
Question 1 of 50

You have an Azure AD tenant that uses Azure AD Connect to sync with an Active Directory
Domain Services (AD DS) domain.
You need to ensure that users can reset their AD DS password from the Azure portal. The users
must be able to use two methods to reset their password.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
• Run Azure AD Connect and select Password writeback.
This answer is correct.
• From Password reset in the Azure portal, configure the Authentication methods settings.
This answer is correct.
Correct Answer
• Run Azure AD Connect and select Password writeback.
This answer is correct.
• From Password reset in the Azure portal, configure the Authentication methods settings.
This answer is correct.
You must run the Azure AD Connect Wizard to enable Password writeback. You must configure
the authentication option to enable the two methods required to reset a password.
Enable Azure Active Directory password writeback - Microsoft Entra | Microsoft Learn
Implement Azure AD self-service password reset - Training | Microsoft Learn
Question 2 of 50
You have an Azure subscription.
From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following details:
• Id: 8755b347-3545-3876-3987-999999999999
• DisplayName: Ben Smith
• Mail: bsmith@contoso.com
• UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com
Which statement accurately describes the user?
Your Answer
• The user was deleted.
This answer is incorrect.
Correct Answer
• The user was a guest in the tenant.
This answer is correct.
For guest users, the user principal name (UPN) will contain the email of the guest user
(bsmith_contoso.com) followed by #EXT# followed by the domain name of the tenant
(@fabrikam.com). Regular Azure AD users appear in a format of user@fabrikam.com.
B2B collaboration overview - Azure AD - Microsoft Entra | Microsoft Learn
Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn
Question 3 of 50
You plan to create 100 new users by using the Bulk create users operation in the Azure Active
Directory admin center.
You need to create a CSV file that contains the user information.
Which attributes should you specify in the CSV file for each user?
Your Answer
• displayName, userPrincipalName, passwordProfile, and accountEnabled
This answer is correct.
Correct Answer
• displayName, userPrincipalName, passwordProfile, and accountEnabled
This answer is correct.
When you use the Bulk create users operation, you must specify four things: the display name,
the UPN, the initial password, and whether the account is enabled or disabled. All other fields
are optional.
Bulk create users in the Azure Active Directory portal - Microsoft Entra | Microsoft Learn
Configure user and group accounts - Training | Microsoft Learn
Question 4 of 50
You have an Azure subscription that contains multiple virtual machines.
You need to ensure that a user named User1 can view all the resources in a resource group
named RG1. You must use the principle of least privilege.
Which role should you assign to User1?
Your Answer
• Reader
This answer is correct.
Correct Answer
• Reader
This answer is correct.
The Reader role allows you to view all the resources but does not allow you to make any
changes. The Contributor role allows you to manage all the resources, the Billing Reader role
provides read access only to billing data, and the Tag Contributor role allows you to manage
entity tags without providing access to the entities themselves.
Azure built-in roles - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 5 of 50
You have an Azure subscription that contains several storage accounts.
You need to provide a user with the ability to perform the following tasks:
• Manage containers within the storage accounts.
• View account keys.
The solution must use the principle of least privilege.
Which role should you assign to the user?
Your Answer
• Storage Account Contributor
This answer is correct.
Correct Answer
• Storage Account Contributor
This answer is correct.
Storage Account Contributor allows the management of storage accounts. It provides access to
the account key, which can be used to access data via Shared Key authorization. Storage Blob
Data Contributor grants permissions to read, write, and delete Azure Storage containers and
blobs. Reader allows you to view all resources but does not allow you to make any changes.
Owner grants full access to manage all resources, including the ability to assign roles in Azure
RBAC.
Azure built-in roles - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 6 of 50
You need to configure Azure AD Conditional Access to allow access to a specific IP address
range. The solution must minimize costs.
Which Azure AD edition should you use?
Your Answer
• Azure AD Premium P1
This answer is correct.
Correct Answer
• Azure AD Premium P1
This answer is correct.
Premium P1 allows you to configure Conditional Access based on an IP address range. Premium
P2 allows you to configure Conditional Access based on an IP address range but with a higher
cost.
What is Conditional Access in Azure Active Directory? - Microsoft Entra | Microsoft Learn
Configure Azure Active Directory - Training | Microsoft Learn
Question 7 of 50
You have an Azure subscription that contains an Azure AD tenant. The tenant contains a user
named User1.
You need to assign User1 a role that allows the user to create and manage all types of resources
in the subscription. The solution must prevent User1 from assigning roles to other users.
Which Azure role-based access control (RBAC) role should you assign to User1?
Your Answer
• Contributor
This answer is correct.
Correct Answer
• Contributor
This answer is correct.
Users with the Contributor role can create and manage all types of resources but cannot delegate
new access to other users. Users with the Reader role can view existing Azure resources but
cannot perform any action against them. Users with the API Management Service Contributor
role can only manage API Management services and APIs. Users with the Owner role have
full access to all resources, including the right to delegate access to others.
