az-104_12july21 (1)

Reference Solution for
az-104.vce
AZ-104
AZ-104
Microsoft Azure Administrator
Version 11.0
This file was created using VCE Simulator from Avanset.com
Score: 800/1000
Version: n/A
Time 0 Minutes
Limit:
Licensed to Trainings vmware trainings.vmware@gmail.com

Manage Azure identities and governance (46 questions)
Case Study (2 questions)
Case study
This is a case study. Case studies are not timed separately. You can use as much
exam time as you would like to complete each case. However, there may be additional
case studies and sections on this exam. You must manage your time to ensure that you are
able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that
is provided in the case study. Case studies might contain exhibits and other resources that
provide more information about the scenario that is described in the case study. Each
question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review
your answers and to make changes before you move to the next section of the exam. After
you begin a new section, you cannot return to this section.
To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the
left pane to explore the content of the case study before you answer the questions. Clicking
these buttons displays information such as business requirements, existing environment, and
problem statements. If the case study has an All Information tab, note that the information
displayed is identical to the information displayed on the subsequent tabs. When you are
ready to answer a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with
partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and
maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the
following:
 File servers
 Domain controllers
 Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client
computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three
tiers:
2 Licensed to Trainings vmware
trainings.vmware@gmail.com
 A SQL database
 A web front end
 A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS
only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
 Move all the tiers of App1 to Azure.

 Move the existing product blueprint files to Azure Blob storage.
 Create a hybrid directory to support an upcoming Microsoft Office 365 migration
project.
Technical Requirements
Contoso must meet the following technical requirements:
 Move all the virtual machines for App1 to Azure.

 Minimize the number of open ports between the App1 tiers.
 Ensure that all the virtual machines for App1 are protected by backups.
 Copy the blueprint files to Azure over the Internet.
 Ensure that the blueprint files are stored in the archive storage tier.
 Ensure that partner access to the blueprint files is secured and temporary.
 Prevent user passwords or hashes of passwords from being stored in Azure.
 Use unmanaged standard storage for the hard disks of the virtual machines.
 Ensure that when users join devices to Azure Active Directory (Azure AD), the users use
a mobile phone to verify their identity.
 Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
 Ensure that only users who are part of a group named Pilot can join devices to Azure
AD.
 Designate a new user named Admin1 as the service admin for the Azure subscription.
 Admin1 must receive email alerts regarding service outages.
 Ensure that a new user named User3 can create network objects for the Azure
subscription.

Question 47
HOTSPOT
You need to configure the Device settings to meet the technical requirements and the user
requirements.
Which two settings should you modify? To answer, select the appropriate settings in the
answer area.

Solution:
Explanation/Reference
Explanation:
Box 1: Selected
Only selected users should be able to join devices

Box 2: Yes
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a
mobile phone to verify their identity.
Question 48
You need to meet the user requirement for Admin1.
What should you do?
○ From the Azure Active Directory blade, modify the Groups

○ From the Azure Active Directory blade, modify the Properties
○ From the Subscriptions blade, select the subscription, and then modify the Access
control (IAM) settings
● From the Subscriptions blade, select the subscription, and then modify the
Properties
Explanation:
Scenario:
Follow these steps to change the Service Administrator in the Azure portal.
1. Make sure your scenario is supported by checking the limitations for changing the
Service Administrator.
2. Sign in to the Azure portal as the Account Administrator.
3. Open Cost Management + Billing and select a subscription.
4. In the left navigation, click Properties.
5. Click Service Admin.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/classic-administrators

Question 1
Note: This question is part of a series of questions that present the same scenario.
Each question in the series contains a unique solution that might meet the stated
goals. Some question sets might have more than one correct solution, while others
might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As
a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory
tenant named contoso.onmicrosoft.com:
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts.
Does that meet the goal?
● Yes
○ No
Explanation:
Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Question 2
○ Yes
● No
Explanation:
Reference:

Question 3
○ Yes
● No
Explanation:
Reference:

Question 4
HOTSPOT
You have an Azure subscription named Subscription1 that contains a resource group named
RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named
LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The
solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.

Solution:
Explanation:
The Network Contributor role lets you manage networks, but not access them.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Question 5
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant
named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in
contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?
○ From contoso.com, modify the Organization relationships settings.

● From contoso.com, create an OAuth 2.0 authorization endpoint.
○ Recreate AKS1.
○ From AKS1, create a namespace.
Reference:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Question 6
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named
contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft
SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted
automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
● a Microsoft 365 group that uses the Assigned membership type

○ a Security group that uses the Assigned membership type
● a Microsoft 365 group that uses the Dynamic User membership type
○ a Security group that uses the Dynamic User membership type
○ a Security group that uses the Dynamic Device membership type
Explanation:
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to
clean up unused groups. Expiration policies can help remove inactive groups from the system
and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site,
etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.
Incorrect Answers:
B, D, E: You can set expiration policy only for Office 365 groups in Azure Active Directory
(Azure AD).
Reference:
https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-
policy?view=o365-worldwide

Question 7

HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the
users shown in the following table:
User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Solution:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

Question 8
HOTSPOT
You have the Azure management groups shown in the following table:
You add Azure subscriptions to the management groups as shown in the following table:
You create the Azure policies shown in the following table:

Solution:
Explanation:
Box 1: No
Virtual networks are not allowed at the root and is inherited. Deny overrides allowed.
Box 2: Yes
Virtual Machines can be created on a Management Group provided the user has the required
RBAC permissions.
Box 3: Yes
Subscriptions can be moved between Management Groups provided the user has the required
RBAC permissions.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
https://docs.microsoft.com/en-us/azure/governance/management-groups/manage#moving-
management-groups-and-subscriptions

Question 9
You have an Azure policy as shown in the following exhibit:
What is the effect of the policy?
○ You are prevented from creating Azure SQL servers anywhere in Subscription 1.
● You can create Azure SQL servers in ContosoRG1 only.
○ You are prevented from creating Azure SQL Servers in ContosoRG1 only.
○ You can create Azure SQL servers in any resource group within Subscription 1.
Explanation:
You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the
exception of ContosoRG1

Question 10
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table:
You assign a policy to RG6 as shown in the following table:
To RG6, you apply the tag: RGroup: RG6.
You deploy a virtual network named VNET2 to RG6.
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the
answer area.

Solution:
Explanation:
VNET1: Department: D1, and Label:Value1 only.

Tags applied to the resource group or subscription are not inherited by the resources.
Note: Azure Policy allows you to use either built-in or custom-defined policy definitions and
assign them to either a specific resource group or across a whole Azure subscription.
VNET2: Label:Value1 only.
Incorrect Answers:
RGROUP: RG6
Tags applied to the resource group or subscription are not inherited by the resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies

Question 11
You have an Azure subscription named AZPT1 that contains the resources shown in the
following table:
You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.
Which resources should you identify?
○ VM1, storage1, VNET1, and VM1Managed only

○ VM1 and VM1Managed only
● VM1, storage1, VNET1, VM1Managed, and RVAULT1
○ RVAULT1 only
Explanation:
You can move a VM and its associated resources to a different subscription by using the Azure
portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource group
within the current subscription or to a new subscription.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-
group-and-subscription

Question 12
You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource

Manager template. Admin1 deploys the template by using Azure PowerShell and receives the
following error message: “User failed validation to purchase resources. Error message: “Legal
terms have not been accepted for this item on this subscription. To accept legal terms, please
go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure
programmatic deployment for the Marketplace item or create it there for the first time.”
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?
○ From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet

○ From the Azure portal, register the Microsoft.Marketplace resource provider
● From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
○ From the Azure portal, assign the Billing administrator role to Admin1
Reference:
https://docs.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-
azmarketplaceterms?view=azps-4.1.0
Question 13
You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
○ From the Licenses blade, assign a new license

● From the Directory role blade, modify the directory role
○ From the Groups blade, invite the user account to a new group
Explanation:
Assign a role to a user
1. Sign in to the Azure portal with an account that's a global admin or privileged role
admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the
appropriate admin roles from the Directory roles list, such as Conditional access
administrator.
4. Press Select to save.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-
assign-role-azure-portal
Question 14
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that
contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?
● From the Licenses blade of Azure AD, assign a license

○ From the Groups blade of each user, invite the users to a group
○ From the Azure AD domain, add an enterprise application
○ From the Directory role blade of each user, modify the directory role
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups
Question 15
You have an Azure subscription named Subscription1 and an on-premises deployment of
Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of available
memory on VM1 is below 10 percent.
○ Create an automation runbook

○ Deploy a function app
● Deploy the IT Service Management Connector (ITSM)
○ Create a notification
Explanation:
The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported
IT Service Management (ITSM) product/service, such as the Microsoft System Center Service
Manager.
With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric alerts,
Activity Log alerts and Log Analytics alerts).

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview
Question 16
You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named admin1@contoso.com as an administrator on all the computers
that will be joined to the Azure AD domain.
What should you configure in Azure AD?
● Device settings from the Devices blade

○ Providers from the MFA Server blade
○ User settings from the Users blade
○ General settings from the Groups blade
Explanation:
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the
following security principles to the local administrators group on the device:
 The Azure AD global administrator role

 The Azure AD device administrator role
 The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To
open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.

2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on
Azure AD joined devices.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

Question 17
HOTSPOT
You have Azure Active Directory tenant named Contoso.com that includes following users:
Contoso.com includes following Windows 10 devices:
You create following security groups in Contoso.com:

Solution:
Explanation:
Box 1: Yes
User1 is a Cloud Device Administrator.
Device2 is Azure AD joined.
Group1 has the assigned to join type. User1 is the owner of Group1.
Note: Assigned groups - Manually add users or devices into a static group.
Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure
AD
Box 2: No
User2 is a User Administrator.
Device1 is Azure AD registered.
Group1 has the assigned join type, and the owner is User1.
Note: Azure AD registered devices utilize an account managed by the end user, this account is
either a Microsoft account or another locally managed credential.
Box 3: Yes
User2 is a User Administrator.
Device2 is Azure AD joined.
Group2 has the Dynamic Device join type, and the owner is User2.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/overview

Question 18
You have an Azure subscription that contains a resource group named RG26.
RG26 is set to the West Europe location and is used to create temporary resources for a
project. RG26 contains the resources shown in the following table.
SQLDB01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion
fails.
You need to delete RG26.
○ Delete VM1
○ Stop VM1
● Stop the backup of SQLDB01
○ Delete sa001
Question 19
You have an Azure subscription named Subscription1 that contains a virtual network named
VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
 Reader
 Security Admin
 Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?

