Aindumps - Az 300.v2019!05!15.by .Alexander.102q

AZ-300.
102q
Number: AZ-300
Passing Score: 800
Time Limit: 120 min
AZ-300
Website: https://vceplus.com
VCE to PDF Converter: https://vceplus.com/vce-to-pdf/
Facebook: https://www.facebook.com/VCE.For.All.VN/
Twitter : https://twitter.com/VCE_Plus
https://www.vceplus.com/
Microsoft Azure Architect Technologies (beta)

Question Set 1
QUESTION 1
You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following
table.
www.vceplus.com - Free Questions & Answers - Online Courses - Convert VCE to PDF - VCEplus.com
Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager
template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?
A. Container1
B. VM1
C. Storage2
D. RG1
Correct Answer: D
Section: [none]
Explanation
Explanation/Reference:
QUESTION 2
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. Vnet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?
A. Modify the IP address space of VNet2.

B. Move VM1 to Subscription2.
C. Provision virtual network gateways.
D. Move VNet1 to Subscription2.
Correct Answer: C
Section: [none]
Explanation
QUESTION 3
You have an Azure Active Directory (Azure AD) tenant.
You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of the Global
Administrators group authenticate to Azure AD from untrusted locations.
You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating from untrusted
locations.
What should you do?
A. From the Azure portal, modify session control of Policy1.

B. From multi-factor authentication page, modify the user settings.
C. From multi-factor authentication page, modify the service settings.
D. From the Azure portal, modify grant control of Policy1.
Correct Answer: D
Section: [none]
Explanation
QUESTION 4
You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
https://www.vceplus.com/ What
should you do first?
A. From the Azure portal, modify the Access control (IAM) settings of RG1.
B. From the Azure portal, modify the Policies settings of RG1.
C. From the Azure portal, modify the Access control (IAM) settings of VM1.
D. From the Azure portal, modify the value of the Managed Service Identity option for VM1.
Correct Answer: D
Section: [none]
Explanation
Explanation/Reference: References: https://docs.microsoft.com/en-us/azure/active-

directory/managed-identities-azure-resources/overview
QUESTION 5
You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network.
Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that
ends with onmicrosoft.com.
You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory.
You need to ensure that the users can use single-sign on (SSO) to access Azure resources.
A. From on-premises network, deploy Active Directory Federation Services (AD FS).
B. From Azure AD, add and verify a custom domain name.

C. From on-premises network, request a new certificate that contains the Active Directory domain name.
D. From the server that runs Azure AD Connect, modify the filtering options.
Correct Answer: B
Section: [none]
Explanation
QUESTION 6
You have an Active Directory forest named contoso.com.
You install and configure AD Connect to use password hash synchronization as the single sign-on(SSO) method. Staging mode is enabled.
You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.
You need to ensure that the synchronization completes successfully.
What should you do?
A. From Azure PowerShell, run Start-AdSyncSycnCycle –PolicyType Initial.

B. Run Azure AD Connect and set the SSO method to Pass-through Authentication.
C. From Synchronization Service Manager, run a full import.
D. Run Azure AD Connect and disable staging mode.
Correct Answer: D
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-
operations
QUESTION 7
HOTSPOT
You have an Azure Storage accounts as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-
overview
QUESTION 8
You have an Azure subscription that contains 100 virtual machines.
You regularly create and delete virtual machines.
You need to identify unattached disks that can be deleted.
What should you do?
A. From Microsoft Azure Storage Explorer, view the Account Management properties.
B. From Azure Cost Management, create a Cost Management report.
C. From the Azure portal, configure the Advisor recommendations.
D. From Azure Cost Management, open the Optimizer tab and create a report.
Correct Answer: D
Section: [none]
Explanation
QUESTION 9
You have an Azure subscription that contains 10 virtual machines.
You need to ensure that you receive an email message when any virtual machines are powered off, restarted, or deallocated.
What is the minimum number of rules and action groups that you require?
A. three rules and three action groups

B. one rule and one action group
C. three rules and one action groupD. one rule and three action groups
Correct Answer: C
Section: [none]
Explanation
QUESTION 10
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Upload a configuration script.

B. Create an automation account.
C. Create a new virtual machine scale set in the Azure portal.
D. Create an Azure policy.
E. Modify the extensionProfile section of the Azure Resource Manager template.
Correct Answer: CE
Section: [none]
Explanation
Explanation/Reference: References: https://docs.microsoft.com/en-us/azure/virtual-machine-

scale-sets/tutorial-install-apps-template
QUESTION 11
You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?
A. Customer insights
B. Monitor
C. Advisor
D. Metrics
Correct Answer: C
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-
recommendations
QUESTION 12
An app uses a virtual network with two subnets. One subnet is used for the application server. The other subnet is used for a database server. A network virtual
appliance (NVA) is used as a firewall.
Traffic destined for one specific address prefix is routed to the NVA and then to an on-premises database server that stores sensitive data. A Border Gateway
Protocol (BGP) route is used for the traffic to the on-premises database server.
You need to recommend a method for creating the user-defined route.
Which two options should you recommend? Each correct answer presents a complete solution.
A. For the virtual network configuration, use a VPN.

B. For the next hop type, use virtual network peering.
C. For the virtual network configuration, use Azure ExpressRoute.
D. For the next hop type, use a virtual network gateway.
Correct Answer: AC
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-
overview
QUESTION 13
You manage a solution in Azure that consists of a single application which runs on a virtual machine (VM). Traffic to the application has increased dramatically.
The application must not experience any downtime and scaling must be dynamically defined.
You need to define an auto-scale strategy to ensure that the VM can handle the workload.
Which three options should you recommend? Each correct answer presents a complete solution.
A. Deploy application automatic vertical scaling.

B. Create a VM availability set.
C. Create a VM scale set.
D. Deploy application automatic horizontal scaling.
E. Deploy a custom auto-scale implementation.
Correct Answer: CDE

Section: [none]
Explanation
QUESTION 14
You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor authentication
(MFA) in Azure Active Directory (Azure AD).
You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use? Each correct answer presents a complete solution.
A. Short Message Service (SMS) messages

B. Azure AD passwords
C. Email addresses
D. Security questions
E. App passwords
Correct Answer: AB
Section: [none]
Explanation
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
QUESTION 15
Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
Explanation:
How can I freeze or lock my production/critical Azure resources from accidental deletion? There is way to do this with both ASM and ARM resources using Azure
resource lock.
References: https://blogs.msdn.microsoft.com/azureedu/2016/04/27/using-azure-resource-manager-policy-and-azure-lock-to-control-your-azure-
resources/
QUESTION 16
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by
using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the RG1 blade, you click Automation script.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
QUESTION 17
using templates.
Solution: From the Subscription blade, you select the subscription, and then click Resource providers.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
QUESTION 18
using templates.
Solution: From the RG1 blade, you click Deployments.
A. Yes
B. No
Correct Answer: A
Section: [none]
Explanation
QUESTION 19
DRAG DROP
You have an on-premises file server named Server1 that runs Windows Server 2016.
You have an Azure subscription that contains an Azure file share.
You deploy an Azure File Sync Storage Sync Service, and you create a sync group.
You need to synchronize files from Server1 to Azure.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
Select and Place:
Correct Answer:
Section: [none]
Explanation
Explanation:
Step 1: Install the Azure File Sync agent on Server1

The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2: Register Server1.
Register Windows Server with Storage Sync Service

Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.
Step 3: Add a server endpoint

Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud
endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server.
References: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-
guide
QUESTION 20
You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution.
A. a dataset CSV file

B. an XML manifest file
C. a driveset CSV file
D. a PowerShell PS1 file
E. a JSON configuration file
Correct Answer: AC
Section: [none]
Explanation
Explanation:
A: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries in the
dataset.csv file
C: Modify the driveset.csv file in the root folder where the tool resides.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-
files
QUESTION 21
You create an Azure Storage account named contosostorage.
You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which outbound port should you open between the home computers and the data file share?
A. 80
B. 443
C. 445
D. 3389
Correct Answer: C
Section: [none]
Explanation
Explanation:
Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked.
References: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-
windows
QUESTION 22
HOTSPOT
You have an Azure subscription named Subscription1.
Subscription1 contains the virtual machines in the following table:
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.
VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.
You create a route table named RT1 that contains the routers in the following table.
You apply RT1 to Subnet1 and Subnet2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: [none]
Explanation
Explanation:
IP forwarding enables the virtual machine a network interface is attached to:
Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A
virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.
Box 1: Yes
The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.
Box 2: No
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.
Box 3: Yes
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
https://www.quora.com/What-is-IP-forwarding
QUESTION 23
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)
No devices are connected to VNet1.
You plan to peer VNet1 to another virtual network named VNet2 in the same region. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering.
A. Add a gateway subnet to VNet1.

