Cert Prep: Microsoft Azure Administrator (AZ-104) (Cloud Academy) Flashcards

1
Q

Your Chief Technology Officer wants to manage the Azure Virtual Machine (VM) infrastructure by establishing a baseline, high-level standard of quality for all the resources in your environment.

What tool can be used to implement this request?
Select one answer

A. VM Access extension
B. Azure VM agent extension
C. PowerShell DSC
D. Bitlocker

A

C. PowerShell DSC

Explanation:
Configuration Management deals with establishing a baseline, high-level standard of quality for all the resources in your environment. In this scenario, you will want to maintain the highest level of quality and serviceability of your virtual machines. There are several Configuration Management options in the Portal. PowerShell Desired State Configuration is one such tool. Different Configuration Management tools have different ways of implementing this desired state file; however, most tools are based on industry standards such as the Managed Object Format (MOF).

2
Q

A company needs to connect their on-premise data center to Azure. They want to have a dedicated connection and at the same time want to have a failover connection. They don’t mind having a drop in latency when it comes to the failover connection. They also have around 500+ employees who will need to use this connection. Which of the following connection types would you use?

A. Site-to-Site for the main and failover connection.
B. Site-to-Site for the main and Point-to-Site for the failover connection.
C. ExpressRoute for the main connection and Site-to-Site for the failover connection.
D. Site-to-Site for the main and ExpressRoute for the failover connection.

A

C. ExpressRoute for the main connection and Site-to-Site for the failover connection.

Explanation:
An ExpressRoute connection behaves like a dedicated connection between your on-premise data center and Azure. You can establish multiple connections between your on-premise data center and Azure. In the failover connection, since the company does not mind a drop in latency, they can opt for a Site-to-Site VPN connection. This type of model is often used for a primary and failover connection from on-premise data centers and Azure.

3
Q

Your company has resources in both Azure Infrastructure as a Service (IaaS) and on-premises architectures. You have an existing Azure Files Network File System version 4.1 (NFSv4.1). You have been asked to migrate the local-redundant storage (LRS) to zone-redundant storage (ZRS).

You want to maintain maximum control over the migration, and it must be completed by a date specified by management.

You need to select a supported method to complete the migrations.

What should you do?

A. Request a live migration.
B. Perform the migration using PowerShell.
C. Perform a manual migration.
D. Perform the migration via the Azure portal.

A

C. Perform a manual migration.

Explanation:
A manual migration from LRS to ZRS is the method for migrating Azure Files Network File System version 4.1 (NFSv4.1) shares in this scenario. A manual migration provides more flexibility and control than a conversion. You can use this option if you need the migration to be complete by a specific date, or if conversion is not supported for your scenario. Manual migration is also useful when moving a storage account to another region. See Move an Azure Storage account to another region for more details.

You must perform a manual migration if:

You want to migrate your storage account to a different region.
Your storage account is a block blob account.
Your storage account includes data in the archive tier and rehydrating the data is not desired.

You should not request a live migration in this scenario because Azure Files NFSv4.1 share migrations are not supported.

It is not possible to perform the migration from LRS to ZRS using PowerShell because it supports only LRS to GRS and LRS to RA-GRS migrations.

The Azure Portal supports LRS migrations to geo-redundant (GRS) and read-access geo-redundant (RA-GRS) storage.

4
Q

A company’s app hosted in Azure is using the App Service. They want this app to interface with another application in another domain. Which of the below configurations will make this possible?

A. Enable CORS for the App Service.
B. Enable Autoscale for the App Service.
C. Enable OAuth for the App Service.
D. Enable API Definition for the App Service.

A

A. Enable CORS for the App Service.

Explanation:
App Service offers support for Cross Origin Resource Sharing (CORS), which enables JavaScript clients to make cross-domain calls to APIs that are hosted in API apps. App Service lets you configure CORS access to your API without writing any code in your API.

5
Q

A company needs to connect their on-premise data centers to Azure. They have huge workloads that need to regularly transfer between on-premise data centers and Azure. The company wants to avoid sending data over the public internet for security reasons. Which of the following connections should the company opt for to establish this connection?

A. Create a Site-to-Site connection
B. Create a Point-to-Site connection
C. Create an ExpressRoute connection
D. Create a VNet-to-VNet connection

A

C. Create an ExpressRoute connection

Explanation:
An ExpressRoute connection behaves like a dedicated connection between your on-premise data center and Azure. The Site-to-Site and Point-to-Site connections have to traverse the internet, and hence are not ideal when you have high workloads that need to be transferred between the on-premise and Azure location.

6
Q

Which of the following statements correctly describes the difference between role-based access controls (RBAC) and resource locks?