Azure built-in roles - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 8 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains a
virtual machine that runs daily reports.
You need to ensure that the virtual machine shuts down when resource group costs exceed 75
percent of the allocated budget.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
• From Cost Management + Billing, modify the Budgets settings.
This answer is correct.
• Create an action group of type Runbook, and then select Stop VM as an action.
This answer is correct.
Correct Answer
• From Cost Management + Billing, modify the Budgets settings.
This answer is correct.
• Create an action group of type Runbook, and then select Stop VM as an action.
This answer is correct.
You must go to Cost Management + Billing, and then Budgets to edit the budget associated with
the resource group resources. You must also create a new action group of the Runbook type, and
then choose Stop VM as an action. The cost analysis will not stop the virtual machine from
running and the Scale Up VM action group is not required.
Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft Learn
Configure subscriptions - Training | Microsoft Learn
Question 9 of 50
You have an Azure subscription that contains 150 virtual machines.
You plan to create an Azure Policy definition named Policy1 that has the resource provider mode
set to indexed.
You need to identify the tools used to perform the task.
Which two tools can you use? Each correct answer presents a complete solution.
Your Answer
• Azure Cloud Shell
This answer is correct.
• Azure Command-Line Interface (CLI)
This answer is correct.
Correct Answer
• Azure Cloud Shell
This answer is correct.
• Azure Command-Line Interface (CLI)
This answer is correct.
Based on the resource type, the resource manager mode supported values are set to either all or
indexed. You must use either Azure CLI or Azure Cloud Shell to set this value in a policy
definition. Resource graphs allow you to query resources, not to create policy definitions. The
Azure portal does not allow you to set a specific mode.
Configure Azure Policy - Training | Microsoft Learn
Details of the policy definition structure - Azure Policy | Microsoft Learn
Question 10 of 50
You have an Azure AD tenant and several offices.
You need to assign permissions to the administrator of each office to manage the users in their
respective office.
What should you use to manage the permissions?
Your Answer
• administrative units
This answer is correct.
Correct Answer
• administrative units
This answer is correct.
You can create administrative units and assign the administrators privileges over each unit. You
can have one unit for each office. Azure tags are name-value pairs that are used to organize
resources in the Azure portal. Azure identity management secures access to resources and
protects applications and data at the front gate. Azure Policy is a service that allows you to create
policies that enforce and control the properties of a resource.
Administrative units in Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure user and group accounts - Training | Microsoft Learn
Question 11 of 50
You have an Azure subscription.
You plan to create a storage account named storage1.
You need to ensure that storage1 provides POSIX-compliant access control lists (ACLs).
Which option should you configure when creating storage1?
Your Answer
• hierarchical namespace
This answer is correct.
Correct Answer
• hierarchical namespace
This answer is correct.
To enable POSIX-compliant access control lists (ACLs), the hierarchical namespace must be
used. The remaining options are valid for a storage account, but do not provide the
POSIX-compliant feature.
Azure Data Lake Storage Gen2 Hierarchical Namespace | Microsoft Learn
Configure storage accounts - Training | Microsoft Learn
Question 12 of 50
You need to create an Azure Storage account that meets the following requirements:
• Stores data in a minimum of two availability zones
• Provides high availability
Which type of storage redundancy should you use?
Your Answer
• read-access geo-redundant storage (RA-GRS)
This answer is incorrect.
Correct Answer
• zone-redundant storage (ZRS)
This answer is correct.
Zone-redundant storage (ZRS) replicates a storage account synchronously across three Azure
availability zones in the primary region. For ensuring high availability, Microsoft recommends
using ZRS in the primary region and also replicating to a secondary region.
Data redundancy - Azure Storage | Microsoft Learn
Determine replication strategies - Training | Microsoft Learn
Question 13 of 50
You have an Azure Storage account named corpimages and an on-premises shared folder
named \\server1\images.
You need to migrate all the contents from \\server1\images to corpimages.
Which two commands can you use? Each correct answer presents a complete solution.
Your Answer
• Azcopy copy \\server1\images https://corpimages.blog.core.windows.net/public -recursive
This answer is correct.
• Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container "corpimages"
This answer is correct.
Correct Answer
• Azcopy copy \\server1\images https://corpimages.blog.core.windows.net/public -recursive
This answer is correct.
• Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container "corpimages"
This answer is correct.
The AzCopy command allows you to copy all files to a storage account. You then use
Get-ChildItem with the path parameter, recurse to select everything, and then use the
Set-AzureStorageBlobContent cmdlet.
Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
Set-AzureStorageBlobContent (Azure.Storage) | Microsoft Learn
Configure Azure Storage with tools - Training | Microsoft Learn
Question 14 of 50
You have an Azure Storage account.
