You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com
Solution: You instruct User2 to create the user accounts. Does that meet the goal?
Yes
No

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com
Solution: You instruct User4 to create the user accounts. Does that meet the goal?
Yes
No

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com
Solution: You instruct User3 to create the user accounts. Does that meet the goal?
Yes
No

You have an Azure subscription named Subscription1 that contains a resource group named RG1. In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area
NOTE: Each correct selection is worth one point
Contributor on LB1 / Contributor on LB2
Network Contributor on LB1 / Network Contributor on LB2
Network Contributor on RG1 / Network Contributor on RG1
Owner on LB1 / Owner on LB2

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com. You need to ensure that access to AKS1 can be granted to the contoso.com users
What should you do first?
From contoso.com, modify the Organization relationships settings
From contoso.com, create an OAuth 2.0 authorization endpoint
Recreate AKS1
From AKS1, create a namespace

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days
Which two groups should you create? Each correct answer presents a complete solution
NOTE: Each correct selection is worth one point
a Microsoft 365 group that uses the Assigned membership type
a Security group that uses the Assigned membership type
a Microsoft 365 group that uses the Dynamic User membership type
a Security group that uses the Dynamic User membership type
a Security group that uses the Dynamic Device membership type

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:
User3 is the owner of Group1. Group2 is a member of Group1
You configure an access review named Review1 as shown in the following exhibit:
For each of the following statements, select Yes if the statement is true. Otherwise, select No
NOTE: Each correct selection is worth one point
User3 can perform an access review of User1
User3 can perform an access review of UserA
User3 can perform an access review of UserB

You have the Azure management groups shown in the following table:
You add Azure subscriptions to the management groups as shown in the following table:
You create the Azure policies shown in the following table:
For each of the following statements, select Yes if the statement is true. Otherwise, select No
NOTE: Each correct selection is worth one point
You can create a virtual network in Subscription1
You can create a virtual machine in Subscription2
You can add Subscription1 to ManagementGroup11

You have an Azure policy as shown in the following exhibit:
What is the effect of the policy?
You are prevented from creating Azure SQL servers anywhere in Subscription 1.
You can create Azure SQL servers in ContosoRG1 only.
You are prevented from creating Azure SQL Servers in ContosoRG1 only.
You can create Azure SQL servers in any resource group within Subscription 1.

You have an Azure subscription that contains the resources shown in the following table:
You assign a policy to RG6 as shown in the following table:
To RG6, you apply the tag: RGroup: RG6
You deploy a virtual network named VNET2 to RG6
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area
NOTE: Each correct selection is worth one point
None / None
Department: D1 only / RGroup: RG6 only
Department: D1, and RGroup: RG6 only / Label: Value1 only
Department: D1, and Label: Value1 only / Label: Value1 only

You have an Azure subscription named AZPT1 that contains the resources shown in the following table:
You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2. Which resources should you identify?
VM1, storage1, VNET1, and VM1Managed only
VM1 and VM1Managed only
VM1, storage1, VNET1, VM1Managed, and RVAULT1
RVAULT1 only

You recently created a new Azure subscription that contains a user named Admin1
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure PowerShell and receives the following error message: “User failed validation to purchase resources”
Error message: “Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time”
You need to ensure that Admin1 can deploy the Marketplace resource successfully. What should you do?
From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
From the Azure portal, register the Microsoft.Marketplace resource provider
From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
From the Azure portal, assign the Billing administrator role to Admin1

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts. You create a new user account named AdminUser1
You need to assign the User administrator administrative role to AdminUser1. What should you do from the user account properties?
From the Licenses blade, assign a new license
From the Directory role blade, modify the directory role
From the Groups blade, invite the user account to a new group

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts
You purchase 10 Azure AD Premium P2 licenses for the tenant
You need to ensure that 10 users can use all the Azure AD Premium features. What should you do?
From the Licenses blade of Azure AD, assign a license
From the Groups blade of each user, invite the users to a group
From the Azure AD domain, add an enterprise application
From the Directory role blade of each user, modify the directory role

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager
Subscription1 contains a virtual machine named VM1
You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent
What should you do first?
Create an automation runbook
Deploy a function app
Deploy the IT Service Management Connector (ITSM)
Create a notification

You sign up for Azure Active Directory (Azure AD) Premium
You need to add a user named admin1@contoso.com as an administrator on all the computers that will be joined to the Azure AD domain
What should you configure in Azure AD?
Device settings from the Devices blade
Providers from the MFA Server blade
User settings from the Users blade
General settings from the Groups blade

You have an Azure Active Directory tenant named Contoso.com that includes the following users:
Contoso.com includes the following Windows 10 devices:
You create the following security groups in Contoso.com:
For each of the following statements, select Yes if the statement is true. Otherwise, select No
NOTE: Each correct selection is worth one point
User1 can add Device2 to Group1
User2 can add Device1 to Group1
User2 can add Device2 to Group2

You have an Azure subscription that contains a resource group named RG26
RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table
SQLDB01 is backed up to RGV1
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails. You need to delete RG26.
What should you do first?
Delete VM1
Stop VM1
Stop the backup of SQLDB01
Delete sa001

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1
Subscription1 has a user named User1. User1 has the following roles:
Reader
Security Admin
Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users
What should you do?
Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1
Assign User1 the Owner role for VNet1
Remove User1 from the Security Reader and Reader roles for Subscription1
Assign User1 the Network Contributor role for RG1

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com
You add contoso.com as a custom domain name to Azure AD. You need to ensure that Azure can verify the domain name
Which type of DNS record should you create?
MX
NSEC
PTR
RRSIG

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group. Does this meet the goal?
Yes
No

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group. Does this meet the goal?
Yes
No

You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1
Adatum contains a group named Developers. Subscription1 contains a resource group named Dev
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group
Solution: On Dev, you assign the Contributor role to the Developers group. Does this meet the goal?
Yes
No

You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each department uses resources in several resource groups
You need to send a report to the finance department. The report must detail the costs for each department
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order
Assign a tag to each resource group
Assign a tag to each resource
Download the usage report
From the Cost analysis blade, filter the view by tag
Open the Resource costs blade of each resource group

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1
You need to view the error from a table named Event. Which query should you run in Workspace1?
Get-Event Event | where {$_. EventType == "error"}
Event | search "error"
search in (Event)* | where EventType –eq "error"
Get-Event Event | where {$_.EventTye –eq "error"}

You have an Azure subscription that contains a virtual network named VNET1 in the East US 2 region. A network interface named VM1-NI is connected to VNET1
You successfully deploy the following resources in an Azure Resource Manager template
For each of the following statements, select Yes if the statement is true. Otherwise, select No
NOTE: Each correct selection is worth one point
VM1 and VM2 can connect to VNET1
If an Azure datacenter becomes unavailable, VM1 or VM2 will be available
If the East US 2 region becomes unavailable, VM1 or VM2 will be available

You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table
RG1 has a web app named WebApp1. WebApp1 is located in West Europe. You move WebApp1 to RG2
What is the effect of the move?
The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1
The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1
The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1
The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1

You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e
You need to create a custom RBAC role named CR1 that meets the following requirements:
Can be assigned only to the resource groups in Subscription1
Prevents the management of the access permissions for the resource groups
Allows the viewing, creating, modifying, and deleting of resources within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer area
NOTE: Each correct selection is worth one point
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e" - "Microsoft.Security/"
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups" - "Microsoft.Resources/"
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e" - "Microsoft.Authorization/"
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups" - "Microsoft.Authorization/"

You have an Azure subscription
Users access the resources in the subscription from either home or from customer sites.
From home, users must establish a point-to-site VPN to access the Azure resources.
The users on the customer sites access the Azure resources by using site-to-site VPNs
You have a line-of-business app named App1 that runs on several Azure virtual machines. The virtual machines run Windows Server 2016
You need to ensure that the connections to App1 are spread across all the virtual machines
What are two possible Azure services that you can use? Each correct answer presents a complete solution
NOTE: Each correct selection is worth one point
an internal load balancer
a public load balancer
an Azure Content Delivery Network (CDN)
Traffic Manager
an Azure Application Gateway

You have an Azure subscription
You have 100 Azure virtual machines
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering
Which blade should you use?
Monitor
Advisor
Metrics
Customer insights

You have an Azure Active Directory (Azure AD) tenant
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal
Which three settings should you configure? To answer, select the appropriate settings in the answer area
NOTE: Each correct selection is worth one point
Users and groups
Cloud apps
Conditions
Grant
Sessions

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The User administrator role is assigned to a user named Admin1
An external partner has a Microsoft account that uses the user1@outlook.com sign in
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: “Unable to invite user user1@outlook.com – Generic authorization exception”
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant. What should you do?
From the Users blade, modify the External collaboration settings.
From the Custom domain names blade, add a custom domain.
From the Organizational relationships blade, add an identity provider.
From the Roles and administrators blade, assign the Security administrator role to Admin1.

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1
You need to ensure that User1 can assign a policy to the tenant root management group. What should you do?
Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies
Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources
Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources
Create a new management group and delegate User1 as the owner of the new management group

You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table
You create two user accounts that are configured as shown in the following table
To which groups do User1 and User2 belong? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point
Group1 only / Group2 only
Group1 and Group2 only / Group2 only
Group1, Group2, and Group3 / Group2 and Group3 only
Group1 only / Group1 and Group2 only

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users shown in the following table
You need to modify the JobTitle and UsageLocation attributes for the users
For which users can you modify the attributes from Azure AD? To answer, select the appropriate options in the answer area
NOTE: Each correct selection is worth one point
User1 and User2 only / User1 and User2 only
User1, User2, and User3 / User1 and User2 only
User1 and User3 only / User1, User2, and User3
User1 only / User1, User2, and User3

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription
Solution: You assign the Network Contributor role at the subscription level to Admin1. Does this meet the goal?
Yes
No

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription
Solution: You assign the Owner role at the subscription level to Admin1. Does this meet the goal?
Yes
No

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription
Solution: You assign the Reader role at the subscription level to Admin1. Does this meet the goal?
Yes
No

You have an Azure subscription that contains a user named User1
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege
Which role-based access control (RBAC) role should you assign to User1?
Owner
Virtual Machine Contributor
Contributor
Virtual Machine Administrator Login

You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click the Access Control tab)
You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Tenant tab)
For each of the following statements, select Yes if the statement is true. Otherwise, select No
NOTE: Each correct selection is worth one point
Admin1 can add Admin2 as an owner of the subscription
Admin3 can add Admin2 as an owner of the subscription
Admin2 can create a resource group in the subscription

You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1
VM1 runs services that will be used to deploy resources to RG1
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1
What should you do first?
From the Azure portal, modify the Managed Identity settings of VM1
From the Azure portal, modify the Access control (IAM) settings of RG1
From the Azure portal, modify the Access control (IAM) settings of VM1
From the Azure portal, modify the Policies settings of RG1

You have an Azure subscription that contains a resource group named TestRG. You use TestRG to validate an Azure deployment.
TestRG contains the following resources:
You need to delete TestRG. What should you do first?
Modify the backup configurations of VM1 and modify the resource lock type of VNET1
Remove the resource lock from VNET1 and delete all data in Vault1
Turn off VM1 and remove the resource lock from VNET1
Turn off VM1 and delete all data in Vault1

You have an Azure DNS zone named adatum.com
You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure. What should you do?
Create an NS record named research in the adatum.com zone
Create a PTR record named research in the adatum.com zone
Modify the SOA record of adatum.com
Create an A record named *.research in the adatum.com zone

You have an Azure Active Directory (Azure AD) tenant that has the contoso.onmicrosoft.com domain name
You have a domain name of contoso.com registered at a third-party registrar
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com
Which three actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order
Add a record to the public contoso.com DNS zone
Add an Azure AD tenant
Configure company branding
Create an Azure DNS zone
Add a custom name
Verify the domain

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question
Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market
Contoso products are manufactured by using blueprint files that the company authors and maintains
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure
Move the existing product blueprint files to Azure Blob storage
Create a hybrid directory to support an upcoming Microsoft Office 365 migration project
Technical Requirements
Contoso must meet the following technical requirements:
Move all the virtual machines for App1 to Azure
Minimize the number of open ports between the App1 tiers
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible
User Requirements
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription
Admin1 must receive email alerts regarding service outages
Ensure that a new user named User3 can create network objects for the Azure subscription
You need to configure the Device settings to meet the technical requirements and the user requirements. Which two settings should you modify? To answer, select the appropriate settings in the answer area
Users may join device to Azure AD [None] / Additional local administrators on Azure AD joined devices [Selected]
Users may join device to Azure AD [Selected] / Require Multi-Factor Auth to join devices [Yes]
Additional local administrators on Azure AD joined device [Selected] / Require Multi-Factor Auth to join devices [Yes]
Users may join device to Azure AD [Selected] / Additional local administrators on Azure AD joined devices [Selected]

You need to meet the user requirement for Admin1. What should you do?
From the Azure Active Directory blade, modify the Groups
From the Azure Active Directory blade, modify the Properties
From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings
From the Subscriptions blade, select the subscription, and then modify the Properties