A. Resource locks apply a restriction across all users and roles
B. RBAC applies a restriction across all users and roles
C. Resource locks apply a restriction to users only
D. RBAC applies a restriction to roles only.

A

A. Resource locks apply a restriction across all users and roles

Explanation:
Unlike RBAC, management locks apply a restriction across all users and roles.

7
Q

When running multiple environments of a given Azure App Service application, what deployment slot option allows you to test configuration elements and ensure that your application works as expected before being pushed to production?

A. Swap with Preview
B. Staging Swap
C. Check ‘Slot Setting’ box
D. Swap App Settings

A

A. Swap with Preview

Explanation:
Swap with preview, or multi-phase swap, simplifies validation of slot-specific configuration elements, such as connection strings. For mission-critical workloads, you want to validate that the app behaves as expected when the production slot’s configuration is applied, and you must perform such validation before the app is swapped into production. Swap with preview is what you need.

8
Q

Which Azure tool is a cloud-based, command-line service for copying and migrating data between Azure Storage accounts?

A. AzCopy
B. Import/Export Service
C. Azure Data Box
D. Azure Storage Explorer

A

A. AzCopy

Explanation:
AzCopy is a Windows command-line utility. There are multiple uses for AzCopy. For example, you can copy data into your Blob storage account from your existing general-purpose storage accounts. Additionally, you can upload data from your on-premises storage devices into your Blob storage account.

9
Q

Your manager has asked for advice on how best to fire off a console app that will nightly pick up some files that are uploaded to a Web App hosted on App Service and add them to Blob Storage. Cost and management effort are a concern.

Given what you know, which service would work best?

A. WebJobs
B. Azure Logic Apps
C. Azure Functions
D. Azure Automation

A

A. WebJobs

Explanation:
While there are multiple answers that would work, the answer that would be considered the “best” is the use of WebJobs.

WebJobs will have access to the files on the servers without any additional configuration. That will keep management and cost down.

10
Q

How would you download the Azure Resource Manager (ARM) template for multiple existing Azure resources?

A. If those resources are in the same resource group, go to that resource group in the Azure Portal, select the resources, and export the template.
B. It’s not possible to download an ARM template for multiple existing resources.
C. Export the ARM template for each resource in the Azure Portal, and then concatenate them into a single ARM template.
D. If those resources are in the same subscription, go to that subscription in the Azure Portal, select the resources, and export the template.

A

A. If those resources are in the same resource group, go to that resource group in the Azure Portal, select the resources, and export the template.

Explanation:
In the Azure Portal, you can export an ARM template from either a resource group or a resource. The exported template is a “snapshot” of the current state of the resource group. You can export an entire resource group or specific resources within that resource group.

11
Q

What major directory roles are available in Azure AD? (Choose 3 answers)

A. User
B. Global Administrator
C. Guest
D. Limited Administrator

A

A. User
B. Global Administrator
D. Limited Administrator

Explanation:
Administrator and Guest are not Directory roles in Azure AD. User, Global Administrator, and Limited Administrator are the three major Directory roles in Azure AD. Limited Administrator can be broken out into various types of “sub-administrators.”

12
Q

Your organization wants to connect two Azure networks using an Azure VPN Gateway. Which connection method can you implement to meet this requirement?

A. An Azure Hybrid network
B. An Azure Accelerated Network
C. A VNet Peering connection
D. A VNet-to-VNet connection

A

D. A VNet-to-VNet connection

Explanation:
VNet Peering is an Azure-to-Azure connection which does not have to use VPN Gateways for connectivity across Azure VNets. If you did want to use Azure VPN Gateways, like in the case of on-premises connectivity, you can still do this between two Azure networks in what’s called a VNet-to-VNet connection. VNet-to-VNet connectivity utilizes the Azure VPN gateways to connect two or more virtual networks together securely with IPsec/IKE S2S VPN tunnels.

13
Q

You have begun migrating your existing applications from on-premise servers to resources on an Azure Virtual Network. The on-premise network and Azure are currently connected via ExpressRoute. You need to ensure the ExpressRoute connection is healthy at all times. What Network Watcher service can you utilize to monitor the connection?

A. Connection Monitor (formerly Network Performance Monitor)
B. Traffic Analytics
C. VPN Troubleshoot
D. Connection Monitor (Classic)

A

A. Connection Monitor (formerly Network Performance Monitor)

Explanation:
The new Connection Monitor (formerly the Network Performance Monitor service) is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.

Please note that Azure also has a legacy service that is also named Connection Monitor, but this has been changed to Connection Monitor Classic.

14
Q

You are a start-up company currently hosting two small web applications, Web App 1 and Web App 2, on Azure Web Apps. Your Web Apps run on three instances on a Basic app service plan. You need to manage both web apps to meet the following requirements:

Allow Web App 1 to scale from 5-8 instances based on application workload, as traffic for this web app is growing.
Maintain Web App 2 on three separate instances, as this application is also growing more popular. However, Web App 2 does not require scaling capabilities yet.