You need to copy data to the storage account by using the AzCopy tool.
Which two types of data storage are supported by AzCopy? Each correct answer presents a
complete solution.
Your Answer
• blob
This answer is correct.
• file
This answer is correct.
Correct Answer
• blob
This answer is correct.
• file
This answer is correct.
You can provide authorization credentials by using Azure AD, or by using a shared access
signature (SAS) token. Both storage types, blob and file, are supported in AzCopy.
Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
Configure Azure Storage with tools - Training | Microsoft Learn
Question 15 of 50
You plan to configure object replication between two Azure Storage accounts.
The Blob service of the source storage account has the following settings:
• Hierarchical namespace: Disabled
• Default access tier: Hot
• Blob public access: Enabled
• Blob soft delete: Enabled (7 days)
• Container soft delete: Enabled (7 days)
• Versioning: Disabled
• Change feed: Enabled
• NFS v3: Disabled
• Allow cross-tenant replication: Enabled
Which setting should be modified on the source storage account to support object replication?
Your Answer
• Versioning
This answer is correct.
Correct Answer
• Versioning
This answer is correct.
Versioning must be enabled for both the source and destination accounts. In this scenario,
versioning is currently disabled.
Object replication overview - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 16 of 50
You have two premium block blob Azure Storage accounts named storage1 and storage2.
You need to configure object replication from storage1 to storage2.
Which three features should be enabled before configuring object replication? Each correct
answer presents part of the solution.
Your Answer
• change feed for storage1
This answer is correct.
• blob versioning for storage1
This answer is correct.
• blob versioning for storage2
This answer is correct.
Correct Answer
• change feed for storage1
This answer is correct.
• blob versioning for storage1
This answer is correct.
• blob versioning for storage2
This answer is correct.
Object replication can be used to replicate blobs between storage accounts. Before configuring
object replication, you must enable blob versioning for both storage accounts, and you must
enable the change feed for the source account.
Configure object replication - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 17 of 50
You have an Azure subscription that contains multiple storage accounts.
A storage account named storage1 has a file share that stores marketing videos. Users reported
that 99 percent of the assigned storage is used.
You need to ensure that the file share can support large files and store up to 100 TiB.
Which two PowerShell commands should you run? Each correct answer presents part of the
solution.
Your Answer
• Set-AzStorageAccount -ResourceGroupName RG1 -Name Storage1 -EnableLargeFileShare
This answer is correct.
• Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName Storage1 -Name Share1 -QuotaGiB 102400
This answer is correct.
Correct Answer
• Set-AzStorageAccount -ResourceGroupName RG1 -Name Storage1 -EnableLargeFileShare
This answer is correct.
• Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName Storage1 -Name Share1 -QuotaGiB 102400
This answer is correct.
You must enable the storage account to support large files and update the storage account quota
to 102,400 GB. You do not need to change the type of storage account, and you are updating the
existing share.
Object replication overview - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 18 of 50
You create an Azure Storage account.
You need to create a lifecycle management rule to move blobs to Cool storage if the blobs have
not been used for 30 days.
What should you do first?
Your Answer
• Enable access tracking.
This answer is correct.
Correct Answer
• Enable access tracking.
This answer is correct.
A lifecycle management rule can be used to move or delete blobs automatically. The rule can be
based on the time the blob was last modified or the time the blob was last accessed (read or
write). To perform an action based on the access time, access tracking must be enabled. This can
incur additional storage costs.
Configure a lifecycle management policy - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 19 of 50
You have an Azure Storage account named storage1.
You plan to store long-term backups in storage1. The solution must minimize costs.
Which storage tier should you use for the backups?
Your Answer
• Archive
This answer is correct.
Correct Answer
• Archive
This answer is correct.
Archive is an offline tier that is optimized for storing data that is rarely accessed and has flexible
latency requirements. Data in the Archive tier must be stored for a minimum of 180 days.
Hot, cool, and archive access tiers for blob data - Azure Storage | Microsoft Learn
Assign blob access tiers - Training | Microsoft Learn
Question 20 of 50
You plan to use the following two Azure Resource Manager (ARM) templates to provision
virtual machines:
Template.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "type": "string",
      "metadata": {
        "description": "User name for the Virtual Machine."
      }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": {
        "description": "Password for the Virtual Machine."
      }
    },
    "dnsLabelPrefix": {
      "type": "string",
      "defaultValue": "[concat('vm-', uniqueString(resourceGroup().id))]",
      "metadata": {
        "description": "Unique DNS Name for the Public IP used to access the Virtual Machine."
      }
    },
    ...
      "apiVersion": "2019-12-01",
      "type": "Microsoft.Compute/virtualMachines",
      "name": "[variables('vmName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[variables('storageAccountName')]",
        "[variables('nicName')]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "osProfile": {
          "computerName": "[variables('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        ...
