Az 300

Get
Success in Passing Your
Certification Exam at first attempt!
Copyright © CertBus.com, All Rights Reserved.
All our exam practice questions and answers are only for our product buyers to get prepared for their
coming certification examinations. Any unauthorized sharing is forbidden. It may cause the suspending
of ones account, membership and product update if there is a violation of this rule.
CERTBUS
/ \
t V
YOUR NEXT PURCHASE

V
V /
w w w x e r t b u s . com
Congratulations! You can visit www.certbus.com and

use your Order Number(Start with a capital letter K)
as the coupon code to enjoy 20% off on Next Order.
www.CertBus com .
CERTBUS
Vendor: Microsoft
Exam Code: AZ-300
Exam Name: Microsoft Azure Architect Technologies
Q&As: 322 (There are 12 parts in the dump, 322 questions in total.)
Testlet 1
Case Study: 1Label Maker app

Requirements
Data
You identify the following requirements for data management and manipulation:
• Order data is stored as non relational JSON and must be queried using Structured Query Language
(SQL).
• Changes to the Order data must reflect immediately across all partitions. All reads to the Order data must
fetch the most recent writes.
Security
You have the following security requirements:
• Users of Coho Winery applications must be able to provide access to documents, resources, and
applications to external partners.
• External partners must use their own credentials and authenticate with their organization's identity
management solution.
• External partner logins must be audited monthly for application use by a user account administrator to
maintain company compliance.
• Storage of e-commerce application settings must be maintained in Azure Key Vault.
• E-commerce application sign-ins must be secured by using Azure App Service authentication and Azure
Active Directory (AAD).
• Conditional access policies must be applied at the application level to protect company content.
• The LabelMaker application must be secured by using an AAD account that has full access to all
namespaces of the Azure Kubernetes Service (AKS) cluster.
Label Maker app

Azure Monitor Container Health must be used to monitor the performance of workloads that are deployed
to Kubernetes environments and hosted on Azure Kubernetes Service (AKS).
You must use Azure Container Registry to publish images that support the AKS deployment.
Architecture
Azur Key V«uh
*
t
Customef E -Comroeice Web App A/ure functions Covrx 06
(H - Commerce Checkout AP » ) (Ocdeis*Data)
i t Omm
Azure
Storage
(logs)
i
A
logic App
m®n
»»
AKS Cluster
( LabelMaket Application )
Partner API App
(Order Workflow )
(Logsl
Issues
Calls to the Printer API App fail periodically due to printer communication timeouts.
Printer communication timeouts occur after 10 seconds. The label printer must only receive up to 5
attempts within one minute.
The order workflow fails to run upon initial deployment to Azure.
Order.json
Relevant portions of the app fries are shown below Line numbers are induced for reference only. This
JSON file contains a representation of the data for an order that includes a single item.
Order.Json
•i{
02 "id" : l #
03 "CGitOwers'* ; {
{
0% "fawi lyNaaie " : “Ooe" #
06 " ivtnhaae " ; "John"

[ f
07 'custoatrid " s 5
>
09 3'
10 "lineiteas ” :[
11 {
12 "f ulflllibl« _qu ntity
# “ :l .
13 "id* ; t,
14
IS
-
"price : “ 199.99 ,
"productid " t 7513594,
-
lb
17
"quantity* : I,
_
,ircs sbippingn : true
“raqL
.
1*
19
"Jb" : "$K Ml N" p
"title " ; "Surface Go"
#
-
30 "vendor * : "Microsoft "
#
21 nai
IB
t "SurfM( Gfl BGB " , -
t
23 "tw linfi" ; [
<
24
25
26
"title* :
"price*
-
-
State T** ,
: "5.90s # -
27
28 }
srate i 0.«
*
29 )*
30 "totaled £«c aunt " ! "0.00“' ,
31 " diicowntâllocationi" s (
32 {
33
34
- aaiount" : *5,043*
“ discount _ appllc «tion

#
_ indexi> ; 2
35 )
36 i
rr }
» 1*
3»
40
--
address" 1 {
itete" : HMY* ,
*cou«ityH : “Manhattan *
41
42
*s
-
}
City" 1 "NV"
t
** }
QUESTION 1
You need to access user claims in the e-commerce web app. What should you do first?
A. Write custom code to make a Microsoft Graph API call from the e commerce web app.
B. Assign the Contributor RBAC role to the e-commerce web app by using the Resource Manager create
role assignment API
C. Update the e-commerce web app to read the HTTP request header values.
D. Using the Azure CU, enable Cross-origin resource sharing (CORS) from the e- commerce checkout
API to the e-commerce web
Correct Answer: A
Explanation
Explanation/Reference:
QUESTION 2
You need to deploy a new version of the Label Maker application.
Which three actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
Select and Place:
Actions
I ——
Create an alias of the image with the fully qualified path to the
registry .
Create an alias of the image with the a new build number
Build a new application image by using dockethle

© ©
Download the image to your local computer
Log in to the registry and push image. © ©

Build a new application image by using rmbuild
Restart the cluster
Correct Answer:
i J
Actions
' !•'
Create an alias of the image with the fully qualified path to the
registry . Create an alias of the image with the fully qualified path to the
Create an alias of the image with the a new build number

.
registry
Build a new application image by using dockerhle
Download the image to your local computer

log n to the rrgistry and push mgr
©
Log in to the registry and push image.
Build a new application image by using msbuikl L

Restart thr duster ©
Restart the duster
Explanation
Create an alias of the image with fully qualified path to the registry Log in to the registry and push image
Restart the cluster.
Testlet 1
Case Study: 2Background

Requirements
You are a developer for Proseware, Inc. You are developing an application that applies a set of
governance policies for Proseware's internal services, external services, and applications. The application
will also provide a shared Horary for common functionality.
Policy service
You develop and deploy a stateful ASP.NET Core 21 web application named Policy service to an Azure
App Service Web App. The application reacts to events from Azure Event Grid and performs policy actions
based on those events.
The application must include the Event Grid Event ID field in all Application Insights telemetry.
Policy service must use Application Insights to automatically scale with the number of policy actions that it
is performing.
Policies
Log policy
All Azure App Service Wet) Apps must write logs to Azure Blob storage. All tog files should be saved to a
container named logdrop. Logs must remain in the container for 15 days.
Authentication events
Authentication events are used to monitor users signing in and signing out All authentication events must
be processed by PoScy service Sign outs must be processed as quickly as possible
Policy Lib
You have a shared library named Policy Lib that contains functionality common to all ASP.NET Core web
services and applications. The Policy Lib library must:
• Exclude non-user actions from Application Insights telemetry.
• Provide methods that allow a web service to scale itself.
• Ensure that scaling actions do not disrupt application usage.
Other
Anomaly detection service
You have an anomaly detection service that analyzes log information for anomalies. It is implemented as
an Azure Machine learning model. The model is deployed as a web service.
If an anomaly is detected, an Azure Function that emails administrators is called by using an HTTP
WebHook.
Hearth monitoring
All web applications and services have health monitoring at the /health service endpoint
Issues
Policy loss
When you deploy Policy service, policies may not be applied if they were m the process of being applied
during the deployment.
Performance issue
When under heavy load, the anomaly detection service undergoes slowdowns and rejects connections.
Notification latency
Users report that anomaly detection emails can sometimes arrive several minutes after an anomaly is
detected.
App code
EventGridController.cs
Relevant portions of the app files are shown below. Line numbers are included for reference only and
include a two-character prefix that denotes the specific file to which they belong.
.c*
EG®1 public dm EventGridController : Controller
EG82 { ’
IN
EG84
EG®5
public static Asynclocal<string > Eventld
public IActionResult Process([Fronflody] string events3son)
{
-
new AsyncLocal < strlng >()j
Em var events • JArray.Parse(events3son)j

EG87
EG08 foreach (var fevent in events)
EG09 {
EGie Eventld .Value 0event[*Id*). ToString();
.Contains(“ providers/Microsoft.Storage"))
if ( event[** toplc ’* J .ToStrlng()
EG11
EG12
EG13
{ ^
SendToAnoaalyDetectionService(0event(“data" J("ur 1"). ToString());
EG14 )
EG15
EG16 (
EG17 «ing(#event[“subJecf).ToStrinf());
EG18 )
( 019 )
EG20 t ill
EG21 > resource)
EG22 private void En*urelogging(string
EG2 3 {
EG2A
,>
EG25
CG26 private async Task SendToAnoaalyOetectionService
(string uri)
EG27 {
EG28 var content • GetlogOata(ori);
EG29
EG30 (
var scoreRequest new
- &
EG31
EG32
EG33
(
Inputs
{
-
new Dietionary < string. List < Dictionary < string, string > > >()
EG34 "inputl “,
EG 35 new List < Dictionaryestring, string >>()
EG36 {
EG37 new Dietionary <string # string(
> )
EG38 <
EG39 (
EGA * "logcontent" . content
E641 )
EG42 )
EG43 }
EG*4 >a
EGAS >.
);
GlobalPar ters
- new Dietionary < string, string >()( )
EGAS var result • it (new HttpClient() .