What steps would be most cost-effective and meet your application requirements?

A. Move Web App 1 to a separate Standard app service plan. Configure auto scaling for Web App 1 between a range of 5 to 8 instances based on application metrics. Keep your existing Basic app service plan for Web App 2.
B. Scale up to a Premium app service plan. Leave Web App 2 as it is currently configured. Configure auto scaling for Web App 1 between a range of 5 to 8 instances based on application metrics.
C. Move Web App 1 to a separate Premium app service plan. Configure auto scaling for Web App 1 between a range of 5 to 8 instances based on application metrics. Scale your Basic app service plan down to a Shared service plan for Web App 2.
D. Move Web App 1 to a separate Premium app service plan. Configure auto scaling for Web App 1 between a range of 5 to 8 instances based on application metrics. Scale up your existing service plan from Basic to Standard for Web App 2.

A

A. Move Web App 1 to a separate Standard app service plan. Configure auto scaling for Web App 1 between a range of 5 to 8 instances based on application metrics. Keep your existing Basic app service plan for Web App 2.

Explanation:
App Service plans are containers for the apps that you deploy in App Service. App Service plans are offered in different tiers, with more functionality provided by higher, more expensive tiers. The following list highlights some of the distinctions between the available tiers:

Free (Windows only): Run a small number of apps for free
Shared (Windows only): Run more apps and provides support for custom domains
Basic: Run unlimited apps and scale up to three instances with built-in load balancing
Standard: The first tier that is recommended for production workloads. It scales up to ten (10) instances with Autoscaling support and VNet integration to access resources in your Azure virtual networks without exposing them to the internet
Premium: Scale up to 20 instances and additional storage over the standard tier
Isolated: Scale up to 100 instances, runs inside of an Azure Virtual Network isolated from other customers, and supports private access use cases
15
Q

A client has an Azure Site-to-Site (S2S) connection between an on-premises location and an Azure virtual network (VNet) using a RouteBased Azure VPN gateway. This client has a requirement for all Internet-bound traffic from virtual machines (VMs) on their Azure VNet to be routed back to the on-premises location for auditing. Which of the following solutions would best meet the requirement?

A. Create Point-to-Site (P2S) connections between the VMs and client machines at the on-premises location
B. Configure forced tunneling to route Internet-bound traffic from the VMs to the on-premises location
C. Create another S2S connection between the on-premises location and VNet using a PolicyBased VPN gateway
D. Add the “GatewaySubnet” to a network security group (NSG) with a rule to disallow all internet bound traffic

A

B. Configure forced tunneling to route Internet-bound traffic from the VMs to the on-premises location

Explanation:
Forced tunneling can be used with Azure S2S connections and RouteBased (not PolicyBased) VPN gateways to route Internet-bound traffic from a VNet to an on-premises location for inspection and auditing. According to Microsoft recommendations, the “GatewaySubnet” should not be part of an NSG.

16
Q

What does placing your virtual machines into an availability set accomplish regarding failures or outages?

A. It limits the impact of potential physical hardware failures.
B. It prevents hardware failures.
C. It may limit the impact of network outages in the future.
D. It protects your application from failures, power outages or anything else.

A

A. It limits the impact of potential physical hardware failures.

Explanation:
Placing two or more VMs in an availability set provides redundancy for them, and limits the impact of potential physical hardware failures.

17
Q

Five developers in your company need to be able to connect to several application tier VMs. Your management team is concerned about security and doesn’t want everyone to have access to all of the VMs. Which of the following network connections would be best in this scenario?

A. A point-to-site VPN
B. A point-to-point VPN
C. A site-to-site VPN
D. An ExpressRoute connection

A

A. A point-to-site VPN

Explanation:
Point-to-site VPNs allow you to connect a single client to a virtual network. You can create multiple point-to-site VPNs to assist in these types of situations, and for just a few connections this makes for a viable option. However, once you need a large number of connections, you’ll want to consider a site-to-site VPN.

18
Q

To specify that one resource must be created before another resource, what element do you need to use in an Azure Resource Manager (ARM) template?

A. linked
B. prerequisite
C. required
D. dependsOn

A

D. dependsOn

Explanation:
Within your Azure Resource Manager template (ARM template), the dependsOn element enables you to define one resource as dependent on one or more other resources.

19
Q

Which standalone application provides a graphical interface for working with Azure Storage data on a Windows, OS X, or Linux machine?