Template.parameters.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "value": ""
    },
    "adminPassword": {
      ...
}
Which two resources should you provision to ensure that the password can be stored securely?
Your Answer
• Azure Key Vault
This answer is correct.
• Access Policy
This answer is correct.
Correct Answer
• Azure Key Vault
This answer is correct.
• Access Policy
This answer is correct.
You must create a new key vault, create the password from there, and then specify the
parameters. You must also create a Key Vault access policy to use in the template.
ARM template documentation | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Question 21 of 50
You have an Azure Resource Manager (ARM) template named deploy.json that is stored in an
Azure Blob storage container.
You plan to deploy the template by running the New-AzDeployment cmdlet.
Which parameter should you use to reference the template?
Your Answer
• -TemplateUri
This answer is correct.
Correct Answer
• -TemplateUri
This answer is correct.
The PowerShell deployment cmdlets can be used to deploy JSON templates that are stored
locally, in a resource group as a template spec, or in a web-based location. You can use the
-TemplateUri parameter to specify a web-based location, such as GitHub or an Azure Blob
Storage account. You can use -TemplateFile to specify a local file. You can use
-TemplateSpecId to specify a template that was saved to Azure as a template spec.
Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
Question 22 of 50
You plan to deploy an Azure virtual machine based on a basic template stored in the Azure
Resource Manager (ARM) library.
What can you configure during the deployment of the template?
Your Answer
• the resource group
This answer is correct.
Correct Answer
• the resource group
This answer is correct.
When you deploy a resource by using a template, you can specify the resource group for the
deployment. The resource group is a container for Azure resources and makes it easier to manage
the resources.
Deploy template - Azure portal - Azure Resource Manager | Microsoft Learn
New-AzResourceGroupDeployment (Az.Resources) | Microsoft Learn
Configure resources with Azure Resource Manager templates - Training | Microsoft Learn
Question 23 of 50
Your company has a set of resources deployed to an Azure subscription. The resources are
deployed to a resource group named app-grp1 by using Azure Resource Manager (ARM)
templates.
You need to verify the date and the time that the resources in app-grp1 were created.
Which blade should you review for app-grp1 in the Azure portal?
Your Answer
• Deployments
This answer is correct.
Correct Answer
• Deployments
This answer is correct.
Navigating to the Diagnostics settings blade provides the ability to diagnose errors or review
warnings. Navigating to the Metrics blade provides metrics information (CPU, resources) to
users. On the Deployments blade for the resource group (app-grp1), all the details related to a
deployment, such as the name, status, date last modified, and duration, are visible. Navigating to
the Policy blade only provides information related to the policies enforced on the resource group.
Azure AD deployment checklist - Microsoft Entra | Microsoft Learn
Configure Azure resources with tools - Training | Microsoft Learn
Question 24 of 50
You have an Azure virtual network that contains two subnets named Subnet1 and Subnet2. You
have a virtual machine named VM1 that is connected to Subnet1. VM1 runs Windows Server.
You need to ensure that VM1 is connected directly to both subnets.
What should you do first?
Your Answer
• From the Azure portal, add a network interface.
This answer is correct.
Correct Answer
• From the Azure portal, add a network interface.
This answer is correct.
A network interface is used to connect a virtual machine to a subnet. Since VM1 is connected to
Subnet1, VM1 already has a network interface attached that is connected to Subnet1. To connect
VM1 directly to Subnet2, you must create a new network interface that is connected to Subnet2.
Next, you must attach the new network interface to VM1.
An IP group is a user-defined collection of static IP addresses, ranges, and subnets. A network
bridge allows you to connect multiple existing network connections in Windows together.
Changing the IP configurations of the existing network interface results in VM1 being connected
to Subnet2 but not to Subnet1.
Virtual networks and virtual machines in Azure | Microsoft Learn
Configure virtual networks - Training | Microsoft Learn
Question 25 of 50
You are deploying a virtual machine by using an availability set in the East US Azure region.
You have deployed 18 virtual machines in two fault domains and 10 update domains.
Microsoft performed planned physical hardware maintenance in the East US region.
What is the maximum number of virtual machines that will be unavailable?
Your Answer
 2
This answer is correct.
Correct Answer
 2
This answer is correct.
18 virtual machines are shared across 10 update domains. The first 10 virtual machines go to 10
update domains, so eight update domains will have two virtual machines. When there is physical
hardware maintenance, some virtual machines will be unavailable based on their configuration.
If there was a rack failure, then 18 virtual machines will be distributed to two fault domains with
nine virtual machines each.
Availability sets overview - Azure Virtual Machines | Microsoft Learn
Configure virtual machine availability - Training | Microsoft Learn
Question 26 of 50
Your development team plans to deploy an Azure container instance. The container needs a
persistent storage layer.
Which service should you use?
Your Answer
• Azure Files
This answer is correct.
Correct Answer
• Azure Files
This answer is correct.