) PostAs3sonAsync(" a a •", scoreRequest);
EGA9 var rawModelResult • it result.Content.ReadAsStringAsync();
EGS#
EGS1
EGS2
var oodelResult
-
30bject.Parse(rawModelResult);
if (BodelResult[Mnotifya].HasValues)
{
EGS3
EGSA >
EGSS )
EGS6 private (string n , string resoureeGroup ) ParseResoureeId(string resourceld)
EGS7 (
EGS8
EG59 )
EG68 private string GetlogData(string uri)
EG61 (
EG62 . ..
EG63 }
EGGA static string BlobStoreAccountSAS(string contalnerNeae)
EGGS (
EG6*
EG67 )
EG68 )
LoginEvent.cs
Line numbers are included for reference only and
Relevant portions of the app files are shown below.
fic file to which they belong.
include a two-character prefix that denotes the speci
LogifiEvefit.es
LEVI public class login vent
*
LE 2 {
*
Lt 3
*
Lt04 public string subject { get; set; }
lfG5 public DateTlme eventTiwe { get; set; }
LE06 public Diet ionary < strlog, strings date ( get ; set} }
LW7 public string SerlaUit()
UM {
UM return IsonConvert 5eriaUreObject(this);
LE10
l ll }
QUESTION 1
Service.
You need to meet the scaling requirements for Policy
What should you store in Azure Redis Cache?
A. ViewState
B. HttpContext.tems
C. Session state
D. TempData
Correct Answer: C
Explanation
QUESTION 2
You need to resolve a notification latency issue.
answer presents part of the solution.
Which two actions should you perform? Each correct
NOTE: Each correct selection is worth one point.

mption plan.
A. Ensure that the Azure Function is set to use a consu
B. Set Always On to false
C. Set Always On to true
ce plan.
D. Ensure that the Azure Function is using an App Servi
Correct Answer: AC
Explanation
QUESTION 3
llef.es to ensure that the tag policy applies to all
You need to add code at line EG15 in EventGndContro
services.
the appropriate code segments to the correct
How should you complete the code? To answer, drag
than once, or not at all. You may need to drag the
locations. Each code segment may be used once, more
Split bar between panes or scroll to view content.

Select and Place:
Code segments Answer Area

tome
if (
ft -
#* vent [
< ..
" data " J( *
code segment • ].
ToStrinf ) code segment
—
[event Type u
#event ( "data ” }[ *
code segment ) . ToStrlnf ( ) "Microsoft . t«eb / si ? M / «rlte ”
Succeeded )
operationName
resour ceProvider
Correct Answer:
Code segments Answer Area
status
* 1
i *
.(
# v »nt (
u
J[ - eventType J . toStrinjO ~ - resourceProvider
Succeeded
#eve« t [ - data ” )[ ” [ topic ) .ToStrlnf ( ) " Microsof t . taeb / sitrs / «r ire ”
)
Explanation
QUESTION 4
You need to ensure that the solution can meet the scaling requirements for Policy Service.
Which Azure Application Insights data model should you use?
A. an Application Insights trace

B. an Application Insights metric
C. an Application Insights dependency
D. an Application Insights event
Correct Answer: B
Explanation
QUESTION 5
You need to ensure that the Policy service can implement the policy actions.
Which code segment should you insert at line EG07 in EventGridController.cs?
A if (HctpConttxt.
••» 5Ufc dipt lOCV tl
*
.Hcidtri[ai »j
")
vm&z -
i Yp *~) - Flr »tOrO «f*ult ()
i
return new JsonResult. tr ev.
(
.
V 4li.daiuoinRespor se * events ( 0 ] ['valudsti. icCcdt" )
)>;
)
B if ( events[0]["eventType"].ToString {) = = "SubscriptionValidation")
{
return new JsonResult (new
{
validationResponse = events[0]["validationCode"]
});
}
C if (HttpContext.Request.Headers["aeg-event-type"].FirstOrDefault ( ) =
"SubscriptionValidation")
{
return new JsonResult( new
{
validationResponse = events[0]["data"]["validationCode"]
});
)
D if ( events[0]["subject"].ToString () = = "SubscriptionValidation")
{
return new JsonResult ( new
{
validationResponse = events[0]["data"]["validationCode"]
}>;
}
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: C
Explanation
Testlet 1
Case Study: 3
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle
and New York.
The Montreal office has 2.000 employees. The Seattle office has 1,000 employees- The New York office
has 200 employees.
AH the resources used by Contoso are hosted on-premises.
Contoso creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain
named contoso.onmicrosoftc.om. The tenant uses the PI pricing tier.
Existing Environment
The network contains an Active Directory forest named contoso.com. All domain controllers are configured
as DNS servers and host the contoso.com DNS zone.
Contoso has finance, human resources, sales, research, and information technology departments. Each
department has an organizational unit (OU) that contains all the accounts of that respective department. All
the user accounts have the department attribute set to their respective department. New users are added
frequently.
Contoso.com contains a user named User 1.
AlI the offices connect by using private links.
Contoso has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be
configured as a VPN device.
All infrastructure servers are virtualized. The visualization environment contains the servers in the following
table.
Role
Server! VMWare vCenter server
Server? Hyper - V host
Contoso uses two web applications named App1 and App2. Each instance on each web application
requires 1 GB of memory. The Azure subscription contains the resources in the following table.
Name to*
VNctl Virtual network
s/m Virtual machine
ViM4 Virtual machine
The network security team implements several network security groups (NSGs)
Planned Changes
Contoso plans to implement the following changes:
• Deploy Azure ExpressRoute to the Montreal office.
• Migrate the virtual machines hosted on Server1 and Server2 to Azure.
• Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
• Migrate App1 and App2 to two Azure web apps named WebApp1and WebApp2.
Technical Requirements
Contoso must meet the following technical requirements:
• Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale
up to five instances.
• Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in
the Montreal office.
• Ensure that routing information is exchanged automatically between Azure and the routers in the
Montreal office.
• Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
• Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com.
• Connect the New York office to VNet1 over the Internet by using an encrypted connection
• Create a workflow to send an email message when the settings of VM4 are modified.
• Create a custom Azure role named Role1 that is based on the Reader role
• Minimize costs whenever possible.
QUESTION 1
You need to meet the technical requirement for VM4.
What should you create and configure?
A. an Azure Event Hub

B. an Azure Notification Hub
C. an Azure Logic App
D. an Azure Service Bus
Correct Answer: A
Explanation
Scenario: Create a workflow to send an email message when the settings of VM4 are modified.
You can start an automated logic app workflow when specific events happen in Azure resources or third-
party resources. These resources can publish those events to an Azure event grid. In turn, the event grid
pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a
subscriber, your logic app can wait for those events from the event grid before running automated
workflows to perform tasks - without you writing any code.
References:
https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app
QUESTION 2
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Answer Area
From the Azure portal Create an ExpressRoute circuit only.

Create a virtual network gateway only.
Create a virtual network gateway and a local network gateway.
-
Create an ExpressRoute circuit and an on premises data gateway.
Create a virtual network gateway and an on-premises data gateway.
In the New York office: Deploy ExpressRoute.

Deploy a DirectAccess serv er.
Implement a Web Application Proxy .
--
Configure a site to site \ PN connection.
Correct Answer:
Answer Area
From the Azure portal Create an ExpressRoute circuit only.

Create a \irtual network gateway only.
Create a \irtual network gateway and a local network gateway.
Create an ExpressRoute circuit and an on-premises data gateway.
Create a \irtual network gateway and an on-premises data gateway.
In the New York office: Deploy ExpressRoute.

Deploy a DirectAccess server.
Implement a Web Application Proxy.
Configure
w - -
a site to site VPN connection.
Explanation
Box 1: Create a virtual network gateway and a local network gateway.
Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises
network through a VPN appliance. For more information, see Connect an on-premises network to a
Microsoft Azure virtual network. The VPN gateway includes the following elements:
Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible
for routing traffic from the on-premises network to the VNet.
Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the
cloud application to the on-premises network is routed through this gateway.
Connection. The connection has properties that specify the connection type (IPSec) and the key shared
with the on-premises VPN appliance to encrypt traffic.
Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various
requirements, described in the Recommendations section below.
Box 2: Configure a site-to-site VPN connection

On premises create a site-to-site connection for the virtual network gateway and the local network
gateway.
On- premises network Gateway subnet Web tier Business tier Data tier
Gateway
VPN
Gateway 5 VM
5 VM
51 VM
g® 51 VM
51VM
5 VM
5 VM
5 VM
5 VM
Management subnet
5VM
NSG
Jumpbox
Virtual network
<•••>
Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Incorrect Answers:
Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner.
This connection is private. Traffic does not go over the internet.
References:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn
Testlet 1
Topic 4, Case Study: 4Overview

A . Datum Corporation is a financial company that has two main offices in New York and Los Angeles. A.
Datum has a subsidiary named Fabrikam, Inc that share, Los Angeles office.
A . Datum is conducting an initial deployment. of Azure services to host new line-of business applications
and is preparing to migrate its existing on-premises workloads to Azure.
A Datum uses Microsoft Exchange Online (or email
On-Premises Environment
The on-premises workloads run on virtual machines hosted in a VMware vSphere 6 infrastructure.
All the virtual machines and members of an Active Directory forest named adatum.com and run Windows
Server 2016.
The New York office uses an IP address space of 10.0.0.0/16 The Los Angeles office uses an IP address
space of 10.10.0.0/16.
The offices connect by using a VPN provided by an ISP. Each office has one Azure ExpressRoute circuit
that provides access to Azure services and Microsoft Online Services.
Routing is implemented by using Microsoft peering.
The New York office has a virtual machine named VM1 that has the vSphere console installed.
Azure Environment
You provision the Azure infrastructure by using the Azure portal. The infrastructure contains the resources
shown in the following table.
Name Type Azure Region