○ Remove User1 from the Security Reader role for Subscription1. Assign User1 the
Contributor role for Subscription1.
● Assign User1 the User Access Administrator role for VNet1.
○ Assign User1 the Network Contributor role for VNet1.
○ Assign User1 the Network Contributor role for RG1.

Explanation:
Has full access to all resources including the right to delegate access to others.
Note:
There are several versions of this question in the exam. The question can have other incorrect
answer options, including the following:
1. Name Server (NS)

2. Assign User1 the Contributor role for VNet1.
3. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign
User1 the Contributor role for Subscription1.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Question 20
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?
● MX
○ NSEC
○ PTR
○ RRSIG
Explanation:
To verify your custom domain name (example)
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name,
Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly
registered and is valid for Azure AD. Use either the TXT or the MX record type.
Note:
There are several versions of this question in the exam. The question can have two correct
answers:
1. MX
2. TXT

The question can also have other incorrect answer options, including the following:
1. SRV
2. NSEC3
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
Question 21
You have an Azure Directory (Azure AD) tenant named Adatum and an Azure Subscription
named Subscription1. Adatum contains a group named Developers. Subscription1 contains a
resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the
Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
Does this meet the goal?
○ Yes
● No
Explanation:
DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in
your Azure DevTest Labs.
The Logic App Contributor role lets you manage logic app, but not access to them. It provides
access to view, edit, and update a logic app.
Reference:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

Question 22
Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.
○ Yes
● No
Explanation:
You would need the Logic App Contributor role.
Reference:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

Question 23
Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
● Yes
○ No
Explanation:
The Contributor role can manage all resources (and add resources) in a Resource Group.

Question 24
DRAG DROP
You have an Azure subscription that is used by four departments in your company. The
subscription contains 10 resource groups. Each department uses resources in several resource
groups.
You need to send a report to the finance department. The report must detail the costs for each
department.
Which three actions should you perform in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct order.
Solution:

Explanation:
Box 1: Assign a tag to each resource.
You apply tags to your Azure resources giving metadata to logically organize them into a
taxonomy. After you apply tags, you can retrieve all the resources in your subscription with
that tag name and value. Each resource or resource group can have a maximum of 15 tag
name/value pairs. Tags applied to the resource group are not inherited by the resources in
that resource group.
Box 2: From the Cost analysis blade, filter the view by tag
After you get your services running, regularly check how much they're costing you. You can
see the current spend and burn rate in Azure portal.
1. Visit the Subscriptions blade in Azure portal and select a subscription.

You should see the cost breakdown and burn rate in the popup blade.
2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24
hours after you add a service for the data to populate.
3. You can filter by different properties like tags, resource group, and timespan. Click Apply to
confirm the filters and Download if you want to export the view to a Comma-Separated Values
(.csv) file.
Box 3: Download the usage report
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
https://docs.microsoft.com/en-us/azure/billing/billing-getting-started
Question 25
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics
workspace named Workspace1.
You need to view the error event from a table named Event.
Which query should you run in Workspace1?
○ Get-Event Event | where {$_.EventType == "error"}

● search in (Event) "error"
○ select * from Event where EventType == "error"
○ Get-Event Event | where {$_.EventTye –eq "error"}
Explanation:
To search a term in a specific table, add the table-name just after the search operator
Note:
There are several versions of this question in the exam. The question has two possible correct
answers:
1. search in (Event) "error"

2. Event | search "error"
Other incorrect answer options you may see on the exam include the following:
1. select * from Event where EventType is "error"

2. Event | where EventType is "error"
3. search in (Event) * | where EventType –eq "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal
https://docs.microsoft.com/en-us/azure/data-
explorer/kusto/query/searchoperator?pivots=azuredataexplorer

Question 26

HOTSPOT
You have an Azure subscription that contains a virtual network named VNET1 in the East US 2
region. A network interface named VM1-NI is connected to VNET1.
You successfully deploy the following resources in an Azure Resource Manager template.

Solution:
Explanation:
Box 1: Yes
Box 2: Yes
VM1 is in Zone1, while VM2 is on Zone2.
Box 3: No
Reference:
https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-region

Question 27
You have an Azure subscription named Subscription1. Subscription1 contains the resource
groups in the following table.
RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?
● The App Service plan for WebApp1 remains in West Europe. Policy2 applies to
WebApp1.
○ The App Service plan for WebApp1 moves to North Europe. Policy2 applies to
WebApp1.
○ The App Service plan for WebApp1 remains in West Europe. Policy1 applies to
WebApp1.
○ The App Service plan for WebApp1 moves to North Europe. Policy1 applies to
WebApp1.
Explanation:
You can move an app to another App Service plan, as long as the source plan and the target
plan are in the same resource group and geographical region.
The region in which your app runs is the region of the App Service plan it's in. However, you
cannot change an App Service plan's region.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage
Question 28
HOTSPOT
You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-
9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
 Can be assigned only to the resource groups in Subscription1

 Prevents the management of the access permissions for the resource groups
 Allows the viewing, creating, modifying, and deleting of resources within the resource
groups
What should you specify in the assignable scopes and the permission elements of the
definition of CR1? To answer, select the appropriate options in the answer area.

Solution:
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-
operations#microsoftresources

Question 29
You have an Azure subscription.
Users access the resources in the subscription from either home or from customer sites. From
home, users must establish a point-to-site VPN to access the Azure resources. The users on
the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business-app named App1 that runs on several Azure virtual machine. The
virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use? Each correct answer presents a
complete solution.
● an internal load balancer

○ a public load balancer
○ an Azure Content Delivery Network (CDN)
○ Traffic Manager
● an Azure Application Gateway
Explanation:
Network traffic from the VPN gateway is routed to the cloud application through an internal
load balancer. The load balancer is located in the front-end subnet of the application.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-
networking/vpn
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
https://docs.microsoft.com/en-us/azure/application-gateway/overview

Question 30
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier
changed to a less expensive offering.
Which blade should you use?
○ Monitor
● Advisor
○ Metrics
○ Customer insights
Explanation:
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and
underutilized resources. You can get cost recommendations from the Cost tab on the Advisor
dashboard.
Reference:
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

Question 31
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor
authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the
answer area.

Solution:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa

Question 32
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives
the following error message: “Unable to invite user user1@outlook.com -– Generic
authorization exception.”
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD
tenant.
What should you do?
● From the Users blade, modify the External collaboration settings.

○ From the Custom domain names blade, add a custom domain.
○ From the Organizational relationships blade, add an identity provider.
○ From the Roles and administrators blade, assign the Security administrator role
to Admin1.
Reference:
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-
exception-inviting-Azure-AD-gests/td-p/274742
Question 33
You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes
a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.
What should you do?
○ Assign the Owner role for the Azure Subscription to User1, and then modify the
default conditional access policies.
● Assign the Owner role for the Azure subscription to User1, and then instruct
User1 to configure access management for Azure resources.
○ Assign the Global administrator role to User1, and then instruct User1 to
configure access management for Azure resources.
○ Create a new management group and delegate User1 as the owner of the new
management group.
Explanation:
The following chart shows the list of roles and the supported actions on management groups.

Note:
Each directory is given a single top-level management group called the "Root" management
group. This root management group is built into the hierarchy to have all management groups
and subscriptions fold up to it. This root management group allows for global policies and
Azure role assignments to be applied at the directory level. The Azure AD Global Administrator
needs to elevate themselves to the User Access Administrator role of this root group initially.
After elevating access, the administrator can assign any Azure role to other directory users or
groups to manage the hierarchy. As administrator, you can assign your own account as owner
of the root management group.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

Question 34
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com
contains the groups in the following table.
You create two user accounts that are configured as shown in the following table.
To which groups do User1 and User2 belong? To answer, select the appropriate options in the
answer area.

Solution:
Explanation:
Box 1: Group 1 only

First rule applies
Box 2: Group1 and Group2 only

Both membership rules apply.
Reference:
https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections

Question 35
HOTSPOT
You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the users
shown in the following table.
You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the attributes from Azure AD? To answer, select the
appropriate options in the answer area.

Solution:
Explanation:
Box 1: User1 and User3 only
You must use Windows Server Active Directory to update the identity, contact info, or job info
for users whose source of authority is Windows Server Active Directory.
Box 2: User1, User2, and User3
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-
profile-azure-portal

Question 36
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned
the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
● Yes
○ No
Explanation:
Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner,
contributor, reader, or network contributor.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq
Question 37
Solution: You assign the Owner role at the subscription level to Admin1.
● Yes
○ No

Explanation:
Reference:
Question 38
Solution: You assign the Reader role at the subscription level to Admin1.
● Yes
○ No
Explanation:
Reference:

Question 39
You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The
solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
○ Owner
● Virtual Machine Contributor
○ Contributor
○ Virtual Machine Administrator Login
Explanation:
Virtual Machine Contributor: Lets you manage virtual machines, but not access to them, and
not the virtual network or storage account they're connected to.
Incorrect Answers:
A: Owner: Grants full access to manage all resources, including the ability to assign roles in
Azure RBAC.
C: Contributor: Grants full access to manage all resources, but does not allow you to assign
roles in Azure RBAC.
D: Virtual Machine Administrator Login: View Virtual Machines in the portal and login as
administrator.
Reference:

Question 40

HOTSPOT
You have an Azure Active Directory (Azure AD) tenant that contains three global
administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is
configured as shown in the Access control exhibit. (Click the Access Control tab.)
You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant
exhibit. (Click the Tenant tab.)


Solution:
Explanation:
Box 1: No
Only Admin3, the owner, can assign ownership.
Box 2: Yes
Box 3: No
Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-
subscription-administrator

Question 41
You have an Azure subscription named Subscription1 that contains an Azure virtual machine
named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using
the identity of VM1.
● From the Azure portal, modify the Managed Identity settings of VM1
○ From the Azure portal, modify the Access control (IAM) settings of RG1
○ From the Azure portal, modify the Access control (IAM) settings of VM1
○ From the Azure portal, modify the Policies settings of RG1
Explanation:
Managed identities for Azure resources provides Azure services with an automatically
managed identity in Azure Active Directory. You can use this identity to authenticate to any
service that supports Azure AD authentication, without having credentials in your code.
You can enable and disable the system-assigned managed identity for VM using the Azure
portal.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-
resources/qs-configure-portal-windows-vm

Question 42
You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:
You need to delete TestRG.
○ Modify the backup configurations of VM1 and modify the resource lock type of
VNET1
○ Remove the resource lock from VNET1 and delete all data in Vault1
● Turn off VM1 and remove the resource lock from VNET1
○ Turn off VM1 and delete all data in Vault1
Explanation:
When you delete a resource group, all of its resources are also deleted. Deleting a resource
group deletes all of its template deployments and currently stored operations.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/delete-
resource-group?tabs=azure-powershell
Question 43
You have an Azure DNS zone named adatum.com.
You need to delegate a subdomain named research.adatum.com to a different DNS server in

Azure.
What should you do?
● Create an NS record named research in the adatum.com zone.