A. Microsoft Azure Storage Emulator
B. Microsoft Azure Storage Explorer
C. Windows Performance Monitor
D. IOSTAT

A

B. Microsoft Azure Storage Explorer

Explanation:
Microsoft Azure Storage Explorer (Preview) is a free, standalone app from Microsoft that enables you to work graphically with Azure Storage data on Windows, OS X, and Linux. It also provides several ways to connect to your storage account (e.g., by subscription or through the storage emulator).

20
Q

You want to create an alert for a virtual machine (VM) named VM1 that will be fired when the VM's central processing unit (CPU) usage is greater than 95 percent for at least 10 minutes for action group 1.

Which of the following command parts should be placed in the blanks below?

az monitor metrics alert ______ -n A1 -g RG1 --__________ "avg Percentage CPU > 95" --__________ 10m --action AG1

A. create, condition, window-size
B. list, description, action
C. show, scopes, evaluation-frequency
D. create, description, name

A

A. create, condition, window-size

Explanation:
You should use the az monitor metrics alert “create” command to create the metric-based rule, the “condition” parameter to specify the condition that triggers the rule, and the “window-size” option to define a time window in which the value of the condition is aggregated.

“List” lists alert rules.

“Description” creates a free-text description of the rule.

“Action” defines an action group associated with an alert and is already defined as “AG1” in this example.

“Show” refers to showing a specific alert rule.

“Scopes” defines an action group associated with an alert.

“Evaluation-frequency” defines the frequency at which measured values are calculated.

“Name” assigns a name to the rule.

21
Q

Your IT consulting business has recently partnered with two other businesses in different regions of the country. Each of your three offices has resources deployed in Microsoft Azure cloud.

Although you plan to eventually merge your separate offices into a single Azure AD tenant, you would like to connect several VNets in your separate subscriptions beforehand with your existing, separate Azure AD tenants in place.

What Azure solution is the easiest way to accomplish this?

A. Create VNet peering connection
B. Create Virtual Network Gateways
C. Create a DNS zone with split-horizon view
D. Create a VNet-to-VNet VPN

A

A. Create VNet peering connection

Explanation:
Microsoft Azure has steadily increased the compatibility of VNet Peering connections so that the previous generation solution, known as either Virtual Network Gateways or VPN Gateways, is used in fewer scenarios now. VNet Peering connections can now connect VNets within separate subscriptions and also within separate Azure AD tenants.

22
Q

The following is a subsection of an ARM template to deploy a Windows VM. In order to create the network interface you need a public IP Address and a Virtual Network. Which of the answers below belong in the dependsOn array to accomplish that objective?

{
  "apiVersion": "2016-03-30",
  "type": "Microsoft.Network/networkInterfaces",
  "name": "[variables('nicName')]",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    ____FILL_IN_THE_BLANK____
    "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"
  ],

A. "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",
B. "[resourceId('Microsoft.Network/networkInterfaces/', variables('nicName'))]"
C. "[reference(variables('publicIPAddressName')).dnsSettings.fqdn]"
D. "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",

A

A. "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",

Explanation:
The dependsOn property of a resource will allow you to delay the creation of a resource until another exists.

23
Q

You need to back up a VM using Azure Backup immediately, so you need to create a Recovery Service Vault. The general steps are listed below, in no particular order.

1. Assign a backup policy to the VM.
2. Configure replication redundancy level.
3. Manually initiate the first backup.
4. Assign a resource group and location.
5. Configure the backup policy.

Which answer numerically lists the steps to back up a virtual machine in the correct order?

A. 4-2-5-1-3
B. 4-5-1-2-3
C. 2-5-1-4-3
D. 5-1-2-4-3

A

A. 4-2-5-1-3

Explanation:
The correct order of execution is:

Assign a resource group and location.
Configure replication redundancy level.
Configure the backup policy.
Assign a backup policy to the VM.
Manually initiate the first backup.
24
Q

You want to evaluate Blob storage as a possible storage solution. However, you’re not sure if your data needs a hot or cool storage tier. Which tool can analyze your existing storage account, to gather data about your storage consumption and access patterns?

A. Azure Storage Analytics
B. Cloud Explorer
C. Azure Blob Monitoring Agent
D. This is done automatically and all metrics are located in the $MetricsCapacityBlob table

A

A. Azure Storage Analytics

Explanation:
Azure Storage Analytics performs logging and provides metrics data for your existing storage account.

25
Q

You would like to implement a Hub-and-Spoke VNet peering connection between two existing VNets in the East US region (VNet1 and VNet2), without using a network virtual appliance. You want resources in VNet1 and VNet2 to be able to communicate.

You have deployed VNet3 in the East US region that will serve as a hub between the other VNets. VNet1 and VNet2 should be able to communicate with each other through VNet3 using a VPN virtual network gateway.

Which VNet peering connections should be configured to allow gateway transit?