B. Create a subnet on VNet1 and VNet2
C. Modify the address space of VNet1
D. Configure a service endpoint on VNet2
Correct Answer: C
Section: [none]
Explanation
Explanation:
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of 10.2.0.0/16, which is the
same as VNet2, and thus overlaps. We need to change the address space for VNet1.
References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-
constraints
QUESTION 24
SIMULATION
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.
When you are finished performing all the tasks, click the ‘Next’ button.
Note that you cannot return to the lab once you click the ‘Next’ button. Scoring occur in the background while you complete the rest of the exam.
Overview
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it
would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully
perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each
lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab

You may start the lab by clicking the Next button.
You plan to allow connections between the VNET01-USEA2 and VNET01-USWE2 virtual networks.
You need to ensure that virtual machines can communicate across both virtual networks by using their private IP address.
The solution must NOT require any virtual network gateways.
What should you do from the Azure portal?
Correct Answer: See explanation below.

Section: [none]
Explanation
Explanation:
Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks appear as one, for connectivity
purposes.
Peer virtual networks

Step 1. In the Search box at the top of the Azure portal, begin typing VNET01-USEA2. When VNET01-USEA2 appears in the search results, select it.
Step 2. Select Peerings, under SETTINGS, and then select + Add, as shown in the following picture:
Step 3. Enter, or select, the following information, accept the defaults for the remaining settings, and then select
OK. Name: myVirtualNetwork1-myVirtualNetwork2 (for example) Subscription: elect your subscription.
Virtual network: VNET01-USWE2 - To select the VNET01-USWE2 virtual network, select Virtual network, then select VNET01-USWE2. You can select a virtual
network in the same region or in a different region.
Now we need to repeat steps 1-3 for the other network VNET01-USWE2:
Step 4. In the Search box at the top of the Azure portal, begin typing VNET01- USEA2. When VNET01- USEA2 appears in the search results, select it.
Step 5. Select Peerings, under SETTINGS, and then select + Add.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal
QUESTION 25
SIMULATION
Overview
To start the lab

Another administrator attempts to establish connectivity between two virtual networks named VNET1 and VNET2. The administrator reports that connections
across the virtual networks fail.
You need to ensure that network connections can be established successfully between VNET1 and VNET2 as quickly as possible.
Correct Answer: See solution below.

Section: [none]
Explanation
Explanation:
You can connect one VNet to another VNet using either a Virtual network peering, or an Azure VPN Gateway.
To create a virtual network gateway
Step 1: In the portal, on the left side, click +Create a resource and type 'virtual network gateway' in search. Locate Virtual network gateway in the search return and
click the entry. On the Virtual network gateway page, click Create at the bottom of the page to open the Create virtual network gateway page.
Step 2: On the Create virtual network gateway page, fill in the values for your virtual network gateway.
Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual network to open the 'Choose a virtual network' page. Select the
VNet. If you don't see your VNet, make sure the Location field is pointing to the region in which your virtual network is located.
Gateway subnet address range: You will only see this setting if you did not previously create a gateway subnet for your virtual network. If you previously created a
valid gateway subnet, this setting will not appear.
Step 4: Select Create New to create a Gateway subnet.
Step 5: Click Create to begin creating the VPN gateway. The settings are validated and you'll see the "Deploying Virtual network gateway" tile on the dashboard.
Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-
portal?
QUESTION 26
You have an Azure tenant that contains two subscriptions named Subscription1 and Subscription2.
In Subscription1, you deploy a virtual machine named Server1 that runs Windows Server 2016. Server1 uses managed disks.
You need to move Server1 to Subscription2. The solution must minimize administration effort.
A. Create a new virtual machine in Subscription2
B. In Subscription2, create a copy of the virtual disk
C. Create a snapshot of the virtual disk
D. From Azure PowerShell, run the Move-AzureRmResource cmdlet
Correct Answer: D
Section: [none]
Explanation
Explanation:
To move existing resources to another resource group or subscription, use the Move-AzureRmResource cmdlet.
References: https://docs.microsoft.com/en-in/azure/azure-resource-manager/resource-group-move-resources#move-
resources
QUESTION 27
You have an Azure subscription.
You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)
You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.
What should you modify on VM1?
A. the processor
B. the memory
C. Integration Services
D. the hard drive
E. the network adapters
Correct Answer: D
Section: [none]
Explanation
Explanation:
From the exhibit we see that the disk is in the VHDX format.
Before you upload a Windows virtual machines (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports
only generation 1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a
generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.
References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image?toc=azure virtual-machines

windows toc.json
QUESTION 28
You have an Azure policy as shown in the following exhibit.
What is the effect of the policy?
A. You can create Azure SQL servers in any resource group within Subscription 1.
B. You can create Azure SQL servers in ContosoRG1 only.
C. You are prevented from creating Azure SQL Servers in ContosoRG1 only.
D. You are prevented from creating Azure SQL servers anywhere in Subscription 1.
Correct Answer: B
Section: [none]
Explanation
Explanation:
You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the exception of ContosoRG1
QUESTION 29
You have an Azure subscription that contains a resource group named RG1. RG1 contains 100 virtual machines.
Your company has three cost centers named Manufacturing, Sales, and Finance.
You need to associate each virtual machine to a specific cost center.
What should you do?
A. Add an extension to the virtual machines

B. Modify the inventory settings of the virtual machine
C. Assign tags to the virtual machines
D. Configure locks for the virtual machine
Correct Answer: C
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/billing/billing-getting-started
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-
tags QUESTION 30
You have an Azure subscription that contains two storage accounts named storagecontoso1 and storagecontoso2. Each storage account contains a queue
service, a table service, and a blob service.
You develop two apps named App1 and App2. You need to configure the apps to store different types of data to all the storage services on both the storage
accounts.
How many endpoints should you configure for each app?
A. 2
B. 3
C. 6
D. 12
Correct Answer: A
Section: [none]
Explanation
Explanation:
Each app needs a service endpoint in each Storage Account.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-
security
QUESTION 31
SIMULATION
Overview
To start the lab

You plan to create 100 Azure virtual machines on each of the following three virtual networks:
- VNET1005a
- VNET1005b - VNET1005c
All the network traffic between the three virtual networks will be routed through VNET1005a.
You need to create the virtual networks, and then to ensure that all the Azure virtual machines can connect to other virtual machines by using their private IP
address. The solutions must NOT require any virtual gateways and must minimize the number of peerings.
What should you do from the Azure portal before you configuring IP routing?

Section: [none]
Explanation
Explanation:
Step 1: Click Create a resource in the portal.
Step 2: Enter Virtual network in the Search the Marketplace box at the top of the New pane that appears. Click Virtual network when it appears in the search
results.
Step 3: Select Classic in the Select a deployment model box in the Virtual Network pane that appears, then click Create.
Step 4: Enter the following values on the Create virtual network (classic) pane and then click Create:
Name: VNET1005a
Address space: 10.0.0.0/16

Subnet name: subnet0
Resource group: Create new
Subnet address range: 10.0.0.0/24
Subscription and location: Select your subscription and location.
Step 5: Repeat steps 3-5 for VNET1005b (10.1.0.0/16, 10.1.0.0/24), and for VNET1005c 10.2.0.0/16, 10.2.0.0/24).
References: https://docs.microsoft.com/en-us/azure/virtual-network/create-virtual-network-
classic
QUESTION 32
SIMULATION
Overview
To start the lab

Another administrator reports that she is unable to configure a web app named corplod8548987n3 to prevent all connections from an IP address of 11.0.0.11.
You need to modify corplod8548987n3 to successfully prevent the connections from the IP address. The solution must minimize Azure-related costs.