○ Create an PTR record named research in the adatum.com zone.
○ Modify the SOA record of adatum.com.
○ Create an A record named *.research in the adatum.com zone.
Explanation:
You need to create a name server (NS) record for the zone.
Reference:
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain
Question 44
DRAG DROP
You have an Azure Active Directory (Azure AD) tenant that has the contoso.onmicrosoft.com
domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of
@contoso.com.

Solution:
Explanation:
1. Add the custom domain name to your directory

2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
Question 45
You have an Azure subscription named Subscription1 that contains an Azure Log Analytics
workspace named Workspace1.
You need to view the error event from a table named Event.
Which query should you run in Workspace1?
○ Get-Event Event | where {$_.EventType == "error"}

● Event | search "error"
○ select * from Event where EventType == "error"
○ Event | where EventType is "error"
Explanation:
The search operator provides a multi-table/multi-column search experience.
The syntax is:

Table_name | search "search term"
Note:
There are several versions of this question in the exam. The question has three possible
correct answers:
1. search in (Event) "error"

2. Event | search "error"
3. Event | where EventType == "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye –eq "error"}

2. select * from Event where EventType is "error"
3. search in (Event) * | where EventType –eq "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal
https://docs.microsoft.com/en-us/azure/data-
explorer/kusto/query/searchoperator?pivots=azuredataexplorer
Question 46
You have a registered DNS domain named contoso.com.
You create a public Azure DNS zone named contoso.com.
You need to ensure that records created in the contoso.com zone are resolvable from the
internet.
What should you do?
○ Create NS records in contoso.com.

○ Modify the SOA record in the DNS domain registrar.
○ Create the SOA record in contoso.com.
● Modify the NS records in the DNS domain registrar.
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

Implement and manage storage (39 questions)
Case study

Overview
maintains.
following:
 File servers
tiers:
 A SQL database
 A web front end
only.
Requirements
Planned Changes

project.

User Requirements
AD.
subscription.

Question 88
You need to implement a backup solution for App1 after the application is moved.
What should you create first?
○ a recovery plan
○ an Azure Backup Server
○ a backup policy
● a Recovery Services vault
Explanation:
A Recovery Services vault is a logical container that stores the backup data for each protected
resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a
recovery point inside the Recovery Services vault.
Scenario:
There are three application tiers, each with five virtual machines.
Move all the virtual machines for App1 to Azure.
Ensure that all the virtual machines for App1 are protected by backups.
Reference:
https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
Question 89
You need to move the blueprint files to Azure.
What should you do?
○ Generate an access key. Map a drive, and then copy the files by using File
Explorer.
● Use Azure Storage Explorer to copy the files.
○ Use the Azure Import/Export service.
○ Generate a shared access signature (SAS). Map a drive, and then copy the files
by using File Explorer.
Explanation:
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage
data on Windows, macOS, and Linux. You can use it to upload and download data from Azure
blob storage.
Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage.
Technical Requirements include: Copy the blueprint files to Azure over the Internet.
Reference:
https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-
data-to-azure-blob-using-azure-storage-explorer

Question 90
HOTSPOT
You need to identify the storage requirements for Contoso.
Solution:
Explanation:
Box 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page
Blobs for these.
Box 2: No
Box 3: No


Case study

Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in
Seattle and New York.
Environment
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory
(Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to
the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in
the following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Requirements
Planned Changes
Contoso plans to implement the following changes:

 Associate NSG2 to VNET1/Subnet2.
 Create container1 and share1.

 Use the principle of least privilege.
 Create an Azure AD security group named Group4.
 Back up the Azure file shares and virtual machines by using Azure Backup.
 Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
 Enable User1 to create Azure policy definitions and User2 to assign Azure policies to
RG1.
 Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer
to VNET1/Subnet1
 Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight
months.
 Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-
only permissions to the Azure file shares.
 Associate NSG1 to the network interface of VM1.

 Create an NSG named NSG2 that will have the custom outbound security rules shown in
 Create a blob container named container1 and a file share named share1 that will use
the Cool storage tier.
 Create a storage account named storage5 and configure storage replication for the Blob
service.
 Create an NSG named NSG1 that will have the custom inbound security rules shown in

Question 91
HOTSPOT
You need to create container1 and share1.
Which storage accounts should you use for each resource? To answer, select the appropriate

Solution:
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
Question 49
You have an on-premises server that contains a folder named D:\Folder1.
You need to copy the contents of D:\Folder1 to the public container in an Azure Storage
account named contosodata.
Which command should you run?
○ https://contosodata.blob.core.windows.net/public
○ azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --
snapshot
● azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --
recursive
○ az storage blob copy start-batch D:\Folder1
https://contosodata.blob.core.windows.net/public
Explanation:
The azcopy copy command copies a directory (and all of the files in that directory) to a blob
container. The result is a directory in the container by the same name.

Incorrect Answers:
B: The azcopy sync command replicates the source location to the destination location.
However, the file is skipped if the last modified time in the destination is more recent.
D: The az storage blob copy start-batch command copies multiple blobs to a blob container.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-copy
Question 50
In the Azure portal, you plan to create a storage account named storage1 that will have the
following settings:
 Performance: Standard
 Replication: Zone-redundant storage (ZRS)
 Access tier (default): Cool
 Hierarchical namespace: Disabled
You need to ensure that you can set Account kind for storage1 to BlockBlobStorage.
Which setting should you modify first?

● Performance
○ Replication
○ Access tier (default)
○ Hierarchical namespace
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-performance-tiers

Question 51
You have an Azure subscription named Subscription1 that contains the storage accounts
shown in the following table:
You plan to use the Azure Import/Export service to export data from Subscription1.
You need to identify which storage account can be used to export the data.
What should you identify?
○ storage1
○ storage2
○ storage3
● storage4
Explanation:
Azure Import/Export service supports the following of storage accounts:
 Standard General Purpose v2 storage accounts (recommended for most scenarios)

 Blob Storage accounts
 General Purpose v1 storage accounts (both Classic or Azure Resource Manager
deployments),
Azure Import/Export service supports the following storage types:
 Import supports Azure Blob storage and Azure File storage

 Export supports Azure Blob storage
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

Question 52
HOTSPOT
You have Azure Storage accounts as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based
on the information presented in the graphic.

Solution:
Explanation:
Box 1: storageaccount1 and storageaccount2 only
Box 2: All the storage accounts
Note: The three different storage account options are: General-purpose v2 (GPv2) accounts,
General-purpose v1 (GPv1) accounts, and Blob storage accounts.
 General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest
features for blobs, files, queues, and tables.
 Blob storage accounts support all the same block blob features as GPv2, but are limited
to supporting only block blobs.
 General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but
may not have the latest features or the lowest per gigabyte pricing.
Reference:
https://docs.microsoft.com/en-us/azure/storage
/common/storage-account-options

Question 53
You have Azure subscription that includes data in following locations:
You plan to export data by using Azure import/export job named Export1.
You need to identify the data that can be exported by using Export1.
Which data should you identify?
○ DB1
● container1
○ Share1
○ Table1
Question 54
HOTSPOT
You have an Azure Storage account named storage1.
You have an Azure App Service app named App1 and an app named App2 that runs in an
Azure container instance. Each app uses a managed identity.
You need to ensure that App1 and App2 can read blobs from storage1. The solution must
meet the following requirements:
 Minimize the number of secrets used.

 Ensure that App2 can only read from storage1 for the next 30 days.
What should you configure in storage1 for each app? To answer, select the appropriate

Solution:
Explanation:
App1: Access keys
App2: Shared access signature (SAS)

A shared access signature (SAS) provides secure delegated access to resources in your
storage account without compromising the security of your data. With a SAS, you have
granular control over how a client can access your data. You can control what resources the
client may access, what permissions they have on those resources, and how long the SAS is
valid, among other parameters.

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
Question 55
HOTSPOT
You need to create an Azure Storage account that meets the following requirements:
 Minimizes costs
 Supports hot, cool, and archive blob tiers
 Provides fault tolerance if a disaster affects the Azure region where the account resides
How should you complete the command? To answer, select the appropriate options in the
answer area.
Solution:

Explanation:
Box 1: StorageV2
You may only tier your object storage data to hot, cool, or archive in Blob storage and General
Purpose v2 (GPv2) accounts. General Purpose v1 (GPv1) accounts do not support tiering.
General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure
Storage, as well as industry-competitive transaction prices.
Box 2: Standard_GRS
Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide
unavailability.
Incorrect Answers:
Locally-redundant storage (LRS): A simple, low-cost replication strategy. Data is replicated
within a single storage scale unit.
Read-access geo-redundant storage (RA-GRS): Cross-regional replication with read access to

the replica. RA-GRS provides read-only access to the data in the secondary location, in
addition to geo-replication across two regions, but is more expensive compared to GRS.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs

Question 56
You have an Azure subscription that contains the resources in the following table.
Store1 contains a file share named data. Data contains 5,000 files.
You need to synchronize the files in the file share named data to an on-premises server
named Server1.
Which three actions should you perform? Each correct answer presents part of the solution.
○ Create a container instance

● Register Server1
● Install the Azure File Sync agent on Server1
○ Download an automation script
● Create a sync group
Explanation:
Step 1 (C): Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be
synced with an Azure file share
Step 2 (B): Register Server1.

Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship
between your server (or cluster) and the Storage Sync Service.
Step 3 (E): Create a sync group and a cloud endpoint.