A. All peering connections between the hub and spokes
B. No peering connections
C. Only peering connections directed to VNet3 as the hub
D. Only peering connections directed to VNet1 and VNet2 as the spokes

A

C. Only peering connections directed to VNet3 as the hub

Explanation:
Suppose you have several spokes that need to connect with each other. In that case, you’ll run out of possible peering connections quickly, because the number of virtual network peerings per virtual network is limited. (For more information, see Networking limits.) In this scenario, consider using user-defined routes (UDRs) to force traffic destined to a spoke to be sent to Azure Firewall or a network virtual appliance acting as a router at the hub. This change will allow the spokes to connect to each other.

26
Q

Your subscription includes an Azure resource group named Resource Group1 with the following resources:

vNet1 with a CIDR block 10.0.0.0/24 and vNet2 with a CIDR block 10.0.1.0/24
There is a peering connection between vNet1 and vNet2
vNet1 contains Subnet1 with CIDR range 10.0.0.32/27
Subnet1 in vNet1 contains 2 Azure virtual machines with the following IP addresses
    VM1 (10.0.0.35)
    VM2 (10.0.0.36)

You must implement a new peering connection between vNet1 and vNet3. However, the vNet3 CIDR block (10.0.0.32/27) overlaps with the CIDR block of Subnet1.

What steps will you need to complete, in order, before you can create a peering connection between vNet1 and vNet3?

Delete the peering connection between vNet1 and vNet2.
Terminate VM1 and VM2 virtual machines.
Delete Subnet1.
Modify the vNet1 CIDR block.

Terminate VM1 and VM2 virtual machines.
Delete Subnet1.
Modify the vNet1 CIDR block.

Delete the peering connection between vNet1 and vNet2.
Terminate VM1 and VM2 virtual machines.
Delete Resource Group1.

Terminate VM1 and VM2 virtual machines.
Delete Resource Group1.
Delete Subnet1.
A

Delete the peering connection between vNet1 and vNet2.
Terminate VM1 and VM2 virtual machines.
Delete Subnet1.
Modify the vNet1 CIDR block.

Explanation:
Once you have created a peering connection between two VNets, you cannot edit the address ranges for either VNet. If you need to edit the address range for any reason, you need to delete the peering connection first.

If you need to remove IP addresses from your CIDR block that are currently assigned to a subnet, the subnet needs to be deleted first, and for a subnet to be deleted, it needs to be empty.

27
Q

You have successfully containerized your application within an Azure Container Registry, created an image of your application and pushed it into the container registry. You have also created an AKS cluster. Now you want to deploy the containerized application onto your AKS cluster.

Which three steps do you need to complete? (Choose 3 answers)

A. Get credentials to authenticate kubectl commands sent to the Kubernetes cluster.
B. Create a manifest file declaring the required Kubernetes resources.
C. Create the resources in the cluster
D. Create a service principal to allow your cluster to interact with Azure resources

A

A. Get credentials to authenticate kubectl commands sent to the Kubernetes cluster.
B. Create a manifest file declaring the required Kubernetes resources.
C. Create the resources in the cluster

Explanation:
You would need to complete all of the following steps in order to deploy your application to an AKS cluster except for creating a service principal. This step must already be completed in order for your AKS cluster to be provisioned and ready to host your application. You can also have AKS create a service principal for you using Azure CLI or Azure Portal.

28
Q

Which Azure service can provide performance metrics of not only solutions deployed on Azure, but also solutions hosted on-premise as well as Google Cloud and Amazon Web Services?

A. Azure Application Insights
B. Azure Monitor
C. Azure Log Analytics
D. Azure Network Watcher

A

A. Azure Application Insights

Explanation:
Application Insights can monitor Azure deployments, as well as applications deployed within GCP, AWS and on-premise.

29
Q

You have several VMs and the traffic to them needs to be filtered through a custom firewall virtual appliance. Which of the following is the best way to direct traffic through the virtual appliance before it reaches your virtual machines?

A. User-defined routes
B. Network security groups
C. Azure Traffic Manager
D. Azure Application Gateway

A

A. User-defined routes

Explanation:
A user-defined route will allow you to filter traffic through a virtual appliance.

30
Q

You have a Linux Azure Container Group with a Single Container Instance named myCon2. The container instance uses a Docker image that has an application that uses the local file system to store users’ data. Persistent storage is required to support the application.

You want to configure interactive persistent storage for myCon2.

Which of these should you use?