ASRV1 Azure Site Recovery vault East US
ASRV 2 Azure Site Recovery vault West US
ASE1 Azure App Service East US
Environment
AG1 Azure Application East US
Gateway (internal)
AG 2 Azure Application West US
Gateway (Internet-facing)
ER1 ExpressRoute circuit East US

ER 2 ExpressRoute circuit West US
AG1 has two backend pools named Pool 11 and Pool12. AG2 has two backend pools named Pool21 and
Pool22.
Requirements
Planned Changes
A. Datum plans to migrate the virtual machines from the New York office to the East US Azure rec-on by
using Azure Site Recovery.
Infrastructure Requirements
A. Datum identifies the following infrastructure requirements:
• A new web app named App1 that will access third-parties for credit card processing must be deployed
• A newly developed API must be implemented as an Azure function named App2. App2 will use a blob
storage trigger. App2 must process new blobs immediately.
• The Azure infrastructure and the on-premises infrastructure must be prepared for the migration of the
VMware virtual machines to Azure.
• The sizes of the Azure virtual machines that will be used to migrate the on-premises workloads must be
identified,
• All migrated and newly deployed Azure virtual machines must be joined to the adatum.com domain.
• AG1must load balance incoming traffic in the following manner
• http://corporate.adatum.com/video/* will be load balanced across Pool11.
• http://corporate.adatum.com/images/* will be load balanced across Pool 12.
• AG2 must load balance incoming traffic in the following manner.
• http://www.adatum.com will be load balanced across Pool21.
• http://www.fabnkam.com will be load balanced across Pool22.
• ERl must route traffic between the New York office and the platform as a service (PaaS) services in the
East US Azure region, as long as ER1 is available.
• ER2 must route traffic between the Los Angeles office and the PaaS services in the West US region, as
long as ER2 is available.
• ERl and ER2 must be configured to fail over automatically
Application Requirements
App2 must be able to connect directly to the private IP addresses of the Azure virtual machines. App2 will
be deployed directly to an Azure virtual network.
Inbound and outbound communications to App1 must be controlled by using NSGs.
Pricing Requirements
A . Datum identities the following pricing requirements:
• The cost of App1 and App2 must be minimized.
• The transactional charges of Azure Storage accounts must be minimized.
QUESTION 1
You need to configure AG1.
What should you create?
A. a basic routing rule

B. a multi-site listener
C. a basic listener
D. a URL path-based routing rule
Correct Answer: D
Explanation
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-url- route-portal
QUESTION 2
You need to prepare the New York office infrastructure for the migration of the on-premises virtual
machines to Azure.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list
of actions to the answer area and arrange them in the correct order.
Select and Place:

Actions Answer Area
From VM1, deploy a virtual machine.
.
From the ASRV1 blade in the Azure
portal, select a protection goal.
From an Azure portal, download the OVF

file .
From VM1. resister the configuration

7 W Xs
server.
From VM1, comiect to the collector

virtual machine.
Correct Answer:
Actions Answer Area
.
From the ASRV1 blade in the Azure
portal, select a protection goal.
From an Azure portaL download the OVF

file.
From VM1. deploy a virtual machine.
From VM1. register the configuration

server.
From VM1. comiect to the collector

virtual machine.
Explanation
https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-tutorial
QUESTION 3
You need to configure the Azure ExpressRoute circuits.
How should you configure Azure ExpressRoute routing? To answer, drag the appropriate configurations to
the correct locations. Each Configuration may be used once, more than once, or not at all. You may need
to drag the split bar between panes or scroll to view content
Select and Place:
Configurations Answer Area
Use BGF communities to configure Routing from A.Datum to Azure:

BGP's Local Preference.
Routing from Microsoft Online Services to
1 st BGP to append the private AS A.Datum:
numbers to the advertised prefixes.
Use BGP to append the public AS

Correct Answer:
Configurations Answer Area

Routing from A Datum to Azure: Use BGP to append the private AS
Use BGP communities to configure numbers to the advertised prefixes.
BGF's Local Preference.
Routing from Microsoft Online Services to
Use BGP to append the public AS
A.Datum:
Explanation
Azure compute services, namely virtual machines (IaaS) and cloud services (PaaS), that are deployed
within a virtual network can be connected through the private peering domain. The private peering domain
is considered to be a trusted extension of your core network into Microsoft Azure.
Services such as Azure Storage, SQL databases, and Websites are offered on public IP addresses. You
can privately connect to services hosted on public IP addresses, including VIPs of your cloud services,
through the public peering routing domain. You can connect the public peering domain to your DMZ and
connect to all Azure services on their public IP addresses from your WAN without having to connect
through the internet.
References:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings
QUESTION 4
You need to implement App2 to meet the application requirements.
What should you include in the implementation? To answer, select the appropnate options in the answer
area.
Hot Area:
App Semce plan pricing tier v

Isolated
Shared
Standard
Enabled feature: v
Always On
Auto Swap
Web Sockets
Correct Answer:
App Semce plan pricing tier v
Isolated
Shared
Standard
Enabled feature: v
Always On
Auto Swap
Web Sockets
Explanation
https://azure.microsoft.com/en-us/pricing/details/app-service/plans/ https://docs.microsoft.com/en-us/
azure/azure-functions/functions-scale
QUESTION 5
HOTSPOT
You need to provision the resources in Azure to support the virtual machine that will be migrated from the
New York office.
What should you include in the solution? To answer, select the appropriate options in the answer area.
Hot Area:
Answer Area
IP address space of the virtual network

10.0 0.0/ 16
10.10 . 0.0/16
10 20 0.0/ 16
Storage account kind :

Blob storage
Storage ( general purpose v1)
StorageV2 (general purpose v2)
Correct Answer:
Answer Area
IP address space of the virtual network

10.0 . 0.0/ 16
10.10 . 0.0/16
10.20. 0.0/ 16
Storage account kind :

Blob storage
Storage ( general purpose v1 )
StorageV2 (general purpose v2)
Explanation
QUESTION 6
DRAG DROP
You need to identify the appropriate sizes for the Azure virtual machines.
Which five actions should you perform in sequence? To answer, move the appropriate actions from the list
Select and Place:

Actions Answer Area
From the Azure portal, create

an Azure Migrate assessment.

an Azure Migrate project.
From VM1, connect to the collector

virtual machine and run the Azure
Site Recovery deployment planner.
From the Azure portal, download

an OVA file.

Migrate Collector.
From Microsoft Download Center,

download the Azure Site Recovery
deployment planner
From VM1 . run the Deploy OVF

Template wizard.
Correct Answer:
Actions Answer Area

an Azure Migrate project.
From the Azure portal, download

an OVA file.
From VM1, connect to the collector From VM1. run the Deploy OVF
virtual machine and run the Azure Template wizard.
Site Recovery deployment planner.

Migrate Collector.

an Azure Migrate assessmen:.
From fylicrosoft Download Center,

download the Azure Site Recovery 1
deployment planner
Explanation
References:
https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware
Testlet 1
Case Study
Background
Best For You Organics Company is a global restaurant franchise that has multiple locations. The company
wants to enhance user experiences and vendor integrations. The company plans to implement automated
mobile ordering and delivery services.
Best For You Organics hosts an Azure web app at the URL https://www.bestforyouorganics.com. Users
can use the web app to browse restaurant location, menu items, nutritional information, and company
information. The company developed and deployed a cross-platform mobile app.
Requirements
Chatbot
You must develop a chatbot by using the Bot Builder SDK and Language Understanding Intelligence
Service (LUIS). The chatbot must allow users to order food for pickup or delivery.
The chatbot must meet the following requirements:
Ensure that chatbot is secure by using the Bot Framework connector. Use natural language processing
and speech recognition so that users can interact with the chatbot by using text and voice. Processing
must be server- based.
Alert users about promotions at local restaurants. Enable users to place an order for delivery or pickup by
using their voice. Greet the user upon sign-in by displaying a graphical interface that contains action
buttons.
The chatbot greeting interface must match the formatting of the following example:
John Doe
Sun, Aug 26, 2018
Welcome to Best For You Organics Company!