A sync group defines the sync topology for a set of files. Endpoints within a sync group are
kept in sync with each other. A sync group must contain one cloud endpoint, which represents
an Azure file share and one or more server endpoints. A server endpoint represents a path on
registered server.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

Question 57

HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
The status of VM1 is Running.
You assign an Azure policy as shown in the exhibit. (Click the Exhibit tab.)
You assign the policy by using the following parameters:
Microsoft.ClassicNetwork/virtualNetworks
Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines

Solution:

Question 58
DRAG DROP
You have an Azure subscription that contains a storage account.
You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has
2 TB of data.
You need to transfer the data to the storage account by using the Azure Import/Export service.
In which order should you perform the actions? To answer, move all actions from the list of
actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the
correct orders you select.
Solution:
Explanation:
At a high level, an import job involves the following steps:

Step 1: Attach an external disk to Server1 and then run waimportexport.exe
Determine data to be imported, number of drives you need, destination blob location for your
data in Azure storage.
Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with
BitLocker.
Step 2: From the Azure portal, create an import job.

Create an import job in your target storage account in Azure portal. Upload the drive journal
files.
Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.
Provide the return address and carrier account number for shipping the drives back to you.
Ship the disk drives to the shipping address provided during job creation.
Step 4: From the Azure portal, update the import job

Update the delivery tracking number in the import job details and submit the import job.
The drives are received and processed at the Azure data center.
The drives are shipped using your carrier account to the return address provided in the import
job.
Reference:
https://docs.microsoft.com/en-us/az
ure/storage/common/storage-import-export-service

Question 59
HOTSPOT
You have Azure subscription that includes following Azure file shares:
You have the following on-premises servers:
You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1.
Group1 uses share1 as a cloud endpoint.
You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server
endpoint of Group1.

Solution:
Explanation:
Box 1: No
Group1 already has a cloud endpoint named Share1.
A sync group must contain one cloud endpoint, which represents an Azure file share and one
or more server endpoints.
Box 2: Yes
Yes, one or more server endpoints can be added to the sync group.
Box 3: Yes
Yes, one or more server endpoints can be added to the sync group.
Reference:

Question 60
DRAG DROP
You have an Azure subscription named Subscription1.
You create an Azure Storage account named contosostorage, and then you create a file share
named data.
Which UNC path should you include in a script that references files from the data file share? To
answer, drag the appropriate values to the correct targets. Each value may be used once,
more than once or not at all. You may need to drag the split bar between panes or scroll to
view content.
Solution:
Explanation:
Box 1: contosostorage
The name of account
Box 2: file.core.windows.net
Box 3: data
The name of the file share is data.
Example:

Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

Question 61
HOTSPOT
You have an Azure subscription that contains an Azure Storage account.
You plan to copy an on-premises virtual machine image to a container named vmimages.
You need to create the container for the planned image.
Which command should you run? To answer, select the appropriate options in the answer
area.

Solution:

Question 62
HOTSPOT
You have an Azure File sync group that has the endpoints shown in the following table.
Cloud tiering is enabled for Endpoint3.
You add a file named File1 to Endpoint1 and a file named File2 to Endpoint2.
On which endpoints will File1 and File2 be available within 24 hours of adding the files? To
answer, select the appropriate options in the answer area.

Solution:
Explanation:
File1: Endpoint3 only

Cloud Tiering: A switch to enable or disable cloud tiering. When enabled, cloud tiering will tier
files to your Azure file shares. This converts on-premises file shares into a cache, rather than a
complete copy of the dataset, to help you manage space efficiency on your server. With cloud
tiering, infrequently used or accessed files can be tiered to Azure Files.
File2: Endpoint1, Endpoint2, and Endpoint3
Reference:
https://docs.microsoft.com/en-us/azure/storage/fi
les/storage-sync-cloud-tiering

Question 63
HOTSPOT
You have several Azure virtual machines on a virtual network named VNet1.
You configure an Azure Storage account as shown in the following exhibit.

Solution:
Explanation:
Box 1: never
The 10.2.9.0/24 subnet is not whitelisted.
Box 2: never
After you configure firewall and virtual network settings for your storage account, select Allow
trusted Microsoft services to access this storage account as an exception to enable Azure
Backup service to access the network restricted storage account.

Reference:
https://azure.microsoft.com/en-us/blog/azure-backup-now-supports-storage-accounts-secured-
with-azure-storage-firewalls-and-virtual-networks/

Question 64
HOTSPOT
You have a sync group named Sync1 that has a cloud endpoint. The cloud endpoint includes a
file named File1.txt.
Your on-premises network contains servers that run Windows Server 2016. The servers are
configured as shown in the following table.
You add Share1 as an endpoint for Sync1. One hour later, you add Share2 as an endpoint for
Sync1.
Solution:

Question 68
HOTSPOT
You plan to create an Azure Storage account in the Azure region of East US 2.
You need to create a storage account that meets the following requirements:
 Replicates synchronously.
 Remains available if a single data center in the region fails.
How should you configure the storage account? To answer, select the appropriate options in
the answer area.
Solution:

Explanation:
Box 1: Zone-redundant storage (ZRS)

Zone-redundant storage (ZRS) replicates your data synchronously across three storage
clusters in a single region.
LRS would not remain available if a data center in the region fails
GRS and RA GRS use asynchronous replication.
Box 2: StorageV2 (general purpose V2)

ZRS only support GPv2.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs
Question 69
You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each
correct answer presents part of the solution.
○ an XML manifest file

● a dataset CSV file
○ a JSON configuration file
○ a PowerShell PS1 file
● a driveset CSV file
Explanation:
B: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether
you want to import a file or folder or both, add entries in the dataset.csv file
E: Modify the driveset.csv file in the root folder where the tool resides.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files

Question 70
You have a Recovery Service vault that you use to test backups. The test backups contain two
protected virtual machines.
You need to delete the Recovery Services vault.
○ From the Recovery Service vault, delete the backup data.

○ Modify the disaster recovery properties of each virtual machine.
○ Modify the locks of each virtual machine.
● From the Recovery Service vault, stop the backup of each backup item.
Explanation:
You can't delete a Recovery Services vault if it is registered to a server and holds backup data.
If you try to delete a vault, but can't, the vault is still configured to receive backup data.
Remove vault dependencies and delete vault

In the vault dashboard menu, scroll down to the Protected Items section, and click Backup
Items. In this menu, you can stop and delete Azure File Servers, SQL Servers in Azure VM, and
Azure virtual machines.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

Question 71
HOTSPOT
You have an Azure subscription named Subscription1 that contains the resources shown in the
following table.
In storage1, you create a blob container named blob1 and a file share named share1.
Which resources can be backed up to Vault1 and Vault2? To answer, select the appropriate

Solution:
Explanation:
Box 1: VM1 only

VM1 is in the same region as Vault1.
File1 is not in the same region as Vautl1.
SQL is not in the same region as Vault1.
Blobs cannot be backup up to service vaults.
Note: To create a vault to protect virtual machines, the vault must be in the same region as
the virtual machines.
Box 2: Share1 only.

Storage1 is in the same region (West USA) as Vault2. Share1 is in Storage1.
Note: After you select Backup, the Backup pane opens and prompts you to select a storage
account from a list of discovered supported storage accounts. They're either associated with
this vault or present in the same region as the vault, but not yet associated to any Recovery
Services vault.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
https://docs.microsoft.com/en-us/azure/backup/backup-afs

Question 72
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
○ a virtual machine
○ an Azure Cosmos DB database
● Azure File Storage
○ the Azure File Sync Storage Sync Service
Explanation:
Azure Import/Export service is used to securely import large amounts of data to Azure Blob
storage and Azure Files by shipping disk drives to an Azure datacenter.
The maximum size of an Azure Files Resource of a file share is 5 TB.
Note:
There are several versions of this question in the exam. The question has two correct answers:
1. Azure File Storage

2. Azure Blob Storage
The question can have other incorrect answer options, including the following:
 Azure Data Lake Store

 Azure SQL Database
 Azure Data Factory
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

Question 73
HOTSPOT
You create the Azure Storage account shown in the following exhibit.

Solution:
Explanation:
Box 1: 3
Locally Redundant Storage (LRS) provides highly durable and available storage within a single
location (sub region). We maintain an equivalent of 3 copies (replicas) of your data within the
primary location as described in our SOSP paper; this ensures that we can recover from
common failures (disk, node, rack) without impacting your storage account’s availability and
durability.
Box 2: Access tier

Change the access tier from Hot to Cool.
Note: Azure storage offers different access tiers, which allow you to store blob object data in
the most cost-effective manner. The available access tiers include:

Hot - Optimized for storing data that is accessed frequently.
Cool - Optimized for storing data that is infrequently accessed and stored for at least 30 days.
Archive - Optimized for storing data that is rarely accessed and stored for at least 180 days
with flexible latency requirements (on the order of hours).
Reference:
https://azure.microsoft.com/en-us/blog/data-series-introducing-locally-redundant-storage-for-
windows-azure-storage/
Question 74
You have an Azure Storage account named storage1.
You plan to use AzCopy to copy data to storage1.
You need to identify the storage services in storage1 to which you can copy the data.
○ blob, file, table, and queue

● blob and file only
○ file and table only
○ file only
○ blob, table, and queue only
Explanation:
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage
account.
Incorrect Answers:
A, C, E: AzCopy does not support table and queue storage services.
D: AzCopy supports file storage services, as well as blob storage services.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

Question 75
HOTSPOT
You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure
File storage.
You need to use AzCopy to copy data to the blob storage and file storage in storage1.
Which authentication method should you use for each type of storage? To answer, select the
Solution:
Explanation:
You can provide authorization credentials by using Azure Active Directory (AD), or by using a
Shared Access Signature (SAS) token.
Box 1:
Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for
Blob storage.
Box 2:
Only Shared Access Signature (SAS) token is supported for File storage.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
Question 76
You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image
named Image1. Image1 contains a Microsoft SQL Server instance that requires persistent
storage.
You need to configure a storage service for Container1.
What should you use?
○ Azure Files
○ Azure Blob storage
○ Azure Queue storage
● Azure Table storage
Question 77
You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2.
You plan to implement an Azure Availability Set for App1. The solution must ensure that App1
is available during planned maintenance of the hardware hosting VM1 and VM2.
What should you include in the Availability Set?
○ one update domain

○ two fault domains
○ one fault domain
● two update domains
Explanation:
Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes
require that VMs be rebooted to complete the update. To reduce the impact on VMs, the Azure
fabric is divided into update domains to ensure that not all VMs are rebooted at the same
time.
Incorrect Answers:
A: An update domain is a group of VMs and underlying physical hardware that can be rebooted
at the same time.

