Best Exam Practice Material for Microsoft AZ-104 Exam Q&A

1. You have an Azure subscription.

Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.

You have a line-of-business app named App1 that runs on several Azure virtual machine.

The virtual machines run Windows Server 2016.

You need to ensure that the connections to App1 are spread across all the virtual machines.

What are two possible Azure services that you can use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

2. You have an Azure subscription named Subscription1 that contains a virtual network named VNet 1. VNet1 is in a resource group named RG 1.

Subscription1 has a user named User 1. User1 has the following roles:

- Reader

- Security Admin

- Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

3. Case Study 4 - ADatum



Overview

ADatum Corporation is a financial company that has two main offices in New York and Los Angeles. ADatum has a subsidiary named Fabrikam, Inc. that shares the Los Angeles office.

ADatum is conducting an initial deployment of Azure services to host new line-of-business applications and is preparing to migrate its existing on-premises workloads to Azure.

ADatum uses Microsoft Exchange Online for email.



Existing Environment

On-Premises Environment

The on-premises workloads run on virtual machines hosted in a VMware vSphere 6 infrastructure. All the virtual machines are members of an Active Directory forest named adatum.com and run Windows Server 2016.

The New York office uses an IP address space of 10.0.0.0/16. The Los Angeles office uses an IP address space of 10.10.0.0/16.

The offices connect by using a VPN provided by an ISP. Each office has one Azure ExpressRoute circuit that provides access to Azure services and Microsoft Online Services. Routing is implemented by using Microsoft peering.

The New York office has a virtual machine named VM1 that has the vSphere console installed.



Azure Environment

You provision the Azure infrastructure by using the Azure portal.

The infrastructure contains the resources shown in the following table.





AG1 has two backend pools named Pool11 and Pool12. AG2 has two backend pools named Pool21 and Pool22.



Requirements

Planned Changes

ADatum plans to migrate the virtual machines from the New York office to the East US Azure region by using Azure Site Recovery.



Infrastructure Requirements

ADatum identifies the following infrastructure requirements:

✑ A new web app named App1 that will access third-parties for credit card processing must be deployed.

✑ A newly developed API must be implemented as an Azure function named App2. App2 will use a blob storage trigger. App2 must process new blobs immediately.

✑ The Azure infrastructure and the on-premises infrastructure must be prepared for the migration of the VMware virtual machines to Azure.

✑ The sizes of the Azure virtual machines that will be used to migrate the on-premises workloads must be identified.

✑ All migrated and newly deployed Azure virtual machines must be joined to the adatum.com domain.

✑ AG1 must load balance incoming traffic in the following manner:

- http://corporate.adatum.com/video/* will be load balanced across Pool1 1.

- http://corporate.adatum.com/images/* will be load balanced across Pool12.

✑ AG2 must load balance incoming traffic in the following manner:

- http://www.adatum.com will be load balanced across Pool2 1.

- http://fabrikam.com will be load balanced across Pool22.

✑ ER1 must route traffic between the New York office and platform as a service (PaaS) services in the East US Azure region, as long as ER1 is available.

✑ ER1 must route traffic between the Los Angeles office and the PaaS services in the West US region, as long as ER2 is available.

✑ ER1 and ER2 must be configured to fail over automatically.



Application Requirements

App2 must be available to connect directly to the private IP addresses of the Azure virtual machines. App2 will be deployed directly to an Azure virtual network.

Inbound and outbound communications to App1 must be controlled by using NSGs.



Pricing Requirements

ADatum identifies the following pricing requirements:

✑ The cost of App1 and App2 must be minimized

✑ The transactional charges of Azure Storage accounts must be minimized



You need to configure AG 1.

What should you create?

4. Case Study 1 - Humongous Insurance



Overview

Existing Environment

Humongous Insurance is an insurance company that has three offices in Miami, Tokoyo, and Bankok.

Each has 5000 users.



Active Directory Environment

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com.

The functional level of the forest is Windows Server 2012.

You recently provisioned an Azure Active Directory (Azure AD) tenant.



Network Infrastructure

Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Each office has several link load balancers that provide access to the servers.



Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.

You suspect that some of the characters are unsupported in Azure AD.



Licensing Issue

You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user." You verify that the Azure subscription has the available licenses.



Requirements

Planned Changes

Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.



Planned Azure AD Infrastructure

The on-premises Active Directory domain will be synchronized to Azure AD.

All client computers in the Paris office will be joined to an Azure AD domain.



Planned Azure Networking Infrastructure

You plan to create the following networking resources in a resource group named All_Resources:

✑ Default Azure system routes that will be the only routes used to route traffic

✑ A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2

✑ A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet

✑ A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4

You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.

You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.



Planned Azure Computer Infrastructure

Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.



Department Requirements

Humongous Insurance identifies the following requirements for the company's departments:

✑ Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.

✑ During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.



Authentication Requirements

Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.



You need to resolve the Active Directory issue.

What should you do?

5. You have an Azure subscription named Subscription 1.

You have a virtualization environment that contains the virtualization servers in the following table.





The virtual machines are configured as shown in the following table.





All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker).

You plan to use Azure Site Recovery to migrate the virtual machines to Azure .

Which virtual machines can you migrate? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

6. You have the Azure resources shown on the following exhibit.





You plan to track resource usage and prevent the deletion of resources.

To which resources can you apply locks and tags? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

7. From the MFA Server blade, you open the Block/unblock users blade as shown in the exhibit.





What caused AlexW to be blocked?

8. You have an Azure subscription that contains two resource groups named RG1 and RG2. RG2 does not contain any resources.

RG1 contains the resources in the following table.





Which resource can you move to RG2?

9. Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).

You need to configure an Azure internal load balancer as a listener for the availability group.

Solution: You create an HTTP health probe on port 1433.

Does the solution meet the goal?

10. You have an Azure subscription named Subscription1 that contains the resources shown in the following table.





You create virtual machines in Subscription1 as shown in the following table.





You plan to use Vault1 for the backup of as many virtual machines as possible.

Which virtual machines can be backed up to Vault1?

11. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company registers a domain name of contoso.com.

You create an Azure DNS named contoso.com and then you add an A record to the zone for a host named www that has an IP address of 13 1. 107. 1. 10.

You discover that Internet hosts are unable to resolve www.contoso.com to the 13 1. 107. 1. 10 IP address.

You need to resolve the name resolution issue.

Solution: You modify the name server at the domain register.

Does this meet the goal?

12. You have an Azure subscription named Sub 1.

You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.





You need to recommend a networking solution to meet the following requirements:

- Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.

- Protect the web servers from SQL injection attacks.

Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point

13. You are the global administrator for an Azure Directory (Azure AD) tenant named adatum.com.

You need to enable two-step verification for Azure users.

What should you do?

14. You are troubleshooting a performance issue for an Azure Application Gateway.

You need to compare the total requests to the failed requests during the past six hours .

What should you use?

15. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.

Does this meet the goal?

16. You plan to use Azure Network Watcher to perform the following tasks:

Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.

Task2: Validate outbound connectivity from an Azure virtual machine to an external host.

Which feature should you use for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

17. Case Study 3 - Contoso, Ltd





Overview

Litware, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.

All the resources used by Litware are hosted on-premises.

Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named Litware.onmicrosoft.com. The tenant uses the P1 pricing tier.



Existing Environment

The network contains an Active Directory forest named Litware.com. All domain controllers are configured as DNS servers and host the Litware.com DNS zone.

Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.

Litware.com contains a user named User1.

All the offices connect by using private links.

Litware has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.

All infrastructure servers are virtualized.



The virtualization environment contains the servers in the following table.





Litware uses two web applications named App1 and App2. Each instance on each web application requires 1GB of memory.

The Azure subscription contains the resources in the following table.





The network security team implements several network security groups (NSGs).



Planned Changes

Litware plans to implement the following changes:

• Deploy Azure ExpressRoute to the Montreal office.

• Migrate the virtual machines hosted on Server1 and Server2 to Azure.

• Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).

• Migrate App1 and App2 to two Azure web apps named webApp1 and WebApp2.



Technical requirements

Litware must meet the following technical requirements:

• Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instance*.

• Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.

• Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.

• Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.

• Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.Litware.com.

• Connect the New Your office to VNet1 over the Internet by using an encrypted connection.

• Create a workflow to send an email message when the settings of VM4 are modified.

• Create a custom Azure role named Role1 that is based on the Reader role.

• Minimize costs whenever possible.



You need to meet the connection requirements for the New York office.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

18. You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.

You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

19. You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.

You purchase 10 Azure AD Premium P2 licenses for the tenant.

You need to ensure that 10 users can use all the Azure AD Premium features.

What should you do?

20. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. Solution: From Azure Monitor, you create a metric on Network In and Network Out. Does this meet the goal?

21. You have two Azure subscriptions named Sub1 and Sub2. Sub1 is in a management group named MG 1. Sub2 is in a management group named MG2.

You have the resource groups shown in the following table.





You have the virtual machines shown in the following table.

Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic. NOTE Each correct selection is worth one point.

22. Case Study 2 - Contoso, Ltd



Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.



Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.



Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

- Move all the tiers of App1 to Azure.

- Move the existing product blueprint files to Azure Blob storage.

- Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.



Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

Minimize administrative effort whenever possible.



User Requirements

Contoso identifies the following requirements for users:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.

✑ Admin1 must receive email alerts regarding service outages.

✑ Ensure that a new user named User3 can create network objects for the Azure subscription.



You need to move the blueprint files to Azure.

What should you do?

23. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it As a result these questions will not appear in the review screen.

Your company registers a domain name of contoso.com.

You create an Azure DNS zone named contoso.com, and then you add an A record to the zone for a host named www that has an IP address of 13 1. 107. 1. 10. You discover that Internet hosts are unable to resolve www.contoso.com to the 13 1. 107. 1. 10 IP address. You need to resolve the name resolution issue.

Solution: You create a PTR record for www in the contoso.com zone.

Does this meet the goal?

24. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Azure Network Watcher, you create a connection monitor.

Does this meet the goal?

25. Your company has an Azure subscription that includes a Recovery Services vault.

You want to use Azure Backup to schedule a backup of your company's virtual machines (VMs) to the Recovery Services vault.

Which of the following VMs can you back up? Choose all that apply.

26. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company registers a domain name of contoso.com.

You create an Azure DNS zone named contoso.com, and then you add an A record to the zone for a host named www that has an IP address of 13 1. 107. 1. 10.

You discover that Internet hosts are unable to resolve www.contoso.com to the 13 1. 107. 1. 10 IP address.

You need to resolve the name resolution issue.

Solution: You modify the name servers at the domain registrar.

Does this meet the goal?

27. You have an Azure subscription.

You enable multi-factor authentication for all users.

Some users report that the email applications on their mobile device cannot connect to their Microsoft Exchange Online mailbox. The users can access Exchange Online by using a web browser and from Microsoft Outlook 2016 on their computer.

You need to ensure that the users can use the email applications on their mobile device.

What should you instruct the users to do?

28. Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain.

You have a server named DirSync1 that is configured as a DirSync server.

You create a new user account in the on-premise Active Directory. You now need to replicate the user information to Azure AD immediately.

Solution: You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller.

Does the solution meet the goal?

29. You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines. You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.

What should you create to store the password?

30. You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.





You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.





You need to identify the minimum number of alert rules and action groups required for the planned monitoring.

How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

31. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.





VM1 connects to a virtual network named VNET2 by using a network interface named NIC 1.

You need to create a new network interface named NIC2 for VM 1.

Solution: You create NIC2 in RG2 and Central US.

Does this meet the goal?

32. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You configure a custom policy definition, and then you assign the policy to the subscription.

Does this meet the goal?

33. Your company has an Azure subscription.

You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates. You have been informed that the VMs will be included in a single availability set.

You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance.

Which of the following is the value that you should configure for the platformUpdateDomainCount

property?

34. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:





User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User1 to create the user accounts.

Does that meet the goal?

35. You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VMet1 contains one subnet named Subnet 1.

Subnet1 is associated to a network security group (NSG) named NSG 1. Subnet1 contains a basic internal load balancer named ILB 1. ILB1 has three Azure virtual machines in the backend pool.

You need to collect data about the IP addresses that connects to ILB 1. You must be able to run interactive queries from the Azure portal against the collected data.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

36. You have an Azure subscription that contains the resources shown in the following table.





You need to create a network interface named NIC 1.

In which location can you create NIC1?

37. You have an Azure subscription named Subscription1 and two Azure Active Directory (Azure AD) tenants named Tenant1 and Tenant2.

Subscription1 is associated to Tenant 1. Multi-factor authentication (MFA) is enabled for all the users in Tenant 1.

You need to enable MFA for the users in Tenant2. The solution must maintain MFA for Tenant 1.

What should you do first?

38. Drag and Drop

You have an on-premises file server named Server1 that runs Windows Server 2016.

You have an Azure subscription that contains an Azure file share.

You deploy an Azure File Sync Storage Sync Service, and you create a sync group.

You need to synchronize files from Server1 to Azure.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

39. You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.

Subscription1 contains a virtual machine named VM 1.

You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.

What should you do first?

40. Case Study 2 - Contoso, Ltd



Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.



Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.



Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

- Move all the tiers of App1 to Azure.

- Move the existing product blueprint files to Azure Blob storage.

- Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.



Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

Minimize administrative effort whenever possible.



User Requirements

Contoso identifies the following requirements for users:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.

✑ Admin1 must receive email alerts regarding service outages.

✑ Ensure that a new user named User3 can create network objects for the Azure subscription.



You need to meet the user requirement for Admin 1.

What should you do?

41. You have web app in the West US, Central US and East US Azure regions.

You have the App plans shown in the following table.





You plan to create an additional App Service plan named ASPs that will use the Linux operating system.

You need to identify in which of the currently used locations you can deploy ASPs.

What should you recommend?

42. You have an Azure subscription named Subscription 1.

In Subscription1, you create an alert rule named Alert 1.

The Alert1 action group is configured as shown in the following exhibit.





Alert1 alert criteria triggered every minute.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

43. You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit:





Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

44. You have a deployment template named Template1 that is used to deploy 10 Azure web apps.

You need to identify what to deploy before you deploy Template 1. The solution must minimize Azure costs.

What should you identify?

45. You have an Azure subscription that contains a storage account named storageacct1234 and two users named User1 and User2.

You assign User1 the roles shown in the following exhibit.





Which two actions can User1 perform? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

46. Your company has an Azure subscription.

You need to deploy a number of Azure virtual machines (VMs) using Azure Resource Manager (ARM) templates.

You have been informed that the VMs will be included in a single availability set.

You are required to make sure that the ARM template you configure allows for as many VMs as possible to remain accessible in the event of fabric failure or maintenance.

Which of the following is the value that you should configure for the platformFaultDomainCount property?

47. Your company's Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.

One of the VMs is backed up every day using Azure Backup Instant Restore.

When the VM becomes infected with data encrypting ransomware, you decide to recover the VM's files.

Which of the following is TRUE in this scenario?

48. You have the App Service plans shown in the following table.





You plan to create the Azure web apps shown in the following table.





You need to identify which App Service plans can be used for the web apps.

What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

49. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You deploy an Azure Kubernetes Service (AKS) cluster named AKS 1.

You need to deploy a YAML file to AKS 1.

Solution: From Azure CLI, you run azcopy.

Does this meet the goal?

50. You have an Azure DNS zone named adatum.com.

You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.

What should you do?

51. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.

Does this meet the goal?

52. You are troubleshooting a performance issue for an Azure Application Gateway.

You need to compare the total requests to the failed requests during the past six hours.

What should you use?

53. You have an Azure subscription named Subscription1 that is used be several departments at your company.

Subscription1 contains the resources in the following table:





Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template. You need to view the template used for the deployment.

From which blade can you view the template that was used for the deployment?

54. You have an Azure Migrate project that has the following assessment properties:

✑ Target location: East US

✑ Storage redundancy: Locally redundant

✑ Comfort factor: 2.0

✑ Performance history: 1 month

✑ Percentile utilization: 95th

✑ Pricing tier: Standard

✑ Offer: Pay as you go

You discover the following two virtual machines:

✑ A virtual machine named VM1 that runs Windows Server 2016 and has 10 CPU cores at 20 percent utilization

✑ A virtual machine named VM2 that runs Windows Server 2012 and has four CPU cores at 50 percent utilization

How many CPU cores will Azure Migrate recommend for each virtual machine? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

55. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription 1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.

You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.

Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.

Does this meet the goal?

56. You need to create a bar chart that shows the number of distinct computers that have sent heartbeats each week.

How should you complete the Log Analytics query? To answer, select the appropriate options in the answer area. NOTE; Each correct selection is worth one point.

57. You have an Azure subscription named Subscription1 that contains the resources shown in the following table:





You plan to configure Azure Backup reports for Vault 1.

You are configuring the Diagnostics settings for the AzureBackupReports log.

Which storage accounts and which Log Analytics workspaces can you use for the Azure Backup reports of Vault1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

58. You have an Azure virtual machine named VM1 that connects to a virtual network named VNet 1.

VM1 has the following configurations:

✑ Subnet: 10.0.0.0/24

✑ Availability set: AVSet

✑ Network security group (NSG): None

✑ Private IP address: 10.0.0.4 (dynamic)

✑ Public IP address: 40.90.219.6 (dynamic)

You deploy a standard, Internet-facing load balancer named slb 1.

You need to configure slb1 to allow connectivity to VM 1.

Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

59. You are planning to deploy an Ubuntu Server virtual machine to your company's Azure subscription.

You are required to implement a custom deployment that includes adding a particular trusted root certification authority (CA).

Which of the following should you use to create the virtual machine?

60. Case Study 3 - Contoso, Ltd



Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.

All the resources used by Contoso are hosted on-premises.

Contoso creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses adomain named contoso.onmicrosoft.com. The tenant uses the P1 pricing tier.



Existing Environment

The network contains an Active Directory forest named contoso.com. All domain controllers are configured as DNS servers and host the contoso.com DNS zone.

Contoso has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.

Contoso.com contains a user named User 1.

All the offices connect by using private links.

Contoso has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.

All infrastructure servers are virtualized.



The virtualization environment contains the servers in the following table.





Contoso uses two web applications named App1 and App2. Each instance on each web application requires 1GB of memory.

The Azure subscription contains the resources in the following table.





The network security team implements several network security groups (NSGs).



Planned Changes

Litware plans to implement the following changes:

• Deploy Azure ExpressRoute to the Montreal office.

• Migrate the virtual machines hosted on Server1 and Server2 to Azure.

• Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).

• Migrate App1 and App2 to two Azure web apps named webApp1 and WebApp2.



Technical requirements

Litware must meet the following technical requirements:

• Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instance*.

• Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.

• Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.

• Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.

• Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.Litware.com.

• Connect the New Your office to VNet1 over the Internet by using an encrypted connection.

• Create a workflow to send an email message when the settings of VM4 are modified.

• Create a custom Azure role named Role1 that is based on the Reader role.

• Minimize costs whenever possible.



You need to implement Role 1.

Which command should you run before you create Role1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

61. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription 1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.

You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.

Solution: On Dev, you assign the Logic App Contributor role to the Developers group.

Does this meet the goal?

62. You have three offices and an Azure subscription that contains an Azure Active Directory (Azure AD) tenant.

You need to grant user management permissions to a local administrator in each office.

What should you use?

63. You have an Azure subscription that contains the virtual machines shown in the following table:





VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.

Subnet1 and Subnet2 are in a virtual network named VNET 1.

The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.

NSG2 uses the default rules and the following custom incoming rule:

✑ Priority: 100

✑ Name: Rule1

✑ Port: 3389

✑ Protocol: TCP

✑ Source: Any

✑ Destination: Any

✑ Action: Allow

NSG1 is associated to Subnet 1. NSG2 is associated to the network interface of VM2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

64. Case Study 5 - Contoso, Ltd



Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.



Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.



The Azure AD tenant contains the users shown in the following table.







Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.







User1 manages the resources in RG1. User4 manages the resources in RG2.

Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table







No network security groups (NSGs) are associated to the network interfaces or the subnets.

Sub1 contains the storage accounts shown in the following table.







Requirements

Planned Changes

Contoso plans to implement the following changes:

✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

✑ Create a storage account named storage5 and configure storage replication for the Blob service.

✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.





✑ Associate NSG1 to the network interface of VM1.

✑ Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.





✑ Associate NSG2 to VNET1/Subnet2.