Section: [none]
Explanation
Explanation:
Step 1:
Find and select application corplod8548987n3:
1. In the Azure portal, on the left navigation panel, click Azure Active Directory.
2. In the Azure Active Directory blade, click Enterprise applications.
Step 2:
To add an IP restriction rule to your app, use the menu to open Network>IP Restrictions and click on Configure IP Restrictions
Step 3:
Click Add rule
You can click on [+] Add to add a new IP restriction rule. Once you add a rule, it will become effective immediately.
Step 4:
Add name, IP address of 11.0.0.11, select Deny, and click Add Rule
References: https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-
restrictions
QUESTION 33
You have an Azure subscription that contains three virtual networks named VNet1, VNet2, and VNet3. VNet2 contains a virtual appliance named VM2 that
operates as a router.
You are configuring the virtual networks in a hub and spoke topology that uses VNet2 as the hub network.
You plan to configure peering between VNet1 and VNet2 and between VNet2 and VNet3.
You need to provide connectivity between VNet1 and VNet3 through VNet2.
Which two configurations should you perform? Each correct answer presents part of the solution.
A. On the peering connections, allow forwarded traffic

B. Create a route filter
C. On the peering connections, allow gateway transit
D. Create route tables and assign the table to subnets
E. On the peering, use remote gateways
Correct Answer: CE
Section: [none]
Explanation
Explanation:
Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual network and want to allow traffic from the peered virtual network
to flow through the gateway.
The peered virtual network must have the Use remote gateways checkbox checked when setting up the peering from the other virtual network to this virtual
network.
References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-
constraints
QUESTION 34
You are planning to create a virtual network that has a scale set that contains six virtual machines (VMs).
A monitoring solution on a different network will need access to the VMs inside the scale set.
You need to define public access to the VMs.
Solution: Deploy a standalone VM that has a public IP address to the virtual network.
https://www.vceplus.com/ Does
the solution meet the goal?
A. Yes
B. No
Correct Answer: A
Section: [none]
Explanation
QUESTION 35
You are planning to create a virtual network that has a scale set that contains six virtual machines (VMs).
A monitoring solution on a different network will need access to the VMs inside the scale set.
You need to define public access to the VMs.
Solution: Implement an Azure Load Balancer.
Does the solution meet the goal?
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
Testlet 2
Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there
may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and
other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this
case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next
section of the exam. After you begin a new section, you cannot return to this section.
To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the
questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All
Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question,
click the Question button to return to the question.
Overview
ADatum Corporation is a financial company that has two main offices in New York and Los Angeles. ADatum has a subsidiary named Fabrikam, Inc. that shares
the Los Angeles office.
ADatum is conducting an initial deployment of Azure services to host new line-of-business applications and is preparing to migrate its existing on-premises
workloads to Azure.
ADatum uses Microsoft Exchange Online for email.
Existing Environment
On-Premises Environment
The on-premises workloads run on virtual machines hosted in a VMware vSphere 6 infrastructure. All the virtual machines are members of an Active Directory
forest named adatum.com and run Windows Server 2016.
The New York office uses an IP address space of 10.0.0.0/16. The Los Angeles office uses an IP address space of 10.10.0.0/16.
The offices connect by using a VPN provided by an ISP. Each office has one Azure ExpressRoute circuit that provides access to Azure services and Microsoft
Online Services. Routing is implemented by using Microsoft peering.
The New York office has a virtual machine named VM1 that has the vSphere console installed.
Azure Environment
You provision the Azure infrastructure by using the Azure portal. The infrastructure contains the resources shown in the following table.
AG1 has two backend pools named Pool11 and Pool12. AG2 has two backend pools named Pool21 and Pool22.
Requirements
Planned Changes
ADatum plans to migrate the virtual machines from the New York office to the East US Azure region by using Azure Site Recovery.
Infrastructure Requirements
ADatum identifies the following infrastructure requirements:

- A new web app named App1 that will access third-parties for credit card processing must be deployed.
- A newly developed API must be implemented as an Azure function named App2. App2 will use a blob storage trigger. App2 must process new blobs immediately.
- The Azure infrastructure and the on-premises infrastructure must be prepared for the migration of the VMware virtual machines to Azure.
- The sizes of the Azure virtual machines that will be used to migrate the on-premises workloads must be identified. - All migrated and newly deployed Azure
virtual machines must be joined to the adatum.com domain.
- AG1 must load balance incoming traffic in the following manner:
- http://corporate.adatum.com/video/* will be load balanced across Pool11.
- http://corporate.adatum.com/images/* will be load balanced across Pool12.
- http://www.adatum.com will be load balanced across Pool21. - http://fabrikam.com will be load balanced across Pool22.
- ER1 must route traffic between the New York office and platform as a service (PaaS) services in the East US Azure region, as long as ER1 is available.
- ER1 must route traffic between the Los Angeles office and the PaaS services in the West US region, as long as ER2 is available. - ER1 and ER2 must be
configured to fail over automatically. Application Requirements
App2 must be available to connect directly to the private IP addresses of the Azure virtual machines. App2 will be deployed directly to an Azure virtual network.
Inbound and outbound communications to App1 must be controlled by using NSGs.
Pricing Requirements
ADatum identifies the following pricing requirements:
- The cost of App1 and App2 must be minimized

- The transactional charges of Azure Storage accounts must be minimized
QUESTION 1
What should you create to configure AG2?
A. multi-site listeners
B. URL path-based routing rules
C. basic routing rules
D. an additional public IP address
E. basic listeners
Correct Answer: A
Section: [none]
Explanation
Explanation:
- http://www.adatum.com will be load balanced across Pool21. - http://fabrikam.com will be load balanced across
Pool22.
You need to configure an Azure Application Gateway with multi-site listeners to direct different URLs to different pools.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/multiple-site-overview
Question Set 1
QUESTION 1
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named
Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
A. Yes
B. No
Correct Answer: A
Section: [none]
Explanation
Explanation:
The Contributor role lets you manage everything except access to resources. It allows you to create and manage resources of all types, including creating Azure
logic apps.
References: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-
roles#contributor
QUESTION 2
A company backs up data to on-premises servers at their main facility. The company currently has 30 TB of archived data that infrequently used. The facility has
download speeds of 100 Mbps and upload speeds of 20 Mbps.
You need to securely transfer all backups to Azure Blob Storage for long-term archival. All backup data must be sent within seven days.
Solution: Backup data to local disks and use the Azure Import/Export service to send backups to Azure Blob Storage.
A. Yes
B. No
Correct Answer: A
Section: [none]
Explanation
QUESTION 3
Solution: Create a file share in Azure Files. Mount the file share to the server and upload the files to the file share. Transfer the files to Azure Blob Storage.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
QUESTION 4
Solution: Use the Set-AzureStorageBlobContent Azure PowerShell command to copy all backups asynchronously to Azure Blob Storage.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
QUESTION 5
You have an on-premises network that contains a Hyper-V host named Host1. Host1 runs Windows Server 2016 and hosts 10 virtual machines that run Windows
Server 2016.
You plan to replicate the virtual machines to Azure by using Azure Site Recovery.
You create a Recovery Services vault named ASR1 and a Hyper-V site named Site1.
You need to add Host1 to ASR1.
What should you do?
A. Download the installation file for the Azure Site Recovery Provider.
Download the storage account key.
Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines. B.
Download the installation file for the Azure Site Recovery Provider.
Download the vault registration key.

Install the Azure Site Recovery Provider on Host1 and register the server.
C. Download the installation file for the Azure Site Recovery Provider. Download the storage account key.
Install the Azure Site Recovery Provider on Host1 and register the server.
D. Download the installation file for the Azure Site Recovery Provider.
Download the vault registration key.
Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
Correct Answer: B
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-
tutorial
QUESTION 6
You plan to migrate an on-premises Hyper-V environment to Azure by using Azure Site Recovery. The Hyper-V environment is managed by using Microsoft
System Center Virtual Machine Manager (VMM).
The Hyper-V environment contains the virtual machines in the following table:
Which virtual machine can be migrated by using Azure Site Recovery?
A. FS1
B. CA1
C. DC1
D. SQL1
Correct Answer: D
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix#azure-vm-
requirements
QUESTION 7
You have an Azure subscription named Subscription1 that contains two Azure networks named VNet1 and VNet2. VNet1 contains a VPN gateway named
VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.
On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.
You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to
connect to VNet2.
You need to ensure that you can connect Client1 to VNet2.
What should you do?
A. Select Allow gateway transit on VNet1.