B, C: A fault domain shares common storage as well as a common power source and network
switch. It is used to protect against unplanned system failure.
References:
https://petri.com/understanding-azure-availability-sets
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets
Question 78
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
○ an Azure Cosmos DB database

● Azure Blob storage
○ Azure Data Lake Store
○ the Azure File Sync Storage Sync Service
Explanation:
Azure Import/Export service is used to securely import large amounts of data to Azure Blob
storage and Azure Files by shipping disk drives to an Azure datacenter.
Note:
1. Azure File Storage

2. Azure Blob Storage
 a virtual machine
 Azure SQL Database
 Azure Data Factory
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

Question 79
DRAG DROP
You have an Azure subscription that contains an Azure file share.
You have an on-premises server named Server1 that runs Windows Server 2016.
You plan to set up Azure File Sync between Server1 and the Azure file share.
You need to prepare the subscription for the planned Azure File Sync.
Which two actions should you perform in the Azure subscription? To answer, drag the
appropriate actions to the correct targets. Each action may be used once, more than once, or
not at all. You may need to drag the split bar between panes or scroll to view content.
Solution:

Explanation:
First action: Create a Storage Sync Service

The deployment of Azure File Sync starts with placing a Storage Sync Service resource into a
resource group of your selected subscription.
Second action: Install the Azure File Sync agent

The Azure File Sync agent is a downloadable package that enables Windows Server to be
synced with an Azure file share.
Reference:
Question 80
HOTSPOT
You have an Azure subscription that contains the file shares shown in the following table.
You have the on-premises file shares shown in the following table.
You create an Azure file sync group named Sync1 and perform the following actions:
 Add share1 as the cloud endpoint for Sync1.

 Add data1 as a server endpoint for Sync1.
 Register Server1 and Server2 to Sync1.

Solution:
Explanation:
Box 1: No
A sync group must contain one cloud endpoint, which represents an Azure file share and one
or more server endpoints.
Box 2: Yes
Data2 is located on Server2 which is registered to Sync1.
Box 3: No
Data3 is located on Server3 which is not registered to Sync1.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-
guide?tabs=azure-portal%2Cproactive-portal#create-a-sync-group-and-a-cloud-endpoint

Question 81
HOTSPOT
following table:
You plan to configure Azure Backup reports for Vault1.
You are configuring the Diagnostics settings for the AzureBackupReports log.
Which storage accounts and which Log Analytics workspaces can you use for the Azure
Backup reports of Vault1? To answer, select the appropriate options in the answer area.

Solution:
Explanation:
Box 1: storage1, storage2, and storage3

The location and subscription where this Log Analytics workspace can be created is
independent of the location and subscription where your vaults exist.
Box 2: Analytics3
Vault1 and Analytics3 are both in West Europe.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-configure-reports

Question 82
HOTSPOT
You have an Azure subscription that contains the storage accounts shown in the following
exhibit.

Solution:
Explanation:
Box 1: contoso104 only

Premium file shares are hosted in a special purpose storage account kind, called a FileStorage
account.
Box 2: contoso101, contoso102, and contos103 only
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-premium-
fileshare?tabs=azure-portal

Question 83
HOTSPOT
In Subscription1, you create an Azure file share named share1.
You create a shared access signature (SAS) named SAS1 as shown in the following exhibit:
To answer, select the appropriate options in the answer area.

Solution:
Explanation:
Box 1: Will have no access

The IP 193.77.134.1 does not have access on the SAS.
Box 2: Will have read, write, and list access

The net use command is used to connect to file shares.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-
signature-part-1
https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-
explorer?tabs=windows

Question 84
You have two Azure virtual machines named VM1 and VM2. You have two Recovery Services
vaults named RSV1 and RSV2.
VM2 is backed up to RSV1.
You need to back up VM2 to RSV2.
○ From the RSV1 blade, click Backup items and stop the VM2 backup
○ From the RSV2 blade, click Backup. From the Backup blade, select the backup
for the virtual machine, and then click Backup
● From the VM2 blade, click Disaster recovery, click Replication settings, and
then select RSV2 as the Recovery Services vault
○ From the RSV1 blade, click Backup Jobs and export the VM2 job
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm
Question 85
You have a general-purpose v1 Azure Storage account named storage1 that uses locally-
redundant storage (LRS).
You need to ensure that the data in the storage account is protected if a zone fails. The
solution must minimize costs and administrative effort.
○ Create a new storage account.

○ Configure object replication rules.
● Upgrade the account to general-purpose v2.
○ Modify the Replication setting of storage1.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Question 86
You have an Azure subscription that contains the storage accounts shown in the following
table.
You plan to manage the data stored in the accounts by using lifecycle management rules.
To which storage accounts can you apply lifecycle management rules?
○ storage1 only
○ storage1 and storage2 only
○ storage3 and storage4 only
● storage1, storage2, and storage3 only
○ storage1, storage2, storage3, and storage4
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-
concepts?tabs=azure-portal
Question 87
You create an Azure Storage account named contosostorage.
You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which outbound port should you open between the home computers and the data file share?
○ 80
○ 443
● 445
○ 3389
Explanation:
Server Message Block (SMB) is used to connect to an Azure file share over the internet. The
SMB protocol requires TCP port 445 to be open.
Incorrect Answers:
A: Port 80 is required for HTTP to a web server
B: Port 443 is required for HTTPS to a web server
D: Port 3389443 is required for Remote desktop protocol (RDP) connections
Reference:

Deploy and manage Azure compute resources (69 questions)

Case study

Overview
Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices
in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New
York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a
domain named litware.onmicrosoft.com. The tenant uses the Premium P1 pricing tier.
The network contains an Active Directory forest named litware.com. All domain controllers are
configured as DNS servers and host the litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology
departments. Each department has an organizational unit (OU) that contains all the accounts
of that respective department. All the user accounts have the department attribute set to
their respective department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private connections.
Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can
be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in
Litware uses two web applications named App1 and App2. Each instance on each web
application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs)
Requirements
Planned Changes
Litware plans to implement the following changes:
 Deploy Azure ExpressRoute to the Montreal office.

 Migrate the virtual machines hosted on Server1 and Server2 to Azure.
 Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
 Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Litware must meet the following technical requirements:
 Ensure that WebApp1 can adjust the number of instances automatically based on the
load and can scale up to five instances.
 Ensure that VM3 can establish outbound connections over TCP port 8080 to the
applications servers in the Montreal office.
 Ensure that routing information is exchanged automatically between Azure and the
routers in the Montreal office.
 Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department
only.
 Ensure that webapp2.azurewebsites.net can be accessed by using the name
app2.litware.com.
 Connect the New York office to VNet1 over the Internet by using an encrypted
connection.
 Create a workflow to send an email message when the settings of VM4 are modified.

 Create a custom Azure role named Role1 that is based on the Reader role.
 Minimize costs whenever possible.
Question 161
You discover that VM3 does NOT meet the technical requirements.
You need to verify whether the issue relates to the NSGs.
○ Diagram in VNet1
○ Diagnostic settings in Azure Monitor
○ Diagnose and solve problems in Traffic Manager profiles
○ The security recommendations in Azure Advisor
● IP flow verify in Azure Network Watcher
Explanation:
Scenario: Contoso must meet technical requirements including:
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications
servers in the Montreal office.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The
information consists of direction, protocol, local IP, remote IP, local port, and remote port. If
the packet is denied by a security group, the name of the rule that denied the packet is
returned. While any source or destination IP can be chosen, IP flow verify helps administrators
quickly diagnose connectivity issues from or to the internet and from or to the on-premises
environment.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-
overview

Question 92
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the
System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You
add the Microsoft Monitoring Agent VM extension to VM1. You create an alert in Azure Monitor
and specify the Log Analytics workspace as the source.
○ Yes
● No
Explanation:
You must install the Microsoft Monitoring Agent on VM1, and not the Microsoft Monitoring
Agent VM extension.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

Question 93
Solution: You create an Azure Log Analytics workspace and configure the data settings. You
install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify
the Log Analytics workspace as the source.
● Yes
○ No
Explanation:
Alerts in Azure Monitor can identify important information in your Log Analytics repository.
They are created by alert rules that automatically run log searches at regular intervals, and if
results of the log search match particular criteria, then an alert record is created and it can be
configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and
workloads of virtual machines in Azure, other cloud providers, and on-premises. It collects
data into a Log Analytics workspace.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response

Question 94
All virtual machines run Windows Server 2016.
On VM1, you back up a folder named Folder1 as shown in the following exhibit.
You plan to restore the backup to a different virtual machine.
You need to restore the backup to VM2.
○ From VM1, install the Windows Server Backup feature.

● From VM2, install the Microsoft Azure Recovery Services Agent.
○ From VM1, install the Microsoft Azure Recovery Services Agent.
○ From VM2, install the Windows Server Backup feature.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-windows-server

Question 95
HOTSPOT
You need to use an Azure Resource Manager (ARM) template to create a virtual machine that
will have multiple data disks.
How should you complete the template? To answer, select the appropriate options in the
answer area.

Solution:

Question 96
following table.
VM1 connects to a virtual network named VNET2 by using a network interface named NIC1.
You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US.
● Yes
○ No
Explanation:
The virtual machine you attach a network interface to and the virtual network you connect it
to must exist in the same location, here West US, also referred to as a region.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

Question 97
following table.
Solution: You create NIC2 in RG2 and Central US.
○ Yes
● No
Explanation:
Reference:

Question 98
following table.
Solution: You create NIC2 in RG2 and West US.
● Yes
○ No
Explanation:
Reference:

Question 99
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to deploy a YAML file to AKS1.
Solution: From Azure Cloud Shell, you run az aks.
○ Yes
● No
Reference:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
Question 100
Solution: From Azure Cloud Shell, you run the kubectl client.
● Yes
○ No
Reference:

Question 101
Solution: From Azure CLI, you run azcopy.
○ Yes
● No
Reference:
Question 102
Solution: You create an Azure storage account and configure shared access signatures (SASs).
You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and
specify the storage account as the source.
○ Yes
● No
Explanation:
Instead: You create an Azure Log Analytics workspace and configure the data settings. You

Reference:

Question 103
HOTSPOT
You have an Azure subscription named Subscription1. Subscription1 contains the resources in
VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2.
An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1. VM1
uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in
VM1.
You need to move the custom application to VNet2. The solution must minimize administrative
effort.
Which two actions should you perform? To answer, select the appropriate options in the
answer area.