A. Azure secret volume
B. Azure file share
C. Azure blob storage
D. Azure table storage

A

B. Azure file share

Explanation:
By default, Azure Container Instances are stateless. If the container is restarted, crashes, or stops, all of its state is lost. To persist state beyond the lifetime of the container, you must mount a volume from an external store. As shown in this article, Azure Container Instances can mount an Azure file share created with Azure Files. Azure Files offers fully managed file shares hosted in Azure Storage that are accessible via the industry standard Server Message Block (SMB) protocol. Using an Azure file share with Azure Container Instances provides file-sharing features similar to using an Azure file share with Azure virtual machines.

31
Q

There are several mission-critical network connections between Azure IaaS Virtual Machines and Azure service endpoints in your Azure production environment. The connection health between these VMs and Azure endpoints needs to be checked continuously and automatically, with an alert raised if specific metrics approach unhealthy thresholds.

Which Azure Network Watcher feature would be ideal in this case?

A. Connection Troubleshoot
B. IP Flow Verify
C. Connection Monitor
D. Traffic Analytics

A

C. Connection Monitor

Explanation:
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint. For example, you might have a web server VM that communicates with a database server VM. Someone in your organization may, unknown to you, apply a custom route or network security rule to the web server or database server VM or subnet.

32
Q

An Azure subscription named Subscription 1 contains three resource groups named Development, Test, and Production. Two users, Thomas and Guy, are assigned to an Azure Active Directory group named Group 1.

All members of Group 1 can perform all read and write operations on all virtual machines in the Development and Test resource groups. However, they are prevented from performing any operations on virtual machines in the Production resource group through NotActions.

Guy is also assigned a second custom resource role, called ProductionVM_Review. The ProductionVM_Review role allows him to perform all read operations on all virtual machines in the Production resource group.

If Guy tries to perform a programmatic read operation on all virtual machines within Subscription 1, which of the following outcomes will occur?

A. Azure Active Directory will allow the operation on all virtual machines.
B. Azure Active Directory will allow the operation on virtual machines for the Development and Test resource groups only.
C. Azure Active Directory will allow the operation on virtual machines for the Production resource group only.
D. Azure Active Directory will deny the operation on all virtual machines.

A

A. Azure Active Directory will allow the operation on all virtual machines.

Explanation:
Guy has two assigned roles that apply to him, where the NotActions of one role contradict the Actions of the other. So which wins?

Actions overrule NotActions, so Guy will be able to perform the read operation on all virtual machines, including those in the Production resource group.

33
Q

Which statement regarding best practices to address transient errors in Azure Storage is incorrect?

A. Retrying the failed operation is recommended.
B. Azure Storage Emulator is useful for debugging your storage service in a simulated environment.
C. Unbound parallelism in requests can cause your application to error or fail.
D. The linear approach is recommended in favor of an exponential backoff approach in addressing these error types.

A

D. The linear approach is recommended in favor of an exponential backoff approach in addressing these error types.

Explanation:
The linear approach will retry the same request over and over again with a fixed time duration between attempts, or worse, no delay at all, which can and often will have the effect of swamping an already overburdened service with additional requests.

At best, the continued stress will cause the service to take longer to recover; at worst, it will fall over in the face of a request load it simply can’t handle. A better solution is to use an exponential backoff strategy where retries occur a fixed number of times with an increasing delay placed between each subsequent request.

34
Q

Your company is migrating to the cloud and wants to replicate its on-premises network in Azure. The company plans to use Azure Virtual Networks to place resources in virtual networks and subnets.

You are working on the design for the company IP address schema and need to map out which ranges can be assigned to the HR department.

The HR department has a subnet with an address range of 10.3.0.0/16.

Which IP address can be dynamically assigned to the HR department?

A. 10.3.0.2
B. 10.3.255.254
C. 10.3.255.255
D. 10.3.0.1

A

B. 10.3.255.254

Explanation:
Any address in the range of 10.3.0.4 through 10.3.255.254 is available for assignment.

35
Q

Which statements regarding resource tagging are false? (Choose 2 answers)

A. Tagging a resource requires write access permission for the resource type.
B. Tags to a resource group are inherited by resources within the group.
C. Tags cannot be applied to Azure Classic deployment resources.
D. After a resource group has been tagged, any new resources added to the resource group inherit the resource group’s tags.

A

B. Tags to a resource group are inherited by resources within the group.
D. After a resource group has been tagged, any new resources added to the resource group inherit the resource group’s tags.

Explanation:
Tags added to a resource group are not inherited by resources within the group, and will not be inherited by new resources added to the resource group.

36
Q

You have specified auto scaling rules for an image processing application hosted on virtual machines. The application receives messages from Azure storage queues when images need to be processed.

The virtual machines are grouped into a scale set with the following Scale Out rules:

Scale out one VM if CPU utilization is above 60 percent.
Scale out two VMs if CPU utilization is above 80 percent.
Scale out one VM if disk writes per second reach 65 percent capacity.
Scale out two VMs if disk writes per second reach 85 percent capacity.
Scale out one VM if the message queue length reaches more than 700.
Scale out two VMs if the message queue reaches more than 1000.