B. Download and re-install the VPN client configuration package on Client1.
C. Enable BGP on VPNGW1.
D. Select Allow gateway transit on VNet2.
Correct Answer: B
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-
routing
QUESTION 8
HOTSPOT
Your company has offices in New York and Los Angeles.
You have an Azure subscription that contains an Azure virtual network named VNet1. Each office has a site-to-site VPN connection to VNet1.
Each network uses the address spaces shown in the following table:
You need to ensure that all Internet-bound traffic from VNet1 is routed through the New York office.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: [none]
Explanation
QUESTION 9
You have a Microsoft SQL Server Always On availability group on Azure virtual machines.
You need to configure an Azure internal load balancer as a listener for the availability group.
What should you do?
A. Create an HTTP health probe on port 1433.

B. Set Session persistence to Client IP.
C. Set Session persistence to Client IP and protocol.
D. Enable Floating IP.
Correct Answer: D
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-alwayson-int-
listener
QUESTION 10
You set the multi-factor authentication status for a user named admin1@contoso.com to Enabled.
Admin1 accesses the Azure portal by using a web browser.
Which additional security verifications can Admin1 use when accessing the Azure portal?
A. an app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app
B. a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app
C. a phone call, an email message that contains a verification code, and a text message that contains an app password
D. an app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app
Correct Answer: B
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-
authentication-methods
QUESTION 11
You have an Azure Active Directory (Azure AD) tenant.
All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal only from your on-premises network.
What should you configure?
A. the default for all the roles in Azure AD Privileged Identity Management
B. an Azure AD Identity Protection user risk policy
C. an Azure AD Identity Protection sign-in risk policy
D. the multi-factor authentication service settings
Correct Answer: D
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-
mfasettings
QUESTION 12
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
Reader
Security Admin
Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Assign User1 the Owner role for VNet1.

B. Assign User1 the Network Contributor role for VNet1.
C. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
D. Remove User1 from the Security Reader and Reader roles for Subscription1.
Correct Answer: A
Section: [none]
Explanation
QUESTION 13
You are building a custom Azure function app to connect to Azure Event Grid.
You need to ensure that resources are allocated dynamically to the function app. Billing must be based on the executions of the app.
What should you configure when you create the function app?
A. the Windows operating system and the App Service plan hosting plan
B. the Docker container and an App Service plan that uses the B1 pricing tier C. the Windows operating system and the
Consumption plan hosting plan
D. the Docker container and an App Service plan that uses the S1 pricing tier
Correct Answer: C
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/azure-functions/functions-
scale
QUESTION 14
You have an Azure Service Bus.
You need to implement a Service Bus queue that guarantees first-in-first-out (FIFO) delivery of messages.
What should you do?
A. Enable partitioning
B. Enable duplicate detection
C. Set the Lock Duration setting to 10 seconds
D. Enable sessions
E. Set the Max Size setting of the queue to 5 GB
Correct Answer: D
Section: [none]
Explanation
Explanation/Reference: References: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-azure-and-

service-bus-queues-compared-contrasted
QUESTION 15
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from VNet1 to an on-premises computer.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Add a service endpoint to VNet1.

B. Add a public IP address space to VNet1.
C. Create a route-based virtual network gateway.
D. Reset GW1.
E. Delete GW1.
F. Add a connection to GW1.
Correct Answer: CE
Section: [none]
Explanation
QUESTION 16
You have an Azure subscription that contains the resources shown in the following table.
Subnet1 is on VNET1. VM1 connects to Subnet1.
You plan to create a virtual network gateway on VNET1.
You need to prepare the environment for the planned virtual network gateway.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
A. Modify the address space used by VNET1.

B. Modify the address space used by Subnet1.
C. Create a subnet named GatewaySubnet on VNET1.
D. Create a local network gateway.

E. Delete Subnet1.
Correct Answer: AE
Section: [none]
Explanation
QUESTION 17
A company hosts virtual machines (VMs) in an on-premises datacenter and in Azure. The on-premises and Azure-based VMs communicate using ExpressRoute.
The company wants to be able to continue regular operations if the ExpressRoute connection fails. Failover connections must use the Internet and must not require
Multiprotocol Label Switching (MPLS) support.
You need to recommend a solution that provides continued operations.
What should you recommend?
A. Set up a second ExpressRoute connection.

B. Increase the bandwidth of the existing ExpressRoute connection.
C. Increase the bandwidth for the on-premises internet connection.
D. Set up a VPN connection.
Correct Answer: D
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/expressroute-vpn-
failover
QUESTION 18
You have a web app named WebApp1 that uses an Azure App Service plan named Plan1. Plan1 uses the D1 pricing tier and has an instance count of 1.
You need to ensure that all connections to WebApp1 use HTTPS.
A. Scale up Plan1.
B. Modify the connection strings for WebApp1.
C. Scale out Plan1.
D. Disable anonymous access to WebApp1.
Correct Answer: A
Section: [none]
Explanation
Explanation:
The D1 (Shared) pricing tier does not support HTTPS.
QUESTION 19
You have an Azure subscription that contains an Azure Service Fabric cluster and a Service Fabric application named FabricApp.
You develop and package a Service Fabric application named AppPackage. AppPackage is saved in a compressed folder named AppPackage.zip.
You upload AppPackage.zip to an external store.
You need to register AppPackage in the Azure subscription.
A. Run the New-ServiceFabricApplication cmdlet.

B. Repackage the application in a file named App.sfpkg.
C. Create a new Service Fabric cluster.
D. Copy AppPackage.zip to a blob storage account.
Correct Answer: B
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-package-apps#create-
an-sfpkg
QUESTION 20
You develop an entertainment application where users can buy and trade virtual real estate. The application must scale to support thousands of users.
The current architecture includes five Azure virtual machines (VM) that connect to an Azure SQL Database for account information and Azure Table Storage for
backend services. A user interacts with these components in the cloud at any given time.
Routing Service – Routes a request to the appropriate service and must not persist data across sessions.
Account Service – Stores and manages all account information and authentication and requires data to persist across sessions
User Service – Stores and manages all user information and requires data to persist across sessions.
Housing Network Service – Stores and manages the current real-estate economy and requires data to persist across sessions.
Trade Service – Stores and manages virtual trade between accounts and requires data to persist across sessions.
Due to volatile user traffic, a microservices solution is selected for scale agility.
You need to migrate to a distributed microservices solution on Azure Service Fabric.
Solution: Create a Service Fabric Cluster with a stateful Reliable Service for each component.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
QUESTION 21
Solution: Create a Service Fabric Cluster with a stateless Reliable Service for Routing Service. Create stateful Reliable Services for all other components.
A. Yes
B. No
Correct Answer: A
Section: [none]
Explanation
QUESTION 22
Solution: Create a Service Fabric Cluster with a stateful Reliable Service for Routing Service. Deploy a Guest Executable to Service Fabric for each component.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
QUESTION 23
You create an Azure Time Series Insights event handler. You need to send data over the network as efficiently as possible and optimize query performance.
What should you do?
A. Create a query plan

B. Send all properties
C. Use a Tag ID
D. Use reference data
Correct Answer: D
Section: [none]
Explanation
Explanation/Reference: References: https://docs.microsoft.com/en-us/azure/time-

series-insights/how-to-shape-query-json
QUESTION 24
You are creating an IoT solution using Azure Time Series Insights.
You configure the environment to ensure that all data for the current year is available.
What should you do?
A. Add a disaster recovery (DR) strategy.

B. Set a value for the Data retention time setting.
C. Change the pricing tier.
D. Create a reference data set.
Correct Answer: D
Section: [none]
Explanation
QUESTION 25
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. an Azure Cosmos DB database

B. Azure SQL Database
C. Azure File Storage
D. Azure Data Lake Store
Correct Answer: C
Section: [none]
Explanation
Explanation:
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-
service
QUESTION 26
You have an Azure subscription that contains the resources in the following table.
Store1 contains a file share named Data. Data contains 5,000 files.
You need to synchronize the files in Data to an on-premises server named Server1.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Download an automation script

B. Create a sync group
C. Install the Azure File Sync agent on Server1
D. Create a container instance
E. Register Server1
Correct Answer: BCE

Section: [none]
Explanation
Explanation:
Step 1 (C): Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2 (E): Register Server1.

Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.
Step 3 (B): Create a sync group and a cloud endpoint.

A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud
endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server.
References: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-
guide
QUESTION 27
You plan to back up an Azure virtual machine named VM1.
You discover that the Backup Pre-Check status displays a status of Warning.
What is a possible cause of the Warning status?
A. VM1 does not have the latest version of WaAppAgent.exe installed

B. A Recovery Services vault is unavailable
C. VM1 has an unmanaged disk
D. VM1 is stopped
Correct Answer: A
Section: [none]
Explanation
Explanation:
The Warning state indicates one or more issues in VM’s configuration that might lead to backup failures and provides recommended steps to ensure successful
backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this class of issues.
References: https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-
checks/
QUESTION 28
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1. You have a computer Computer1 that runs Windows
10. Computer1 is connected to the Internet.
You add a network interface named Interface1 to VM1 as shown in the exhibit. (Click the Exhibit tab.)
From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.
You need to establish a Remote Desktop connection to VM1.
A. Attach a network interface

B. Start VM1
C. Delete the DenyAllOutBound outbound port rule
D. Delete the DenyAllInBound inbound port rule
Correct Answer: B
Section: [none]
Explanation
Explanation:
Incorrect Answers:
A: The network interface has already been added to VM.
C: The Outbound rules are fine.
D: The inbound rules are fine. Port 3389 is used for Remote Desktop.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Processing stops
once traffic matches a rule. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not
processed.
References: https://docs.microsoft.com/en-us/azure/virtual-network/security-
overview
QUESTION 29
You are designing an Azure solution.
The solution must meet the following requirements:
Distribute traffic to different pools of dedicated virtual machines (VMs) based on rules
Provide SSL offloading capabilities
You need to recommend a solution to distribute network traffic.
Which technology should you recommend?
A. server-level firewall rules
B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure Load Balancer
Correct Answer: B
Section: [none]
Explanation
Explanation:
If you require "SSL offloading", application layer treatment, or wish to delegate certificate management to Azure, you should use Azure's layer 7 load balancer
Application Gateway instead of the Load Balanacer.
Incorrect Answers:
D: Because Load Balancer is agnostic to the TCP payload and TLS offload ("SSL") is not provided.
References: https://docs.microsoft.com/en-us/azure/application-gateway/overview
QUESTION 30
Solution: Deploy a Windows container to Azure Service Fabric for each component.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
Testlet 2
Case study
case study.

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer
the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an
All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a
question, click the Question button to return to the question. Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Contoso are hosted on-premises.
Contoso creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named contoso.onmicrosoft.com. The tenant uses the P1
pricing tier.
The network contains an Active Directory forest named contoso.com. All domain controllers are configured as DNS servers and host the contoso.com DNS zone.
Contoso has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains
all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added
frequently.
Contoso.com contains a user named User1.
All the offices connect by using private links.
Contoso has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.
Contoso uses two web applications named App1 and App2. Each instance on each web application requires 1GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs).
Planned Changes
Contoso plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.

Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical requirements
Contoso must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
QUESTION 1
You need to meet the technical requirement for VM4.
What should you create and configure?
A. an Azure Logic App

B. an Azure Service Bus
C. an Azure Notification Hub
D. an Azure Event Hub
Correct Answer: D
Section: [none]
Explanation
Explanation:
Scenario: Create a workflow to send an email message when the settings of VM4 are modified.
You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those
events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a
subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.
References:
https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app
Question Set 1
QUESTION 1
You have an Azure App Service API that allows users to upload documents to the cloud with a mobile device. A mobile app connects to the service by using REST
API calls.
When a new document is uploaded to the service, the service extracts the document metadata. Usage statistics for the app show significant increases in app
usage.
The extraction process is CPU-intensive. You plan to modify the API to use a queue.
You need to ensure that the solution scales, handles request spikes, and reduces costs between request spikes.
What should you do?
A. Configure a CPU Optimized virtual machine (VM) and install the Web App service on the new instance.
B. Configure a series of CPU Optimized virtual machine (VM) instances and install extraction logic to process a queue.
C. Move the extraction logic into an Azure Function. Create a queue triggered function to process the queue.
D. Configure Azure Container Service to retrieve items from a queue and run across a pool of virtual machine (VM) nodes using the extraction logic.
Correct Answer: C
Section: [none]
Explanation
QUESTION 2
You create a social media application that users can use to upload images and other content.
Users report that adult content is being posted in an area of the site that is accessible to and intended for young children.
You need to automatically detect and flag potentially offensive content. The solution must not require any custom coding other than code to scan and evaluate
images.
What should you implement?
A. Bing Visual Search

B. Bing Image Search
C. Custom Vision Search
D. Computer Vision API
Correct Answer: D
Section: [none]
Explanation
QUESTION 3
DRAG DROP
You are developing Azure WebJobs.
You need to recommend a WebJob type for each scenario.
Which WebJob type should you recommend? To answer, drag the appropriate WebJob types to the correct scenarios. Each WebJob type may be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/app-service/webjobs-create#webjob-
types
QUESTION 4
You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.
RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?
A. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.
B. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
C. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
D. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
Correct Answer: D
Section: [none]
Explanation
Explanation:
You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region.
The region in which your app runs is the region of the App Service plan it's in. However, you cannot change an App Service plan's region.
References: https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-
manage
QUESTION 5
You create the following Azure role definition.
{
"Name": "Role1",
"Id": "80808080-8080-8080-8080-808080808080",
IsCustom : false,
"Description": "",
"Actions" : [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read"],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": []
}
You need to create Role1 by using the role definition.
Which two values should you modify before you create Role1? Each correct answer presents part of solution.
A. IsCustom
B. DataActions
C. Id
D. AssignableScopes
E. Description
Correct Answer: AD
Section: [none]
Explanation
Explanation:
Part of example: "IsCustom":
true,
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId3}"
The following shows what a custom role looks like as displayed in JSON format. This custom role can be used for monitoring and restarting virtual machines.
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId3}"
]
}
References: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-
roles
QUESTION 6
You have an Azure App Service named WebApp1.
You plan to add a WebJob named WebJob1 to WebApp1.
You need to ensure that WebJob1 is triggered every 15 minutes.
What should you do?
A. Change the Web.config file to include the 1-31 1-12 1-7 0*/15* CRON expression
B. From the properties of WebJob1, change the CRON expression to 0*/15****.
C. Add a file named Settings.job to the ZIP file that contains the WebJob script. Add the
1-31 1-12 1-7 0*/15* CRON expression to the JOB file
D. Create an Azure Automation account and add a schedule to the account. Set the recurrence for the schedule
Correct Answer: B
Section: [none]
Explanation
Explanation:
You can enter a CRON expression in the portal or include a settings.job file at the root of your WebJob .zip file, as in the following example: {
"schedule": "0 */15 * * * *"
}
References: https://docs.microsoft.com/en-us/azure/app-service/webjobs-
create
QUESTION 7
You have an on-premises virtual machine named VM1 configured as shown in the following exhibit.
VM is started.
You need to create a new virtual machine image in Azure from VM1.
Which three actions should you perform before you create the new image? Each correct answer presents part of the solution.
A. Remove the Backup (volume shadow copy) integration service

B. Generalize VM1
C. Run Add-AzureRmVhd and specify a blob service container as the destination
D. Run Add-AzureRmVhd and specify a file share as the destination
E. Reduce the amount of memory to 16 GB
Correct Answer: ABC

Section: [none]
Explanation
Explanation:
Sysprep removes all your personal account and security information, and then prepares the machine to be used as an image.
The Add-AzureRmVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a blob storage account as fixed virtual hard disks.
References: https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/add-azurermvhd?view=azurermps-
6.13.0 https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource
Testlet 2
Case Study
case study.

Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Contoso are hosted on-premises.
Contoso created a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named contoso.onmicrosoft.com. The tenant uses the P1
pricing tier.
The network contains an Active Directory forest named contoso.com. All domain controllers are configured as DNS servers and host the contoso.com DNS zone.
Contoso has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains
all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added
frequently.
Contoso.com contains a user named User1.
All the offices connect by using private links.
Contoso has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.
Contoso uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs).
Requirements
Planned Changes
Contoso plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office

Migrate the virtual machine hosted on Server1 and Server2 to Azure
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD)
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements
Contoso must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office Ensure
that routing information is exchanged automatically between Azure and the routers in the Montreal office Enable Azure Multi-Factor
Authentication (MFA) for the users in the finance department only
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com
Connect the New York office to VNet1 over the Internet by using an encrypted connection
Create a workflow to send an email message when the settings of VM4 are modified
Create a custom Azure role named Role1 that is based on the Reader role
Minimize costs whenever possible
QUESTION 1
You need to configure a host name for WebApp2.
A. In Azure AD, add contoso.com as a custom domain name
B. In the public DNS zone of contoso.onmicrosoft.com, add an NS record
C. In Azure AD, add webapp2.azurewebsites.net as a custom domain name
D. In the public DNS zone of contoso.com, add a CNAME record
Correct Answer: C
Section: [none]
Explanation
Explanation:
Scenario: Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com
When you create a Cloud Service, Azure assigns it to a subdomain of cloudapp.net. For example, if your Cloud Service is named "contoso", your users will be able
to access your application on a URL like http://contoso.cloudapp.net. Azure also assigns a virtual IP address.
However, you can also expose your application on your own domain name, such as contoso.com.
References: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-custom-domain-
name-portal
QUESTION 2
Which pricing tier should you recommend for WebApp1?
A. D1
B. P1v2
C. S1
D. B1
Correct Answer: C
Section: [none]
Explanation
Explanation:
Standard supports up to 10 instances, and would be enough as the Standard plan includes auto scale that can automatically adjust the number of virtual machine
instances running to match your traffic needs.
Scenario: Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances
Incorrect Answers:
D: Basic supports only up to 3 instances.
References:
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
Question Set 1
QUESTION 1
You are the global administrator for an Azure Active Directory (Azure AD) tenant named adatum.com.
You need to enable two-step verification for Azure users.
What should you do?
A. Create an Azure AD conditional access policy.

B. Configure a playbook in Azure Security Center.
C. Enable Azure AD Privileged Identity Management.
D. Install an MFA Server.
Correct Answer: A
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-
getstarted
QUESTION 2
You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault.
A. From the Recovery Service vault, delete the backup data

B. Modify the disaster recovery properties of each virtual machines
C. Modify the locks of each virtual machine
D. From the Recovery Service vault, stop the backup of each backup item
Correct Answer: D
Section: [none]
Explanation
Explanation:
You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to
receive backup data.
Remove vault dependencies and delete vault

In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure File Servers, SQL
Servers in Azure VM, and Azure virtual machines.
References: https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-
vault
QUESTION 3
You have the Azure virtual machines shown in the following table.
You have a Recovery Services vault that protects VM1 and VM2.
You need to protect VM3 and VM4 by using Recovery Services.
A. Create a new backup policy
B. Create a new Recovery Services vault
C. Configure the extensions for VM3 and VM4
D. Create a storage account
Correct Answer: B
Section: [none]
Explanation
Explanation:
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs),
workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services
References: https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-
replication
QUESTION 4
You have an Azure Active Directory (Azure AD) domain that contains 5,000 user accounts. You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
A. From the Directory role blade, modify the directory role

B. From the Licenses blade, assign a new license
C. From the Groups blade, invite the user account to a new group
Correct Answer: A
Section: [none]
Explanation
Explanation:
Assign a role to a user
1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access
administrator.
4. Press Select to save.
References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-
portal
QUESTION 5
SIMULATION
Overview
To start the lab

You plan to prevent users from accidentally deleting blob data from Azure.
You need to ensure that administrators can recover any blob data that is deleted accidentally from the storagelod8322489 storage account for 14 days after the
deletion occurred.

Section: [none]
Explanation
Explanation:
Task A: Create a Recovery Services vault (if a vault already exists skip this task, go to Task B below)
A1. From Azure Portal, On the Hub menu, click All services and in the list of resources, type Recovery Services and click Recovery Services vaults.
If there are recovery services vaults in the subscription, the vaults are listed.
A2. On the Recovery Services vaults menu, click Add.
A3. The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource group, and Location
Task B. Create a backup goal

B1. On the Recovery Services vault blade (for the vault you just created), in the Getting Started section, click Backup, then on the Getting Started with Backup
blade, select Backup goal.
The Backup Goal blade opens. If the Recovery Services vault has been previously configured, then the Backup Goal blades opens when you click Backup on the
Recovery Services vault blade.
B2. From the Where is your workload running? drop-down menu, select Azure.
B3. From the What do you want to backup? menu, select Blob Storage, and click OK.
B4. Finish the Wizard.
Task C. create a backup schedule

C1. Open the Microsoft Azure Backup agent. You can find it by searching your machine for Microsoft Azure Backup.
C2. In the Backup agent's Actions pane, click Schedule Backup to launch the Schedule Backup Wizard.
C3. On the Getting started page of the Schedule Backup Wizard, click Next.
C4. On the Select Items to Backup page, click Add Items.
The Select Items dialog opens.
C5. Select Blob Storage you want to protect, and then click OK.
C6.In the Select Items to Backup page, click Next.

On the Specify Backup Schedule page, specify Schedule a backup every day, and click Next.
C7. On the Select Retention Policy page, set it to 14 days, and click Next.
C8. Finish the Wizard.
References: https://docs.microsoft.com/en-us/azure/backup/backup-configure-
vault
QUESTION 6
You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com.
You have a Microsoft account that you use to sign in to both tenants.
You need to configure the default sign-in tenant for the Azure portal.
What should you do?
A. From the Azure portal, configure the portal settings

B. From the Azure portal, change the directory
C. From Azure Cloud Shell, run Set-AzureRmContext
D. From Azure Cloud Shell, run Set-AzureRmSubscription
Correct Answer: B
Section: [none]
Explanation
Explanation:
Change the subscription directory in the Azure portal.
The classic portal feature Edit Directory, that allows you to associate an existing subscription to your Azure Active Directory (AAD), is now available in Azure portal.
It used to be available only to Service Admins with Microsoft accounts, but now it's available to users with AAD accounts as well.
To get started:
1. Go to Subscriptions.
2. Select a subscription.
3. Select Change directory.
Incorrect Answers:
C: The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current session. The context includes tenant, subscription, and
environment information.
References: https://azure.microsoft.com/en-us/updates/edit-directory-now-in-new-
portal/
QUESTION 7
You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named admin1@contoso.com ad an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?
A. Providers from the MFA Server blade
B. General settings from the Groups blade
C. Device settings from the Devices blade
D. User settings from the Users blade
Correct Answer: D
Section: [none]
Explanation
Explanation:
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local administrators group on
the device:
The Azure AD global administrator role
The Azure AD device administrator role The
user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
References: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-
admin
QUESTION 8
SIMULATION
Overview
To start the lab

You plan to protect on-premises virtual machines and Azure virtual machines by using Azure Backup.
You need to prepare the backup infrastructure in Azure. The solution must minimize the cost of storing the backups in Azure.