Solution:
Explanation:
We cannot just move a virtual machine between networks. What we need to do is identify the
disk used by the VM, delete the VM itself while retaining the disk, and recreate the VM in the
target virtual network and then attach the original disk to it.
Reference:
https://blogs.technet.microsoft.co
m/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-vnet-on-azure/
https://4sysops.com/archives/move-an-azure-vm-to-another-
virtual-network-vnet/#migrate-an-azure-vm-between-vnets

Question 104
You download an Azure Resource Manager template based on an existing virtual machine. The
template will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent
the password from being stored in plain text.
What should you create to store the password?
● an Azure Key Vault and an access policy

○ an Azure Storage account and an access policy
○ a Recovery Services vault and a backup policy
○ Azure Active Directory (AD) Identity Protection and an Azure policy
Explanation:
You can use a template that allows you to deploy a simple Windows VM by retrieving the
password that is stored in a Key Vault. Therefore, the password is never put in plain text in the
template parameter file.
Reference:
https://azure.microsoft.com/en-us/resou
rces/templates/101-vm-secure-password/

Question 105
HOTSPOT
You have the App Service plans shown in the following table.
You plan to create the Azure web apps shown in the following table.
You need to identify which App Service plans can be used for the web apps.
What should you identify? To answer, select the appropriate options in the answer area.

Solution:
Explanation:
Box 1: ASP1 ASP3

Asp1, ASP3: ASP.NET Core apps can be hosted both on Windows or Linux.
Not ASP2: The region in which your app runs is the region of the App Service plan it's in.
Box 2: ASP1
ASP.NET apps can be hosted on Windows only.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?pivots=platform-
linux
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage#

Question 106
HOTSPOT
You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the
following exhibit.

Solution:
Explanation:
Box 1: 6 virtual machines

The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or
higher. The initial instance count is 4 and rises to 6 when the 2 extra instances of VMs are
added.
Box 2: 2 virtual machnes

The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or
lower. The initial instance count is 4 and thus cannot be reduced to 0 as the minimum
instances is set to 2. Instances are only added when the CPU threshold reaches 80%.
Reference:
https://docs.microsoft.com/en-us/azu
re/azure-monitor/platform/autoscale-overview
https://docs.microsoft.com/en-us/azure/azure-moni
tor/platform/autoscale-best-practices
https://docs.microsoft.com/en-us/azure/azure-monitor/
platform/autoscale-common-scale-patterns
Question 107
You plan to automate the deployment of a virtual machine scale set that uses the Windows
Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web
server components installed.
Which two actions should you perform? Each correct answer presents part of the solution.
○ Upload a configuration script

○ Create an automation account
○ Create an Azure policy
● Modify the extensionProfile section of the Azure Resource Manager template
● Create a new virtual machine scale set in the Azure portal
Explanation:
Virtual Machine Scale Sets can be used with the Azure Desired State Configuration (DSC)
extension handler. Virtual machine scale sets provide a way to deploy and manage large
numbers of virtual machines, and can elastically scale in and out in response to load. DSC is
used to configure the VMs as they come online so they are running the production software.
Reference:
https://docs.micr
osoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-dsc

Question 108
HOTSPOT
You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named
Computer1 that runs Windows 10. Computer1 that has the Azure CLI installed.
You need to install the kubectl client on Computer1.
Which command should you run? To answer, select the appropriate options in the answer
area.
Solution:
Explanation:
To install kubectl locally, use the az aks install-cli command:
az aks install-cli
Reference:

Question 109
DRAG DROP
You onboard 10 Azure virtual machines to Azure Automation State Configuration.
You need to use Azure Automation State Configuration to manage the ongoing consistency of
the virtual machine configurations.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the
correct orders you select.
Solution:

Explanation:
Step 1: Upload a configuration to Azure Automation State Configuration.

Import the configuration into the Automation account.
Step 2: Compile a configuration into a node configuration.

A DSC configuration defining that state must be compiled into one or more node
configurations (MOF document), and placed on the Automation DSC Pull Server.
Step 3: Assign the node configuration
Then: Check the compliance status of the node

Each time Azure Automation State Configuration performs a consistency check on a managed
node, the node sends a status report back to the pull server. You can view these reports on
the page for that node.
On the blade for an individual report, you can see the following status information for the
corresponding consistency check:
The report status — whether the node is "Compliant", the configuration "Failed", or the node is
"Not Compliant"
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started

Question 110
You have an Azure Resource Manager template named Template1 that is used to deploy an
Azure virtual machine.
Template1 contains the following text:
The variables section in Template1 contains the following text:
"location": "westeurope"
The resources section in Template1 contains the following text:
You need to deploy the virtual machine to the West US location by using Template1.
What should you do?
● Modify the location in the resources section to westus

○ Select West US during the deployment
○ Modify the location in the variables section to westus
Question 111
You create an App Service plan named Plan1 and an Azure web app named webapp1.
You discover that the option to create a staging slot is unavailable.
You need to create a staging slot for Plan1.
● From Plan1, scale up the App Service plan

○ From webapp1, modify the Application settings
○ From webapp1, add a custom domain
○ From Plan1, scale out the App Service plan

Explanation:
The app must be running in the Standard, Premium, or Isolated tier in order for you to enable
multiple deployment slots.
If the app isn't already in the Standard, Premium, or Isolated tier, you receive a message that
indicates the supported tiers for enabling staged publishing. At this point, you have the option
to select Upgrade and go to the Scale tab of your app before continuing.
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual
machines (VMs), custom domains and certificates, staging slots, autoscaling, and more.
Incorrect:
Scale out: Increase the number of VM instances that run your app. You can scale out to as
many as 30 instances
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
Question 112
You plan to move a distributed on-premises app named App1 to an Azure subscription.
After the planned move, App1 will be hosted on several Azure virtual machines.
You need to ensure that App1 always runs on at least eight virtual machines during planned
Azure maintenance.
What should you create?
○ one virtual machine scale set that has 10 virtual machines instances
○ one Availability Set that has three fault domains and one update domain
● one Availability Set that has 10 update domains and one fault domain
○ one virtual machine scale set that has 12 virtual machines instances
Explanation:
An update domain is a logical group of underlying hardware that can undergo maintenance or
be rebooted at the same time. As you create VMs within an availability set, the Azure platform
automatically distributes your VMs across these update domains. This approach ensures that
at least one instance of your application always remains running as the Azure platform
undergoes periodic maintenance.
Reference:
http://www.thatlazyadmin.com/azure-fault-update-domains/

Question 113
Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and
specify VM1 as the source
○ Yes
● No
Explanation:
Instead: You create an Azure Log Analytics workspace and configure the data settings. You
Reference:

Question 114
You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure
Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance.
You need to move VM1 to a different host immediately.
Solution: From the Overview blade, you move the virtual machine to a different subscription.
○ Yes
● No
Explanation:
You would need to redeploy the VM.
Reference:
https://docs.microsoft.com/en
-us/azure/virtual-machines/windows/redeploy-to-new-node

Question 115
Solution: From the Redeploy blade, you click Redeploy.
● Yes
○ No
Explanation:
When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and
then powers it back on, retaining all your configuration options and associated resources.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

Question 116
Solution: From the Update management blade, you click Enable.
○ Yes
● No
Explanation:
Reference:
Question 117
You have an Azure subscription that contains a web app named webapp1.
You need to add a custom domain named www.contoso.com to webapp1.
● Create a DNS record

○ Add a connection string
○ Upload a certificate.
○ Stop webapp1.
Explanation:
You can use either a CNAME record or an A record to map a custom DNS name to App Service.
Reference:
https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain

Question 118
VM1 connects to VNET1.
You need to connect VM1 to VNET2.
Solution: You move VM1 to RG2, and then you add a new network interface to VM1.
○ Yes
● No
Explanation:
Instead you should delete VM1. You recreate VM1, and then you add the network interface for
VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network
(VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's
created, but you cannot change the VNet.
Reference:
https://docs.microsoft.c
o
m/en-us/azure/virtual-machines/windows/network-overview

Question 119
Solution: You delete VM1. You recreate VM1, and then you create a new network interface for
VM1 and connect it to VNET2.
● Yes
○ No
Explanation:
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

Question 120
Solution: You turn off VM1, and then you add a new network interface to VM1.
○ Yes
● No
Explanation:
Instead you should delete VM1. You recreate VM1, and then you add the network interface for
VM1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

Question 121
HOTSPOT
You have an Azure subscription named Subscription1 that contains the quotas shown in the
following table.
You deploy virtual machines to Subscription1 as shown in the following table.
You plan to deploy the virtual machines shown in the following table.

Solution:
Explanation:
The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the
different VM sizes. The deallocated VM with 16 vCPUs counts towards the total. VM20 and VM1
are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas

Question 122
HOTSPOT
You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-
USE2 as shown in the following exhibit.
You add 14 virtual machines to WEBPROD-AS-USE2.

Solution:
Explanation:
Box 1: 2
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four
update domains will have two VMs and six update domains will have one VM. Only one update
domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.
Box 2: 7
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in
each fault domain. A rack failure will affect one fault domain so 7 VMs will be offline.
Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
Question 123
You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP
addresses shown in the following table.
You need to provide internet users with access to the applications that run in Cluster1.
Which IP address should you include in the DNS record for Cluster1?
● 131.107.2.1
○ 10.0.10.11
○ 172.17.7.1
○ 192.168.10.2
Question 124
You have a deployment template named Template1 that is used to deploy 10 Azure web apps.
You need to identify what to deploy before you deploy Template1. The solution must minimize
Azure costs.
○ five Azure Application Gateways

● one App Service plan
○ 10 App Service plans
○ one Azure Traffic Manager
○ one Azure Application Gateway
Explanation:
You create Azure web apps in an App Service plan.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans

Question 125
HOTSPOT
You plan to deploy an Azure container instance by using the following Azure Resource
Manager template.
on the information presented in the template.

Solution:
Question 126
You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-
of-business application that is available 24 hours a day. VM1 has one network interface and
one managed disk. VM1 uses the D4s v3 size.
You plan to make the following changes to VM1:
 Change the size to D8s v3.

 Add a 500-GB managed disk.
 Add the Puppet Agent extension.
 Enable Desired State Configuration Management.
Which change will cause downtime for VM1?