The following Scale In rules are also applied:

Scale in one VM if CPU utilization drops below 35 percent.
Scale in two VMs if CPU utilization drops below 20 percent.
Scale in one VM if your message queue has fewer than 100 messages.

The app’s CPU utilization is currently at 30 percent, and the message queue contains 735 messages.

Based on these metrics, what auto scaling action(s) will your application perform?

A. It will scale out one virtual machine.
B. It will scale up one virtual machine.
C. It will scale in one virtual machine.
D. It will scale down one virtual machine.

A

A. It will scale out one virtual machine.

Explanation:
First and foremost, scale-out operations always have priority over scale-in operations. Anytime that multiple scale-out operations conflict with one another, the rule that takes precedence will be the one that initiates the largest increase in the number of instances. When it comes to scale-in conflicts, the rule that initiates the smallest decrease in the number of instances will take precedence. So, it will scale out one virtual machine due to the number of messages in the message queue.

37
Q

You have a large amount (100 TB) of archival data that needs to be retained for several years, due to compliance requirements. You determined that Azure Storage is the best data storage solution for this dataset. Your office is connected to the internet over a low bandwidth connection that is heavily utilized. What Azure storage tool could help you move this data to Azure?

A. Azure Storage Explorer
B. Azure CLI / Azure PowerShell
C. AzCopy
D. Azure Import/Export

A

D. Azure Import/Export

Explanation:
The Azure Import/Export service allows you to securely transfer large amounts of data to Azure blob storage by shipping hard disk drives to an Azure data center. You can also use this service to transfer data from Azure blob storage to hard disk drives and ship to your on-premises site. This service is suitable in situations where you want to transfer several terabytes (TB) of data to or from Azure, but uploading or downloading over the network is infeasible due to limited bandwidth or high network costs.

38
Q

You need to configure Network Watcher’s Network Performance Manager to monitor a hybrid network connection via ExpressRoute. Several steps are listed below. Which choice lists the required configuration steps in the correct order? (Note that not all of the steps listed below are necessary to configure an ExpressRoute Monitor.)

1. Configure to use ICMP
2. Configure to use TCP
3. Select ExpressRoute Peerings to Monitor
4. Run “EnableRules” PowerShell script on all VMs with installed Log Analytics Agent
5. Run “EnableRules” PowerShell script on NPM Monitoring VM
6. Connect or create an Azure Log Analytics workspace
7. Select related ExpressRoute Subscription and Initiate discovery
8. Install Azure Log Analytics agent on one or more VMs in each related subnet
9. Select related networks and nodes
10. Add Network Performance Monitor rules

A. 6 - 8 - 4 - 2 - 7 - 3
B. 6 - 2 - 7 - 3 - 9 - 10
C. 6 - 8 - 5 - 1 - 7 - 3
D. 6 - 1 - 8 - 4 - 9 - 10

A

A. 6 - 8 - 4 - 2 - 7 - 3

Explanation:
The correct order of operations to create an ExpressRoute Monitor is:

Connect or create an Azure Log Analytics workspace
Install Azure Log Analytics agent on one or more VMs in each related subnet
Run “EnableRules” PowerShell script on all VMs with installed Log Analytics Agent
Configure to use TCP
Select related ExpressRoute Subscription and Initiate discovery
Select ExpressRoute Peerings to Monitor

39
Q

Which Microsoft Azure Active Directory solution should you use to enable a cloud identity management solution for your consumer-facing web and mobile applications?

A. Azure Active Directory B2C
B. Azure Active Directory
C. Azure Active Directory Domain Services
D. Azure MFA

A

A. Azure Active Directory B2C

Explanation:
In the past, application developers who wanted to sign up and sign in consumers to their applications would have written their own code. And they would have used on-premises databases or systems to store usernames and passwords. Azure Active Directory B2C offers developers a better way to integrate consumer identity management into their applications with the help of a secure, standards-based platform and a rich set of extensible policies. When you use Azure Active Directory B2C, your consumers can sign up for your applications by using their existing social accounts (Facebook, Google, Amazon, LinkedIn) or by creating new credentials (email address and password, or username and password); we call the latter “local accounts.”

40
Q

Several Azure resources that you own were recently deleted from a production environment.

Your company’s IT staff includes several hundred people, including temporary staff whose roles and authorized permissions quickly change from project to project.

As an Azure Resource Owner at a resource group scope, what steps are you authorized to take to best prevent deletion of Azure resources deployed in production environments, and resources deployed in the future?