You can persist data for Azure Container Instances with the use of Azure Files. Azure Files
offers fully managed file shares hosted in Azure Storage that are accessible via the industry
standard Server Message Block (SMB) protocol.
Mount Azure Files volume to container group - Azure Container Instances | Microsoft Learn
Explore Azure Storage services - Training | Microsoft Learn
Question 27 of 50
You have an Azure subscription that contains a Docker container named container1.
You create a new Azure web app named WebApp1.
You need to ensure that you can use container1 for WebApp1.
Which WebApp1 setting should you configure?
Your Answer
• Publish
This answer is correct.
Correct Answer
• Publish
This answer is correct.
If you want to run a Docker container as an Azure web service, you must configure the Publish
option and select Docker container.
Runtime stack specifies the stack that you want to use for the web app. If you want to deploy a
Docker container as web app, the runtime stack option is unavailable.
Pricing plan specifies the location, features, and costs of the web app.
Continuous deployment is a strategy for software releases. This option is unavailable when you
publish a Docker container as an Azure web app.
Overview - Azure App Service | Microsoft Learn
Configure Azure Container Instances - Training | Microsoft Learn
Question 28 of 50
You have an Azure subscription that contains an Azure container app named cont1.
You plan to add scaling rules to cont1.
You need to ensure that cont1 replicas are created based on received messages in Azure Service
Bus.
Which scale trigger should you use?
Your Answer
• event-driven
This answer is correct.
Correct Answer
• event-driven
This answer is correct.
Azure Container Apps allows a set of triggers to create new instances, called replicas. For Azure
Service Bus, an event-driven trigger can be used to run the escalation method. The remaining
scale triggers cannot use a scale rule based on messages in an Azure service bus.
Scaling in Azure Container Apps | Microsoft Learn
Configure Azure Container Instances - Training | Microsoft Learn
Question 29 of 50
You need to create an Azure App Service web app that runs on Windows. The web app requires
scaling to five instances, 45 GB of storage, and a custom domain name. The solution must
minimize costs.
Which App Service plan should you use?
Your Answer
• Standard
This answer is correct.
Correct Answer
• Standard
This answer is correct.
The Standard service plan can host unlimited web apps, up to 50 GB of disk space, and up to 10
instances. The plan will cost approximately $0.10/hour. The Free plan only offers 1 GB of disk
size and 0 instances to host the app. The Premium plan offers 250 GB of disk space and up to 30
instances and will cost approximately $0.20/hour. The Basic plan offers 10 GB of disk space and
up to three virtual machines.
App Service Pricing | Microsoft Azure
Configure Azure App Service plans - Training | Microsoft Learn
Question 30 of 50
You have an Azure subscription.
You plan to deploy a web app to a Linux-based Docker container.
You need to recommend a solution for the deployment of the web app that meets the following
requirements:
• Supports a custom domain name
• Provides the ability to scale out automatically based on demand.
• Minimizes administrative effort
• Minimizes costs
Which solution should you recommend?
Your Answer
• Azure App Service
This answer is correct.
Correct Answer
• Azure App Service
This answer is correct.
Azure App Service fulfills all the stated requirements. Azure Virtual Machine Scale Sets, Azure
Kubernetes Service (AKS), and Azure Container Instances are more difficult to administer and
more costly.
Overview - Azure App Service | Microsoft Learn
Configure Azure App Service plans - Training | Microsoft Learn
Question 31 of 50
You have an Azure virtual network named VNet1.
You deploy an Azure App Service web app named WebApp1.
You need to ensure that you can access WebApp1 by using an IP address from VNet1.
What should you do?
Your Answer
• Add a private endpoint connection to WebApp1.
This answer is correct.
Correct Answer
• Add a private endpoint connection to WebApp1.
This answer is correct.
A private endpoint connection will expose a web app on a virtual network and provide the web
app with an IP address on the virtual network. The web app can then be accessed through the
virtual network instead of using the public endpoint.
VNet integration provides web app outbound access to a virtual network. Azure Bastion provides
administrative RDP/SSH access to virtual machines through the Azure portal. Peering provides
connections between virtual networks.
Connect privately to an Azure Web App using Private Endpoint | Microsoft Learn
Host a web application with Azure App Service - Training | Microsoft Learn
Question 32 of 50
You have an Azure subscription that contains an Azure DNS zone named contoso.com.
You add a new subdomain named test.contoso.com.
You plan to delegate test.contoso.com to a different DNS server.
How should you configure the domain delegation?
Your Answer
• Add an NS record set named test to the contoso.com zone.
This answer is correct.
Correct Answer
• Add an NS record set named test to the contoso.com zone.
This answer is correct.
You must create a DNS NS record set named test in the contoso.com zone. An NS zone must be
created at the apex of the zone named contoso.com. You do not need to create the SOA record
set in test.contoso.com. It must only be created in contoso.com. You do not need to create or
modify the DNS A record.