Technical Requirements

Contoso must meet the following technical requirements:

✑ Create container1 and share1.

✑ Use the principle of least privilege.

✑ Create an Azure AD security group named Group4.

✑ Back up the Azure file shares and virtual machines by using Azure Backup.

✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1

✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.



You need to identify which storage account to use for the flow logging of IP traffic from VM5.

The solution must meet the retention requirements.

Which storage account should you identify?

65. SIMULATION



Overview

The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.



Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.



Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.



Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.



To start the lab

You may start the lab by clicking the Next button.

You plan to connect several virtual machines to the VNET01-USEA2 virtual network.

In the Web-RGlod8095859 resource group, you need to create a virtual machine that uses the Standard_B2ms size named Web01 that runs Windows Server 2016. Web01 must be added to an availability set.



What should you do from the Azure portal?

66. You have an Azure subscription that contains the resources shown in the following table.





All virtual machines run Windows Server 2016.

On VM1, you back up a folder named Folder1 as shown in the following exhibit.





You plan to restore the backup to a different virtual machine.

You need to restore the backup to VM2.

What should you do first?

67. You have an Azure subscription that contains the virtual networks shown in the following table.





The subscription contains the private DNS zones shown in the following table.





You add virtual network links to the private DNS zones as shown in the following table.





For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

68. You plan to use the Azure Import/Export service to copy files to a storage account.

Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

69. You have an Azure subscription that contains the resources shown in the following table.





VMSS1 is set to VM (virtual machines) orchestration mode.

You need to deploy a new Azure virtual machine named VM1, and then add VM1 to VMSS 1.

Which resource group and location should you use to deploy VM1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

70. You are the global administrator for an Azure Active Directory (Azure AD) tenant named adatum.com.

You need to enable two-step verification for Azure users.

What should you do?

71. Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory domain.

The on-premise virtual environment consists of virtual machines (VMs) running on Windows Server 2012 R2 Hyper-V host servers.

You have created some PowerShell scripts to automate the configuration of newly created VMs.

You plan to create several new VMs.

You need a solution that ensures the scripts are run on the new VMs.

Which of the following is the best solution?

72. Your on-premises network contains a VPN gateway.

You have an Azure subscription that contains the resources shown in the following table.





You need to ensure that all the traffic from VM1 to storage! travels across the Microsoft backbone network.

What should you configure?

73. Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that is configured for hybrid coexistence with the on-premises Active Directory domain.

The tenant contains the users shown in the following table.





Whenever possible, you need to enable Azure Multi-Factor Authentication (MFA) for the users in contoso.com.

Which users should you enable for Azure MFA?

74. You have five Windows Server 2008 R2 physical servers. The servers satisfy all requirements for failover protection using Azure Site Recovery (ASR). ASR is correctly configured and active.

You need to ensure that only 10 minutes of data is lost in the event of an incident by using the minimum amount of effort.

Which PowerShell cmdlet should you run?

75. You sign up for Azure Active Directory (Azure AD) Premium.

You need to add a user named [email protected] as an administrator on all the computers

that will be joined to the Azure AD domain.

What should you configure in Azure AD?

76. You have an Azure Active Directory (Azure AD) tenant named adatum.com.

Adatum.com contains the groups in the following table.





You create two user accounts that are configured as shown in the following table.





To which groups do User1 and User2 belong? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

77. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the resources shown in the following table.





VM1 connects to VNET 1.

You need to connect VM1 to VNET2.

Solution: You move VM1 to RG2, and then you add a new network interface to VM 1.

Does this meet the goal?

78. You have an Azure subscription.

You need to use an Azure Resource Manager (ARM) template to create a virtual machine that will have multiple data disks.

How should you complete the template? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

79. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Performance Monitor, you create a Data Collector Set (DCS).

Does this meet the goal?

80. You have an Azure web app named App 1.

App1 has the deployment slots shown in the following table:





In webapp1-test, you test several changes to App 1.

You back up App 1.

You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues. You need to revert to the previous version of App1 as quickly as possible.

What should you do?

81. You have an Azure Storage account named storage 1.

You have an Azure Service app named App1 and an app named App2 that runs in an Azure container instance. Each app uses a managed identity.

You need to ensure that App1 and App2 can read blobs from storage 1.

The solution must meet the following requirements:

- Minimize the number of secrets used.

- Ensure that App2 can only read from storage1 for the next 30 days.

What should you configure in storage1 for each app? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

82. You have an Azure virtual machine that runs Windows Server 2019 and has the following configurations:

✑ Name: VM1

✑ Location: West US

✑ Connected to: VNET1

✑ Private IP address: 10.1.0.4

✑ Public IP addresses: 52.186.85.63

✑ DNS suffix in Windows Server: Adatum.com

You create the Azure DNS zones shown in the following table.





You need to identify which DNS zones you can link to VNET1 and the DNS zones to which VM1 can automatically register.

Which zones should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

83. You purchase a new Azure subscription named Subscription 1.

You create a virtual machine named VM1 in Subscription 1.

VM1 is not protected by Azure Backup.

You need to protect VM1 by using Azure Backup. Backups must be created at 01:00 and stored for 30 days.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

84. You have an Azure subscription that contains a virtual machine named VM 1. VM1 hosts a line-of-business application that is available 24 hours a day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size.

You plan to make the following changes to VM1:

- Change the size to D8s v3.

- Add a 500-GB managed disk.

- Add the Puppet Agent extension.

- Enable Desired State Configuration Management.

Which change will cause downtime for VM1?

85. You have an Azure subscription that contains the resources shown in the following table.





VM1 and VM2 run a website that is configured as shown in the following table.





LB1 is configured to balance requests to VM1 and VM2.

You configure a health probe as shown in the exhibit. (Click the Exhibit tab.)





You need to ensure that the health probe functions correctly.

What should you do?

86. You need to configure Azure Backup to back up the file shares and virtual machines.

What is the minimum number of Recovery Services vaults and backup policies you should create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

87. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure virtual machine named VM 1. VM1 was deployed by using a custom Azure Resource Manager template named ARM 1. json.

You receive a notification that VM1 will be affected by maintenance.

You need to move VM1 to a different host immediately.

Solution: From the Overview blade, you move the virtual machine to a different resource group.

Does this meet the goal?

88. You have an app named App1 that runs on an Azure web app named webapp 1.

The developers at your company upload an update of App1 to a Git repository named Git 1.

Webapp1 has the deployment slots shown in the following table.





You need to ensure that the App1 update is tested before the update is made available to users.

Which two actions should you perform? Each correct answer presents part of the solution.

89. Your company has an Azure subscription named Subscription 1. The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.

You manage Server1 and Subscription1 from Server2.

Server2 has the following tools installed:

✑ The DNS Manager console

✑ Azure PowerShell

✑ Azure CLI 2.0

You need to move the adatum.com zone to Subscription 1. The solution must minimize administrative effort.

What should you use?

90. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription 1. Subscription1 contains a resource group named RG 1. RG1 contains resources that were deployed by using templates.

You need to view the date and time when the resources were created in RG 1.

Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment.

Does this meet the goal?

91. You have an Azure Active Directory (Azure AD) tenant.

You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.

Which three settings should you configure? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.

92. You have an Azure subscription that contains the resources in the following table.





VM1 and VM2 are deployed from the same template and host line-of-business applications.

You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit tab.)





You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.

What should you do?

93. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure virtual machine named VM 1. VM1 was deployed by using a custom Azure Resource Manager template named ARM 1. json.

You receive a notification that VM1 will be affected by maintenance.

You need to move VM1 to a different host immediately.

Solution: From the Redeploy blade, you click Redeploy.

Does this meet the goal?

94. You have an Azure subscription named Sub1 that contains the Azure resources shown in the following table.





You assign an Azure policy that has the following settings:

✑ Scope: Sub1

✑ Exclusions: Sub1/RG1/VNET1

✑ Policy definition: Append a tag and its value to resources

✑ Policy enforcement: Enabled

✑ Tag name: Tag4

✑ Tag value: value4

You assign tags to the resources as shown in the following table.





For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

95. You have an Active Directory forest named contoso.com.

You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled.

You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.

You need to ensure that the synchronization completes successfully.

What should you do?

96. You have an Azure subscription named Subscription 1.

Subscription1 contains the resources in the following table.





VNet1 is in RG 1. VNet2 is in RG2. There is no connectivity between VNet1 and Vnet2.

An administrator named Admin1 creates an Azure virtual machine named VM1 in RG 1.

M1 uses a disk named Disk1 and connects to VNet 1. Admin1 then installs a custom application in VM 1.

You need to move the custom application to Vnet2.

The solution must minimize administrative effort.

Which two actions should you perform? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

97. You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.

You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library 1.

You need to create groups for the users. The solution must ensure that the groups are deleted

automatically after 180 days.

Which two groups should you create? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

98. You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet 1. VNet1 contains a gateway subnet.

You need to create a site-to-site VPN. The solution must ensure that is a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.

What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

99. Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an Azure Active Directory (Azure AD) subscription.

You want to implement an Azure AD conditional access policy.

The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.

Solution: You access the multi-factor authentication page to alter the user settings.

Does the solution meet the goal?

100. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure web app named App 1. App1 runs in an Azure App Service plan named Plan 1. Plan1 is associated to the Free pricing tier.

You discover that App1 stops each day after running continuously for 60 minutes.

You need to ensure that App1 can run continuously for the entire day.

Solution: You change the pricing tier of Plan1 to Shared.

Does this meet the goal?

101. You have an Azure subscription that contains the resources in the following table.





Subnet1 is associated to VNet 1. NIC1 attaches VM1 to Subnet 1.

You need to apply ASG1 to VM 1.

What should you do?

102. You have an Azure subscription that contains the resources in the following table:





In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2.

The adatum.com zone is configured as shown in the following exhibit:





For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

103. Case Study 1 - Humongous Insurance



Overview

Existing Environment

Humongous Insurance is an insurance company that has three offices in Miami, Tokoyo, and Bankok.

Each has 5000 users.



Active Directory Environment

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com.

The functional level of the forest is Windows Server 2012.

You recently provisioned an Azure Active Directory (Azure AD) tenant.



Network Infrastructure

Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Each office has several link load balancers that provide access to the servers.



Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.