How can we help you today?
Specials: Chicken Marsala
Order Pickup Order Delivery
Vendor API
Vendors receive and provide updates for the restaurant inventory and delivery services by using Azure API
Management hosted APIs. Each vendor uses their own subscription to access each of the APIs.
APIs must meet the following conditions:
API usage must not exceed 5,000 calls and 50,000 kilobytes of bandwidth per hour per vendor.
If a vendor is nearing the number of calls or bandwidth limit, the API must trigger email notifications to the
vendor.
API must prevent API usage spikes on a per-subscription basis by limiting the call rate to 100 calls per
minute.
The Inventory API must be written by using ASP.NET Core and Node.js. The API must be updated to
provide an interface to Azure SQL Database objects must be managed by using code.
The Delivery API must be protected by using the OAuth 2.0 protocol with Azure Active Directory (Azure
AD) when called from the Azure web app. You register the Delivery API and web app in Azure AD. You
enable OAuth 2.0 in the web app. The delivery API must update the Products table, the Vendor
transactions table, and the Billing table in a single transaction.
The Best For You Organics Company architecture team has created the following diagram depicting the
expected deployments into Azure:
Aiure Active
-> Language
5>
Directory B 2C
< Underetandmg
©
/
<& {} Delivery API
A
D * Azure App Service
*
Mobil# App
© t
API Menegement External Vendor
*
5>
Azure Bot Service
0
Speech API Pi
Azure SOL
Application Insight d t b «e Inventory API
* ** *
Architecture
Issues
Delivery API
The Delivery API intermittently throws the following exception:
"System.Data.Entity.Core.EntityCommandExecutionException: An error occurred while executing the

command definition. See the inner exception for details. -- >System.Data.SqlClient.SqlException: A
transport-level error has occurred when receiving results from the server. (provider: Session Provider,
error: 19 ?Physical connection is not usable)"
Chatbot greeting
The chatbot's greeting does not show the user's name. You need to debug the chatbot locally.
Language processing
Users report that the bot fails to understand when a customer attempts to order dishes that use Italian
names.
App code
Relevant portions of the app files are shown below. Line numbers are included for reference only and
include a two-character prefix that denotes the specific file to which they belong.
Startup.es
SU01 namespace DeliveryApi
SO02 {
SD03 public class Startup
S004 {
SD05 public Startup(IConfiguration configuratron)
SU06 {
SO07 Configuration = configuration;
SUOS >
5009 public IConfiguration Configuration { get; >
5010 public void ConfigureService(IServiceCollection services)
SOU <
5012 .AddDbContext<?.estaurantsContext>(opt =>
services
5013 opt. UseSqlServer (Configuration.GetSection("Connectionstrings")
["RestaurantDatabase" ] ,
S014 sqlServerOptionsAction: sqlCptions =>
SU15 {
SU16
5017 > ));
5018 services.AddMvc()
SOI9 .SetCompatibilityVersion(CompatibilityVersion.Version 2 1);
5020 >
5021 public void Configure(IApplicationBuilder app)
5022 {
5023 app.OseMvc();
5024 >
5025 }
5026 >
Background
Best For You Organics Company is a global restaurant franchise that has multiple locations. The company
wants to enhance user experiences and vendor integrations. The company plans to implement automated
mobile ordering and delivery services.
QUESTION 1
Note: This question is part of a series of questions that present the same scenario. Each question in the
series contains a unique solution. Determine whether the solution meets the stated goals.
You need to meet the vendor notification requirement.
Solution: Update the Delivery API to send emails by using a Microsoft Office 365 SMTP server.
Does the solution meet the goal?
A. Yes
B. No
Correct Answer: B
Explanation
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto- configure-notifications
QUESTION 2
You need to resolve the delivery API error.
What should you do?
A. Implement simple retry by using the EnableRetryOnFailure feature of Entity Framework.

B. Implement exponential backoff by using the EnableRetryOnFailure feature of Entity Framework.
C. Implement a Circuit Breaker pattern by using the EnableRetryOnFailure feature of Entity Framework.
D. Invoke a custom execution strategy in Entity Framework.
Correct Answer: B
Explanation
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-develop-error-messages
QUESTION 3
You need to debug the user greeting issue.
What should you use?
A. Azure Application Insights

B. Bot Framework Emulator
C. Bot Framework Channel Inspector
D. Bot Connector service
E. Azure Compote Emulator
Correct Answer: A
Explanation
QUESTION 4
You need to meet the security requirements.
A. HTTP Strict Transport Security (HSTS)

B. Direct Line API
C. Multi-Factor Authentication (MFA)
D. Bot Framework Portal
E. Bot Framework authentication
Correct Answer: E
Explanation
QUESTION 5
Solution: Configure notifications in the Azure API Management instance.
A. Yes
B. No
Correct Answer: A
Explanation
QUESTION 6
You need to implement the purchase requirement.
What should you do?
A. Use the Bot Framework REST API conversation operations to send the user's voice and the Speech
Service API to recognize intents.
B. Use the Direct Line REST API to send the user's voice and the Speech Service API to recognize
intents.
C. Use the Speech Service API to send the user's voice and the Bot Framework REST API conversation
operations to recognize intents.
D. Use the Bot Framework REST API attachment operations to send the user's voice and the Speech
Service API to recognize intents.
Correct Answer: A
Explanation
QUESTION 7
Solution: Create and apply a custom outbound Azure API Management policy.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 8
Solution: Update the Delivery API to send emails by using a cloud-based email service.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 9
You need to update the Inventory API.
Which development tools should you use? To answer, select the appropriate options in the answer area.
Hot Area:
AfJO NO
Qrv Toot F 11 Eily ErtfrtU'wcJflt O& re

^< jpmcTH WO D .TLl V-TVKO-S
rethnofai
W^ HIrw
^
OrM
P ^ IJITMW IW*.I
f r^ J* 'int
.
Correct Answer:
ADC NR »
tntily mif 'woit
Drvpi&pn»rni
fetlyBtesqw
Tool
VVO
-
F i t r i l y p f irrU wciU
[ ? ,i» 8J S» rvKW
dr ?
Wamm x.
L ' jll Jb-H'!* Iir'.l
Explanation
4 i '» #
ADO.N El
t rrtrty F r ^ miMt
I>pvpk»prntnf Tool E niffy frame* walk Cun *
T ^thnoJogy WCf Dal i Sentcos
Mad !finl
X'
*
DJUfc+v* r»fM
QUESTION 10
You need to resolve the language processing issue.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the
list of
actions to the answer area and arrange them on the correct order.
Select and Place:
Publish the LUIS app
Add new utterances and entities
Add new intents
Create a new LUIS app
Train the LUIS app
Add nannes for Italian cuisine to Azure Search
Add the Azure Search provider to the boot
Correct Answer:
Add new utterances and entities Create a new LUIS app
Add new intents Train the LUIS app
Publish the LUIS app
Add names for Italian cuisine to Azure Search
Add the Azure Search provider to the boot
Explanation
Testlet 1
Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this
exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in
the case study. Case studies might contain exhibits and other resources that provide more information
about the scenario that is described in the case study. Each question is independent of the other questions
in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers
and to make changes before you move to the next section of the exam. After you begin a new section, you
cannot return to this section.
To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to
explore the content of the case study before you answer the questions. Clicking these buttons displays
information such as business requirements, existing environment, and problem statements. If the case
study has an All Information tab, note that the information displayed is identical to the information
displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to
return to the question.
Overview
Humongous Insurance is an insurance company that has three offices in Miami, Tokyo and Bangkok. Each
office has 5.000 users.
Active Directory Environment

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com. The
functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.
Network Infrastructure
Each office has a local data center that contains all the servers for that office. Each office has a dedicated
connection to the Internet.
Each office has several link load balancers that provide access to the servers.
Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Licensing Issue
You attempt to assign a license in Azure to several users and receive the following error message:
"Licenses not assigned. License agreement failed for one user."
You verify that the Azure subscription has the available licenses.
Requirements
Planned Changes
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who
will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in
Azure.
Planned Azure AD Infrastructure
The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure

You plan to create the following networking resources in a resource group named All_Resources:
1. Default Azure system routes that will be the only routes used to route traffic
2. A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
3. A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
4. A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote
gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network
to the ClientResources-VNet virtual network.
Planned Azure Computer Infrastructure

Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows
Server 2016, or Red Hat Linux.
Department Requirements
Humongous Insurance identifies the following requirements for the company's departments:
Web administrators will deploy Azure web apps for the marketing department. Each web app will be
added to a separate resource group. The initial configuration of the web apps will be identical. The web
administrators have permission to deploy web apps to resource groups.
During the testing phase, auditors in the finance department must be able to review all Azure costs
from the past week.
Authentication Requirements
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless
SSO) when accessing resources in Azure.
QUESTION 1
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution
A. Allow inbound TCP port 8080 to the domain controllers in the Miami office
B. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication
C. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office
D. Join the client computers in the Miami office to Azure AD
E. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the
Miami office.
Correct Answer: BE
Explanation
B: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or
Pass-through Authentication, and can be enabled via Azure AD Connect.
E: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD
URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://
autologon.microsoftazuread-sso.com
Incorrect Answers:
A: Azure AD connect does not port 8080. It uses port 443.
C: Seamless SSO is not applicable to Active Directory Federation Services (ADFS).
D: Seamless SSO needs the user's device to be domain-joined, but doesn't need for the device to be
Azure AD Joined.
Scenario: Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD
Seamless SSO) when accessing resources in Azure.
Planned Azure AD Infrastructure include: The on-premises Active Directory domain will be synchronized to
Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-
start
QUESTION 2
Which blade should you instruct the finance department auditors to use?
A. Partner information
B. Cost analysis
C. Resource providers
D. Invoices
Correct Answer: D
Explanation
You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature
may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in
Open.
1. Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click
Invoices then Email my invoice.
40 Pay- As- You Go - - Invoices _ X
Gf Otdef invoice! E3 Send my m*o*e

Stsrch (Ctrl* ) Amount excludes non- Microsoft services.
Search to nUe/ <frmt

0 Overview
6 ULING PfWOO CHARGf DATC AMOUNT (USD) INVOlCr
;£ Access control pAM)
12/12/2016-1/11/ 2017 1/18/2017 0.00 Not available
X DâgnoNe and solve problem
*
11/12/2016-12/11/2016 12/18/2016 000 Not av ;abte
*
ftLUMj
10/12/2016-11/11/2016 11/18/ 2016 000 Not evitable
(J) Invoices
9/12/2016-10/11/2016 10/18/2016 000
-
Not ava able
0 Cost analyse
8/12/ 2016-9/11/2016 9/18/2016 000 Not av <* able
Q External services
2. Click Opt in and accept the terms.
Scenario: During the testing phase, auditors in the finance department must be able to review all Azure
costs from the past week.
References:
https://docs.microsoft.com/en-us/azure/billing/billing-download-azure-invoice-daily-usage-date
Testlet 1
Case Study
in this case study.