Delegate a subdomain - Azure DNS | Microsoft Learn
Host your domain on Azure DNS - Training | Microsoft Learn
Question 33 of 50
You have an Azure subscription that contains the following virtual networks:
• VNet1 has an IP address range of 192.168.0.0/24.
• VNet2 has an IP address range of 10.10.0.0/24.
• VNet3 has an IP address range of 192.168.0.0/16.
You need to configure virtual network peering.
Which two peerings can you create? Each correct answer presents a complete solution.
Your Answer
• VNet1 can be peered with VNet2.
This answer is correct.
• VNet2 can be peered with VNet3.
This answer is correct.
Correct Answer
• VNet1 can be peered with VNet2.
This answer is correct.
• VNet2 can be peered with VNet3.
This answer is correct.
VNet1 and VNet2 have non-overlapping IP addresses. For virtual network peering, both virtual
networks must have non-overlapping IP addresses.
Azure Virtual Network peering | Microsoft Learn
Configure virtual network peering - Training | Microsoft Learn
Question 34 of 50
You have two Azure subscriptions named Sub1 and Sub2.
Sub1 contains a virtual network named VNet1 and a VPN gateway. Sub2 contains a virtual
network named VNet2.
You have an on-premises device named Device1 that runs Windows and has a Point-to-Site
(P2S) VPN client installed.
You configure network peering between VNet1 and VNet2.
You need to ensure that Device1 can access VNet2 when a VPN connection is established.
What should you do?
Your Answer
 Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Correct Answer
 Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Point-to-Site (P2S) VPN clients must be downloaded and reinstalled after virtual network
peering is successfully configured to ensure that the new routes are downloaded to the client.
A private endpoint and Azure Front Door are neither required nor used to access VNet2
from VNet1.
Device1 already has a digital certificate when you install the P2S VPN client, so you do not need
to create a new certificate manually.
Create, change, or delete an Azure virtual network peering | Microsoft Learn
Configure virtual network peering - Training | Microsoft Learn
Question 35 of 50
You have an Azure virtual network that contains four subnets. Each subnet contains 10 virtual
machines.
You plan to configure a network security group (NSG) that will allow inbound traffic over TCP
port 8080 to two virtual machines on each subnet. The NSG will be associated to each subnet.
You need to recommend a solution to configure the inbound access by using the fewest number
of NSG rules possible.
What should you use as the destination in the NSG?
Your Answer
 a service tag
This answer is incorrect.
Correct Answer
 an application security group
This answer is correct.
Application security groups allow you to group together the network interfaces from multiple
virtual machines, and then use the group as the source or destination in an NSG rule. The
network interfaces must be in the same virtual network.
You can use the IP address of each virtual machine as the destination, but you must create a rule
for each virtual machine.
Using the subnets will require four rules and will also allow traffic to all the virtual machines on
those subnets.
Service tags are for specific Azure services, such as Azure App Service or Azure Backup.
Azure application security groups overview | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 36 of 50
You are planning the deployment of a custom ASP.NET application that will run on Internet
Information Server (IIS). The application will be hosted on four Azure virtual machines. The
virtual machines will belong to the same virtual network and subnet and have a private IP
address. The application will use a Microsoft SQL Server database to store content.
You need to configure load balancing for the application. The solution must ensure that the
application is safe from any attacks, such as SQL injection or cross-site scripting (XSS) attacks.
What should you configure?
Your Answer
 an Azure application gateway
This answer is correct.
Correct Answer
 an Azure application gateway
This answer is correct.
Application gateway allows you to configure load-balanced virtual machines on a private IP
address and provide a web app firewall to block any SQL injection, header, and cross-site
scripting XSS attacks. An internal load balancer cannot provide load balancing on a public front.
A network security group (NSG) is only used to open ports on virtual machines. A public load
balancer does not provide web app firewall capabilities to block attacks.
Load-balancing options - Azure Architecture Center | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 37 of 50
You have an Azure subscription that contains an ASP.NET application. The application is hosted
on four Azure virtual machines that run Windows Server 2022.
You have a load balancer named LB1 that load balances requests to the virtual machines.
You need to ensure that site users connect to the same web server for all requests made to the
application.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
 Set Session persistence to Client IP.
This answer is correct.
 Set Session persistence to Protocol.
This answer is correct.
Correct Answer
 Set Session persistence to Client IP.
This answer is correct.
 Set Session persistence to Protocol.
This answer is correct.
By setting Session persistence to Client IP and Protocol, you ensure that site users connect to the
same web server for all requests made to the application. Setting Session persistence to None
disables sticky sessions and an inbound NAT rule is used to forward traffic from a load balancer
frontend to a backend pool.
Azure Load Balancer distribution modes | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 38 of 50
You deploy web servers to two virtual machines named VM1 and VM2 in an availability set
named AVSet1.