Section: [none]
Explanation
Explanation:
First, create Recovery Services vault.
Step 1: On the left-hand menu, select All services and in the services list, type Recovery Services. As you type, the list of resources filters. When you see
Recovery Services vaults in the list, select it to open the Recovery Services vaults menu.
Step 2: In the Recovery Services vaults menu, click Add to open the Recovery Services vault menu.
Step 3: In the Recovery Services vault menu, for example,
Type myRecoveryServicesVault in Name.
The current subscription ID appears in Subscription. If you have additional subscriptions, you could choose another subscription for the new vault.
For Resource group select Use existing and choose myResourceGroup. If myResourceGroup doesn't exist, select Create new and type myResourceGroup.
From the Location drop-down menu, choose West Europe.
Click Create to create your Recovery Services vault.
References: https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-vm-at-
scale
QUESTION 9
You have an Azure virtual machine named VM1 that you use for testing. VM1 is protected by Azure Backup.
You delete VM1.
You need to remove the backup data stored for VM1.
A. Delete the storage account

B. Stop the backup
C. Modify the backup policy
D. Delete the Recovery Services vault
Correct Answer: C
Section: [none]
Explanation
Explanation:
Azure Backup provides backup for virtual machines — created through both the classic deployment model and the Azure Resource Manager deployment model —
by using custom-defined backup policies in a Recovery Services vault.
With the release of backup policy management, customers can manage backup policies and model them to meet their changing requirements from a single
window. Customers can edit a policy, associate more virtual machines to a policy, and delete unnecessary policies to meet their compliance requirements.
Incorrect Answers:
D: You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured
to receive backup data.
References: https://azure.microsoft.com/en-in/updates/azure-vm-backup-policy-
management/
QUESTION 10
You have an Azure subscription named Subscription1. You deploy a Linux virtual machine named VM1 to Subscription1.
You need to monitor the metrics and the logs of VM1.
What should you use?
A. the AzurePerformanceDiagnostics extension

B. Linux Diagnostic Extension (LAD) 3.0
C. Azure Analysis Services
D. Azure HDInsight
Correct Answer: A
Section: [none]
Explanation
Explanation:
You can use extensions to configure diagnostics on your VMs to collect additional metric data.
The basic host metrics are available, but to see more granular and VM-specific metrics, you need to install the Azure diagnostics extension on the VM. The Azure
diagnostics extension allows additional monitoring and diagnostics data to be retrieved from the VM.
References: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-
monitoring
QUESTION 11
You have two Azure virtual machines named VM1 and VM2.
You have two Recovery Services vaults named RSV1 and RSV2. VM2 is protected by RSV1.
You need to use RSV2 to protect VM2.
A. From the RSV2 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup
B. From the RSV1 blade, click Backup items and stop the VM2 backup
C. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault
D. From the RSV1 blade, click Backup Jobs and export the VM2 job
Correct Answer: C
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-
arm
QUESTION 12
You have a resource group named RG1. RG1 contains an Azure Storage account named storageaccount1 and a virtual machine named VM1 that runs Windows
Server 2016.
Storageaccount1 contains the disk files for VM1.
You apply a ReadOnly lock to RG1.
What can you do from the Azure portal?
A. Start VM1
B. Upload a blob to storageaccount1
C. View the keys of storageaccount1
D. generate an automation script for RG1
Correct Answer: C
Section: [none]
Explanation
Explanation:
ReadOnly allows authorized users to read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to
the permissions granted by the Reader role.
References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-
resources
QUESTION 13
You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?
A. an Azure Key Vault and an access policy.

B. an Azure Storage account and an access policy.
C. Azure Active Directory (AD) Identity Protection and an Azure policy.
D. a Recovery Services vault and a backup policy.
Correct Answer: A
Section: [none]
Explanation
QUESTION 14
Your network contains an Active Directory forest named fabrikam.com. The forest contains two child domains named corp.fabrikam.com and
research.fabrikam.com.
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com.
You install Azure AD Connect and sync all the on-premises user accounts to the Azure AD tenant. You implement seamless single sign-on (SSO).
You plan to change the source of authority for all the user accounts in research.fabrikam.com to Azure AD.
You need to prevent research.fabrikam.com from resyncing to Azure AD.
Solution: From the Azure Active Directory admin center, you delete a custom domain.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
Explanation:
Instead you should customize the default synchronization rule.
Note:
To delete a custom domain name, you must first ensure that no resources in your directory rely on the domain name. You can't delete a domain name from your
directory if:
Any user has a user name, email address, or proxy address that includes the domain name.
Any group has an email address or proxy address that includes the domain name.
Any application in your Azure AD has an app ID URI that includes the domain name.
References: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-create-
custom-sync-rule
QUESTION 15
Your network contains an Active Directory forest named fabrikam.com. The forest contains two child domains named corp.fabrikam.com and
research.fabrikam.com.
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com.
You install Azure AD Connect and sync all the on-premises user accounts to the Azure AD tenant. You implement seamless single sign-on (SSO).
You plan to change the source of authority for all the user accounts in research.fabrikam.com to Azure AD.
You need to prevent research.fabrikam.com from resyncing to Azure AD.
Solution: You use the Synchronization Service Manager.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
Explanation:
Instead you should customize the default synchronization rule.
Note: The Synchronization Service Manager UI is used to configure more advanced aspects of the sync engine and to see the operational aspects of the service.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-create-custom-sync-rule
Testlet 2
Case Study
may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this
exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits
and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in
this case study.

Humongous Insurance is an insurance company that has three offices in Miami, Tokyo and Bangkok. Each office has 5.000 users.
Active Directory Environment

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com. The functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.
Network Infrastructure
Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Each office has several link load balancers that provide access to the servers.
Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Licensing Issue
You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user."
You verify that the Azure subscription has the available licenses.
Requirements
Planned Changes
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources
used by the Paris office users will be hosted in Azure.
Planned Azure AD Infrastructure

The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure

You plan to create the following networking resources in a resource group named All_Resources:
Default Azure system routes that will be the only routes used to route traffic
A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
Planned Azure Computer Infrastructure

Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.
Department Requirements
Humongous Insurance identifies the following requirements for the company's departments:
Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial
configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups. During the testing
phase, auditors in the finance department must be able to review all Azure costs from the past week.
Authentication Requirements
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
QUESTION 1
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution
A. Allow inbound TCP port 8080 to the domain controllers in the Miami office
B. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication
C. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office
D. Join the client computers in the Miami office to Azure AD
E. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office.
Correct Answer: BE
Section: [none]
Explanation
Explanation:
B: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure
AD Connect.
E: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using
Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com
Incorrect Answers:
A: Azure AD connect does not port 8080. It uses port 443.
C: Seamless SSO is not applicable to Active Directory Federation Services (ADFS).
D: Seamless SSO needs the user's device to be domain-joined, but doesn't need for the device to be Azure AD Joined.
Scenario: Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
Planned Azure AD Infrastructure include: The on-premises Active Directory domain will be synchronized to Azure AD.
References: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-
start
QUESTION 2
Which blade should you instruct the finance department auditors to use?
A. Partner information
B. Cost analysis
C. Resource providers
D. Invoices
Correct Answer: D
Section: [none]
Explanation
Explanation:
You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as
support offers, Enterprise Agreements, or Azure in Open.
1. Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.
2. Click Opt in and accept the terms.
Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
References:
https://docs.microsoft.com/en-us/azure/billing/billing-download-azure-invoice-daily-usage-date
Question Set 1
QUESTION 1
You are developing a speech-enabled home automation control bot.
The bot interprets some spoken words incorrectly.
You need to improve the spoken word recognition for the bot.
What should you implement?
A. The Skype for Business Channel and use scorable dialogs for improving conversation flow.
B. The Web Chat Channel and Speech priming using a Bing Speech Service and LUIS app.
C. The Skype Channel and use scorable dialogs for improving conversation flow.
D. The Cortana Channel and use scorable dialogs for improving conversation flow.
Correct Answer: B
Section: [none]
Explanation
QUESTION 2
A company is migrating an existing on-premises third-party website to Azure. The website is stateless.
The company does not have access to the source code for the website. They do not have the original installer.
The number of visitors at the website varies throughout the year. The on-premises infrastructure was resized to accommodate peaks but the extra capacity was
not used.
You need to implement a virtual machine scale set instance.
What should you do?
A. Use an autoscale setting to scale instances vertically

B. Create 100 autoscale settings per resource
C. Scale out by one instance when the average CPU usage of one of the instances is over 80 percent
D. Use Azure Monitor to create autoscale settings using custom metrics
E. Use an autoscale setting with unlimited maximum number of instances
Correct Answer: D
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-custom-
metric
QUESTION 3
SIMULATION
Overview
To start the lab

You need to create a web app named corp8548987n2 than can be scaled horizontally. The solution must use the lowest possible pricing tier for the App Service
plan.