Solution:
Explanation:
Box 1:
Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach to the
Web server, since it uses port 80.
Box 2:
If Rule2 is removed internet users can reach the DNS server as well.
Note: Rules are processed in priority order, with lower numbers processed before higher
numbers, because lower numbers have higher priority. Once traffic matches a rule, processing
stops. As a result, any rules that exist with lower priorities (higher numbers) that have the
same attributes as rules with higher priorities are not processed.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Question 147
You plan to deploy three Azure virtual machines named VM1, VM2, and VM3. The virtual
machines will host a web app named App1.
You need to ensure that at least two virtual machines are available if a single Azure
datacenter becomes unavailable.
What should you deploy?
○ all three virtual machines in a single Availability Zone

○ all virtual machines in a single Availability Set
● each virtual machine in a separate Availability Zone
○ each virtual machine in a separate Availability Set
Explanation:
Use availability zones to protect from datacenter level failures.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets
Question 148
You save VM1 as a template named Template1 to the Azure Resource Manager library.
You plan to deploy a virtual machine named VM2 from Template1.
What can you configure during the deployment of VM2?
○ operating system
● administrator username
○ virtual machine size
○ resource group
Explanation:
When deploying a virtual machine from a template, you must specify:
 the Resource Group name and location for the VM

 the administrator username and password
 an unique DNS name for the public IP
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
Question 149
You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs
a financial reporting app named App1 that does not support multiple active instances.
At the end of each month, CPU usage for VM1 peaks when App1 runs.
You need to create a scheduled runbook to increase the processor performance of VM1 at the
end of each month.
What task should you include in the runbook?
○ Add the Azure Performance Diagnostics agent to VM1.

○ Modify the VM size property of VM1.
○ Add VM1 to a scale set.
○ Increase the vCPU quota for the subscription.
● Add a Desired State Configuration (DSC) extension to VM1.

Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-quickstart-dsc-configuration
Question 150
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a
virtual machine scale set by using an Azure Resource Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
○ Deployment Center in Azure App Service

● A Desired State Configuration (DSC) extension
○ the New-AzConfigurationAssignment cmdlet
○ a Microsoft Intune device configuration profile
Explanation:
Azure virtual machine extensions are small packages that run post-deployment configuration
and automation on Azure virtual machines.
In the following example, the Azure CLI is used to deploy a custom script extension to an
existing virtual machine, which installs a Nginx webserver.
az vm extension set \
--resource-group myResourceGroup \
--vm-name myVM --name customScript \
--publisher Microsoft.Azure.Extensions \
--settings '{"commandToExecute": "apt-get install -y nginx"}
Note:
1. a Desired State Configuration (DSC) extension

2. Azure Custom Script Extension
 the Publish-AzVMDscConfiguration cmdlet

 Azure Application Insights
Reference:
https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-
configuration

Question 151
HOTSPOT
You deploy an Azure Kubernetes Service (AKS) cluster that has the network profile shown in
the following exhibit.

Solution:
Explanation:
Box 1: 10.244.0.0/16
The Pod CIDR.
Note: The --pod-cidr should be a large address space that isn't in use elsewhere in your
network environment. This range includes any on-premises network ranges if you connect, or
plan to connect, your Azure virtual networks using Express Route or a Site-to-Site VPN
connection.
This address range must be large enough to accommodate the number of nodes that you
expect to scale up to. You can't change this address range once the cluster is deployed if you
need more addresses for additional nodes.
Box 2: 10.0.0.0/16
The --service-cidr is used to assign internal services in the AKS cluster an IP address.
Reference:
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet

Question 152

HOTSPOT
You have the App Service plan shown in the following exhibit.
The scale-in settings for the App Service plan are configured as shown in the following exhibit.
The scale out rule is configured with the same duration and cool down tile as the scale in rule.

Solution:
Explanation:
Box 1: 5
The maximum 5 will kept as the CPU Usage >= 30.

Box 2: 3
As soon as the average CPU usage drops below 30%, the count will decrease by 1. After the 5
minute cool-down it will decrease by another 1, reaching 3.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-
schedule
Question 153
You have an Azure virtual machine named VM1 that runs Windows Server 2019. The VM was
deployed using default drive settings.
You sign in to VM1 as a user named User1 and perform the following actions:
 Create files on drive C.

 Create files on drive D.
 Modify the screen saver timeout.
 Change the desktop background.
You plan to redeploy VM1.
Which changes will be lost after you redeploy VM1?

○ the modified screen saver timeout
○ the new desktop background
● the new files on drive D
○ the new files on drive C

Question 154
You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the
exhibit. (Click the Exhibit tab.)
You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual
machines.
What should you modify on VM1?
○ the memory
○ the network adapters
● the hard drive
○ the processor
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-
template
Question 157
You have an Azure web app named App1. App1 has the deployment slots shown in the
following table:
In webapp1-test, you test several changes to App1.
You back up App1.
You swap webapp1-test for webapp1-prod and discover that App1 is experiencing
performance issues.
You need to revert to the previous version of App1 as quickly as possible.
What should you do?
○ Redeploy App1
● Swap the slots
○ Clone App1
○ Restore the backup of App1
Explanation:
When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and
destination slots, thereby swapping the URLs of the slots. We can easily revert the deployment
by swapping back.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

Question 158
HOTSPOT
You have an Azure subscription named Subscription1. Subscription1 contains two Azure virtual
machines VM1 and VM2. VM1 and VM2 run Windows Server 2016.
VM1 is backed up daily by Azure Backup without using the Azure Backup agent.
VM1 is affected by ransomware that encrypts data.
You need to restore the latest backup of VM1.
To which location can you restore the backup? To answer, select the appropriate options in the
answer area.

Solution:
Explanation:
Note: The new VM must be in the same region.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
Question 159
You plan to back up an Azure virtual machine named VM1.
You discover that the Backup Pre-Check status displays a status of Warning.
What is a possible cause of the Warning status?
○ VM1 is stopped.
● VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe)
installed.
○ VM1 has an unmanaged disk.
○ A Recovery Services vault is unavailable.
Explanation:
The Warning state indicates one or more issues in VM’s configuration that might lead to
backup failures and provides recommended steps to ensure successful backups. Not having
the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in
this class of issues.
Reference:
https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks/
Question 160
Solution: From the Overview blade, you move the virtual machine to a different resource
group.
○ Yes
● No
Explanation:
Reference:

Configure and manage virtual networking (84 questions)

Case study

Overview
Requirements
Planned Changes

only.
app2.litware.com.
connection.

Question 246
HOTSPOT
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area.

Solution:
Explanation:
Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-
premises network through a VPN appliance. For more information, see Connect an on-
premises network to a Microsoft Azure virtual network. The VPN gateway includes the
following elements:
Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted
connection.
Incorrect Answers:
Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute
partner. This connection is private. Traffic does not go over the internet.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/re
ference-architectures/hybrid-networking/vpn
 Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet.
It is responsible for routing traffic from the on-premises network to the VNet.
 Local network gateway. An abstraction of the on-premises VPN appliance. Network
traffic from the cloud application to the on-premises network is routed through this
gateway.
 Connection. The connection has properties that specify the connection type (IPSec) and
the key shared with the on-premises VPN appliance to encrypt traffic.
 Gateway subnet. The virtual network gateway is held in its own subnet, which is subject
to various requirements, described in the Recommendations section below.
Box 2: Configure a site-to-site VPN connection

On premises create a site-to-site connection for the virtual network gateway and the local
network gateway.

Case study

Overview
maintains.
following:
 File servers
tiers:
 A SQL database
 A web front end
only.
Requirements
Planned Changes

project.

User Requirements
AD.
subscription.

Question 247
HOTSPOT
You need to recommend a solution for App1. The solution must meet the technical
requirements.
What should you include in the recommendation? To answer, select the appropriate options in
the answer area.
Solution:
Explanation:
This reference architecture shows how to deploy VMs and a virtual network configured for an
N-tier application, using SQL Server on Windows for the data tier.

Scenario: You have a public-facing application named App1. App1 is comprised of the
following three tiers:
 A SQL database
 A web front end
only.
Technical requirements include:

Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-
server

Question 248
You are planning the move of App1 to Azure.
You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1.
What should you recommend?
● Create an incoming security rule for port 443 from the Internet. Associate the
NSG to the subnet that contains the web servers.
○ Create an outgoing security rule for port 443 from the Internet. Associate the NSG
to the subnet that contains the web servers.
○ Create an incoming security rule for port 443 from the Internet. Associate the
NSG to all the subnets.
○ Create an outgoing security rule for port 443 from the Internet. Associate the NSG
to all the subnets.
Explanation:
Incoming and the web server subnet only, as users access the web front end by using HTTPS
only.
Note Scenario: You have a public-facing application named App1. App1 is comprised of the
following three tiers:
 A SQL database
 A web front end
only.

Question 162
HOTSPOT
You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an
IP address space of 10.0.0.0/16 and contains the subnets in the following table:
Subnet1 contains a virtual appliance named VM1 that operates as a router.
You create a routing table named RT1.
You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.
How should you configure RT1? To answer, select the appropriate options in the answer area.

Solution:
Question 163
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are
configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the
virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
What should you configure?
○ Floating IP (direct server return) to Enabled

○ Floating IP (direct server return) to Disabled
○ a health probe
● Session persistence to Client IP and Protocol
Explanation:
With Sticky Sessions when a client starts a session on one of your web servers, session stays
on that specific server. To configure An Azure Load-Balancer For Sticky Sessions set Session
persistence to Client IP.

On the following image you can see sticky session configuration:
Note:
There are several versions of this question in the exam. The question can have other incorrect
answer options, including the following:
1. Idle Time-out (minutes) to 20

2. Protocol to UDP
Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

Question 164
HOTSPOT
You have an Azure subscription that contains the virtual machines shown in the following
table:
VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow
inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1
uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
 Priority: 100
 Name: Rule1
 Port: 3389
 Protocol: TCP
 Source: Any
 Destination: Any
 Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.

Solution:

Question 165
HOTSPOT
You have a virtual network named VNET1 that contains the subnets shown in the following
table:
You have two Azure virtual machines that have the network configurations shown in the
following table:
For NSG1, you create the inbound security rule shown in the following table:
For NSG2, you create the inbound security rule shown in the following table:

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-
zone

Question 199
HOTSPOT
VMSS1 is set to VM (virtual machines) orchestration mode.
You need to deploy a new Azure virtual machine named VM1, and then add VM1 to VMSS1.
Which resource group and location should you use to deploy VM1? To answer, select the

Solution:
Explanation:
Box 1: RG1, RG2, or RG3
The resource group stores metadata about the resources. When you specify a location for the
resource group, you're specifying where that metadata is stored.
Box 2: West US only
Note: Virtual machine scale sets will support 2 distinct orchestration modes:
ScaleSetVM – Virtual machine instances added to the scale set are based on the scale set
configuration model. The virtual machine instance lifecycle - creation, update, deletion - is
managed by the scale set.
VM (virtual machines) – Virtual machines created outside of the scale set can be explicitly
added to the scaleset.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview

Question 200

HOTSPOT
You have an Azure subscription that contains three virtual networks named VNET1, VNET2,
and VNET3.
Peering for VNET1 is configured as shown in the following exhibit.