You need to configure Azure Load Balancer with a backend system of VM1 and VM2. The
solution must minimize costs.
Which SKU should you use for the Azure Load Balancer configuration?
Your Answer
 Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Correct Answer
 Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Basic Azure Load Balancer supports deployment in a single availability zone. Basic Azure Load
Balancer supports only Basic SKU public IP. Azure Standard Load Balancer is zone-redundant,
but has a higher cost.
Azure Load Balancer SKUs | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 39 of 50
You migrate a web app from on-premises to Azure. The web app was configured by using load
balancing in Azure.
Users experience issues when accessing the web app. You suspect an issue with the web server
and must check whether the server is listening on port 80.
Which command should you run?
Your Answer
 netstat -an
This answer is correct.
Correct Answer
 netstat -an
This answer is correct.
Using netstat -an will list the ports that the server is listening on. Test-NetConnection will
perform a ping/ICMP test. Nbtstat -c checks the NBT cache. Get-AzVirtualNetwork gets the
virtual networks in a resource group.
Troubleshoot Azure Load Balancer | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 40 of 50
You have an Azure subscription that contains multiple virtual machines and a public load
balancer named PLB1. PLB1 is configured to balance ports 80 and 443 on the virtual machines.
A virtual machine named VM1 will be used to connect to all other virtual machines by using
RDP.
You need to forward all RDP requests to VM1 only.
What should you do?
Your Answer
 Configure an inbound NAT rule.
This answer is correct.
Correct Answer
 Configure an inbound NAT rule.
This answer is correct.
Configuring an inbound NAT rule allows you to connect to virtual machines on an Azure virtual
network by using the Azure Load Balancer IP address and port number.
Configure VPN NAT rules for your gateway - Azure Virtual WAN | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 41 of 50
You have an Azure subscription that contains the following resources:
 Eight virtual networks
 24 virtual machines
 16 storage accounts
You need to implement a monitoring solution that provides the ability to view diagnostics and
telemetry data generated by Azure resources.
What should you include in the solution?
Your Answer
 a Log Analytics workspace
This answer is correct.
Correct Answer
 a Log Analytics workspace
This answer is correct.
A Log Analytics workspace is a unique environment for log data from Azure Monitor and other
Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace
has its own data repository and configuration and can combine data from multiple services.
Log Analytics workspace overview - Azure Monitor | Microsoft Learn
Determine Log Analytics uses - Training | Microsoft Learn
Question 42 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains two
virtual machines named VM1 and VM2.
You need to inspect all the network traffic from VM1 to VM2. The solution must use Azure
Monitor metrics.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
 Use packet capture.
This answer is correct.
 Install AzureNetworkWatcherExtension.
This answer is correct.
Correct Answer
 Use packet capture.
This answer is correct.
 Install AzureNetworkWatcherExtension.
This answer is correct.
Azure Network Watcher variable packet capture allows you to create packet capture sessions to
track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies
both reactively and proactively.
Tutorial: Monitor network communication between two virtual machines using the Azure portal |
Microsoft Learn
Introduction to Packet capture in Azure Network Watcher | Microsoft Learn
Configure Network Watcher - Training | Microsoft Learn
Question 43 of 50
You have an Azure subscription that contains virtual machines, virtual networks, application
gateways, and load balancers.
You need to monitor the network health of the resources.
Which Azure service should you use?
Your Answer
 Azure Network Watcher
This answer is correct.
Correct Answer
 Azure Network Watcher
This answer is correct.
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable
logs for resources on an Azure virtual network. Azure Resource Manager is the deployment and
management service for Azure. Network security groups (NSGs) are used only for security, not
monitoring. Azure Monitor is used for the HTTP Data Collector API to send log data to Log
Analytics.
Azure Network Watcher | Microsoft Learn
Configure Network Watcher - Training | Microsoft Learn
Question 44 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 has a virtual
network named VNet3, a virtual machine named VM1, and a public IP address named PubIP1.
All the resources are in the West US Azure region.
You plan to create and configure a network security group (NSG) named NSG1 for the following
types of traffic:
 Remote Desktop Management
 HTTP
NSG1 will be used on the subnets of multiple virtual networks.
Which two cmdlets should you run? Each correct answer presents part of the solution.
Your Answer
 New-AzNetworkSecurityRuleConfig
This answer is correct.
 New-AzNetworkSecurityGroup
This answer is correct.
Correct Answer
 New-AzNetworkSecurityRuleConfig
This answer is correct.
 New-AzNetworkSecurityGroup
This answer is correct.
New-AzNetworkSecurityRuleConfig allows you to create a rule and provide the type, protocol,
direction, and port number. New-AzNetworkSecurityGroup creates a network security group
(NSG). -SecurityRules specifies a list of network security rule objects to create in an NSG.