Section: [none]
Explanation
Explanation:
Step 1:
In the Azure Portal, click Create a resource > Web + Mobile > Web App.
Step 2:
Use the Webb app settings as listed below.
Web App name: corp8548987n2
Hosting plan: Azure App Service plan
Pricing tier of the Pricing Tier: Standard
Change your hosting plan to Standard, you can't setup auto-scaling below standard tier.
Step 3:
Select Create to provision and deploy the Web app.
References:
https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-web-how-to-create-a-web-app-in-an-ase https://azure.microsoft.com/en-
us/pricing/details/app-service/plans/
QUESTION 4
Your company is developing an e-commerce Azure App Service Web App to support hundreds of restaurant locations around the world.
You are designing the messaging solution architecture to support the e-commerce transactions and messages. The solution will include the following features:
You need to design a solution for the Inventory Distribution feature.
A. Azure Service Bus

B. Azure Relay
C. Azure Event Grid
D. Azure Event Hub
Correct Answer: A
Section: [none]
Explanation
Explanation:
Microsoft Azure Service Bus is a fully managed enterprise integration message broker. Service Bus is most commonly used to decouple applications and services
from each other, and is a reliable and secure platform for asynchronous data and state transfer.
One common messaging scenario is Messaging: transfer business data, such as sales or purchase orders, journals, or inventory movements.
Incorrect Answers:
B: The Azure Relay service enables you to securely expose services that run in your corporate network to the public cloud.
References: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-
overview
QUESTION 5
You are responsible for mobile app development for a company. The company develops apps on Windows Mobile, IOS, and Android.
You plan to integrate push notifications into every app.
You need to be able to send users alerts from a backend server.
Which two options can you use to achieve this goal? Each correct answer presents a complete solution.
A. Azure Web App

B. Azure Mobile App Service
C. Azure SQL Database
D. Azure Notification Hubs
E. a virtual machine
Correct Answer: BD
Section: [none]
Explanation
Explanation:
The Mobile Apps client enables you to register for push notifications with Azure Notification Hubs.
The following platforms are supported:

Xamarin Android releases for API 19 through 24 (KitKat through Nougat)
Xamarin iOS releases for iOS versions 8.0 and later
Universal Windows Platform
Windows Phone 8.1
Windows Phone 8.0 except for Silverlight applications
References:
https://docs.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-dotnet-how-to-use-client-library
Testlet 2
Case Study
Background
Best For You Organics Company is a global restaurant franchise that has multiple locations. The company wants to enhance user experiences and vendor
integrations. The company plans to implement automated mobile ordering and delivery services.
Best For You Organics hosts an Azure web app at the URL https://www.bestforyouorganics.com. Users can use the web app to browse restaurant location,
menu items, nutritional information, and company information. The company developed and deployed a cross-platform mobile app. Requirements
Chatbot
You must develop a chatbot by using the Bot Builder SDK and Language Understanding Intelligence Service (LUIS). The chatbot must allow users to order food
for pickup or delivery.
The chatbot must meet the following requirements:
Ensure that chatbot is secure by using the Bot Framework connector.

Use natural language processing and speech recognition so that users can interact with the chatbot by using text and voice. Processing must be server-based.
Alert users about promotions at local restaurants.
Enable users to place an order for delivery or pickup by using their voice.
Greet the user upon sign-in by displaying a graphical interface that contains action buttons.
The chatbot greeting interface must match the formatting of the following example:
Vendor API
Vendors receive and provide updates for the restaurant inventory and delivery services by using Azure API Management hosted APIs. Each vendor uses their own
subscription to access each of the APIs.
APIs must meet the following conditions:
API usage must not exceed 5,000 calls and 50,000 kilobytes of bandwidth per hour per vendor.
If a vendor is nearing the number of calls or bandwidth limit, the API must trigger email notifications to the vendor.
API must prevent API usage spikes on a per-subscription basis by limiting the call rate to 100 calls per minute.
The Inventory API must be written by using ASP.NET Core and Node.js.
The API must be updated to provide an interface to Azure SQL Database objects must be managed by using code.
The Delivery API must be protected by using the OAuth 2.0 protocol with Azure Active Directory (Azure AD) when called from the Azure web app. You register
the Delivery API and web app in Azure AD. You enable OAuth 2.0 in the web app.
The delivery API must update the Products table, the Vendor transactions table, and the Billing table in a single transaction.
The Best For You Organics Company architecture team has created the following diagram depicting the expected deployments into Azure:
Architecture
Issues
Delivery API
The Delivery API intermittently throws the following exception:
"System.Data.Entity.Core.EntityCommandExecutionException: An error occurred while executing the command definition. See
the inner exception for details. -->System.Data.SqlClient.SqlException: A transport-level error has occurred when
receiving results from the server. (provider: Session Provider, error: 19 – Physical connection is not usable)"
Chatbot greeting
The chatbot’s greeting does not show the user’s name. You need to debug the chatbot locally.
Language processing
Users report that the bot fails to understand when a customer attempts to order dishes that use Italian names.
App code
Relevant portions of the app files are shown below. Line numbers are included for reference only and include a two-character prefix that denotes the specific file to
which they belong.
QUESTION 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution. Determine
whether the solution meets the stated goals.
You need to meet the vendor notification requirement.
Solution: Update the Delivery API to send emails by using a Microsoft Office 365 SMTP server.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
Explanation/Reference: References: https://docs.microsoft.com/en-us/azure/api-management/api-

management-howto-configure-notifications
QUESTION 2
Solution: Configure notifications in the Azure API Management instance.
A. Yes
B. No
Correct Answer: A
Section: [none]
Explanation
References: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-
configure-notifications
QUESTION 3
Solution: Update the Delivery API to send emails by using a cloud-based email service.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation
QUESTION 4
Solution: Create and apply a custom outbound Azure API Management policy.
A. Yes
B. No
Correct Answer: B
Section: [none]
Explanation

Aindumps - Az 300.v2019!05!15.by .Alexander.102q

Uploaded by

Copyright:

Available Formats

Aindumps - Az 300.v2019!05!15.by .Alexander.102q

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aindumps - Az 300.v2019!05!15.by .Alexander.102q

Uploaded by

Copyright:

Available Formats

What are the key points covered in the questions?

What are the key points covered in the questions?

What is discussed regarding Azure Active Directory conditional access policies?

What is discussed regarding Azure Active Directory conditional access policies?

AZ-300.

Microsoft Azure Architect Technologies (beta)

You need to view the template used for the deployment.

You need to connect VNet1 to VNet2.

What should you do first?

A. Modify the IP address space of VNet2.

What should you do?

A. From the Azure portal, modify session control of Policy1.

VM1 runs services that will be used to deploy resources to RG1.

Explanation/Reference: References: https://docs.microsoft.com/en-us/azure/active-

What should you do first?

B. From Azure AD, add and verify a custom domain name.

You need to ensure that the synchronization completes successfully.

What should you do?

A. From Azure PowerShell, run Start-AdSyncSycnCycle –PolicyType Initial.

You have an Azure Storage accounts as shown in the following exhibit.

NOTE: Each correct selection is worth one point.

You regularly create and delete virtual machines.

You need to identify unattached disks that can be deleted.

What should you do?

A. three rules and three action groups

NOTE: Each correct selection is worth one point.

A. Upload a configuration script.

Explanation/Reference: References: https://docs.microsoft.com/en-us/azure/virtual-machine-

Which blade should you use?

You need to recommend a method for creating the user-defined route.

NOTE: Each correct selection is worth one point.

A. For the virtual network configuration, use a VPN.

NOTE: Each correct selection is worth one point.

A. Deploy application automatic vertical scaling.

Correct Answer: CDE

NOTE: Each correct selection is worth one point.

A. Short Message Service (SMS) messages

Does this meet the goal?

Solution: From the RG1 blade, you click Automation script.

Does this meet the goal?

Does this meet the goal?

Solution: From the RG1 blade, you click Deployments.

Does this meet the goal?

You have an Azure subscription that contains an Azure file share.

You need to synchronize files from Server1 to Azure.

Select and Place:

Step 1: Install the Azure File Sync agent on Server1

Step 2: Register Server1.

Register Windows Server with Storage Sync Service

Step 3: Add a server endpoint

NOTE: Each correct selection is worth one point.

A. a dataset CSV file

You plan to create a file share named data.

You have an Azure subscription named Subscription1.

Subscription1 contains the virtual machines in the following table:

You apply RT1 to Subnet1 and Subnet2.

NOTE: Each correct selection is worth one point.

IP forwarding enables the virtual machine a network interface is attached to: