. Each subnet may be
used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Correct Answer:

  Elpida 11 months, 1 week ago


What is the "Gateway Subnet"? It's not mentioned in the question.
upvoted 2 times

  IsildursHeir 7 months, 1 week ago


The GatewaySubnet is used for S2S VPN which is used, so I think they are expecting us to infer that's required.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#do-i-need-a-gatewaysubnet
upvoted 4 times

  yebo 11 months ago 


My understanding is that the HubVNet is connected to the OnPremNet through VPN, so there's a GW Subnet on HubVNet and on
OnPremNet. Traffic from OnPremNet (using private IPs) must be redirected to private IP of AzureFirewall (RT1). All traffic from HubVNet,

including its subnet and its connected VNET SpokeVNet MUST leave the HubVNet through AzureFirewall (so it has to be STATIC default GW
> BGP disabled), so it must be sent to its private IP and then go through the VPN to reach the OnPremNet. This question refers to this
article : https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
upvoted 9 times

  Rave763 7 months, 1 week ago


RT1 - Gateway Subnet
RT2 - HubVnetSubnet0
upvoted 2 times

  Derek_O2018 6 months, 2 weeks ago


Answers should be:
RT1 -> HubVnetSubnet0
RT2-> Gateway Subnet
upvoted 9 times

  Manoharan 5 months, 1 week ago


As per https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
RT1 associated to HubVnetSubnet0
RT2 Associated to SpokeSubnet
Isn't Gateway Subnet associated with HubVnet? It seems there is no option to choose SpokeSubnet.
upvoted 2 times

  robori 6 months, 1 week ago


https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?toc=%2fazure%2fvirtual-network%2ftoc.json
upvoted 1 times

  Psycho 6 months ago


I found in another source the following answers: GatewaySubnet and SpokeVNetSubnet0. Among the options I don't find
"SpokeVNetSubnet0", so I don't know which source is more recent.
upvoted 4 times

  purishd 6 months ago


The answers choices are incorrect and memory based. Your logic is correct.
upvoted 2 times

  aythan09 6 months ago


RT1 = Spokevnet
RT2 = Gateway subnet
upvoted 21 times

  kristiann21 5 months, 4 weeks ago


This is what I chose in the exam, not sure if this was correct as the given answers to the question have a different order.
upvoted 1 times

  ed7 5 months, 4 weeks ago


What's the point of deploying the Azure firewall to HubVNet, while the Firewall subnet sits on the spoke VNet?
upvoted 1 times

  PA 5 months ago
RT1 associated to HubVnetSubnet0
RT2 Associated to SpokeSubnet...

As per doc below are details ...

A route from the hub gateway subnet to the spoke subnet through the firewall IP address
A default route from the spoke subnet through the firewall IP address
upvoted 1 times

  Hemn1990 4 months, 4 weeks ago


It is correct
upvoted 2 times

  ed7 4 months, 3 weeks ago


You cannot disable BGP propagation on the VPNGateway subnet. So the right answers: RT1: Gateway subnet, RT2: SpokeSubnet0. If you check
the hybrid tutorial (link above) you will see that in the example as well.
upvoted 1 times

  gboyega 4 months, 3 weeks ago


Yes you can.
Review this link for more information
https://azure.microsoft.com/en-us/updates/disable-route-propagation-ga-udr/#:~:text=If%20you're%20connecting%20your,BGP%20routes%20from%20being%20propagated.
upvoted 1 times 
  gboyega 4 months, 3 weeks ago


Ideally it should be
1. SpokeVNETsubnet0
2. Gateway Subnet

If you think I am wrong, take your time to go through this documentation https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal

I do not know why this question is not complete.


The answer is
1. SpokeVNETsubnet0 (you want to route traffic from the spoke subnet to the on-prem, so you will associate the route table that says
everything goes through the firewall in the Hub VNET)
2. Gateway Subnet (on the contrary, when reversing the flow of the network, you want the connection to hit the gateway subnet to route back
to the firewall.)

I will advise everyone to take a look at the Microsoft documentation I linked to understand more.
upvoted 20 times

  elphynomenon 4 months, 3 weeks ago


I hope we know there is such a thing as Gateway transit in VNET Peering?
So obviously we won't be attaching anything to SpokeVnet as we'll enable VNet Transit on Hubspoke.
We will then attach the default route to the gatewaySubnet and then disable BGP on Hubspoke.
upvoted 1 times

  gboyega 4 months, 3 weeks ago


If you understand what gateway transit means or stand for you will know you are wrong.

When you enable gateway transit when configuring VNET peering, it means the spokeVNET should use the HubSubnet Gateway to
route traffic. Again, I advise you to take a look at the documentation and go through that tutorial yourself to understand the
networking between peered regions, then on to on-prem and back.
upvoted 1 times

  Bobo_Lee 4 months, 2 weeks ago


RT1: GatewaySubnet
RT2: SpokeVNetSubnet0
upvoted 5 times

  silverdeath 4 months, 1 week ago


RT1: GatewaySubnet
RT2: SpokeVNetSubnet0

There are three key requirements for this scenario to work correctly:
- A User Defined Route (UDR) on the spoke subnet that points to the Azure Firewall IP address as the default gateway. Virtual network
gateway route propagation must be Disabled on this route table.
- A UDR on the hub gateway subnet must point to the firewall IP address as the next hop to the spoke networks.
No UDR is required on the Azure Firewall subnet, as it learns routes from BGP.
- Make sure to set AllowGatewayTransit when peering VNet-Hub to VNet-Spoke and UseRemoteGateways when peering VNet-Spoke to
VNet-Hub.
ref : https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
upvoted 5 times
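The three requirements quoted in the comment above, carried through in Az PowerShell as an added example (not code from ExamTopics or from the Microsoft tutorial, and not the exam's answer image): RT1 on the hub GatewaySubnet sends spoke-bound traffic to the firewall, RT2 on the spoke subnet is a default route through the firewall with gateway route propagation disabled, and nothing is placed on AzureFirewallSubnet. The resource group, location, VNet and subnet names, prefixes, NIC name and the firewall's private IP are all assumptions.

```powershell
# Added example (not from ExamTopics or Microsoft docs): the two route tables and
# subnet associations described in the Azure Firewall hybrid tutorial quoted above.
# Resource group, VNet/subnet names, prefixes, NIC name and firewall IP are assumptions.
$rg          = 'RG1'              # assumed
$location    = 'eastus'           # assumed
$firewallIp  = '10.0.1.4'         # assumed private IP of the Azure Firewall in HubVNet
$spokePrefix = '10.1.0.0/16'      # assumed SpokeVNet address space

# RT1: associated with HubVNet/GatewaySubnet. Traffic arriving from on-premises via
# the VPN gateway and destined for the spoke is sent to the firewall as next hop.
$rt1 = New-AzRouteTable -Name 'RT1' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -RouteTable $rt1 -Name 'ToSpokeViaFirewall' `
    -AddressPrefix $spokePrefix -NextHopType VirtualAppliance -NextHopIpAddress $firewallIp | Out-Null
Set-AzRouteTable -RouteTable $rt1 | Out-Null

# RT2: associated with SpokeVNet/SpokeVNetSubnet0. Default route through the firewall,
# with gateway route propagation disabled so prefixes learned over BGP from on-premises
# cannot be preferred over the UDR and let traffic bypass the firewall.
$rt2 = New-AzRouteTable -Name 'RT2' -ResourceGroupName $rg -Location $location -DisableBgpRoutePropagation
Add-AzRouteConfig -RouteTable $rt2 -Name 'DefaultViaFirewall' `
    -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance -NextHopIpAddress $firewallIp | Out-Null
Set-AzRouteTable -RouteTable $rt2 | Out-Null

function Set-SubnetRouteTable {
    param ([string] $VNetName, [string] $SubnetName, $RouteTable)
    $vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $rg
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
    # AddressPrefix is mandatory on Set-AzVirtualNetworkSubnetConfig; reuse the existing one.
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $RouteTable | Out-Null
    Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
}
Set-SubnetRouteTable -VNetName 'HubVNet'   -SubnetName 'GatewaySubnet'    -RouteTable $rt1
Set-SubnetRouteTable -VNetName 'SpokeVNet' -SubnetName 'SpokeVNetSubnet0' -RouteTable $rt2

# No route table goes on AzureFirewallSubnet: it learns the on-premises prefixes over BGP.

# Verify from a spoke VM's NIC that 0.0.0.0/0 now resolves to the firewall and that
# no gateway-learned route for on-premises is still active on that NIC.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'vm1-nic' -ResourceGroupName $rg |
    Where-Object { $_.State -eq 'Active' } |
    Select-Object Source, @{ n = 'Prefix'; e = { $_.AddressPrefix -join ',' } },
                  NextHopType, @{ n = 'NextHop'; e = { $_.NextHopIpAddress -join ',' } }
```

The effective-route check is the useful verification step: a spoke NIC that still shows an active `VirtualNetworkGateway`-sourced route for the on-premises prefix means propagation was not disabled on the table actually bound to that subnet, and that traffic is reaching on-premises without passing the firewall. The peering flags the comment mentions (`AllowGatewayTransit` on the hub side, `UseRemoteGateways` on the spoke side) are set on the VNet peerings and are separate from these route tables.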

  LTTAM 3 months, 3 weeks ago


#silverdeath is correct in the assessment. The link provided has an amazing lab that demonstrates this very scenario in depth and
proves that the correct answer is:

RT1: GatewaySubnet
RT2: SpokeVnetSubnet0

Link: https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal
upvoted 1 times

  jeanarro 3 months, 2 weeks ago


that's correct
upvoted 1 times

  NickDouglas 4 months ago


The SpokeVNETsubnet option is missing, which is most suitable for RT1.
RT2: HUBVnetSubnet0

Check the pre-req on this link


https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
upvoted 1 times

  envy 4 months ago


RT1 = Spokevnet
RT2 = Gateway subnet
explain: https://aidanfinn.com/?p=21653
upvoted 2 times

  envy 4 months ago


RT1 = HubVnetSubnet0
RT2 = SpokeVNetSubnet0

"Configure a UDR on the hub gateway subnet that points to the firewall IP address as the next hop to the spoke networks."
https://docs.microsoft.com/en-us/azure/firewall-manager/secure-hybrid-network
and https://aidanfinn.com/?p=21653
upvoted 3 times

  eug45 3 months, 3 weeks ago


the given answer is correct

Here you put the clause of the template which will be used to the extension resource.
upvoted 1 times

  nidoz 3 months ago


Here "Gateway subnet" is missing in the question, which is definitely the on-prem subnet. The answers will be..

RT1 --> gateway Subnet


RT2 --> SpokeVNet

Clearly explained here.

https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal
upvoted 2 times

  DeepMoon 1 month, 3 weeks ago


Gateway subnet on HubVNet has a VPNGw connecting to the on prem.

Any packets coming from on-prem should first hit the VPNGateway (in the HubVNet/Gateway Subnet) , then be routed to the Azure
Firewall on (SpokeVNet/AzureFirewallSubnet) via RT1 on(in the HubVNet/Gateway Subnet) . Then go to the SpokeVNet/Subnet0 where the
clients are.

Anything exiting SpokeVNetSubnet0 should hit RT2 to be routed to AzureFirewall before it filtered and sent to the VPNGw (in the
HubVNet/Gateway Subnet).
upvoted 1 times

  fmlvaz 1 month ago


From the link that everyone shares: https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal
My comprehension is that:
RT1 - GWSubNet
RT2 - HubVnet

On the tutorial:

"To route the spoke subnet traffic through the hub firewall, you can use a User Defined route (UDR) that points to the firewall with the
Virtual network gateway route propagation option disabled. The Virtual network gateway route propagation disabled option prevents
route distribution to the spoke subnets. This prevents learned routes from conflicting with your UDR. If you want to keep Virtual network
gateway route propagation enabled, make sure to define specific routes to the firewall to override those that are published from on-
premises over BGP.

Configure a UDR on the hub gateway subnet that points to the firewall IP address as the next hop to the spoke networks. No UDR is
required on the Azure Firewall subnet, as it learns routes from BGP."

Only on the SpokeVnet they recommend disable route propagation, ...."with the Virtual network gateway route propagation option
disabled."
upvoted 1 times

  Seagun 1 month ago


RT1 = Spokevnet
RT2 = Gateway subnet
There is no point in disabling BGP route propagation on the hub subnet; it's a GW protocol.
upvoted 1 times

  Johnnien 3 weeks, 6 days ago


More complete question:
https://cdn.shortpixel.ai/client/q_glossy,ret_img/https://freedumps.certqueen.com/wp-content/uploads/2020/10/image217-1.jpg
upvoted 2 times


Question #4 Topic 2

HOTSPOT -
You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server 2016.
You need to implement a policy to ensure that each virtual machine has a custom antimalware virtual machine extension installed.
How should you complete the policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: DeployIfNotExists -
DeployIfNotExists executes a template deployment when the condition is met.

Box 2: Template -
The details property of the DeployIfNotExists effect has all the subproperties that define the related resources to match and the template
deployment to execute.
Deployment [required]
This property should include the full template deployment as it would be passed to the Microsoft.Resources/deployment
References:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
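As an added illustration (example code written for this page, not Microsoft's policy engine and not the built-in definition itself), the Python below models how a DeployIfNotExists rule is evaluated: the `if` block selects Windows VMs, `details.type` plus `existenceCondition` describe the extension that must already exist, and when no such extension is found the `deployment` template is what would be run (on create or update of the VM, or by a remediation task for existing VMs). The rule follows the layout of the built-in "Deploy default Microsoft IaaSAntimalware extension for Windows Server" definition mentioned in the thread, but the template is abridged, the role id is the Virtual Machine Contributor built-in role, and the VM inventory is constructed for the example.

```python
"""Mini evaluator for a DeployIfNotExists policy rule (illustrative, not Azure's engine)."""
from typing import Any

VM_TYPE = "Microsoft.Compute/virtualMachines"
EXT_TYPE = "Microsoft.Compute/virtualMachines/extensions"
OS_ALIAS = "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType"

# Policy rule in the if / then.effect / then.details layout Azure Policy uses.
# Template abridged; the role id is the Virtual Machine Contributor built-in role.
POLICY_RULE: dict[str, Any] = {
    "if": {"allOf": [
        {"field": "type", "equals": VM_TYPE},
        {"field": OS_ALIAS, "equals": "Windows"},
    ]},
    "then": {
        "effect": "DeployIfNotExists",
        "details": {
            "type": EXT_TYPE,                       # related resource to look for
            "roleDefinitionIds": [                  # needed by the policy's managed identity
                "/providers/Microsoft.Authorization/roleDefinitions/"
                "9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
            ],
            "existenceCondition": {"allOf": [       # what makes the VM compliant
                {"field": f"{EXT_TYPE}/publisher", "equals": "Microsoft.Azure.Security"},
                {"field": f"{EXT_TYPE}/type", "equals": "IaaSAntimalware"},
            ]},
            "deployment": {"properties": {          # run when nothing satisfies the condition
                "mode": "incremental",
                "template": {"resources": [{
                    "type": EXT_TYPE,
                    "name": "[concat(parameters('vmName'), '/IaaSAntimalware')]",
                    "properties": {"publisher": "Microsoft.Azure.Security",
                                   "type": "IaaSAntimalware"},
                }]},
            }},
        },
    },
}


def condition_matches(cond: dict[str, Any], fields: dict[str, Any]) -> bool:
    """Evaluate the subset of policy conditions used here: allOf, anyOf, not, field/equals."""
    if "allOf" in cond:
        return all(condition_matches(c, fields) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, fields) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], fields)
    if "equals" in cond:
        return fields.get(cond["field"]) == cond["equals"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict[str, Any], inventory: list[dict[str, Any]]) -> dict[str, str]:
    """Return a verdict per VM: 'not applicable', 'compliant' or 'deploy'.

    'deploy' means the if-condition matched but no child resource of details.type
    satisfied the existenceCondition, so DeployIfNotExists would run the template.
    """
    details = policy["then"]["details"]
    verdicts: dict[str, str] = {}
    for vm in inventory:
        if not condition_matches(policy["if"], vm["fields"]):
            verdicts[vm["name"]] = "not applicable"
            continue
        related = [r for r in vm.get("extensions", []) if r["type"] == details["type"]]
        exists = any(condition_matches(details["existenceCondition"], r["fields"]) for r in related)
        verdicts[vm["name"]] = "compliant" if exists else "deploy"
    return verdicts


def _vm(name: str, os_type: str, *exts: tuple[str, str]) -> dict[str, Any]:
    """Build a constructed VM record with optional (publisher, type) extensions."""
    return {
        "name": name,
        "fields": {"type": VM_TYPE, OS_ALIAS: os_type},
        "extensions": [
            {"type": EXT_TYPE, "fields": {f"{EXT_TYPE}/publisher": pub, f"{EXT_TYPE}/type": typ}}
            for pub, typ in exts
        ],
    }


# Constructed inventory (not real resources): a protected Windows VM, a bare Windows VM,
# a Windows VM that only has a monitoring agent, and a Linux VM outside the rule's scope.
SAMPLE_INVENTORY = [
    _vm("win-protected", "Windows", ("Microsoft.Azure.Security", "IaaSAntimalware")),
    _vm("win-bare", "Windows"),
    _vm("win-monitor-only", "Windows",
        ("Microsoft.EnterpriseCloud.Monitoring", "MicrosoftMonitoringAgent")),
    _vm("linux-web", "Linux"),
]

if __name__ == "__main__":
    for name, verdict in evaluate(POLICY_RULE, SAMPLE_INVENTORY).items():
        print(f"{name:18} {verdict}")
```

The point of the `existenceCondition` is visible in the third VM: having some extension is not enough, the extension must match the publisher and type named in the rule, otherwise the VM is still flagged for deployment. When the real definition is assigned, Azure creates a managed identity for the assignment and grants it the roles listed in `roleDefinitionIds`; without that identity the remediation deployment fails.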

barchetta 9 months, 3 weeks ago
If I am not mistaken this policy is not completed? "template" is simply the last command in the script and it has not been identified but will
need to be? I'm so going to get this one wrong if it isn't identical.
upvoted 1 times

dumpmaster 7 months, 4 weeks ago
There is a default Azure policy for that:
"Deploy default Microsoft IaaSAntimalware extension for Windows Server"
upvoted 2 times

Sizz 6 months, 3 weeks ago
Sources:

https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute

https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMAntimalwareExtension_Deploy.json
upvoted 1 times

lnn_az 5 months, 3 weeks ago
Correct Answer. Refer https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists-example
upvoted 3 times

gfhbox0083 4 months, 4 weeks ago
Answers are correct.


DeployIfNotExist / Template
upvoted 7 times

gboyega 4 months, 3 weeks ago
Correct
upvoted 2 times

Question #5 Topic 2

You are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use the auto-generated service principal to authenticate to the Azure Container Registry.
What should you create?

A. an Azure Active Directory (Azure AD) group

B. an Azure Active Directory (Azure AD) role assignment

C. an Azure Active Directory (Azure AD) user

D. a secret in Azure Key Vault

Correct Answer: B
When you create an AKS cluster, Azure also creates a service principal to support cluster operability with other Azure resources. You can use
this auto-generated service principal for authentication with an ACR registry. To do so, you need to create an Azure AD role assignment that
grants the cluster's service principal access to the container registry.
References:
https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-auth-aks

barchetta 9 months, 3 weeks ago
I'm not sure this is right. When you auto create a service principal it defaults the role to contributor. Before running the script, update the
ACR_NAME variable with the name of your container registry. The SERVICE_PRINCIPAL_NAME value must be unique within your Azure
Active Directory tenant. If you receive an "'http://acr-service-principal' already exists." error, specify a different name for the service
principal.

You can optionally modify the --role value in the az ad sp create-for-rbac command if you want to grant different permissions. For a
complete list of roles, see ACR roles and permissions.
upvoted 1 times

PDR 9 months ago
but would that service principal contributor role be only assigned to the cluster and not to the registry, therefore you need to assign it
to the registry itself?
upvoted 1 times

shaheer1991 6 months, 1 week ago
the given answer is the most reasonable between the choices.
upvoted 1 times

gfhbox0083 4 months, 4 weeks ago
B for sure.
(Azure AD) role assignment
upvoted 10 times

DeepMoon 1 month, 3 weeks ago
1. When you create an AKS cluster, Azure also creates a service principal to support cluster operability with other Azure resources.
2. This service principal can already authenticate to AAD (since it was created in AAD).
3. But it needs RBAC permissions on the ACR registry to pull images.
4. To do so, you need to create an Azure AD role assignment that grants the cluster's service principal access to the container registry.
upvoted 2 times

kiketxu 5 days, 19 hours ago
Perfectly explained. Thanks!
upvoted 1 times

Question #6 Topic 2

HOTSPOT -
You have an Azure subscription that contains the virtual machines shown in the following table.

You create the Azure policies shown in the following table.

You create the resource locks shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

References:
https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking
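As an added example (code written for this page, not taken from the question, from Microsoft or from any commenter), the Python below models how Azure Resource Manager management locks gate requests: a lock on a resource group is inherited by every resource inside it, ReadOnly permits only read (GET) requests and therefore also blocks the POST used to start, restart or deallocate a VM, and CanNotDelete blocks DELETE only. Azure Policy is deliberately not modeled, since an allowed-resource-types policy is evaluated on deployments rather than on a start request. The resource names and lock placement are constructed to mirror the thread's reading of the question (a ReadOnly lock on VM1, a ReadOnly lock on RG2 containing VM2, plus an extra CanNotDelete resource group for contrast); they are not the question's actual table.

```python
"""Model of how Azure management locks gate ARM requests (illustrative, not Azure code)."""
from dataclasses import dataclass, field
from typing import Optional

READ_ONLY = "ReadOnly"
CAN_NOT_DELETE = "CanNotDelete"


@dataclass
class Scope:
    """A resource group or a resource; locks propagate from parent to child scopes."""
    name: str
    parent: Optional["Scope"] = None
    locks: set = field(default_factory=set)

    def effective_locks(self) -> set:
        """Locks applied here plus those inherited from every ancestor scope."""
        locks, scope = set(), self
        while scope is not None:
            locks |= scope.locks
            scope = scope.parent
        return locks


# Management operations and the HTTP verb ARM uses for them. Start, restart and
# deallocate are POST actions, which is why a ReadOnly lock blocks them even though
# the VM definition itself is not modified.
OPERATIONS = {
    "read": "GET",
    "create": "PUT",
    "update tags": "PATCH",
    "delete": "DELETE",
    "start": "POST",
    "restart": "POST",
    "deallocate": "POST",
}


def is_allowed(operation: str, scope: Scope) -> bool:
    """Decide whether ARM would accept `operation` at `scope` given the effective locks."""
    verb = OPERATIONS[operation]
    locks = scope.effective_locks()
    if READ_ONLY in locks:
        return verb == "GET"          # read-only: only reads pass
    if CAN_NOT_DELETE in locks:
        return verb != "DELETE"       # everything except delete passes
    return True


def build_scenario() -> dict:
    """Constructed layout following the thread: ReadOnly on VM1, ReadOnly on RG2."""
    rg1 = Scope("RG1")
    rg2 = Scope("RG2", locks={READ_ONLY})
    rg3 = Scope("RG3", locks={CAN_NOT_DELETE})   # extra, for contrast with ReadOnly
    return {
        "RG1": rg1, "RG2": rg2, "RG3": rg3,
        "VM1": Scope("VM1", parent=rg1, locks={READ_ONLY}),
        "VM2": Scope("VM2", parent=rg2),
        "VM3": Scope("VM3", parent=rg3),
    }


def answer_question(scenario: dict) -> dict:
    """The three statements from the question, evaluated against the lock model."""
    return {
        "can start VM1": is_allowed("start", scenario["VM1"]),
        "can start VM2": is_allowed("start", scenario["VM2"]),
        # a new VM would be a child scope of RG2, so it inherits RG2's locks
        "can create VM in RG2": is_allowed("create", Scope("new-vm", parent=scenario["RG2"])),
    }


if __name__ == "__main__":
    for statement, ok in answer_question(build_scenario()).items():
        print(f"{statement:22} {'Yes' if ok else 'No'}")
```

The model is for management locks (Microsoft.Authorization/locks) applied directly in ARM; the article the answer links to describes locks applied through Azure Blueprints, whose Read Only mode on a resource group leaves unlocked child resources deployable, which is the difference several commenters point out. Management locks also say nothing about the guest OS: a ReadOnly lock stops the start/restart control-plane call, not RDP or SSH into a VM that is already running.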

JohnCrawford 1 year, 1 month ago
Answer is incorrect. You cannot create a new VM in an RG with a read-only lock on it. You will receive an error when attempting to do so
informing you that the selected resource group is read only.
upvoted 29 times

Kiri 1 year ago
"A ReadOnly lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine.
These operations require a POST request."

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
upvoted 17 times

snelkoppeling 1 year ago
You cannot start VM1 because of read only lock on VM1
You cannot start VM2 because of read only lock on RG2
You cannot create a new VM in RG2 because of read only lock on RG2
upvoted 105 times

AP_Singh 10 months, 1 week ago
your answers are all correct

ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to
restricting all authorized users to the permissions granted by the Reader role.
upvoted 6 times

jbarszcz 8 months, 2 weeks ago
just tested it. No/No/No
upvoted 30 times

chinJ 7 months, 2 weeks ago
What about the policy definition, which gave an exception for VMs in RG2?
upvoted 2 times

levo017 3 months ago
Azure Policy is more about whether deployment of a resource type is allowed. Starting a VM is not a deployment. See:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
upvoted 1 times

Gorha 7 months, 2 weeks ago
NO, NO, NO
upvoted 4 times

AS007 7 months, 1 week ago
Correct Answer :
No - can't change state
No - can't change state
No - RG is read only
upvoted 4 times

RStover 7 months, 1 week ago
No NO NO
upvoted 3 times

examkid 6 months, 1 week ago
Answer should be:
No, No, No
1.) cannot perform write operation because following scope(s) are locked:
'subscriptions/xxxx/resourceGroups/xxx' Please remove the lock and try again.

2.) When creating a VM in a resource group with a Read Only lock an error is shown:
"The selected resource group is read only"

3.) Because of the read only lock, virtual machines cannot be started nor stopped when the lock is added after the machine started. (Not
part of this use case, but still good to know.)

The article referenced in the answer states differently because that is scoped to blueprints.
In the Lock Resources page it states the following regarding starting VMs:

"A ReadOnly lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine.
These operations require a POST request."

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
upvoted 8 times

examkid 6 months, 1 week ago
As an addition:
When the 'ReadOnly' lock is applied to the Resource Group through Azure Blueprints, the answer should be No, No, Yes

The effect of locks applied to a resource group through an Azure blueprint is different.
When I apply a read-only lock on my resource group via Azure Blueprint I cannot change the properties and tags of the resource group,
but I am still able to deploy resources and start/stop virtual machines.
upvoted 3 times

AtulS 6 months, 1 week ago
If the Lock is on RG the resources that are not locked can be changed or created. So answers are correct.
upvoted 2 times

Rajuuu 6 months, 1 week ago
Answer is correct.

Read Only - Resource group: The resource group is read only and tags on the resource group can't be modified. Not locked resources can
be added, moved, changed, or deleted from this resource group.
upvoted 2 times

Rajuuu 6 months ago
Ignore my previous response…
Tested now.
Answer is No, No, No
upvoted 5 times

Maximillian 5 months, 3 weeks ago
Answer should be No, No, No but I would like to give another side of the story for the third answer. Everyone says the third answer is
bound to the read-only lock but it actually has nothing to do with the read-only lock but rather with the allowed resource types policy. When I
experimented with it, the policy should tick not only the virtual machines but the NSG, storage accounts and network interfaces. That's why it's
a No.
upvoted 1 times

Manoharan 5 months, 1 week ago
Just tested Answer is No, No, No
upvoted 3 times

gboyega 4 months, 3 weeks ago
NO
NO
NO
is the correct answer
upvoted 3 times

Zjorzke 4 months, 1 week ago
Also tested: “computer says NO” 3x
upvoted 2 times

Raj2020 3 months, 4 weeks ago
Agree, all 3 answers are No, No, No.
Tested in my lab: irrespective of whether the policy definition allows it or not, if the read-only lock is enabled, none of the write operations are
allowed on the locked resource.
upvoted 1 times

eug45 3 months, 3 weeks ago
wrong answer:
It should be NO, NO NO,

Since there is a lock on the resource group, you can’t create a virtual machine in the resource group.
Since there is a lock on the resource group which has the virtual machine, the virtual machine would also have the lock and hence can’t be
started.

Since there is a read-only lock on the virtual machine, it is not possible to start the virtual machine.
upvoted 1 times

peluca 3 months, 2 weeks ago
3x NO for sure
upvoted 1 times

neethubalan 2 months, 3 weeks ago
I too thought no, no, no, but the question is assuming that "you" are the owner. Can an owner lock themselves out of editing? If yes, then
the answer is no, no, no.
upvoted 1 times

wzlinux 2 months, 2 weeks ago
should be NO NO NO
upvoted 1 times

Sahilkondel 1 month, 1 week ago
Tested. No for all options.
upvoted 1 times

awssecuritynewbie 1 month ago
When you apply a read-only lock on a resource group that has VMs inside it, you cannot start them:

"A read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine.
These operations require a POST request."

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
upvoted 1 times

azayra 1 month ago
udemy test is 3x NO
upvoted 2 times

YeJune 6 days, 12 hours ago
No, No, No
upvoted 1 times

Question #7 Topic 2

HOTSPOT -
You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table.

You schedule two update deployments named Update1 and Update2. Update1 updates VM3. Update2 updates VM6.
Which additional virtual machines can be updated by using Update1 and Update2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Update1: VM1 and VM2 only (VM3: Windows Server 2016, West US, RG2)

Update2: VM4 and VM5 only (VM6: CentOS 7.5, East US, RG1)

For Linux, the machine must have access to an update repository. The update repository can be private or public.
References:
https://docs.microsoft.com/en-us/azure/automation/automation-update-management

barchetta 9 months, 2 weeks ago
I'm not sure this is right, I can't find a reference which states update management is limited to resource groups. You can create a
"computer group" as a target which I believe can include any device in AAD. Perhaps someone else can verify.. still digging.
upvoted 1 times

azurearch 9 months ago
It's based on OS: only Windows machines can be added to a Windows update management group and the same applies to Linux. The answer is
right.
upvoted 28 times

HarryD 7 months, 3 weeks ago
https://docs.microsoft.com/en-us/azure/automation/automation-update-management
The Update Management solution requires linking a Log Analytics workspace to your Automation account. For a definitive list of
supported regions, see Azure Workspace mappings. The region mappings don't affect the ability to manage VMs in a separate region
from your Automation account.
upvoted 2 times

IsildursHeir 7 months, 1 week ago
I agree. That does mean the proposed answer is correct.
upvoted 1 times

Rave763 7 months, 1 week ago
Answer is correct. You can add machines to the update management irrespective of the region and resource group provided they are of the
same OS type. I think region agnostic is a recent feature.
upvoted 5 times

gboyega 4 months, 3 weeks ago
Correct. Answer is correct
upvoted 4 times

gfhbox0083 4 months, 4 weeks ago
Provided answers are correct
upvoted 4 times

peluca 3 months, 2 weeks ago
Agree with provided answer
upvoted 1 times

TauruSH 2 months, 1 week ago
How can this answer be correct? Neither their resource groups nor their regions are the same!
I think for the 1st one it should be "For VM4 only" and for the second one "For VM1, VM2 and VM5 only".
upvoted 2 times

tms2020 2 months, 1 week ago
Update Management assesses and applies security updates to all connected Windows Server and Linux servers in a workspace as per
https://docs.microsoft.com/en-us/azure/automation/update-management/update-mgmt-overview

Hence both update management solutions are applicable to all the machines, provided they are not in a stopped state.
upvoted 2 times

btxy4 1 month, 3 weeks ago
https://docs.microsoft.com/en-us/azure/automation/update-management/update-mgmt-groups
Choose either Windows or Linux.
upvoted 1 times

Stuudent 2 weeks ago
I don't know, look at point 4 here:

The list of virtual machines is filtered to show only the virtual machines that are in the same subscription and location. If your virtual
machines are in more than three resource groups, the first three resource groups are selected.

https://docs.microsoft.com/en-us/azure/automation/update-management/enable-from-portal
upvoted 1 times

deepu1982 1 week ago
Update Management can be used to natively deploy to machines in multiple subscriptions in the same tenant; it's at tenant level. Answer is
correct.
upvoted 1 times

Question #8 Topic 2

HOTSPOT -
You have an Azure subscription named Sub1.
You create a virtual network that contains one subnet. On the subnet, you provision the virtual machines shown in the following table.

Currently, you have not provisioned any network security groups (NSGs).
You need to implement network security to meet the following requirements:
✑ Allow traffic to VM4 from VM3 only.
✑ Allow traffic from the Internet to VM1 and VM2 only.
✑ Minimize the number of NSGs and network security rules.
How many NSGs and network security rules should you create? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

NSGs: 2 -

Network security rules: 3 -


Not 2: You cannot specify multiple service tags or application security groups in a single security rule.
References:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
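As an added worked example (code written for this page, not taken from the question, from Microsoft or from any commenter), the Python below simulates first-match inbound NSG evaluation with the three default inbound rules and checks a candidate rule set against the question's two requirements. It models a single NSG associated to the subnet, the design several commenters propose; a NIC-level NSG would be a second, separate evaluation that must also allow the traffic, which this simulation does not model. The addresses, the address space and the ASG membership are constructed, and the VirtualNetwork service tag is simplified to the one subnet (in Azure it also covers peered virtual networks and on-premises ranges learned by a gateway).

```python
"""First-match inbound NSG simulation for the one-subnet scenario (illustrative)."""
from dataclasses import dataclass
import ipaddress

# Constructed addressing: one subnet, four VMs, and the ASGs named in the question.
SUBNET = ipaddress.ip_network("10.0.0.0/24")
VMS = {"VM1": "10.0.0.4", "VM2": "10.0.0.5", "VM3": "10.0.0.6", "VM4": "10.0.0.7"}
ASGS = {"AppGroup12": {"VM1", "VM2"}, "AppGroup3": {"VM3"}, "AppGroup4": {"VM4"}}


@dataclass(frozen=True)
class Rule:
    priority: int          # lower number wins; custom rules use 100-4096
    name: str
    source: str            # IP/CIDR, service tag (Internet, VirtualNetwork, ...) or ASG name
    destination: str
    access: str            # "Allow" or "Deny"


# Default inbound rules every NSG carries (priorities 65000-65500; they cannot be removed,
# only overridden by a custom rule with a lower priority number).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "Any", "Allow"),
    Rule(65500, "DenyAllInBound", "Any", "Any", "Deny"),
]


def _matches(selector: str, endpoint: str) -> bool:
    """Does a rule's source/destination selector cover an endpoint?

    endpoint is a VM name from VMS or one of the literals 'Internet' / 'AzureLoadBalancer'.
    """
    if selector == "Any":
        return True
    if selector in ASGS:
        return endpoint in ASGS[selector]
    if selector == "VirtualNetwork":                # simplified: just this subnet
        return endpoint in VMS
    if selector in ("Internet", "AzureLoadBalancer"):
        return endpoint == selector
    net = ipaddress.ip_network(selector, strict=False)   # plain IP or CIDR
    return endpoint in VMS and ipaddress.ip_address(VMS[endpoint]) in net


def evaluate_inbound(custom_rules: list[Rule], source: str, destination: str) -> str:
    """The first matching rule in ascending priority order decides; DenyAllInBound is the backstop."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule.source, source) and _matches(rule.destination, destination):
            return rule.access
    return "Deny"


# Candidate design: a single subnet-level NSG with three custom rules.
ONE_NSG_THREE_RULES = [
    Rule(100, "AllowInternetToAppGroup12", "Internet", "AppGroup12", "Allow"),
    Rule(110, "AllowAppGroup3ToAppGroup4", "AppGroup3", "AppGroup4", "Allow"),
    Rule(120, "DenyOthersToAppGroup4", "Any", "AppGroup4", "Deny"),
]

# The question's requirements as (source, destination, expected verdict).
REQUIREMENTS = [
    ("VM3", "VM4", "Allow"),          # traffic to VM4 from VM3 ...
    ("VM1", "VM4", "Deny"),           # ... and from nothing else
    ("Internet", "VM4", "Deny"),
    ("Internet", "VM1", "Allow"),     # Internet to VM1 and VM2 ...
    ("Internet", "VM2", "Allow"),
    ("Internet", "VM3", "Deny"),      # ... and to nothing else
]


def violations(custom_rules: list[Rule]) -> list[str]:
    """Requirements the rule set fails; an empty list means the design meets them all."""
    return [
        f"{src}->{dst}: got {got}, expected {want}"
        for src, dst, want in REQUIREMENTS
        if (got := evaluate_inbound(custom_rules, src, dst)) != want
    ]


if __name__ == "__main__":
    print("three rules:", violations(ONE_NSG_THREE_RULES) or "all requirements met")
    print("without the explicit deny:", violations(ONE_NSG_THREE_RULES[:2]))
```

Running it with only the two allow rules shows why the third rule is not redundant: AllowVnetInBound at priority 65000 is evaluated before DenyAllInBound at 65500, so any VNet source reaches VM4 unless a custom rule with a lower priority number denies it. The simulation covers rule logic only; in Azure a subnet NSG and a NIC NSG are evaluated as two separate passes on inbound traffic (subnet first, then NIC), and both must allow the flow.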
Oz 11 months, 4 weeks ago
Correct answer is this.
1) You can only assign 1 NSG to a subnet, and there is only one subnet in the description. So Box 1 is 1.
2) You can have AppGroup3 as the source and AppGroup4 as destination in one rule then deny traffic. That's one rule.
You can have the Internet tag as a source and AppGroup12 as the destination. That's rule 2.
So Box 2 is 2.
upvoted 11 times

gills 3 weeks, 5 days ago
This is incorrect. The communication between two VMs within the subnet cannot be controlled by an NSG at the subnet level. So
there is going to be an NSG assigned to a NIC. The traffic between the internet and a VM can be controlled by an NSG at the
subnet. So there are two NSGs for sure!
upvoted 1 times

Oz 11 months, 4 weeks ago
Sorry, I have to re-post.
Correct answer is this.
1) You can only assign 1 NSG to a subnet, and there is only one subnet in the description. So Box 1 is 1.
2) Number of rules in an NSG can be any; they are processed in sequence.
Rule 1: You can have AppGroup3 as the source and AppGroup4 as destination in one rule then allow traffic.
Rule 2: You can have Service Tag "Internet" as a source and AppGroup12 as the destination, then allow traffic.
Rule 3: You can have source as the subnet range and destination as subnet range then deny all traffic, so only the above rules will be allowing
traffic.

So Box 2 is 3.

You still have 3 default rules that allow traffic from VNET, LoadBalancer and deny all other inbound traffic.
upvoted 41 times

azurearch 9 months ago
there is no requirement to allow traffic from one appgroup to another, question is just to allow traffic from internet to vm1 and 2.
upvoted 3 times

Rave763 7 months, 1 week ago
I would like to agree with @Oz. I have read somewhere that NSGs are allow by default, so we need to add a rule for deny. Just
experimented in the portal and found that when you create an NSG the portal automatically adds a Deny rule with priority 65500.

So the answer is 1 and 3.
upvoted 5 times

gboyega 4 months, 3 weeks ago
Well, not outright correct; remember we can attach a subnet to a NIC also.
upvoted 2 times

David_986969 5 months, 2 weeks ago
Actually you only need 1 NSG rule, because by default the communication between VMs in the same subnet is enabled when you
create the NSG.
upvoted 6 times

Roy_Batty 2 months, 3 weeks ago
In agreement that it's possible with 1 NSG and 3 rules, but given the "Tip" in one of the articles people are linking to, would it be better
practice to create a separate NSG for the NIC-specific rules, and keep the Subnet-wide NSG to the rule for Internet->ASG?

Does anyone know where the listed answer came from? I'm wondering how hard I should try to 'justify' it, or figure out why it's right
(assuming it reflects the actual test answer) or should I go with the answer we've figured out as technically correct if I encounter it on
the test?
upvoted 1 times

mat73 11 months, 2 weeks ago
Box 1 is 2, one NSG for the subnet, 1 NSG at interface level
Box 2 is 2, 1 deny for NSG at interface level, 1 permit with Application Group for NSG at subnet level
upvoted 2 times

anonymous654 11 months ago
While this direction is correct, how many NSGs can the permit allow? The answer says you cannot permit multiple NSGs with a single
permit rule.
upvoted 1 times

anonymous654 11 months ago
I mean permit multiple Application Groups.
upvoted 1 times

Moh1818 11 months, 1 week ago
Since all VMs are in one subnet, I believe we have to create 2 NSGs & assign them to the VM4 & VM2 NICs.
upvoted 1 times

Moh1818 11 months, 1 week ago
please ignore the previous post
upvoted 4 times

yebo 11 months ago
Why can't we have 1 NSG at the subnet level with 3 rules?
1) 65003 (priority) VirtualNetwork (src) > VirtualNetwork (dst) DENY (> override AllowVNetInBound ALLOW default rule)
2) 65004 (priority) AppGroup4 (src) > AppGroup3 (dst) ALLOW
3) 65501 (priority) Internet (src) > AppGroup12 (dst) ALLOW (> override DenyAllInBound DENY default rule)
upvoted 2 times

yebo 11 months ago
Small correction for the priority of rule 3):
3) 100(priority) Internet (src) > AppGroup12 (dst) ALLOW
upvoted 3 times

barchetta 9 months, 3 weeks ago
I believe we'd have to create an NSG on the interface of VM4. The default would be inbound deny any any. Then we'd need to create a rule to
allow from VM3 inbound. So 1 NSG and 1 rule. Then to allow the other two to access the internet we'd need to create 1 NSG and 2 rules to
allow outbound for the two VMs. So 2 NSGs and 3 custom rules. I think this is right.
upvoted 2 times

azurearch 9 months ago
Tip

Unless you have a specific reason to, we recommended that you associate a network security group to a subnet, or a network interface,
but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group
associated to a network interface, you can have unexpected communication problems that require troubleshooting.

hence it should be only 1 nsg, having another nsg at NIC level would cause a conflict
upvoted 3 times

dle84 8 months ago
The answer was based on the reference here:
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
upvoted 3 times

lnn_az 5 months, 3 weeks ago
but the reference has 2 subnets. As per the question, we have only one Subnet
upvoted 1 times

LA1985 7 months, 2 weeks ago
Displayed answer is correct:
two NSGs: NSG1 at network level, and NSG2 to apply to VM4

NSG1: deny 10.0.0.0/24 to 10.0.0.0/24, and allow any to AppGroup12

NSG2: allow from AppGroup3 to AppGroup4
upvoted 3 times

Gorha 7 months, 2 weeks ago
One NSG and 3 rules:
rule 1: VM4 to VM3 source AppGroup4 to AppGroup3 allow
rule 2: VM1 & VM3 source internet destination AppGroup12 allow
rule 3: denyallinternet source internet destination Any effect Deny
upvoted 1 times

AS007 7 months, 1 week ago
Correct Answer :
1 - One NSG can be used.
1 - all vm's in same vNET can talk to each other, so would need just one rule for internet.
upvoted 6 times

AS007 7 months, 1 week ago
Clearly states one vNET in second line ;)
upvoted 1 times

ExamUser 7 months, 1 week ago
Oz's correct because 1 NSG at the subnet with 3 rules will meet the requirements.
upvoted 2 times

cybrtrk 7 months, 1 week ago
Since application group traffic is controlled independently from 'regular' network traffic, 1 NSG will work. If there was a condition that said
'you must not use ASGs for the traffic between VM3 and VM4' then you'd need another NSG on VM4's NIC.
So I'll also agree with: 1 NSG and 2 rules.
upvoted 2 times

Solanki 6 months, 3 weeks ago
Since all VMs are in same subnet, we have to apply NSG at NIC level. NSG at subnet level will only work if traffic needs to go out from
subnet.

Also, no need to worry about permits etc as we need to just cover 2 requirements mentioned.

1) Allow traffic to VM4 from VM3 only (In this case we can apply 1 NSG at NIC4 and allow 1 rule permit VM3, default will be implicit deny)
2) Allow traffic from the Internet to VM1 and VM2 only. (In this case we apply 1 NSG to both NICs NIC1 and NIC2 and add 1 rule Allow from
internet to AppGroup12 which will cover both VMs).
So my answer would be 2*NSGs and 2*Rules
upvoted 2 times

Solanki 6 months, 3 weeks ago
And yes, we can apply an ASG in an NSG as per the provided link: "Any, or an individual IP address, classless inter-domain routing (CIDR) block
(10.0.0.0/24, for example), service tag, or application security group"
upvoted 2 times

Solanki 6 months, 2 weeks ago
In first case manual deny entry need to be added also else default vnet to vnet permit will allow all traffic within VMs. considering this i
guess we need to add 1 more rule so total 3 rules and 2 nsgs imo.
upvoted 2 times

Derek_O2018 6 months, 2 weeks ago
I believe that the answer should be 1 nsg and one rule; to allow inbound traffic from the internet to vm1 and vm2. Since vm3 and vm4 are
located in the same vnet, they can communicate by default. I agree with AS007's reasoning.
upvoted 1 times

Derek_O2018 6 months, 2 weeks ago
Correction:
An nsg is to be created and assigned to the subnet. The default rules allow traffic from other machines within the vnet and none from
the internet. Another rule is to be added; one that will allow internet to ASG12 (this still restricts internet traffic to the other vms)-> this
addresses Req1.
Another NSG is to be created and assigned to NIC4. Two rules need to be added, the first to restore the deny all traffic, and the second
one to allow only traffic from ASG3 -> this addresses Req 2.
This yields two NSGs and 3 rules.
upvoted 1 times

Root_Access 6 months, 2 weeks ago
Answer seems to be correct, you need two NSGs, one for the subnet and the other for the NIC.
The subnet NSG needs to allow internet to the app group including VM1 and VM2 as the only rule.
The NIC NSG needs two rules, one to allow the VM to VM connection and the other to block anything else, because by default traffic within the
VNet is allowed.
upvoted 2 times

Stone90 6 months, 2 weeks ago
Oz is right, you can only assign 1 NSG to a subnet.
https://feedback.azure.com/forums/217313-networking/suggestions/10093566-multiple-network-security-groups-per-subnet
upvoted 1 times

armin 6 months, 1 week ago
This question is based on the following link:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

"It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VM's within it. For example, if a
rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each
other. Another rule would have to be added specifically to allow this"

one subnet level NSG (with two rules AppGroup3 as the source and AppGroup4 as destination ) is enough for controlling the connectivity
between VM3 and VM4.
The same NSG can be used for allowing traffic to VM1 and VM2 (AppGroup12 as the Allow destination)
So the answer is 1-3
upvoted 2 times

shaheer1991 6 months ago
I'd have to agree with the given solution for the following reasons:
1- An NSG on subnet level will be activated for traffic going into the subnet or out of it.
2- By default you have a deny rule for internet traffic.
3- By default you have an allow rule for internal connections.

After stating the above 3 points, I believe:

1- You need 1 NSG-1 for the subnet to allow internet traffic to the ASG for VM1 & 2.
2- You need 1 NSG-2 on the NIC level of VM4; if I didn't do so and I added the rule to NSG-1 it would not apply correctly, as VM3 will be within
the same subnet as VM4, hence won't go through NSG-1. That being said, NSG-2 would have a deny all rule & an allow rule for ASG3...

which makes it 2 NSGs and 3 rules:

an NSG on subnet level with an allow internet rule
another NSG on NIC4 level with 2 rules allowing ASG3 and denying the rest.
----------------------------------------
I have to say if it wasn't for point 1 above I'd have gone with 1 NSG and 3 rules.
upvoted 2 times

ed7 5 months, 4 weeks ago
Unless you have a specific reason to, we recommended that you associate a network security group to a subnet, or a network interface,
but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group
associated to a network interface, you can have unexpected communication problems that require troubleshooting. from here
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 1 times

az500_cho 5 months, 1 week ago
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#intra-subnet-traffic
"It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VM's within it. For example,
if a rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with
each other. Another rule would have to be added specifically to allow this."

You can also deny intra-subnet traffic in an NSG (applied at subnet level).
I would go for 1 NSG on the subnet, and 3 rules in the NSG.
1st rule - deny all traffic (refer to the link above)
2nd rule - allow Internet access to VM1 and VM2
3rd rule - allow VM3 to VM4 traffic.
upvoted 3 times

lnn_az 5 months, 3 weeks ago
Just tested this in my Azure environment:

NSG1 for Subnet with rule1 - to allow traffic from internet to AppGroup12
NSG2 for NIC4 with rule2 - to allow traffic from AppGroup3 to AppGroup4 (priority 1000) and rule3 - to deny traffic from any to AppGroup4
(priority 1001)

Total 2 NSGs with 3 security rules.
upvoted 3 times

Srini300 5 months, 2 weeks ago
Why do we need rule 3 to deny? isn't there a default deny?
upvoted 2 times

Krakow 5 months, 1 week ago
You are right - there is. Rule 65500 DenyAllInBound by default. Answer is 1 NSG and 2 rules.
upvoted 2 times

deepu1982 1 week ago
I agree with this answer.
upvoted 1 times

lnn_az 5 months, 3 weeks ago
ignore my previous post.

correct answer is 1 NSG with 3 Security Rules


NSG1 for Subnet with
rule1 - to allow traffic from internet to AppGroup12 (priority 1000)
rule2 - to allow traffic from AppGroup3 to AppGroup4 (priority 1001)
rule3 - to deny traffic from any to AppGroup4 (priority 1002)
upvoted 4 times

  Krakow 5 months, 1 week ago


There is no need to create the last rule as there are 3 rules ALWAYS by default and rule 65500 DenyAllInBound is among them. Answer is 1
NSG and 2 rules.
upvoted 2 times

  chaudh 4 months, 4 weeks ago


default security rule allows all communication between resources in the same virtual network
upvoted 1 times

  David_986969 5 months, 2 weeks ago


Correct Answer is:
1) You can only assign 1 NSG to a subnet and you can create multiple rules in a NSG group, so you only need ONE Network Security Group
2) By default when you create an NSG the rule that allows VMs in the same subnet is enabled, together with two other rules. Now you have to
allow internet to VM1 and VM2; since they are in the same Application Security Group, you generate only ONE NSG rule to fit this
requirement.
The answer is One and One
upvoted 4 times

  PA 5 months ago
Box1 == 1
Box2=3
Please see below link... 
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
upvoted 4 times


  summut 4 months, 4 weeks ago


Answer should be 1 and 1.
1 NSG for the subnet (there is only one subnet in one VNet)
1 Rule to allow Internet to Comms with AppGroup12 (VM1 and VM2)
No other rules are needed, because the default rules will allow the other VMs to talk to each other on the Subnet\VNet.
upvoted 4 times

  summut 4 months, 4 weeks ago


Sorry, I retract that. The statement is Allow traffic to VM4 from VM3 only.
So the answer should be 1 and 3 as per previous answers provided by others.
upvoted 2 times

  gboyega 4 months, 3 weeks ago


Judging from the picture
1. We create our first NSG attached to the subnet first (1 NSG), create an inbound rule to allow internet traffic to VM1 and VM2 using their
already assigned ASGs
2. We can create and add a new NSG to the NIC of VM4 to allow only traffic from VM3.
Which makes us have 2 NSGs and 2 network security rules
3. We then create another inbound rule to allow internet traffic to VM1 and VM2 then associate it to the AppGroup12 ASG.

So I think the ideal answer is 2 NSGs, 2 network security rules


upvoted 1 times

  gboyega 4 months, 3 weeks ago


Please ignore No. 3, I forgot to delete that entry
upvoted 1 times

  M4gnet1k 4 months, 3 weeks ago


Correct answer is:
- 1 NSG
- 1 Security Rule
Explanation for the 1 NSG: By default a NSG allows communication of its resources in the same VNet.
Explanation for the 1 Security rule: By default there always exist 3 Security Rules in an NSG. The first of all is the allow for communication inside the
VNet, so here we have the first requirement. For the second one we have to create a rule (internet traffic). So the answer is that we have to
create only 1 rule (the one that allows Internet traffic), the other 3 do not count! (you do not create them, they are there by default).
upvoted 2 times

  gboyega 4 months, 3 weeks ago


I think this is wrong.
The question says no prior NSG
1. We create an NSG and attach it to the subnet (1)
2. The question then states that only VM1 and 2 should allow internet traffic inbound
We create a security rule that states any source (*) inbound to our destination, which would be the ASG (for simplicity's sake) which our 2
VMs are a part of, should only be allowed. All others would get denied
3. It says only VM3 should be able to talk to VM4.
Now we create another NSG and attach it to the NIC of VM4, and allow only traffic from VM3, since we all know that traffic between
subnets is allowed in the same VNET
which would make it 2 NSGs, 2 security rules
upvoted 2 times

  Freeze 4 months, 2 weeks ago


Gboyega you are correct but look at it this way, can't we put all the rules in a single NSG and attach it at the subnet? Inbound traffic
meant for VM4 that is not from VM3 can be dropped at the subnet, eliminating the need for another NSG, leaving us with 1 NSG, 2
rules, what do you think?
upvoted 1 times

  addy007 4 months, 1 week ago


NSG - 1 & NSG rules - 3 (apart from the default rules)
upvoted 2 times

  SLG 4 months ago


As per me, 1 NSG and 2 network security rules (to ensure we have the minimum number of NSGs and rules)
NSG will be applied on the subnet
Network security rules will be configured as below
Rule 1 - to allow traffic from Internet to VM1 and VM2 using AppGroup12 (ASG) as destination
Rule 2 - Security rule to deny traffic from VM1 and VM2 to VM4 (so as to allow traffic to VM4 from VM3 only) using AppGroup12 (ASG for VM1
and VM2) in Source and AppGroup4 in Destination. (As the default rule allows traffic within the subnet, VM4 will be allowed from VM3 using the default rule.)
upvoted 1 times

  envy 3 months, 4 weeks ago


2 NSG and 2 Rule, by default, all VMs have internet access
NSG1: on subnet and deny internet outgoing for multiple IPs (VM3 and VM4)
NSG2: on VM4 and deny inbound from application group (VM1 and VM2)
upvoted 1 times

  envy 3 months, 3 weeks ago



(update) 2 NSG 3 Rule
upvoted 2 times


  eug45 3 months, 3 weeks ago


correct answer 2 and 3
Here we are going to implement 2 network security groups. One at the subnet layer for allowing traffic onto demovm1 and demovm2.
And one for NIC4 to allow traffic from demovm3.

Here we need to implement one rule at the subnet layer to allow traffic from the Internet onto demovm1 and demovm2. Next, we need to
add one network security group rule for NIC4 to allow traffic from only NIC3 via their private IP address. And then we need to add one
more rule to Deny all other traffic.
upvoted 2 times

  Bluediamond 2 months, 3 weeks ago


You don't need to add a rule to deny traffic as that rule is already implemented as a default rule. You need 2 rules. One to allow traffic
to internet on the subnet NSG and one to allow traffic from vm3 to vm4 at NIC NSG on VM3. VM3 won't be allowed to go to internet
due to default rule not allowing outbound traffic.
upvoted 2 times

  awssecuritynewbie 1 month ago


One NSG and 2 rules, I agree with you
upvoted 1 times

  peluca 3 months, 2 weeks ago


I think that 1 NSG and 2 rules should be the correct answer...
1 NSG at the subnet level with default rules.
2 extra rules:
1) Allow traffic to VM4 from VM3 only: default rule allows all internal subnet traffic, so we create a rule that denies traffic from VM1 and
VM2 to VM4
2) Allow traffic from internet to VM1 and VM2 only: we create a rule that allows internet traffic to AppGroup12
upvoted 4 times

  examacc 3 months, 2 weeks ago


Ans 2, 2:
1 NSG for NIC with one rule,
1 NSG for Subnet to allow internet
upvoted 1 times

  GraceCyborg 2 months, 2 weeks ago


Answer is 1, 1.
- VM3 and VM4 are allowed to talk to each other by default in the same subnet
- VM1 and VM2 are under the same ASG, you need 1 rule (allow Internet service tag to that ASG)
upvoted 2 times

  kiketxu 2 months, 1 week ago


I thought like you, but to my view "Allow traffic to VM4 from VM3 only". "Only" is the key to needing the first rule. You need to deny
traffic to only allow VM3, as all the traffic between the virtual network is allowed by default.
For the second rule, you need to allow from Internet to the ASG of VM1 and VM2. Please note, you don't need to allow "TO" Internet.
Therefore 1 NSG and 2 rules. Thoughts?
upvoted 1 times

  hstorm 2 months, 2 weeks ago


Correct answer is 2-3
Traffic within a subnet should be filtered by an NSG at the NIC level and not at the subnet level.
1 NSG associated with the NIC on VM4
1 rule denying all (default traffic is open within virtual networks)
1 rule allowing traffic from VM3 to VM4 with a lower priority number than the deny rule

Traffic from outside the subnet into the subnet should be filtered at the subnet level.
1 NSG associated with the subnet
1 rule allowing traffic from Internet to the application security group containing VM1 and VM2 (by default all traffic from Internet is denied)
upvoted 5 times

  TauruSH 2 months, 1 week ago


Correct answer is
1) 1 (because one subnet can have only one NSG)
2) 3 (three rules, two which are defined and one to deny all other inflow from other IPs)
upvoted 1 times

  joe30333 2 months, 1 week ago


minimum NSG is 1. The same NSG can be associated for both NIC and Subnet.
Rules minimum is 2.
upvoted 3 times

  awssecuritynewbie 1 month, 3 weeks ago


So we need traffic to the internet for VM 1&2, IP 10.0.0.10-11 (one AppGroup12), so there is one rule we need to create... it does not
require to be assigned with source NIC1. It can be their IP address or app security group

Then that is all the traffic between vm4 and allowed by the default rule which is "AllowVNetInBound"
you cannot even delete them (tested it)

we need 1 NSG and 1 rule..



pay attention to the "Destination Virtualnetwork" this means anything in the SAME VIRTUALNETWORK ...
upvoted 1 times

  theodosis 1 month, 3 weeks ago


2 NSG,
- one to subnet
- one to interface
2 Rules,
- One Outbound Rule on subnet NSG, to deny source 10.0.0.100 (VM3) and 10.0.0.200 (VM4) and destination tag Internet
(with ASGs you would need two rules since multiple groups are not supported).
Default Outbound 65001 allows Internet outbound (allowing Internet for VM1 and 2)
- One Inbound Rule on VM4 interface NSG to deny source 10.0.0.10 (VM1), 10.0.0.11 (VM2) to 10.0.0.200 (VM4)
Default Inbound Rule 65000 allows traffic between networks. (Allowing VM4 to VM3)
upvoted 1 times

  DeepMoon 1 month, 3 weeks ago


NSG's: 3 Rules:
1st NSG is connected to the VM3 Nic to allow only VM4. (It contains only 1 rule: allow VM4)
2nd NSG is for the subnet. It contains 2 rules.
1st rule to allow traffic from the internet to VM1,
2nd rule to allow traffic from the internet to VM2

NSG's come with default rules. One is the implicit deny rule. So we don't have to create that.

We are asked "How many NSGs and network security rules should you create?"
We have to create 2 NSGs. (1 for VM3 Nic, other for the subnet).
We have to create a total of 3 rules.
upvoted 1 times

  jinxie 1 month, 1 week ago


Why would you create 2 NSGs when it can be done by 1? You only have 1 subnet; mixing subnet NSGs with NIC NSGs is asking for
trouble in a practical environment.
upvoted 1 times

  jinxie 1 month, 1 week ago


From what I can see you can do it with 1 NSG on the subnet and with 2 rules.
Create an inbound deny rule to deny all traffic to VM4 except from VM3.
Finally the second ask is to allow traffic from the Internet to only VM1 and 2, so that is another inbound rule. By default Internet traffic is
denied on inbound so you need to create a 2nd rule to allow Internet traffic inbound to the two servers.
In conclusion the bare minimum of rules you need to create is 2 inbound rules on 1 NSG
upvoted 1 times

  fmlvaz 1 month ago


My answer is One NSG and 3 rules,
1- Traffic VM3 ->VM4
2 - Allow internet to the required Machine.
3 - Implicit Deny
We can do that because "Intra-Subnet traffic:
It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VM's within it. For example, if a
rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each
other. Another rule would have to be added specifically to allow this."
upvoted 1 times

  DeepMoon 4 weeks ago


Question stipulates:
You are required to minimize NSG's and network rules.
Then asked how many do you have to create to meet the requirements.

Create NSG 1: Apply to VM4 Nic.


Create one inbound rule in it to: "Allow only traffic from '10.0.0.100 (vm3)'". Implicit deny will deny everything else.

Create NSG 2: Apply it to Subnet1:


Create rule 1, inbound (priority 100): "Allow 'Internet' Inbound to AppGroup12 (which contains VM1 & 2)".
Create rule 2, inbound (priority 200): "Deny inbound internet traffic to all others in the subnet".
NSG 2: rule 2 is required. Without that all VMs on subnet 1 can initiate connections to the internet.
Because of the default outbound rule AllowInternetOutbound, it is not necessary to create a reciprocal inbound rule for this. (See url below:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview)

Box1: You need to create 2 NSGs.


Box 2: You need to create a 3 network security rules.
upvoted 3 times

  kati 3 weeks, 6 days ago


We will need one NSG and three rules, the exact solution is available in the below link
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
upvoted 3 times 
  shanan_ilen 2 weeks, 1 day ago


Thank you :)
upvoted 1 times

  awssecuritynewbie 1 week, 5 days ago


So I recreated this using:

1 vnet
1 subnet
1 NSG that is attached to four network interfaces
I created 1 rule for the incoming internet traffic to VM1&2 that require it, using an application security group same as in the question
("appgroup12"), and it all works. The app security group must be on the same vnet, which they all are in this question.. the traffic within the vnet
is permitted by default.

1nsg
1rule
upvoted 1 times

  deepu1982 1 week ago


Once you attach the one nsg for all 4 VMs due to default rules virtualnetwork to virtualnetwork rule enables communication between
all 4 VMs, but we should allow traffic to vm4 to vm3 only.
upvoted 1 times

  kiketxu 5 days, 18 hours ago


Back on this question....it's clear for all of us that only one NSG is needed, just configured for the subnet.
But for the rules, let's check...
✑ Allow traffic to VM4 from VM3 "only". (Only is the hint)

By default all traffic in the virtual networks is allowed, but you need to deny VM1 and VM2 traffic to VM4. To let only allow from VM3. So,
here 1 rule to deny traffic from the AppGroup12

✑ Allow traffic from the Internet to VM1 and VM2 only.

By default all the outbound traffic is allowed to Internet, but no inbound. For this, we need to add another rule to allow from internet to
AppGroup12.

Just 1 NSG with 2 rules should be the answer for this question.
upvoted 1 times
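The competing designs in this thread (1 rule, 2 rules, 3 rules on a single subnet NSG) can be checked against a small model of how an NSG evaluates inbound traffic. The following is an added example, not code from the original page or from Microsoft: rules are evaluated in priority order, the first match wins, and the three default inbound rules (65000, 65001, 65500) always sit at the end. The VNet range, the 10.0.0.x addresses and the public address 203.0.113.5 are constructed lab values (the addresses mirror what posters describe); the ASG names are the ones from the question. Ports, protocols and outbound rules are deliberately left out.

```python
"""Toy model of Azure NSG inbound rule evaluation (added illustration, not Azure code).

Rules are evaluated in priority order (lowest number first); the first rule
that matches decides. Every NSG also carries three default inbound rules
(65000, 65001, 65500) that cannot be deleted. Ports and protocols are ignored
and outbound rules are not modelled, to keep the model short.
"""
from dataclasses import dataclass
import ipaddress

# Constructed lab values (assumptions, not from Azure): the VNet range and the
# 10.0.0.x addresses mirror what posters in the thread describe; the ASG
# names are the ones used in the question.
VNET = ipaddress.ip_network("10.0.0.0/24")
ASGS = {
    "AppGroup12": {"10.0.0.10", "10.0.0.11"},  # VM1, VM2
    "AppGroup3": {"10.0.0.100"},               # VM3
    "AppGroup4": {"10.0.0.200"},               # VM4
}
AZURE_LB_PROBE = "168.63.129.16"  # source address of Azure load balancer health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str       # "Allow" or "Deny"
    source: str       # "*", a service tag, an ASG name or an IP address
    destination: str  # same vocabulary as source


# Default inbound rules present in every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]


def _matches(selector: str, ip: str) -> bool:
    """Does a source/destination selector cover the given address?"""
    addr = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "Internet":
        return addr not in VNET
    if selector == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if selector in ASGS:
        return ip in ASGS[selector]
    return ip == selector  # literal IP address


def evaluate(custom_rules, src_ip: str, dst_ip: str):
    """Return (access, rule name) for the inbound flow src_ip -> dst_ip."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule.source, src_ip) and _matches(rule.destination, dst_ip):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# The rule every design needs: inbound Internet may reach VM1 and VM2 only.
ALLOW_INTERNET = Rule("AllowInternetToAppGroup12", 100, "Allow", "Internet", "AppGroup12")

# Design A ("1 and 1"): rely on the default rules for everything else.
ONE_RULE = [ALLOW_INTERNET]
# Design B ("1 and 2"): deny VM1/VM2 -> VM4 and let AllowVnetInBound admit VM3.
TWO_RULES = ONE_RULE + [Rule("DenyAppGroup12ToAppGroup4", 110, "Deny", "AppGroup12", "AppGroup4")]
# Design C ("1 and 3"): explicit allow VM3 -> VM4, then deny every other source to VM4.
THREE_RULES = ONE_RULE + [
    Rule("AllowAppGroup3ToAppGroup4", 110, "Allow", "AppGroup3", "AppGroup4"),
    Rule("DenyAnyToAppGroup4", 120, "Deny", "*", "AppGroup4"),
]


def check_requirements(rules):
    """Evaluate the question's two requirements against one rule set."""
    internet, vm1, vm3, vm4 = "203.0.113.5", "10.0.0.10", "10.0.0.100", "10.0.0.200"
    return {
        "internet_to_vm1": evaluate(rules, internet, vm1)[0],  # must be Allow
        "internet_to_vm4": evaluate(rules, internet, vm4)[0],  # must be Deny
        "vm3_to_vm4": evaluate(rules, vm3, vm4)[0],            # must be Allow
        "vm1_to_vm4": evaluate(rules, vm1, vm4)[0],            # must be Deny ("VM3 only")
    }


if __name__ == "__main__":
    for label, rules in (("1 rule", ONE_RULE), ("2 rules", TWO_RULES), ("3 rules", THREE_RULES)):
        print(label, check_requirements(rules))
```

Running it shows what the thread is arguing about: with the Internet rule alone, VM1 still reaches VM4 through the default AllowVnetInBound rule, so the word "only" forces at least one custom deny; both the 2-rule and the 3-rule designs then satisfy all four checks in this model, and the 3-rule variant differs only in making the VM3 allow explicit instead of leaning on the default. A real NSG additionally matches on port and protocol, and an NSG attached to the subnet filters intra-subnet traffic exactly as the quoted documentation says.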


Question #9 Topic 2

HOTSPOT -
You have an Azure key vault.
You need to delegate administrative access to the key vault to meet the following requirements:
✑ Provide a user named User1 with the ability to set advanced access policies for the key vault.
✑ Provide a user named User2 with the ability to add and delete certificates in the key vault.
✑ Use the principle of least privilege.
What should you use to assign access to each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

User1: RBAC -
RBAC is used as the Key Vault access control mechanism for the management plane. It would allow a user with the proper identity to:
✑ set Key Vault access policies
✑ create, read, update, and delete key vaults
✑ set Key Vault tags 
Note: Role-based access control (RBAC) is a system that provides fine-grained access management of Azure resources. Using RBAC, you can
segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.
User2: A key vault access policy
A key vault access policy is the access control mechanism to get access to the key vault data plane. Key Vault access policies grant
permissions separately to keys, secrets, and certificates.
References:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault

  anonymous654 11 months ago


You grant data plane access by setting Key Vault access policies for a key vault. To set these access policies, a user, group, or application
must have Contributor permissions for the management plane for that key vault.

You grant a user, group, or application access to execute specific operations for keys or secrets in a key vault. Key Vault supports up to
1,024 access policy entries for a key vault. To grant data plane access to several users, create an Azure AD security group and add users to
that group.
upvoted 1 times

  onlyfunmails 10 months, 2 weeks ago


Given Answers are correct.
Management plane and RBAC: You grant the access at a specific scope level by assigning appropriate RBAC roles. To grant access to a user
to manage key vaults, you assign a predefined key vault Contributor role to the user at a specific scope.

Data plane and access policies: You grant data plane access by setting Key Vault access policies for a key vault.

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault
upvoted 3 times

  AS007 7 months, 1 week ago


Correct Answers
upvoted 2 times

  gfhbox0083 4 months, 4 weeks ago


RBAC and KeyVault Access Policies
upvoted 1 times

  gboyega 4 months, 3 weeks ago


Answer is correct
upvoted 1 times

  elphynomenon 4 months, 3 weeks ago


Access model overview
Access to a key vault is controlled through two interfaces: the management plane and the data plane. The management plane is where
you manage Key Vault itself. Operations in this plane include creating and deleting key vaults, retrieving Key Vault properties, and
updating access policies. The data plane is where you work with the data stored in a key vault. You can add, delete, and modify keys,
secrets, and certificates.

To access a key vault in either plane, all callers (users or applications) must have proper authentication and authorization. Authentication
establishes the identity of the caller. Authorization determines which operations the caller can execute.

Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access
control (RBAC) and the data plane uses a Key Vault access policy.
upvoted 3 times

  peluca 3 months, 2 weeks ago


Answers are correct
upvoted 2 times


Question #10 Topic 2

HOTSPOT -
You have two Azure virtual machines in the East US2 region as shown in the following table.

You deploy and configure an Azure Key vault.


You need to ensure that you can enable Azure Disk Encryption on VM1 and VM2.
What should you modify on each virtual machine? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

VM1: The Tier -


The Tier needs to be upgraded to standard.
Disk Encryption for Windows and Linux IaaS VMs is in General Availability in all Azure public regions and Azure Government regions for
Standard VMs and VMs with Azure Premium Storage.

VM2: The type -


Need to change the VMtype to any of A, D, DS, G, GS, F, and so on, series IaaS VMs.
Not the operating system version: Ubuntu 16.04 is supported.
References:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-faq#bkmk_LinuxOSSupport

  onlyfunmails 10 months, 2 weeks ago


Wrong recommendation.

VM1: change type, doesn't support A-series and Basic VMs. (Windows VMs are available in a range of sizes. Azure Disk Encryption is not
available on Basic, A-series VMs, or on virtual machines with a less than 2 GB of memory.)

VM2: no idea, may be type. OS: Ubuntu 16.04-DAILY-LTS and Tier: Standard supported.

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview#supported-vms-and-operating-systems
https://devblogs.microsoft.com/premier-developer/azure-storage-encryption-and-azure-disk-encryption-demystified/
upvoted 4 times

  SIDNEY1 7 months, 2 weeks ago


Disk encryption isnt available for basic VMs. So VM1 - change tier. I'd have thought VM2 - change type, not sure.
upvoted 1 times

  David_986969 5 months, 2 weeks ago


VM1 you have to change Tier and type since A and Basic don't support encryption, and for me VM2 can be encrypted perfectly
upvoted 2 times

  PhiIipp 5 months, 1 week ago


It's type: A is not supported.
and OS linux only official isos and this is a nightly build (https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-
encryption-faq#:~:text=You%20can't%20apply%20Azure,called%20out%20previously%20are%20supported.)
upvoted 1 times

  barchetta 9 months, 3 weeks ago


I looked this up, ls4 series ubuntu is supported. https://docs.microsoft.com/en-us/azure/virtual-machines/linux/generation-2 So
apparently this is wrong.
upvoted 2 times

  dirgiklis 9 months, 1 week ago


Answer is correct.
VM1: A-series have two tiers Basic and Standard (Basic is not supported)
VM2: L4s is Generation 2 VM size (G2 is not supported)
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/generation-2
upvoted 21 times

  dumpmaster 7 months, 4 weeks ago


But you can have a VM L4s using Generation 1. Maybe this is a wrong question or incomplete.
upvoted 2 times

  gboyega 4 months, 3 weeks ago


this is CORRECT
upvoted 1 times

  levo017 3 months ago


very thorough, thanks !
upvoted 1 times

  AS007 7 months, 1 week ago


1- Type
2- Tier
upvoted 1 times

  vlq 7 months ago


VM1: tier
Unsupported scenarios: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows#unsupported-scenarios
* Encrypting basic tier VM

VM2: the operating system version


Unsupported scenarios: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-linux#unsupported-scenarios
* Encrypting custom images on Linux VMs - Ubuntu 16-04-DAILY-LTS is not available from Azure Marketplace
upvoted 4 times

  Borris69 6 months, 3 weeks ago


16.04-DAILY-LTS is listed as supported OS ==> https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview#supported-operating-systems
upvoted 4 times

  ExamWynner 3 months ago


The only possible choice left is "type"
upvoted 2 times


  Solanki 6 months, 3 weeks ago


Answers are correct. Below links clearly mentioned this.

Azure Disk Encryption is not available on Basic, A-series VMs.

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview#supported-vms

Azure Disk Encryption is not available on Generation 2 VMs and Lsv2-series VMs.

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview#supported-vms-and-operating-systems
upvoted 7 times

  aythan09 6 months ago


An L4s is not an LsV2.
https://azure.microsoft.com/en-us/pricing/details/virtual-machines/linux/#lsv2-series
upvoted 3 times

  kristiann21 5 months, 4 weeks ago


in the exam!
upvoted 4 times

  Krakow 5 months, 1 week ago


Answer 1: Tier
Answer 2: OS

Ubuntu 16.04 is a Generation 2 VM and therefore does not support Azure Disk Encryption.

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/generation-2#generation-1-vs-generation-2-capabilities
upvoted 1 times

  gboyega 4 months, 3 weeks ago


I think the answer is correct
in the docs
1. Basic A series are not supported
2. Gen 2 VMs, which L4s falls under, are not supported for Azure disk encryption
so Tier and Type is correct

check out this document, check the yellow pane


https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview#supported-vms-and-operating-systems
click the support for generation 2 VMs hyperlink to see what VMs falls under L4s fall under that
upvoted 1 times

  n1koolkat 4 months, 3 weeks ago


1 Tier
2 Type https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview
upvoted 1 times

  NickDouglas 4 months ago


Correct answer, G2 VMs don't support encryption
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/generation-2
Generation 1 vs. generation 2 capabilities
upvoted 1 times

  Kampo 2 months, 2 weeks ago


I guess 2nd is Server OS. Ubuntu 16.04 is not supported for Azure disk encryption. See this.
https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2#generation-2-vm-sizes
upvoted 1 times

  Stuudent 2 weeks ago


Ubuntu 16.04-DAILY-LTS is specifically mentioned as supported.

https://docs.microsoft.com/en-gb/azure/virtual-machines/linux/disk-encryption-overview
upvoted 2 times

  Stuudent 2 weeks ago


Are we seriously expected to know the level of detail of which machine is which generation BY HEART?! As a SECURITY ENGINEER? I must say I
am getting frustrated with the level of the questions, this is not something one needs to know by heart, it can be looked up.
upvoted 2 times

  awssecuritynewbie 1 week, 2 days ago


I agree, dude
upvoted 1 times

  kiketxu 4 days, 23 hours ago


1. Type: A is not supported, the same as Basic.
2. The question is wrong. It's OS because it is valid, it isn't Gen2 and it's a valid Tier.
Those who prepared this question should correct it. I saw a similar question on other sites and the statement is different. Don't believe this
wrong question will be in the exam.

GL all!
upvoted 1 times

  Respar 2 days, 3 hours ago


I think the answer for VM2 is correct.
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview
upvoted 1 times


Question #11 Topic 2

You have the Azure virtual machines shown in the following table.

You create an Azure Log Analytics workspace named Analytics1 in RG1 in the East US region.
Which virtual machines can be enrolled in Analytics1?

A. VM1 only

B. VM1, VM2, and VM3 only

C. VM1, VM2, VM3, and VM4

D. VM1 and VM4 only

Correct Answer: A
Note: Create a workspace -
✑ In the Azure portal, click All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input.
Select Log Analytics.
Click Create, and then select choices for the following items:

Provide a name for the new Log Analytics workspace, such as DefaultLAWorkspace. OMS workspaces are now referred to as Log Analytics
workspaces.
Select a Subscription to link to by selecting from the drop-down list if the default selected is not appropriate.
For Resource Group, select an existing resource group that contains one or more Azure virtual machines.
Select the Location your VMs are deployed to. For additional information, see which regions Log Analytics is available in.
Incorrect Answers:
B, C: A Log Analytics workspace provides a geographic location for data storage. VM2 and VM3 are at a different location.
D: VM4 is a different resource group.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access

  junkz 1 year, 1 month ago


vm1 and 4 can, analytics integration is bound by region, not RG
upvoted 39 times

  JohnCrawford 1 year, 1 month ago


Agreed. The answer given is incorrect. @Junkz is correct. Whether or not you can add a resource to a log analytics workspace depends on
its location being the same as the workspace's location.
upvoted 11 times

  Oz 11 months, 3 weeks ago


https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-enable-overview
It says clearly:
You can deploy Azure VMs from any region. These VMs aren't limited to the regions supported by the Log Analytics workspace.
So correct answer should be: VM1, VM2, VM3 and VM4
upvoted 65 times

  onlyfunmails 10 months, 2 weeks ago


No, your interpretation is wrong, refer below...Its region specific.

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
Select the Location your VMs are deployed to.
upvoted 1 times

  D0yle 9 months, 3 weeks ago


Yes, you can deploy Log Analytics to certain regions but then you can add VMs from anywhere, including from your local network.
upvoted 5 times 
  Dubiwhite 11 months ago

log analytics space is only relevant to a subscription. vms with different regions and resource groups can be assigned to a workspace in
different regions or resource groups.
upvoted 7 times

  Otto_Aulicino 10 months, 1 week ago


It seems to be possible across subscriptions as well:
https://dzone.com/articles/collecting-log-analyticsoms-data-across-subscriptions
upvoted 2 times

  Huodong 3 months, 3 weeks ago


Indeed, across subscriptions are OK. I have done it in Azure portal.
upvoted 2 times

  T11324 10 months, 1 week ago


Oz is right. I just tested it myself now. A mix of VMs in different regions, both same and different RGs and OS. All connected fine.
upvoted 12 times

  barchetta 9 months, 2 weeks ago


The words region nor location can be found in the provided link.
upvoted 1 times

  ForeverStudent 8 months, 3 weeks ago


Oz is right, I guess the exam was written almost 2 years ago, since then so much has changed, perhaps in early days, there was limitation
of the regions, but with Azure advances this is no longer the case. But the real question is has Microsoft updated the correct answer in the
exam?
upvoted 11 times

  e3rh 7 months, 3 weeks ago


Obviously it is D, based on regions
upvoted 1 times

  AdnanEzzi 7 months, 2 weeks ago


Answer is C: VM1, VM2, VM3 and VM4. Log Analytics is not restricted by region or resource group.
upvoted 14 times

  SIDNEY1 7 months, 2 weeks ago


Yep, verified by just connecting four VMs across regions, all connected. The answer is C.
upvoted 8 times

  TauruSH 2 months, 1 week ago


i Agree with AdnanEzzi, verified and checked in the other papers as well, it is C
upvoted 1 times

  Rave763 7 months, 1 week ago


I will go with C because Microsoft has been updating questions since past few months with all the virtual labs and stuff and sure they
might have updated it
upvoted 1 times

  jwkin 7 months, 1 week ago


If they updated the test answer then the answer should be C: VM1, VM2, VM3, VM4. Excerpts from https://docs.microsoft.com/en-
us/azure/azure-monitor/insights/vminsights-enable-overview "You can monitor Azure VMs in any region. The VMs themselves aren't
limited to the regions supported by the Log Analytics workspace." So region doesn't matter. "You can enable multiple Azure VMs or virtual
machine scale sets across a specified subscription or resource group" So you can enable across the subscription so resource group is not
a limiting factor either.
upvoted 5 times

  kk1 7 months ago


correct answer is "C"
upvoted 4 times

  Root_Access 6 months, 2 weeks ago


Answer is wrong, you should be good adding all of them regardless of RG and geo location. I created an RG in West Europe with a VM in it
and added the VM to the same Log Analytics workspace that had my East US machines from a different RG.
upvoted 1 times

  Aston1818 6 months, 2 weeks ago


The Log Analytics workspace and Automation account must be in the same subscription, but can be in different resource groups deployed
to the same region - must be D
upvoted 1 times

  Rajuuu 6 months, 1 week ago


Just Tested ..Log Analytics can include VM’s from different regions and RG..
Answer is all VMS”S
upvoted 2 times

  P0d 5 months, 2 weeks ago
Log analytics not acting in West europe region.
upvoted 1 times

  P0d 5 months, 2 weeks ago


So we can create Log analytics in US region and install agents on machines on any region then with providing Log Analytics Workspace
key and connection we can collect data from any machine in any region.Answer is VM1, VM2, VM3 and VM4
upvoted 2 times

  gfhbox0083 4 months, 4 weeks ago


C for sure.
Log Analytics can include VM’s from different Regions and Resource Groups.
upvoted 4 times

  pmr123 4 months, 3 weeks ago


Since log analytics workspace is global service unlike storage account answer could be all vm's..you can select any vm's
upvoted 1 times

  gboyega 4 months, 3 weeks ago


ANSWER IS DEFINITELY C.
Created the same scenario in My lab. and you can connect VMs from different regions
upvoted 5 times

  peluca 3 months, 2 weeks ago


all vms!
upvoted 3 times

  wzlinux 2 months, 2 weeks ago


Answer is C: VM1, VM2, VM3 and VM4. Log Analytics is not restricted by region or resource group.
upvoted 4 times

  Kampo 2 months, 2 weeks ago


Definitely C. Why to confuse folks with such Answers :)
upvoted 2 times

  VirtualMatrix 2 months, 1 week ago


Correct answer is C. Irrespective of any region or resource group the VMs can be connected to the workspace. Even you can onboard on-
premises VM. This just needs installation of monitoring agent with Workspace Key and primary/secondary key.
upvoted 1 times

  Sahilkondel 1 month, 1 week ago


Tested. Option C.
upvoted 2 times

  kiketxu 4 days, 22 hours ago


+1 to Answer C: VM1, VM2, VM3 and VM4.
Log Analytics is not restricted by region or resource group.
upvoted 1 times


Question #12 Topic 2

Exhibit -
You are testing an Azure Kubernetes Service (AKS) cluster. The cluster is configured as shown in the exhibit. (Click the tab.)

You plan to deploy the cluster to production. You disable HTTP application routing.
You need to implement application routing that will provide reverse proxy and TLS termination for AKS services by using a single IP address.
What should you do?

A. Create an AKS Ingress controller.

B. Install the container network interface (CNI) plug-in.

C. Create an Azure Standard Load Balancer.

D. Create an Azure Basic Load Balancer.

Correct Answer: A
An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes
services.
References:
https://docs.microsoft.com/en-us/azure/aks/ingress-tls

  dumpmaster 7 months, 4 weeks ago


Right.
upvoted 6 times

  kristiann21 5 months, 4 weeks ago


question in the exam
upvoted 3 times

  maj79 5 months, 1 week ago


correct
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


A, for sure
Create an AKS Ingress controller.
upvoted 2 times

  gboyega 4 months, 3 weeks ago


A is CORRECT
upvoted 2 times


Question #13 Topic 2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy definition and assignments that are scoped to resource groups.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
References:
https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-management-groups/

  Rp69 1 year ago


URL provided re-directs to a broken link
upvoted 2 times

  mat73 11 months, 2 weeks ago


You assign policies to a Management Group or 1 Subscription (and optionally 1 RG)
upvoted 3 times

  anonymous654 11 months ago


https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-management-groups/
upvoted 2 times

  D_PaW 6 months ago


Answer B (no) is correct. You can only group subscriptions in management groups, NOT in resource groups... as they are for resources ;)
https://azure.microsoft.com/features/management-groups/
upvoted 2 times

  gfhbox0083 5 months ago


B, for sure.
Management Groups and not Resource Groups
upvoted 2 times

  gboyega 4 months, 3 weeks ago


CORRECT
upvoted 1 times


Question #14 Topic 2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a resource graph and an assignment that is scoped to a management group.
Does this meet the goal?

A. Yes

B. No

Correct Answer: A
References:
https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-management-groups/

  Otto_Aulicino 10 months, 1 week ago


I believe the solution should state "you create a resource group..." not a resource graph... looks like a typo.
upvoted 4 times

  g01d 9 months, 3 weeks ago


Management groups in Microsoft Azure solve the problem of needing to impose governance policy on more than one Azure subscription
simultaneously. However, you need to use an initiative, not a resource graph to bundle the policy definitions into a group that can be
applied to the management group.
upvoted 18 times

  ForeverStudent 8 months, 3 weeks ago


g01d is right.. You bundle up policies into Initiatives and apply the initiatives to the management groups. Not resource graphs.
upvoted 6 times

  amal2885 7 months, 3 weeks ago


Correct answer is No
upvoted 1 times

  kk1 7 months, 2 weeks ago


correct answer "NO"
Ref:
https://docs.microsoft.com/en-us/azure/governance/management-groups/create
upvoted 1 times

  Gorha 7 months, 2 weeks ago


B is correct
upvoted 1 times

  Prash85 6 months, 3 weeks ago


The intention of the solution is resource group, but it looks like a content issue that spelled group as graph. Watch out for its correction in
the exam; if so it will be A, else B
upvoted 1 times

  Prash85 6 months, 2 weeks ago


I correct myself: No is the correct answer, as there should be a policy initiative applied at the management group
upvoted 1 times

  Rajuuu 6 months, 1 week ago


The answer should be to use Management Group and not a Resource Group/Graph .
No.
upvoted 1 times

  lnn_az 5 months, 3 weeks ago


Answer is B (No).

correct solution is to "Create a Management Group and assign an initiative to the Management Group"
upvoted 5 times

  gfhbox0083 4 months, 4 weeks ago


B, for sure.
Use Management Group
upvoted 3 times

  gfhbox0083 4 months, 4 weeks ago


This series of questions appeared on my exam on 02/07/2020
upvoted 1 times

  gboyega 4 months, 3 weeks ago


CORRECT
upvoted 1 times

  jenkiiz 4 months, 2 weeks ago


the question was corrected so it's YES for MANAGEMENT GROUP
upvoted 6 times

  eug45 3 months, 3 weeks ago


No, B

The resource graph is used for querying resources and not for assigning policies.
upvoted 2 times

  GraceCyborg 2 months, 2 weeks ago


should by typo (resource graph) = policy definition
upvoted 2 times

  jt2214 2 months, 1 week ago


this is a typo, should read :Solution: You create an initiative and an assignment that is scoped to a management group.
thus making it true.
upvoted 3 times

  awssecuritynewbie 1 month ago


but in the question it does not say the subs are under any sort of management group? So if we don't have any management group,
then how can we apply the policy?
upvoted 1 times

  awssecuritynewbie 1 week, 5 days ago


in the exam from what i heard
upvoted 1 times

  kiketxu 4 days, 22 hours ago


The question should be...
"You decide to create MG and then scope the policies at the MG level"
...and then, the answer is YES
upvoted 1 times


Question #15 Topic 2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription. The subscription contains 50 virtual machines that run Windows Server 2012 R2 or Windows Server 2016.
You need to deploy Microsoft Antimalware to the virtual machines.
Solution: You add an extension to each virtual machine.
Does this meet the goal?

A. Yes

B. No

Correct Answer: A
You can use Visual Studio to enable and configure the Microsoft Antimalware service. This entails selecting the Microsoft Antimalware extension
from the dropdown list under Installed Extensions and clicking Add to configure it with the default antimalware configuration.
References:
https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware

  Otto_Aulicino 10 months, 1 week ago


I am not sure where the Visual Studio came from in the answer to this question. It sounds more like resource manager to do that.
upvoted 1 times

  azurearch 9 months ago


https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware
upvoted 1 times

  Solanki 6 months, 2 weeks ago


answer is right,

https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware#antimalware-deployment-scenarios
upvoted 4 times

  jakobaszek 6 months, 2 weeks ago


The answer is A
upvoted 1 times

  lnn_az 5 months, 3 weeks ago


Even though adding an extension to each virtual machine meets the goal.

Correct way to do this for 50 virtual machine should be using the below Policy Definition.

Deploy default Microsoft IaaSAntimalware extension for Windows Server


Built-in
This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware
extension.
upvoted 4 times

  gboyega 4 months, 3 weeks ago


ANSWER IS CORRECT
upvoted 3 times

  kiketxu 4 days, 22 hours ago


right answer. DSC extension is the way
upvoted 1 times


Question #16 Topic 2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription. The subscription contains 50 virtual machines that run Windows Server 2012 R2 or Windows Server 2016.
You need to deploy Microsoft Antimalware to the virtual machines.
Solution: You connect to each virtual machine and add a Windows feature.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
Microsoft Antimalware is deployed as an extension and not a feature.
References:
https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware

  rajatw 6 months, 3 weeks ago


Correct Answer. It's B
upvoted 3 times

  gfhbox0083 4 months, 4 weeks ago


B, for sure
upvoted 2 times

  gboyega 4 months, 3 weeks ago


B IS CORRECT
upvoted 3 times

  kiketxu 4 days, 22 hours ago


Windows feature is not for DSC extensions. NO is the correct answer.
upvoted 1 times


Question #17 Topic 2

From Azure Security Center, you create a custom alert rule.


You need to configure which users will receive an email message when the alert is triggered.
What should you do?

A. From Azure Monitor, create an action group.

B. From Security Center, modify the Security policy settings of the Azure subscription.

C. From Azure Active Directory (Azure AD), modify the members of the Security Reader role group.

D. From Security Center, modify the alert rule.

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

  JohnCrawford 1 year, 1 month ago


Custom alerts were in preview and are deprecated as of end of June 2019. https://docs.microsoft.com/en-us/azure/security-
center/security-center-features-retirement-july2019#menu_investigate
upvoted 2 times

  dumpmaster 7 months, 4 weeks ago


Right, I use Azure monitor for some of my clients.
upvoted 4 times

  joilec435 6 months, 3 weeks ago


sentinel
upvoted 3 times

  Awraith 3 months, 3 weeks ago


I believe answer is correct, by elimination, but I think best way to set notifications is to go to Pricing & Setting in ASC and Settings | Email
notifications.
upvoted 1 times

  hstorm 2 months, 2 weeks ago


That is very very wrong. Best solution is definitely to define an action group
upvoted 1 times


Question #18 Topic 2

You are configuring and securing a network environment.


You deploy an Azure virtual machine named VM1 that is configured to analyze network traffic.
You need to ensure that all network traffic is routed through VM1.
What should you configure?

A. a system route

B. a network security group (NSG)

C. a user-defined route

Correct Answer: C
Although the use of system routes facilitates traffic automatically for your deployment, there are cases in which you want to control the routing
of packets through a virtual appliance. You can do so by creating user defined routes that specify the next hop for packets flowing to a specific
subnet to go to your virtual appliance instead, and enabling IP forwarding for the VM running as the virtual appliance.

Note: User Defined Routes -


For most environments you will only need the system routes already defined by Azure. However, you may need to create a route table and add
one or more routes in specific cases, such as:
✑ Force tunneling to the Internet via your on-premises network.
✑ Use of virtual appliances in your Azure environment.
✑ In the scenarios above, you will have to create a route table and add user defined routes to it.
Reference:
https://github.com/uglide/azure-content/blob/master/articles/virtual-network/virtual-networks-udr-overview.md

  Jhonsteve83 6 months, 2 weeks ago


answer is correct
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
upvoted 6 times

  kristiann21 5 months, 4 weeks ago


correct answer
upvoted 3 times

  gfhbox0083 4 months, 4 weeks ago


C, for sure.
User-defined route
upvoted 1 times

  gboyega 4 months, 3 weeks ago


C IS CORRECT
upvoted 2 times


Question #19 Topic 2

HOTSPOT -
You have a network security group (NSG) bound to an Azure subnet.
You run Get-AzureRmNetworkSecurityRuleConfig and receive the output shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

Box 1: able to connect to East US 2


The StorageEA2Allow has DestinationAddressPrefix {Storage/EastUS2}

Box 2: allowed -
TCP Port 21 controls the FTP session. Contoso_FTP has SourceAddressPrefix {1.2.3.4/32} and DestinationAddressPrefix {10.0.0.5/32}
Note:
The Get-AzureRmNetworkSecurityRuleConfig cmdlet gets a network security rule configuration for an Azure network security group.
Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and
network interfaces.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

  JohnCrawford 1 year, 1 month ago


The second part of your answer is incorrect. The FTP traffic is coming from 1.2.3.4/32 and going to 10.0.0.10/32. The NSG rule for port 21
allows traffic from 1.2.3.4 to 10.0.0.5 NOT 10.0.0.10. 10.0.0.5/32 equates to a single IP address. 10.0.0.5. There is no rule allowing FTP
traffic to 10.0.0.10.
upvoted 74 times

  anonymous654 11 months ago


A refresher on /32: /32 represents the NETWORK part in the CIDR notation. Rule of thumb = network part is immutable.
upvoted 1 times

  Otto_Aulicino 10 months, 1 week ago


/32 indicates the explicit IP address you've given and not the network. Anything less than 32 would indicate a network/subnetwork,
but the /32 is the exact IP.
upvoted 20 times

  ForeverStudent 8 months, 3 weeks ago


I guess the reason its allowed is because there is no "Deny rule" to say that all other FTP or any other traffic is denied to 10.0.0.10
upvoted 1 times

  kagba 8 months, 2 weeks ago


there is always an implicit deny at the end of all rules in NSGs so this isn't correct, all traffic should be dropped.
upvoted 17 times

  Rave763 7 months, 1 week ago


I would say answers are correct.

NSG is allow by default. That's why it allows us to define Allow and Deny rules. Firewall/Gateway are deny by default, that's why you can
define only Allow rules in them.
upvoted 1 times

  Sizz 6 months, 3 weeks ago


NSGs only have a default allow scoped to the same VNet; these addresses are not on the same VNet. Either there's a typo in the
question, or the answer to #2 is incorrect.

Source: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 2 times

  PA 4 months, 3 weeks ago 


2nd : Dropped


upvoted 2 times

  gboyega 4 months, 3 weeks ago


should be
1. ABLE TO CONNECT TO EAST US2
2. DROPPED (because the cidr notation is a /32 which means only one IP, which is different from the IP in the rule. so the packet would be
dropped.
upvoted 9 times

  Exam_Master_Me 4 months, 2 weeks ago


I agree with the above:
1. EAST US2 (priority allows this rule before the drop rule)
2. Dropped (IP address does not match, hence block applied (last default rule in NSG)
upvoted 1 times

  peluca 3 months, 2 weeks ago


second option is wrong, it should be DROPPED... Inbound FTP is only for 10.0.0.5
upvoted 1 times
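The evaluation the commenters are working through, written out as an added Python model of how an NSG processes inbound and outbound rules (this is an illustration added here, not Azure's implementation and not code from the page). Rules are walked in ascending priority, the first match decides, and the built-in DenyAllInBound/DenyAllOutBound rules (priority 65500) drop whatever remains. The two named rules are constructed from the values quoted in the answer text; their priorities, the `VirtualNetwork` range and the `Storage.EastUS2` prefix are constructed placeholders, since the real service-tag ranges come from Microsoft's published service-tag list and are not on the page.

```python
"""Model of Azure NSG rule evaluation (added illustration, not Azure code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders. Only the AzureLoadBalancer address is a real value;
# Storage.EastUS2 uses the TEST-NET-3 documentation range, and VirtualNetwork is
# taken to be the 10.0.0.0/8 space the exhibit's addresses fall in.
SERVICE_TAG_PREFIXES = {
    "Storage.EastUS2": ["203.0.113.0/24"],
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}


@dataclass
class Rule:
    name: str
    priority: int
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source_prefix: str  # CIDR, single IP, service tag or "*"
    dest_prefix: str
    dest_port: str      # single port, "lo-hi" range or "*"


# Rules constructed from the question text; priorities are placeholders.
RULES = [
    Rule("Contoso_FTP", 100, "Inbound", "Allow", "Tcp", "1.2.3.4/32", "10.0.0.5/32", "21"),
    Rule("StorageEA2Allow", 100, "Outbound", "Allow", "*", "*", "Storage.EastUS2", "*"),
]

# Azure's built-in default rules, which every NSG carries and which cannot be removed.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def prefix_matches(prefix: str, addr: str) -> bool:
    """True if addr lies inside a CIDR, equals a single IP, or is covered by a tag/'*'."""
    if prefix == "*":
        return True
    if prefix in SERVICE_TAG_PREFIXES:
        return any(ip_address(addr) in ip_network(p) for p in SERVICE_TAG_PREFIXES[prefix])
    # "10.0.0.5/32" and a bare "10.0.0.5" both describe exactly one host.
    return ip_address(addr) in ip_network(prefix, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def evaluate(rules, direction, protocol, src, dst, dport):
    """Return (rule name, access) of the first matching rule in priority order."""
    candidates = [r for r in list(rules) + DEFAULT_RULES if r.direction == direction]
    for r in sorted(candidates, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if (prefix_matches(r.source_prefix, src)
                and prefix_matches(r.dest_prefix, dst)
                and port_matches(r.dest_port, dport)):
            return r.name, r.access
    return "<none>", "Deny"


if __name__ == "__main__":
    # Constructed flows: FTP to the host named in the rule, and FTP to a different host.
    print(evaluate(RULES, "Inbound", "Tcp", "1.2.3.4", "10.0.0.5", 21))
    print(evaluate(RULES, "Inbound", "Tcp", "1.2.3.4", "10.0.0.10", 21))
```

The second flow never reaches an Allow: the /32 destination prefix on Contoso_FTP covers a single host, and a source outside the VNet range does not satisfy AllowVnetInBound, so the default deny is the first match.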


Question #20 Topic 2

You have an Azure subscription that contains the virtual networks shown in the following table.

The subscription contains the virtual machines shown in the following table.

On NIC1, you configure an application security group named ASG1.


On which other network interfaces can you configure ASG1?

A. NIC2 only

B. NIC2, NIC3, NIC4, and NIC5

C. NIC2 and NIC3 only

D. NIC2, NIC3, and NIC4 only

Correct Answer: C
Only network interfaces in VNET1, which consists of Subnet11 and Subnet12, can be configured in ASG1, as all network interfaces assigned to
an application security group have to exist in the same virtual network that the first network interface assigned to the application security group
is in.
Reference:
https://azure.microsoft.com/es-es/blog/applicationsecuritygroups/

  HarryD 7 months, 3 weeks ago


https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups

• All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface
assigned to the application security group is in. For example, if the first network interface assigned to an application security group
named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1.
You cannot add network interfaces from different virtual networks to the same application security group.
upvoted 11 times

  David_986969 5 months, 2 weeks ago


Application security group is assigned at the resource group level
upvoted 1 times

  Anamak2 5 months, 1 week ago


You cannot add network interfaces from different virtual networks to the same application security group.
So given ans is correct - C. NIC1,NIC2 and NIC3 are in same VNET
upvoted 10 times

  maj79 5 months, 1 week ago


hence answer A is correct
upvoted 1 times

  maj79 5 months, 1 week ago


Correction : hence answer C is correct
upvoted 2 times

  AS007 7 months, 1 week ago


Same subnet - correct is A
upvoted 1 times

  vlq 7 months ago


Same VNET, not Subnet - so C. is correct answer 
upvoted 11 times


  levo017 3 months ago


ASG operates within the boundary of NSG, which operates on Subnet.
upvoted 1 times

  levo017 2 months, 1 week ago


Ignore my previous comment. ASG has to be in the boundary of the VNet, not the Subnet.
upvoted 1 times

  Prash85 6 months, 3 weeks ago


A is the correct answer.
upvoted 2 times

  Borris69 6 months, 2 weeks ago


C. is correct answer
upvoted 7 times

  farslayer9 6 months, 1 week ago


C is correct, ASGs exist in the same VNET, not subnet.
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
upvoted 4 times

  SadioMane 5 months, 3 weeks ago


Yup. Answer is C.
upvoted 2 times

  lnn_az 5 months, 3 weeks ago


Answer is correct.

All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface
assigned to the application security group is in. For example, if the first network interface NIC1 assigned to an application security group
named ASG1 is in the virtual network named VNET1, then all subsequent network interfaces assigned to ASG1 must exist in VNET1. so
NIC2 and NIC3 (which is associated with Subnet11 and Subnet12 under VNET1) is the correct answer.

You cannot add network interfaces from different virtual networks to the same application security group
upvoted 5 times

  gfhbox0083 4 months, 4 weeks ago


C for sure,
Part of the same Vnet
upvoted 3 times

  gboyega 4 months, 3 weeks ago


C is Correct
They are part of the Same VNET
Confirmed in the Lab
upvoted 6 times

  eug45 3 months, 3 weeks ago


correct C

Application Security Groups are a region-specific resource. It can only be associated with NICs in the same region as the application
security group. And once you associate an application security group with one network interface in an Azure virtual network, the
application security group can only be associated with network interfaces in the same Azure virtual network.
upvoted 2 times

  Bluediamond 2 months, 3 weeks ago


C is correct - All network interfaces assigned to an application security group have to exist in the same virtual network that the first
network interface assigned to the application security group is in. For example, if the first network interface assigned to an application
security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must
exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group.
upvoted 2 times


Question #21 Topic 2

You have 15 Azure virtual machines in a resource group named RG1.


All virtual machines run identical applications.
You need to prevent unauthorized applications and malware from running on the virtual machines.
What should you do?

A. Apply an Azure policy to RG1.

B. From Azure Security Center, configure adaptive application controls.

C. Configure Azure Active Directory (Azure AD) Identity Protection.

D. Apply a resource lock to RG1.

Correct Answer: B
Adaptive application control is an intelligent, automated end-to-end application whitelisting solution from Azure Security Center. It helps you
control which applications can run on your Azure and non-Azure VMs (Windows and Linux), which, among other benefits, helps harden your VMs
against malware. Security Center uses machine learning to analyze the applications running on your VMs and helps you apply the specific
whitelisting rules using this intelligence.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application

  kristiann21 5 months, 4 weeks ago


correct answer
upvoted 9 times

  SadioMane 5 months, 3 weeks ago


Answer B is the answer
upvoted 2 times

  gboyega 4 months, 3 weeks ago


B is Correct
upvoted 3 times


Question #22 Topic 2

You plan to deploy Azure container instances.


You have a containerized application that validates credit cards. The application is comprised of two containers: an application container and a
validation container.
The application container is monitored by the validation container. The validation container performs security checks by making requests to the
application container and waiting for responses after every transaction.
You need to ensure that the application container and the validation container are scheduled to be deployed together. The containers must
communicate to each other only on ports that are not externally exposed.
What should you include in the deployment?

A. application security groups

B. network security groups (NSGs)

C. management groups

D. container groups

Correct Answer: D
Azure Container Instances supports the deployment of multiple containers onto a single host using a container group. A container group is
useful when building an application sidecar for logging, monitoring, or any other configuration where a service needs a second attached
process.
Reference:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-container-groups

  kristiann21 5 months, 4 weeks ago


correct answer.
upvoted 4 times

  gfhbox0083 4 months, 4 weeks ago


D, for sure.
Using Container Group
upvoted 8 times


Question #23 Topic 2

HOTSPOT -
You create resources in an Azure subscription as shown in the following table.

VNET1 contains two subnets named Subnet1 and Subnet2. Subnet1 has a network ID of 10.0.0.0/24. Subnet2 has a network ID of 10.1.1.0/24.
Contoso1901 is configured as shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Yes -
Access from Subnet1 is allowed. 


Box 2: No -
No access from Subnet2 is allowed.

Box 3: Yes -
Access from IP address 193.77.10.2 is allowed.

  Rave763 7 months, 1 week ago


why is access from IP address 193.77.10.2 allowed? I thought only IP addresses with 193.77.0.0 are allowed
upvoted 1 times

  Rave763 7 months, 1 week ago


sorry answered my own question . It was a CIDR range

CIDR to IP Range
Result
CIDR Range: 193.77.0.0/16
Netmask: 255.255.0.0
Wildcard Bits: 0.0.255.255
First IP: 193.77.0.0
First IP (Decimal): 3243048960
Last IP: 193.77.255.255
Last IP (Decimal): 3243114495
Total Hosts: 65,536
upvoted 7 times

  AS007 7 months, 1 week ago


NO
NO
YES
upvoted 3 times

  AS007 7 months, 1 week ago


Given answer is correct.
upvoted 18 times

  Jhonsteve83 6 months, 2 weeks ago


answer is correct :
Yes
No
Yes
upvoted 20 times

  kristiann21 5 months, 4 weeks ago


correct answer.
upvoted 7 times

  gustavo935 5 months ago


But the rule says Deny to 193.77.0.0/16
upvoted 1 times

  Eitant 4 months, 4 weeks ago


The first command just display the summary of the storage network rules (the deny is the default action rules).
The second command display IpRules details and as you can see it's allow.
The third command display the Virtual Network Rule details.
upvoted 3 times

  kiketxu 2 months ago


right! ;)
upvoted 1 times

  pmr123 4 months, 3 weeks ago


can somebody plz post correct ans for this..i thought answers are NO, YES, YES.. for the first one we have deny rule in place, then how
come access would be allowed.
upvoted 1 times

  Eitant 4 months, 3 weeks ago


the deny is the default action rules. There are rules that allowing access.
upvoted 2 times

  kiketxu 2 months ago


u can't explain better. Thx

upvoted 2 times


  gboyega 4 months, 3 weeks ago


Given Answer is Correct
YES
NO
YES
upvoted 9 times

  Kampo 2 months, 2 weeks ago


I noticed you are always correct and test scenarios in lab. Thats great and thanks for helping out.
upvoted 1 times

  Exam_Master_Me 4 months, 1 week ago


Yes (Subnet 1 = Action Allow [NetworkRules]
No (Subnet 2 is never allowed at all)
YES (IP .../16 is allowed in [NetworkRuleset.IPRules.]
upvoted 8 times

  eug45 3 months, 3 weeks ago


this correct answer is Yes, No, No

Here only one IP is allowed access from the Internet and that is 193.77.0.0/16
upvoted 1 times

  Trucutru 3 months, 3 weeks ago


the allowed ip range is 193.77.0.0/16 and the allowed ip from the internet would be 193.77.0.0 - 193.77.255.255
the answer is Y-N-Y
upvoted 2 times

  mm79 3 months, 3 weeks ago


That's a range so anything starting with 193.77 is allowed
upvoted 1 times

  awssecuritynewbie 1 week, 5 days ago


you need to learn subnetting my friend.
upvoted 1 times
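The storage account firewall logic the commenters are reasoning about (default action, IP rules and virtual network rules), as an added Python model; it is an illustration added here, not Azure's implementation and not code from the page. The rule set is constructed from the values the question gives (default Deny, Subnet1 allowed through a virtual network rule, 193.77.0.0/16 allowed through an IP rule); the subnet identifiers are short constructed names rather than real Azure resource IDs. It also reproduces the CIDR-to-range arithmetic one commenter did by hand, using the standard library instead of a calculator.

```python
"""Model of Azure Storage account network-rule evaluation (added illustration, not Azure code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NetworkRuleSet:
    default_action: str                       # "Allow" or "Deny" for traffic matching no rule
    ip_rules: list = field(default_factory=list)               # public CIDRs to admit
    virtual_network_rules: list = field(default_factory=list)  # subnet identifiers to admit

    def __post_init__(self):
        # Azure accepts only public ranges in IP rules; traffic from your own VNets is
        # admitted through virtual network rules (service endpoints), not IP rules.
        for cidr in self.ip_rules:
            if ip_network(cidr, strict=False).is_private:
                raise ValueError(f"private range not permitted in an IP rule: {cidr}")


def cidr_bounds(cidr: str):
    """First address, last address and size of a CIDR block."""
    net = ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def is_allowed(ruleset: NetworkRuleSet, *, source_ip: str = None, subnet_id: str = None) -> bool:
    """Decide whether a request from a public IP or from a VNet subnet reaches the account.

    With default_action "Deny" a request is admitted only if it matches one of the
    explicit rules; anything else falls through to the default action.
    """
    if ruleset.default_action == "Allow":
        return True
    if subnet_id is not None:
        return subnet_id in ruleset.virtual_network_rules
    if source_ip is not None:
        return any(ip_address(source_ip) in ip_network(c, strict=False) for c in ruleset.ip_rules)
    return False


# Constructed rule set mirroring the scenario: default Deny, Subnet1 allowed, 193.77.0.0/16 allowed.
CONTOSO1901_RULES = NetworkRuleSet(
    default_action="Deny",
    ip_rules=["193.77.0.0/16"],
    virtual_network_rules=["VNET1/Subnet1"],   # constructed identifier, not a real resource ID
)


if __name__ == "__main__":
    print(cidr_bounds("193.77.0.0/16"))                              # ('193.77.0.0', '193.77.255.255', 65536)
    print(is_allowed(CONTOSO1901_RULES, subnet_id="VNET1/Subnet1"))  # True
    print(is_allowed(CONTOSO1901_RULES, subnet_id="VNET1/Subnet2"))  # False
    print(is_allowed(CONTOSO1901_RULES, source_ip="193.77.10.2"))    # True
```

The `Deny` shown by the first cmdlet in the exhibit is the default action, which only applies after the IP and virtual network rules have been checked; that ordering is what makes 193.77.10.2 (inside 193.77.0.0/16) and Subnet1 pass while Subnet2 and any other public address fall through to the deny.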


Question #24 Topic 2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy initiative and assignments that are scoped to resource groups.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
Instead, assign the initiative at a management group that contains the three subscriptions.
Management groups in Microsoft Azure solve the problem of needing to impose governance policy on more than one Azure subscription
simultaneously: one assignment at the management group scope is inherited by every subscription beneath it, whereas resource-group-scoped
assignments would have to be repeated for each resource group and would miss resources created in any resource group not covered.
Reference:
https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-management-groups/

g01d 9 months, 3 weeks ago
There's a prev question where some guys state initiative is the correct instead of resource graph
Management groups in Microsoft Azure solve the problem of needing to impose governance policy on more than one Azure subscription
simultaneously. However, you need to use an initiative, not a resource graph to bundle the policy definitions into a group that can be
applied to the management group.
upvoted 8 times

kristiann21 5 months, 4 weeks ago
Yes. Initiative is a way of grouping policies together. For example an inbuilt initiative is Azure Security Center rules (actually are a bunch
of policies combined in an initiative) that run when Azure Security Center runs.

So policies are grouped as initiatives and can be applied at a management group level to enforce policies on subscriptions that fall
under that management group.

In here, the suggested flow is to create an initiative, which is correct, but assigning needs to be to a management group.

hence, no.
upvoted 5 times

g01d 9 months, 3 weeks ago
https://docs.microsoft.com/en-us/azure/governance/policy/overview
upvoted 1 times

PhiIipp 5 months, 1 week ago
keyword is "policy management of three Azure subscriptions." that means better take management groups instead of assigning it 3 times to
three resource groups, which is technically possible but not nice
upvoted 3 times

gfhbox0083 4 months, 4 weeks ago
B, for sure.
Using Management Groups
upvoted 7 times

Freeze 4 months, 2 weeks ago
Answer is Correct
Apply initiative to management groups
upvoted 4 times

Stuudent 1 week, 2 days ago
This is a tricky question and the key word is "assignmentS" (plural) in my opinion. When I read first time I was like "create assignment to
three subscriptions" -> so yeah, create assignment to management group and exclude any subscriptions you don't want, meets the goal,
answer A. But since you can't actually assign a policy to three subscriptions WITHOUT using the management group and they tell you to
create three separate assignments - that's why it's a no. Right?
upvoted 1 times


Topic 3 - Question Set 3


Question #1 Topic 3

HOTSPOT -
You plan to use Azure Monitor Logs to collect logs from 200 servers that run Windows Server 2016.
You need to automate the deployment of the Log Analytics Agent to all the servers by using an Azure Resource Manager template.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

References:
https://blogs.technet.microsoft.com/manageabilityguys/2015/11/19/enabling-the-microsoft-monitoring-agent-in-windows-json-templates/
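As an added example (not from the page or from the linked blog post), the following Python script emits the kind of ARM template the question describes: a Microsoft.Compute/virtualMachines/extensions resource that installs the Log Analytics (Microsoft Monitoring) agent on a list of existing Windows VMs through a copy loop. It also performs the one check that matters from a security standpoint, that the workspace key is declared as a securestring and passed only through protectedSettings, which the platform encrypts, never through settings, which are stored in clear in the deployment history. The parameter names (vmNames, location, workspaceId, workspaceKey) and the apiVersion are my choices, not values taken from the question.

```python
import json
from typing import Dict, List


def agent_extension_resource() -> Dict[str, object]:
    """One extension resource, stamped once per VM name via an ARM copy loop."""
    return {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "apiVersion": "2019-07-01",
        "name": "[concat(parameters('vmNames')[copyIndex()], '/MicrosoftMonitoringAgent')]",
        "location": "[parameters('location')]",
        "copy": {"name": "agentLoop", "count": "[length(parameters('vmNames'))]"},
        "properties": {
            "publisher": "Microsoft.EnterpriseCloud.Monitoring",
            "type": "MicrosoftMonitoringAgent",      # the Windows Log Analytics agent extension
            "typeHandlerVersion": "1.0",
            "autoUpgradeMinorVersion": True,
            # settings are readable by anyone who can read the deployment; protectedSettings are encrypted
            "settings": {"workspaceId": "[parameters('workspaceId')]"},
            "protectedSettings": {"workspaceKey": "[parameters('workspaceKey')]"},
        },
    }


def build_template() -> Dict[str, object]:
    """Full deployment template; the VM names are supplied at deployment time as an array parameter."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "vmNames": {"type": "array", "metadata": {"description": "Existing Windows VMs to onboard"}},
            "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
            "workspaceId": {"type": "string"},
            "workspaceKey": {"type": "securestring"},  # securestring keeps the key out of deployment history
        },
        "resources": [agent_extension_resource()],
    }


def secret_handling_problems(template: Dict[str, object]) -> List[str]:
    """Flag the two mistakes that expose the workspace key: a plain 'string' parameter, or the key in 'settings'."""
    problems: List[str] = []
    if template.get("parameters", {}).get("workspaceKey", {}).get("type") != "securestring":
        problems.append("workspaceKey parameter is not securestring")
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if "workspaceKey" in props.get("settings", {}):
            problems.append(f"{res['name']}: workspaceKey in settings; move it to protectedSettings")
        if "workspaceKey" not in props.get("protectedSettings", {}):
            problems.append(f"{res['name']}: protectedSettings has no workspaceKey")
    return problems


if __name__ == "__main__":
    template = build_template()
    print(json.dumps(template, indent=2))
    print("problems:", secret_handling_problems(template))
```

Deploy the printed JSON with `az deployment group create` (or New-AzResourceGroupDeployment), passing the 200 VM names as the vmNames array and the key as a secure parameter; running the check over any template you are handed before deploying it catches the common copy-paste variant that puts workspaceKey next to workspaceId in settings.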

RupaliS 11 months ago
Broken reference link - Oops! That page can't be found
upvoted 1 times

P4YDAY 10 months, 3 weeks ago
https://docs.microsoft.com/en-us/archive/blogs/manageabilityguys/enabling-the-microsoft-monitoring-agent-in-windows-json-templates
upvoted 2 times

Razgrad 9 months, 1 week ago
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/oms-windows?toc=%2Fazure%2Fazure-monitor%2Ftoc.json
upvoted 3 times

kk1 7 months, 2 weeks ago
Log Analytics virtual machine extension for Windows

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/oms-windows?toc=%2Fazure%2Fazure-monitor%2Ftoc.json#extension-schema
upvoted 3 times

AS007 7 months, 1 week ago
Answer is correct
upvoted 5 times

gfhbox0083 4 months, 4 weeks ago
Answer is Correct
upvoted 4 times

juselasmc 2 months, 2 weeks ago
IN THE EXAM
upvoted 3 times

Stuudent 1 week, 2 days ago
Please someone confirm if these kinds of questions are really in the exam. How is anyone expected to know the contents of an obscure
template from a 2015 article BY HEART? Are we supposed to compile code in our heads as well?
upvoted 2 times

musiman 1 week ago
These kinds of ridiculously detailed questions in Microsoft's exams promote the use of ExamTopics.com as an exam prep tool. It is
almost impossible to pass the exam without first practicing the questions. This is counterproductive. Due to Covid-19 the
performance labs have also disappeared from the exams. They were a better way of testing if someone knows his stuff.
upvoted 2 times

kiketxu 4 days, 21 hours ago
I can't believe they removed labs because of COVID, where did you get that info? Please post it here.
Probably they removed them because they took a lot of time in the exam and need to be upgraded frequently.
upvoted 1 times

kiketxu 4 days, 22 hours ago
Yes, this is in the exam. It's a simple ARM template to configure the Monitoring agent, with the needed parameters for workspace
configuration. You don't need to learn ARM (which isn't wrong btw), you need to understand what the piece of code is, what it is doing and
know the key parameters.
upvoted 2 times

Question #2 Topic 3

You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You are assigned the Global administrator role for the tenant. You are responsible for managing Azure Security Center settings.
You need to create a custom sensitivity label.
What should you do?

A. Create a custom sensitive information type.

B. Elevate access for global administrators in Azure AD.

C. Change Azure Security Center to use Standard-tier-pricing.

D. Enable integration with Microsoft Cloud App Security.

Correct Answer: A
First, you need to create a new sensitive information type because you can't directly modify the default rules. Sensitivity labels and sensitive
information types are configured in the Microsoft 365 Security & Compliance Center, not in Azure Security Center; none of the other options
(elevating Global Administrator access, changing the Security Center pricing tier, or enabling Cloud App Security integration) creates a label.
References:
https://docs.microsoft.com/en-us/office365/securitycompliance/customize-a-built-in-sensitive-information-type

Andy998 5 months, 2 weeks ago
Answer is correct.
upvoted 1 times

PhiIipp 5 months, 1 week ago
can only find this https://protection.office.com/sensitivity?viewid=sensitivitylabels but it's related to office ..

labels are managed in AIP https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/globalBlade

and not security center, isn't it?
upvoted 1 times

networklabs 5 months, 1 week ago
Question is talking about Office 365 security center, not the Azure one, so the answer is correct
upvoted 1 times

gfhbox0083 4 months, 4 weeks ago
A, for sure.
upvoted 2 times

gboyega 4 months, 3 weeks ago
A is Correct
upvoted 4 times

Exam_Master_Me 4 months, 1 week ago
I think this one explains it better: Create a custom sensitive information type in the Security & Compliance Center
https://docs.microsoft.com/en-us/microsoft-365/compliance/create-a-custom-sensitive-information-type?view=o365-worldwide
upvoted 4 times

Question #3 Topic 3

HOTSPOT -
You suspect that users are attempting to sign in to resources to which they have no access.
You need to create an Azure Log Analytics query to identify failed user sign-in attempts from the last three days. The results must only show users
who had more than five failed sign-in attempts.
How should you configure the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

The following example identifies user accounts that failed to log in more than five times in the last day, and when they last attempted to log in.
For the question's three-day window, set timeframe to 3d.
let timeframe = 1d;
SecurityEvent
| where TimeGenerated > ago(timeframe) // use the declared timeframe rather than a hard-coded 1d
| where AccountType == 'User' and EventID == 4625 // 4625 - failed log in
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
| project-away Account1 // arg_max(TimeGenerated, Account) adds a duplicate Account1 column; drop it
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/examples
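The same pipeline in Python, as an added example that is not from the page or the Microsoft docs: it runs the query's filter, summarize and threshold steps over constructed SecurityEvent rows with the question's three-day window, so the boundary cases are visible (exactly five failures is not reported, failures older than the window are excluded, successful logons and machine accounts are ignored). NOW, the account names and the rows are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Fixed "now" so the constructed sample is reproducible; in the workspace ago() is relative to query time.
NOW = datetime(2020, 11, 27, 12, 0, tzinfo=timezone.utc)
Row = Tuple[datetime, str, int, str]   # (TimeGenerated, AccountType, EventID, Account), as in SecurityEvent


def make_events() -> List[Row]:
    """Constructed SecurityEvent rows (not real log data) covering the cases the query must separate."""
    rows: List[Row] = []
    for i in range(7):                      # alice: 7 failures inside the window -> reported
        rows.append((NOW - timedelta(hours=5 * i), "User", 4625, r"CONTOSO\alice"))
    for i in range(5):                      # bob: exactly 5 -> not reported, the condition is strictly > 5
        rows.append((NOW - timedelta(hours=i), "User", 4625, r"CONTOSO\bob"))
    for i in range(9):                      # carol: 9 failures, all older than three days -> outside the window
        rows.append((NOW - timedelta(days=4, hours=i), "User", 4625, r"CONTOSO\carol"))
    for i in range(8):                      # successful logons (4624) and a machine account: neither is counted
        rows.append((NOW - timedelta(minutes=i), "User", 4624, r"CONTOSO\alice"))
        rows.append((NOW - timedelta(minutes=i), "Machine", 4625, r"CONTOSO\WS01$"))
    return rows


def failed_logins(rows: List[Row], timeframe: timedelta = timedelta(days=3), threshold: int = 5,
                  now: datetime = NOW) -> Dict[str, Dict[str, object]]:
    """Python equivalent of the KQL: where -> summarize count(), arg_max() by Account -> where count > threshold."""
    since = now - timeframe
    per_account: Dict[str, List[object]] = defaultdict(lambda: [0, None])   # Account -> [attempts, latest]
    for time_generated, account_type, event_id, account in rows:
        if time_generated <= since:                      # TimeGenerated > ago(timeframe)
            continue
        if account_type != "User" or event_id != 4625:   # AccountType == 'User' and EventID == 4625
            continue
        entry = per_account[account]
        entry[0] += 1                                    # failed_login_attempts = count()
        if entry[1] is None or time_generated > entry[1]:
            entry[1] = time_generated                    # latest_failed_login = arg_max(TimeGenerated, ...)
    return {account: {"failed_login_attempts": n, "latest_failed_login": latest}
            for account, (n, latest) in per_account.items() if n > threshold}   # failed_login_attempts > 5


if __name__ == "__main__":
    for account, summary in failed_logins(make_events()).items():
        print(account, summary)
```

Only CONTOSO\alice survives all four filters; if you need the "at least five" reading instead, the last condition becomes `n >= threshold`, which is the difference between `> 5` and `>= 5` in the hotspot.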

Davidq3 5 months, 1 week ago
Correct
upvoted 1 times

maj79 5 months, 1 week ago
agree with answer
upvoted 1 times

gboyega 4 months, 3 weeks ago
Answer is Correct
upvoted 6 times

Question #4 Topic 3

You have an Azure subscription named Sub1.
In Azure Security Center, you have a security playbook named Play1. Play1 is configured to send an email message to a user named User1.
You need to modify Play1 to send email messages to a distribution group named Alerts.
What should you use to modify Play1?

A. Azure DevOps

B. Azure Application Insights

C. Azure Monitor

D. Azure Logic Apps Designer

Correct Answer: D
You can change an existing playbook in Security Center to add an action, or conditions. To do that you just need to click on the name of the
playbook that you want to change, in the Playbooks tab, and Logic App Designer opens up.
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-playbooks

ExamUser 7 months, 1 week ago
Correct...
upvoted 3 times

kristiann21 5 months, 4 weeks ago
correct answer
upvoted 2 times

SadioMane 5 months, 3 weeks ago
Answer D is correct
upvoted 2 times

gustavo935 5 months ago
The playbook names changed to Workflow automation
upvoted 4 times

gboyega 4 months, 3 weeks ago
Answer is Correct
upvoted 3 times

celomomo 19 hours, 11 minutes ago
D is correct
upvoted 1 times


Question #5 Topic 3

You create a new Azure subscription.
You need to ensure that you can create custom alert rules in Azure Security Center.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Onboard Azure Active Directory (Azure AD) Identity Protection.

B. Create an Azure Storage account.

C. Implement Azure Advisor recommendations.

D. Create an Azure Log Analytics workspace.

E. Upgrade the pricing tier of Security Center to Standard.

Correct Answer: BD
D: You need write permission in the workspace that you select to store your custom alert.
Note that custom alert rules in Security Center were a preview feature that has since been retired (the discussion below links the retirement
notice and argues that D and E, a workspace plus the Standard pricing tier, were the two actions the feature actually required).
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-custom-alert

JohnCrawford 1 year, 1 month ago
Custom Alerts were only in Preview and have since been retired. https://docs.microsoft.com/en-us/azure/security-center/security-center-features-retirement-july2019#menu_customalerts
upvoted 6 times

Rave763 7 months, 1 week ago
Agreed, the replacement for this is Azure Sentinel. So just look out if the question is adapted for that
upvoted 7 times

pmr123 4 months, 2 weeks ago
You have to upgrade the pricing tier of security center to have the custom alert rules feature
upvoted 2 times

eug45 3 months, 3 weeks ago
Wrong

The correct answers are D and E

You need to upgrade the pricing tier of Azure Security Center to standard. You can also create a new Log Analytics workspace which can
be used by Azure Security Center to send data with regards to your Azure resources
upvoted 4 times

Saar5 2 months, 2 weeks ago
so what is the correct answer?
upvoted 1 times

Pankaj_Leo 2 months, 2 weeks ago
D and E
upvoted 3 times

jaykrist 2 months ago
https://docs.microsoft.com/en-us/azure/security-center/security-center-features-retirement-july2019#custom-alert-rules-preview
upvoted 1 times

ipindado2020 1 month, 3 weeks ago
DE is the way
upvoted 2 times


Question #6 Topic 3

You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1.
You have 100 on-premises servers that run Windows Server 2012 R2 and Windows Server 2016. The servers connect to LAW1. LAW1 is configured
to collect security-related performance counters from the connected servers.
You need to configure alerts based on the data collected by LAW1. The solution must meet the following requirements:
✑ Alert rules must support dimensions.
✑ The time it takes to generate an alert must be minimized.
✑ Alert notifications must be generated only once when the alert is generated and once when the alert is resolved.
Which signal type should you use when you create the alert rules?

A. Log

B. Log (Saved Query)

C. Metric

D. Activity Log

Correct Answer: C
Metric alerts in Azure Monitor provide a way to get notified when one of your metrics crosses a threshold. Metric alerts work on a range of multi-
dimensional platform metrics, custom metrics, Application Insights standard and custom metrics, and (as metric alerts for logs) on selected Log
Analytics data such as performance counters. Each requirement points to the Metric signal: metric alerts support dimensions, are evaluated at a
fixed frequency in near real time rather than by a scheduled query, and are stateful, so a notification is sent once when the condition is met and
once when it is resolved; log alerts (signal types A and B) run on a schedule and fire again at every interval for as long as the condition holds.
Note: Signals are emitted by the target resource and can be of several types: Metric, Activity log, Application Insights, and Log.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric
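Added Python example (not from the page or from Microsoft): the difference between a stateless log alert and a stateful metric alert made visible on a constructed per-minute series of a security counter (failed logons per minute) for two servers, with the Computer dimension carrying separate state per server. The series, the server names and the threshold are constructed; metric alerts for logs exist only for the Log Analytics data types that Azure Monitor extracts as metrics, performance counters among them, which is why the question's data fits.

```python
from typing import Dict, List, Tuple


def log_alert_notifications(series: List[int], threshold: int) -> List[int]:
    """Stateless log alert: every evaluation whose value exceeds the threshold fires (indices of fired evaluations)."""
    return [i for i, value in enumerate(series) if value > threshold]


def metric_alert_transitions(series: List[int], threshold: int) -> List[Tuple[int, str]]:
    """Stateful metric alert: one 'fired' when the value first crosses the threshold, one 'resolved' when it drops back."""
    transitions: List[Tuple[int, str]] = []
    active = False
    for i, value in enumerate(series):
        if value > threshold and not active:
            transitions.append((i, "fired"))
            active = True
        elif value <= threshold and active:
            transitions.append((i, "resolved"))
            active = False
    return transitions


def metric_alert_by_dimension(series_by_computer: Dict[str, List[int]], threshold: int) -> Dict[str, List[Tuple[int, str]]]:
    """Each dimension value (here Computer) carries its own alert state, so one rule covers every server separately."""
    return {computer: metric_alert_transitions(s, threshold) for computer, s in series_by_computer.items()}


# Constructed per-minute samples of a security-related counter for two servers (not real telemetry).
SAMPLES: Dict[str, List[int]] = {
    "SRV01": [0, 2, 12, 15, 9, 3, 0, 11, 1],   # two separate bursts above the threshold
    "SRV02": [1, 0, 2, 1, 0, 0, 1, 0, 0],      # never crosses it
}
THRESHOLD = 5

if __name__ == "__main__":
    print("log alert fires at evaluations:", log_alert_notifications(SAMPLES["SRV01"], THRESHOLD))
    for computer, transitions in metric_alert_by_dimension(SAMPLES, THRESHOLD).items():
        print(computer, transitions)
```

On SRV01 the log alert produces four notifications for the same two incidents, while the metric alert produces exactly two fired/resolved pairs; SRV02 stays silent under both, and its state never interferes with SRV01's because the dimension keeps them apart.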

AdnanEzzi 7 months, 1 week ago
The answer is correct. But the correct link is this - https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric-logs
upvoted 7 times

SadioMane 5 months, 3 weeks ago
Thank you for sharing the link. It clearly mentions the dimension & logs need to be produced once
upvoted 2 times

gfhbox0083 5 months ago
C, for sure
There are many benefits for using Metric Alerts for Logs over query based Log Alerts in Azure; some of them are listed below:

Metric Alerts offer near-real time monitoring capability and Metric Alerts for Logs forks data from log source to ensure the same.
Metric Alerts are stateful - only notifying once when alert is fired and once when alert is resolved; as opposed to Log alerts, which are
stateless and keep firing at every interval if the alert condition is met.
Metric Alerts for Log provide multiple dimensions, allowing filtering to specific values like Computers, OS Type, etc. simpler; without the
need for penning query in analytics.
upvoted 8 times

gboyega 4 months, 3 weeks ago
C is correct according to the docs
upvoted 3 times


Question #7 Topic 3

DRAG DROP -
You have an Azure subscription that contains 100 virtual machines. Azure Diagnostics is enabled on all the virtual machines.
You are planning the monitoring of Azure services in the subscription.
You need to retrieve the following details:
✑ Identify the user who deleted a virtual machine three weeks ago.
✑ Query the security events of a virtual machine that runs Windows Server 2016.
What should you use in Azure Monitor? To answer, drag the appropriate configuration settings to the correct details. Each configuration setting
may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Correct Answer:

Box 1: Activity log -
Azure activity logs provide insight into the operations that were performed on resources in your subscription. Activity logs were previously
known as "audit logs" or "operational logs," because they report control-plane events for your subscriptions.
Activity logs help you determine the "what, who, and when" for write operations (that is, PUT, POST, or DELETE), which is exactly what a
deletion three weeks ago needs; the activity log is retained for 90 days, so the event is still available.

Box 2: Logs -
The security events of a Windows Server 2016 VM are data-plane events collected by the agent into the workspace (the SecurityEvent table) and
queried from Azure Monitor Logs. Log Integration collects Azure diagnostics from your Windows virtual machines, Azure activity logs, Azure
Security Center alerts, and Azure resource provider logs. This integration provides a unified dashboard for all your assets, whether they're
on-premises or in the cloud, so that you can aggregate, correlate, analyze, and alert for security events.
References:
https://docs.microsoft.com/en-us/azure/security/azure-log-audit

Jhonsteve83 6 months, 2 weeks ago
Correct
upvoted 1 times

kristiann21 5 months, 4 weeks ago
correct answer. undeniably.
upvoted 7 times

gfhbox0083 4 months, 4 weeks ago
Answer is Correct
upvoted 4 times

gboyega 4 months, 3 weeks ago
Correct
upvoted 1 times

Spamuel 4 months ago
Correct, but think "Logs" should be titled "Resource Logs"
upvoted 3 times

celomomo 19 hours, 7 minutes ago
Correct
upvoted 1 times


Question #8 Topic 3

HOTSPOT -
You create an alert rule that has the following settings:
✑ Resource: RG1
✑ Condition: All Administrative operations
✑ Actions: Action groups configured for this alert rule: ActionGroup1
✑ Alert rule name: Alert1
You create an action rule that has the following settings:
✑ Scope: VM1
✑ Filter criteria: Resource Type = "Virtual Machines"
✑ Define on this scope: Suppression
✑ Suppression config: From now (always)
✑ Name: ActionRule1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Note: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1:
The scope for the action rule is set to VM1 and is set to suppress alerts indefinitely: an administrative operation on VM1 still matches Alert1
and the alert is still listed in Azure Monitor, but the suppression action rule stops ActionGroup1 from being notified.
Box 2:
The scope for the action rule is not set to VM2, so an administrative operation on VM2 (which the statement assumes is in RG1, the alert rule's
scope) is notified normally.
Box 3:
Adding a tag is not an administrative operation. Testers in the discussion below report conflicting results for this box; check the eventCategory
of the tags/write entry in your own activity log before relying on it.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-action-rules

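To make the scope logic concrete, here is an added Python example (not from the page or from Microsoft) that applies Alert1 and then ActionRule1 to constructed activity log events reduced to the fields the two rules look at. The resource IDs are assumed, VM2 is assumed to sit in RG1 as the discussion below does, and the tag case is left out on purpose because the discussion does not settle what category a tags/write entry carries.

```python
from typing import Dict, List

# Resource IDs assumed for the scenario (constructed; the question only gives the names RG1 and VM1).
RG1 = "/subscriptions/sub1/resourceGroups/RG1"
VM1 = RG1 + "/providers/Microsoft.Compute/virtualMachines/VM1"
VM2 = RG1 + "/providers/Microsoft.Compute/virtualMachines/VM2"      # assumed to live in RG1
VM3 = "/subscriptions/sub1/resourceGroups/RG2/providers/Microsoft.Compute/virtualMachines/VM3"

ALERT_RULE = {"name": "Alert1", "scope": RG1, "category": "Administrative", "action_group": "ActionGroup1"}
ACTION_RULE = {"name": "ActionRule1", "scope": VM1, "resource_type": "Microsoft.Compute/virtualMachines",
               "suppress": True}


def in_scope(scope: str, resource_id: str) -> bool:
    """Resource IDs compare case-insensitively; a scope covers itself and every resource beneath it."""
    scope, resource_id = scope.lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def resource_type_of(resource_id: str) -> str:
    """'<namespace>/<type>' from an ID; a bare resource-group ID has no provider segment (simplification)."""
    parts = resource_id.split("/providers/")
    return "/".join(parts[-1].split("/")[:2]) if len(parts) > 1 else "Microsoft.Resources/resourceGroups"


def process(event: Dict[str, str]) -> Dict[str, object]:
    """Apply Alert1 (scope + category) and then ActionRule1 (scope + resource type) to one activity log event."""
    alert = in_scope(ALERT_RULE["scope"], event["resourceId"]) and event["category"] == ALERT_RULE["category"]
    suppressed = (alert and ACTION_RULE["suppress"]
                  and in_scope(ACTION_RULE["scope"], event["resourceId"])
                  and resource_type_of(event["resourceId"]) == ACTION_RULE["resource_type"])
    # A suppressed alert is still created and listed in Azure Monitor; only the action group is not invoked.
    return {"operation": event["operationName"], "resource": event["resourceId"],
            "alert_created": alert, "notified": alert and not suppressed}


# Constructed activity log events (not captured from a tenant).
EVENTS: List[Dict[str, str]] = [
    {"operationName": "Microsoft.Compute/virtualMachines/start/action", "category": "Administrative", "resourceId": VM1},
    {"operationName": "Microsoft.Compute/virtualMachines/start/action", "category": "Administrative", "resourceId": VM2},
    {"operationName": "Microsoft.Compute/virtualMachines/start/action", "category": "Administrative", "resourceId": VM3},
    {"operationName": "Microsoft.Authorization/policies/audit/action", "category": "Policy", "resourceId": VM1},
]


def run(events: List[Dict[str, str]] = EVENTS) -> List[Dict[str, object]]:
    return [process(e) for e in events]


if __name__ == "__main__":
    for r in run():
        print(r)
```

Starting VM1 creates an alert but nobody is notified, starting VM2 creates an alert and notifies ActionGroup1, VM3 is outside Alert1's scope, and the Policy-category event never matches the "All Administrative operations" condition in the first place.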
dumpmaster 7 months, 3 weeks ago
Wrong, if you tag the resource group you will get an alert. For VMs it is a confusing question. I guess YES, NO, YES.
upvoted 1 times

Gorha 7 months, 3 weeks ago
Box 1 and Box 2 are correct, Box 3 should be yes

So it's: NO, YES, YES. the suppression is on for VM1 and not RG1
upvoted 6 times

vlq 7 months ago
Box 3: Adding a tag to RG1 is NOT an Administrative operation, so the alert is NOT triggered and the answer is NO
upvoted 8 times

hstorm 2 months, 2 weeks ago
Yes - Adding Tags to RG1 does fire an alarm...
From the event created (JSON)
"eventCategory": "Administrative"
"operationName": {
"value": "Microsoft.Resources/tags/write",
"localizedValue": "Write tags"
"resourceGroupName": "RG1",
upvoted 1 times

LiamRT 1 month, 2 weeks ago
I saw similar in the JSON file for the alert created when I added a tag to RG1
upvoted 1 times

David_986969 5 months, 2 weeks ago
A Tag is not an administrative task, so you would not get any alert
upvoted 2 times

sprlftr 6 months, 2 weeks ago
I tested this in a demo tenant and believe it to be NO, NO, YES.
upvoted 5 times

Root_Access 6 months, 1 week ago
I would say it's correct, the action is suppressed for VM1 so no alert. also the 3rd option is not an administrative action.
upvoted 4 times

geekgurl 6 months ago
VM2 is never mentioned - wtf
upvoted 6 times

D_PaW 6 months ago
Seems like information about VM2 is missing!? It doesn't say whether or not it is actually in RG1!! So the answer should be "it depends!" :/
upvoted 1 times

kristiann21 5 months, 4 weeks ago
No, Yes, Yes was my answer in the exam. Not sure if it is correct.
upvoted 3 times

maharjansumit 4 months ago
V1 and V2 are both part of RG1 and V1 has a rule which states Suppression, So the 1st answer is No, the 2nd answer is yes because V2 is part of
RG1, the 3rd Answer is yes
upvoted 1 times

Crash27 3 months, 3 weeks ago
Where is V2 mentioned in this question? If it isn't mentioned the answer must be 'No' surely??
upvoted 2 times

awssecuritynewbie 1 week, 5 days ago
https://vceguide.com/hotspot-956/
upvoted 1 times

lnn_az 5 months, 3 weeks ago
i just tested this in an Azure Environment. Correct Answer is No, No, Yes
upvoted 5 times

P0d 5 months, 2 weeks ago
Yes, No, No
upvoted 1 times

Amiroo 5 months, 1 week ago
YES, NO, NO
upvoted 1 times

XJ 5 months ago
I think it's No - Alert rule - Suppression VM1; Yes (if this is a mistake/typo in the description that VM2 is part of RG1); No - Adding a tag to
RG1 is NOT an Administrative operation, so the alert is NOT triggered and the answer is NO
upvoted 1 times

summut 5 months ago
The answer should be No, No, No.
NO. Because the alert is suppressed for VM1 by the Action rule.
NO. Then there is no mention of VM2 in the question so why would an alert be raised (is it in RG1?)
NO. Tags are not an Administrative operation
upvoted 17 times

12mario13 4 months, 3 weeks ago
NO NO NO
upvoted 3 times

Bobo_Lee 4 months, 2 weeks ago
Tag is an Administrative operation so Box 3 is yes
upvoted 1 times

sanjayb 4 months, 1 week ago
Tagging a VM does generate an Administrative event with name 'Create or Update Virtual Machine'
upvoted 2 times

envy 3 months, 4 weeks ago
tested.
1) No, as scope is resource group, not VM, all administrative operations are related to resource group
2) No,
3) No, add tag is not an administrative operation
upvoted 1 times

eug45 3 months, 3 weeks ago
The correct answer is No, Yes, No

Since there is a suppression rule specifically for the virtual machine, the alert rule would not be triggered.

Yes, since there is an alert rule at the resource group level, an alert would be generated.

Working with resource tags will not generate alerts.
upvoted 3 times

Ace786 2 months, 3 weeks ago
Tested in Lab
answer is
NO
NO
NO
upvoted 4 times

NickT 2 months, 2 weeks ago
See missing VM2 info
https://vceguide.com/hotspot-956/
upvoted 12 times

awssecuritynewbie 1 month, 3 weeks ago
dude you are a saver! people just argue without having the full info haha more likes for this comment please
upvoted 2 times

hstorm 2 months, 2 weeks ago
Tested:
Actually the answer is
Yes - starting VM1 will fire an alarm even though it is set to be suppressed (to be found in Monitor-alerts with a status of "suppressed")
This means that the action group will not be informed...
(Yes an alarm is fired, but No action is taken)

Yes - starting VM2 will fire an alarm, starting a VM is an administrative task, and the suppression rule is only applied to VM1

Yes - Adding Tags to RG1 does fire an alarm...

From the event created (JSON)
"eventCategory": "Administrative"
"operationName": {
"value": "Microsoft.Resources/tags/write",
"localizedValue": "Write tags"
"resourceGroupName": "RG1",

In my opinion the answer is
YES,YES,YES
upvoted 1 times

Kampo 2 months, 2 weeks ago
NO NO NO
if the scope is RG then alerts are not generated for VMs under it.
upvoted 1 times

TauruSH 2 months, 1 week ago
correct answer is
NO (Bcoz vm1 is marked for suppression)
YES (bcoz it is assigned to the whole resource group where suppression is marked only for VM1 so VM2 will be able to get the alert)
NO (tags have no role in alerts)
upvoted 6 times

kiketxu 2 months ago
Agree with you, tagging does not generate any input in the activity log. NO, YES, NO.
upvoted 2 times

VirtualMatrix 2 months, 1 week ago
Yes, adding a tag at resource group level will create an activity. The answer is
NO, YES, YES.
upvoted 1 times

kiketxu 2 months ago
plz, check it.
upvoted 1 times

Sahilkondel 1 month, 1 week ago
Question is confusing. Tested the whole scenario with the given configuration.. you would still get alerts in Azure Monitor but the notification set
in the ActionGroup will not be triggered for VM1. Tags are not admin actions so neither alert nor notification will trigger. VM2, assuming it is
part of RG1, will trigger both alert and notification.
upvoted 2 times

awssecuritynewbie 1 week, 2 days ago
i tested this and the alert scope is the resource group! so everything in it is applied, but for VM1 you have suppressed it so you would not
get an alert but for vm2 that is under the same resource you will get an alert and for TAG i would say not admin as i did not get any alerts
when i configured it.
upvoted 1 times

Stuudent 1 week, 1 day ago
I need help with this one :/
The question does not specify what the ActionGroup should do...

I setup the alert rule (except the action group) and the action rule, started both VMs and edited the tag of RG1. No alerts whatsoever....
upvoted 1 times

AnxiousKid 6 days, 3 hours ago
What is the correct answer for this item, guys?
upvoted 1 times

kiketxu 4 days, 21 hours ago
1. NO because VM1 alerts are suppressed.
2. YES, because it was not included to suppress (We have to consider VM2 in the same RG)
3. NO, because tag is not an activity which is going to trigger any alert.
upvoted 1 times

boubakri 4 days, 20 hours ago
Box 1:
The scope for the action rule is set to VM1 and is set to suppress alerts indefinitely.
Box 2:
The scope for the action rule is not set to VM2.
Box 3:
Adding a tag is not an administrative operation.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-action-rules
upvoted 1 times

boubakri 4 days, 20 hours ago
so no yes no
upvoted 1 times


Question #9 Topic 3

DRAG DROP -
You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1.
You have 500 Azure virtual machines that run Windows Server 2016 and are enrolled in LAW1.
You plan to add the System Update Assessment solution to LAW1.
You need to ensure that System Update Assessment-related logs are uploaded to LAW1 from 100 of the virtual machines only.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/solution-targeting

lnn_az 5 months, 3 weeks ago
answer is correct
upvoted 4 times

gfhbox0083 4 months, 4 weeks ago
The provided answer is Correct
upvoted 8 times

bystic 2 months, 1 week ago
i was waiting for you to add "for sure" :D
upvoted 6 times

Daniel777 2 weeks, 5 days ago
For sure :)
upvoted 2 times


Question #10 Topic 3

You have an Azure subscription named Sub1 that contains the virtual machines shown in the following table.

You need to ensure that the virtual machines in RG1 have the Remote Desktop port closed until an authorized user requests access.
What should you configure?

A. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)

B. an application security group

C. Azure Active Directory (Azure AD) conditional access

D. just in time (JIT) VM access

Correct Answer: D
Just-in-time (JIT) virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while
providing easy access to connect to VMs when needed. PIM and conditional access govern identities and sign-ins, and an application security
group only names a set of network interfaces for NSG rules; none of them opens or closes a port on request.
Note: When just-in-time is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports
on the VM to which inbound traffic will be locked down. These ports are controlled by the just-in-time solution.
When a user requests access to a VM, Security Center checks that the user has Role-Based Access Control (RBAC) permissions that permit
them to successfully request access to a VM. If the request is approved, Security Center automatically configures the Network Security Groups
(NSGs) and Azure Firewall to allow inbound traffic to the selected ports and requested source IP addresses or ranges, for the amount of time
that was specified. After the time has expired, Security Center restores the NSGs to their previous states. Those connections that are already
established are not being interrupted, however.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

Andy998 5 months, 2 weeks ago
D is correct.
upvoted 2 times

gfhbox0083 4 months, 4 weeks ago
D, for sure
upvoted 4 times

gboyega 4 months, 3 weeks ago
D is correct
upvoted 2 times


Question #11 Topic 3

You have 10 virtual machines on a single subnet that has a single network security group (NSG).
You need to log the network traffic to an Azure Storage account.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Install the Network Performance Monitor solution.

B. Enable Azure Network Watcher.

C. Enable diagnostic logging for the NSG.

D. Enable NSG flow logs.

E. Create an Azure Log Analytics workspace.

Correct Answer: BD
A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network
traffic that flows through an NSG with Network Watcher's NSG flow log capability. NSG diagnostic logging (option C) records rule and counter
events, not the traffic itself, and a Log Analytics workspace (option E) is only needed for Traffic Analytics, not for writing flow logs to a
storage account. Steps include:
✑ Create a VM with a network security group
✑ Enable Network Watcher and register the Microsoft.Insights provider
✑ Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
✑ Download logged data
✑ View logged data
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

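After the download step the logged data is a blob of JSON records. The following added Python example (not from the page or from Microsoft's sample) parses the version 2 record format, in which each flowTuple is "timestamp,srcIp,dstIp,srcPort,dstPort,protocol,direction,decision,state,packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc", and summarizes denied inbound flows by source address and destination port, which is the first thing to look at when hunting for scanners against the 10 VMs. The record, addresses and counters are constructed.

```python
import json
from collections import Counter
from typing import Dict, Iterator

# Constructed sample of one NSG flow log record (version 2 schema) as written to the storage account.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2020-11-27T09:00:35.3899262Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/SUB1/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1606467635,198.51.100.23,10.0.0.4,51234,3389,T,I,D,B,,,,",
            "1606467640,198.51.100.23,10.0.0.4,51235,22,T,I,D,B,,,,",
            "1606467641,203.0.113.9,10.0.0.5,40001,3389,T,I,D,B,,,,"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1606467650,10.0.0.4,13.67.143.118,59831,443,T,O,A,B,,,,",
            "1606467690,10.0.0.4,13.67.143.118,59831,443,T,O,A,E,12,2600,14,9100"]}]}]}}]})

FIELDS = ["timestamp", "src_ip", "dst_ip", "src_port", "dst_port", "protocol", "direction", "decision", "state",
          "packets_src_dst", "bytes_src_dst", "packets_dst_src", "bytes_dst_src"]
INT_FIELDS = ("timestamp", "src_port", "dst_port", "packets_src_dst", "bytes_src_dst", "packets_dst_src", "bytes_dst_src")


def parse_tuple(tuple_str: str) -> Dict[str, object]:
    """Split one v2 flowTuple; the four counters are empty on B (begin) tuples, so treat empty as 0."""
    values = tuple_str.split(",")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {tuple_str!r}")
    row: Dict[str, object] = dict(zip(FIELDS, values))
    for key in INT_FIELDS:
        row[key] = int(row[key]) if row[key] else 0
    return row


def iter_flows(raw: str) -> Iterator[Dict[str, object]]:
    """Flatten records -> rules -> NICs -> tuples, tagging each tuple with its NSG, rule and MAC."""
    for record in json.loads(raw)["records"]:
        if record["properties"].get("Version") != 2:
            raise ValueError("this parser only understands version 2 flow logs")
        for rule_block in record["properties"]["flows"]:
            for flow in rule_block["flows"]:
                for tuple_str in flow["flowTuples"]:
                    row = parse_tuple(tuple_str)
                    row.update(nsg=record["resourceId"], rule=rule_block["rule"], mac=flow["mac"])
                    yield row


def denied_inbound(raw: str) -> Counter:
    """(source IP, destination port) pairs the NSG blocked on the way in."""
    return Counter((r["src_ip"], r["dst_port"]) for r in iter_flows(raw)
                   if r["direction"] == "I" and r["decision"] == "D")


def hits_by_rule(raw: str) -> Counter:
    """Tuples per NSG rule; deny traffic landing only on DefaultRule_DenyAllInBound means no custom rule matched it."""
    return Counter(r["rule"] for r in iter_flows(raw))


if __name__ == "__main__":
    for (src, port), n in denied_inbound(SAMPLE_FLOW_LOG).most_common():
        print(f"{src} -> tcp/{port}: {n} denied")
    print(hits_by_rule(SAMPLE_FLOW_LOG))
```

Point `iter_flows` at each PT1H.json blob the flow log writes and the two summaries show who is probing RDP and SSH and which rule is doing the blocking; a jump in denied inbound from one source is the cheapest scanner detection you get from data you are already paying to store.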
kratos13 5 months ago
Answer and URL provided are correct ::

Create a VM with a network security group
Enable Network Watcher and register the Microsoft.Insights provider
Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
Download logged data
View logged data

~ https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
upvoted 3 times

gfhbox0083 4 months, 4 weeks ago
B, D for sure.
Using Azure Network Watcher and NSG flow logs.
upvoted 11 times


Question #12 Topic 3

You have an Azure subscription that contains the virtual machines shown in the following table.

From Azure Security Center, you turn on Auto Provisioning.


You deploy the virtual machines shown in the following table.

On which virtual machines is the Log Analytics agent installed?

A. VM3 only

B. VM1 and VM3 only

C. VM3 and VM4 only

D. VM1, VM2, VM3, and VM4

Correct Answer: D
When automatic provisioning is On, Security Center provisions the Log Analytics Agent on all supported Azure VMs and any new ones that are created.
Supported Operating systems include: Ubuntu 14.04 LTS (x86/x64), 16.04 LTS (x86/x64), and 18.04 LTS (x64) and Windows Server 2008 R2, 2012, 2012 R2, 2016, version 1709 and 1803
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

  frks 6 months, 2 weeks ago


same question but microsoft monitor instead of log analyzer
upvoted 6 times

  kristiann21 5 months, 4 weeks ago


same question in exam.
upvoted 10 times

  gboyega 4 months, 3 weeks ago


D is correct
upvoted 2 times

Topic 4 - Question Set 4


Question #1 Topic 4

Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops an application named App1. App1 is registered in Azure AD.
You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users.
What should you configure?

A. an application permission without admin consent

B. a delegated permission without admin consent

C. a delegated permission that requires admin consent

D. an application permission that requires admin consent

Correct Answer: B
Delegated permissions - Your client application needs to access the web API as the signed-in user, but with access limited by the selected
permission. This type of permission can be granted by a user unless the permission requires administrator consent.
Incorrect Answers:
A, D: Application permissions - Your client application needs to access the web API directly as itself (no user context). This type of permission
requires administrator consent and is also not available for public (desktop and mobile) client applications.
References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

  RupaliS 11 months ago


Ans C also seems to be right ?
"Adding a delegated permission to an application does not automatically grant consent to the users within the tenant. Users must still
manually consent for the added delegated permissions at runtime, unless the administrator grants consent on behalf of all users."
upvoted 2 times

  D0yle 9 months, 3 weeks ago


B is correct answer.- Some higher-privileged permissions require administrator consent - here we need just access to key vault.
upvoted 3 times

  RupaliS 11 months ago


https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents
to the permissions that the app requests, and the app is delegated permission to act as the signed-in user when making calls to the target
resource. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require
administrator consent.
upvoted 4 times

  barchetta 9 months, 2 weeks ago


I'm not sure there is enough data in the question to answer.
upvoted 1 times

  barchetta 9 months, 2 weeks ago


Wait, I think I get it "on behalf of the application users." that is the critical statement.
upvoted 4 times

  AS007 7 months, 1 week ago


Answer is correct - have validated
upvoted 12 times

  juselasmc 2 months, 2 weeks ago


in the exam
upvoted 4 times

  macphy 1 week, 6 days ago


Barchetta's comment is correct. "on behalf of the application users.", this means, you need an application permission (A or D).
At this time, application permission requires the consent, so the answer is D.
upvoted 1 times

  jinxie 4 days, 6 hours ago


you do not need to grant admin permissions for delegated keyvault access so the given answer is correct. to replicate, create a
webapp, go to authentication/authorization. enable appservice Authentication and generate a new appregistration. Go to AAD, go to
appregistrations, API permissions and add the keyvault permission for delegated users. you will notice that the admin permission is
marked with "-" meaning it is not required.
upvoted 1 times


  am20 3 days, 17 hours ago


I think the answer is D based on this https://www.youtube.com/watch?v=6R3W9T01gdE
upvoted 1 times

  am20 3 days, 15 hours ago


correction. agree with jinxie. Answer B is correct. you can also watch this https://www.youtube.com/watch?v=YWvl0cIilyA
upvoted 1 times


Question #2 Topic 4

DRAG DROP -
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com.
The company is developing an application named App1. App1 will run as a service on a server that runs Windows Server 2016. App1 will
authenticate to contoso.com and access Microsoft Graph to read directory data.
You need to delegate the minimum required permissions to App1.
Which three actions should you perform in sequence from the Azure portal? To answer, move the appropriate actions from the list of actions to
the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:

Step 1: Create an app registration


First the application must be created/registered.
Step 2: Add an application permission
Application permissions are used by apps that run without a signed-in user present.

Step 3: Grant permissions -


Incorrect Answers:

Delegated permission -
Delegated permissions are used by apps that have a signed-in user present.
Application Proxy:
Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications.
References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent


  AS007 7 months, 1 week ago


Correct Answers
upvoted 3 times

  kristiann21 5 months, 4 weeks ago


correct answer
upvoted 1 times

  Andy998 5 months, 2 weeks ago


Correct. This is on the exam.
upvoted 3 times

  gfhbox0083 5 months ago


Correct Answers
Application permissions allow an application in Azure Active Directory to act as its own entity, rather than on behalf of a specific user.
Delegated permissions allow an application in Azure Active Directory to perform actions on behalf of a particular user.
upvoted 7 times

  Loga 4 days, 7 hours ago


Agreed, for sure.
upvoted 1 times

  Adamantium 2 months, 1 week ago


Specific supporting documentation
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
upvoted 1 times


Question #3 Topic 4

Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops a mobile application named App1. App1 uses the OAuth 2 implicit grant type to acquire Azure AD access tokens.
You need to register App1 in Azure AD.
What information should you obtain from the developer to register the application?

A. a redirect URI

B. a reply URL

C. a key

D. an application ID

Correct Answer: A
For Native Applications you need to provide a Redirect URI, which Azure AD will use to return token responses.
References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

  AS007 7 months, 1 week ago


Correct Answer
upvoted 8 times

  gekvprasad 7 months ago


Correct Answer
upvoted 3 times

  D_PaW 6 months ago


Validated in Azure Portal. Correct Answer
upvoted 2 times

  kristiann21 5 months, 4 weeks ago


correct answer
upvoted 2 times

  gfhbox0083 4 months, 4 weeks ago


A, for sure.
upvoted 5 times

  hstorm 2 months, 2 weeks ago


The provided link
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

100% States that the answer is wrong, and should be Application_id


upvoted 1 times

  cloudycloud 1 month, 3 weeks ago


the application ID is provided by AAD
upvoted 1 times

  hstorm 2 months, 2 weeks ago


Correction: Sorry my answer was to "request authorization code" but original question is "register app in AD"
Answer is correct
upvoted 1 times


Question #4 Topic 4

From the Azure portal, you are configuring an Azure policy.
You plan to assign policies that use the DeployIfNotExist, AuditIfNotExist, Append, and Deny effects.
Which effect requires a managed identity for the assignment?

A. AuditIfNotExist

B. Append

C. DeployIfNotExist

D. Deny

Correct Answer: C
When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity.
References:
https://docs.microsoft.com/bs-latn-ba/azure/governance/policy/how-to/remediate-resources
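An added example (not from the page or the referenced doc) of what the managed identity is for: the assignment is created with a system-assigned managed identity, that identity is granted only the roles the definition declares, and a remediation task is started for resources that already exist. RG1, the assignment names and the definition name are placeholders; the cmdlets are from Az.Resources and Az.PolicyInsights.

```powershell
# Added example (not from the page): assign a deployIfNotExists policy with a
# system-assigned managed identity and grant that identity exactly the roles the
# policy's deployment declares. RG1 and the definition name are placeholders.
$scope      = Get-AzResourceGroup -Name 'RG1'
$definition = Get-AzPolicyDefinition -Name '<policy-definition-name-guid>'   # placeholder

# -AssignIdentity creates the system-assigned identity; -Location says where it lives.
# Append, Deny and AuditIfNotExists effects never deploy anything, so they need no identity.
$assignment = New-AzPolicyAssignment -Name 'dine-example' `
    -PolicyDefinition $definition `
    -Scope $scope.ResourceId `
    -AssignIdentity -Location $scope.Location

# The definition lists the roles its template needs under then.details.roleDefinitionIds.
# Assigning only those roles, only at the assignment scope, keeps the identity least-privileged.
$roleDefinitionIds = $definition.Properties.PolicyRule.then.details.roleDefinitionIds
foreach ($roleDefinitionId in $roleDefinitionIds) {
    # The ids are full resource ids; New-AzRoleAssignment wants the GUID, the last segment.
    $roleGuid = ($roleDefinitionId -split '/')[-1]
    New-AzRoleAssignment -Scope $scope.ResourceId `
        -ObjectId $assignment.Identity.PrincipalId `
        -RoleDefinitionId $roleGuid | Out-Null
}

# Resources that are already non-compliant are only fixed by a remediation task;
# resources created or updated after the assignment are handled by the policy itself.
Start-AzPolicyRemediation -Name 'dine-example-remediation' -PolicyAssignmentId $assignment.ResourceId
```

The new identity can take a short while to replicate in Azure AD, so a role assignment issued immediately after the assignment may fail with a principal-not-found error; retrying after a few seconds is the usual fix. Reviewing the role assignments on the scope afterwards is also how you confirm that the remediation identity did not end up with more than the definition asked for.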

  AS007 7 months, 1 week ago


Correct
upvoted 4 times

  kristiann21 5 months, 4 weeks ago


correct answer
upvoted 3 times

  gfhbox0083 4 months, 4 weeks ago


C, for sure.
upvoted 2 times


Question #5 Topic 4

HOTSPOT -
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to implement an application that will consist of the resources shown in the following table.

Users will authenticate by using their Azure AD user account and access the Cosmos DB account by using resource tokens.
You need to identify which tasks will be implemented in CosmosDB1 and WebApp1.
Which task should you identify for each resource? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

CosmosDB1: Create database users and generate resource tokens.


Azure Cosmos DB resource tokens provide a safe mechanism for allowing clients to read, write, and delete specific resources in an Azure
Cosmos DB account according to the granted permissions.
WebApp1: Authenticate Azure AD users and relay resource tokens
A typical approach to requesting, generating, and delivering resource tokens to a mobile application is to use a resource token broker. The
following diagram shows a high-level overview of how the sample application uses a resource token broker to manage access to the document
database data:


References:
https://docs.microsoft.com/en-us/xamarin/xamarin-forms/data-cloud/cosmosdb/authentication

  AS007 7 months, 1 week ago


Correct Answers
upvoted 4 times

  kristiann21 5 months, 4 weeks ago


same question in exam
upvoted 3 times

  P0d 5 months, 2 weeks ago


I am not sure that CosmosDB generates token. As it's acting as backend db for webapp I guess it's also relays on token.
upvoted 1 times

  maj79 5 months, 1 week ago


no mention of 'mobile application' in question
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


The provided is correct.
upvoted 3 times

  Exam_Master_Me 4 months, 1 week ago


Correct:
The mid-tier service is also responsible for authenticating the client (for example, by using Azure Active Directory). Once the client
successfully authenticates, the mid-tier service requests a resource token associated with the authenticated user from the Cosmos DB
account and relays the token back to the client. At that point, the client can use the token to access Cosmos DB resources directly.
https://mobilemonitoringsolutions.com/introduction-to-azure-cosmos-db-security/
upvoted 2 times

  jbuenoo 2 months, 3 weeks ago


Answers seem to be correct: https://docs.microsoft.com/en-us/azure/cosmos-db/media/secure-access-to-data/resourcekeyworkflow.png
upvoted 2 times


Question #6 Topic 4

HOTSPOT -
You need to create an Azure key vault. The solution must ensure that any object deleted from the key vault be retained for 90 days.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: -EnablePurgeProtection -
If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well.

Box 2: -EnableSoftDelete -
Specifies that the soft-delete functionality is enabled for this key vault. When soft-delete is enabled, for a grace period, you can recover this key
vault and its contents after it is deleted.
References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/new-azurermkeyvault
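The same outcome with the current Az module, as an added example rather than the page's command: soft delete with a 90-day retention period plus purge protection, followed by a read-back of the settings and a delete-and-recover round trip that shows what the retention period buys. It assumes Az.KeyVault 2.x or later, where soft delete is always on and the period is set with -SoftDeleteRetentionInDays; the vault, resource group, region and secret names are placeholders.

```powershell
# Added example (not from the page): create a key vault whose deleted objects are kept
# for 90 days and cannot be purged before then, verify the settings, then show recovery.
# Assumes Az.KeyVault 2.x or later. Names are placeholders.
#
# AzureRM form from the question, for comparison (retention was a fixed 90 days):
#   New-AzureRmKeyVault -Name kv-example -ResourceGroupName RG1 -Location eastus -EnableSoftDelete -EnablePurgeProtection
$vaultName = 'kv-contoso-example'
$rg        = 'RG1'

New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location 'eastus' `
    -SoftDeleteRetentionInDays 90 -EnablePurgeProtection | Out-Null

# Verify: both flags must be True and the retention must read 90.
$vault = Get-AzKeyVault -VaultName $vaultName
[pscustomobject]@{
    SoftDelete      = $vault.EnableSoftDelete
    PurgeProtection = $vault.EnablePurgeProtection
    RetentionDays   = $vault.SoftDeleteRetentionInDays
}

# What the setting buys you: a deleted secret stays recoverable for the retention period.
$value = ConvertTo-SecureString -String 'constructed-sample-value' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'Secret1' -SecretValue $value | Out-Null
Remove-AzKeyVaultSecret -VaultName $vaultName -Name 'Secret1' -Force
# Still listed in the removed state, with its scheduled purge date.
Get-AzKeyVaultSecret -VaultName $vaultName -Name 'Secret1' -InRemovedState
Undo-AzKeyVaultSecretRemoval -VaultName $vaultName -Name 'Secret1' | Out-Null

# For a vault created earlier without it, purge protection can be added in place. It is
# one-way: once on it cannot be turned off, and nothing in the vault can be force-purged
# until its retention period has elapsed.
Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg -EnablePurgeProtection | Out-Null
```

With soft delete alone, an attacker or a mistaken script with purge permission can still remove a deleted object for good; purge protection is the setting that closes that gap, which is why the question asks for both switches.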

  aythan09 6 months ago


Question parameters are incorrect:
--enable-soft-delete must be enabled before you can --enable-purge-protection

Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is
enabled. It can be turned on via CLI or PowerShell.
https://docs.microsoft.com/en-us/azure/key-vault/general/overview-soft-delete#purge-protection
az keyvault create --name ContosoVault --resource-group ContosoRG --location westus --enable-soft-delete true --enable-purge-protection
true
https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-cli#enabling-purge-protection
upvoted 3 times

  Andy998 5 months, 2 weeks ago


I think it's the other way round, but the two chosen options are correct.
upvoted 1 times

  juniorhs86 5 months, 1 week ago


I think it's correct. It is a powershell command and the order does not matter much.
New-AzureRmKeyVault
[-Name] <String> 
[-ResourceGroupName] <String>
[-Location] <String>

[-EnabledForDeployment]
[-EnabledForTemplateDeployment]
[-EnabledForDiskEncryption]
[-EnableSoftDelete]
[-EnablePurgeProtection]
[-Sku <SkuName>]
[-Tag <Hashtable>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/new-azurermkeyvault?view=azurermps-6.13.0
upvoted 3 times

  gboyega 4 months, 3 weeks ago


Answer is correct
upvoted 3 times

  kiketxu 4 days, 20 hours ago


they are in the other way. First "Enable-Soft-Delete" then "Enable-Purge-Protection"
upvoted 1 times


Question #7 Topic 4

You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure AD).
You need to ensure that the application can use Secret1.
What should you do?

A. In Azure AD, create a role.

B. In Azure Key Vault, create a key.

C. In Azure Key Vault, create an access policy.

D. In Azure AD, enable Azure AD Application Proxy.

Correct Answer: A
Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them.
Managed identities for Azure resources overview makes solving this problem simpler, by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
Example: How a system-assigned managed identity works with an Azure VM
After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use role-based access control (RBAC) in Azure AD to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
References:
https://docs.microsoft.com/en-us/azure/key-vault/quick-create-net
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
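Granting the registered application access to Secret1 with a Key Vault access policy, as an added example that is not part of the page (it carries out the explanation's "grant your code access to the specific secret" step). The application (client) ID is a placeholder; the cmdlets are from Az.Resources and Az.KeyVault.

```powershell
# Added example (not from the page): give the developer's registered application
# data-plane access to secrets in Vault1 through an access policy, with the smallest
# permission set that lets it read Secret1. The app ID is a placeholder.
$appId     = '<application-(client)-id-from-the-app-registration>'
$vaultName = 'Vault1'

# The app registration's service principal is the identity that the vault authorizes;
# the app authenticates as it (client credential or managed identity), never as a user.
$sp = Get-AzADServicePrincipal -ApplicationId $appId

# 'get' reads a secret's value; add 'list' only if the app enumerates secrets.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToSecrets get

# Show the resulting entry for review.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }

# Reading Secret1 from the app's side is then a plain data-plane call; anything else
# (set, delete, keys, certificates) is refused because the policy does not grant it.
# Get-AzKeyVaultSecret -VaultName $vaultName -Name 'Secret1' -AsPlainText
```

An access policy is per principal and vault-wide for the object type it names: the 'get' above applies to every secret in Vault1, not to Secret1 alone. Secrets that must be visible to different applications therefore belong in different vaults. The policy is the authorization; authentication still has to happen first, and a caller with a valid token but no policy entry is rejected.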

  Oz 1 year ago
Ref: https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app

The correct answer is "set access policy" to the managed identity that app will use.
Example:
az keyvault set-policy --name '<YourKeyVaultName>' --object-id <PrincipalId> --secret-permissions get list
This command gives the identity (MSI) of the app service permission to do get and list operations on your key vault.
upvoted 36 times

  RupaliS 11 months ago


Yes correct answer should be "create an access policy"
"You may need to configure the target resource to allow access from your application. For example, if you request a token to Key Vault,
you need to make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be
rejected, even if they include the token"
https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
upvoted 6 times

  barchetta 9 months, 2 weeks ago


I'm convinced that if this was a storage SAS it would require a role assignment but since this is an app which uses a service identity it is an
access policy. I just watched a video on pluralsight and he uses a policy. I hope this is on the test because I spent hours researching.
upvoted 3 times

  barchetta 9 months, 2 weeks ago


Wait a minute.. does this have something to do with the fact that the DEVELOPER REGISTERED THE APP? Perhaps that is the catch here. this
is making me crazy.
upvoted 7 times

  levo017 3 months ago


The Application has to be registered in Azure AD to be used by Access Policy. So the correct answer is to use Access Policy.
upvoted 2 times

  azurearch 9 months ago


Set-AzKeyVaultAccessPolicy -VaultName ContosoKeyVault -ObjectId (Get-AzADGroup -SearchString 'Contoso Security Team')[0].Id -
PermissionsToKeys backup,create,delete,get,import,list,restore -PermissionsToSecrets get,list,set,delete,backup,restore,recover,purge 
to create access policy, we need to have custom role in place. hence i guess answer is right

upvoted 3 times

  dumpmaster 7 months, 3 weeks ago


No, The correct answer is create an access policy. The developer has already registered the Web App, when he does this a service
principal name is generated, just create a policy to allow access.
upvoted 3 times

  Gorha 7 months, 2 weeks ago


C is correct: Access Policy. RBAC are for management plane in the Key Vault.
Access policy is for data plane, which required here for accessing the secret.
upvoted 2 times

  AS007 7 months, 1 week ago


Correct Answer - C. In Azure Key Vault, create an access policy.
upvoted 2 times

  spamoff 7 months ago


"An application developer registers an application in Azure Active Directory (Azure AD)."
not registerED, but registerS. Maybe this is a catch?
We need to make sure that every application registered by developer has access to the KeyVault.
In this case the "A" could be the correct answer.
ref: https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault
upvoted 1 times

  kristiann21 5 months, 4 weeks ago


Access Policy is the correct answer.
upvoted 2 times

  NeilKK 5 months, 2 weeks ago


A is correct Answer

Key Vault access policies don't support granular, object-level permissions like a specific key, secret, or certificate.
upvoted 2 times

  P0d 5 months, 2 weeks ago


Access policy is deep security for key vault as you can assign user separately to key, secret and certificates. RBAC is general entry
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


C, for sure.
Access Policy for Azure KeyVault
upvoted 4 times

  chaudh 4 months, 4 weeks ago


C for sure
https://docs.microsoft.com/en-us/azure/key-vault/general/managed-identity
upvoted 3 times

  gboyega 4 months, 3 weeks ago


C IS THE CORRECT ANSWER
upvoted 6 times

  ark007thegreat 4 months ago


C is correct answer. See below Link
https://docs.microsoft.com/en-us/azure/key-vault/general/group-permissions-for-apps
The simplest way to authenticate a cloud-based application to Key Vault is with a managed identity; see Use an App Service managed
identity to access Azure Key Vault for details. If you are creating an on-prem application, doing local development, or otherwise unable to
use a managed identity, you can instead register a service principal manually and provide access to your key vault using an access control
policy.
upvoted 4 times

  awssecuritynewbie 1 month, 2 weeks ago


but does the app not need permission to be able to access the key vault in the first place ??
thanks for ans in advance.
upvoted 1 times

  DeepMoon 1 month, 2 weeks ago


Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault
to retrieve them.
Managed identities for Azure resources feature gives Azure services an automatically managed identity in Azure AD. You can use this 
identity to authenticate to any service that supports AAD authentication, including Key Vault, without having any credentials in your code.
But after Authentication; it requires Authorization to the secret. Key Vault data plane access is mediated by 'Key Vault Access policies' not
RBAC. In Key Vault, RBAC is only used for mediating management plane access.
https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security#controlling-access-to-key-vault-data
To create the access policy the command is as follows:
Set-AzKeyVaultAccessPolicy
-VaultName <key-vault-name>
-ObjectId <Id>
-PermissionsToSecrets <secrets-permissions>
-PermissionsToKeys <keys-permissions>
-PermissionsToCertificates <certificate-permissions>
 https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-powershell#assign-the-access-policy
upvoted 1 times

  azayra 1 month ago


it's C

The management plane is where you manage Key Vault itself and it is the interface used to create and delete vaults. You can also read key
vault properties and manage access policies.
The data plane allows you to work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.
To access a key vault in either plane, all callers (users or applications) must be authenticated and authorized. Both planes use Azure Active
Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access control (RBAC) and the data
plane uses a Key Vault access policy.

https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security#controlling-access-to-key-vault-data
upvoted 1 times

  Seagun 1 month ago


answer is C - glad most people here agree, thought i was missing something
upvoted 1 times

  celomomo 17 hours, 56 minutes ago


Shouldn't you be creating a policy? Answer should be C
upvoted 1 times


Question #8 Topic 4

You have an Azure SQL database.


You implement Always Encrypted.
You need to ensure that application developers can retrieve and decrypt data in the database.
Which two pieces of information should you provide to the developers? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. a stored access policy

B. a shared access signature (SAS)

C. the column encryption key

D. user credentials

E. the column master key

Correct Answer: CE
Always Encrypted uses two types of keys: column encryption keys and column master keys. A column encryption key is used to encrypt data in
an encrypted column. A column master key is a key-protecting key that encrypts one or more column encryption keys.
References:
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine

  AS007 7 months, 1 week ago


Correct ones
upvoted 6 times

  kristiann21 5 months, 4 weeks ago


correct answer
upvoted 4 times

  gfhbox0083 5 months ago


C, E, for sure.
upvoted 6 times

  juselasmc 2 months, 2 weeks ago


IN THE EXAM
upvoted 3 times

  hstorm 2 months, 2 weeks ago


I don't get it. Keys has to be stored in a key-vault, thus what we need is to provide access to the key-vault to retrieve the keys ??? Can
anybody explain this Please ?
upvoted 2 times

  DeepMoon 1 month, 2 weeks ago


Read this article: Then You Will be Enlightened My Son
https://www.pass.org/PASS-Blog/introducing-always-encrypted-with-secure-enclaves-in-sql-server-2019-1

Stay Away From the Brahamins at Microsoft Doc For They Would Lead You Astray My Son
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15
upvoted 3 times


Question #9 Topic 4

You have a hybrid configuration of Azure Active Directory (Azure AD).
All users have computers that run Windows 10 and are hybrid Azure AD joined.
You have an Azure SQL database that is configured to support Azure AD authentication.
Database developers must connect to the SQL database by using Microsoft SQL Server Management Studio (SSMS) and authenticate by using their on-premises Active Directory account.
You need to tell the developers which authentication method to use to connect to the SQL database from SSMS. The solution must minimize
authentication prompts.
Which authentication method should you instruct the developers to use?

A. SQL Login

B. Active Directory - Universal with MFA support

C. Active Directory - Integrated

D. Active Directory - Password

Correct Answer: C
Azure AD can be the initial Azure AD managed domain. Azure AD can also be an on-premises Active Directory Domain Services that is federated with the Azure AD.
Using an Azure AD identity to connect using SSMS or SSDT
The following procedures show you how to connect to a SQL database with an Azure AD identity using SQL Server Management Studio or SQL Server Database Tools.
Active Directory integrated authentication
Use this method if you are logged in to Windows using your Azure Active Directory credentials from a federated domain.
1. Start Management Studio or Data Tools and in the Connect to Server (or Connect to Database Engine) dialog box, in the Authentication box, select Active Directory - Integrated. No password is needed or can be entered because your existing credentials will be presented for the connection.

2. Select the Options button, and on the Connection Properties page, in the Connect to database box, type the name of the user database you want to connect to.
(The "AD domain name or tenant ID" option is only supported for Universal with MFA connection options, otherwise it is greyed out.)
References:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/sql-database/sql-database-aad-authentication-configure.md

  AS007 7 months, 1 week ago

Correct Ans
upvoted 7 times

  kristiann21 5 months, 4 weeks ago


correct.

Hybrid AD, and workstations are domain joined. Hence integrated authentication will use a kerberos ticket to authenticate itself to the SQL
server using the logged in user of the workstation.
upvoted 10 times


Question #10 Topic 4

DRAG DROP -
You have an Azure subscription named Sub1 that contains an Azure Storage account named Contosostorage1 and an Azure key vault named
Contosokeyvault1.
You plan to create an Azure Automation runbook that will rotate the keys of Contosostorage1 and store them in Contosokeyvault1.
You need to implement prerequisites to ensure that you can implement the runbook.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:

Correct Answer:

Step 1: Create an Azure Automation account


Runbooks live within the Azure Automation account and can execute PowerShell scripts.
Step 2: Import PowerShell modules to the Azure Automation account
Under 'Assets' from the Azure Automation account Resources section select 'Modules' to add in Modules to the runbook. To execute key vault cmdlets
in the runbook, we need to add AzureRM.profile and AzureRM.KeyVault.
Step 3: Create a connection resource in the Azure Automation account
You can use the sample code below, taken from the AzureAutomationTutorialScript example runbook, to authenticate using the Run As account
to manage Resource Manager resources with your runbooks. The AzureRunAsConnection is a connection asset automatically created when we created
'run as accounts' above. This can be found under Assets -> Connections. After the authentication code, run the same code above to get all the
keys from the vault.
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch
{
    # Fail the runbook if the connection asset is missing or the login fails.
    if (!$servicePrincipalConnection)
    {
        throw "Connection $connectionName not found."
    }
    throw $_.Exception
}
References:
https://www.rahulpnath.com/blog/accessing-azure-key-vault-from-azure-runbook/
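A runbook body that builds on the three prerequisites above with the current Az module, as an added example that is neither the page's nor the referenced blog's code: it logs in through AzureRunAsConnection (Connect-AzAccount is the Az replacement for Add-AzureRmAccount), regenerates one key of the storage account and writes the new value into the key vault as a new secret version. It assumes Az.Accounts, Az.Storage and Az.KeyVault are imported into the Automation account and that the Run As service principal has been granted the 'set' secret permission on the vault through an access policy; the resource group and secret names are placeholders, and the storage account name is lower-cased because Azure requires it.

```powershell
# Added example (not from the page or the referenced blog): Automation runbook that
# rotates a storage account key and stores it in Key Vault using the Az module.
# Assumes Az.Accounts, Az.Storage and Az.KeyVault are imported into the account and
# that the Run As service principal has 'set' on secrets in the vault. Placeholders:
# RG1 and the secret name.
param(
    [string]$ResourceGroupName  = 'RG1',
    [string]$StorageAccountName = 'contosostorage1',
    [string]$VaultName          = 'contosokeyvault1',
    [string]$KeyName            = 'key1',
    [string]$SecretName         = 'contosostorage1-key1'
)

# Get-AutomationConnection only exists inside Azure Automation; it returns the
# tenant, app id and certificate thumbprint of the Run As account.
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Connect-AzAccount -ServicePrincipal `
    -Tenant $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# Regenerate the key. The old value stops working for every client the moment this
# returns, so rotate key1 and key2 alternately and move clients before the next run.
New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName $KeyName | Out-Null
$newKey = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName |
    Where-Object { $_.KeyName -eq $KeyName }).Value

# Store it as a new version of the secret; earlier versions remain readable for rollback.
$secure = ConvertTo-SecureString -String $newKey -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
    -SecretValue $secure -ContentType 'storage-account-key'

# Log the outcome, never the key value.
Write-Output "Rotated $KeyName of $StorageAccountName; stored as $SecretName version $($secret.Version)"
```

The Run As service principal needs two authorizations that the question's prerequisites do not spell out: a role on the storage account that allows key regeneration (the Storage Account Key Operator Service Role is the least-privileged built-in choice) and an access policy on the vault with 'set' on secrets. Keep the key out of the job output stream; the version identifier is enough to audit the rotation.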

  cybrtrk 7 months, 3 weeks ago


it may be worth noting that if one of the options was 'create a SYSTEM assigned' identity, that would have been step #3.
upvoted 3 times

  AS007 7 months, 1 week ago


Answers are correct - verified.
upvoted 14 times

  envy 3 months, 4 weeks ago


step 3 should be set access policy. this is because the connection resource ("AzureRunAsConnection") has been created automatically.
upvoted 2 times

  kiketxu 4 days, 20 hours ago


I'm afraid this question is currently updated and now it has to "Run the Set-AzureRm...." as additional step.
I was confused that nobody posted about Azure KV policy needed.
upvoted 1 times

  Stuudent 4 days ago


Given that Azure RM is now considered outdated, would the PowerShell AZ command be Add-AzureAccount?
upvoted 1 times


Question #11 Topic 4

You have an Azure SQL Database server named SQL1.


You plan to turn on Advanced Threat Protection for SQL1 to detect all threat detection types.
Which action will Advanced Threat Protection detect as a threat?

A. A user updates more than 50 percent of the records in a table.

B. A user attempts to sign as select * from table1.

C. A user is added to the db_owner database role.

D. A user deletes more than 100 records from the same table.

Correct Answer: B
Advanced Threat Protection can detect potential SQL injections: This alert is triggered when an active exploit happens against an identified
application vulnerability to SQL injection. This means the attacker is trying to inject malicious SQL statements using the vulnerable application
code or stored procedures.
References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection-overview

  kristiann21 5 months, 4 weeks ago


correct answer.
upvoted 3 times

  SadioMane 5 months, 3 weeks ago


Answer B is correct
upvoted 3 times

  gfhbox0083 5 months ago


B, for sure.
upvoted 5 times

  pmr123 4 months, 3 weeks ago


Why isn't it C? If any user is added to the owners group, it means he can have control of the whole db, right? Correct me if wrong please
upvoted 2 times

  ExamWynner 3 months ago


Key word: Sign as "Select *"
upvoted 1 times

  btxy4 1 month, 3 weeks ago


question should read "sign in as ..."
upvoted 2 times

  DeepMoon 1 month, 2 weeks ago


There is no official list of alerts.
But B & C both seem valid.
upvoted 1 times

  fmlvaz 4 weeks ago


I think the answer is correct. For the people commenting that C should be right too, I don't agree, because the definition is attack
or suspicious activity.

Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your
database. It continuously monitors your database for suspicious activities, and it provides immediate security alerts on potential
vulnerabilities, Azure SQL injection attacks, and anomalous database access patterns. Advanced Threat Protection alerts provide details of
the suspicious activity and recommend action on how to investigate and mitigate the threat.
upvoted 1 times

  kiketxu 4 days, 20 hours ago


You're right. It's B. It's asking about ATP and unusual activity.
upvoted 1 times

  DS 1 week ago
Answer is A, SQL injection, it injects more than 50%
upvoted 1 times


Question #12 Topic 4

HOTSPOT -
You have the Azure Information Protection conditions shown in the following table.

You have the Azure Information Protection policies shown in the following table.

You need to identify how Azure Information Protection will label files.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Label 2 only -


How multiple conditions are evaluated when they apply to more than one label
1. The labels are ordered for evaluation, according to their position that you specify in the policy: The label positioned first has the lowest
position (least sensitive) and the label positioned last has the highest position (most sensitive).
2. The most sensitive label is applied.
3. The last sublabel is applied.

Box 2: No Label -
Automatic classification applies to Word, Excel, and PowerPoint when documents are saved, and applies to Outlook when emails are sent.
Automatic classification does not apply to Microsoft Notepad.
References:
https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-classification

  ExamUser 7 months, 1 week ago


Correct answers...
upvoted 8 times

  jam3sb0nd 7 months, 1 week ago


I think the answer for the first question is Label 1 only. In "Black and White", the label for White is assigned as it is the most sensitive label.
The label for White is Label1.
upvoted 3 times

  DavidSapery 6 months ago


The label conditions are evaluated from the bottom up. So since the Label 2 condition passes, that will be the label applied. Not Label1.
upvoted 2 times

  Prash85 6 months, 4 weeks ago


agree it must be label 1 for the first one
upvoted 1 times

  smruk12 6 months, 4 weeks ago


Correct answers are given.

"The labels are ordered for evaluation, according to their position that you specify in the policy: The label positioned first has the lowest
position (least sensitive) and the label positioned last has the highest position (most sensitive)"

and

"The most sensitive label is applied."

So in this case label 2 is positioned last and is therefore the most sensitive.

(https://docs.microsoft.com/nl-nl/azure/information-protection/configure-policy-classification)
upvoted 13 times

  skb1996 6 months ago


Black and white, last label is label1
upvoted 2 times

  kiketxu 2 months ago


thank you for the detailed explanation.
upvoted 1 times

  jakobaszek 6 months, 1 week ago


Word "black" is Label 2 = policy2
no label for option 2
upvoted 1 times

  Maximillian 5 months, 2 weeks ago


They are not talking about the position of Black and White but the position of the labels in the first table given. Since the first table has the
label2 on the bottom, it will have the higher priority than that label1 according to the Microsoft documentation.
upvoted 8 times

  Andy998 5 months, 2 weeks ago


Given answers are correct
upvoted 3 times

  hitandrun 2 weeks, 5 days ago


I feel the second answer is "not labeled" - for the reason that the text is written in a notepad, but not in a word document or email. Azure
Identity Protection doesn't apply to notepad.
upvoted 4 times

  kiketxu 4 days, 20 hours ago


Just a comment..... autolabeling does not apply to anything apart from Word, Excel, PowerPoint. But you can label txt, pdf, jpg, and more types of
files with the AIP UL client from Explorer.
upvoted 1 times

  kiketxu 4 days 20 hours ago


Btw, both answers are correct.

upvoted 1 times

Question #13 Topic 4

Your company uses Azure DevOps.


You need to recommend a method to validate whether the code meets the company's quality standards and code review standards.
What should you recommend implementing in Azure DevOps?

A. branch folders

B. branch permissions

C. branch policies

D. branch locking

Correct Answer: C
Branch policies help teams protect their important branches of development. Policies enforce your team's code quality and change
management standards.
References:
https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops&viewFallbackFrom=vsts

  Andy998 5 months, 2 weeks ago


C is correct.
upvoted 10 times

  kiketxu 2 months, 1 week ago


It's Ok.
upvoted 1 times

  ksinger 1 month, 3 weeks ago


C is OK
upvoted 1 times


Question #14 Topic 4

DRAG DROP -
You have an Azure subscription named Sub1. Sub1 contains an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to encrypt VM1 disks by using Azure Disk Encryption.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/encrypt-disks

  D0yle 9 months, 3 weeks ago


No need access policy!
1. Create Azure Key Vault (Set EnabledForDiskEncryption key to "True")
2. Configure Secrets for Azure Key Vault
3. Run Set-AzureRMVMDiskEncryptionExtension
upvoted 1 times

  D0yle 9 months, 3 weeks ago


Correction - we need to have a generated Key, not Secrets - the Set-AzureRMVMDiskEncryptionExtension command needs the KeyEncryptionKeyUrl
parameter. EnabledForDiskEncryption is what MS calls an "advanced access policy" - is it the same access policy option as in the question?!
upvoted 1 times

  barchetta 9 months, 3 weeks ago


As far as I can tell, with powershell there are only two steps:
Step 1: New-AzKeyvault -name MyKV -ResourceGroupName myResourceGroup -Location EastUS -EnabledForDiskEncryption
(create a key vault)

Step 2: $KeyVault = Get-AzKeyVault -VaultName MyKV -ResourceGroupName MyResourceGroup

Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName MyVM -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId

Source: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-powershell-quickstart
upvoted 2 times

  barchetta 9 months, 3 weeks ago


Update to my submission: Set key vault advanced access policies

The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and
decrypting the volumes.

If you did not enable your key vault for disk encryption, deployment, or template deployment at the time of creation (as demonstrated in
the previous step), you must update its advanced access policies.

upvoted 1 times

  D0yle 9 months, 1 week ago


Now I agree with you. In this case we will just keep the unencrypted BEK in the key vault. My first thoughts were that we need also to encrypt
this BEK, which means that we need to also have a Key Encryption Key. The other tricky thing is this "advanced access policy", which is
not the same as the access policy that we are using to give access to users or AD principals. Moreover, you can configure this policy
during the provisioning of the key vault. Thus, you can have done several VM disk encryptions and still fail on this question ;-).
upvoted 1 times

  ptR95 7 months, 3 weeks ago


any suggestions which order is correct here?
upvoted 1 times

  dumpmaster 7 months, 3 weeks ago


The answer is correct. You need to create a Vault, define a policy and run the PowerShell command.
upvoted 8 times

  ExamUser 7 months, 1 week ago


The steps in the answers are correct. Refer to these instructions that show steps needed to configure VM encryption:
https://docs.microsoft.com/en-us/azure//virtual-machines/windows/disk-encryption-portal-quickstart
upvoted 10 times

  lnn_az 5 months, 3 weeks ago


the answers are correct
1. Create Azure Key Vault
2. Configure (advanced) access policies
(Hidden Step assume - Set up a key encryption key (KEK))
3. Run Set-AzureRMVMDiskEncryptionExtension

refer https://docs.microsoft.com/en-us/azure//virtual-machines/windows/disk-encryption-key-vault
upvoted 4 times
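The three steps listed in the comment above, carried out end to end with the Az cmdlets that replaced the AzureRM ones named in the question. This is an added example, not code from the page or from Microsoft's quickstart; the resource group, vault name and region are placeholders, and the key encryption key step is the optional one the thread discusses.

```powershell
# Added example (not from the page or Microsoft's quickstart): the three steps
# the thread agrees on for Azure Disk Encryption on VM1, using the Az cmdlets that
# replaced the AzureRM ones named in the question. Assumptions: the resource
# group, vault name and region are placeholders; the signed-in user can create
# vaults and keys in the resource group; VM1 is a running Windows Server 2016 VM.
param(
    [string]$ResourceGroupName = "<resource-group-of-VM1>",
    [string]$VMName            = "VM1",
    [string]$KeyVaultName      = "<globally-unique-vault-name>",
    [string]$Location          = "<region-of-VM1>"   # vault and VM must share a region
)

$ErrorActionPreference = "Stop"
Connect-AzAccount | Out-Null   # interactive sign-in

# Step 1: create the key vault (reuse it if it already exists).
$vault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName
if (-not $vault) {
    $vault = New-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -Location $Location
}

# Step 2: the "advanced access policy". This is not a user/principal access policy;
# it lets the Azure platform read the BitLocker encryption key (BEK) at VM boot.
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -EnabledForDiskEncryption

# Optional: a key encryption key (KEK) so the BEK is stored wrapped rather than as a plain secret.
# If the vault was created by a service principal you must first grant yourself key permissions
# (Set-AzKeyVaultAccessPolicy -PermissionsToKeys ...); creating it as a user grants them automatically.
# Add-AzKeyVaultKey creates a new key version if the name already exists.
$kek = Add-AzKeyVaultKey -VaultName $KeyVaultName -Name "$VMName-kek" -Destination Software

# Step 3: enable encryption. This installs the ADE extension and reboots the VM.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All -Force

# Verify: OsVolumeEncrypted / DataVolumesEncrypted should report Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
```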

  m2L 5 months, 1 week ago


the given answers are correct
The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and
decrypting the volumes.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/disk-encryption-key-vault
upvoted 2 times

  gfhbox0083 4 months, 4 weeks ago


The provided answer is Correct.
upvoted 3 times

  fmlvaz 4 weeks ago


I just think that this question should be different, because AzureRM is now outdated
https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/set-azurermvmdiskencryptionextension?view=azurermps-6.13.0

Probably the command should be:


Set-AzVMDiskEncryptionExtension

The order I think is correct.


upvoted 1 times

  kiketxu 4 days, 20 hours ago


the provided answers are right, just the cmdlet has changed.
Now it is "Set-AzVMDiskEncryptionExtension"
upvoted 1 times

  Stuudent 3 days, 5 hours ago


Tested in Azure, if you create the KeyVault with Powershell:
New-AzKeyvault -name MyKV -ResourceGroupName myResourceGroup -Location EastUS -EnabledForDiskEncryption

(as referenced here: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-powershell-quickstart)

I got the following warning:


WARNING: Access policy is not set. No user or application have access permission to use this vault. This can happen if the vault was
created by a service principal. Please use Set-AzKeyVaultAccessPolicy to set access policies.

Therefore I conclude that the answer is correct.


upvoted 1 times


Question #15 Topic 4

You have an Azure subscription that contains a virtual machine named VM1.
You create an Azure key vault that has the following configurations:
✑ Name: Vault5
✑ Region: West US
✑ Resource group: RG1
You need to use Vault5 to enable Azure Disk Encryption on VM1. The solution must support backing up VM1 by using Azure Backup.
Which key vault settings should you configure?

A. Access policies

B. Secrets

C. Keys

D. Locks

Correct Answer: A
References:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault

  D0yle 9 months, 3 weeks ago


Hmmm, it is a tricky one - we need to have an access policy for Backup Services, but in my case it was created automatically during the
enabling of backup of the VM. We still need to have keys in Key Vault and keys come first - then the access policy.
upvoted 2 times

  azurearch 9 months ago


question is which key vault setting you would configure for backing up VM, not what is the first activity to do this.
upvoted 10 times

  Prash85 8 months, 3 weeks ago


answer is A. Access policies
upvoted 6 times

  kristiann21 5 months, 4 weeks ago


correct answer.
upvoted 5 times

  gfhbox0083 4 months, 4 weeks ago


A for sure.
Access Policies.
upvoted 5 times

  Stuudent 3 days, 5 hours ago


You need that for the VM to be able to access the KeyVault.
upvoted 1 times


Question #16 Topic 4

You have an Azure subscription named Sub1 that contains the resources shown in the following table.

You need to ensure that you can provide VM1 with secure access to a database on SQL1 by using a contained database user.
What should you do?

A. Enable a managed service identity on VM1.

B. Create a secret in KV1.

C. Configure a service endpoint on SQL1.

D. Create a key in KV1.

Correct Answer: B

  junkz 1 year, 1 month ago


this should be A, managed identities->https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-
resources/tutorial-windows-vm-access-sql
upvoted 30 times

  onlyfunmails 10 months, 2 weeks ago


Question refers access to database using Contained user, which is possible with Key vault Secret. VM access to database is still
supported via managed identities, which is other scenario.
upvoted 5 times

  onlyfunmails 10 months, 1 week ago


https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities

SQL server listed under Azure services that support Azure AD authentication (not in Azure services that support managed identities
for Azure resources)
upvoted 1 times

  hstorm 2 months, 2 weeks ago


And how does the vm get the secret from the keyvault?
upvoted 4 times

  JohnCrawford 1 year, 1 month ago


I agree with @Junkz
upvoted 2 times

  anonymous654 11 months ago


my answer is A too
upvoted 1 times

  PDR 9 months ago


answer is A - junkz link has the clear info explaining including referencing a contained user
upvoted 2 times

  Prash85 8 months, 3 weeks ago


Answer is A
upvoted 1 times

  Gorha 7 months, 2 weeks ago


B is correct. The managed identity by itself doesn't guarantee access to SQL1. Other steps are needed, which aren't mentioned in the Q. Given
the information, B is correct!
upvoted 4 times

  Rajuuu 6 months, 1 week ago


Answer is A ..Contained users are supported using Managed identities.
upvoted 1 times 
  turbolife 6 months, 1 week ago


KeyVault is in another region, Answer A


upvoted 3 times

  kristiann21 5 months, 4 weeks ago


Indeed, good viewpoint. Answer is A - managed identity.

However, wouldn't we also need a service endpoint to route traffic from the VM to SQL? Hmm. Maybe the SQL has public access and
does not need a service endpoint. Hmm, I answered myself while typing this.

Correct answer A, managed identities.


upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


A, for sure
Using Managed Service
upvoted 2 times

  gboyega 4 months, 3 weeks ago


A is correct
upvoted 4 times

  ark007thegreat 4 months ago


A is correct answer

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
upvoted 2 times

  Sahilkondel 1 month, 1 week ago


Answer B is the correct and feasible approach. With just managed identity you can grant db level access to VM1. To securely access the db
from VM1 using the contained db user, you have to store its secret in Key vault and then on VM1 grant access to key vault while
configuring the system managed identity.
upvoted 1 times

  awssecuritynewbie 1 month ago


It would be C to provide secure access --service endpoint
upvoted 1 times

  thomastrain 2 weeks, 5 days ago


A is correct as junkz and others have stated.
upvoted 1 times


Question #17 Topic 4

You have an Azure subscription named Sub1 that contains the Azure key vaults shown in the following table:

In Sub1, you create a virtual machine that has the following configurations:
✑ Name: VM1
✑ Size: DS2v2
✑ Resource group: RG1
✑ Region: West Europe
✑ Operating system: Windows Server 2016
You plan to enable Azure Disk Encryption on VM1.
In which key vaults can you store the encryption key for VM1?

A. Vault1 or Vault3 only

B. Vault1, Vault2, Vault3, or Vault4

C. Vault1 only

D. Vault1 or Vault2 only

Correct Answer: A
In order to make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the Key Vault and the VMs to be co-
located in the same region. Create and use a Key Vault that is in the same region as the VM to be encrypted.
Reference:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites

  kristiann21 5 months, 4 weeks ago


correct answer.
upvoted 10 times

  certi edgeek 5 months ago


Based on https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview#encryption-key-storage-
requirements. "Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault
and VMs must reside in the same Azure region and subscription." - So this should be Vault1 only
upvoted 3 times

  Appy z 4 months ago


All vaults are in same subscription and region but different resource group. Hence, answer A stands true.
upvoted 7 times

  gfhbox0083 4 months, 4 weeks ago


A, for sure
Same Azure Region for KeyVault
upvoted 6 times

  gboyega 4 months, 3 weeks ago


A is correct
upvoted 5 times

  Exam_Master_Me 4 months, 1 week ago


Correct.

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault
states: Your key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries,
Azure Disk Encryption requires the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the
same subscription and region as the VMs to be encrypted.
upvoted 3 times

  btxy4 1 month, 3 weeks ago


"Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must 
reside in the same Azure region and subscription."
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview-aad

upvoted 1 times


Question #18 Topic 4

HOTSPOT -
You have an Azure subscription that contains an Azure key vault named Vault1.
On January 1, 2019, Vault1 stores the following secrets.

When can each secret be used by an application? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Never - 
Password1 is disabled.


Box 2: Only between March 1, 2019 and May 1,


Password2:

Reference:
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurekeyvaultsecretattribute

  jbarszcz 7 months ago


correct
upvoted 8 times

  kristiann21 5 months, 4 weeks ago


correct answers
upvoted 3 times

  itstoshi 5 months ago


correct
upvoted 2 times

  gfhbox0083 4 months, 4 weeks ago


The provided answer is Correct
upvoted 7 times

  Remy 4 months ago


This date format...
upvoted 6 times

  soupfox 2 weeks, 2 days ago


agreed, answer is correct
upvoted 1 times


Question #19 Topic 4

You have an Azure web app named webapp1.


You need to configure continuous deployment for webapp1 by using an Azure Repo.
What should you create first?

A. an Azure Application Insights service

B. an Azure DevOps organizations

C. an Azure Storage account

D. an Azure DevTest Labs lab

Correct Answer: B
To use Azure Repos, make sure your Azure DevOps organization is linked to your Azure subscription.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment

  D0yle 9 months, 3 weeks ago


I am wondering why this question is here - it is not in AZ-500 scope?
upvoted 1 times

  barchetta 9 months, 3 weeks ago


This is not security. Perhaps not on the exam. This site is free, I'm not gonna complain unless it's on the test and then the complaint will be
to MS not examtopics. I'm going to contribute to ET because I see they are having performance issues.. I'm sure they can use some cash.
upvoted 9 times

  anonek 7 months ago


Correct answer is B
upvoted 4 times

  kristiann21 5 months, 4 weeks ago


correct answer
upvoted 1 times

  Basit_Khan 2 months, 1 week ago


This is related to AZ-400 Exam Topic
upvoted 1 times

  Shaw90 1 month, 1 week ago


This was actually in the Exam Azure-500, I am surprised too.
upvoted 7 times

Topic 5 - Testlet 1


Question #1 Topic 5

Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.

Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the
Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity Management (PIM) is
activated.
The tenant contains the groups shown in the following table.

The Azure subscription contains the objects shown in the following table.

Azure Security Center is set to the Free tier.

Planned changes -
Litware plans to deploy the Azure resources shown in the following table.

Identity and Access Requirements


Litware identifies the following identity and access requirements:
All San Francisco users and their devices must be members of Group1.
The members of Group2 must be assigned the Contributor role to Resource Group2 by using a permanent eligible assignment.
Users must be prevented from registering applications in Azure AD and from consenting to applications that access company information on the
users' behalf.
Platform Protection Requirements
Litware identifies the following platform protection requirements:
Microsoft Antimalware must be installed on the virtual machines in Resource Group1.
The members of Group2 must be assigned the Azure Kubernetes Service Cluster Admin Role.
Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must be
available only for Resource Group1.
Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
Data and Application Requirements
Litware identifies the following data and applications requirements:
The users in Group2 must be able to authenticate to SQLDB1 by using their Azure AD credentials.

WebApp1 must enforce mutual authentication.


General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.

Question
You need to meet the identity and access requirements for Group1.
What should you do?

A. Add a membership rule to Group1.

B. Delete Group1. Create a new group named Group1 that has a membership type of Office 365. Add users and devices to the group.

C. Modify the membership rule of Group1.

D. Change the membership type of Group1 to Assigned. Create two groups that have dynamic memberships. Add the new groups to Group1.

Correct Answer: B
Incorrect Answers:
A, C: You can create a dynamic group for devices or for users, but you can't create a rule that contains both users and devices.
D: For assigned group you can only add individual members.
Scenario:
Litware identifies the following identity and access requirements: All San Francisco users and their devices must be members of Group1.
The tenant currently contains this group:

References:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership https://docs.microsoft.com/en-
us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal

  junkz 1 year, 1 month ago


correct is D, O365 group is for accessing other stuff like Sharepoint
upvoted 5 times

  Oz 1 year ago
I agree that D is a correct answer.
Here is the reference to support this.
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
It states clearly that "You can create a dynamic group for devices or for users, but you can't create a rule that contains both users and
devices."
upvoted 13 times

  VikasA 1 month, 3 weeks ago


I must say that "Oz" is doing fantastic job by bringing correct answers into the comments and he is doing this for many other exams.
Kudos Oz !!
upvoted 4 times

  anonymous654 11 months ago


the images are broken
upvoted 6 times

  Solanki 6 months, 3 weeks ago


You can find images again in next page Topic 7 Q1
upvoted 2 times

  barchetta 9 months, 3 weeks ago


I checked and you can add another group to an assigned group so I agree, it is D.
upvoted 3 times

  Prash85 8 months, 3 weeks ago


images are broken... pls update 
upvoted 2 times


  joshp 8 months ago


I agree that it is D, O365 is a group type and not a membership type so that makes B incorrect. Then as Oz said groups are either for
devices or users but not both.
upvoted 2 times

  chinJ 7 months, 2 weeks ago


answer is D, as we can't add devices to O365 groups: "Security groups can be used for either devices or users, but Office 365 groups can be
only user groups." https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-create-rule
upvoted 5 times

  AS007 7 months, 1 week ago


Correct answer - D. Change the membership type of Group1 to Assigned. Create two groups that have dynamic memberships. Add the
new groups to Group1.
upvoted 7 times

  RTamahawk 6 months, 3 weeks ago


Images are broken...
upvoted 4 times

  Solanki 6 months, 3 weeks ago


You can find images again in next page Topic 7 Q1
upvoted 3 times

  Rajuuu 6 months ago


Dynamic Rules cannot be applied to users and devices together in a single group. B is incorrect..Correct Answer is D.
upvoted 1 times

  maj79 5 months, 1 week ago


images unavailable
upvoted 1 times

  maj79 5 months, 1 week ago


images unavailable
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


D, for sure.
Dynamic Rules cannot be applied to users and devices together in a single group
upvoted 1 times

  gboyega 4 months, 3 weeks ago


D is the Correct Answer
upvoted 2 times

  BobJayJay4 3 months, 3 weeks ago


I tried B and D on a real azure account. Neither solution works. Are we sure the wording is right on the answers? Can anyone else create a
main group1 assigned then add two dynamic? Mine greys them out so it can't be done
upvoted 1 times

  eug45 3 months, 3 weeks ago


Answer is D.

When you create dynamic groups, they can either contain users or devices. Hence here we need to create two separate dynamic groups
and assign those groups to an Assigned group
upvoted 3 times

  BobJayJay4 3 months, 3 weeks ago


But when I create an assigned group and try to add dynamic groups to them it actually says on the portal console not supported and they
are greyed out. Anyone seeing this on a real Azure system? Maybe they changed it?
upvoted 1 times

  hstorm 2 months, 2 weeks ago


On real Azure, it is possible and not greyed.
upvoted 1 times

  jeanarro 3 months, 2 weeks ago


It's the D, I just validated it in my tenant
upvoted 2 times

  Israel1 4 weeks, 1 day ago


The Answer is D - I have researched it and verified
upvoted 1 times

  KemalM 2 weeks, 5 days ago 


For the ones answering D: You can add dynamic groups to Group1 after making Assigned. However, users or devices in dynamic groups
cannot be read or provisioned. https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#:~:text=The%20Azure%20AD%20user%20provisioning%20service%20can%27t%20read,group%20to%20manage%20access%20to%20SaaS%20applications%20%29.
So, the answer is correct.
upvoted 1 times

Topic 6 - Testlet 2


Question #1 Topic 6

Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.

Existing Environment -

Azure AD -
Contoso.com contains the users shown in the following table.

Contoso.com contains the security groups shown in the following table.

Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.



Sub1 contains the Azure policies shown in the following table.

Sub2 -
Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.

All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.


NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.

Question
You need to ensure that User2 can implement PIM.
What should you do first?

A. Assign User2 the Global administrator role.

B. Configure authentication methods for contoso.com.

C. Configure the identity secure score for contoso.com.

D. Enable multi-factor authentication (MFA) for User2.

Correct Answer: A
To start using PIM in your directory, you must first enable PIM.
1. Sign in to the Azure portal as a Global Administrator of your directory.
You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example,
@outlook.com), to enable PIM for a directory.
Scenario: Technical requirements include: Enable Azure AD Privileged Identity Management (PIM) for contoso.com
References:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-getting-started

  kristiann21 6 months ago


In the exam, would it be possible to go back to the case study information after viewing the question?
upvoted 1 times

  jd1 5 months ago


Yes, you can see the case study information and question at the same time. I usually read the question/questions before I even look at
the case study, since questions like these don't even require the case study, which saves time.
upvoted 8 times

  kristiann21 5 months, 4 weeks ago


Global Administration rights required.

I was thinking MFA, but then the question does not mention MFA, or MFA status it only mentions user 2 has Security Administrator Role.
So obviously if User2 needs to implement PIM, PIM needs to be enabled, and it requires Global Administrator role.
upvoted 12 times

  juselasmc 2 months, 2 weeks ago


I think Correct Answer is A. This is in the Exam
upvoted 4 times

  Stuudent 2 days, 9 hours ago


This seems off to me:

First:
When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in
Azure AD and selects a role (or even just visits Privileged Identity Management):

We automatically enable PIM for the organization


Their experience is now that they can either assign a "regular" role assignment or an eligible role assignment

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started

Secondly:

Sign in to the Azure portal with a user who is in the Privileged role administrator role.
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?tabs=new

So no Global Administrator Role seems necessary?


upvoted 1 times

Topic 7 - Testlet 3


Question #1 Topic 7

Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an
All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to
answer a question, click the Question button to return to the question.

Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.

Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the
Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity Management (PIM) is
activated.
The tenant contains the groups shown in the following table.

The Azure subscription contains the objects shown in the following table.

Identity and Access Requirements


Azure Security Center is set to the Free tier.

Planned changes - 
Litware plans to deploy the Azure resources shown in the following table.


Litware identifies the following identity and access requirements:


All San Francisco users and their devices must be members of Group1.
The members of Group2 must be assigned the Contributor role to Resource Group2 by using a permanent eligible assignment.
Users must be prevented from registering applications in Azure AD and from consenting to applications that access company information on the
users' behalf.
Platform Protection Requirements
Litware identifies the following platform protection requirements:
Microsoft Antimalware must be installed on the virtual machines in Resource Group1.
The members of Group2 must be assigned the Azure Kubernetes Service Cluster Admin Role.
Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must be
available only for Resource Group1.
Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
Data and Application Requirements
Litware identifies the following data and applications requirements:
The users in Group2 must be able to authenticate to SQLDB1 by using their Azure AD credentials.
WebApp1 must enforce mutual authentication.

General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.

Question
You need to ensure that users can access VM0. The solution must meet the platform protection requirements.
What should you do?

A. Move VM0 to Subnet1.

B. On Firewall, configure a network traffic filtering rule.

C. Assign RT1 to AzureFirewallSubnet.

D. On Firewall, configure a DNAT rule.

Correct Answer: A
Azure Firewall has the following known issue:
Conflict with Azure Security Center (ASC) Just-in-Time (JIT) feature.
If a virtual machine is accessed using JIT, and is in a subnet with a user-defined route that points to Azure Firewall as a default gateway, ASC
JIT doesn't work.
This is a result of asymmetric routing: a packet comes in via the virtual machine public IP (JIT opened the access), but the return path is via
the firewall, which drops the packet because there is no established session on the firewall.
Solution: To work around this issue, place the JIT virtual machines on a separate subnet that doesn't have a user-defined route to the firewall.
Scenario:

Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.


References:
https://docs.microsoft.com/en-us/azure/firewall/overview

  svamptk 1 year ago


This no longer is true. JIT with Azure Firewall protected resources now is GA: https://azure.microsoft.com/en-us/updates/just-in-time-jit-vm-access-for-azure-firewall-is-now-generally-available/
upvoted 9 times

  barchetta 9 months, 3 weeks ago


THIS is why I don't think I'm cheating. Thanks for the update svamptk.
upvoted 5 times

  swip 7 months, 2 weeks ago


Also JIT access is not available with the free tier of Azure security Centre...
upvoted 8 times

  skb1996 6 months ago


so is this question irrelevant or is there still an answer??
upvoted 1 times

  Root_Access 6 months, 1 week ago


Shouldn't it be configuring DNAT?
per https://docs.microsoft.com/en-us/azure/firewall/overview:
Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to
the private IP addresses on your virtual networks.
upvoted 1 times

  gboyega 4 months, 3 weeks ago


This is correct
upvoted 1 times

  LTTAM 3 months, 3 weeks ago


Yes indeed the answer is:
D: On Firewall, configure a DNAT rule.
upvoted 2 times

  P0d 5 months, 2 weeks ago


But question says VM0 connected to Subnet0. So no need to move it to Subnet0. For me answer C
upvoted 4 times

  PA 4 months, 3 weeks ago


Which one is correct here .. C ?
upvoted 2 times

  gboyega 4 months, 3 weeks ago


The answer should be D
1. The VM is already in Subnet0
2. We don't need the Firewall to filter traffic
3. The routing table is to be attached to the Subnet not the AzureFirewallSubnet
4. Configuring a DNAT rule means configuring an inbound rule. So what we are doing is making port 3389 open through the Firewall then
after hitting the public ip of the firewall, it is then Nat'd to the private IP of the VM0 we want to connect to
upvoted 16 times

  LTTAM 4 months ago


A very good explanation. Dead on.
upvoted 2 times

  james13 3 months, 2 weeks ago


The DNAT mapping is configured as part of the JIT process. Enabling this is just part way circumventing the process and having JIT
just modify NSG access. DNAT. https://charbelnemnom.com/2019/06/how-to-configure-just-in-time-vm-access-for-azure-firewall-in-azure-security-center/
upvoted 3 times

  examacc 3 months, 2 weeks ago


Only option that makes sense is network traffic filter rule, that's B
upvoted 1 times

  publicuser55 3 months, 1 week ago


There's already another route assigned to Subnet0 that is pointing to the Firewall1 as the Default Gateway, for that reason we need to move
VM0 to subnet1. Answer is A
upvoted 2 times

  levo017 3 months ago


I agree with you. I think the topic in testing is about the routeTable on Subnet0 that's routing traffic to Firewall1, which is on Subnet1.
upvoted 1 times

  levo017 3 months ago


Sorry, after reading some documents ( not tested ), I think D, using DNAT on Firewall, is the answer.
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat
upvoted 2 times

  juselasmc 2 months, 2 weeks ago


True, tested.
upvoted 1 times

  cloudycloud 1 month, 3 weeks ago


what would be the point in moving VM0 to subnet1 ?
upvoted 1 times


Question #2 Topic 7

Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an
All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to
answer a question, click the Question button to return to the question.

Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.

Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the
Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity Management (PIM) is
activated.
The tenant contains the groups shown in the following table.

The Azure subscription contains the objects shown in the following table.

Identity and Access Requirements


Azure Security Center is set to the Free tier.

Planned changes - 
Litware plans to deploy the Azure resources shown in the following table.


Litware identifies the following identity and access requirements:


All San Francisco users and their devices must be members of Group1.
The members of Group2 must be assigned the Contributor role to Resource Group2 by using a permanent eligible assignment.
Users must be prevented from registering applications in Azure AD and from consenting to applications that access company information on the
users' behalf.
Platform Protection Requirements
Litware identifies the following platform protection requirements:
Microsoft Antimalware must be installed on the virtual machines in Resource Group1.
The members of Group2 must be assigned the Azure Kubernetes Service Cluster Admin Role.
Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must be
available only for Resource Group1.
Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
Data and Application Requirements
Litware identifies the following data and applications requirements:
The users in Group2 must be able to authenticate to SQLDB1 by using their Azure AD credentials.
WebApp1 must enforce mutual authentication.

General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.

Question
HOTSPOT -
You need to deploy Microsoft Antimalware to meet the platform protection requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

Scenario: Microsoft Antimalware must be installed on the virtual machines in RG1.


RG1 is a resource group that contains Vnet1, VM0, and VM1.

Box 1: DeployIfNotExists -
DeployIfNotExists executes a template deployment when the condition is met.
Azure policy definition Antimalware
Incorrect Answers:
Append:
Append is used to add additional fields to the requested resource during creation or update. A common example is adding tags on resources
such as costCenter or specifying allowed IPs for a storage resource.
Deny:
Deny is used to prevent a resource request that doesn't match defined standards through a policy definition and fails the request.
Box 2: The Create a Managed Identity setting
When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity. Azure Policy creates a
managed identity for each assignment, but must have details about what roles to grant the managed identity.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects

  junkz 1 year, 1 month ago


second Question's answer is "the scope" since it is specified RG1 only. the managed identity is created automatically in this scenario
upvoted 23 times

  Otto_Aulicino 10 months, 1 week ago


I believe it is about what you have to modify in the policy, not whether or not it is created automatically. In the answer description it is
explaining that it has to be modified to define the role to be assigned.
upvoted 2 times

  HarryD 8 months, 2 weeks ago


I think the answer is correct, see the first screenshot on with a checkbox to create a managed identity https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources#configure-policy-definition
upvoted 3 times

  cybrtrk 7 months, 2 weeks ago


junkz is right:
antimalware is only to be deployed to RG1, so a scope must be specified.
also, you don't set up managed identities in a policy template, you set scope.
see: https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-template
upvoted 5 times

  swip 7 months, 2 weeks ago


If you create a policy definition that has DeployIfNotExists when you come to assign the policy the setting to create a managed identity is
enabled and greyed out, it is a requirement.

To satisfy the requirements you need to specify the scope of the subscription and then RG
upvoted 3 times

  AS007 7 months, 1 week ago


Scope is right answer
upvoted 5 times

  examkid 6 months ago


It actually depends on how you read the question.


To create an auto remediation for the policy, a managed identity is needed, which can be created from the policy assignment.
Without the MI the deployIfNotExists is not going to work

The question is that the AntiMalware must be installed on the virtual machines in RG1
If a scope was not set, the Antimalware would still be installed on these VM's

As without the Managed Identity the deployment would fail.

So the given answer is correct


upvoted 4 times

  levo017 3 months ago


Managed Identity is auto created ( unless resources outside the scope are changed as part of policy ). See:
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources#manually-configure-the-managed-identity

So I think the answer is D, assign scope so only RG1 VMs are affected.
upvoted 1 times

  gboyega 4 months, 3 weeks ago


Answers are
1. DeployifNotExists
2. Scope
upvoted 12 times

  eug45 3 months, 3 weeks ago


you are wrong.

answer given is correct

Good job!
Here we need to set the managed identity setting which would allow the policy to deploy the Antimalware extension onto the virtual
machines.
upvoted 1 times

  LTTAM 3 months, 3 weeks ago


eug45 Did you do the lab and test it out in Azure? Because if you did, you will see that you are wrong. You specify scope in the ARM,
not managed identity. Please also back up your answer with either a Microsoft link/documentation or do the lab. Or else you just
further confuse people.

Link to further explain DeployIfNotExists - https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists
upvoted 7 times

  kiketxu 2 months ago


agree with you.
1. DeployifNotExists
2. Scope
upvoted 1 times

  Shaw90 1 month, 2 weeks ago


When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity. Azure Policy
creates a managed identity for each assignment, but must have details about what roles to grant the managed identity.
So we have to configure the details hence its required that we modify the settings.
Reference: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
upvoted 1 times

  Sahilkondel 1 month, 1 week ago


Answer is correct.
Policies with the deployIfNotExists and modify effect types need the ability to deploy resources and edit tags on existing resources
respectively. To do this, you need to select checkbox option "Create Managed Identity" on the "Remediation" Section of Assign Policy in
Azure Portal.
upvoted 1 times

  jinxie 1 week ago


according to the documentation the only times you would manually configure the managed identity is:
While using the SDK (such as Azure PowerShell)
When a resource outside the assignment scope is modified by the template
When a resource outside the assignment scope is read by the template
source: https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources#manually-configure-the-managed-identity
in other words the answer is wrong and you should use scope instead.
upvoted 2 times

  kiketxu 4 days, 11 hours ago


pretty said.
upvoted 1 times 


Question #3 Topic 7

Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an
All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to
answer a question, click the Question button to return to the question.

Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.

Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the
Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity Management (PIM) is
activated.
The tenant contains the groups shown in the following table.

The Azure subscription contains the objects shown in the following table.

Identity and Access Requirements


Azure Security Center is set to the Free tier.

Planned changes - 
Litware plans to deploy the Azure resources shown in the following table.


Litware identifies the following identity and access requirements:


All San Francisco users and their devices must be members of Group1.
The members of Group2 must be assigned the Contributor role to Resource Group2 by using a permanent eligible assignment.
Users must be prevented from registering applications in Azure AD and from consenting to applications that access company information on the
users' behalf.
Platform Protection Requirements
Litware identifies the following platform protection requirements:
Microsoft Antimalware must be installed on the virtual machines in Resource Group1.
The members of Group2 must be assigned the Azure Kubernetes Service Cluster Admin Role.
Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must be
available only for Resource Group1.
Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
Data and Application Requirements
Litware identifies the following data and applications requirements:
The users in Group2 must be able to authenticate to SQLDB1 by using their Azure AD credentials.
WebApp1 must enforce mutual authentication.

General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.

Question
DRAG DROP -
You need to deploy AKS1 to meet the platform protection requirements.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:


Correct Answer:

Scenario: Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
Litware plans to deploy AKS1, which is a managed AKS (Azure Kubernetes Service) cluster.
Step 1: Create a server application
To provide Azure AD authentication for an AKS cluster, two Azure AD applications are created. The first application is a server component that
provides user authentication.
Step 2: Create a client application
The second application is a client component that's used when you're prompted by the CLI for authentication. This client application uses the
server application for the actual authentication of the credentials provided by the client.
Step 3: Deploy an AKS cluster.
Use the az group create command to create a resource group for the AKS cluster.
Use the az aks create command to deploy the AKS cluster.
Step 4: Create an RBAC binding.
Before you use an Azure Active Directory account with an AKS cluster, you must create a role binding or cluster role binding. Roles define the
permissions to grant, and bindings apply them to the desired users. These assignments can be applied to a given namespace, or across the entire
cluster.
Reference:
https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration
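As an added example for step 4 (not code from the page or from Microsoft's documentation), the following Python builds the RBAC binding for Azure AD principals the way the integration above expects it: a group is referenced by its object ID and a user by UPN, and a cluster-wide binding may only reference a ClusterRole. The group object ID and the `pod-reader` Role name are placeholders, not values from the scenario.

```python
import json
import re

# With the Azure AD integration described above, Kubernetes sees a group as its
# Azure AD object ID (a GUID) and a user as the UPN carried in the token.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
RBAC_GROUP = "rbac.authorization.k8s.io"


def aad_subject(principal):
    """Translate an Azure AD principal into a Kubernetes RBAC subject, or refuse it."""
    if GUID_RE.match(principal):
        return {"kind": "Group", "name": principal.lower(), "apiGroup": RBAC_GROUP}
    if UPN_RE.match(principal):
        return {"kind": "User", "name": principal, "apiGroup": RBAC_GROUP}
    raise ValueError(f"not an Azure AD group object ID or user principal name: {principal!r}")


def aad_binding(name, role, principals, namespace=None):
    """Build a RoleBinding (namespace given) or ClusterRoleBinding (namespace None).

    A namespaced binding may reference a Role in that namespace or a ClusterRole;
    a cluster-wide binding can only reference a ClusterRole. `role` is a dict with
    "kind" (Role/ClusterRole, default ClusterRole) and "name".
    """
    if not principals:
        raise ValueError("a binding without subjects grants nothing; refusing to emit it")
    kind = "RoleBinding" if namespace else "ClusterRoleBinding"
    role_kind = role.get("kind", "ClusterRole")
    if kind == "ClusterRoleBinding" and role_kind != "ClusterRole":
        raise ValueError("a ClusterRoleBinding must reference a ClusterRole")
    metadata = {"name": name}
    if namespace:
        metadata["namespace"] = namespace
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": kind,
        "metadata": metadata,
        "roleRef": {"apiGroup": RBAC_GROUP, "kind": role_kind, "name": role["name"]},
        "subjects": [aad_subject(p) for p in principals],
    }


def render(manifest):
    # kubectl apply -f accepts JSON as well as YAML, so no third-party YAML library is needed.
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    GROUP_OBJECT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real group
    # Cluster-wide admin for an Azure AD group, and a namespace-scoped read-only binding for one user.
    print(render(aad_binding("aad-group-cluster-admin",
                             {"kind": "ClusterRole", "name": "cluster-admin"}, [GROUP_OBJECT_ID])))
    print(render(aad_binding("dev-pod-reader", {"kind": "Role", "name": "pod-reader"},
                             ["user1@litwareinc.com"], namespace="dev")))
```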

  Andy998 5 months, 1 week ago


Given answer is correct.
upvoted 3 times

  sanjayb 4 months, 1 week ago


There is a managed Azure AD Integration available now that doesn't require you to create server/client apps and role binding as required
earlier. It is totally managed by Microsoft.
https://docs.microsoft.com/en-us/azure/aks/managed-aad
upvoted 2 times

  eug45 3 months, 3 weeks ago


correct answer

The correct order is Create the server application, Create the client application, Deploy the AKS cluster, Create the RBAC binding
upvoted 1 times

  jbuenoo 2 months, 3 weeks ago


correct answers.

Ref: https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli
upvoted 2 times

  soupfox 2 weeks, 2 days ago


This question is out of date now; agreed with sanjayb, there is no need to create the server app and client app components any more, see this:
https://docs.microsoft.com/en-us/azure/aks/managed-aad#upgrading-to-aks-managed-azure-ad-integration
upvoted 1 times


Topic 8 - Testlet 4


Question #1 Topic 8

Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.

Existing Environment -

Azure AD -
Contoso.com contains the users shown in the following table.

Contoso.com contains the security groups shown in the following table.

Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.



Sub1 contains the Azure policies shown in the following table.

Sub2 -
Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.

All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.


NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.

Question
HOTSPOT -
What is the membership of Group1 and Group2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: User1, User2, User3, User4


Contains "ON" is true for Montreal (User1), MONTREAL (User2), London (User3), and Ontario (User4), as string and regex operations are not
case sensitive.

Box 2: Only User3 -



Match "*on" is only true for London (User3), as 'London' is the only word that ends with 'on'.
Scenario:

Contoso.com contains the users shown in the following table.

Contoso.com contains the security groups shown in the following table.

References:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
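To make the operator semantics concrete, here is an added Python model (not from the page or from Microsoft) of the single-clause rule operators the linked documentation describes, run against the four cities named in the explanation. Python's `re` stands in for the .NET regex engine Azure AD uses (both reject a leading `*`), and the user table is constructed from the explanation text.

```python
import re

# Constructed from the answer explanation: the city attribute of the four users.
USERS = {
    "User1": {"city": "Montreal"},
    "User2": {"city": "MONTREAL"},
    "User3": {"city": "London"},
    "User4": {"city": "Ontario"},
}

RULE_RE = re.compile(r'\(user\.(\w+)\s+(-eq|-contains|-match)\s+"([^"]*)"\)')


def evaluate_rule(rule, users):
    """Evaluate a single-clause dynamic membership rule, (user.<attr> <op> "<value>").

    Modelled operators, all case-insensitive as the Azure AD docs state:
      -eq        exact string equality
      -contains  substring anywhere in the attribute (string semantics, not PowerShell's)
      -match     regular expression search, unanchored unless the pattern anchors itself
    Returns the sorted list of matching user names. Raises ValueError when the rule
    cannot be parsed or the regex is invalid, which is the case the portal refuses to save.
    """
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    attr, op, value = m.groups()
    pattern = None
    if op == "-match":
        try:
            pattern = re.compile(value, re.IGNORECASE)
        except re.error as exc:
            raise ValueError(f"invalid regular expression {value!r}: {exc}") from exc

    members = []
    for name, attrs in users.items():
        actual = attrs.get(attr)
        if actual is None:          # a user without the attribute never matches
            continue
        if op == "-eq":
            hit = actual.casefold() == value.casefold()
        elif op == "-contains":
            hit = value.casefold() in actual.casefold()
        else:
            hit = pattern.search(actual) is not None
        if hit:
            members.append(name)
    return sorted(members)


def rule_is_valid(rule, users=USERS):
    """True if the rule parses and compiles; False for rules the portal would reject."""
    try:
        evaluate_rule(rule, users)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for rule in ['(user.city -contains "on")', '(user.city -match "*on")',
                 '(user.city -match ".*on")', '(user.city -match ".*on$")']:
        try:
            print(f"{rule:32} -> {evaluate_rule(rule, USERS)}")
        except ValueError as exc:
            print(f"{rule:32} -> REJECTED: {exc}")
```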

  NoNotSpam 11 months, 2 weeks ago


I believe Group 1 should be No Members. Based on PowerShell, the contains operator only returns true for full matches, it's not a regex
match. "on" != "Ontario" or "London". See https://devblogs.microsoft.com/scripting/using-the-powershell-contains-operator
upvoted 4 times

  onlyfunmails 10 months, 1 week ago


Group1: User 1/2/3/4
upvoted 5 times

  LTTAM 3 months, 3 weeks ago


This is not powershell. Those diagrams are from the policy blades in the portal.
upvoted 4 times

  Daniel777 2 weeks, 4 days ago


".*on" is the correct syntax and matches "London" only.
upvoted 1 times

  RupaliS 11 months ago


Agree Box 1 should be "No Members"
The Contains operator returns True only when there is an exact match. Partial matches return False. The Contains operator is case
insensitive. Therefore, it will return True when matched, regardless of case
upvoted 3 times

  onlyfunmails 10 months, 1 week ago


I agree with recommended answer. There are two operation -eq and -contains as per below link.

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
upvoted 7 times

  onlyfunmails 10 months, 1 week ago


Group1: User 1/2/3/4
upvoted 3 times

  Otto_Aulicino 10 months, 1 week ago


Definitely the group 1 membership is User 1, 2, 3 and 4.
upvoted 3 times

  azurearch 9 months ago


group 2 should have Montreal as it satisfies *on condition
upvoted 2 times

  Archtos 2 months ago


montreal would require *on*
upvoted 1 times

  Archtos 2 months ago


rather .*on.*
upvoted 1 times

  HarryD 8 months, 2 weeks ago


Group 1 contains 1,2,3,4 and Group 2 query is incorrect "on.*" or ".*on" https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
upvoted 7 times 
  dumpmaster 7 months, 3 weeks ago

Box one: No members. Open the Powershell and test!


upvoted 3 times

  Sizz 6 months, 3 weeks ago


This isn't PowerShell though, it's dynamic groups. When you test this in dynamic groups, it returns members 1-4 as expected per
documentation.
upvoted 5 times

  AS007 7 months, 1 week ago


Given answers are correct - reason "the rules are different, one says match and other says contain"
upvoted 6 times

  AdnanEzzi 7 months, 1 week ago


The answer is correct. Group 1 - U1, U2, U3 & U4 AND for Group 2 - U3.
upvoted 14 times

  Prash85 6 months, 4 weeks ago


Given Answers are correct.. Contains returns true or false and not case sensitive so it will result in User 1/2/3/4
Match bringing in the matched expression in this case "*on" last letters to end is with on which means London in this case.. so answer is
User 3
upvoted 2 times

  Sizz 6 months, 3 weeks ago


Actually, when you test this in dynamic groups, the query won't save because it's invalid. If it were ".*on", it would save OK and it would
actually match Users 1-4.
upvoted 3 times

  Sizz 6 months, 3 weeks ago


And to follow up, in order to ONLY match user3, the query would have to be (user.city -match ".*on$")
upvoted 4 times

  D_PaW 6 months ago


Group1: User1, User2, User3, User4 (-contains search anywhere in the string)

Group2: Fail syntax error but if it was ".*on" it would actually be same as the -contains. If it should be different then it should be
".*on$" like @Sizz also noticed.

All are case insensitive as the link from @onlyfunmails said


upvoted 2 times

  kristiann21 5 months, 4 weeks ago


makes perfect sense from a regular expression perspective.
upvoted 1 times

  sprlftr 6 months, 2 weeks ago


Group1 is users 1, 2, 3 & 4. This isn't PowerShell, so the 'contains' operator in this context is looking for partial matches in a string, and
importantly, is NOT case sensitive.

Group2 should have no members (assuming there are no typos in the question), as the 'matches' operator uses Regex, and '*on' is invalid
(the '*' character matches zero or one of the preceding token, which is missing in this example). Again, this is not case sensitive, but
doesn't matter here anyway.
upvoted 1 times

  Andy998 5 months, 1 week ago


Given answers are correct.
upvoted 1 times

  David_986969 5 months, 1 week ago


Given answer is correct
upvoted 1 times

  Hemn1990 5 months ago


Group1 user 1 2 3 4 no doubt.
Group 2 "*on" i couldn't make dynamic group with that dynamic membership rule, so i would go with 0 members.
upvoted 1 times

  Olushola59 4 months, 4 weeks ago


The Answer given is actually correct because firstly the -contain parameter simply just means any of the cities that contains "on" which is
why Users1,2,3&4 are correct. As for the -match operation in dynamic group membership, the * actually affects how the dynamic rule
would work so for the *on, Cities that have any values after the "on" won't be recognised (such as Montreal and Ontario) but the ones with
values before the on would be recognised and only London falls under that category.
kindly review the specific links below for reference.

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#using-the-underscore-_-syntax
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#using-the--match-operator
upvoted 3 times


  pmr123 4 months, 3 weeks ago


*ON means either 0 or many..so it would follow user1,2,3,4...Let's assume user3 correct then why can't user 1 which is similar condition met
upvoted 1 times

  eug45 3 months, 3 weeks ago


The correct answer is User 1/2/3/4 for both
When the rule values are evaluated, it is not case sensitive and since the condition is to match either any or zero characters before the
keyword on (“.*on”), all users will be matched.
upvoted 1 times

  LTTAM 3 months, 3 weeks ago


I have meticulously tested this in Azure with varying syntax. FYI... The dynamic membership rules are NOT cAsE sensitive.

Answer for Box 1 is Users 1-4.

As others have mentioned... there is a typo in Box 2. *on is NOT a valid syntax. Azure will throw an error and will not save the rule. The
correct syntax should be .*on (thats 'dot' and 'asterisk' before 'on'). If this is the case on the exam, the answer for box 2 will be Users 1-4.
upvoted 5 times

  sideheb270 3 months, 2 weeks ago


correct syntax is wrong for second one.
upvoted 1 times

  Ace786 2 months, 3 weeks ago


Tested in a lab
q1= users 1,2,3,4
q2= invalid syntax as stated before, if it's .*on then users 1,2,3,4 as stated before
upvoted 3 times

  cloudycloud 1 month, 3 weeks ago


I have the same result from test in AAD
upvoted 1 times

  ipindado2020 1 month, 3 weeks ago


It should be 1,2,3,4 for both
upvoted 1 times

  awssecuritynewbie 1 month, 2 weeks ago


I first didn't agree but now looking at the documentation i can see that the values are not " String and regex operations are not case
sensitive."

so it would be the correct answer

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
upvoted 1 times

  awssecuritynewbie 1 month, 2 weeks ago


I first didn't agree but now looking at the documentation i can see that the values are not " String and regex operations are not case
sensitive."

so it would be the correct answer

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
upvoted 1 times

  awssecuritynewbie 1 month, 2 weeks ago


look at the given aswer it says " "˜London' is the only word that ends with "˜on'."
but it is a * not a ~ so how is that even the correct explanation ...confused
upvoted 1 times

  Totalvibe 1 month ago


Definitely answers are correct...it’s a matter of the dynamic management rule and regex conditions.
upvoted 1 times

  awssecuritynewbie 1 week, 4 days ago


in the exam guys and i believe it should be removed but they would not listen i have already complained about this.
upvoted 1 times


Question #2 Topic 8

Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.

Existing Environment -

Azure AD -
Contoso.com contains the users shown in the following table.

Contoso.com contains the security groups shown in the following table.

Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.



Sub1 contains the Azure policies shown in the following table.

Sub2 -
Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.

All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.


NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.

Question
HOTSPOT -
You are evaluating the security of the network communication between the virtual machines in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Yes -
NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

Box 2: Yes. VM3 is on Subnet12. There is no NSG attached to Subnet12, so the traffic will be allowed by default.


Box 3: No (because VM5 is in a separate VNet).


Note: Sub2 contains the virtual machines shown in the following table.

  TsuKiQAQ 1 year, 1 month ago


third question should be correct ,because vm1 can ping public ip ,not route by virtual network
upvoted 9 times

  Mustafas 1 year ago


First Question should be No, as the NSG doesn't allow anything from Internet except TCP 80
Third Question should be Yes
upvoted 13 times

  server1 1 month, 3 weeks ago


VM1 and VM2 are on the same subnet so doesnt matter about internet.
upvoted 2 times

  Oz 11 months, 3 weeks ago


Here is what I have tested in a lab myself.
Q1: No { and it should not be allowed as only TCP 80 is allowed from the "Internet" service tag
Q2: Yes {as it should be for VMs in the same local subnet pinging each other on private IP and no NSG configured}
Q3: Yes {VM5 is in subnet where 1st rule of NSG allows any traffic from any source to the destination}
Admins please correct general answer.
upvoted 66 times

  onlyfunmails 10 months, 2 weeks ago


Q1: YES, VM1 and VM2 are both in same Subnet11, so default rules allow them to communicate within same VNET/Subnet.
Q2: NO, NSG3 has rule: 200/Any/Any/Any/Any/Deny --> over-writes default rules. only priority 100/150 applicable, which are for ASG1--
>ASG1 and ASG2 --> VNet, VM1 is in ASG1 and VM3 not associated to asg.
Q3: Yes, even VM1 and VM5 are in different VNets, public IP can be pinged with default rules. NSG4/100 allows everything.
upvoted 4 times

  ashoo 10 months ago


Q2: yes, it doesn't process NSG3! There is no NSG for the vm3. so anything is allowed.
upvoted 4 times

  maknij 9 months ago


Q1 is NO - question is pinging VM2's public IP, not private IP
upvoted 5 times

  Forge 4 months, 1 week ago


Q1: They are asking for public IP not Private

upvoted 2 times


  Omnipitus 1 month, 3 weeks ago


Q1: the question asks about pinging the PUBLIC ip address - not the PRIVATE ip addresses by which they will communicate by virtue
of being on same subnet
upvoted 2 times

  ashoo 10 months ago


agree with that. to be able to ping the public ip of a vm, that vm should have nsg with allowed ICMP traffic from internet. and Nsg2
doesn't have that. but NSG4 does have a rule to allow any inbound traffic from anywhere including internet.
Q1:no
Q2:yes
Q3: yes
upvoted 14 times

  sprlftr 6 months, 2 weeks ago


I tested this too and came to the same conclusion. The original answers are incorrect.
upvoted 2 times

  Ashabashy 1 month, 3 weeks ago


for q1 , in the second rule you have any any vnet to vnet and it will hit on this line
upvoted 1 times

  azurearch 9 months ago


first question: NSG2 is associated to Subnet11 and not nsg1 . it has a rule to allow vnet connection
upvoted 1 times

  swip 7 months, 2 weeks ago


Q1 = No as the traffic would be coming from the INTERNET tag to VM2. VM2 has 2 NSG's associated to it (1 at the NIC and one at the
subnet) neither of those have a rule allowing ICMP traffic so the traffic would be dropped at the subnet and not even reach the NSG
associated to the NIC (I have labbed this)

Q2 = Yes as there is simply no NSG associated with VM3 and VM3 is in the same subnet

Q3 = No as VM 5 is in a different vNet so the NSG's are not even relevant, there is no route between the vNets in the absence of vNet
peering.
upvoted 5 times

  vlq 7 months ago


Q3: Yes, as the traffic would be routed over internet - VM5 public IP - and NSG4 bound to Subnet21 allows all inbound traffic
upvoted 2 times

  kiketxu 2 months ago


right, well explained. NO, YES, YES.
upvoted 1 times

  Gorha 7 months, 2 weeks ago


There is a missing piece that ping works over ICMP, which enabled by 'Any' protocol label. There is no evidence that this is enabled
anywhere for VM1 internet bound ping.
upvoted 2 times

  Rave763 7 months, 1 week ago


i would say the answer given is correct and explanation is valid
upvoted 2 times

  examkid 6 months ago


1.) Answer is No
Based on outbound rule 65001 traffic to the internet is allowed
But inbound ICMP traffic is blocked from the Internet. Only port 80 is allowed
2.) Answer is Yes
there is no NSG connected to this subnet nor the NIC so all traffic wil be allowed

3.) Answer is Yes


although VM5 has an NSG4 that allows ALL traffic from any source to any destination
This is like having no inbound NSG, thus traffic is allowed
upvoted 12 times

  kristiann21 5 months, 4 weeks ago


No, Yes, Yes.
upvoted 9 times

  NeilKK 5 months, 2 weeks ago


Q3 should be YES. VM5 is part of NSG4 and the first rule on NSG 4 is Any Any Any Allow. So VM1 should be able to ping Public IP address of
VM5
upvoted 2 times

  Andy998 5 months, 1 week ago 


Given answers are incorrect. For a start, VM1 is in NSG2, so dunno why the given answer starts talking about NSG1...
Correct answers are:


No
Yes
Yes
upvoted 8 times

  gfhbox0083 4 months, 4 weeks ago


Similar Question appeared in my exam on 02/07/2020.
It was regarding Internet Https access to the VMs
upvoted 3 times

  pmr123 4 months, 3 weeks ago


It's No,Yes,Yes...trust me
upvoted 5 times

  eug45 3 months, 3 weeks ago


The answer is Yes, No, Yes

The network security group NSG2 attached to the subnet does not have a rule to allow incoming ping requests and neither does NSG1
which is attached to NIC2
upvoted 1 times

  eug45 3 months, 3 weeks ago


Sorry, the answer is No, Yes, Yes. This has been confirmed.
upvoted 2 times

  nidoz 3 months ago


NO, yes, yes..... confirmed
upvoted 3 times

  VirtualMatrix 2 months, 1 week ago


Note that, VM1 to public IP address ie, no restriction of outbound traffic to internet. So Q1 and Q3 are Yes.
upvoted 1 times

  VirtualMatrix 2 months, 1 week ago


Note that, VM1 to public IP address ie, no restriction of outbound traffic to internet. So Q1 and Q3 are Yes.

Q2 - VM1 to VM3 is YES.

The correct answer is YES,YES,YES


upvoted 2 times

  kiketxu 2 months ago


Guy... TCP is not ICMP for ping. where you see ICMP inbound from internet on NSG2-> Subnet11?
1.NO 2.YES 3.YES.
upvoted 3 times

  Shaw90 1 month, 1 week ago


I Second That, Please don't confuse and go with the answer. NO, YES YES
upvoted 1 times

  cloudycloud 1 month, 3 weeks ago


NO YES YES, validated by .. ME :)
upvoted 2 times

  awssecuritynewbie 1 month, 2 weeks ago


how can the last question be Yes ? when the VM 1 NSG does not allow outbound ?
upvoted 1 times

  kikkens23 1 month ago


Of course it does...look at the second line of the last table about NGS it has a any > any > Internet > allow.
upvoted 1 times

  DaraZ 1 month ago


In the exam Oct 13th, 2020
upvoted 3 times

  kati 3 weeks, 6 days ago


if icmp is not allowed in NSG2 and vm1 cannot ping Vm2 then how come Vm1 can ping Vm5, Since NS2 does not allow, in the picture there
is no NS4 rule displayed
upvoted 1 times

  kati 3 weeks, 6 days ago


if icmp is not allowed in NSG2 and vm1 cannot ping Vm2 then how come Vm1 can ping Vm5, Since NS2 does not allow, in the picture there
is no NS4 rule displayed, in case Vm1 is pinging the Public IP of VM2 and Vm5, it does not matter if there is Peering enabled or not
upvoted 1 times

  macphy 2 weeks, 4 days ago

No, Yes, No. Please see VM1 and VM5 are on different VNETs.
This means, without peering, you cannot ping from VM1 to VM5 with private IP.
And there is no peering settings, so the packet sent from VM1 would be discarded.
upvoted 1 times

  Stuudent 1 day, 2 hours ago


The way I see it the answers are correct for the reasons provided.
Q1: YES - the machines are in one vnet and even one subnet, VM1 allows outbound ping, VM2 (NSG1 and NSG2 apply to it)- allows inbound
traffic within VNET
Q2: VM1 allows outbound, VM3 has no NSG attached to it; both are in one vnet;
Q3: different VNETs, no peering.
upvoted 1 times


Question #3 Topic 8

Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.

Existing Environment -

Azure AD -
Contoso.com contains the users shown in the following table.

Contoso.com contains the security groups shown in the following table.

Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.



Sub1 contains the Azure policies shown in the following table.

Sub2 -
Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.

All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.


NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.

Question
HOTSPOT -
You are evaluating the effect of the application security groups on the network communication between the virtual machines in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: No. VM4 is in Subnet13 which has NSG3 attached to it.
VM1 is in ASG1. NSG3 would only allow ICMP pings from ASG2 but not ASG1. Only TCP traffic is allowed from ASG1.
NSG3 has the inbound security rules shown in the following table.

Box 2: Yes.
VM2 is in ASG2. Any protocol is allowed from ASG2 so ICMP ping would be allowed.

Box 3: VM1 is in ASG1. TCP traffic is allowed from ASG1 so VM1 could connect to the web server as connections to the web server would be on
ports TCP 80 or TCP 443.
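The evaluation logic the explanation above relies on, written out as an added example (this is not code from the page or from Microsoft): NSG rules are processed in ascending priority, the first match wins, and an ICMP flow never matches a TCP-only rule. The custom rules below are constructed to mirror the explanation (TCP only from ASG1, any protocol from ASG2, followed by an explicit deny), not copied from the exam's NSG3 table, and the three default rules at 65000/65001/65500 are the ones Azure adds to every NSG. A constructed NIC-level deny-all NSG is included to show that inbound traffic must pass the subnet NSG and then the NIC NSG, the point raised in the comments about NIC2.

```python
"""Simplified model of Azure inbound NSG evaluation with application security groups.
Added example; the custom rules are constructed, not the exam's NSG tables."""
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first
    name: str
    source: str        # ASG name, service tag ("VirtualNetwork", ...) or "*"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    dst_port: str      # "80", "80-443" or "*"
    access: str        # "Allow" or "Deny"


@dataclass(frozen=True)
class Flow:
    source_asgs: frozenset   # ASGs the sending NIC is a member of
    protocol: str
    dst_port: int            # ignored for Icmp (use 0)
    from_vnet: bool = True   # sender is inside the virtual network


def _port_matches(spec: str, port: int) -> bool:
    if spec == ANY:
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, flow: Flow) -> bool:
    if spec == ANY:
        return True
    if spec == "VirtualNetwork":
        return flow.from_vnet
    if spec == "AzureLoadBalancer":
        return False          # load balancer probe traffic is not modelled here
    return spec in flow.source_asgs


def evaluate_nsg(rules, flow: Flow):
    """Return (access, rule name) of the first rule, in priority order, that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_source_matches(rule.source, flow)
                and rule.protocol in (ANY, flow.protocol)
                and (flow.protocol == "Icmp" or _port_matches(rule.dst_port, flow.dst_port))):
            return rule.access, rule.name
    return "Deny", "implicit"     # not reached while the default rules are present


# The default inbound rules Azure adds to every NSG.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", ANY, ANY, "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", ANY, ANY, "Allow"),
    Rule(65500, "DenyAllInBound", ANY, ANY, ANY, "Deny"),
]

# Constructed subnet NSG: TCP only from ASG1, any protocol from ASG2, then an explicit
# deny so that AllowVnetInBound (65000) cannot let other VNet traffic through.
SUBNET_NSG = [
    Rule(100, "AllowTcpFromASG1", "ASG1", "Tcp", ANY, "Allow"),
    Rule(110, "AllowAnyFromASG2", "ASG2", ANY, ANY, "Allow"),
    Rule(200, "DenyAllOther", ANY, ANY, ANY, "Deny"),
] + DEFAULT_INBOUND

# Constructed NIC-level NSG that blocks all inbound traffic.
NIC_DENY_ALL = [Rule(100, "DenyAllInbound", ANY, ANY, ANY, "Deny")] + DEFAULT_INBOUND


def effective_inbound(subnet_nsg, nic_nsg, flow: Flow) -> bool:
    """Inbound traffic must be allowed by the subnet NSG and then by the NIC NSG (if any)."""
    return all(evaluate_nsg(nsg, flow)[0] == "Allow"
               for nsg in (subnet_nsg, nic_nsg) if nsg is not None)


if __name__ == "__main__":
    ping_from_asg1 = Flow(frozenset({"ASG1"}), "Icmp", 0)
    ping_from_asg2 = Flow(frozenset({"ASG2"}), "Icmp", 0)
    http_from_asg1 = Flow(frozenset({"ASG1"}), "Tcp", 80)
    print("ICMP from ASG1:", evaluate_nsg(SUBNET_NSG, ping_from_asg1))
    print("ICMP from ASG2:", evaluate_nsg(SUBNET_NSG, ping_from_asg2))
    print("TCP/80 from ASG1:", evaluate_nsg(SUBNET_NSG, http_from_asg1))
    print("TCP/80 with deny-all NIC NSG:", effective_inbound(SUBNET_NSG, NIC_DENY_ALL, http_from_asg1))
```

`evaluate_nsg` answers the per-NSG question (which rule fires and why); `effective_inbound` is the check to run when a VM has one NSG on its subnet and another on its NIC, since a NIC-level deny overrides a subnet-level allow for inbound traffic.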


  barchetta 9 months, 3 weeks ago
q1: don't forget ping is not TCP. I know better but forgot.

upvoted 21 times

  swip 7 months, 2 weeks ago


lol, I was about to kick off, until I read your comment. Face palmed myself and thought I'm an idiot, I also know better
upvoted 4 times

  Stuudent 1 day ago


Well excuse me...:
Verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) echo Request messages.
The receipt of corresponding echo Reply messages are displayed, along with round-trip times. ping is the primary TCP/IP command
used to troubleshoot connectivity, reachability, and name resolution. Used without parameters, this command displays Help content.

and

This command is available only if the Internet Protocol (TCP/IP) is installed as a component in the properties of a network adapter in
Network Connections.

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ping

sounds to me like icmp is operating within TCP and therefore the answer to Q1 should be YES in my opinion.
upvoted 1 times

  TheKing 7 months, 3 weeks ago


You are the king barchetta .
upvoted 6 times

  Andy998 5 months, 1 week ago


Given answers are correct this time
upvoted 2 times

  ccarlton 5 months ago


lol.. ping is not tcp. I also forgot. ;)
upvoted 6 times

  jakobaszek 4 months, 2 weeks ago


Question from the exam:
From the Internet, you can connect to the web server on VM1 by using HTTP {Y/N}
From the Internet, you can connect to the web server on VM2 by using HTTP {Y/N}
From the Internet, you can connect to the web server on VM3 by using HTTP {Y/N}
upvoted 2 times

  Trucutru 4 months, 1 week ago


Answers to jakobaszek:
no, yes, no
upvoted 2 times

  Luciborg 4 months, 1 week ago


I don't understand your answers. VM1 and 2 are both subnet 11 and allow http 80 from internet. VM3 hasn't got an NSG
upvoted 2 times

  Luciborg 4 months, 1 week ago


VM is subnet 12, So it would be yes, yes, yes on Jakobaszek.
upvoted 3 times

  awssecuritynewbie 1 month, 2 weeks ago


i agree
upvoted 1 times

  LTTAM 4 months ago


Correct answers to jakobaszek are:

YES - Vm1 is on sNet11 and associated to NSG2. It allows port 80 TCP traffic.
YES - Vm2 is also on sNet11 and associated to NSG2. It allows port 80 TCP traffic.
YES - Vm3 is on sNet12. There is no NSG associated to it. Traffic is open to ALL ports.
upvoted 2 times

  publicuser55 3 months, 2 weeks ago


YES - Vm1 is on subnet11 and associated to NSG2. It allows inbound port 80 TCP traffic.
NO - Vm2 is also on subnet11 and associated to NSG2 that it allows port 80 TCP traffic, but its also associate with NSG1 at the NIC2
level that denies all traffic.
YES - Vm3 is on subnet12. There is no NSG associated to it. Traffic is open to ALL ports.
upvoted 6 times

  japke 3 months, 3 weeks ago


Box3, what NSG has been hit in this case ? NSG2 rule 65000 tough ? Or what is the explanation for the result?
upvoted 1 times


  eug45 3 months, 3 weeks ago


Answer is No, Yes, Yes

No, since there is a DENY rule with a priority of 200 that Deny allows type of traffic. The rule with Priority of 100 only allows the TCP
protocol and not the ICMP protocol.

Yes, there is a rule in NSG2 to allow traffic from ASG2. And this application security group is attached to NIC2 which is attached to the
prodvm2 virtual machine.
upvoted 2 times

  peluca 3 months, 2 weeks ago


given answers are correct!
upvoted 1 times

  publicuser55 3 months, 2 weeks ago


Box1: No. NSG3 only allows TCP traffic, TCP is not ICMP ping.
Box2: No. NSG3 only allows TCP traffic, TCP is not ICMP ping.
Box3: Yes. NSG4 allows all inbound traffic.
upvoted 4 times

  Kampo 2 months, 1 week ago


NO - TCP traffic doesn't allow ICMP. Hence from VM1 you can't ping VM4
YES - All traffic allowed from ASG2 to NSG3
YES - Port 80 allowed from ASG1
upvoted 2 times

  Armando997 2 months, 1 week ago


Given answers are correct
upvoted 1 times

  kiketxu 2 months ago


Don't forget TCP is not ICMP (protocol for ping)
NO
YES
YES
upvoted 1 times

  awssecuritynewbie 1 month, 2 weeks ago


How is the last one correct? It is source ASG1 and destination ASGS1; it is only allowing to itself.
upvoted 1 times

  kiketxu 4 days, 10 hours ago


VM4 is part of ASGS1. So, Any TCP is allowed.
upvoted 1 times

  DeepMoon 1 month, 2 weeks ago


VM1 is in Subnet 11 has NSG1 attached. Pings go through to the internet.
VM4 is in Subnet13 which has NSG3 attached to it. Inbound pings are denied.
• VM1 & VM4 are labeled as ASG1.
• NSG3 only allows TCP not ICMP for ASG1. NSG3 would only allow ICMP pings from ASG2 but not ASG1.

Box 2: Yes.
VM2 is subnet 11. NSG1 allows pings out.
VM4 has a NSG3 setup. It allows any protocol from ASG2 into subnet 13(where VM4 is) so ICMP ping would be allowed.
 VM2 is in ASG2 so pings from it are allowed through NSG3.

Box3. Yes.
VM1 is in ASG1. TCP traffic is allowed from ASG1 so VM1 could connect to the web server as connections to the web server would be on
ports TCP 80 or TCP 443.
upvoted 1 times

  kiketxu 4 days, 10 hours ago


You missed clarifying box 1, which is NO.
upvoted 1 times

  realname007 2 weeks, 1 day ago


so what is the correct answer for this?
upvoted 1 times


Question #4 Topic 8

Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.

Existing Environment -

Azure AD -
Contoso.com contains the users shown in the following table.

Contoso.com contains the security groups shown in the following table.

Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.



Sub1 contains the Azure policies shown in the following table.

Sub2 -
Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.

All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.


NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.

Question
You need to meet the technical requirements for VNetwork1.
What should you do first?

A. Create a new subnet on VNetwork1.

B. Remove the NSGs from Subnet11 and Subnet13.

C. Associate an NSG to Subnet12.

D. Configure DDoS protection for VNetwork1.

Correct Answer: A
From scenario: Deploy Azure Firewall to VNetwork1 in Sub2.
Azure Firewall needs a dedicated subnet named AzureFirewallSubnet.
References:
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
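A pre-flight check for the prerequisite named in the explanation, as an added example (not code from the page, from Microsoft, or from the exam): Azure Firewall requires a subnet named exactly AzureFirewallSubnet of size /26 or larger, so the first step is to find an unused /26 in the address space and create that subnet. The VNET document below is constructed in the shape that `az network vnet show` returns (addressSpace.addressPrefixes and subnets[].addressPrefix); the subnet names echo the case study but the prefixes are invented.

```python
"""Pre-flight check for the Azure Firewall subnet prerequisite and a helper that
picks an unused /26 for it. Added example; VNET is a constructed document."""
import ipaddress

FIREWALL_SUBNET_NAME = "AzureFirewallSubnet"   # Azure Firewall requires exactly this name
MIN_PREFIX = 26                                 # and a subnet of /26 or larger

VNET = {   # constructed, shaped like `az network vnet show` output
    "name": "vnet-example",
    "addressSpace": {"addressPrefixes": ["10.1.0.0/16"]},
    "subnets": [
        {"name": "Subnet11", "addressPrefix": "10.1.1.0/24"},
        {"name": "Subnet12", "addressPrefix": "10.1.2.0/24"},
        {"name": "Subnet13", "addressPrefix": "10.1.3.0/24"},
    ],
}


def firewall_subnet_issues(vnet: dict) -> list:
    """List why the VNet is not ready for Azure Firewall; an empty list means ready."""
    subnets = {s["name"]: s for s in vnet.get("subnets", [])}
    fw = subnets.get(FIREWALL_SUBNET_NAME)
    if fw is None:
        return [f"no subnet named {FIREWALL_SUBNET_NAME}"]
    issues = []
    net = ipaddress.ip_network(fw["addressPrefix"])
    if net.prefixlen > MIN_PREFIX:
        issues.append(f"{FIREWALL_SUBNET_NAME} is /{net.prefixlen}; /{MIN_PREFIX} or larger is required")
    return issues


def free_prefix_for_firewall(vnet: dict) -> str:
    """First /26 inside the VNet address space that overlaps no existing subnet."""
    used = [ipaddress.ip_network(s["addressPrefix"]) for s in vnet.get("subnets", [])]
    for space in vnet["addressSpace"]["addressPrefixes"]:
        space_net = ipaddress.ip_network(space)
        if space_net.prefixlen > MIN_PREFIX:
            continue                        # this address range is too small to hold a /26
        for candidate in space_net.subnets(new_prefix=MIN_PREFIX):
            if not any(candidate.overlaps(u) for u in used):
                return str(candidate)
    raise ValueError(f"no free /{MIN_PREFIX} in the address space")


def with_firewall_subnet(vnet: dict) -> dict:
    """Copy of the VNet with AzureFirewallSubnet added in the first free /26 (the 'do first' step)."""
    new_subnet = {"name": FIREWALL_SUBNET_NAME, "addressPrefix": free_prefix_for_firewall(vnet)}
    return {**vnet, "subnets": vnet.get("subnets", []) + [new_subnet]}


if __name__ == "__main__":
    print("before:", firewall_subnet_issues(VNET))
    ready = with_firewall_subnet(VNET)
    print("chosen prefix:", ready["subnets"][-1]["addressPrefix"])
    print("after:", firewall_subnet_issues(ready))
```

Run the check against the real VNet (feed it the JSON from `az network vnet show`) before deploying; it reports a missing subnet, or one that exists but is too small, which is the usual reason a firewall deployment fails on an existing network.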

  kristiann21 5 months, 4 weeks ago


Indeed. VNet1 has no subnet for Azure Firewall. Create a new subnet for Azure Firewall named exactly AzureFirewallSubnet.
upvoted 11 times

  gfhbox0083 4 months, 4 weeks ago


A, for sure.
upvoted 6 times

  kiketxu 2 months ago


right!
upvoted 3 times

Topic 9 - Testlet 5


Question #1 Topic 9

Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.

Existing Environment -

Azure AD -
Contoso.com contains the users shown in the following table.

Contoso.com contains the security groups shown in the following table.

Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.



Sub1 contains the Azure policies shown in the following table.

Sub2 -
Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.

All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.


NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.

Question
HOTSPOT -
You assign User8 the Owner role for RG4, RG5, and RG6.
In which resource groups can User8 create virtual networks and NSGs? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: RG4 only -


The policy does not allow the creation of virtual networks in RG5 or RG6.
Box 2: The policy does not allow the creation of NSGs in RG5.


References:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
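The two policy effects the answer and the comments turn on, as an added example (not code from the page or from Microsoft): "Allowed resource types" denies every resource type that is not in its list, while "Not allowed resource types" denies only the types that are in its list. The evaluator below handles the subset of Azure Policy rule syntax those built-ins use (field/in, not, allOf, anyOf, parameters references) and applies assignments by scope prefix. The rule JSON mirrors the structure of the built-in definitions; the subscription id is a placeholder and the resource group names, assignments and requests are constructed, not the exam's RG4/RG5/RG6 policy table.

```python
"""Tiny evaluator for Azure Policy deny rules of the "Allowed resource types" and
"Not allowed resource types" shape. Added example; scopes and names are constructed."""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription id
PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")

ALLOWED_TYPES = {   # same structure as the built-in "Allowed resource types" definition
    "if": {"not": {"field": "type", "in": "[parameters('listOfResourceTypesAllowed')]"}},
    "then": {"effect": "deny"},
}
NOT_ALLOWED_TYPES = {   # same structure as the built-in "Not allowed resource types" definition
    "if": {"field": "type", "in": "[parameters('listOfResourceTypesNotAllowed')]"},
    "then": {"effect": "deny"},
}

ASSIGNMENTS = [   # constructed assignments, one per resource group scope
    {"scope": f"{SUB}/resourceGroups/rg-nsg-only", "definition": ALLOWED_TYPES,
     "parameters": {"listOfResourceTypesAllowed": ["Microsoft.Network/networkSecurityGroups"]}},
    {"scope": f"{SUB}/resourceGroups/rg-no-peering", "definition": NOT_ALLOWED_TYPES,
     "parameters": {"listOfResourceTypesNotAllowed": ["Microsoft.Network/virtualNetworks/virtualNetworkPeerings"]}},
]


def _resolve(value, params):
    """Replace a "[parameters('x')]" reference with the assignment's parameter value."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value


def _matches(cond: dict, resource: dict, params: dict) -> bool:
    """Evaluate one policy condition against the resource document (case-insensitive)."""
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    actual = str(resource.get(cond["field"], "")).lower()
    if "in" in cond:
        return actual in {str(v).lower() for v in _resolve(cond["in"], params)}
    if "equals" in cond:
        return actual == str(_resolve(cond["equals"], params)).lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, assignments=ASSIGNMENTS) -> str:
    """'deny' if any assignment whose scope contains the resource matches with effect deny, else 'allow'."""
    for a in assignments:
        in_scope = resource["id"].lower().startswith(a["scope"].lower() + "/")
        if in_scope and _matches(a["definition"]["if"], resource, a.get("parameters", {})):
            if a["definition"]["then"]["effect"].lower() == "deny":
                return "deny"
    return "allow"


def request(rg: str, rtype: str, path: str) -> dict:
    """Resource document for a create request in resource group rg (constructed shape)."""
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/{path}", "type": rtype, "name": path.rsplit("/", 1)[-1]}


if __name__ == "__main__":
    for rg, rtype, path in [
        ("rg-nsg-only", "Microsoft.Network/networkSecurityGroups", "Microsoft.Network/networkSecurityGroups/nsg1"),
        ("rg-nsg-only", "Microsoft.Network/virtualNetworks", "Microsoft.Network/virtualNetworks/vnet1"),
        ("rg-no-peering", "Microsoft.Network/virtualNetworks", "Microsoft.Network/virtualNetworks/vnet1"),
        ("rg-no-peering", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
         "Microsoft.Network/virtualNetworks/vnet1/virtualNetworkPeerings/peer1"),
    ]:
        print(rg, rtype, "->", evaluate(request(rg, rtype, path)))
```

The useful observation is the asymmetry: under the allow-list definition, creating anything other than the listed type in `rg-nsg-only` is denied, while under the deny-list definition everything not listed (here, the virtual network itself) is still allowed in `rg-no-peering`. When reasoning about a child type such as a subnet or a peering, evaluate the child's own `type` value; the parent type is not what the policy sees for that request.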

  NoNotSpam 11 months, 2 weeks ago


I believe box 1 should be RG6 only. Only NSGs can be created in RG4, and RG5 denies the creation of subnets -- at least one subnet must
be defined when a VNet is created. This leaves only 6, which does not deny the creation of a VNet, only peerings which are not mandatory.
upvoted 41 times

  anonymous654 11 months ago


Why do you say only NSG can be created in RG4? There is no explicit deny for any resource in RG4, and user 8 is the owner of RG4
upvoted 4 times

  PJR 9 months, 1 week ago


NoNotSpam is correct - 1 should be RG6 only

https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition

Allowed Resource Type: Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this
defined list.

RG4 has a policy definition of allowed resource types or NSG - that means anything other than NSGs are denied from being created.
upvoted 22 times

  Remy 3 months, 4 weeks ago


Create a Virtual Network is forbidden for RG6 too.
For Box1 the response should be no RG
upvoted 3 times

  kikkens23 1 month ago


No, it's not. The peering is not permitted, which is a config that is part of creating a vNet
upvoted 1 times

  onlyfunmails 10 months, 1 week ago


RG 4 & 6 for both.
RG6/RG4 no explicit deny for Vnet and NSG.
upvoted 2 times

  szabolevo 8 months ago


Q1: Answer should be RG5&RG6. Creation of virtualNetworks is not prohibited on RG5&RG6, only subnets and vnet peers are. Subnet is
only needed for net creation through the portal, but e.g. PS will let you create a vnet without a subnet.
RG4 can't create virtual network as explained by @PJR.
upvoted 4 times

  vlq 7 months ago


Q1: You can't create a VNet without at least one subnet, so in effect VNet creation in RG5 is not possible, even if not strictly restricted
upvoted 3 times

  sprlftr 6 months, 2 weeks ago


I've tested this myself via the Portal, and creation of a VNet is possible even with the subnet restriction; a subnet called 'default' is
created for the VNet despite the policy.
upvoted 3 times

  sprlftr 6 months, 2 weeks ago


The first answer should be RG5 and RG6, as szabolevo says.
upvoted 2 times

  LiamRT 3 weeks, 6 days ago


I have created the policies and RGs and confirmed this. Ans 1 should be RG5 and RG6. Ans 2 is RG4 and RG6
upvoted 1 times

  dhriti72 2 days, 9 hours ago


In the answer section does it say there is an option for RG5 & RG6. So the only option for 1 is RG6 (not that I don't agree
with your analysis) 
upvoted 1 times


  hstorm 2 months, 2 weeks ago


vlq - bad guess... You can create a Vnet even when policy denies subnet. You should spend some time testing, it really doesn't take
long.
upvoted 2 times

  Mariachi 7 months, 4 weeks ago


1 - R6 only
2 - R4 & R6
upvoted 26 times

  RTamahawk 6 months, 3 weeks ago


I agree with provided answers:
Box1: 4 only
Box2: 4 and 6
upvoted 5 times

  purishd 6 months, 3 weeks ago


Could you please explain your rationale for Box1
for everyone's understanding?
upvoted 1 times

  shaheer1991 6 months, 1 week ago


what am i missing here? it's clearly stated that vnet is not allowed in RG5 and RG6. I agree with the given answers
upvoted 1 times

  Rajuuu 6 months ago


Box :- 6
Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this
defined list.
Box 2:- 4 and 6
upvoted 4 times

  kristiann21 5 months, 4 weeks ago


RG6 Only
RG4 and RG6 Only

is the correct answer. Look no further.


upvoted 3 times

  NeilKK 5 months, 2 weeks ago


The answer should be
Box 1 - RG6 only
Box 2 - RG 4 & RG 6
upvoted 5 times

  P0d 5 months, 2 weeks ago


1) 4 and 6
2) 4 and 6
upvoted 2 times

  Liz_Gomez 5 months ago


box 1: RG5 and RG6. RG5 because you can create by a CLI command a Vnet without subnet.
box 2 is correct.
upvoted 1 times

  Kagekirke 5 months ago


Box 1: RG5 and RG6 isn't even an option... Come on.
upvoted 5 times

  gfhbox0083 4 months, 4 weeks ago


RG6
RG4 and RG6
upvoted 1 times

  Hemn1990 4 months, 4 weeks ago


In RG5 note the spelling is wrong: networksSecurityGroups; it should be networkSecurityGroups.
I will test this policy including the wrong-spelling policy.
I start with User8 can create virtualNetwork

RG4 no vNET allowed


RG5 Allowed to create vNET ) but subnets not allowed
RG6 Allowed to create vNET ) but couldn't create vNet Peering

User8 can create NSG



RG4 can create NSG
RG5 cannot create if it's correct networksSecurityGroups ) make sure if it is misspelled in the exam then you can create; it's a trap, but if
it's wrong you can create one in RG5.


RG6 you can create NSG.

BOX 1
RG5 & RG6

BOX2
RG4 & RG6
upvoted 12 times

  Bobo_Lee 4 months, 1 week ago


Tested. This is the right answer
upvoted 3 times

  LTTAM 4 months ago


Hamn1990 has it right. Folks, you need to do the labs before you comment here and confuse people. I just spent the past hour re-
creating this scenario and lab.

Box 1: RG5 & RG6 (RG4 only allows resource types of NSG so you can't create vNet)
Box 2: RG4 & RG6 (RG5 does not allow resource types NSG so you cannot create NSG)
upvoted 2 times

  Crash27 3 months, 3 weeks ago


how can Box 1 be RG5 & RG6 it is not even an option to select???
upvoted 6 times

  Olushola59 4 months, 4 weeks ago


Hi guys. I believe the answer provided is correct because for RG4, there's an explicit "Allow resources" for NSGS' and if you look closely,
you'll notice that both RGs 5 and 6 deny the VNet resource. As for Box 2, RG5 specifically denies NSG resource and RG4 explicitly allows it
and RG6 outrightly blocks the VNet and VNet peerings and would then allow NSG. So i agree with the answer given.
upvoted 1 times

  mackc13 4 months, 3 weeks ago


given answer is correct.
upvoted 1 times

  LTTAM 4 months ago


Incorrect buddy. The first box is wrong answer.

Policy Definition: Allowed resource types


Resource Type: networkSecurityGroups
Scope: RG4

Translation: Only allowed resource types of network security group is allowed in RG4. Nothing else. This means you cannot create
anything (including vNets) in RG4. Please do the labs.
upvoted 2 times

  SLG 4 months ago


Box1
RG6 only
(RG4 only allows resource type NSG (any other resource is not allowed) and in RG5 a Vnet cannot be created as Subnet is not an allowed
resource type)
Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this
defined list.
https://docs.microsoft.com/en-us/azure/governance/policy/overview

Box 2
RG4 and RG6 only (agree with answer)
upvoted 4 times

  eug45 3 months, 3 weeks ago


Wrong

You can create virtual networks in all resource groups. Since there is no specific policy to deny the creation of the virtual network itself,
you can create virtual networks in all of these resources groups.

Since there is a policy to not allow network security groups in grp5, you can’t create network security groups in this resource group.
upvoted 2 times

  LTTAM 3 months, 3 weeks ago


Another wrong post by eug45. I did the lab. You cannot create a vNet in RG4. This is also confirmed by a few others who actually did the
lab.

Answers should be:


Box 1: RG5 & RG6 (RG4 only allows resource types of NSG so you can't create vNet) 
Box 2: RG4 & RG6 (RG5 does not allow resource types NSG so you cannot create NSG)
upvoted 1 times


  BigTone 3 months, 2 weeks ago


There is no option for RG5 and RG6 in box 1. The allowed resource type will deny any resource that is not listed as stated in this URL
https://docs.microsoft.com/en-us/azure/governance/policy/overview. So, you can only create NSGs in RG4, which rules out 3 of the 4
answers, leaving RG6 only
upvoted 2 times

  BigTone 3 months, 2 weeks ago


Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this
defined list.
upvoted 1 times

  steph_moto 3 months, 1 week ago


Just did my test and there was this question but the answer for the box 2 (virtual Network) i did not have a selection with RG5 and RG6. I
selected RG6 only but this is really confusing. Not sure if that was the right answer.
upvoted 1 times

  steph_moto 3 months, 1 week ago


actually i would take back what I said. when you create a virtual network, it will actually create a subnet. therefore it should only be RG6.
upvoted 2 times

  hstorm 2 months, 2 weeks ago


Hmmm - Did the lab, and strangely enough you can create vnet in RG5, it is created with the default subnet... - We cannot add subnet to
the newly created vnet...
But it doesn't really matter as we know for sure that we can not create vnet in RG4, since only one answer does not include RG4, the
answer here must be "only RG6" although it should have been the nonexistent answer "only RG5 and RG6"

We can create Vnet in RG6 only... (answer should be RG5 and RG6)
We can create NSG in RG4 and RG6
upvoted 2 times

  sd_sumaiya 2 months, 1 week ago


so what is the right answer as of now guys?
upvoted 2 times

  kiketxu 2 months ago


"We can create Vnet in RG6 only... (answer should be RG5 and RG6)
We can create NSG in RG4 and RG6"
guys...this is right! To create a vnet in the portal you always need to specify a subnet, which is not allowed. But you can create only the vnet
from PS or AZCLI, avoiding that portal limitation.
upvoted 1 times

  kiketxu 2 months ago


vnet: RG5 (not from the portal, should be done by PS or AZCLI) and RG6
NSG: RG4 and RG6
upvoted 2 times

  DeepMoon 1 month, 2 weeks ago


User 8 owner RG 4, 5 & 6. No locks apply to RG 4, 5, 6.
Resource Groups allowing Virtual Networks: not RG4 (only NSG allowed),
not RG5, (cannot create Subnets; so no VNets (which has a default VNet)
RG6 (cannot create only VNet Peering's; so can create VNets)
Answer Box 1: RG 6
RG allowing NSG's: RG4 allows only NSG's
: RG5 VNet/Subnets, NSGs disallowed
:RG6 NSGs allowed.

Answer Box2: RG4 & 6


upvoted 1 times

  Totalvibe 1 month ago


Given answers are correct, please check policy definitions
upvoted 1 times


Question #2 Topic 9

Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.

Existing Environment -

Azure AD -
Contoso.com contains the users shown in the following table.

Contoso.com contains the security groups shown in the following table.

Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.



Sub1 contains the Azure policies shown in the following table.

Sub2 -
Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.

All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.


NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.

Question
HOTSPOT -
Which virtual networks in Sub1 can User2 modify and delete in their current state? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: VNET4 and VNET1 only -


RG1 has only Delete lock, while there are no locks on RG4.
RG2 and RG3 both have Read-only locks.

Box 2: VNET4 only -


There are no locks on RG4, while the other resource groups have either Delete or Read-only locks.
Note: As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from
accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called
Delete and Read-only respectively.


✑ CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
✑ ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to
restricting all authorized users to the permissions granted by the Reader role.
Scenario:
User2 is a Security administrator.
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User2 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.

References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
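To make the precedence rule behind this answer concrete, here is an added example in Python (not code from the ExamTopics page or from Microsoft) that models lock inheritance down the scope chain and the "most restrictive lock wins" rule. The RG-to-VNet mapping and lock placement are reconstructed from the answer explanation and the comments, since the original tables are images, and the ARM-style scope paths are an assumption.

```python
"""Effective-lock evaluation for Azure Resource Manager scopes (added example)."""
from enum import IntEnum
from typing import Dict, List, Tuple


class Lock(IntEnum):
    """Lock levels ordered by restrictiveness, so max() picks the strongest."""
    NONE = 0
    CAN_NOT_DELETE = 1   # portal name: Delete
    READ_ONLY = 2        # portal name: Read-only


def effective_lock(scope: str, locks: Dict[str, List[Lock]]) -> Lock:
    """Most restrictive lock applied at `scope` or at any parent scope.

    Scopes are ARM-style paths such as
    /subscriptions/<sub>/resourceGroups/<rg>/providers/.../virtualNetworks/<name>.
    A lock set on a parent (subscription or resource group) is inherited by
    every child resource, and when several locks apply the strongest wins.
    """
    parts = scope.strip("/").split("/")
    strongest = Lock.NONE
    for depth in range(1, len(parts) + 1):
        prefix = "/" + "/".join(parts[:depth])
        for lock in locks.get(prefix, []):
            strongest = max(strongest, lock)
    return strongest


def permissions(lock: Lock) -> Tuple[bool, bool]:
    """Return (can_modify, can_delete) for an otherwise authorized user.

    Locks only restrict control-plane operations; this assumes the user already
    holds an RBAC role (e.g. Contributor) that would permit the operation,
    which is the gap several commenters point out for User2.
    """
    return (lock < Lock.READ_ONLY, lock == Lock.NONE)


SUB = "/subscriptions/Sub1"

# Constructed from the page: RG1 Delete only; RG2 Read-only; RG3 Delete AND
# Read-only; RG4 no locks.
SCENARIO_LOCKS: Dict[str, List[Lock]] = {
    f"{SUB}/resourceGroups/RG1": [Lock.CAN_NOT_DELETE],
    f"{SUB}/resourceGroups/RG2": [Lock.READ_ONLY],
    f"{SUB}/resourceGroups/RG3": [Lock.CAN_NOT_DELETE, Lock.READ_ONLY],
    f"{SUB}/resourceGroups/RG4": [],
}

# Assumed mapping: VNETn lives in RGn, as the answer explanation implies.
VNETS = {"VNET1": "RG1", "VNET2": "RG2", "VNET3": "RG3", "VNET4": "RG4"}


def vnet_scope(rg: str, name: str) -> str:
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{name}"


def answer(locks: Dict[str, List[Lock]] = SCENARIO_LOCKS) -> Dict[str, List[str]]:
    """Which VNets can be modified (Box 1) and deleted (Box 2) under `locks`."""
    modifiable, deletable = [], []
    for vnet, rg in VNETS.items():
        can_modify, can_delete = permissions(effective_lock(vnet_scope(rg, vnet), locks))
        if can_modify:
            modifiable.append(vnet)
        if can_delete:
            deletable.append(vnet)
    return {"modify": modifiable, "delete": deletable}


if __name__ == "__main__":
    print(answer())  # {'modify': ['VNET1', 'VNET4'], 'delete': ['VNET4']}
```

Adding a subscription-level Read-only lock to `SCENARIO_LOCKS` shows the inheritance side of the rule: every VNet becomes read-only regardless of its resource group.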

  NoNotSpam 11 months, 2 weeks ago


Is there information missing? The only info is that User2 is a Security Admin, which does not have inherent rights to modify or delete
VNets. There would have to be a RBAC role assigned at a lower level to allow User2 to do that, but the problem doesn't state that, and I do
not believe Security Admins have permissions to remove locks.
upvoted 5 times

  sprlftr 6 months, 2 weeks ago


I was thinking the same thing. If I assume that they do have rights to manipulate these VNets, then I arrive at the same answer as
stated here. Otherwise, I don't believe a Security Administrator can do anything with these VNets.
upvoted 2 times

  DeepMoon 1 month, 3 weeks ago


Security Admin is an AAD role. Only works in the AAD domain. That was thrown in there to skew your understanding.
VNets permissions are based on Azure Resource Manager resource roles. Which are in a completely different domain.
upvoted 2 times

  Moh1818 11 months, 1 week ago


I believe answer 1 is: Vnet1, Vnet3 & Vnet4 only
upvoted 8 times

  anonymous654 11 months ago


You are right. Based on : CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
upvoted 1 times

  PJR 9 months, 1 week ago


but RG3 also has a Read-Only lock which according to the link you gave above means

"ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to
restricting all authorized users to the permissions granted by the Reader role." - therefore the user cannot modify vNet3 either as
RG3 has a read-only lock as well as a delete lock
upvoted 12 times

  RStover 7 months, 1 week ago


Vnet 3 is in RG3 which has readOnly lock
upvoted 2 times

  awssecuritynewbie 3 weeks, 3 days ago


did you miss the read-only lock on RG3 ?
upvoted 1 times

  onlyfunmails 10 months, 1 week ago


I go with recommended answer and agree with explanation.
Q1: 2/3 read-only locks --> only 1/4 can be modified, even 1 has delete lock
Q2: 1/2/3 had read-only or delete locks, can't delete --> Only 4 can be deleted. 
upvoted 29 times


  g01d 9 months, 2 weeks ago


Agree with you, when a resource has 2 locks the more restrictive takes precedence, and RG3 would take ReadOnly, so your
statement is correct.
upvoted 3 times

  barchetta 9 months, 3 weeks ago


Am I losing my mind or does rg3 have a delete lock on it so it can be modified? Apparently the sec admin role has the ability to delete a
resource which I'd have to look up.
upvoted 2 times

  JohnAvlakiotis 7 months, 2 weeks ago


It has a Delete AND a Read-only lock.
upvoted 5 times

  hstorm 2 months, 2 weeks ago


Well - If user2 does not have the permission to delete, no answers would be correct. Assuming he has the required permission, the
given answer is correct, as rg3 has 2 locks.
upvoted 1 times

  kiketxu 2 months ago


There is a phrase missing. Usr2 has been promoted to Contributor of these RGs.
upvoted 1 times

  Mariachi 7 months, 4 weeks ago


1 - VNET1&VNET4 - RG1 has Delete Lock, which means that it can be modified, no Lock on RG4 which means VNET4 can be modified as well
2 - VNET4 only

RG1 has Delete Lock means you can't delete;


RG2 and RG3, both have Read Only Locks

When you have multiple Locks, the most restrictive one is implemented, which means that for RG3 the Lock is Read-only

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?WT.mc_id=thomasmaurer-blog-
thmaure#who-can-create-or-delete-locks
upvoted 11 times

  TheKing 7 months, 3 weeks ago


Hello Mariachi, do you have a plan to take the exam soon? If yes, can you contact me so we can share our experience for the az-500
exam; my e-mail is scalis11az@gmail.com. Thanks.
upvoted 1 times

  gfhbox0083 4 months, 4 weeks ago


The provided answer is Correct.
VNet1 can only be modified.
Vnet4 can be modified and deleted.
upvoted 5 times

  kiketxu 2 months ago


totally agree! ;)
upvoted 1 times

  kiketxu 2 months ago


don't forget that in this question...there is a sentence missing. Usr2 has been promoted to Contributor of these VNETs' RGs (checked
on another practice site)
upvoted 1 times

  Olushola59 4 months, 4 weeks ago


Hi guys, Read-only lock would mean that the Authorised User cannot modify or delete but delete lock means that the resource cannot be
deleted but it most definitely can be modified.
So the answer would be for Box1, VNet 1,3&4 can be modified but for Box2, VNet4 only since the Policy definition does not apply to it.
For your reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
upvoted 1 times

  mbombom 4 months, 3 weeks ago


The correct answer for Box 1, Vnet 1 and Vnet 4. The most restrictive lock in the inheritance takes precedence, Vnet 3 has both Delete
and Readonly locks applied.
Box 2 is Vnet 4
upvoted 2 times

  gboyega 4 months, 3 weeks ago


Hi,
The given answers are actually correct
1. Only VNET one can be modified ( VNET1 has delete lock, and VNET 4 has no restriction)

I created a scenario, if you add both locks like in the question, the read-only lock takes precedence
2. VNET 4 (because no locks are attached)

upvoted 2 times

  mackc13 4 months, 3 weeks ago


given answer is correct
upvoted 3 times

  gboyega 4 months, 3 weeks ago


Hi,
The given answers are actually correct
1. VNET 1 and VNET 4. Only VNET one can be modified ( VNET1 has delete lock, and VNET 4 has no restriction)
I created a scenario, if you add both locks like in the question, the read-only lock takes precedence
2. VNET 4 (because no locks are attached)
upvoted 2 times

  eug45 3 months, 3 weeks ago


The given answers are correct
upvoted 1 times

  paradoxx 2 months, 1 week ago


I have another question pool and the User is USER9 not user2, the answer is the same
upvoted 2 times

  Explen 1 month, 3 weeks ago


Thanks. As is, User 2 has no privilege to make changes, maybe User 9 can do
upvoted 1 times

  awssecuritynewbie 1 month, 2 weeks ago


Guys guys guys .... It says VNET1 has a delete lock so we can still modify, just cannot delete the resources in the resource group ... and vnet
4 has no lock so we are allowed..

Box2: is vnet4 as the rest have read-only and delete locks.

Do Not Delete * Cannot Delete The resources can be altered, but can't be deleted. Not Locked resources can be added, moved, changed,
or deleted from this resource group.
upvoted 1 times

  DeepMoon 1 month, 2 weeks ago


Box 1: VNET4 and VNET1 only -
RG1 has only Delete lock (so you can modify),
RG4 no locks on it. So you can modify it.
RG2 & 3 ReadOnly locks so cannot modify or delete them.
 
Box 2: VNET4 only
There are no locks on RG4, while the other resource groups have either Delete or Read-only locks.
upvoted 1 times

Topic 10 - Testlet 6


Question #1 Topic 10

Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an
All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to
answer a question, click the Question button to return to the question.

Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.

Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the
Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity Management (PIM) is
activated.
The tenant contains the groups shown in the following table.

The Azure subscription contains the objects shown in the following table.

Azure Security Center is set to the Free tier.

Planned changes -
Litware plans to deploy the Azure resources shown in the following table. 


Identity and Access Requirements


Litware identifies the following identity and access requirements:
All San Francisco users and their devices must be members of Group1.
The members of Group2 must be assigned the Contributor role to Resource Group2 by using a permanent eligible assignment.
Users must be prevented from registering applications in Azure AD and from consenting to applications that access company information on the
users' behalf.
Platform Protection Requirements
Litware identifies the following platform protection requirements:
Microsoft Antimalware must be installed on the virtual machines in Resource Group1.
The members of Group2 must be assigned the Azure Kubernetes Service Cluster Admin Role.
Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must be
available only for Resource Group1.
Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
Data and Application Requirements
Litware identifies the following data and applications requirements:
The users in Group2 must be able to authenticate to SQLDB1 by using their Azure AD credentials.
WebApp1 must enforce mutual authentication.

General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.

Question
You need to ensure that you can meet the security operations requirements.
What should you do first?

A. Turn on Auto Provisioning in Security Center.

B. Integrate Security Center and Microsoft Cloud App Security.

C. Upgrade the pricing tier of Security Center to Standard.

D. Modify the Security Center workspace configuration.

Correct Answer: C
The Standard tier extends the capabilities of the Free tier to workloads running in private and other public clouds, providing unified security
management and threat protection across your hybrid cloud workloads. The Standard tier also adds advanced threat detection capabilities,
which uses built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to
reduce exposure to network attacks and malware, and more.
Scenario: Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing

  barchetta 9 months, 3 weeks ago


"customize the operating system security configurations" what the heck does that mean exactly? Could do that with a policy I bet,
certainly intune. thanks MS. 
upvoted 2 times


  tempce 5 months, 3 weeks ago


Edit security configurations for security policies
Azure Security Center monitors security configurations by applying a set of over 150 recommended rules for hardening the OS. These
rules pertain to firewalls, auditing, password policies, and more. If a machine is found to have a vulnerable configuration, Security Center
generates a security recommendation. The Edit security configuration screen allows customers to customize the default OS security
configuration in Security Center.

We retired this preview feature. To reset your security configurations back to their default values after the retirement date, do so via the
API or Powershell using the following instructions.
upvoted 2 times

  P0d 5 months, 2 weeks ago


Answer: D
upvoted 2 times

  PA 4 months, 4 weeks ago


Which one is correct here, C or D?
upvoted 2 times

  PA 4 months, 4 weeks ago


looks like given Ans is correct :
OS Security Config customization is available for Security Center users in the Standard tier on subscription level only.
upvoted 1 times

  NickDouglas 4 months ago


Read the scenario carefully, it contains "Azure Security Center is set to the Free tier."
Answer : C
upvoted 6 times

  cstmtrs 2 months ago


I have read the scenario several times, but it clearly says "Azure Security Center is set to the Standard tier." Where did you see the Free
tier ???
upvoted 1 times

  Shaw90 1 month, 2 weeks ago


The Azure subscription contains the objects shown in the following table.
Right After this table:
Azure Security Center is set to the Free tier.
Don't know why people comment without reading......
upvoted 2 times

  eug45 3 months, 3 weeks ago


C is correct

To be able to use features such as Adaptive Application controls or File Integrity monitoring which monitors the underlying virtual
machine, you need to use the Standard tier for Azure Security Center
upvoted 4 times

  paradoxx 2 months, 1 week ago


The new updated question contains "Azure Security Center is set to the Standard tier" so "Modify the Security Center workspace
configuration" is the right answer.
upvoted 3 times

  awssecuritynewbie 1 month, 2 weeks ago


just do a find on the page you see it says " Azure Security Center is set to the Free tier."

so we need the standard tier


upvoted 2 times

Topic 11 - Testlet 7


Question #1 Topic 11

Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an
All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to
answer a question, click the Question button to return to the question.

Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.

Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the
Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity Management (PIM) is
activated.
The tenant contains the groups shown in the following table.

The Azure subscription contains the objects shown in the following table.

Azure Security Center is set to the Free tier.

Planned changes -
Litware plans to deploy the Azure resources shown in the following table. 


Identity and Access Requirements


Litware identifies the following identity and access requirements:
All San Francisco users and their devices must be members of Group1.
The members of Group2 must be assigned the Contributor role to Resource Group2 by using a permanent eligible assignment.
Users must be prevented from registering applications in Azure AD and from consenting to applications that access company information on the
users' behalf.
Platform Protection Requirements
Litware identifies the following platform protection requirements:
Microsoft Antimalware must be installed on the virtual machines in Resource Group1.
The members of Group2 must be assigned the Azure Kubernetes Service Cluster Admin Role.
Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must be
available only for Resource Group1.
Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
Data and Application Requirements
Litware identifies the following data and applications requirements:
The users in Group2 must be able to authenticate to SQLDB1 by using their Azure AD credentials.
WebApp1 must enforce mutual authentication.

General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.

Question
You need to configure WebApp1 to meet the data and application requirements.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Upload a public certificate.

B. Turn on the HTTPS Only protocol setting.

C. Set the Minimum TLS Version protocol setting to 1.2.

D. Change the pricing tier of the App Service plan.

E. Turn on the Incoming client certificates protocol setting.

Correct Answer: AC
A: To configure Certificates for use in Azure Websites Applications you need to upload a public Certificate.
C: Over time, multiple versions of TLS have been released to mitigate different vulnerabilities. TLS 1.2 is the most current version available for
apps running on
Azure App Service.
Incorrect Answers:
B: We need to support the HTTP URL as well.
Note:


References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
https://azure.microsoft.com/en-us/updates/app-service-and-functions-hosted-apps-can-now-update-tls-versions/
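The dependency the thread argues about (client certificates are only ever presented over HTTPS, so "Incoming client certificates" enforces nothing while HTTP is still allowed) can be turned into a configuration check. This is an added Python example, not code from the ExamTopics page or from Microsoft; it assumes the settings appear under the Microsoft.Web/sites properties `httpsOnly`, `clientCertEnabled`, `clientCertMode` and `siteConfig.minTlsVersion`, and the WebApp1 values are constructed from the scenario as the comments describe it.

```python
"""Check whether an App Service site actually enforces TLS mutual auth (added example)."""
from copy import deepcopy
from typing import Dict, List

# Constructed: WebApp1 as the scenario describes it, reachable over http and
# https, with the defaults for the mutual-auth related settings (TLS 1.2 is
# the App Service default minimum, as noted in the thread).
WEBAPP1_CURRENT: Dict = {
    "name": "WebApp1",
    "properties": {
        "httpsOnly": False,
        "clientCertEnabled": False,
        "clientCertMode": "Required",
        "siteConfig": {"minTlsVersion": "1.2"},
    },
}


def _tls_version(text: str) -> tuple:
    """'1.2' -> (1, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def mutual_tls_findings(site: Dict) -> List[str]:
    """Return the reasons mutual TLS is NOT enforced on `site` (empty list = enforced)."""
    props = site["properties"]
    findings: List[str] = []

    # Option E on the page: without this the platform never requests a client
    # certificate, and nothing reaches the app to validate.
    if not props.get("clientCertEnabled", False):
        findings.append("clientCertEnabled is false: the platform never requests a client "
                        "certificate (portal: Incoming client certificates is Off)")
    elif props.get("clientCertMode", "Required") != "Required":
        findings.append(f"clientCertMode is {props['clientCertMode']}: clients without a "
                        "certificate are still admitted")

    # Option B on the page: a request over plain HTTP carries no client
    # certificate, so leaving HTTP open makes the requirement bypassable.
    if not props.get("httpsOnly", False):
        findings.append("httpsOnly is false: a request over HTTP carries no client "
                        "certificate, so the certificate requirement can be bypassed")

    # Option C on the page: keep legacy TLS versions out of the handshake.
    min_tls = props.get("siteConfig", {}).get("minTlsVersion", "1.2")
    if _tls_version(min_tls) < (1, 2):
        findings.append(f"minTlsVersion is {min_tls}: older TLS versions are still negotiated")

    return findings


def remediate(site: Dict) -> Dict:
    """Return a copy of `site` with the settings that make mutual TLS enforceable."""
    fixed = deepcopy(site)
    props = fixed["properties"]
    props["httpsOnly"] = True
    props["clientCertEnabled"] = True
    props["clientCertMode"] = "Required"
    props.setdefault("siteConfig", {})["minTlsVersion"] = "1.2"
    return fixed


if __name__ == "__main__":
    for finding in mutual_tls_findings(WEBAPP1_CURRENT):
        print("-", finding)
    print("after remediation:", mutual_tls_findings(remediate(WEBAPP1_CURRENT)))
```

Note that even with every finding cleared, App Service only forwards the certificate to the app; validating it (issuer, validity, thumbprint) remains the application's job, as one commenter quotes from the documentation.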

  TsuKiQAQ 1 year, 1 month ago


correct answer is B and E, mutual certificate needs client's certification and server's certification. So we should open the client certification
import capability
upvoted 21 times

  anonymous654 11 months ago


Same answer here B and E. While A is technically correct, B is a better choice over A because you could still allow HTTP along with
HTTPS.
upvoted 4 times

  kristiann21 6 months ago


A. Upload a public certificate: Site already runs https - hence implies that there is a public certificate uploaded already and working
fine

B. Turn on HTTPS Only: Let's pause on this for a moment

C. Set the minimum TLS version to 1.2: Very valid security setting, but is it a must in this case?

D. Change the pricing tier of the App Service plan: There is no indication of a pricing tier in question, so I might skip this choice

E. Turn on Incoming client certificates protocol setting: This is a must as the server needs to request a certificate from the browser.
So a definite answer.

E and ?

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
"If you access your site over HTTP and not HTTPS, you will not receive any client certificate. So if your application requires client
certificates, you should not allow requests to your application over HTTP." -- that means you need to have HTTPS Only when
requesting incoming client certificates.

So, E - turn on incoming client certificates, and make sure it works B - turn on HTTPS Only.

E and B right answers.


upvoted 19 times

  SnoopyDog 5 months, 1 week ago


https://cname does not necessarily imply certificate in public. https://litware.inc is an internal cert as FQ DNS says
http://www.litwareinc.com. So we need a public certificate?
upvoted 1 times

  Anamak2 5 months, 1 week ago


correct B-E
upvoted 2 times

  Kiri 1 year ago


"If you access your site over HTTP and not HTTPS, you will not receive any client certificate. So if your application requires client
certificates, you should not allow requests to your application over HTTP."

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
upvoted 4 times

  barchetta 9 months, 2 weeks ago


Contradicting information: says webapp1 is accessible via http and then we are told we must ENFORCE mutual authentication. So which is
it. I hope this isn't on the exam or I'm going to cry.
upvoted 3 times

  SIDNEY1 7 months, 2 weeks ago


So was this one on your exam? Wasn't on mine, thankfully.
upvoted 2 times

  Rajuuu 6 months, 1 week ago


This means we need to enforce only Https communication with TLS 1.2.
Answer is B and C.
upvoted 1 times

  Anamak2 5 months, 1 week ago


Your app allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. To enforce different
TLS versions, follow these steps:
https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-versions
upvoted 1 times 
  Anamak2 5 months, 1 week ago


To set up your app to require client certificates, you can switch On the Require incoming certificate by selecting Configuration >
General Settings from the Azure Portal or you need to set the clientCertEnabled setting for your app to true.

So It should be HTTPS only and allow incoming. TLS1.2 is basic requirement in this case which is enabled by default
upvoted 1 times

  azurearch 9 months ago


http needs to be supported
upvoted 1 times

  Gorha 7 months, 2 weeks ago


You can define exclusions that use only http:
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
This renders: C & E correct. As the web app is already using https, that means it already has a certificate.
upvoted 3 times

  Rajuuu 6 months, 1 week ago


Https comes in 2 flavours, i.e. with and without Client/Mutual Authentication. Hence the need to enforce HTTPS with TLS 1.2 version.
Answer B and C.
upvoted 1 times

  cybrtrk 7 months, 1 week ago


I'm really surprised no one has suggested D & E as the correct answer.
The link you all are referring to clearly says you have to scale your app service plan to B1, then enable client certificates.
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
upvoted 2 times

  Sizz 6 months, 3 weeks ago


This would only be true if we were told that the App Service is running on F1/D1.
upvoted 1 times

  Rajuuu 6 months, 1 week ago


There is no information on the current pricing tier for App service and hence cannot select. D and E.
upvoted 1 times

  AS007 7 months, 1 week ago


Correct Answer - C and E - Have verified
upvoted 6 times

  Rajuuu 6 months, 1 week ago


E is not possible and can be done just by enforcing the HTTPS only setting i.e. B.
upvoted 1 times

  frks 6 months, 2 weeks ago


text says app available via http and https, so certificate is already in place. not sure if tls has any impact. the text doesn't say you have to
have http afterwards, on the contrary, says there will be changes, and what are the requirements after the changes
upvoted 2 times

  Rajuuu 6 months, 1 week ago


Https comes in 2 flavours with and without Client Authentication…Prior seems to be a Server Auth only and hence the answer is B and
C.
upvoted 1 times

  lnn_az 5 months, 3 weeks ago


Correct answer is B and E. No doubt on that.

Refer https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth

1. One way to do it is to request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is
called TLS mutual authentication or client certificate authentication
2. If you access your site over HTTP and not HTTPS, you will not receive any client certificate. So if your application requires client
certificates, you should not allow requests to your application over HTTP. --> Choice B. Turn on HTTPS Only
3. No info about pricing tier. Let's assume App Service plan must be in the Basic, Standard, Premium, or Isolated tier.
4. Enable client certificates --> choice E. Turn on Incoming client certificates protocol setting
upvoted 6 times

  gfhbox0083 4 months, 4 weeks ago


B, E for sure
upvoted 1 times

  gboyega 4 months, 3 weeks ago


B and E are the correct answers
upvoted 3 times

  MoniqueArduin 4 months, 1 week ago 


Scenario: Existing Environment
Azure Security Center is set to the Free tier. So App Services is also Free tier.


Correct answers: DE
https://azure.microsoft.com/en-us/pricing/details/security-center/
upvoted 1 times

  NickDouglas 4 months ago


is it a guess that App services is also on free tier or somewhere written in scenario
upvoted 1 times

  eug45 3 months, 3 weeks ago


the correct answer is B and E

Ensure to turn on the HTTPS only protocol setting. Also ensure to mark the Incoming client certificates protocol setting as turned on for
the Azure Web App
upvoted 1 times

  james13 3 months, 3 weeks ago


Correct answers are C & E

For those suggesting B is correct, WebApp1 is accessible using https://litwareinc.com and http://www.litwareinc.com, restricting to HTTPS
only would prevent users from accessing using the http://www.litwareinc.com site.

A - Not needed, Azure doesn't complete mutual auth requests, it just passes them to the web app (Taken from the MS site - App Service
does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client
certificate.)

C - Although there is no requirement for TLS 1.2, this is a default setting and is best practice. It is also the only remaining valid option.

D - Pricing tier is key to deploying Mutual Auth, but details of the pricing tier are not available in this scenario.

E- The Azure configuration should be updated to allow client certificates to pass through - https://docs.microsoft.com/en-us/azure/app-
service/app-service-web-configure-tls-mutual-auth#enable-client-certificates
upvoted 2 times

  LTTAM 3 months, 3 weeks ago


This is a very good and justifiable point. However, the scenario states that the existing environment is: "...accessible by using https and
http... ". The new requirement says "WebApp1 must enforce mutual authentication". To satisfy this new condition, you must make
changes to the existing environment. And you do that by turning on HTTPS only protocol. Hence the correct answer is B & E.

Link - https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
upvoted 3 times

  peluca 3 months, 2 weeks ago


it's impossible to force mutual authentication without TLS... so, in order to have E you need to have B. B and E are the correct answers, no
doubts!
upvoted 1 times

  kiketxu 2 months ago


Guys, what a mess with this question.... I would say B and E initially, but I don't see B isn't correct as the WebApp1 should serve HTTP too.
(Look at the WebApp1 description)
To me is C and E. (Checked in another practice test site)
upvoted 2 times

  kiketxu 2 months ago


sry, I was meaning..."I don't see B correct as the.."
upvoted 1 times

  Shaw90 1 month, 2 weeks ago


BE are correct don't get confused. To enforce E you need B otherwise you cannot enforce E. Remember
upvoted 1 times

  kiketxu 4 days, 10 hours ago


and what about HTTP? If you enforce HTTPS you don't maintain the requisites.
upvoted 1 times

  Sahilkondel 1 month, 1 week ago


Given Answers are correct.
If you access your site over HTTP and not HTTPS, you will not receive any client certificate. This is one of the requirements for WebApp1 in
question.

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
upvoted 1 times

  Sahilkondel 1 month, 1 week ago


Given Answers are correct.
If you access your site over HTTP and not HTTPS, you will not receive any client certificate. This is one of the requirements for WebApp1 in
question to access it via HTTP and HTTPs both.
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth


upvoted 1 times

  jinxie 1 week, 3 days ago


no that is a listing of the current state of affairs on that webapp. The requirement is to sort out mutual authentication. This means that
only a client with a valid certificate can access the webapp. if you allow http access you basically allow a user to bypass the security you
are trying to implement. In other words http access needs to be Disabled and client certs need to be Enabled. B and E are the correct
answers anything else makes no sense.
upvoted 1 times


Question #2 Topic 11

Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.

To start the case study -


To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an
All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to
answer a question, click the Question button to return to the question.

Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.

Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the
Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity Management (PIM) is
activated.
The tenant contains the groups shown in the following table.

The Azure subscription contains the objects shown in the following table.

Azure Security Center is set to the Free tier.

Planned changes -
Litware plans to deploy the Azure resources shown in the following table.


Identity and Access Requirements


Litware identifies the following identity and access requirements:
All San Francisco users and their devices must be members of Group1.
The members of Group2 must be assigned the Contributor role to Resource Group2 by using a permanent eligible assignment.
Users must be prevented from registering applications in Azure AD and from consenting to applications that access company information on the
users' behalf.
Platform Protection Requirements
Litware identifies the following platform protection requirements:
Microsoft Antimalware must be installed on the virtual machines in Resource Group1.
The members of Group2 must be assigned the Azure Kubernetes Service Cluster Admin Role.
Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must be
available only for Resource Group1.
Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
Data and Application Requirements
Litware identifies the following data and applications requirements:
The users in Group2 must be able to authenticate to SQLDB1 by using their Azure AD credentials.
WebApp1 must enforce mutual authentication.

General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.

Question
HOTSPOT -
You need to create Role1 to meet the platform protection requirements.
How should you complete the role definition of Role1? To answer, select the appropriate options in the answer area.


NOTE: Each correct selection is worth one point.


Hot Area:

Correct Answer:

Scenario: A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1
must be available only for Resource Group1.
Managed disks are resources of the Microsoft.Compute resource provider (resource type Microsoft.Compute/disks), not Microsoft.Storage, so the role's Actions should target Microsoft.Compute/disks/*, and AssignableScopes must name only Resource Group1 so the role cannot be assigned anywhere else.
References:
https://blogs.msdn.microsoft.com/azureedu/2017/02/11/new-managed-disk-storage-option-for-your-azure-vms/
https://blogs.msdn.microsoft.com/azure4fun/2016/10/21/custom-azure-rbac-roles-and-how-to-extend-existing-role-de nitions-scope/
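The following is an added example, not part of the ExamTopics answer: a complete custom role definition for Role1 that grants control over managed disks and nothing else, with AssignableScopes restricted to Resource Group1 so that the role cannot be assigned at subscription scope or in any other resource group. The subscription ID is the one from the case study; the resource group name RG1 is assumed, and the Az.Resources module is required.

```powershell
# Added example: custom RBAC role for managed-disk administration,
# assignable only at the Resource Group1 scope.
# Assumptions: Resource Group1 is named RG1; the subscription ID is the
# one given in the case study; the Az.Resources module is installed.
$subscriptionId = '43894a43-17c2-4a39-8cfc-3540c2653ef4'
$rgName         = 'RG1'   # assumed name of Resource Group1

# Managed disks live under the Microsoft.Compute provider, so the data-plane
# of the role is Microsoft.Compute/disks/*; the two read actions let the
# assignee see the resource group and their own role assignments.
$roleJson = @"
{
  "Name": "Role1",
  "IsCustom": true,
  "Description": "Administer managed disks in Resource Group1 only.",
  "Actions": [
    "Microsoft.Compute/disks/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Authorization/*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/$subscriptionId/resourceGroups/$rgName"
  ]
}
"@

$roleFile = Join-Path $env:TEMP 'role1.json'
Set-Content -Path $roleFile -Value $roleJson -Encoding UTF8

# Create the role. AssignableScopes is what keeps it out of every other scope.
$role = New-AzRoleDefinition -InputFile $roleFile

# Check: the only assignable scope is RG1. Assigning Role1 at
# "/subscriptions/$subscriptionId" is rejected; assigning it at the RG works:
$role.AssignableScopes
# New-AzRoleAssignment -ObjectId <principalObjectId> -RoleDefinitionName 'Role1' `
#     -Scope "/subscriptions/$subscriptionId/resourceGroups/$rgName"
```

If Role1 later needs to cover snapshots as well, add Microsoft.Compute/snapshots/* to Actions rather than widening to Microsoft.Compute/*; the scope restriction alone does not limit what the role can do inside the resource group.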

  junkz 1 year, 1 month ago


Managed disks abstract the disks management in storage, so we should only focus on compute. also, the scope needs to be around RG1
only, as per requirement
upvoted 14 times


  baxt0r 10 months, 3 weeks ago


Microsoft.compute/disks/*
upvoted 16 times

  kristiann21 6 months ago


What this means is that the managed disks no longer require to be stored in the Azure Storage. Hence we do not need to use
Microsoft.Storage. Since the managed disks are managed by the VM itself, it falls under compute, hence Microsoft.compute/disks/*
and then the subscription and RG1 needs to be explicit.
upvoted 4 times

  Roy_Batty 2 months, 3 weeks ago


Just to flesh out this thread (which I think is spot-on:
* There isn't any reference (unless I'm missing it) to the VMs using managed disks, but . . .
* There is *no* storage account listed in the resources, so doesn't that kinda' mean the *have to* be using managed disks?
upvoted 1 times

  Prash85 8 months, 3 weeks ago


it should be Microsoft.compute/disks and the scope should be of Resource Group RG1 as per the protection requirements.
upvoted 3 times

  Rave763 7 months, 1 week ago


1) Microsoft.Compute/
2) disks
3) /subscription/{subscriptionId}/resourceGroups/{Resource Group Id}

Explanation:
A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must
be available only for Resource Group1.

This proves we need to maintain scope to ResourceGroup 1 only.


Also Resource group 1 contains VNet1, VM0, and VM1, none of them are storage disks
upvoted 25 times

  AS007 7 months, 1 week ago


1st Option
1st Option
2nd Option
upvoted 7 times

  IsildursHeir 7 months ago


I second Microsoft.compute/disks
upvoted 2 times

  Rajuuu 6 months ago


Why not VM/disk in Option 1 ? The Disk in question is a VM disk and not a Managed Disk under Compute.
upvoted 1 times

  examkid 6 months ago


Looking at the ARM template for a managed disk, the given answer is wrong!
Managed disks belong to the 'Microsoft/compute' resource provider and not 'Microsoft/Storage'
https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/2019-11-01/disks
upvoted 3 times

  SYY 5 months, 2 weeks ago


The correct answer is
1) Microsoft.Compute/
2) disks
3) /subscription/{subscriptionId}/resourceGroups/{Resource Group Id}
upvoted 3 times

  SnoopyDog 5 months, 1 week ago


Correct answer. The Managed disks need no association with Storage Group during provisioning.
upvoted 1 times

  ThisIsNotNull 4 months, 4 weeks ago


FYI, anyone looking for a official Azure documentation on the part 3 for this question,

take a look at https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions#assignablescopes with the network


resource group option in particular
upvoted 2 times

  gboyega 4 months, 3 weeks ago


Correct Answer should be
1) Microsoft.Compute/
2) disks
3) /subscription/{subscriptionId}/resourceGroups/{Resource Group Id}

upvoted 1 times


  eug45 3 months, 3 weeks ago


The correct answer 1) Microsoft.Compute/
2) disks
3) /subscription/{subscriptionId}/resourceGroups/{Resource Group Id}

Since we have to enable this only for the resource groups, we have to limit the scope to the resource groups

Managed disks come under the resource provider type of “Microsoft.Compute/disks/*”


upvoted 2 times

  Mannishh 3 months ago


examtopics has the best dumps i have see for AZ-500
upvoted 1 times


Question #3 Topic 11

Introductory Info
This question uses the same Litware, Inc. case study (overview, existing environment, planned changes, and identity, platform protection, security operations, data and application, and general requirements) as Question #2 above; the case study text is not repeated here.
Question
DRAG DROP -
You need to configure SQLDB1 to meet the data and application requirements.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the


answer area and arrange them in the correct order.


Select and Place:

Correct Answer:

Step 1: Connect to SQLDB1 by using Microsoft SQL Server Management Studio (SSMS)
Step 2: In SQLDB1, create contained database users.
Create a contained user in the database that represents the VM's system-assigned identity.
Step 3: In Azure AD,create a system-assigned managed identity.
A system-assigned identity for a Windows virtual machine (VM) can be used to access an Azure SQL server. Managed Service Identities are
automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without needing to insert


credentials into your code.


References:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
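The following is an added example, not part of the ExamTopics answer, showing the sequence the Azure SQL Azure AD authentication documentation describes: set an Azure AD administrator on the logical server, connect as that administrator, and create a contained database user mapped to Group2. It does the SSMS step from PowerShell with an access token rather than interactively. The logical server name litwaresqlserver1 and resource group RG2 are assumed; Get-AzAccessToken needs Az.Accounts 2.2 or later and Invoke-Sqlcmd -AccessToken needs a 2019 or later SqlServer module.

```powershell
# Added example: let the members of Group2 authenticate to SQLDB1 with Azure AD.
# Assumptions: logical server litwaresqlserver1 in resource group RG2 (names
# assumed); sqladmins@litwareinc.com is an existing Azure AD user or group;
# the Az.Sql, Az.Accounts and SqlServer modules are installed.

# Step 1: set the Azure AD admin of the logical server. This is the principal
# that can create contained users mapped to Azure AD identities.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName 'RG2' `
    -ServerName 'litwaresqlserver1' -DisplayName 'sqladmins@litwareinc.com'

# Step 2: connect to SQLDB1 as that Azure AD admin. A token for the Azure SQL
# audience is the non-interactive equivalent of the SSMS "Azure Active Directory"
# authentication options; no SQL login or password is involved.
$server = 'litwaresqlserver1.database.windows.net'
$token  = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net/').Token

# Step 3: create a contained database user mapped to the Azure AD group and
# give it only the role it needs. The user exists in SQLDB1 alone; nothing is
# created at the server level, so Group2 cannot reach other databases.
$createUser = @"
CREATE USER [Group2] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [Group2];
"@
Invoke-Sqlcmd -ServerInstance $server -Database 'SQLDB1' -AccessToken $token -Query $createUser

# Check: the principal is present and of type EXTERNAL_GROUP.
Invoke-Sqlcmd -ServerInstance $server -Database 'SQLDB1' -AccessToken $token `
    -Query "SELECT name, type_desc FROM sys.database_principals WHERE name = 'Group2';"
```

CREATE USER ... FROM EXTERNAL PROVIDER resolves the name against Azure AD at creation time, which is why the Azure AD administrator has to be in place before the statement runs: without it the server has no identity with which to look the group up.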

  c1265 1 year ago


create a system assigned managed identity should be first step if you refer to link provided, its a prerequisite for next steps
upvoted 3 times

  NoNotSpam 11 months, 2 weeks ago


The problem does not stipulate that Azure VMs are used in the authentication. Thus, I believe the answer to be (1) Create AD
Administrator, (2) Created contained user, (3) Connect SSMS. See https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-
authentication-configure?tabs=azure-powershell#create-contained-database-users-in-your-database-mapped-to-azure-ad-identities
upvoted 10 times

  baxt0r 10 months, 3 weeks ago


in that case, it would be (1) create AD admin, (2) connect to SSMS with that admin, (3) create contained users
upvoted 31 times

  kristiann21 6 months ago


correct order and correct answer, see my comment and the linked video below.
upvoted 1 times

  cybrtrk 7 months, 2 weeks ago


you have 2&3 backwards. baxt0r is right: 1. Create AD admin, 2. connect with SSMS, 3. create contained users.
upvoted 1 times

  Rave763 7 months, 1 week ago


I think from the link provided , you go in sequence of the steps provided you find the order mentioned by @NoNotSpam
1) Create AD Administrator, (2) Created contained user, (3) Connect SSMS
upvoted 3 times

  jwkin 7 months, 1 week ago


I think it is 1)Create System assigned identity 2)Create AD admin 3)Create contained DB users. https://docs.microsoft.com/en-
us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
upvoted 1 times

  Jonahlisyus 7 months ago


What's the correct answer here?
upvoted 2 times

  robori 6 months, 1 week ago


I believe baxt0r´s answer is right, based on the link "NoNotSpam" had posted, take a look at the sequence:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell#create-
contained-database-users-in-your-database-mapped-to-azure-ad-identities
upvoted 1 times

  Derek_O2018 6 months, 2 weeks ago


I believe that the answer should be:

1. From the azure portal, create an AAD admin for the sql server => This corresponds to setting the admin account on the SQL server.

2. Connect to the DB using SSMS.

3. In SQLDB1, create contained db users => since we do not have a vm, there is not a way to create a system managed identity manually
as such identity is usually enabled for a resource that supports it through its settings. The contained user SQL command will rely on the
name of the user in AD. This is referenced from the article: "SQL DB requires unique AAD display names. With this, the AAD accounts such
as users, groups and Service Principals (applications) and VM names enabled for managed identity must be uniquely defined in AAD
regarding their display names.")

Ref: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
upvoted 5 times

  Root_Access 6 months, 2 weeks ago


Correct answer should be:
Create SQL AD admin
Connect using SSMS
create contained users

https://docs.microsoft.com/en-gb/azure/sql-database/sql-database-aad-authentication
upvoted 4 times

  shaheer1991 6 months, 1 week ago


I'd have to go with
1- create AD admin on the SQL server
2- connect to SSMS with that admin you created
3- create contained users

as shown in this video:


https://www.youtube.com/watch?v=pEPyPsGEevw

please note that the link provided in the solution doesn't meet the main ASK here.
upvoted 12 times

  kristiann21 6 months ago


Thanks for linking this video. Extremely useful in answering this question.

https://youtu.be/pEPyPsGEevw?t=632
starts at 10.30

1. Go to Azure Sql Server:


Add Active Directory Admin (Needs to be Global Administrator in Azure AD)
- because this is the account that Azure SQL database is going to use to look up other users

2. Go to SSMS and connect to the Sql Server


Active Directory-Password Authentication
Login as Global Admin

3. Add Azure AD users


Create AD users in the database where the login needs to be allowed. Apparently the users confined to a database (and not the
database server) are called contained users.

So, the answer is:

From the Azure portal, create an Azure AD administrator for LitwareSQLServer1

Connect to SQLDB1 by using SSMS

In SQLDB1, create contained database users

The order makes sense, because to create a user in SQLDB1, you need to connect to it first using SSMS.
upvoted 18 times

  gboyega 4 months, 3 weeks ago


Correct answer is

Create SQL AD admin


Connect using SSMS
create contained users
upvoted 4 times

  ThisIsNotNull 4 months, 3 weeks ago


I am aware that I am going against the majority in the discussion here. But I still can't help feeling uneasy with the popular solution based
on my hunch that the intention of this question should likely be testing us on our understanding of the requirement statement: "The
users in Group2 must be able to authenticate to SQLDB1 by using their Azure AD credentials"

But the popular recommended answer in this discussion does not really have anything to do with making sure Azure AD credentials can
be used. At least the proposed solution did mention managed identity which is found in Azure AD for token access to the DB.

Hence my hesitation and unease. If the question asks for 4 steps instead of 3, it will be much easier to answer this question.
upvoted 1 times

  gboyega 4 months, 3 weeks ago


Hey Let me clarify this for you.
So when you stand up an SQL server, you get to put in a username and password
1. That username and password is mainly for SQL (SQL server Authentication credentials)
2. But if and when we want to integrate it with users in AAD
We go to the SQL Server, under Active directory admin, we add the user who would be able to sign into SSMS with his Azure AD
credentials and not the username we put when firstly creating the SQL Server.
3. SO after creating the SQL AD Admin credentials. we would have to sign into SSMS and using Active Directory credentials
4. After been authenticated to your Server/database. the user can then create a contained user.
Contained users can only authenticate to the database in which they were created/given access to and not the whole server.

If you want me to clarify more. just say. i would check later to explain further and easier.
upvoted 10 times

  LTTAM 4 months ago


A very good explanation. Spoken like a SQL guy.
upvoted 1 times

  Roy_Batty 2 months, 3 weeks ago


Great breakdown, @gboyega! Any chance you can point to a good reference doc?
upvoted 2 times

  planb7000 3 months, 3 weeks ago


system-assigned managed identity first!
[[SSMS is too tedious..not good for the requirements here]]
Creating an AD admin should be the next thing after...
Contained Users should come last.
remember guys minimize admin stuff as much as you can!
upvoted 1 times

  cloudycloud 1 month, 3 weeks ago


look this link.. match perfectly : https://docs.microsoft.com/fr-fr/azure/azure-sql/database/authentication-aad-overview so
1/Create an Azure Active Directory administrator.
2/Create contained database users in your database mapped to Azure AD identities.
3/Connect to your database by using Azure AD identities. (using SSMS)
upvoted 5 times

Topic 12 - More Questions.

Question #1 Topic 12

You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?

A. device compliance policies in Microsoft Intune

B. Azure Automation State Configuration

C. application security groups

D. Azure Advisor

Correct Answer: B
You can use Azure Automation State Configuration to manage Azure VMs (both Classic and Resource Manager), on-premises VMs, Linux
machines, AWS VMs, and on-premises physical machines.
Note: Azure Automation State Configuration provides a DSC pull server similar to the Windows Feature DSC-Service so that target nodes
automatically receive configurations, conform to the desired state, and report back on their compliance. The built-in pull server in Azure
Automation eliminates the need to set up and maintain your own pull server. Azure Automation can target virtual or physical Windows or Linux
machines, in the cloud or on-premises.
References:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started

  ogbeu 1 6 months ago


Correct
upvoted 1 times

  kristiann21 5 months, 4 weeks ago


correct answer
upvoted 1 times

  gfhbox0083 5 months ago


B, for sure.
Same as Topic2 Q2.
The primary use case for the Azure Desired State Configuration (DSC) extension is to bootstrap a VM to the Azure Automation State
Configuration (DSC) service
upvoted 4 times


Question #2 Topic 12

HOTSPOT -
You suspect that users are attempting to sign in to resources to which they have no access.
You need to create an Azure Log Analytics query to identify failed user sign-in attempts from the last three days. The results must only show users
who had more than five failed sign-in attempts.
How should you configure the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer: Explanation


The following query, adapted from the Azure Monitor log query examples, identifies user accounts that failed to sign in more than five times within the lookback window, and when they last attempted to sign in. The window is bound to the timeframe variable and set to 3d so that the query matches the question (the documentation example uses 1d):
let timeframe = 3d;
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where AccountType == 'User' and EventID == 4625 // 4625 - failed log in
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
| project-away Account1
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/examples
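The following is an added example, not part of the ExamTopics answer, that runs the same hunt against a Log Analytics workspace from PowerShell with the window and threshold as parameters, so the three-day/five-attempt values from the question are not hard-coded into the query text. The workspace ID is a placeholder, and the Az.OperationalInsights module and Log Analytics Reader rights on the workspace are assumed.

```powershell
# Added example: failed-sign-in hunt with the lookback and threshold as parameters.
# Assumptions: the workspace ID below is a placeholder; Az.OperationalInsights is
# installed and the caller has Log Analytics Reader on the workspace.
param(
    [string]$WorkspaceId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [int]$Days = 3,        # the question asks for the last three days
    [int]$Threshold = 5    # and for more than five failures per user
)

# The values are interpolated into the KQL as let-bound constants; they are
# integers from typed parameters, so no free-text user input reaches the query.
$query = @"
let timeframe = ${Days}d;
let threshold = $Threshold;
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where AccountType == 'User' and EventID == 4625   // 4625 = failed logon
| summarize failed_login_attempts = count(),
            latest_failed_login = arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > threshold
| project-away Account1
| order by failed_login_attempts desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query

# One row per account over the threshold, worst offenders first.
$result.Results | Format-Table Account, failed_login_attempts, latest_failed_login
```

Accounts that appear here with a very recent latest_failed_login are the ones to pivot on next (source workstation and logon type from the same 4625 events); accounts whose failures all cluster days ago are more likely a stale service credential than an active attempt.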

  JohnCrawford 1 year, 1 month ago


The question asks for last 3 days not just the last day.
upvoted 5 times

  alexgrdi89 6 months, 2 weeks ago


image hot area:
https://ibb.co/GMywTTv
Response: EventId and Count()
upvoted 10 times

  fmlvaz 3 weeks, 5 days ago


Thanks for the image
upvoted 1 times

  Rajuuu 6 months, 1 week ago


let timeframe = 3d;
SecurityEvent
| where TimeGenerated > ago(3d)
| where AccountType == 'User' and EventID == 4625 // 4625 - failed log in
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
| project-away Account1
upvoted 3 times

  examkid 6 months ago


SecurityEvent
| where TimeGenerated > ago(3d)
| where AccountType == 'User' and EventID == 4625 // 4625 - failed log in
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
upvoted 4 times

  kristiann21 5 months, 4 weeks ago


correct answer. Good one.
upvoted 2 times

  gfhbox0083 5 months ago


Event ID and Count
upvoted 3 times

  Vinz_ 2 months, 2 weeks ago


Same question as Topic 3 - Question #3
upvoted 2 times


Question #3 Topic 12

You are securing access to the resources in an Azure subscription.


A new company policy states that all the Azure virtual machines in the subscription must use managed disks.
You need to prevent users from creating virtual machines that use unmanaged disks.
What should you do?

A. Azure Monitor

B. Azure Policy

C. Azure Security Center

D. Azure Service Health

Correct Answer: B
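The following is an added example, not part of the ExamTopics answer: a custom Azure Policy definition with a deny effect, assigned at subscription scope, that rejects any virtual machine deployment whose OS disk is an unmanaged VHD. The alias it tests is the one the built-in "Audit VMs that do not use managed disks" policy relies on (that built-in only audits, which is why a custom definition with deny is needed here); the subscription ID is a placeholder and the Az.Resources module is assumed.

```powershell
# Added example: deny creation of VMs that use unmanaged (VHD-in-storage-account) disks.
# Assumptions: the alias Microsoft.Compute/virtualMachines/osDisk.uri is the one
# used by the built-in audit policy for the same condition; the subscription ID
# is a placeholder; Az.Resources is installed and the caller can write policy.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder

# A managed-disk VM has no osDisk.uri; an unmanaged one always does.
$policyRule = @"
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "field": "Microsoft.Compute/virtualMachines/osDisk.uri", "exists": "true" }
    ]
  },
  "then": { "effect": "deny" }
}
"@

$definition = New-AzPolicyDefinition -Name 'deny-unmanaged-disks' `
    -DisplayName 'Deny VMs that use unmanaged disks' `
    -Description 'Rejects VM deployments whose OS disk is a page blob in a storage account.' `
    -Policy $policyRule -Mode All

# Assign at the subscription so it applies to every resource group, including
# ones created later; the deny is evaluated before the resource is created.
New-AzPolicyAssignment -Name 'deny-unmanaged-disks' `
    -Scope "/subscriptions/$subscriptionId" `
    -PolicyDefinition $definition

# Check: a subsequent template or CLI deployment that sets
# storageProfile.osDisk.vhd.uri fails with RequestDisallowedByPolicy, while a
# VM whose osDisk specifies managedDisk deploys as before.
```

A deny effect only stops new non-compliant deployments; VMs that already use unmanaged disks stay as they are and show up as non-compliant in the policy compliance view, where they can be migrated.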

  kristiann21 5 months, 4 weeks ago


hands down, Azure Policy! correct answer.
upvoted 7 times

  M4gnet1k 4 months, 4 weeks ago


Correct answer.
upvoted 4 times

Question #4 Topic 12

You have an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use automatically generated service principal for the AKS cluster to authenticate to the Azure Container Registry.
What should you create?

A. a secret in Azure Key Vault

B. a role assignment

C. an Azure Active Directory (Azure AD) user

D. an Azure Active Directory (Azure AD) group

Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal
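The following is an added example, not part of the ExamTopics answer, that creates the role assignment the answer refers to: the cluster's automatically generated service principal gets AcrPull on the registry, scoped to the registry resource itself rather than to the resource group or subscription. The cluster name aks1, registry name litwareacr and resource group RG1 are assumed, as are the Az.Aks, Az.ContainerRegistry and Az.Resources modules.

```powershell
# Added example: let an AKS cluster's service principal pull from an ACR.
# Assumptions: cluster aks1 and registry litwareacr in resource group RG1
# (names assumed); Az.Aks, Az.ContainerRegistry, Az.Resources are installed.
$cluster  = Get-AzAksCluster -ResourceGroupName 'RG1' -Name 'aks1'
$registry = Get-AzContainerRegistry -ResourceGroupName 'RG1' -Name 'litwareacr'

# The cluster object carries the application (client) ID of its service
# principal; role assignments are made against the object ID, so resolve it.
$sp = Get-AzADServicePrincipal -ApplicationId $cluster.ServicePrincipalProfile.ClientId

# AcrPull is the least role that lets nodes pull images: no push, no delete,
# no registry management. The scope is the registry's own resource ID.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'AcrPull' -Scope $registry.Id

# Check: exactly one assignment, AcrPull, scoped to the registry and nothing wider.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $registry.Id |
    Select-Object RoleDefinitionName, Scope
```

If the cluster was created with a managed identity instead of a service principal, the principal to use is the kubelet identity (the cluster's IdentityProfile entry for kubeletidentity), not ServicePrincipalProfile; the role and scope are the same.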

  Arun140_73 4 months, 4 weeks ago


B is the correct answer!
upvoted 5 times

  kiketxu 2 months ago


B for sure!
upvoted 4 times

  thomastrain 2 weeks, 4 days ago


Yes, B is correct. You need to create an AcrPull role. https://docs.microsoft.com/en-us/azure/aks/cluster-container-registry-integration
upvoted 1 times

  Loga 6 days, 9 hours ago


Ques repeats :/
upvoted 1 times


Question #5 Topic 12

You are troubleshooting a security issue for an Azure Storage account.


You enable the diagnostic logs for the storage account.
What should you use to retrieve the diagnostics logs?

A. the Security & Compliance admin center

B. SQL query editor in Azure

C. File Explorer in Windows

D. AzCopy

Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
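The following is an added example, not part of the ExamTopics answer: it turns on Storage Analytics logging for the blob service, downloads the resulting log blobs from the hidden $logs container with AzCopy using a short-lived read/list SAS, and then greps them locally for anonymous requests. The account name storage1 and resource group RG1 are assumed; AzCopy v10 on PATH, the Az.Storage module, and a storage context that can mint a service SAS (that is, one backed by an account key) are also assumed.

```powershell
# Added example: enable blob-service logging, fetch the $logs blobs with AzCopy,
# and look for anonymous requests in them.
# Assumptions: account storage1 in resource group RG1 (assumed); azcopy v10 on
# PATH; the caller can list account keys so the context can generate a SAS.
$ctx = (Get-AzStorageAccount -ResourceGroupName 'RG1' -Name 'storage1').Context

# Log reads, writes and deletes, keep them for 7 days. Logs are written as
# blobs under $logs/blob/<yyyy>/<MM>/<dd>/<hhmm>/ and are only visible by name.
Set-AzStorageServiceLoggingProperty -ServiceType Blob -LoggingOperations All `
    -RetentionDays 7 -Context $ctx

# A one-hour, read+list-only SAS on the $logs container is enough for AzCopy.
$sas = (New-AzStorageContainerSASToken -Name '$logs' -Permission rl `
    -ExpiryTime (Get-Date).AddHours(1) -Context $ctx).TrimStart('?')

# Download the blob-service logs only; --recursive walks the date hierarchy.
$src  = "https://storage1.blob.core.windows.net/`$logs/blob?$sas"
$dest = 'C:\storage-logs'
azcopy copy $src $dest --recursive

# Each line of a log blob is a semicolon-delimited request record whose
# authentication-type field is authenticated, sas or anonymous. Anonymous
# requests against a container that should be private are the first thing to check.
Get-ChildItem $dest -Recurse -Filter *.log |
    Select-String -Pattern ';anonymous;' |
    Select-Object -First 20
```

The same SAS approach is what keeps the retrieval itself from becoming the next finding: the token grants read and list on $logs alone and expires in an hour, so nothing with write access to the account leaves the session.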

  kristiann21 6 months ago


https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?
toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=dotnet#download-storage-logging-log-data

To view and analyze your log data, you should download the blobs that contain the log data you are interested in to a local machine. Many
storage-browsing tools enable you to download blobs from your storage account; you can also use the Azure Storage team provided
command-line Azure Copy Tool AzCopy to download your log data.

So AzCopy is the most appropriate answer. AzCopy.


upvoted 14 times

  Loga 6 days, 9 hours ago


Ques repeated 4th time
upvoted 1 times


Question #6 Topic 12

You have an Azure Storage account named storage1 that has a container named container1.
You need to prevent the blobs in container1 from being modified.
What should you do?

A. From container1, change the access level.

B. From container1, add an access policy.

C. From container1, modify the Access Control (IAM) settings.

D. From storage1, enable soft delete for blobs.

Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage?tabs=azure-portal
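The following is an added example, not part of the ExamTopics answer, that applies the immutable blob storage access policy the answer points to: a time-based retention policy on container1, locked so it cannot be shortened or removed, plus an optional legal hold. Unlike an IAM change (option C), this is enforced by the storage service regardless of what role the caller holds, so even an Owner cannot overwrite or delete the blobs while the policy is in effect. The resource group RG1 is assumed, as is the Az.Storage module.

```powershell
# Added example: make the blobs in container1 immutable (WORM).
# Assumptions: storage1 is in resource group RG1 (assumed); Az.Storage is
# installed and the caller can manage the storage account.
$rg = 'RG1'; $account = 'storage1'; $container = 'container1'

# 1. Time-based retention: every blob is immutable for 365 days from the time
#    it is written. While the policy is unlocked it can still be edited or
#    deleted, so on its own it is a setting, not yet a control.
$policy = Add-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container -ImmutabilityPeriod 365

# 2. Lock the policy. A locked policy can only have its period extended;
#    it cannot be shortened or removed, by anyone, for the life of the container.
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container -Etag $policy.Etag -Force

# 3. Optional: a legal hold has no end date and blocks writes and deletes until
#    every tag is cleared, which suits an open investigation better than a period.
Add-AzRmStorageContainerLegalHold -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container -Tag 'ir2020nov'

# Check: the container now reports the policy state and the hold.
Get-AzRmStorageContainer -ResourceGroupName $rg -StorageAccountName $account `
    -Name $container | Select-Object Name, HasImmutabilityPolicy, HasLegalHold

# Any PUT, Delete Blob or Set Blob Metadata against a blob in container1 now
# fails with HTTP 409 Conflict; no RBAC role overrides that.
```

Locking is deliberately a separate step: test the unlocked policy first, because once locked the only way out of a 365-day retention on the wrong container is to wait.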

  ExamUser 7 months, 1 week ago


Correct answer's C. Refer to https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal?
toc=/azure/storage/blobs/toc.json
upvoted 1 times

  kristiann21 5 months, 4 weeks ago


Given answer is correct. B is the correct answer!
upvoted 4 times

  awssecuritynewbie 1 month, 2 weeks ago


The reason C is wrong is because you are using IAM to change permission for a user but it does not focus on the Resource that you are
trying to edit so it means a new user might get the right to modify something.
upvoted 1 times

  vlq 7 months ago


B is the correct answer.
With IAM you can only restrict access, but not prevent blob from being modified
upvoted 11 times

  Prash85 6 months, 3 weeks ago


B is the correct answer
upvoted 4 times

  examkid 6 months ago


IAM is used to configure permissions on the Azure Storage resource in Azure.
To prevent blobs being modified, which are objects within the storage account, access policies needs to be configured.

B is correct
upvoted 3 times

  P0d 5 months, 2 weeks ago


Answer is RBAC and in this question it's on C
upvoted 1 times

  P0d 5 months, 2 weeks ago


Container- IAM control-- Assign Storage Blob Container Reader permission;
Access policy is additional security
upvoted 1 times

  levo017 3 months ago


IAM is about permission for Storage Account, this question is asking the content within the container within the Storage Account. it
should be B, access policy on container.
upvoted 1 times

  PA 5 months ago
C....Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
upvoted 1 times

  Hemn1990 4 months, 4 weeks ago


you cant give rbac role to whole organization that sounds weird it is clear B
upvoted 4 times

  chaudh 4 months, 3 weeks ago

Agreed, role-based is applicable for specific users/identities, while using a resource policy (access policy) is ideal for the resource itself. B is my
choice.
upvoted 3 times

  pmr123 4 months, 3 weeks ago


If you change the access level to private only, will it also be prevented from being modified??
upvoted 1 times

  Spamuel 4 months, 1 week ago


Definitely B - access policy. You can either set an immutable (read only) policy or a legal hold (cannot delete) policy.
upvoted 1 times

  LTTAM 3 months, 3 weeks ago


Both B and C could achieve the results. However, assigning RBAC (Access Control IAM) to an entire organization (to each individual) does
not seem practical and seems extreme. Probably the more streamlined approach would be to simply add a 'Read Only' policy to the container.
Not the best worded question and always open to interpretation. I would lean towards the current answer B: Access Policy to be
correct.
upvoted 4 times

  Roy_Batty 2 months, 3 weeks ago


It took some digging, and convincing, but the answer is C (access policy). The "access" part kept sticking for me, especially given the
immutable blob storage link in the given answer, but if you follow the links to the management breakdown (
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutability-policies-manage?tabs=azure-portal ) you quickly come
to this:

Set retention policies and legal holds


Create a new container or select an existing container to store the blobs that need to be kept in the immutable state. The container must
be in a general-purpose v2 or Blob storage account.

Select *Access policy* in the container settings. Then select Add policy under Immutable blob storage.
upvoted 1 times

  Roy_Batty 2 months, 3 weeks ago


*ugh* - what I said above, but *B* is the Access Policy choice.
upvoted 1 times

  ipindado2020 1 month, 3 weeks ago


B is the way
upvoted 1 times

  DeepMoon 1 month, 2 weeks ago


Yes. B & C can do that. But why go to all that length. Simply change the access level to read only. See the GUI screen shown on this link.
https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#tabpanel_CeZOj-G++Q-1_portal
upvoted 1 times

  DeepMoon 1 month, 2 weeks ago


Nobody seems to consider A. Even though Access level is the simplest. Although it has fewer choices in granular control permissions. On
this link scroll down to the graphic below:
https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#tabpanel_CeZOj-G++Q-1_portal
upvoted 1 times


Question #7 Topic 12

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to create several security alerts by using Azure Monitor.
You need to prepare the Azure subscription for the alerts.
What should you create first?

A. An Azure Storage account

B. an Azure Log Analytics workspace

C. an Azure event hub

D. an Azure Automation account

Correct Answer: B

  SecuritycloudArchitect 6 months ago


shouldn't it be storage account and then log analytics workspace
upvoted 3 times

  kristiann21 5 months, 4 weeks ago


I will go with log analytics workspace. Hopefully, someone can provide a documentation link to support the answer.
upvoted 2 times

  Kagekirke 5 months ago


The answer is a storage account. You cannot have a log analytics workspace without one.
upvoted 1 times

  gagol14 2 months, 1 week ago


Wrong. Just tested in my lab. I created workspace without storage account creation.
upvoted 1 times

  DeepMoon 1 month, 3 weeks ago


Yes. When you create a log analytics workspace it creates a storage account by default unless you point to an existing account.
upvoted 1 times

  azure456 5 months, 3 weeks ago


Its log analytics workspace.
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-create-workspace
upvoted 3 times

  P0d 5 months, 2 weeks ago


Indeed, no need for anything. Just go to Azure Monitor > Alerts and create a rule
upvoted 2 times

  Kagekirke 5 months ago


How is this a valid response? There are 4 Choices and your answer is none of them. Where is the value in that without a supporting
link???
upvoted 2 times

  hstorm 2 months, 2 weeks ago


Because you already created a default workspace ;-)
upvoted 1 times

  mbombom 4 months, 3 weeks ago


The answer is B.
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
upvoted 2 times

  Exam_Master_Me 4 months, 1 week ago


LAW based on: "Use the Log Analytics workspaces menu to create a Log Analytics workspace using the Azure portal. A Log Analytics
workspace is a unique environment for Azure Monitor log data. Each workspace has its own data repository and configuration, and data
sources and solutions are configured to store their data in a particular workspace."
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-create-workspace
upvoted 1 times

  Seagun 1 month ago


This is AZ104v question - answer is definitely log analytics 
upvoted 1 times


Question #8 Topic 12

Your company has an Azure subscription named Sub1. Sub1 contains an Azure web app named WebApp1 that uses Azure Application Insights.
WebApp1 requires users to authenticate by using OAuth 2.0 client secrets.
Developers at the company plan to create a multi-step web test app that performs synthetic transactions emulating user traffic to Web App1.
You need to ensure that web tests can run unattended.
What should you do first?

A. In Microsoft Visual Studio, modify the .webtest file.

B. Upload the .webtest file to Application Insights.

C. Register the web test app in Azure AD.

D. Add a plug-in to the web test app.

Correct Answer: B

  Sizz 6 months, 3 weeks ago


Source: https://docs.microsoft.com/en-us/azure/azure-monitor/app/availability-multistep
upvoted 5 times

  D_PaW 6 months ago


From your given URL wouldn't that mean that the correct answer should be A since it's all about Visual Studio's Multi-steps (That are
being deprecated)???
upvoted 1 times

  ExamWynner 2 months, 4 weeks ago


Appears Step#1 - Visual Studio create Multi-steps, Step#2 - Upload to Application Insight
upvoted 1 times

  D_PaW 6 months ago


From your given URL wouldn't that mean that the correct answer should be A since it's all about Visual Studio's Multi-steps (That are being
deprecated)???
upvoted 2 times

  P0d 5 months, 2 weeks ago


First we need to register the app in AD
upvoted 1 times

  P0d 5 months, 2 weeks ago


As it says: WebApp1 requires users to authenticate by using OAuth 2.0 client secrets
upvoted 1 times

  Anamak2 5 months, 1 week ago


It says Azure App; doesn't that mean it's already registered?
upvoted 1 times

  PA 4 months, 4 weeks ago


It looks like Option B is correct as per below :
Upload the web test
In the Application Insights portal on the Availability pane select Create Test > Test type > Multi-step web test.

Set the test locations, frequency, and alert parameters.


upvoted 1 times

  mbombom 4 months, 3 weeks ago


Answer is A; - Multi-step web test: A recording of a sequence of web requests, which can be played back to test more complex scenarios.
Multi-step web tests are created in Visual Studio Enterprise and uploaded to the portal for execution.
https://docs.microsoft.com/en-us/azure/azure-monitor/app/monitor-web-app-availability
upvoted 3 times

  Exam_Master_Me 4 months, 1 week ago


What about answer D: To bypass the OAuth issue we can use a Plugin.

https://www.bluey.com/2017/05/08/visual-studio-web-tests-oauth-taming-elusive-access-token/
"The most common one is to implement a WebTestPlugin with custom code to negotiate with the OAuth server, get the access token, and
set it to a Context Parameter in your test run."
upvoted 1 times 
  Bobo_Lee 4 months, 1 week ago


https://github.com/uglide/azure-content/blob/master/articles/application-insights/app-insights-monitor-web-app-availability.md#multi-step-web-tests
I think the answer is A
upvoted 1 times

  GinjaNinja 4 months, 1 week ago


Given answer is correct:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/monitor-web-app-availability
Notice the warning at the top of this link, stating this method is no longer recommended. Leading me to believe this question will be
removed from the test
upvoted 1 times

  madhatter 4 months ago


this is security related?
upvoted 2 times

  LTTAM 3 months, 3 weeks ago


The correct answer is B. However, the answer is strangely worded "... Upload the .webtest file ... " This can cause confusion. Maybe this is
for an older Azure interface or method perhaps.

If you do this lab in the Azure portal, it does not ask you to upload anything. You just specify a URL for the location of your test web app.
Application Insights is the only valid answer out of the selection regardless.

Link: https://docs.microsoft.com/en-us/azure/azure-monitor/app/monitor-web-app-availability
upvoted 2 times

  windy1 2 months, 2 weeks ago


Question asks "ensure that web tests can run unattended" --> Answer B
upvoted 1 times

  hstorm 2 months, 2 weeks ago


I think the important info here is "make sure app can run unattended"
In my opinion that requires the app to have some kind of credential....
This can be done by registering the app in aad "C"
Any thoughts ???
upvoted 1 times

  hstorm 2 months, 2 weeks ago


Think we are all missing a few very important points here...

1. We are admins, not developers (We should not do anything with the app)
2. Developers plan to create an app (It does not yet exist, we should make it possible for them to create it in a way that it can run
unattended)

If we register the app in aad, we will get all the information needed to pass on to the developers...
In my opinion the only possible answer is to register the app
upvoted 3 times

  ipindado2020 1 month, 3 weeks ago


B is correct
upvoted 1 times


Question #9 Topic 12

You are troubleshooting a security issue for an Azure Storage account.


You enable the diagnostic logs for the storage account.
What should you use to retrieve the diagnostics logs?

A. the Security & Compliance admin center

B. Azure Security Center

C. Azure Cosmos DB explorer

D. AzCopy

Correct Answer: D

  M4gnet1k 4 months, 4 weeks ago


Correct answer. Repeated couple times.
https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet#download-storage-logging-log-data
upvoted 7 times

Question #10 Topic 12

You are securing access to the resources in an Azure subscription.


A new company policy states that all the Azure virtual machines in the subscription must use managed disks.
You need to prevent users from creating virtual machines that use unmanaged disks.
What should you do?

A. Azure Monitor

B. Azure Policy

C. Azure Security Center

D. Azure Service Health

Correct Answer: B

  Andy998 5 months, 1 week ago


Given answer is correct. This question was already listed two pages back.
upvoted 3 times

  Saar5 2 months, 1 week ago


Was listed before, B fits
upvoted 3 times


Question #11 Topic 12

You have an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use the automatically generated service principal for the AKS cluster to authenticate to the Azure Container Registry.
What should you create?

A. a secret in Azure Key Vault

B. a role assignment

C. an Azure Active Directory (Azure AD) user

D. an Azure Active Directory (Azure AD) group

Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal

  Sergi0 4 months ago


The answer is correct
upvoted 4 times


Question #12 Topic 12

You have an Azure subscription that contains a user named User1 and an Azure Container Registry named ContReg1.
You enable content trust for ContReg1.
You need to ensure that User1 can create trusted images in ContReg1. The solution must use the principle of least privilege.
Which two roles should you assign to User1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. AcrQuarantineReader

B. Contributor

C. AcrPush

D. AcrImageSigner

E. AcrQuarantineWriter

Correct Answer: CD
References:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles
Manage security operations

  P0d 5 months, 2 weeks ago


Contributor and AcrPush
upvoted 5 times

  temidayo 5 months, 1 week ago


No, you are wrong,

Correct answer is
AcrPush
AcrImageSigner

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust
upvoted 7 times

  gboyega 4 months, 3 weeks ago


Correct, it should be
AcrPush and AcrImageSigner

Because the question states that we should follow the principle of least privilege
upvoted 2 times

  gfhbox0083 5 months ago


C, D, for sure.
upvoted 4 times

  kratos13 5 months ago


## Same as Question7, Topic12 ##

C & D are correct

Here's why ::

"Sign images

The ability to sign images, usually assigned to an automated process, which would use a service principal. This permission is typically
combined with push image to allow pushing a trusted image to a registry. For details, see Content trust in Azure Container Registry."

~ https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles

This allows the user to Sign and Push trusted images, using least privilege.
upvoted 2 times

  jbuenoo 2 months, 2 weeks ago


C and D
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles#sign-images 
upvoted 2 times


Question #13 Topic 12

You are troubleshooting a security issue for an Azure Storage account.


You enable the diagnostic logs for the storage account.
What should you use to retrieve the diagnostics logs?

A. the Security & Compliance admin center

B. SQL query editor in Azure

C. File Explorer in Windows

D. AzCopy

Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

  M4gnet1k 4 months, 4 weeks ago


Given answer is correct!
https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet#download-storage-logging-log-data
upvoted 3 times

  Seagun 1 month ago


why is this question being repeated so much? - 3rd time now in a single page
upvoted 1 times

Question #14 Topic 12

You have an Azure Storage account named storage1 that has a container named container1.
You need to prevent the blobs in container1 from being modified.
What should you do?

A. From container1, change the access level.

B. From container1, add an access policy.

C. From container1, modify the Access Control (IAM) settings.

D. From storage1, enable soft delete for blobs.

Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage?tabs=azure-portal

  romanaa 3 months, 2 weeks ago


so many repetitions
upvoted 8 times

  kiketxu 2 months ago


agree!
upvoted 2 times


Question #15 Topic 12

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to create several security alerts by using Azure Monitor.
You need to prepare the Azure subscription for the alerts.
What should you create first?

A. An Azure Storage account

B. an Azure Log Analytics workspace

C. an Azure event hub

D. an Azure Automation account

Correct Answer: B

  fpspam 4 months ago


I think this is correct. Source: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview
upvoted 4 times

Question #16 Topic 12

Your company has an Azure subscription named Sub1. Sub1 contains an Azure web app named WebApp1 that uses Azure Application Insights.
WebApp1 requires users to authenticate by using OAuth 2.0 client secrets.
Developers at the company plan to create a multi-step web test app that performs synthetic transactions emulating user traffic to Web App1.
You need to ensure that web tests can run unattended.
What should you do first?

A. In Microsoft Visual Studio, modify the .webtest file.

B. Upload the .webtest file to Application Insights.

C. Register the web test app in Azure AD.

D. Add a plug-in to the web test app.

Correct Answer: B

  111ssy 3 months, 1 week ago


Correct answer: B
upvoted 3 times


Question #17 Topic 12

You are troubleshooting a security issue for an Azure Storage account.


You enable the diagnostic logs for the storage account.
What should you use to retrieve the diagnostics logs?

A. the Security & Compliance admin center

B. Azure Security Center

C. Azure Cosmos DB explorer

D. AzCopy

Correct Answer: D

  SIDNEY1 7 months, 2 weeks ago


Correct. https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging
upvoted 3 times

  doublekill 2 months, 1 week ago


This is subliminal ... many repetitions
upvoted 7 times

Question #18 Topic 12

You have a web app named WebApp1.


You create a web application firewall (WAF) policy named WAF1.
You need to protect WebApp1 by using WAF1.
What should you do first?

A. Deploy an Azure Front Door.

B. Add an extension to WebApp1.

C. Deploy Azure Firewall.

Correct Answer: A
References:
https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door

  kristiann21 5 months, 4 weeks ago


Correct answer.

WAF is supported by Application Gateway and FrontDoor both.


upvoted 5 times

  gboyega 4 months, 3 weeks ago


Answer is CORRECT
upvoted 3 times

  Exam_Master_Me 4 months, 1 week ago


Supported service
WAF can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) service from
Microsoft. WAF on Azure CDN is currently under public preview.

https://docs.microsoft.com/nl-nl/azure/web-application-firewall/overview
upvoted 3 times


Question #19 Topic 12

You have an Azure subscription.


You configure the subscription to use a different Azure Active Directory (Azure AD) tenant.
What are two possible effects of the change? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Role assignments at the subscription level are lost.

B. Virtual machine managed identities are lost.

C. Virtual machine disk snapshots are lost.

D. Existing Azure resources are deleted.

Correct Answer: AB
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory

  Exam_Master_Me 4 months, 1 week ago


Review the following list of changes that will occur after you associate or add your subscription, and how you might be affected:

Users that have been assigned roles using RBAC will lose their access
Service Administrator and Co-Administrators will lose access
If you have any key vaults, they'll be inaccessible and you'll have to fix them after association
If you have any managed identities for resources such as Virtual Machines or Logic Apps, you must re-enable or recreate them after the
association
If you have a registered Azure Stack, you'll have to re-register it after association

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
upvoted 7 times

  ipindado2020 1 month, 3 weeks ago


ok for AB
upvoted 1 times

Question #20 Topic 12

You have an Azure subscription that contains virtual machines.


You enable just in time (JIT) VM access to all the virtual machines.
You need to connect to a virtual machine by using Remote Desktop.
What should you do first?

A. From Azure Directory (Azure AD) Privileged Identity Management (PIM), activate the Security administrator user role.

B. From Azure Active Directory (Azure AD) Privileged Identity Management (PIM), activate the Owner role for the virtual machine.

C. From the Azure portal, select the virtual machine, select Connect, and then select Request access.

D. From the Azure portal, select the virtual machine and add the Network Watcher Agent virtual machine extension.

Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/connect-logon

  Exam_Master_Me 4 months, 1 week ago


Correct, https://docs.microsoft.com/nl-nl/azure/security-center/security-center-just-in-time
upvoted 8 times


Question #21 Topic 12

SIMULATION -
You need to configure Azure to allow RDP connections from the Internet to a virtual machine named VM1. The solution must minimize the attack surface of VM1.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


To enable the RDP port in an NSG, follow these steps:
1. Sign in to the Azure portal.
2. In Virtual Machines, select VM1
3. In Settings, select Networking.
4. In Inbound port rules, check whether the port for RDP is set correctly. The following is an example of the configuration:

Priority: 300
Name: Port_3389
Port (Destination): 3389
Protocol: TCP
Source: Any
Destinations: Any
Action: Allow
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-nsg-problem

  rubio83 4 months, 2 weeks ago


Should be enable JIT in security center
upvoted 2 times

  Nou 4 months ago


No, its not JIT, this is from the internet you are not requesting access for one user. So need to configure NSG.
upvoted 2 times

  M4gnet1k 4 months, 2 weeks ago


It's surprising that they call "reduce the attack surface" to put an ANY rule. Lol!
upvoted 3 times

  awssecuritynewbie 1 month, 2 weeks ago


hahaha so true! haha it would be JIT if it says to allow SSH to a VM for 1 hour ... then it be JIT
upvoted 1 times

  Spamuel 4 months ago


I would also say to have the source as Service Tag - Internet, so you only allow RDP connections over internet associated IPs rather than
from ANY.
upvoted 2 times

  planb7000 3 months, 3 weeks ago


Perfect! That will surely get you extra points.
upvoted 2 times

  Nnanna29 3 days, 5 hours ago


Definitely! It limits access to only internet instead of 'Any'
upvoted 1 times

  Mahmud1707 2 weeks, 4 days ago


How about specify the Private IP address of the VM?
upvoted 1 times 
  Nnanna29 3 days, 5 hours ago

Working on the NSG of the VM so you do not need to specify the private IP address of the VM
upvoted 1 times

Question #22 Topic 12

SIMULATION -
You need to add the network interface of a virtual machine named VM1 to an application security group named ASG1.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


1. In the Search resources, services, and docs box at the top of the portal, begin typing the name of a virtual machine, VM1 that has a network
interface that you want to add to, or remove from, an application security group.
2. When the name of your VM appears in the search results, select it.
3. Under SETTINGS, select Networking. Select Configure the application security groups, select the application security groups that you want to
add the network interface to, or unselect the application security groups that you want to remove the network interface from, and then select
Save.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

  111ssy 3 months, 1 week ago


1. In the Search resources, services, and docs box at the top of the portal, begin typing the name of a virtual machine that has a network
interface that you want to add to, or remove from, an application security group. When the name of your VM appears in the search
results, select it.

2. Under SETTINGS, select Networking. Select Application Security Groups then Configure the application security groups, select the
application security groups that you want to add the network interface to, or unselect the application security groups that you want to
remove the network interface from, and then select Save. Only network interfaces that exist in the same virtual network can be added to
the same application security group. The application security group must exist in the same location as the network interface.
upvoted 3 times


Question #23 Topic 12

SIMULATION -
You need to ensure that only devices connected to a 131.107.0.0/16 subnet can access data in the rg1lod10598168 Azure Storage account.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


Step 1:
1. In Azure portal go to the storage account you want to secure. Here: rg1lod10598168
2. Click on the settings menu called Firewalls and virtual networks.
3. To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from
All networks.
4. Click Save to apply your changes.
Step 2:
1. Go to the storage account you want to secure. Here: rg1lod10598168
2. Click on the settings menu called Firewalls and virtual networks.
3. Check that you've selected to allow access from Selected networks.
4. To grant access to a virtual network with a new network rule, under Virtual networks, click Add existing virtual network, select Virtual
networks and Subnets options. Enter the 131.107.0.0/16 subnet and then click Add.
Note: When network rules are configured, only applications requesting data over the specified set of networks can access a storage account.
You can limit access to your storage account to requests originating from specified IP addresses, IP ranges or from a list of subnets in an Azure
Virtual Network (VNet).
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
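The same two steps as an Az PowerShell script, added here as an example and not part of the ExamTopics answer. It assumes placeholder names for the resource group (RG1), the virtual network (VNET1) and the subnet that carries 131.107.0.0/16 (subnet0), an existing Connect-AzAccount session, and the Az.Network and Az.Storage modules; it also checks the precondition the portal hides, that the subnet already has the Microsoft.Storage service endpoint.

```powershell
# Added example, not part of the original answer: apply the Question #23
# storage firewall steps with Az PowerShell and verify the result.
# Placeholders (assumptions): resource group 'RG1', virtual network 'VNET1',
# subnet 'subnet0' (the 131.107.0.0/16 subnet). Requires Az.Network, Az.Storage
# and an existing Connect-AzAccount session.

$ResourceGroupName  = 'RG1'             # assumption
$VnetName           = 'VNET1'           # assumption
$SubnetName         = 'subnet0'         # assumption
$StorageAccountName = 'rg1lod10598168'  # from the question
$ExpectedPrefix     = '131.107.0.0/16'  # from the question

# Resolve the subnet and confirm it really is the 131.107.0.0/16 network.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet
if (@($subnet.AddressPrefix) -notcontains $ExpectedPrefix) {
    throw "Subnet $SubnetName has prefix $($subnet.AddressPrefix), not $ExpectedPrefix"
}

# A virtual network rule only works when the subnet has the Microsoft.Storage
# service endpoint; Add-AzStorageAccountNetworkRule fails without it.
$endpoints = @($subnet.ServiceEndpoints | ForEach-Object { $_.Service })
if ($endpoints -notcontains 'Microsoft.Storage') {
    throw "Enable the Microsoft.Storage service endpoint on $SubnetName first"
}

# Add the allow rule before switching the default to Deny, so the subnet is
# never blocked in between (the portal steps above do it the other way round;
# with DefaultAction still Allow the extra rule has no effect yet).
Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName -VirtualNetworkResourceId $subnet.Id | Out-Null

# 'Selected networks' in the portal is DefaultAction = Deny in the API.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName -DefaultAction Deny | Out-Null

# Verify: Deny by default, exactly one VNet rule, and no IP rules that widen
# the allow list. Bypass defaults to AzureServices (trusted Microsoft services
# can still reach the account); pass -Bypass None above if that is not wanted.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName
[pscustomobject]@{
    DefaultAction = $ruleSet.DefaultAction
    VnetRuleIds   = @($ruleSet.VirtualNetworkRules | ForEach-Object { $_.VirtualNetworkResourceId })
    IpRuleCount   = @($ruleSet.IpRules).Count
    Bypass        = $ruleSet.Bypass
} | Format-List
```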

Question #24 Topic 12

SIMULATION -
You need to ensure that connections from the Internet to VNET1\subnet0 are allowed only over TCP port 7777. The solution must use only
currently deployed resources.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


You need to configure the Network Security Group that is associated with subnet0.
1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET1. Alternatively, browse to Virtual Networks in the left navigation pane.
2. In the properties of VNET1, click on Subnets. This will display the subnets in VNET1 and the Network Security Group associated to each subnet. Note the name of the Network Security Group associated to Subnet0.
3. Type Network Security Groups into the search box and select the Network Security Group associated with Subnet0.
4. In the properties of the Network Security Group, click on Inbound Security Rules.
5. Click the Add button to add a new rule.
6. In the Source field, select Service Tag.
7. In the Source Service Tag field, select Internet.
8. Leave the Source port ranges and Destination field as the default values (* and All).
9. In the Destination port ranges field, enter 7777.
10. Change the Protocol to TCP.
11. Leave the Action option as Allow.
12. Change the Priority to 100.
13. Change the Name from the default Port_8080 to something more descriptive such as Allow_TCP_7777_from_Internet. The name cannot contain spaces.
14. Click the Add button to save the new rule.
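The inbound rule from Question #24 created with Az PowerShell instead of the portal, added here as an example and not part of the ExamTopics answer; it also covers the RDP rule in Question #21 by changing $Port to 3389 and uses the Internet service tag as the source, as the comments on that question suggest, rather than Any. The resource group (RG1) and NSG name (NSG-subnet0) are placeholders; it assumes an existing Connect-AzAccount session and the Az.Network module.

```powershell
# Added example, not part of the original answer: create the inbound rule from
# Question #24 (TCP 7777 from the Internet service tag) with Az PowerShell.
# The same script covers Question #21 by setting $Port to 3389. Placeholders
# (assumptions): resource group 'RG1', NSG 'NSG-subnet0'. Requires Az.Network
# and an existing Connect-AzAccount session.

$ResourceGroupName = 'RG1'          # assumption
$NsgName           = 'NSG-subnet0'  # assumption: the NSG associated with subnet0
$Port              = '7777'         # from the question
$Priority          = 100            # from the answer
$RuleName          = "Allow_TCP_${Port}_from_Internet"  # names cannot contain spaces

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName

# Azure rejects two rules with the same priority, and reusing an existing
# rule name would overwrite that rule; stop rather than guess.
$clash = @($nsg.SecurityRules | Where-Object { $_.Priority -eq $Priority -or $_.Name -eq $RuleName })
if ($clash.Count -gt 0) {
    throw "Existing rule(s) already use this name or priority: $($clash.Name -join ', ')"
}

# Source 'Internet' (service tag) rather than '*': '*' also matches the
# VirtualNetwork and AzureLoadBalancer address spaces, which this rule has
# no reason to admit.
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig `
    -Name                     $RuleName `
    -Description              "Allow TCP $Port from the Internet service tag" `
    -Direction                Inbound `
    -Access                   Allow `
    -Protocol                 Tcp `
    -Priority                 $Priority `
    -SourceAddressPrefix      'Internet' `
    -SourcePortRange          '*' `
    -DestinationAddressPrefix '*' `
    -DestinationPortRange     $Port

# Nothing changes in Azure until the modified NSG is written back.
$nsg = $nsg | Set-AzNetworkSecurityGroup

# Attack-surface check after the change: list every inbound allow rule that is
# reachable from the Internet (service tag or '*') and opens anything other
# than exactly $Port. An 'Any'-source RDP rule like the one in the Question #21
# answer would show up here if it exists on this NSG.
$nsg.SecurityRules |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        ($_.SourceAddressPrefix -contains 'Internet' -or $_.SourceAddressPrefix -contains '*') -and
        -not (@($_.DestinationPortRange).Count -eq 1 -and $_.DestinationPortRange[0] -eq $Port)
    } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```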


Question #25 Topic 12

SIMULATION -
You need to prevent administrators from performing accidental changes to the Homepage app service plan.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


You need to configure a 'lock' for the app service plan. A read-only lock ensures that no one can make changes to the app service plan without
first deleting the lock.
1. In the Azure portal, type App Service Plans in the search box, select App Service Plans from the search results then select Homepage.
Alternatively, browse to App Service Plans in the left navigation pane.
2. In the properties of the app service plan, click on Locks.
3. Click the Add button to add a new lock.
4. Enter a name in the Lock name field. It doesn't matter what name you provide for the exam.
5. For the Lock type, select Read-only.
6. Click OK to save the changes.

Question #26 Topic 12

SIMULATION -
You need to ensure that a user named Danny11597200 can sign in to any SQL database on a Microsoft SQL server named web11597200 by using
SQL Server Management Studio (SSMS) and Azure Active Directory (Azure AD) credentials.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


You need to provision an Azure AD Admin for the SQL Server.
1. In the Azure portal, type SQL Server in the search box, select SQL Server from the search results then select the server named web11597200.
Alternatively, browse to SQL Server in the left navigation pane.
2. In the SQL Server properties page, click on Active Directory Admin.
3. Click the Set Admin button.
4. In the Add Admin window, search for and select Danny11597200.
5. Click the Select button to add Danny11597200.
6. Click the Save button to save the changes.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell


Question #27 Topic 12

SIMULATION -
You need to configure a Microsoft SQL server named Web11597200 only to accept connections from the Subnet0 subnet on the VNET01 virtual
network.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


You need to allow access to Azure services and configure a virtual network rule for the SQL Server.
1. In the Azure portal, type SQL Server in the search box, select SQL Server from the search results then select the server named web11597200.
Alternatively, browse to SQL Server in the left navigation pane.
2. In the properties of the SQL Server, click Firewalls and virtual networks.
3. In the Virtual networks section, click on Add existing. This will open the Create/Update virtual network rule window.
4. Give the rule a name such as Allow_VNET01-Subnet0 (it doesn't matter what name you enter for the exam).
5. In the Virtual network box, select VNET01.
6. In the Subnet name box, select Subnet0.
7. Click the OK button to save the rule.
8. Back in the Firewall / Virtual Networks window, set the Allow access to Azure services option to On.


Question #28 Topic 12

SIMULATION -
You need to configure network connectivity between a virtual network named VNET1 and a virtual network named VNET2. The solution must
ensure that virtual machines connected to VNET1 can communicate with virtual machines connected to VNET2.
To complete this task, sign in to the Azure portal and modify the Azure resources.

Correct Answer: See the explanation below.


You need to configure VNet Peering between the two networks. The question states, "The solution must ensure that virtual machines
connected to VNET1 can communicate with virtual machines connected to VNET2". It doesn't say the VMs on VNET2 should be able to
communicate with VMs on VNET1. Therefore, we need to configure the peering to allow just the one-way communication.
1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET1. Alternatively,
browse to Virtual Networks in the left navigation pane.
2. In the properties of VNET1, click on Peerings.
3. In the Peerings blade, click Add to add a new peering.
4. In the Name of the peering from VNET1 to remote virtual network box, enter a name such as VNET1-VNET2 (this is the name that the peering
will be displayed as in VNET1)
5. In the Virtual Network box, select VNET2.
6. In the Name of the peering from remote virtual network to VNET1 box, enter a name such as VNET2-VNET1 (this is the name that the peering
will be displayed as in VNET2).
There is an option Allow virtual network access from VNET to remote virtual network. This should be left as Enabled.
7. For the option Allow virtual network access from remote network to VNET1, click the slider button to Disabled.
8. Click the OK button to save the changes.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

realname007 2 weeks, 3 days ago


Does anyone know the updated answer for this using the current interface?
upvoted 1 times

Nnanna29 3 days, 4 hours ago


The provided answer is correct as VMs in Vnet 1 can communicate with VMs in Vnet 2 and not bi-directional communication
upvoted 1 times


Question #29 Topic 12

SIMULATION -
You need to deploy an Azure firewall to a virtual network named VNET3.
To complete this task, sign in to the Azure portal and modify the Azure resources.
This task might take several minutes to complete. You can perform other tasks while the task completes.

Correct Answer: See the explanation below.


To add an Azure firewall to a VNET, the VNET must first be configured with a subnet named AzureFirewallSubnet (if it doesn't already exist).
Configure VNET3.
1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET3. Alternatively,
browse to Virtual Networks in the left navigation pane.
2. In the Overview section, note the Location (region) and Resource Group of the virtual network. We'll need these when we add the firewall.
3. Click on Subnets.
4. Click on + Subnet to add a new subnet.
5. Enter AzureFirewallSubnet in the Name box. The subnet must be named AzureFirewallSubnet.
6. Enter an appropriate IP range for the subnet in the Address range box.
7. Click the OK button to create the subnet.
Add the Azure Firewall.
1. In the settings of VNET3 click on Firewall.
2. Click the Click here to add a new firewall link.
3. The Resource group will default to the VNET3 resource group. Leave this default.
4. Enter a name for the firewall in the Name box.
5. In the Region box, select the same region as VNET3.
6. In the Public IP address box, select an available public IP address if one exists, or click Add new to add a new public IP address.
7. Click the Review + create button.
8. Review the settings and click the Create button to create the firewall.
Reference:
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal

vishg 2 weeks, 6 days ago


Also required to add a routing rule.
upvoted 1 times


Question #30 Topic 12

You have an Azure virtual machine named VM1.


From Azure Security Center, you get the following high-severity recommendation: "Install endpoint protection solutions on virtual machine".
You need to resolve the issue causing the high-severity recommendation.
What should you do?

A. Add the Microsoft Antimalware extension to VM1.

B. Install Microsoft System Center Security Management Pack for Endpoint Protection on VM1.

C. Add the Network Watcher Agent for Windows extension to VM1.

D. Onboard VM1 to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection

lalithasms 4 months ago


Correct Answer is B
upvoted 1 times

levo017 3 months ago


Endpoint protection in VM sense means protection against malware. Answer B's option is a download pack for Windows Servers.
upvoted 1 times

levo017 2 months, 1 week ago


Just to be clear, Answer is A.
upvoted 1 times

Nou 4 months ago


I think it is A, https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/iaas-antimalware-windows
upvoted 2 times

peluca 3 months, 2 weeks ago


A is correct
upvoted 4 times

MrMozz 2 months, 4 weeks ago


levo017 - please do your homework before you start confusing everybody here.
Microsoft clearly stated that you need to use the extension.
upvoted 2 times

levo017 2 months, 1 week ago


Maybe my words are not exactly clear, but I AM saying option B is not making sense as it's a service pack download. So Answer is A.
upvoted 1 times

Vinz_ 2 months, 2 weeks ago


I think the provided link is incorrect. Here it is the one I believe is more relevant to the correct answer.
https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware
upvoted 1 times

ipindado2020 1 month, 3 weeks ago


I go for A
upvoted 1 times

skng010 1 week ago


Answer is A,
upvoted 1 times


Question #31 Topic 12

SIMULATION -
You need to ensure that web11597200 is protected from malware by using Microsoft Antimalware for Virtual Machines and is scanned every
Friday at 01:00.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


You need to install and configure the Microsoft Antimalware extension on the virtual machine named web11597200.
1. In the Azure portal, type Virtual Machines in the search box, select Virtual Machines from the search results then select web11597200.
Alternatively, browse to Virtual Machines in the left navigation pane.
2. In the properties of web11597200, click on Extensions.
3. Click the Add button to add an Extension.
4. Scroll down the list of extensions and select Microsoft Antimalware.
5. Click the Create button. This will open the settings pane for the Microsoft Antimalware Extension.
6. In the Scan day field, select Friday.
7. In the Scan time field, enter 60. The scan time is measured in minutes after midnight, so 60 would be 01:00, 120 would be 02:00, etc.
8. Click the OK button to save the configuration and install the extension.
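The same schedule can be expressed as the extension's settings document instead of portal clicks. The helper below is an added example, not code from the exam page or from Microsoft: it encodes a scan day and clock time the way the IaaSAntimalware extension's ScheduledScanSettings expects, and reads a document back so a reviewer can confirm what a deployed setting means. The day-code table, the settings keys and the `az vm extension set` invocation in the comments are assumptions taken from the extension's documented settings schema, not from this page.

```python
import json
from typing import Dict, Optional

# Day-of-week codes accepted by ScheduledScanSettings.day in the IaaSAntimalware
# extension (0 = daily, 1 = Sunday ... 7 = Saturday, 8 = disabled). Assumed from
# the extension's documented schema; the portal only shows a "Scan day" drop-down.
DAY_CODES: Dict[str, int] = {
    "daily": 0, "sunday": 1, "monday": 2, "tuesday": 3, "wednesday": 4,
    "thursday": 5, "friday": 6, "saturday": 7, "disabled": 8,
}
DAY_NAMES = {code: name.capitalize() for name, code in DAY_CODES.items()}


def minutes_after_midnight(hhmm: str) -> int:
    """Convert a 24-hour clock time 'HH:MM' to minutes after midnight, the unit
    the portal's Scan time field and the extension's 'time' setting use
    (01:00 -> 60, 02:00 -> 120)."""
    hours, minutes = hhmm.strip().split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"not a valid 24-hour clock time: {hhmm!r}")
    return h * 60 + m


def clock_time(minutes: int) -> str:
    """Inverse of minutes_after_midnight: 120 -> '02:00'."""
    if not 0 <= minutes < 24 * 60:
        raise ValueError(f"minutes after midnight out of range: {minutes}")
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def antimalware_settings(scan_day: str, scan_time: str, scan_type: str = "Quick",
                         exclusions: Optional[Dict[str, str]] = None) -> dict:
    """Build the public 'settings' document for the Microsoft Antimalware
    (IaaSAntimalware) VM extension: real-time protection on plus a scheduled
    scan. Nested values are strings, as in the schema's own samples."""
    day = scan_day.strip().lower()
    if day not in DAY_CODES:
        raise ValueError(f"unknown scan day: {scan_day!r}")
    if scan_type not in ("Quick", "Full"):
        raise ValueError(f"scanType must be Quick or Full, got {scan_type!r}")
    return {
        "AntimalwareEnabled": True,
        "RealtimeProtectionEnabled": "true",
        "ScheduledScanSettings": {
            "isEnabled": "true",
            "day": str(DAY_CODES[day]),
            "time": str(minutes_after_midnight(scan_time)),
            "scanType": scan_type,
        },
        # Empty exclusion lists mean nothing is skipped; keys follow the schema.
        "Exclusions": exclusions or {"Extensions": "", "Paths": "", "Processes": ""},
    }


def describe_schedule(settings: dict) -> str:
    """Render the scheduled-scan part of a settings document for a human
    reviewer, so day '6' / time '60' reads back as 'Friday at 01:00'."""
    sched = settings["ScheduledScanSettings"]
    if sched.get("isEnabled") != "true":
        return "scheduled scan disabled"
    code = int(sched["day"])
    when = "daily" if code == 0 else f"every {DAY_NAMES[code]}"
    return f"{sched['scanType']} scan {when} at {clock_time(int(sched['time']))}"


if __name__ == "__main__":
    settings = antimalware_settings("Friday", "01:00")
    print(describe_schedule(settings))  # Quick scan every Friday at 01:00
    # CLI equivalent of the portal steps (assumed usage of the real
    # 'az vm extension set' command; the file name is ours, the VM name is the exam's):
    #   az vm extension set --resource-group <rg> --vm-name web11597200 \
    #     --publisher Microsoft.Azure.Security --name IaaSAntimalware \
    #     --settings antimalware-settings.json
    with open("antimalware-settings.json", "w") as fh:
        json.dump(settings, fh, indent=2)
```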

planb7000 3 months, 3 weeks ago


Very good. The default is also 120, at 2:00 am.
You can also increase it by 60 mins, nothing in between.
upvoted 2 times

LiamRT 3 weeks, 6 days ago


You have to select 'Enable' under 'Run a scheduled scan'. The default selection is 'Disable'
upvoted 1 times

Question #32 Topic 12

SIMULATION -
You need to ensure that the events in the NetworkSecurityGroupRuleCounter log of the VNET01-Subnet0-NSG network security group (NSG) are
stored in the logs11597200 Azure Storage account for 30 days.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


You need to configure the diagnostic logging for the NetworkSecurityGroupRuleCounter log.
1. In the Azure portal, type Network Security Groups in the search box, select Network Security Groups from the search results then select
VNET01-Subnet0-NSG. Alternatively, browse to Network Security Groups in the left navigation pane.
2. In the properties of the Network Security Group, click on Diagnostic Settings.
3. Click on the Add diagnostic setting link.
4. Provide a name in the Diagnostic settings name field. It doesn't matter what name you provide for the exam.
5. In the Log section, select NetworkSecurityGroupRuleCounter.
6. In the Destination details section, select Archive to a storage account.
7. In the Storage account field, select the logs11597200 storage account.
8. In the Retention (days) field, enter 30.
9. Click the Save button to save the changes.


Question #33 Topic 12

SIMULATION -
A user named Debbie has the Azure app installed on her mobile device.
You need to ensure that debbie@contoso.com is alerted when a resource lock is deleted.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


You need to configure an alert rule in Azure Monitor.
1. Type Monitor into the search box and select Monitor from the search results.
2. Click on Alerts.
3. Click on +New Alert Rule.
4. In the Scope section, click on the Select resource link.
5. In the Filter by resource type box, type locks and select Management locks (locks) from the filtered results.
6. Select the subscription then click the Done button.
7. In the Condition section, click on the Select condition link.
8. Select the Delete management locks condition then click the Done button.
9. In the Action group section, click on the Select action group link.
10. Click the Create action group button to create a new action group.
11. Give the group a name such as Debbie Mobile App (it doesn't matter what name you enter for the exam) then click the Next: Notifications >
button.
12. In the Notification type box, select the Email/SMS message/Push/Voice option.
13. In the Email/SMS message/Push/Voice window, tick the Azure app Push Notifications checkbox and enter debbie@contoso.com in the
Azure account email field.
14. Click the OK button to close the window.
15. Enter a name such as Debbie Mobile App in the notification name box.
16. Click the Review & Create button then click the Create button to create the action group.
17. Back in the Create alert rule window, in the Alert rule details section, enter a name such as Management lock deletion in the Alert rule name
field.
18. Click the Create alert rule button to create the alert rule.


Question #34 Topic 12

SIMULATION -
You need to configure a weekly backup of an Azure SQL database named Homepage. The backup must be retained for eight weeks.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


You need to configure the backup policy for the Azure SQL database.
1. In the Azure portal, type Azure SQL Database in the search box, select Azure SQL Database from the search results then select Homepage.
Alternatively, browse to Azure SQL Database in the left navigation pane.
2. Select the server hosting the Homepage database and click on Manage backups.
3. Click on Configure policies.
4. Ensure that the Weekly Backups option is ticked.
5. Configure the How long would you like weekly backups to be retained option to 8 weeks.
6. Click Apply to save the changes.

Lexa 3 months ago


Wrong. Azure portal doesn't support backup management in the database's blade. It's available in the "SQL server" blade.
Go to Search -> "Homepage" -> Database overview -> Click on Server name -> Manage Backups -> Choose database "Homepage" ->
Configure retention -> Long-term Retention Configurations set to 8 weeks.
upvoted 7 times

Kampo 2 months, 2 weeks ago


Lexa is correct. "Manage Backup" navigation is under SQL server and not under Database.
upvoted 1 times

Scotimus 1 month, 2 weeks ago


The solution instructions seem correct. Step 2 states "Select the server hosting the Homepage database" as there is a link to the Server in
the Overview blade of the SQL Database.
upvoted 1 times

Johnshoww 1 month, 1 week ago


Did you guys know if simulations are included in the exam?
upvoted 2 times

Question #35 Topic 12

SIMULATION -
You need to ensure that when administrators deploy resources by using an Azure Resource Manager template, the deployment can access secrets
in an Azure key vault named KV11597200.
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


You need to configure an option in the Advanced Access Policy of the key vault.
1. In the Azure portal, type Azure Key Vault in the search box, select Azure Key Vault from the search results then select the key vault named
KV11597200. Alternatively, browse to Azure Key Vault in the left navigation pane.
2. In the properties of the key vault, click on Advanced Access Policies.
3. Tick the checkbox labelled Enable access to Azure Resource Manager for template deployment.
4. Click Save to save the changes.

planb7000 3 months, 3 weeks ago


You will get lost in properties, there's nothing there... August 2020....
Just click access policies in the left pane of the KV.

The box you need to check to enable access of the ARM templates is the 2nd of 3.
upvoted 6 times 


Question #36 Topic 12

SIMULATION -
You need to ensure that connections through an Azure Application Gateway named Homepage-AGW are inspected for malicious requests.
To complete this task, sign in to the Azure portal.
You do not need to wait for the task to complete.

Correct Answer: See the explanation below.


You need to enable the Web Application Firewall on the Application Gateway.
1. In the Azure portal, type Application gateways in the search box, select Application gateways from the search results then select the gateway
named Homepage-AGW. Alternatively, browse to Application Gateways in the left navigation pane.
2. In the properties of the application gateway, click on Web application firewall.
3. For the Tier setting, select WAF V2.
4. In the Firewall status section, click the slider to switch to Enabled.
5. In the Firewall mode section, click the slider to switch to Prevention.
6. Click Save to save the changes.

planb7000 3 months, 3 weeks ago


2. In the properties (SECTION) of the application gateway...
upvoted 4 times

Nnanna29 3 days, 3 hours ago


Regarding the mode, as long as the application gateway tier is WAF, all traffic would be inspected by the gateway whether in Detection or
Prevention mode
upvoted 1 times

Question #37 Topic 12

SIMULATION -
You need to create a web app named Intranet11597200 and enable users to authenticate to the web app by using Azure Active Directory (Azure
AD).
To complete this task, sign in to the Azure portal.

Correct Answer: See the explanation below.


1. In the Azure portal, type App services in the search box and select App services from the search results.
2. Click the Create app service button to create a new app service.
3. In the Resource Group section, click the Create new link to create a new resource group.
4. Give the resource group a name such as Intranet11597200RG and click OK.
5. In the Instance Details section, enter Intranet11597200 in the Name field.
6. In the Runtime stack field, select any runtime stack such as .NET Core 3.1.
7. Click the Review + create button.
8. Click the Create button to create the web app.
9. Click the Go to resource button to open the properties of the new web app.
10. In the Settings section, click on Authentication / Authorization.
11. Click the App Service Authentication slider to set it to On.
12. In the Action to take when request is not authenticated box, select Log in with Azure Active Directory.
13.Click Save to save the changes.


Question #38 Topic 12

SIMULATION -
You need to enable Advanced Data Security for the SQLdb1 Azure SQL database. The solution must ensure that Azure Advanced Threat Protection
(ATP) alerts are sent to User1@contoso.com.
To complete this task, sign in to the Azure portal and modify the Azure resources.

Correct Answer: See the explanation below.


1. In the Azure portal, type SQL in the search box, select SQL databases from the search results then select SQLdb1. Alternatively, browse to
SQL databases in the left navigation pane.
2. In the properties of SQLdb1, scroll down to the Security section and select Advanced data security.
3. Click on the Settings icon.
4. Tick the Enable Advanced Data Security at the database level checkbox.
5. Click Yes at the confirmation prompt.
6. In the Storage account select a storage account if one isn't selected by default.
7. Under Advanced Threat Protection Settings, enter User1@contoso.com in the Send alerts to box.
8. Click the Save button to save the changes.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/advanced-data-security

thomastrain 2 weeks, 3 days ago


This has changed. Now you must go to Azure Sql servers -> click on your server name.
Security -> Security Center. Under Advanced Threat Protection enter email address: User1@contoso.com and click save.
upvoted 2 times


Question #39 Topic 12

SIMULATION -
You need to ensure that User2-11641655 has all the key permissions for KeyVault11641655.
To complete this task, sign in to the Azure portal and modify the Azure resources.

Correct Answer: See the explanation below.


You need to assign the user the Key Vault Secrets Officer role.
1. In the Azure portal, type Key Vaults in the search box, select Key Vaults from the search results then select KeyVault11641655. Alternatively,
browse to Key Vaults in the left navigation pane.
2. In the key vault properties, select Access control (IAM).
3. In the Add a role assignment section, click the Add button.
4. In the Role box, select the Key Vault Secrets Officer role from the drop-down list.
5. In the Select box, start typing User2-11641655 and select User2-11641655 from the search results.
6. Click the Save button to save the changes.

pmr123 4 months, 3 weeks ago


How can Key Vault Secrets Officer manage the permissions?? I think it should be Key vault contributor
upvoted 2 times

planb7000 3 months, 3 weeks ago


The KV Contributor lets you manage key vaults, but not access to them.
upvoted 1 times

Zjorzke 4 months, 1 week ago


Nope, access policy with all key permissions.
upvoted 5 times

Lexa 3 months ago


I agree, this way is clearer than templates.
upvoted 1 times

planb7000 3 months, 3 weeks ago


Key Vault Administrator has more permissions than KV Secrets Officer.

This is getting a little bit confusing


upvoted 1 times

MrMozz 2 months, 4 weeks ago


Key Vault Administrator and Key Vault Certificates Officer are in preview, hence won't apply to the current exam.
so the answer is wrong Key Vault Contributor is the right Role at this time.
upvoted 1 times

paradoxx 2 months, 2 weeks ago


On Azure simulation questions Does it need to open Azure portal with your own account or there is a link to open a Microsoft simulation
lab?
upvoted 1 times

levo017 2 months, 1 week ago


The exam provider is hosting an Azure Stack, and exam provider stuff will help you login to the Azure Stack. So it's like a simulation lab.
upvoted 1 times

levo017 2 months, 1 week ago


staff *
upvoted 1 times


Question #40 Topic 12

You have an Azure web app named WebApp1.


You upload a certificate to WebApp1.
You need to make the certificate accessible to the app code of WebApp1.
What should you do?

A. Add a user-assigned managed identity to WebApp1.

B. Add an app setting to the WebApp1 configuration.

C. Enable system-assigned managed identity for the WebApp1.

D. Configure the TLS/SSL binding for WebApp1.

Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code

gboyega 4 months, 3 weeks ago


The correct answer is D

https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code
upvoted 3 times

planb7000 3 months, 3 weeks ago


I understand why you say this but if you look carefully...this binding is for custom domains specifically. B is the correct answer from my
research.
upvoted 1 times

jimmyjose 1 month, 3 weeks ago


The link you provided is correct, but the answer is 'B'.

Under section "Make the certificate accessible", the Azure CLI command is as follows.
az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings
WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>

The command makes the certificate available to the app code by adding the thumbprint of the certificate. The app setting is
WEBSITE_LOAD_CERTIFICATES, and it is configured
in the command using the parameter 'appsettings'.

Hence, the answer is 'B'.


upvoted 4 times

mrwhite 4 months, 2 weeks ago


Looks to me that B is the answer?

To access a certificate in your app code, add its thumbprint to the WEBSITE_LOAD_CERTIFICATES app setting, by running the following
command in the Cloud Shell:

az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings
WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>
upvoted 8 times

qruekhvblzfbrztbnz 4 months ago


Seems to me B is correct answer.
upvoted 3 times

Spamuel 4 months ago


Agree - definitely B
upvoted 4 times

ipindado2020 1 month, 3 weeks ago


B is correct WEBSITE_LOAD_CERTIFICATES
upvoted 1 times 


Question #41 Topic 12

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: "Unable to invite user
user1@outlook.com Generic authorization exception."
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?

A. From the Roles and administrators blade, assign the Security administrator role to Admin1.

B. From the Organizational relationships blade, add an identity provider.

C. From the Custom domain names blade, add a custom domain.

D. From the Users blade, modify the External collaboration settings.

Correct Answer: D
You need to allow guest invitations in the External collaboration settings.

Teesmd 3 months ago


The provided answer "D" is correct: See the link below
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations
upvoted 7 times

thomastrain 2 weeks, 3 days ago


D is right, but the setting is located in Azure Active Directory -> External Identities -> External collaboration settings.
upvoted 1 times

Question #42 Topic 12

You have an Azure subscription named Subscription1.


You deploy a Linux virtual machine named VM1 to Subscription1.
You need to monitor the metrics and the logs of VM1.
What should you use?

A. the AzurePerformanceDiagnostics extension

B. Azure HDInsight

C. Linux Diagnostic Extension (LAD) 3.0

D. Azure Analysis Services

Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux

M4gnet1k 2 months, 4 weeks ago


Given answer is correct.
upvoted 4 times

ipindado2020 1 month, 3 weeks ago


Agree with C
upvoted 1 times


Question #43 Topic 12

You onboard Azure Sentinel. You connect Azure Sentinel to Azure Security Center.
You need to automate the mitigation of incidents in Azure Sentinel. The solution must minimize administrative effort.
What should you create?

A. an alert rule

B. a playbook

C. a function app

D. a runbook

Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

Teesmd 3 months ago


Provided answer (Playbook) is correct
upvoted 7 times

KitiMan 2 months, 4 weeks ago


Correct answer
upvoted 3 times


Question #44 Topic 12

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.
You need to recommend an integration solution that meets the following requirements:
✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
✑ Minimizes the number of servers required for the solution.
Which authentication method should you include in the recommendation?

A. federated identity with Active Directory Federation Services (AD FS)

B. password hash synchronization with seamless single sign-on (SSO)

C. pass-through authentication with seamless single sign-on (SSO)

Correct Answer: B
Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically
applies to organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. When turned on,
password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.
Incorrect Answers:
A: A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing
federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls
outside the control of Azure AD. It's up to the organization by using the federated system to make sure it's deployed securely and can handle the
authentication load.
C: For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents
must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need
outbound access to the Internet and access to your domain controllers. For this reason, it's not supported to deploy the agents in a perimeter
network.
Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to
authentication requests.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

Gracemade 2 months, 3 weeks ago


PTA is the correct answer
upvoted 2 times

Ace786 2 months, 3 weeks ago


PTA for sure as you need to enforce on prem password policies hence pass through to on prem
upvoted 3 times

JimmyC 2 months, 3 weeks ago


I agree with the previous comments, it should be Pass-Through Authentication. Although password policies should be enforced with the
password hash sync option (Azure will not allow the cloud password to be changed unless it receives an affirmative response from
on-prem), AD account restrictions such as lockout and expiry are not enforced when logging into Azure AD (only fully disabled accounts are
propagated to AAD and enforced, though even then it is only after the next sync cycle).
upvoted 3 times

juselasmc 2 months, 2 weeks ago


C IS CORRECT
upvoted 3 times

ipindado2020 1 month, 3 weeks ago


C is correct
upvoted 1 times

njeske 1 month, 2 weeks ago


Definitely C. The simplest solution that allows for enforcing on-premise password policies and logon restrictions is Pass-Through
Authentication with Seamless SSO. The simplest overall solution is B, but you can't enforce local password policies and logon restrictions
using password hash sync.

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn 


The flow-chart on that page is confusing, and (frankly) sucks. Read through the details of each detailed authentication method. The
Advanced Scenarios (3rd bullet) underneath Pass-Through Authentication spells it out plainly.
upvoted 1 times


Question #45 Topic 12

From Azure Security Center, you enable Azure Container Registry vulnerability scanning of the images in Registry1.
You perform the following actions:
✑ Push a Windows image named Image1 to Registry1.
✑ Push a Linux image named Image2 to Registry1.
✑ Push a Windows image named Image3 to Registry1.
✑ Modify Image1 and push the new image as Image4 to Registry1.
✑ Modify Image2 and push the new image as Image5 to Registry1.
Which two images will be scanned for vulnerabilities? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Image4

B. Image2

C. Image1

D. Image3

E. Image5

Correct Answer: BE
Only Linux images are scanned. Windows images are not scanned.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/azure-container-registry-integration
Manage security operations

futurehendrix 2 months, 4 weeks ago


Provided answer is correct
upvoted 4 times

DeepMoon 1 month, 3 weeks ago


At least once answer B is wrong? Based on this link
https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction.

When you turn on "Azure Defender for container registries" in ACR it scans images pushed/pulled or imported from other registries. It
then rescans the images within the last 30 days.

So any possible answer here is correct: Image 1, 2, & 3 are pushed. But we don't know when they were pushed. So ok may be more than
30 days.
But image 4 & 5 are pushed it seems recently. Yes they are modifications to old images. So what? they still would be considered new
images.
Since they are implying in the question only two images will be scanned, we can safely assume that would be Images 4 & 5.

So answers are A & E


upvoted 1 times

DeepMoon 1 month, 2 weeks ago


Yes. Thank you Reyrain! for the link.
I see the errors of my thinking.
So the answer after all is B & D. Windows Images on ACR cannot be scanned. Strange but true.
upvoted 1 times

  DeepMoon 1 month, 3 weeks ago


I didn't find a single reference to this statement "Only Linux images are scanned. Windows images are not scanned " in this link.
https://docs.microsoft.com/en-us/azure/security-center/azure-container-registry-integration
upvoted 2 times

  Reyrain 1 month, 2 weeks ago


https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-usage#availability
upvoted 2 times

  sebbirb 1 month, 2 weeks ago


https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-usage#availability

Here is the link to the solution


upvoted 2 times


  fmlvaz 3 weeks ago


It is B and E because the link
https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-usage#availability

says that only Supported registries and images: Linux images in ACR registries accessible from the public internet with shell access.

So only Linux ACR image will be scanned.


upvoted 2 times

  Loga 6 days, 10 hours ago


Supported registries and images: Linux images in ACR registries accessible from the public internet with shell access
Unsupported registries and images:
✑ Windows images
✑ 'Private' registries
✑ Registries with access limited with a firewall, service endpoint, or private endpoints such as Azure Private Link
✑ Super-minimalist images such as Docker scratch images, or "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
upvoted 1 times
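The following is an added example for Question #45, not code from ExamTopics or Microsoft. It applies the support rules quoted in the answer and in Loga's comment above (only Linux images, only registries reachable from the public internet, no Windows, scratch or distroless images) to constructed registry and image metadata, and reports which of the five pushes would be scanned. The registry dictionary uses the real ACR ARM property names publicNetworkAccess, networkRuleSet.defaultAction and privateEndpointConnections; each image record carries the "os" value of its image config plus a constructed has_shell flag, because telling a distroless image apart requires a layer inspection that is out of scope here. The Image class, the function names and REGISTRY1/PUSHES are mine.

```python
"""Which images in Registry1 will Azure Defender for container registries scan?

Added example, not code from ExamTopics or Microsoft. It applies the support
rules quoted on this page (only Linux images; only registries reachable from
the public internet; no Windows, scratch or distroless images) to constructed
registry and image metadata. The registry dictionary uses the real ACR ARM
property names publicNetworkAccess, networkRuleSet.defaultAction and
privateEndpointConnections; each image record carries the "os" value of its
image config plus a constructed has_shell flag, because telling a distroless
image apart needs a layer inspection that is out of scope here.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Verdict = Tuple[bool, str]   # (will be scanned, reason)


@dataclass(frozen=True)
class Image:
    name: str
    os: str                 # "linux" or "windows", as in the image config
    has_shell: bool = True  # constructed flag: False for scratch / distroless images


def registry_is_scannable(props: Dict) -> Verdict:
    """The scanner must be able to reach the registry over the public internet."""
    if str(props.get("publicNetworkAccess", "Enabled")).lower() != "enabled":
        return False, "public network access is disabled (private registry)"
    if str(props.get("networkRuleSet", {}).get("defaultAction", "Allow")).lower() == "deny":
        return False, "registry firewall default action is Deny"
    if props.get("privateEndpointConnections"):
        return False, "registry is exposed through private endpoints"
    return True, "registry is reachable from the public internet"


def image_is_scannable(img: Image) -> Verdict:
    """Linux images with a shell are in scope; Windows and minimal images are not."""
    if img.os.lower() != "linux":
        return False, f"{img.os} images are not scanned"
    if not img.has_shell:
        return False, "minimal image without a shell or package manager is not scanned"
    return True, "Linux image with a shell"


def scan_coverage(registry_props: Dict, images: Iterable[Image]) -> Dict[str, Verdict]:
    """Return {image name: verdict} for every image; a blocked registry blocks all images."""
    reg_ok, reg_reason = registry_is_scannable(registry_props)
    return {img.name: (image_is_scannable(img) if reg_ok else (False, reg_reason))
            for img in images}


def scanned_names(coverage: Dict[str, Verdict]) -> List[str]:
    return sorted(name for name, (ok, _) in coverage.items() if ok)


# Constructed data mirroring the question: Image4 is a modified copy of the
# Windows Image1 and Image5 a modified copy of the Linux Image2; modifying an
# image does not change its OS, and every push is a new image evaluated on push.
REGISTRY1 = {"publicNetworkAccess": "Enabled",
             "networkRuleSet": {"defaultAction": "Allow"},
             "privateEndpointConnections": []}
PUSHES = [
    Image("Image1", "windows"),
    Image("Image2", "linux"),
    Image("Image3", "windows"),
    Image("Image4", "windows"),   # modified Image1
    Image("Image5", "linux"),     # modified Image2
]

if __name__ == "__main__":
    for name, (ok, why) in scan_coverage(REGISTRY1, PUSHES).items():
        print(f"{name}: {'scanned' if ok else 'not scanned'} ({why})")
```

Running it lists Image2 and Image5 as scanned and the three Windows images as not scanned. Flip publicNetworkAccess to "Disabled" or the firewall default action to "Deny" and every image drops out of coverage, which is the registry-level condition that the exam question does not mention but that a real deployment usually trips over.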

Question #46 Topic 12

You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You need to configure diagnostic settings for contoso.com. The solution must meet the following requirements:
✑ Retain logs for two years.
✑ Query logs by using the Kusto query language.
✑ Minimize administrative effort.
Where should you store the logs?

A. an Azure event hub

B. an Azure Log Analytics workspace

C. an Azure Storage account

Correct Answer: B
A Log Analytics workspace is the only one of the three destinations that both retains the logs and can be queried directly with the Kusto query language; its data retention can be set to 730 days, so two years is covered with no extra tooling. An event hub only streams the logs to another consumer and stores nothing itself. A storage account retains the logs (with a per-category retention period) but cannot be queried with KQL without first moving the data somewhere else.
Secure data and applications
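The following is an added example for Question #46, not code from ExamTopics or Microsoft. It assembles the two ARM resource bodies the answer implies (a workspace with two-year retention and the tenant diagnostic setting that sends Azure AD logs to it) and checks a setting against the question's requirements, including the two wrong destinations. Property names follow the ARM schema for Microsoft.OperationalInsights/workspaces (properties.retentionInDays) and for the tenant-level microsoft.aadiam/diagnosticSettings resource (properties.workspaceId, storageAccountId, eventHubAuthorizationRuleId, logs[].category); the resource IDs, names, region and the category list are constructed placeholders, and the function names are mine.

```python
"""Azure AD diagnostic settings into a Log Analytics workspace, checked against
the question's requirements (two-year retention, KQL, minimal effort).

Added example, not code from ExamTopics or Microsoft. Property names follow
the ARM schema for Microsoft.OperationalInsights/workspaces
(properties.retentionInDays, at most 730 at the time of this page) and for the
tenant-level microsoft.aadiam/diagnosticSettings resource (properties.workspaceId,
storageAccountId, eventHubAuthorizationRuleId, logs[].category). The resource
IDs, names, region and category list are constructed placeholders.
"""
from typing import Dict, List, Optional, Sequence

TWO_YEARS_DAYS = 730
WORKSPACE_MAX_RETENTION_DAYS = 730          # Log Analytics ceiling at the time of this page
AAD_LOG_CATEGORIES = ("AuditLogs", "SignInLogs")


def workspace_body(name: str, location: str, retention_days: int) -> Dict:
    """ARM body for a Log Analytics workspace with the given data retention."""
    if not 1 <= retention_days <= WORKSPACE_MAX_RETENTION_DAYS:
        raise ValueError(f"retentionInDays must be 1..{WORKSPACE_MAX_RETENTION_DAYS}")
    return {"name": name, "location": location,
            "properties": {"sku": {"name": "PerGB2018"},
                           "retentionInDays": retention_days}}


def aad_diagnostic_setting(name: str, workspace_id: str,
                           categories: Sequence[str] = AAD_LOG_CATEGORIES) -> Dict:
    """ARM body for the tenant diagnostic setting that streams to the workspace.

    logs[].retentionPolicy only takes effect for storage account destinations,
    so it is left disabled here; workspace retention is set on the workspace.
    """
    return {"name": name,
            "properties": {"workspaceId": workspace_id,
                           "logs": [{"category": c, "enabled": True,
                                     "retentionPolicy": {"enabled": False, "days": 0}}
                                    for c in categories]}}


def check_requirements(setting: Dict, workspace: Optional[Dict] = None) -> List[str]:
    """Return the unmet requirements for a setting (an empty list means compliant)."""
    problems: List[str] = []
    props = setting.get("properties", {})
    if not props.get("workspaceId"):
        if props.get("eventHubAuthorizationRuleId"):
            problems.append("event hub only streams to another consumer; nothing is retained or queryable")
        if props.get("storageAccountId"):
            problems.append("storage account retains the logs but cannot be queried with KQL")
        if not problems:
            problems.append("no destination configured")
        return problems
    retention = (workspace or {}).get("properties", {}).get("retentionInDays", 0)
    if retention < TWO_YEARS_DAYS:
        problems.append(f"workspace retentionInDays must be at least {TWO_YEARS_DAYS}")
    if not any(log.get("enabled") for log in props.get("logs", [])):
        problems.append("no log category enabled")
    return problems


# Constructed placeholders for a compliant deployment.
WS_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
         "/providers/Microsoft.OperationalInsights/workspaces/law-contoso")
COMPLIANT_WS = workspace_body("law-contoso", "westeurope", TWO_YEARS_DAYS)
COMPLIANT_SETTING = aad_diagnostic_setting("aad-to-law", WS_ID)

if __name__ == "__main__":
    print(check_requirements(COMPLIANT_SETTING, COMPLIANT_WS) or "all requirements met")
```

The point a practitioner tends to miss is the one encoded in aad_diagnostic_setting: the per-category retentionPolicy in a diagnostic setting governs storage accounts only, so the two-year requirement has to be met by retentionInDays on the workspace itself.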

  jbuenoo 2 months, 2 weeks ago


I agree with answer:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-queries
upvoted 2 times

  awssecuritynewbie 1 month, 2 weeks ago


basically sentinel
upvoted 1 times

  Loga 6 days, 10 hours ago


Agreed. B is the correct ans!
upvoted 1 times


Question #47 Topic 12

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.
You need to recommend an integration solution that meets the following requirements:
✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
✑ Minimizes the number of servers required for the solution.
Which authentication method should you include in the recommendation?

A. federated identity with Active Directory Federation Services (AD FS)

B. password hash synchronization with seamless single sign-on (SSO)

C. pass-through authentication with seamless single sign-on (SSO)

Correct Answer: C
Pass-through authentication (PTA) validates each sign-in password directly against the on-premises domain controllers, so Active Directory password policies and user-level logon restrictions (account disabled, account expired, password expired, account locked out, logon hours) are enforced for synced users at sign-in time. The PTA authentication agents are lightweight services installed on existing domain-joined servers (Microsoft recommends three for high availability), so no dedicated authentication infrastructure is needed, and seamless SSO is enabled from Azure AD Connect without additional servers. The agents need outbound Internet access and direct access to the domain controllers, which is why they are not supported in a perimeter network; all agent traffic is encrypted and limited to authentication requests.
Incorrect Answers:
A: Federation with AD FS also enforces on-premises policies, because authentication happens on the AD FS farm, but it needs the most infrastructure: AD FS servers plus Web Application Proxy servers in the perimeter network, all deployed, secured and scaled by the organization outside the control of Azure AD.
B: Password hash synchronization, the answer originally listed here, requires the least effort regarding deployment, maintenance, and infrastructure; it is part of the Azure AD Connect sync process and runs every two minutes, and it fits organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. However, the user then authenticates in the cloud against the synchronized hash rather than against a domain controller, so on-premises logon hours, account expiry and similar restrictions are not enforced, and account state changes reach Azure AD only with the next sync cycle. It therefore fails the first requirement.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

  DougEdouG241 2 months, 3 weeks ago


C. pass-through authentication with seamless single sign-on (SSO)
upvoted 6 times

  kwesiMoro 2 months, 1 week ago


DougEdouG241 is right. The Answer is C
upvoted 2 times

  njeske 1 month, 2 weeks ago


Definitely C. The simplest solution that allows for enforcing on-premise password policies and logon restrictions is Pass-Through
Authentication with Seamless SSO. The simplest overall solution is B, but you can't enforce local password policies and logon restrictions
using password hash sync.

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

The flow-chart on that page is confusing, and (frankly) sucks. Read through the details of each detailed authentication method. The
Advanced Scenarios (3rd bullet) underneath Pass-Through Authentication spells it out plainly.
upvoted 1 times


Question #48 Topic 12

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.
You need to recommend an integration solution that meets the following requirements:
✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
✑ Minimizes the number of servers required for the solution.
Which authentication method should you include in the recommendation?

A. federated identity with Active Directory Federation Services (AD FS)

B. password hash synchronization with seamless single sign-on (SSO)

C. pass-through authentication with seamless single sign-on (SSO)

Correct Answer: C
Pass-through authentication (PTA) validates each sign-in password directly against the on-premises domain controllers, so Active Directory password policies and user-level logon restrictions (account disabled, account expired, password expired, account locked out, logon hours) are enforced for synced users at sign-in time. The PTA authentication agents are lightweight services installed on existing domain-joined servers (Microsoft recommends three for high availability), so no dedicated authentication infrastructure is needed, and seamless SSO is enabled from Azure AD Connect without additional servers. The agents need outbound Internet access and direct access to the domain controllers, which is why they are not supported in a perimeter network; all agent traffic is encrypted and limited to authentication requests.
Incorrect Answers:
A: Federation with AD FS also enforces on-premises policies, because authentication happens on the AD FS farm, but it needs the most infrastructure: AD FS servers plus Web Application Proxy servers in the perimeter network, all deployed, secured and scaled by the organization outside the control of Azure AD.
B: Password hash synchronization, the answer originally listed here, requires the least effort regarding deployment, maintenance, and infrastructure; it is part of the Azure AD Connect sync process and runs every two minutes, and it fits organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. However, the user then authenticates in the cloud against the synchronized hash rather than against a domain controller, so on-premises logon hours, account expiry and similar restrictions are not enforced, and account state changes reach Azure AD only with the next sync cycle. It therefore fails the first requirement.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
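The following is an added example for Questions #47 and #48, not code from ExamTopics or Microsoft. The check a practitioner wants before settling on password hash synchronization is an inventory of which synced accounts actually carry the on-premises restrictions that only pass-through authentication or AD FS enforce at sign-in, namely logon hours and account expiry. The user records are constructed to look like LDAP query results; the decoding of logonHours assumes the attribute's documented layout (21 bytes, one bit per hour of the week starting Sunday 00:00 UTC, least-significant bit first within each byte), which you should confirm against a known account in your own directory before trusting the report; build_logon_hours, phs_gaps and the sample account names are mine.

```python
"""Inventory of on-premises restrictions that password hash sync does not enforce.

Added example, not code from ExamTopics or Microsoft. It decodes the AD
logonHours and accountExpires attributes of synced users and lists the
accounts whose restrictions are only honoured when sign-in is validated by a
domain controller (pass-through authentication or AD FS). The user records
are constructed; the logonHours layout (21 bytes, one bit per hour of the
week, Sunday 00:00 UTC first, least-significant bit first in each byte) is
the documented format and is an assumption to confirm against a known account.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNT_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # both values mean "never"
UNRESTRICTED_HOURS = b"\xff" * 21                 # every hour bit set


def build_logon_hours(allowed: Dict[int, range]) -> bytes:
    """Constructed helper: {weekday (0=Sun): range(start_hour, end_hour)} -> 21-byte bitmap."""
    raw = bytearray(21)
    for day, hours in allowed.items():
        for hour in hours:
            h = day * 24 + hour
            raw[h // 8] |= 1 << (h % 8)
    return bytes(raw)


def decode_logon_hours(raw: Optional[bytes]) -> Optional[List[List[bool]]]:
    """Bitmap -> allowed[day][hour] in UTC; None when the attribute is absent."""
    if raw is None:
        return None
    if len(raw) != 21:
        raise ValueError("logonHours must be 21 bytes")
    allowed = [[False] * 24 for _ in range(7)]
    for h in range(168):
        if (raw[h // 8] >> (h % 8)) & 1:
            allowed[h // 24][h % 24] = True
    return allowed


def allowed_windows(schedule: List[List[bool]]) -> Dict[str, List[str]]:
    """Compress the per-hour flags into 'HH-HH' UTC ranges per day for reporting."""
    out: Dict[str, List[str]] = {}
    for day, hours in enumerate(schedule):
        ranges, start = [], None
        for h in range(25):                 # the 25th step closes a range ending at 24:00
            on = h < 24 and hours[h]
            if on and start is None:
                start = h
            elif not on and start is not None:
                ranges.append(f"{start:02d}-{h:02d}")
                start = None
        if ranges:
            out[DAYS[day]] = ranges
    return out


def is_hours_restricted(raw: Optional[bytes]) -> bool:
    return raw is not None and raw != UNRESTRICTED_HOURS


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    if ft in ACCOUNT_NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def phs_gaps(users: List[Dict]) -> Dict[str, List[str]]:
    """sAMAccountName -> restrictions that PHS would silently stop enforcing."""
    gaps: Dict[str, List[str]] = {}
    for user in users:
        reasons = []
        if is_hours_restricted(user.get("logonHours")):
            windows = allowed_windows(decode_logon_hours(user["logonHours"]))
            reasons.append("logonHours restriction: " +
                           ", ".join(f"{d} {'/'.join(r)}" for d, r in windows.items()))
        expires = filetime_to_datetime(user.get("accountExpires", 0))
        if expires is not None:
            reasons.append(f"accountExpires {expires:%Y-%m-%d}")
        if reasons:
            gaps[user["sAMAccountName"]] = reasons
    return gaps


# Constructed records shaped like LDAP results for three synced users.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "accountExpires": 0x7FFFFFFFFFFFFFFF},
    {"sAMAccountName": "bob", "logonHours": UNRESTRICTED_HOURS, "accountExpires": 0},
    {"sAMAccountName": "contractor1",
     "logonHours": build_logon_hours({d: range(8, 18) for d in range(1, 6)}),
     "accountExpires": 132540000000000000},   # 2021-01-01 UTC
]

if __name__ == "__main__":
    for account, reasons in phs_gaps(SAMPLE_USERS).items():
        print(account, "->", "; ".join(reasons))
```

If the report comes back empty, the first requirement of the question is moot for your directory and PHS is the lower-infrastructure choice; if it lists accounts, those are exactly the users whose restrictions disappear at sign-in unless authentication is validated by a domain controller through PTA or AD FS.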

  maharjansumit 2 months, 4 weeks ago


Password Hash can only deal with username / password, not for password policies.
Correct answer is C
upvoted 5 times

  M4gnet1k 2 months, 4 weeks ago


Correct answer is C. You use pass through authentication when you want to apply the same policies you have in your on-prem AD.
The given answer would be correct if you do not want to synchronize the local policies.
upvoted 2 times

  Ace786 2 months, 3 weeks ago


PTA... agreed
upvoted 2 times

  Estoxa 2 months, 3 weeks ago


Are you 100% sure that C is correct?
upvoted 3 times

  juselasmc 2 months, 2 weeks ago


C IS CORRECT
upvoted 2 times

  njeske 1 month, 2 weeks ago


Definitely C. The simplest solution that allows for enforcing on-premise password policies and logon restrictions is Pass-Through
Authentication with Seamless SSO. The simplest overall solution is B, but you can't enforce local password policies and logon restrictions
using password hash sync.

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

The flow-chart on that page is confusing, and (frankly) sucks. Read through the details of each detailed authentication method. The
Advanced Scenarios (3rd bullet) underneath Pass-Through Authentication spells it out plainly.


upvoted 2 times
