Design Identity, Governance, and Monitoring Solutions Flashcards

1
Q

You are working for a global company operating in East US, Central US, North Europe, West Europe, East Asia, and Southeast Asia. The company plans to use the Azure Monitor solution to centralize log storage. In order to store the log data in the Azure Monitor solution, the company has the following requirements:

  • To minimize administrative overhead
  • To minimize costs
  • To conform to specific regional compliance requirements
  • To provide regional data sovereignty

You need to identify the minimum number of log analytics workspaces to fulfill the requirements.

How many workspaces should you identify?

A

3 (One per geography to conform to regional compliance and data sovereignty)

2
Q

Are tags on a resource group inherited to newly created resources?

A

No.

3
Q

Can tags be applied to management groups?

A

No

4
Q

At what levels can tags be applied?

A

Subscriptions, Resource Groups, Resources

You cannot apply tags at management group levels. You can apply Azure Policies that manage resource tags at management group levels.

5
Q

How can you apply tags at the management group level?

A

By using Azure Policies that manage resource tags at the management group levels.

6
Q

You decide to use tagging to organize your Azure resources.

You need to make sure that new resources are tagged as soon as possible and that manual tagging is not required.

What should you do?

A

You should create an Azure policy to apply tagging when you create new resources. An Azure policy can be predefined and applied to all new resources.

7
Q

What is the impact to resources of unassigning a Blueprint?

A

All blueprint resource locking is removed when you unassign a blueprint.

This is the only impact to resources and resource groups in the blueprint’s scope. New resources will remain in place, updates to existing resources are maintained, and RBAC role assignments do not change. Resources remain in place, but they are no longer protected by the blueprint.

8
Q

Can Azure AD sign-in logs be routed to Azure Storage for archiving?

A

Yes.

This is useful for storing logs longer than 90 days, which is the default number of days Activity Log events are stored on the Azure platform.

9
Q

What is required to enable Azure AD activity logs in Azure Monitor?

A

A Log Analytics workspace

10
Q

What should you recommend to automatically remove users from groups that they no longer need to be in?

A

Access review

You should recommend access review. Access review can be performed once or periodically, and you can configure who should perform the review: either the group owner or the group members themselves. At the end of the evaluation period, users who no longer need membership can be automatically removed from the group. Based on the configuration, users for whom no review is performed can also be removed from the group automatically.

11
Q

Is access granted to a VM passed on to applications run on the VM?

A

Yes

This can be useful when hosting several applications on the same VM to minimize management of access to cloud resources.

12
Q

Can you specify managed identity as part of an ARM template?

A

Yes

You can specify managed identity assignments as part of an ARM template. You can assign a system-assigned managed identity, one or more user-assigned managed identities, or both. For example, you could include the following in your ARM template to create and assign a system-assigned managed identity:

"identity": {
  "type": "SystemAssigned"
}

User-assigned managed identities must be explicitly created before they can be assigned to a resource.

13
Q

How many system-assigned managed identities can a VM have?

A

1

14
Q

How many user-assigned managed identities can a VM have?

A

Multiple

15
Q

Your Azure organizational hierarchy has one management group with two subscriptions and four resource groups in each subscription. You plan to implement Azure policies to help you organize and manage resources in your organization.

You plan to implement a custom policy to:

  • Restrict the types of virtual machines (VMs) that can be deployed.
  • Apply any current tags on resource groups to new resources when they are created.

You need to determine the minimum number of custom policies and policy assignments required.

Minimum number of custom policies?

Minimum number of policy assignments?

A

1 & 1

To assign the custom policy to the management group, you need to create a minimum of one custom policy and make one policy assignment. Only one policy is needed because you can include multiple policy rules in the custom policy to meet the policy requirements. Policies applied at a hierarchical level are automatically inherited; therefore, applying the policy at the management group applies the policy to the subscriptions and resource groups beneath it.

16
Q

You are designing the monitoring solution for a microservice solution hosted in an Azure Kubernetes Service (AKS) cluster.

You need to recommend a monitoring solution that meets the following requirements:

  • Measure the memory consumption of cluster nodes.
  • Monitor the health of pods and deployments.
  • Create alerts when persistent volumes are more than 80% full.
  • Visualize the metrics and dashboards within the Azure Portal.

What should you recommend?

A

You should recommend Container insights. You can use Container insights to monitor workloads running Kubernetes-based solutions in Azure. You can monitor and create alerts for all components in the cluster, including node memory and processor usage, pod and deployment health, and persistent volume usage. You can access the Container insights dashboards and metrics within the Azure Portal or integrate them with external monitoring tools, such as Prometheus or Grafana.

17
Q

You are designing an internal Platform-as-a-Service (PaaS) solution with the following components:

  • An Azure Kubernetes Service (AKS) cluster named Aks1 to host multiple microservices.
  • A virtual machine scale set named Vmss1 to process background tasks.
  • An Azure key vault named Vault1 to store secrets.
  • A blob storage account named Storage1 to store blob files.

All components should use your company’s Azure Active Directory (Azure AD) tenant as the main identity provider.

What should you use to grant permissions to Aks1 and Vmss1 to access the secrets in Vault1 and files in Storage1 using a single identity principal?

A

User-assigned managed identities

18
Q

You have an Active Directory domain in sync with Azure Active Directory (Azure AD). There are multiple applications deployed on-premises and users authenticate using integrated Windows authentication when accessing the applications from the on-premises network. Some users are working remotely and need to access these applications.

You need to recommend a solution so that remote users can use Azure AD to access the applications.

Which two elements should you configure? Each correct answer presents part of the solution.

A

You should configure an Azure enterprise application for your on-premises applications. Enterprise applications in Azure AD allow you to manage applications for authentication and authorization scenarios. You can provide the endpoints of the on-premises applications to the enterprise application to manage access and security, and monitor usage. Enterprise applications can also be used to provide access to third-party applications such as Box and Office 365 from the pre-integrated gallery of applications.

You should also configure Azure AD Application Proxy in order to provide access for remote users to the on-premises applications. The users can log in through their Azure AD account instead of via Windows authentication. Once the on-premises application has been configured as an enterprise application, you need to configure the pre-authentication step, where you can select Azure AD. So, whenever the users from outside the network try to access the application, they will be redirected to the Azure AD authentication page and then they can log in to access the application. Users who are accessing the applications from the on-premises network will still continue to use Windows authentication to access the application.

19
Q

Can backups of Key Vaults be restored to a different region?

A

No

20
Q

Are KeyVault contents replicated to a second region in the same geography?

A

Yes, as long as they’re part of the same subscription.

21
Q

You are designing a monitoring strategy for an Azure SQL Database. The performance data must be collected from the database and visualized in a dashboard.

You need to minimize programming effort.

Which logging target should you specify in the design?

A

You should choose Azure SQL Analytics, which offers a performance dashboard for Azure SQL databases. You simply add the solution to your Azure dashboard, which requires minimal programming effort.