Overview
and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office
has 200 employees.
All the resources used by Contoso are hosted on-premises.
Contoso created a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain
named contoso.onmicrosoft.com. The tenant uses the P1 pricing tier.
frequently.
Contoso.com contains a user named User1.
All the offices connect by using private links.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following
table.
Name Role Contains virtual machine
Server! VMWare vCenter server VM1
Server 2 Hyper - V-host VM2
requires 1GB of memory.
The Azure subscription contains the resources in the following table.
Name Type
VNetl Virtual network
VM3 Virtual machine
VM4 Virtuaf machine
The network security team implements several network security groups (NSGs).
Requirements
Planned Changes
1. Deploy Azure ExpressRoute to the Montreal office

2. Migrate the virtual machine hosted on Server1 and Server2 to Azure
3. Synchronize on-premises Active Directory to Azure Active Directory (Azure AD)
4. Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical Requirements
1. Ensure that WebApp1 can adjust the number of instances automatically based on the load and can
scale up to five instances
2. Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in
the Montreal office
3. Ensure that routing information is exchanged automatically between Azure and the routers in the
Montreal office
4. Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only
5. Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com
6. Connect the New York office to VNet1 over the Internet by using an encrypted connection
7. Create a workflow to send an email message when the settings of VM4 are modified
8. Create a custom Azure role named Role1 that is based on the Reader role
9. Minimize costs whenever possible
QUESTION 1
You need to configure a host name for WebApp2.
What should you do first?
A. In Azure AD, add contoso.com as a custom domain name

B. In the public DNS zone of contoso.onmicrosoft.com, add an NS record
C. In Azure AD, add webapp2.azurewebsites.net as a custom domain name
D. In the public DNS zone of contoso.com, add a CNAME record
Correct Answer: C
Explanation
Scenario: Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com
When you create a Cloud Service, Azure assigns it to a subdomain of cloudapp.net. For example, if your
Cloud Service is named "contoso", your users will be able to access your application on a URL like http://
contoso.cloudapp.net. Azure also assigns a virtual IP address.
However, you can also expose your application on your own domain name, such as contoso.com.
References:
https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-custom-domain-name-portal
QUESTION 2
Which pricing tier should you recommend for WebApp?
A. D1
B. P1v2
C. S1
D. B1
Correct Answer: C
Explanation
Standard supports up to 10 instances, and would be enough as the Standard plan includes auto scale that
can automatically adjust the number of virtual machine instances running to match your traffic needs.
Scenario: Ensure that WebApp1 can adjust the number of instances automatically based on the load and
can scale up to five instances
Incorrect Answers:
D: Basic supports only up to 3 instances.
References:
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
Testlet 1
Case Study
in this case study.

Overview
ADatum Corporation is a financial company that has two main offices in New York and Los Angeles.
ADatum has a subsidiary named Fabrikam, Inc. that shares the Los Angeles office.
ADatum is conducting an initial deployment of Azure services to host new line-of-business applications and
is preparing to migrate its existing on-premises workloads to Azure.
ADatum uses Microsoft Exchange Online for email.
On-Premises Environment
The on-premises workloads run on virtual machines hosted in a VMware vSphere 6 infrastructure. All the
virtual machines are members of an Active Directory forest named adatum.com and run Windows Server
2016.
The New York office uses an IP address space of 10.0.0.0/16. The Los Angeles office uses an IP address
space of 10.10.0.0/16.
The offices connect by using a VPN provided by an ISP. Each office has one Azure ExpressRoute circuit
that provides access to Azure services and Microsoft Online Services. Routing is implemented by using
Microsoft peering.
The New York office has a virtual machine named VM1 that has the vSphere console installed.
Azure Environment
You provision the Azure infrastructure by using the Azure portal. The infrastructure contains the resources
shown in the following table.
Name Type Azure region
ASRV1 Azure Site Recovery vault East US
ASRV2 Azure Site Recovery vault West US
ASE 1 Azure App Service Environment East US
AG1 Azure Application Gateway ( internal ) East US
AG2 Azure Application Gateway (Internet- West US
facing )
ER1 ExpressRoute circuit East US
ER2 ExpressRoute circuit West US
AG1 has two backend pools named Pool11 and Pool12. AG2 has two backend pools named Pool21 and
Pool22.
Requirements
Planned Changes
ADatum plans to migrate the virtual machines from the New York office to the East US Azure region by
Infrastructure Requirements
ADatum identifies the following infrastructure requirements:

- A new web app named App1 that will access third-parties for credit card processing must be deployed.
- A newly developed API must be implemented as an Azure function named App2. App2 will use a blob
storage trigger. App2 must process new blobs immediately.
- The Azure infrastructure and the on-premises infrastructure must be prepared for the migration of the
VMware virtual machines to Azure.
- The sizes of the Azure virtual machines that will be used to migrate the on-premises workloads must be
identified.
- All migrated and newly deployed Azure virtual machines must be joined to the adatum.com domain.
- AG1 must load balance incoming traffic in the following manner:
- http://corporate.adatum.com/video/* will be load balanced across Pool11.
- http://corporate.adatum.com/images/* will be load balanced across Pool12.
- http://www.adatum.com will be load balanced across Pool21.
- http://fabrikam.com will be load balanced across Pool22.
- ER1 must route traffic between the New York office and platform as a service (PaaS) services in the
East US Azure region, as long as ER1 is available.
- ER1 must route traffic between the Los Angeles office and the PaaS services in the West US region, as
long as ER2 is available.
- ER1 and ER2 must be configured to fail over automatically.
Application Requirements
App2 must be available to connect directly to the private IP addresses of the Azure virtual machines. App2
will be deployed directly to an Azure virtual network.
Inbound and outbound communications to App1 must be controlled by using NSGs.
Pricing Requirements
ADatum identifies the following pricing requirements:
- The cost of App1 and App2 must be minimized

- The transactional charges of Azure Storage accounts must be minimized
QUESTION 1
What should you create to configure AG2?
A. multi-site listeners
B. URL path-based routing rules
C. basic routing rules
D. an additional public IP address
E. basic listeners
Correct Answer: A
Explanation
Explanation:
- http://www.adatum.com will be load balanced across Pool21.
- http://fabrikam.com will be load balanced across Pool22.
You need to configure an Azure Application Gateway with multi-site listeners to direct different URLs to
different pools.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/multiple-site-overview
Testlet 1
Case study
in this case study.

Overview
and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office
has 200 employees.
All the resources used by Contoso are hosted on-premises.
Contoso creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain
named contoso.onmicrosoft.com. The tenant uses the P1 pricing tier.
frequently.
Contoso.com contains a user named User1.
All the offices connect by using private links.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following
table.
Name Role Contains virtual machine
Server! VMWare vCenter server VM1
Server 2 Hyper - V-host VM2
requires 1GB of memory.
The Azure subscription contains the resources in the following table.
Name Type
VNetl Virtual network
VM3 Virtual machine
VM4 Virtuaf machine
The network security team implements several network security groups (NSGs).
Planned Changes
1. Deploy Azure ExpressRoute to the Montreal office.

2. Migrate the virtual machines hosted on Server1 and Server2 to Azure.
3. Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
4. Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical requirements
1. Ensure that WebApp1 can adjust the number of instances automatically based on the load and can
scale up to five instances.
2. Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in
the Montreal office.
3. Ensure that routing information is exchanged automatically between Azure and the routers in the
Montreal office.
4. Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
5. Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com
6. Connect the New York office to VNet1 over the Internet by using an encrypted connection.
7. Create a workflow to send an email message when the settings of VM4 are modified.
8. Create a custom Azure role named Role1 that is based on the Reader role.
9. Minimize costs whenever possible.
QUESTION 1
You need to recommend a solution to automate the configuration for the finance department users. The
solution must meet the technical requirements.
What should you include in the recommendation?
A. an Azure logic app and the Microsoft Identity Management (MIM) client
B. Azure AD Identity Protection
C. dynamic groups and conditional access policies
D. Azure AD B2C
Correct Answer: C
Explanation
Explanation:
Scenario: Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
The recommendation is to use conditional access policies that can then be targeted to groups of users,
specific applications, or other conditions.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
QUESTION 2
HOTSPOT
You need to prepare the environment to implement the planned changes for Server2.
Hot Area:
Answer Area
From the Azure portal:

Create an Azure Migrate project
Create a Recovery Sendees vault
Upload a management certificate
Create an Azure Import/Export job
On Senrer 2:
Enable Hyper-V Replica
Install the Azure File Sync asent
r
Create a collector virtual machine

'
Configure Hyper-V storage migration

Install the Azure Site Recovery Provider
Correct Answer:
Answer Area
From the Azure portal:

Create a Recovery Sendees vault
Upload a management certificate
Create an Azure Import/Export job
On Senrer2:
Enable Hyper-V Replica
Install the Azure File Sync asent
f
Create a collector virtual machine

Configure Hyper-V storage migration
Install the Azure Site Recovery Provider
Explanation
Box 1: Create a Recovery Services vault
Create a Recovery Services vault on the Azure Portal.
Box 2: Install the Azure Site Recovery Provider

Azure Site Recovery can be used to manage migration of on-premises machines to Azure.
Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Server2 has the Hyper-V host role.
References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure
QUESTION 3
You discover that VM3 does NOT meet the technical requirements.
You need to verify whether the issue relates to the NSGs.
A. Diagram in VNet1
B. Diagnostic settings in Azure Monitor
C. IP flow verify in Azure Network Watcher
D. Diagnose and solve problems in Traffic Manager profiles
E. the security recommendations in Azure Advisor
Correct Answer: C
Explanation
Scenario: Contoso must meet technical requirements including:
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the
Montreal office.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists
of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security
group, the name of the rule that denied the packet is returned. While any source or destination IP can be
chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and
from or to the on-premises environment.
References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
QUESTION 4
HOTSPOT
You need to implement Role1.
Which command should you run before you create Role1? To answer, select the appropriate options in the
answer area.
Hot Area:
Answer Area
-Name " Reader " |

Find- RoleCapability ConvertFrom-Json
Get- AzureADDirectoryRole ConvertFrom-String
Get - AzureRmRoleAssignment ConvertTo-Json
Get-AzureRmRoleDefinition ConvertTo- Xml
Correct Answer:
Answer Area
- Name " Reader " |

Find- RoleCapability ConvertFrom-Json
Get-AzureADDirectoryRole ConvertFrom-String
Get - AzureRmRoleAssignment ConvertTo-Json
Get-AzureRmRoleDefinition ConvertTo- Xml
Explanation
Testlet 1
Case Study
in this case study.

Overview
Humongous Insurance is an insurance company that has three offices in Miami, Tokyo and Bangkok. Each
office has 5.000 users.
Active Directory Environment

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com. The
functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.
Network Infrastructure
Each office has a local data center that contains all the servers for that office. Each office has a dedicated
connection to the Internet.
Each office has several link load balancers that provide access to the servers.
Active Directory Issue

Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Licensing Issue
Requirements
Planned Changes
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who
will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in
Azure.
Planned Azure AD Infrastructure
The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure

You plan to create the following networking resources in a resource group named All_Resources:
- Default Azure system routes that will be the only routes used to route traffic
- A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
- A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
- A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote
gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network
to the ClientResources-VNet virtual network.
Planned Azure Computer Infrastructure

Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows
Server 2016, or Red Hat Linux.
Department Requirements
Humongous Insurance identifies the following requirements for the company's departments:
- Web administrators will deploy Azure web apps for the marketing department. Each web app will be
added to a separate resource group. The initial configuration of the web apps will be identical. The web
- During the testing phase, auditors in the finance department must be able to review all Azure costs from
the past week.
Authentication Requirements
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless
SSO) when accessing resources in Azure.
QUESTION 1
HOTSPOT
You are evaluating the connectivity between the virtual machines after the planned implementation of the
Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer Area
Statements Yes No
The virtual machines on Subnetl will be able to connect to the virtual machines on Subnet3. o o
The virtual machines on ClientSubnet will be able to connect to the Internet. O O
The virtual machines on Subnets and Subnet4 will be able to connect to the Internet o o
Correct Answer:
Answer Area
Statements Yes No
The virtual machines on Subnetl will be able to connect to the virtual machines on Subnet3. O O
The virtual machines on ClientSubnet will be able to connect to the Internet. O O
The virtual machines on Subnets and Subnet4 will be able to connect to the Internet o O
Explanation
Once the VNets are peered, all resources on one VNet can communicate with resources on the other
peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore VMs on
Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to connect
to each other.
All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore
VMs on ClientSubnet, which is on ClientResources-VNet will have access to the Internet; and VMs on
Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
https://docs.microsoft.com/en-us/azure/networking/networking-overview#internet-connectivity
QUESTION 2
DRAG DROP
You need to prepare the environment to ensure that the web administrators can deploy the web apps as
quickly as possible.
list of actions to the answer area and arrange them in the correct order.
Select and Place:

Actions Answer Area
From the Automation script blade of
the resource group, click the
Parameters tab.

the resource group, click Add to
library
From the Templates service, select the

template, and then share the template
to the web administrators. © ©
Create a resource group, and then
deploy a web app to the resource
group .
© ©
From the Automation Accounts
service, add an automation account.

the resource group, click Deploy
Correct Answer:
Actions Answer Area

From the Automation script blade of From the Automation Accounts
the resource group, click the
Parameters tab. service, add an automation account
From the Automation script blade of From the Automation script blade of
the resource group, click Add to the resource group, dick Add to
library library
From the Templates service, select the

to the web administrators. © From the Templates service, select the
to the web administrators.
©
Create a resource group, and then
deploy a web app to the resource
group .
© ©
From the Automation Accounts
service, add an automation account.

the resource group, click Deploy
Explanation
Step 1:
First you create a storage account using the Azure portal.
Step 2:
Select Automation options at the bottom of the screen. The portal shows the template on the Template tab.
Add the storage account to the library.
Step 3:
Share the template.
Scenario: Web administrators will deploy Azure web apps for the marketing department. Each web app will
be added to a separate resource group. The initial configuration of the web apps will be identical. The web
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-quickstart-create-
templates-use-the-portal
QUESTION 3
You need to resolve the licensing issue before you attempt to assign the license again.
What should you do?
A. From the Directory role blade, modify the directory role

B. From the Groups blade, invite the user accounts to a new group
C. From the Profile blade, modify the usage location
D. https://www.certbus.com/az-300.html
Correct Answer: C
Explanation
Explanation:
License cannot be assigned to a user without a usage location specified.
Scenario: Licensing Issue

QUESTION 4
You need to define a custom domain name for Azure AD to support the planned infrastructure.
Which domain name should you use?
A. ad.humongousinsurance.com
B. humongousinsurance.local
C. humongousinsurance.com
D. humongousinsurance.onmicrosoft.com
Correct Answer: C
Explanation
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com.
The initial domain name cannot be changed or deleted, but you can add your corporate domain name to
Azure AD as well. For example, your organization probably has other domain names used to do business
and users who sign in using your corporate domain name. Adding custom domain names to Azure AD
allows you to assign user names in the directory that are familiar to your users, such as
‘alice@contoso.com.’ instead of 'alice@domain name.onmicrosoft.com'.
Scenario:
Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each
office has a dedicated connection to the Internet.
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com
Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure
AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
Testlet 1
Mix Questions A
QUESTION 1
You have an Azure subscription named Subscription1 that is used by several departments at your
company. Subscription1 contains the resources in the following table.
Name Type
Storagel Storage account
RG 1 Resource group
Containerl Blob container
Sharel File share
Another administrator deploys a virtual machine named VM1 and an Azure Storage account named
Storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?
A. Container1
B. VM1
C. Storage2
D. RG1
Correct Answer: D
Explanation
QUESTION 2
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a
different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named
VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. Vnet2 contains an Azure virtual machine named
VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
A. Modify the IP address space of VNet2.

B. Move VM1 to Subscription2.
C. Provision virtual network gateways.
D. Move VNet1 to Subscription2.
Correct Answer: C
Explanation
QUESTION 3
You have an Azure Active Directory (Azure AD) tenant.
You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of
Azure AD-joined devices when members of the Global Administrators group authenticate to Azure AD from
untrusted locations.
You need to ensure that members of the Global Administrators group will also be forced to use multi-factor
authentication when authenticating from untrusted locations.
What should you do?
A. From the Azure portal, modify session control of Policy1.

B. From multi-factor authentication page, modify the user settings.
C. From multi-factor authentication page, modify the service settings.
D. From the Azure portal, modify grant control of Policy1.
Correct Answer: D
Explanation
QUESTION 4
You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1.
VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity
of VM1.
A. From the Azure portal, modify the Access control (IAM) settings of RG1.
B. From the Azure portal, modify the Policies settings of RG1.
C. From the Azure portal, modify the Access control (IAM) settings of VM1.
D. From the Azure portal, modify the value of the Managed Service Identity option for VM1.
Correct Answer: D
Explanation
References:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
QUESTION 5
You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD
Seamless SSO) for an on-premises network.
Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to
sign in and are forced to use an account name that ends with onmicrosoft.com.
You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory.
You need to ensure that the users can use single-sign on (SSO) to access Azure resources.
A. From on-premises network, deploy Active Directory Federation Services (AD FS).
B. From Azure AD, add and verify a custom domain name.
C. From on-premises network, request a new certificate that contains the Active Directory domain name.
D. From the server that runs Azure AD Connect, modify the filtering options.
Correct Answer: B
Explanation
QUESTION 6
You have an Active Directory forest named contoso.com.
You install and configure AD Connect to use password hash synchronization as the single sign-on(SSO)
method. Staging mode is enabled.
You review the synchronization results and discover that the Synchronization Service Manager does not
display any sync jobs.
You need to ensure that the synchronization completes successfully.
What should you do?
A. From Azure PowerShell, run Start-AdSyncSycnCycle 璓olicyType Initial.

B. Run Azure AD Connect and set the SSO method to Pass-through Authentication.
C. From Synchronization Service Manager, run a full import.
D. Run Azure AD Connect and disable staging mode.
Correct Answer: D
Explanation
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-operations
QUESTION 7
You have an Azure subscription that contains 100 virtual machines.
You regularly create and delete virtual machines.
You need to identify unattached disks that can be deleted.
What should you do?
A. From Microsoft Azure Storage Explorer, view the Account Management properties.
B. From Azure Cost Management, create a Cost Management report.
C. From the Azure portal, configure the Advisor recommendations.
D. From Azure Cost Management, open the Optimizer tab and create a report.
Correct Answer: D
Explanation
QUESTION 8
You have an Azure subscription that contains 10 virtual machines.
You need to ensure that you receive an email message when any virtual machines are powered off,
restarted, or deallocated.
What is the minimum number of rules and action groups that you require?
A. three rules and three action groups

B. one rule and one action group
C. three rules and one action group
D. one rule and three action groups
Correct Answer: C
Explanation
QUESTION 9
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016
Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server
components installed.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Upload a configuration script.

B. Create an automation account.
C. Create a new virtual machine scale set in the Azure portal.
D. Create an Azure policy.
E. Modify the extensionProfile section of the Azure Resource Manager template.
Correct Answer: CE
Explanation
References:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
QUESTION 10
You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a
less expensive offering.
Which blade should you use?
A. Customer insights
B. Monitor
C. Advisor
D. Metrics
Correct Answer: C
Explanation
References:
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations
QUESTION 11
An app uses a virtual network with two subnets. One subnet is used for the application server. The other
subnet is used for a database server. A network virtual appliance (NVA) is used as a firewall.
Traffic destined for one specific address prefix is routed to the NVA and then to an on-premises database
server that stores sensitive data. A Border Gateway Protocol (BGP) route is used for the traffic to the on-
premises database server.
You need to recommend a method for creating the user-defined route.
Which two options should you recommend? Each correct answer presents a complete solution.

A. For the virtual network configuration, use a VPN.
B. For the next hop type, use virtual network peering.
C. For the virtual network configuration, use Azure ExpressRoute.
D. For the next hop type, use a virtual network gateway.
Correct Answer: AC
Explanation
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
QUESTION 12
You manage a solution in Azure that consists of a single application which runs on a virtual machine (VM).
Traffic to the application has increased dramatically.
The application must not experience any downtime and scaling must be dynamically defined.
You need to define an auto-scale strategy to ensure that the VM can handle the workload.
Which three options should you recommend? Each correct answer presents a complete solution.
A. Deploy application automatic vertical scaling.

B. Create a VM availability set.
C. Create a VM scale set.
D. Deploy application automatic horizontal scaling.
E. Deploy a custom auto-scale implementation.
Correct Answer: CDE

Explanation
QUESTION 13
You are implementing authentication for applications in your company. You plan to implement self-service
password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD).
You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use? Each correct answer presents a complete solution.
A. Short Message Service (SMS) messages

B. Azure AD passwords
C. Email addresses
D. Security questions
E. App passwords
Correct Answer: AB
Explanation
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
QUESTION 14
Note: This question is part of series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have more
than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions
will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in
separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the
virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Explanation
How can I freeze or lock my production/critical Azure resources from accidental deletion? There is way to
do this with both ASM and ARM resources using Azure resource lock.
References:
https://blogs.msdn.microsoft.com/azureedu/2016/04/27/using-azure-resource-manager-policy-and-azure-
lock-to-control-your-azure-resources/
QUESTION 15
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named
RG1. RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the RG1 blade, you click Automation script.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 16
Solution: From the Subscription blade, you select the subscription, and then click Resource providers.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 17
Solution: From the RG1 blade, you click Deployments.
A. Yes
B. No
Correct Answer: A
Explanation
QUESTION 18
You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each correct answer
presents part of the solution.
A. a dataset CSV file

B. an XML manifest file
C. a driveset CSV file
D. a PowerShell PS1 file
E. a JSON configuration file
Correct Answer: AC
Explanation
A: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to
import a file or folder or both, add entries in the dataset.csv file
C: Modify the driveset.csv file in the root folder where the tool resides.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files
QUESTION 19
You create an Azure Storage account named contosostorage.
You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which outbound port should you open between the home computers and the data file share?
A. 80
B. 443
C. 445
D. 3389
Correct Answer: C
Explanation
Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open; connections will fail if port
445 is blocked.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
QUESTION 20
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)
O Refresh Move HD Delete
»M»M» .
Resource group (crungei Address space
Production 102.0.0/16
Location DNS servers
West US Azure provided DNS service
Subscription fchang#)
Production subscription
Subscription ID
-
14d26092 - 8e42 -4ea7 b770 - 9dcef70fb1ea
Tags (ctung«)
Click here to add tags
A
Connected devices
P
DEVICE TYPE IP AOORfSS SUBNET
No results.
No devices are connected to VNet1.
You plan to peer VNet1 to another virtual network named VNet2 in the same region. VNet2 has an address
space of 10.2.0.0/16.
You need to create the peering.
A. Add a gateway subnet to VNet1.

B. Create a subnet on VNet1 and VNet2
C. Modify the address space of VNet1
D. Configure a service endpoint on VNet2
Correct Answer: C
Explanation
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that
VNet1 has an address space of 10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to
change the address space for VNet1.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-
constraints
QUESTION 21
You have an Azure tenant that contains two subscriptions named Subscription1 and Subscription2.
In Subscription1, you deploy a virtual machine named Server1 that runs Windows Server 2016. Server1
uses managed disks.
You need to move Server1 to Subscription2. The solution must minimize administration effort.
A. Create a new virtual machine in Subscription2

B. In Subscription2, create a copy of the virtual disk
C. Create a snapshot of the virtual disk
D. From Azure PowerShell, run the Move-AzureRmResource cmdlet
Correct Answer: D
Explanation
To move existing resources to another resource group or subscription, use the Move-AzureRmResource
cmdlet.
References:
https://docs.microsoft.com/en-in/azure/azure-resource-manager/resource-group-move-resources#move-
resources
QUESTION 22
You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit.
(Click the Exhibit tab.)
Question [ Exhibit
Settings for VMT on LON - HOST! X
VMl < * o
. .
St H irdv» irc
ii Add Hardwire
BIOS
—
« I Integration Services
-
Select the services that you went Hyper V to offer to this virtual rwtne. To use the
services you select, they must be supported by the guest operating system
hen *T>
Examc es of services that nvght not be evon the guest operatng system ndude
9 Secvnty
»r - Cm« dr atdas
*
Volume Shadow Copy Sevtw and operabng system shutdown
Memory Services
P
* O Processor
^ Operating system shutdown
Trr>» synchronyabcn
d irocesaos Date Exchange
a ICC Coct/ oHer O P3 Heartbeat
Herd Orrce P'* Backup ( volume shadow copy)
* VM| vfxS
*
['
Guest services
ICC Conercder I
DVD Orrve
He
SCSI Corrfroftev
• 14 Network Adapter
*NFTi
• i, Network Adapter
VTCTJ
V cc* t1
II cc*12
Q Diskette Orrve
Mn
St Hvnrtocmml
*
I Name
Vf'tl
*~
lr V Services
Seme services offered
> -
’Ihedports
Pioddett
C Cancel
*
You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.
What should you modify on VM1?
A. the processor
B. the memory
C. Integration Services
D. the hard drive
E. the network adapters
Correct Answer: D
Explanation
From the exhibit we see that the disk is in the VHDX format.
Before you upload a Windows virtual machines (VM) from on-premises to Microsoft Azure, you must
prepare the virtual hard disk (VHD or VHDX). Azure supports only generation 1 VMs that are in the VHD
file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You can
convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to
fixed-sized.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image?
toc=azure virtual-machines windows toc.json
QUESTION 23
You have an Azure policy as shown in the following exhibit.
SCOPE
* Scope ilw>n more about setting the scope)

S^Cisoiotior.
E '.elusions
Subscription ' CentoscRG I
BASICS
* Pal cy de* n &o »'

'
’
.
Net :* ec -escijrcef. pes
Assignment name O
Net s OA =c ' esoorce types ]
Assignment ID-
' S utscT ' set - o- s- 5enbSd-Z ' to6-ce3b- AceC- ao3 ~ -9f5311beersbb -
p r e c e s M•crasofr Auth 3 ' <zat > o - co ’ ic -ssgrrnerts 0e6n:-36tP#SSA.f5-tacEae2aS
Description
?—
Assigned by
-
: :onxoso com
admin1:
PARAMETERS
" Not avowed - esouTCc -

t pes O
^
K ’ crosoftSq sen e^ s 1
.
What is the effect of the policy?