How can packets be routed between the virtual networks? To answer, select the appropriate
Solution:
Explanation:
Box 1. VNET2 and VNET3
Box 2: VNET1
Gateway transit is disabled.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Question 201
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure
virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer
named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from
Computer2.
Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
○ Yes
● No
Explanation:
Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate
installed. You generate a client certificate from the self-signed root certificate, and then export
and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Question 202
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure
virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer
named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from
Computer2.
Solution: You join Computer2 to Azure Active Directory (Azure AD)
○ Yes
● No
Explanation:
A client computer that connects to a VNet using Point-to-Site must have a client certificate
installed.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Question 203
You have an Azure subscription that contains 10 virtual networks. The virtual networks are
hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the
subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080
between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
○ Yes
● No

Question 204
You have an Azure subscription named Subscription1. Subscription1 contains a virtual
machine named VM1.
You have a computer named Computer1 that runs Windows 10. Computer1 is connected to
the Internet.
You add a network interface named vm1173 to VM1 as shown in the exhibit. (Click the Exhibit
tab.)
From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the
connection fails.
You need to establish a Remote Desktop connection to VM1.
○ Change the priority of the RDP rule

○ Attach a network interface
○ Delete the DenyAllInBound rule
● Start VM1
Explanation:
Incorrect Answers:
A: Rules are processed in priority order, with lower numbers processed before higher numbers,
because lower numbers have higher priority. Once traffic matches a rule, processing stops.
RDP already has the lowest number and thus the highest priority.
B: The network interface has already been added to VM.
C: The Outbound rules are fine.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Question 205
You have the Azure virtual machines shown in the following table.
A DNS service is installed on VM1.
You configure the DNS servers settings for each virtual network as shown in the following
exhibit.
You need to ensure that all the virtual machines can resolve DNS names by using the DNS
service on VM1.
What should you do?
○ Configure a conditional forwarder on VM1

○ Add service endpoints on VNET1
○ Add service endpoints on VNET2 and VNET3
● Configure peering between VNET1, VNET2, and VNET3
Explanation:
Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network.
The virtual networks appear as one for connectivity purposes. The traffic between virtual
machines uses the Microsoft backbone infrastructure.
Incorrect Answers:
B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure
services over an optimized route over the Azure backbone network. Endpoints allow you to
secure your critical Azure service resources to only your virtual networks. Service Endpoints
enables private IP addresses in the VNet to reach the endpoint of an Azure service without
needing a public IP address on the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-
overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Question 206

HOTSPOT
You have an Azure subscription that contains the Azure virtual machines shown in the
following table.
You add inbound security rules to a network security group (NSG) named NSG1 as shown in
You run Azure Network Watcher as shown in the following exhibit.

You run Network Watcher again as shown in the following exhibit.


Solution:
Explanation:
Box 1: No
It limits traffic to VM2, but not VM1 traffic.
Box 2: Yes
Yes, the destination is VM2.
Box 3: No
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

Reference:
https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-
connection-monitor-in-all-public-regions/

Monitor and back up Azure resources (15 questions)

Case study

Overview
Requirements
Planned Changes

only.
app2.litware.com.
connection.

Question 264
HOTSPOT
You need to implement Role1.
Which command should you run before you create Role1? To answer, select the appropriate
Solution:
Question 265
You need to recommend a solution to automate the configuration for the finance department
users. The solution must meet the technical requirements.
What should you include in the recommendation?
○ Azure AD B2C
● dynamic groups and conditional access policies
○ Azure AD Identity Protection
○ an Azure logic app and the Microsoft Identity Management (MIM) client

Explanation:
Scenario: Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance
department only.
The recommendation is to use conditional access policies that can then be targeted to groups
of users, specific applications, or other conditions.
Reference:
https://docs.microsoft.com/en-us/azure/a
ctive-directory/authentication/howto-mfa-userstates

Question 249

HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that
contains the users shown in the following table.
You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset
exhibit. (Click the Password Reset tab.)
You configure the authentication methods for password reset as shown in the Authentication
Methods exhibit. (Click the Authentication Methods tab.)


Solution:
Explanation:
Box 1: No
Two methods are required.
Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.
Box 3: Yes
As a User Administrator, User3 can add security questions to the reset process.
Reference:
https://docs.microsoft.co
m/en-us/azure/active-directory/authentication/quickstart-sspr
https://docs.microsoft.com/en-us
/azure/active-directory/authentication/active-directory-passwords-faq

Question 250
Your company has a main office in London that contains 100 client computers.
Three years ago, you migrated to Azure Active Directory (Azure AD).
The company’s security policy states that all personal devices and corporate-owned devices
must be registered or joined to Azure AD.
A remote user named User1 is unable to join a personal device to Azure AD from a home
network.
You verify that User1 was able to join devices to Azure AD in the past.
You need to ensure that User1 can join the device to Azure AD.
What should you do?
○ Assign the User administrator role to User1.

● From the Device settings blade, modify the Maximum number of devices per
user setting.
○ Create a point-to-site VPN from the home network of User1 to Azure.
○ From the Device settings blade, modify the Users may join devices to Azure
AD setting.
Explanation:
The Maximum number of devices setting enables you to select the maximum number of
devices that a user can have in Azure AD. If a user reaches this quota, they will not be able to
add additional devices until one or more of the existing devices are removed.
Incorrect Answers:
C: Azure AD Join enables users to join their devices to Active Directory from anywhere as long
as they have connectivity with the Internet.
D: The Users may join devices to Azure AD setting enables you to select the users who can
join devices to Azure AD. Options are All, Selected and None. The default is All.
Reference:
https://docs.microsoft.com/en-us
/azure/active-directory/devices/device-management-azure-portal
http://techgenix.com/pros-and-cons-azure-ad
-join/

Question 251
● Yes
○ No
Explanation:
Reference:
Question 252
You have an existing Azure subscription that contains 10 virtual machines.
You need to monitor the latency between your on-premises network and the virtual machines.
○ Service Map
○ Connection troubleshoot
● Network Performance Monitor
○ Effective routes

Explanation:
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps
you monitor network performance between various points in your network infrastructure. It
also helps you monitor network connectivity to service and application endpoints and monitor
the performance of Azure ExpressRoute.
You can monitor network connectivity across cloud deployments and on-premises locations,
multiple data centers, and branch offices and mission-critical multitier applications or
microservices. With Performance Monitor, you can detect network issues before users
complain.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor

Question 253
DRAG DROP
You have an Azure Linux virtual machine that is protected by Azure Backup.
One week ago, two files were deleted from the virtual machine.
You need to restore the deleted files to an on-premises Windows Server 2016 computer as
quickly as possible.
Which four actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.

Solution:
Explanation:
Step 1: From the Azure portal, click File Recovery from the vault
Step 2. Select a restore point that contains the deleted files
Step 3: Download and run the script to mount a drive on the local computer
Generate and download script to browse and recover files:
Step 4: Copy the files using File Explorer!

After the disks are attached, use Windows File Explorer to browse the new volumes and files.
The restore files functionality provides access to all files in a recovery point. Manage the files
via File Explorer as you would for normal files.
Step 1-3 below:

To restore files or folders from the recovery point, go to the virtual machine and perform the
following steps:
1. Sign in to the Azure portal and in the left pane, select Virtual machines. From the list of
virtual machines, select the virtual machine to open that virtual machine's dashboard.
2. In the virtual machine's menu, select Backup to open the Backup dashboard.
3. In the Backup dashboard menu, select File Recovery.
The File Recovery menu opens.

Box 1: 6
5 latest daily recovery points, which includes the weekly backup from the previous Sunday,
plus the monthly recovery point.
Box 2: 8
5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.
Reference:
https://social.technet.microsoft.com/Forums/en-US/854ab6ae-79aa-4bad-ac65-
471c4d422e94/daily-monthly-yearly-recovery-points-and-storage-
used?forum=windowsazureonlinebackup


az-104_12july21 (1)

Uploaded by

Copyright:

Available Formats

az-104_12july21 (1)

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

az-104_12july21 (1)

Uploaded by

Copyright:

Available Formats

Reference Solution for

Microsoft Azure Administrator

This file was created using VCE Simulator from Avanset.com

Licensed to Trainings vmware trainings.vmware@gmail.com

To start the case study

Contoso plans to implement the following changes to the infrastructure:

 Move all the tiers of App1 to Azure.

Contoso must meet the following technical requirements:

 Move all the virtual machines for App1 to Azure.

Contoso identifies the following requirements for users:

3 Licensed to Trainings vmware

4 Licensed to Trainings vmware

6 Licensed to Trainings vmware

What should you do?

○ From the Azure Active Directory blade, modify the Groups

7 Licensed to Trainings vmware

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User2 to create the user accounts.

Does that meet the goal?

8 Licensed to Trainings vmware

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User4 to create the user accounts.

Does that meet the goal?

9 Licensed to Trainings vmware

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User3 to create the user accounts.

Does that meet the goal?

10 Licensed to Trainings vmware

NOTE: Each correct selection is worth one point.

11 Licensed to Trainings vmware

What should you do first?

○ From contoso.com, modify the Organization relationships settings.

12 Licensed to Trainings vmware

NOTE: Each correct selection is worth one point.

● a Microsoft 365 group that uses the Assigned membership type

13 Licensed to Trainings vmware

14 Licensed to Trainings vmware

User3 is the owner of Group1.

Group2 is a member of Group1.

15 Licensed to Trainings vmware

NOTE: Each correct selection is worth one point.

16 Licensed to Trainings vmware

17 Licensed to Trainings vmware

You create the Azure policies shown in the following table:

NOTE: Each correct selection is worth one point.

18 Licensed to Trainings vmware

19 Licensed to Trainings vmware

What is the effect of the policy?

20 Licensed to Trainings vmware

You assign a policy to RG6 as shown in the following table:

To RG6, you apply the tag: RGroup: RG6.

You deploy a virtual network named VNET2 to RG6.

NOTE: Each correct selection is worth one point.

21 Licensed to Trainings vmware

VNET1: Department: D1, and Label:Value1 only.

VNET2: Label:Value1 only.

22 Licensed to Trainings vmware