A. Automate an Azure AD Connect sync on a weekly basis. Institute conditional access requirements for all authorized devices, and require MFA based on role.
B. Assign a resource lock to each deployed resource you own and include resource locks for your resources in production environment ARM templates.
C. Update the Azure resource policy to each resource you own and include the policy for your resources in production environment ARM templates.
D. Update the Azure resource policies for all resources that directly handle ARM templates to prevent accidental resource deletion.

A

B. Assign a resource lock to each deployed resource you own and include resource locks for your resources in production environment ARM templates.

Explanation:
To correctly answer this question, you should have a basic understanding of common roles in Microsoft Azure, the scope of actions those roles can perform, and what each service or mechanism involved in the question can accomplish.

As a Resource Owner, you would not necessarily be able to change policy or implement locks at the subscription level. You are also not likely to be able to institute more stringent requirements in Azure AD to require conditional access and MFA.

You can assign resource policies to your current resources, and include them in templates, but this will not actually prevent resource deletion. Resource locks are the only tool at your disposal to address the problem directly with your level of authority.

41
Q

Your company has virtual machines hosted in Azure as well as on premise, and needs to share files across the virtual machines. Which storage option would best meet this requirement?

A. Store the files using Blob storage.
B. Store the files using File storage.
C. Store the files using Table storage.
D. Store the files using Queue storage.

A

B. Store the files using File storage.

Explanation:
Azure File storage is specifically meant for File shares, in contrast to other storage services. The Azure File service exposes file shares using the standard SMB 2.1 protocol. Even files from on-premise locations can be copied to the Azure file storage service and subsequently can be accessed by the virtual machines hosted in Azure.

42
Q

Your organization has a custom line-of-business (LOB) application that uses several Azure resources. All of the LOB application resources are in the same resource group.

You want to create a template for the resource group currently being used by the LOB application.

What should you do?

A. Use the Get-AzResourceGroupDeployment cmdlet.
B. Use the Export-AzResourceGroup cmdlet.
C. Use the Save-AzResourceGroupDeploymentTemplate cmdlet.
D. Use the Get-AzResourceGroupDeploymentOperation cmdlet.

A

C. Use the Save-AzResourceGroupDeploymentTemplate cmdlet.

Explanation:
You should use the Save-AzResourceGroupDeploymentTemplate cmdlet because it saves a resource group deployment template to a JSON file, as in the following example:

Save-AzResourceGroupDeploymentTemplate -DeploymentName "TestDeployment" -ResourceGroupName "TestGroup"

This command gets the deployment template from TestDeployment and saves it as a JSON file in the current directory so that it can be reused for the target resources needed for the LOB application.

You should not use the Get-AzResourceGroupDeployment cmdlet because it returns the deployment history for a resource group.

You should not use the Export-AzResourceGroup cmdlet because it will export all resources in the resource group as a template.

You should not use the Get-AzResourceGroupDeploymentOperation cmdlet because this command returns all operations performed during a deployment.
Learn more: https://learn.microsoft.com/en-us/powershell/module/az.resources/save-azresourcegroupdeploymenttemplate?view=azps-9.2.0

43
Q

Which Azure Storage service is designed for large-scale, offline data migration intended to help businesses migrate their data onto the Azure cloud?

A. AzCopy
B. Azure Data Box
C. Azure Storage Explorer
D. StorSimple

A

B. Azure Data Box

Explanation:
The Microsoft Azure Data Box cloud solution lets you send terabytes of data into Azure in a quick, inexpensive, and reliable way. The secure data transfer is accelerated by shipping you a proprietary Data Box storage device. Each storage device has a maximum usable storage capacity of 80 TB and is transported to your data center through a regional carrier. The device has a rugged casing to protect and secure data in transit.

44
Q

As your company’s IT Security Manager, you want to integrate security monitoring services on corporate virtual and on-premise hardware such as employee laptops, virtual machines, mobile devices and so on. To address your company’s concerns, you are reviewing Microsoft Defender for Cloud capabilities.

Microsoft Defender for Cloud can monitor which of the following types of computers?

A. Azure-hosted virtual machines with Windows and Linux operating systems
B. Azure-hosted virtual machines with Windows and Linux operating systems, and non-Azure virtual machines with Windows operating systems
C. Azure-hosted virtual machines with Windows and Linux operating systems, and on-premise computers with Windows operating systems
D. Azure-native virtual machines, non-Azure virtual machines, and on-premise computers with Windows and Linux operating systems

A

D. Azure-native virtual machines, non-Azure virtual machines, and on-premise computers with Windows and Linux operating systems

Explanation:
Microsoft Defender for Cloud can monitor virtual machines in the Azure Cloud and virtual machines hosted outside of the Azure cloud, as well as on-premise computers. Endpoint protection integrates with Linux and Windows operating systems.