New-AzNetworkSecurityRuleConfig (Az.Network) | Microsoft Learn
New-AzNetworkSecurityGroup (Az.Network) | Microsoft Learn
Azure network security groups overview | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 45 of 50
You have a Log Analytics workspace that collects data from various data sources.
You create a new Azure Monitor log query.
You plan to view data pinned as a chart to a shared dashboard.
What is the maximum number of days for which data can be pinned as a chart on the dashboard?
Your Answer
 14
This answer is correct.
Correct Answer
 14
This answer is correct.
Data pinned on a shared dashboard can only be displayed for a maximum of 14 days.
Azure Monitor workbook chart visualizations - Azure Monitor | Microsoft Learn
Configure Azure Monitor - Training | Microsoft Learn
Question 46 of 50
You need to create Azure alerts based on metric values and activity log events.
The solution must meet the following requirements:
 Set a limit on how many times an alert notification is sent.
 Call an Azure function when an alert is triggered.
 Configure the alert to have a severity of warning when triggered.
Which two resources should you create? Each correct answer presents part of the solution.
Your Answer
 an action group
This answer is correct.
 an alert rule
This answer is correct.
Correct Answer
 an action group
This answer is correct.
 an alert rule
This answer is correct.
You must create an action group to set up an action and create an alert rule to set the severity of
the errors. A notification is only used to send email and you do not need to call a webhook.
Manage action groups in the Azure portal - Azure Monitor | Microsoft Learn
Configure Azure alerts - Training | Microsoft Learn
Question 47 of 50
You have an Azure subscription that contains two protected virtual machines named VM1 and
VM2. VM1 and VM2 are backed up to a Recovery Services vault named Vault1 by using the
same backup policy.
Your company plans to create additional virtual machines and Recovery Services vaults. During
this process, Vault1 will be decommissioned.
You need to delete Vault1.
Which three actions should you perform before you can delete Vault1? Each correct answer
presents part of the solution.
Your Answer
 Stop the backup of VM1 and VM2.
This answer is correct.
 Disable the soft delete feature and delete all data.
This answer is correct.
 Permanently remove any items in the soft delete state.
This answer is correct.
Correct Answer
 Stop the backup of VM1 and VM2.
This answer is correct.
 Disable the soft delete feature and delete all data.
This answer is correct.
 Permanently remove any items in the soft delete state.
This answer is correct.
You must stop the backups so that you can prepare to move to the new policy. The soft delete
feature is enabled by default, so it must be disabled. You must remove all the items that are in
the soft delete state. Deleting the virtual machines is not required. You cannot delete the policy
without deleting the vault and backup, and a new policy is not required.
Overview of Recovery Services vaults - Azure Backup | Microsoft Learn
Delete a Microsoft Azure Recovery Services vault - Azure Backup | Microsoft Learn
Configure virtual machine backups - Training | Microsoft Learn
Question 48 of 50
You have an Azure virtual machine named Server1 that runs Windows Server.
You need to configure Azure Backup to back up files and folders.
What should you install on Server1?
Your Answer
 the Microsoft Azure Recovery Services (MARS) agent
This answer is correct.
Correct Answer
 the Microsoft Azure Recovery Services (MARS) agent
This answer is correct.
The Microsoft Azure Recovery Services (MARS) agent must be installed on the servers. The
MARS agent is mandatory to perform backup and recovery services for any servers.
Manage the Azure recovery services agent - Training | Microsoft Learn
Question 49 of 50
You have an Azure virtual machine that you back up by using Azure Backup.
The backup policy sub type is Standard, and the backup policy has the following configurations:
 Backup schedule frequency: Weekly
 Retain instant recovery snapshot(s) for: 5 days
 Retention of weekly backup point: On Sunday at 8:00 AM for 12 weeks
You plan to reduce the amount of storage used by Instant Restore.
You need instant recovery snapshots to be retained for only two days.
What should you do first?
Your Answer
 Change the backup schedule frequency to Daily.
This answer is correct.
Correct Answer
 Change the backup schedule frequency to Daily.
This answer is correct.
You can choose to store between one and five instant recovery snapshots and the default value is
two. However, when the backup schedule frequency is weekly, you must retain five instant
recovery snapshots.
Azure Instant Restore Capability - Azure Backup | Microsoft Learn
Configure file and folder backups - Training | Microsoft Learn
Question 50 of 50
You plan to create an alert in Azure Monitor that will have an action group to send SMS
messages.
What is the maximum number of SMS messages that will be sent every hour if the alert gets
triggered every minute?
Your Answer
 12
This answer is correct.
Correct Answer
 12
This answer is correct.
A maximum of one SMS message can be sent every five minutes. Therefore, a maximum of 12
messages will be sent per hour.
Rate limiting for SMS, emails, push notifications - Azure Monitor | Microsoft Learn
Configure Azure alerts - Training | Microsoft Learn