You suspect that some of the characters are unsupported in Azure AD.



Licensing Issue

You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user." You verify that the Azure subscription has the available licenses.



Requirements

Planned Changes

Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.



Planned Azure AD Infrastructure

The on-premises Active Directory domain will be synchronized to Azure AD.

All client computers in the Paris office will be joined to an Azure AD domain.



Planned Azure Networking Infrastructure

You plan to create the following networking resources in a resource group named All_Resources:

✑ Default Azure system routes that will be the only routes used to route traffic

✑ A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2

✑ A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet

✑ A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4

You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.

You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.



Planned Azure Computer Infrastructure

Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.



Department Requirements

Humongous Insurance identifies the following requirements for the company's departments:

✑ Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.

✑ During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.



Authentication Requirements

Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.



Drag and Drop

You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

104. Case Study 2 - Contoso, Ltd



Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.



Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.



Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

- Move all the tiers of App1 to Azure.

- Move the existing product blueprint files to Azure Blob storage.

- Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.



Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

Minimize administrative effort whenever possible.



User Requirements

Contoso identifies the following requirements for users:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.

✑ Admin1 must receive email alerts regarding service outages.

✑ Ensure that a new user named User3 can create network objects for the Azure subscription.



You need to recommend a solution for App 1. The solution must meet the technical requirements .

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

105. You have an Azure subscription named Subscription 1.

You enable Azure Active Directory (AD) Privileged Identity Management.

From Azure AD Privileged Identity Management, you configure the Global Administrator role for the Azure Active Directory (Azure AD) tenant as shown in the Role settings exhibit. (Click the Exhibit tab.)





From Azure AD Privileged Identity Management, you configure the global administrators as shown in the Members exhibit. (Click the Exhibit tab.)





User2 activates the Global Administrator role on July 16, 2018, at 10:00, as shown in the Activation exhibit. (Click the Exhibit tab.)





For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

106. You have the Azure virtual machines shown in the following table.





You have a Recovery Services vault that protects VM1 and VM2.

You need to protect VM3 and VM4 by using Recovery Services.

What should you do first?

107. You have a registered DNS domain named contoso.com.

You create a public Azure DNS zone named contoso.com.

You need to ensure that records created in the contoso.com zone are resolvable from the internet.

What should you do?

108. Your company's local environment consists of a single Active Directory Domain Services (AD DS) domain.

You plan to offer your users single sign-on (SSO) access to Azure-hosted software-as-a-service (SaaS) applications that use Azure Active Directory (Azure AD) authentication. The tenant's current domain name is companycom.onmicrosoft.com.

You need to configure Azure AD to use company.com, the organization's owned public domain name.

What should you do?

109. You have an Azure subscription that contains the following resources:

- 100 Azure virtual machines

- 20 Azure SQL databases

- 50 Azure file shares

You need to create a daily backup of all the resources by using Azure Backup.

What is the minimum number of backup policies that you must create?

110. You need to create an Azure Storage account that meets the following requirements:

- Minimizes costs

- Supports hot, cool, and archive blob tiers

- Provides fault tolerance if a disaster affects the Azure region where the account resides

How should you complete the command? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

111. You have an Azure Storage accounts as shown in the following exhibit.





Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

112. You have an Azure web app named WebApp1 that runs in an Azure App Service plan named ASP 1. ASP1 is based on the D1 pricing tier.

You need to ensure that WebApp1 can be accessed only from computers on your on-premises network.

The solution must minimize costs.

What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

113. You plan to deploy 20 Azure virtual machines by using an Azure Resource Manager template. The virtual machines will run the latest version of Windows Server 2016 Datacenter by using an Azure Marketplace image.

You need to complete the storageProfile section of the template.

How should you complete the storageProfile section? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

114. You have a virtual network named VNet1 that has the configuration shown in the following exhibit.





Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

115. You have an Azure subscription that contains the resource groups shown in the following table.





RG1 contains the resources shown in the following table.





RG2 contains the resources shown in the following table.





You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG 1.

Which resources should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

116. You have an Azure subscription that contains three virtual networks named VNet1, VNet2, VNet3.

VNet2 contains a virtual appliance named VM2 that operates as a router. You are configuring the virtual networks in a hub and spoke topology that uses VNet2 as the hub network.

You plan to configure peering between VNet1 and VNet2 and between VNet2 and VNet3.

You need to provide connectivity between VNet1 and VNet3 through VNet2.

Which two configurations should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

117. You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.

You need to delete the Recovery Services vault.

What should you do first?

118. You have an Azure subscription that contains the resources in the following table.





Store1 contains a file share named data. Data contains 5,000 files.

You need to synchronize the files in the file share named data to an on-premises server named Server 1.

Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

119. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.

The effective network security configurations for VM2 are shown in the following exhibit.





You discover that connections to App1 from 13 1. 107.100.50 over TCP port 443 fail.

You verify that the Load Balancer rules are configured correctly.

You need to ensure that connections to App1 can be established successfully from 13 1. 107.100.50 over TCP port 443.

Solution: You delete the BlockAllOther443 inbound security rule.

Does this meet the goal?

120. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure web app named App 1. App1 runs in an Azure App Service plan named Plan 1. Plan1 is associated to the Free pricing tier.

You discover that App1 stops each day after running continuously for 60 minutes.

You need to ensure that App1 can run continuously for the entire day.

Solution: You add a continuous WebJob to App 1.

Does this meet the goal?

121. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription 1. Subscription1 contains a resource group named RG 1. RG1 contains resources that were deployed by using templates. You need to view the date and time when the resources were created in RG 1.

Solution: From the RG1 blade, you click Automation script.

Does this meet the goal?

122. You have an Azure subscription that contains a virtual network named VNet 1.

VNet1 uses an IP address space of 10.0.0.0/16 and contains the subnets in the following table:





Subnet1 contains a virtual appliance named VM1 that operates as a router.

You create a routing table named RT 1.

You need to route all inbound traffic from the VPN gateway to VNet1 through VM 1.

How should you configure RT1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

123. You create an App Service plan named Plan1 and an Azure web app named webapp 1.

You discover that the option to create a staging slot is unavailable.

You need to create a staging slot for Plan 1.

What should you do first?

124. You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet 1.

You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet 1.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

125. You have an Azure subscription that contains the resources shown in the following table.





You need to perform the tasks shown in the following table.





Which tasks can you perform by using Azure Storage Explorer?

126. Your company has a main office in London that contains 100 client computers.

Three years ago, you migrated to Azure Active Directory (Azure AD).

The company's security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.

A remote user named User1 is unable to join a personal device to Azure AD from a home network.

You verify that User1 was able to join devices to Azure AD in the past.

You need to ensure that User1 can join the device to Azure AD.

What should you do?

127. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure virtual machine named VM1 that runs Windows Server 2016.

You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.

Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM 1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Does this meet the goal?

128. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to

return to it. As a result, these questions will not appear in the review screen.

You have an Azure virtual machine named VM 1. VM1 was deployed by using a custom Azure Resource Manager template named ARM 1. json.

You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately.

Solution: From the Redeploy blade, you click Redeploy.

Does this meet the goal?

129. Your company has a Microsoft Azure subscription.

The company has datacenters in Los Angeles and New York.

You are configuring the two datacenters as geo-clustered sites for site resiliency.

You need to recommend an Azure storage redundancy option.

You have the following data storage requirements:

- Data must be stored on multiple nodes.

- Data must be stored on nodes in separate geographic locations.

- Data can be read from the secondary location as well as from the primary location.

Which of the following Azure stored redundancy options should you recommend?

130. You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace 1.

You need to view the error event from a table named Event.

Which query should you run in Workspace1?

131. You create an Azure web app named WebApp 1.

WebApp1 has the autoscale settings shown in the following exhibit.









The scale out and scale in rules are configured to have a duration of 10 minutes and a cool down time of five minutes.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

132. You create an Azure VM named VM1 that runs Windows Server 2019.

VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)





You need to enable Desired State Configuration for VM 1.

What should you do first?

133. Your VMware vSphere on-premises infrastructure hosts 600 virtual machines (VMs). Your company is planning to move all of these VMs to Azure. You are asked to provide information about the resources that will be needed in Azure to host all of the VMs.

All VMs hosted in your on-premise infrastructure are based on Windows Server 2012 R2 or newer and RedHat Enterprise Linux 7.0 or newer.

You conduct the initial migration assessment and get a message that some virtual machines are conditionally ready for Azure.

You need to find the cause of this message.

What are two reasons why are you might get this message on some VMs? Each correct answer presents part of the solution.

134. You have an Azure subscription. All users are enabled for multi-factor authentication (MFA).

You need to ensure that the users can lock out their own account if they receive an unsolicited MFA request from Azure.

Which MFA settings should you configure?

135. SIMULATION



Overview

The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.



Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.



Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.



Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.



To start the lab

You may start the lab by clicking the Next button.

You recently created a virtual machine named Web0 1.

You need to attach a new 80-GB standard data disk named Web01-Disk1 to Web0 1.



What should you do from the Azure portal?

136. You create a virtual machine scale set named Scale 1.

Scale1 is configured as shown in the following exhibit.





Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

137. Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model.

After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD) obtains a different company and adding the new employees to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication.

To achieve this, the Per Enabled User setting must be set for the usage model.

Solution: You reconfigure the existing usage model via the Azure portal.

Does the solution meet the goal?

138. You have the Azure virtual machines shown in the following table:





You have a Recovery Services vault that protects VM1 and VM2.

You need to protect VM3 and VM4 by using Recovery Services.

What should you do first?

139. You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have two external partner organizations named fabrilcam.com and litwareinc.com.

FabtAam.com is configured as a connected organization.

You create an access package as shown in the Access package exhibit. (Click the Access package lab.)

You configure the external user lifecycle settings as shown in the Lifecycle exhibit. (Click the lifecycle tab)

For each of the following statements, select Yes if the statement is true Otherwise, select No Note: Each correct selection is worth one point.

140. You have an Azure subscription that contains a user account named User 1.

You need to ensure that User1 can assign a policy to the tenant root management group.

What should you do?

141. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet 1. The point-to-site connection uses a self-signed certificate.

From Azure, you download and install the VPN client configuration package on a computer named Computer2.

You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.

Solution: You modify the Azure Active Directory (Azure AD) authentication policies.

Does this meet the goal?