A. You can create Azure SQL servers in any resource group within Subscription 1.
B. You can create Azure SQL servers in ContosoRG1 only.
C. You are prevented from creating Azure SQL Servers in ContosoRG1 only.
D. You are prevented from creating Azure SQL servers anywhere in Subscription 1.
Correct Answer: B
Explanation
You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the exception of
ContosoRG1
QUESTION 24
You have an Azure subscription that contains a resource group named RG1. RG1 contains 100 virtual
machines.
Your company has three cost centers named Manufacturing, Sales, and Finance.
You need to associate each virtual machine to a specific cost center.
What should you do?
A. Add an extension to the virtual machines

B. Modify the inventory settings of the virtual machine
C. Assign tags to the virtual machines
D. Configure locks for the virtual machine
Correct Answer: C
Explanation
References:
https://docs.microsoft.com/en-us/azure/billing/billing-getting-started
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
QUESTION 25
You have an Azure subscription that contains two storage accounts named storagecontoso1 and
storagecontoso2. Each storage account contains a queue service, a table service, and a blob service.
You develop two apps named App1 and App2. You need to configure the apps to store different types of
data to all the storage services on both the storage accounts.
How many endpoints should you configure for each app?
A. 2
B. 3
C. 6
D. 12
Correct Answer: A
Explanation
Each app needs a service endpoint in each Storage Account.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
QUESTION 26
You have an Azure subscription that contains three virtual networks named VNet1, VNet2, and VNet3.
VNet2 contains a virtual appliance named VM2 that operates as a router.
You are configuring the virtual networks in a hub and spoke topology that uses VNet2 as the hub network.
You plan to configure peering between VNet1 and VNet2 and between VNet2 and VNet3.
You need to provide connectivity between VNet1 and VNet3 through VNet2.
Which two configurations should you perform? Each correct answer presents part of the solution.
A. On the peering connections, allow forwarded traffic

B. Create a route filter
C. On the peering connections, allow gateway transit
D. Create route tables and assign the table to subnets
E. On the peering, use remote gateways
Correct Answer: CE
Explanation
Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual network
and want to allow traffic from the peered virtual network to flow through the gateway.
The peered virtual network must have the Use remote gateways checkbox checked when setting up the
peering from the other virtual network to this virtual network.
References:
constraints
QUESTION 27
You are planning to create a virtual network that has a scale set that contains six virtual machines (VMs).
A monitoring solution on a different network will need access to the VMs inside the scale set.
You need to define public access to the VMs.
Solution: Deploy a standalone VM that has a public IP address to the virtual network.
A. Yes
B. No
Correct Answer: A
Explanation
QUESTION 28
Solution: Implement an Azure Load Balancer.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 29
Solution: Design a scale set to automatically assign public IP addresses to all VMs.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 30
You are developing an app that references data which is sharded across multiple Azure SQL databases.
The app must guarantee transactional consistency for changes across several different sharding key
values.
You need to manage the transactions.
What should you implement?
A. Elastic database transactions with horizontal partitioning.

B. Distributed transactions coordinated by Microsoft Distributed Transaction Coordinator (MSDTC).
C. Server-coordinated transactions from .NET application.
D. Elastic database transactions with vertical partitioning.
Correct Answer: A
Explanation
References:
https://docs.microsoft.com/mt-mt/azure/sql-database/sql-database-elastic-transactions-overview?
view=azurermps-6.13.0
QUESTION 31
You are developing a speech-enabled home automation control bot.
The bot interprets some spoken words incorrectly.
You need to improve the spoken word recognition for the bot.
A. The Skype for Business Channel and use scorable dialogs for improving conversation flow.
B. The Web Chat Channel and Speech priming using a Bing Speech Service and LUIS app.
C. The Skype Channel and use scorable dialogs for improving conversation flow.
D. The Cortana Channel and use scorable dialogs for improving conversation flow.
Correct Answer: B
Explanation
QUESTION 32
A company is migrating an existing on-premises third-party website to Azure. The website is stateless.
The company does not have access to the source code for the website. They do not have the original
installer.
The number of visitors at the website varies throughout the year. The on-premises infrastructure was
resized to accommodate peaks but the extra capacity was not used.
You need to implement a virtual machine scale set instance.
What should you do?
A. Use an autoscale setting to scale instances vertically

B. Create 100 autoscale settings per resource
C. Scale out by one instance when the average CPU usage of one of the instances is over 80 percent
D. Use Azure Monitor to create autoscale settings using custom metrics
E. Use an autoscale setting with unlimited maximum number of instances
Correct Answer: D
Explanation
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-custom-metric
QUESTION 33
Your company is developing an e-commerce Azure App Service Web App to support hundreds of
restaurant locations around the world.
You are designing the messaging solution architecture to support the e-commerce transactions and
messages. The solution will include the following features:
Feature Requirement
Shoppmg • Items in a shoppmg cart must be processed by an Azure Function within a
Cart specified number of minutes. Failure to process should move the items to a
failed state for processing by a separate Azure Function
• Shoppmg cart transactions must not be lost and fault conditions must be
processed separately
• -
Shoppmg cart transactions must be read by the inventory and sales systems
for further processing
Inventory' • Items sent to the inventory system must run a separate workflow for each
Distribution item that includes warehouse , shipping, and order processing updates
• Inventory uses Azure Blob storage to store inventory items and related
information
• Inventory' is processed by using an Azure Logic App
Restaurant • Restaurants stream millions of daily events from all locations
Telemetry • Restaurant data should be captured m Azure Blob storage for conditional
processing
• Restaurant event data should expire after 24 hours
You need to design a solution for the Inventory Distribution feature.
A. Azure Service Bus

B. Azure Relay
C. Azure Event Grid
D. Azure Event Hub
Correct Answer: A
Explanation
Microsoft Azure Service Bus is a fully managed enterprise integration message broker. Service Bus is
most commonly used to decouple applications and services from each other, and is a reliable and secure
platform for asynchronous data and state transfer.
One common messaging scenario is Messaging: transfer business data, such as sales or purchase orders,
journals, or inventory movements.
Incorrect Answers:
B: The Azure Relay service enables you to securely expose services that run in your corporate network to
the public cloud.
References:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview
QUESTION 34
You are responsible for mobile app development for a company. The company develops apps on Windows
Mobile, IOS, and Android.
You plan to integrate push notifications into every app.
You need to be able to send users alerts from a backend server.
Which two options can you use to achieve this goal? Each correct answer presents a complete solution.
A. Azure Web App

B. Azure Mobile App Service
C. Azure SQL Database
D. Azure Notification Hubs
E. a virtual machine
Correct Answer: BD
Explanation
The Mobile Apps client enables you to register for push notifications with Azure Notification Hubs.
The following platforms are supported:

Xamarin Android releases for API 19 through 24 (KitKat through Nougat)
Xamarin iOS releases for iOS versions 8.0 and later
Universal Windows Platform
Windows Phone 8.1
Windows Phone 8.0 except for Silverlight applications
References:
https://docs.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-dotnet-how-to-use-client-
library
QUESTION 35
You download an Azure Resource Manager template based on an existing virtual machine. The template
will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent the password
from being stored in plain text.
What should you create to store the password?
A. an Azure Key Vault and an access policy.

B. an Azure Storage account and an access policy.
C. Azure Active Directory (AD) Identity Protection and an Azure policy.
D. a Recovery Services vault and a backup policy.
Correct Answer: A
Explanation
QUESTION 36
You are the global administrator for an Azure Active Directory (Azure AD) tenant named adatum.com.
You need to enable two-step verification for Azure users.
What should you do?
A. Create an Azure AD conditional access policy.

B. Configure a playbook in Azure Security Center.
C. Enable Azure AD Privileged Identity Management.
D. Install an MFA Server.
Correct Answer: A
Explanation
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
QUESTION 37
You have a Recovery Service vault that you use to test backups. The test backups contain two protected
virtual machines.
You need to delete the Recovery Services vault.
A. From the Recovery Service vault, delete the backup data

B. Modify the disaster recovery properties of each virtual machines
C. Modify the locks of each virtual machine
D. From the Recovery Service vault, stop the backup of each backup item
Correct Answer: D
Explanation
You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to
delete a vault, but can't, the vault is still configured to receive backup data.
Remove vault dependencies and delete vault
In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this
menu, you can stop and delete Azure File Servers, SQL Servers in Azure VM, and Azure virtual machines.
Servnes iwjft
M
0 .
Si=f?Trt 'Ojrf « V it O Refresh
SROFfCUD ITEMS * BACKUP MANAGEMENT TYPE BACKUP HEM COUNT
. Ifiackup items
ii Azure Storage CAzure Tiles ?
I
5 Replicated items Azure Backup Server 3
MA4AGE
ISQL JiiAzvifrVM 1
Azure Backup AgerU 1

site Kecovety infrastructure
2 EkKk;up infrastructure
IAzure VrxtuaJ MflcNnff 1
PM
Recovery Plans {Site Renr /=Fy ?
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
QUESTION 38
You have the Azure virtual machines shown in the following table.
Name Azure region

VM 1 West Europe
VM. 2 West Europe
VMB North burope
VM4 North Europe
You have a Recovery Services vault that protects VM1 and VM2.
You need to protect VM3 and VM4 by using Recovery Services.

A. Create a new backup policy

B. Create a new Recovery Services vault
C. Configure the extensions for VM3 and VM4
D. Create a storage account
Correct Answer: B
Explanation
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of
data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can
use Recovery Services vaults to hold backup data for various Azure services
References:
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication
QUESTION 39
You have an Azure Active Directory (Azure AD) domain that contains 5,000 user accounts. You create a
new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
A. From the Directory role blade, modify the directory role

B. From the Licenses blade, assign a new license
C. From the Groups blade, invite the user account to a new group
Correct Answer: A
Explanation
Assign a role to a user
1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the
directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles
from the Directory roles list, such as Conditional access administrator.
4. Press Select to save.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-
azure-portal
QUESTION 40
You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com.
You have a Microsoft account that you use to sign in to both tenants.
You need to configure the default sign-in tenant for the Azure portal.
What should you do?
A. From the Azure portal, configure the portal settings

B. From the Azure portal, change the directory
C. From Azure Cloud Shell, run Set-AzureRmContext
D. From Azure Cloud Shell, run Set-AzureRmSubscription
Correct Answer: B
Explanation
Change the subscription directory in the Azure portal.
The classic portal feature Edit Directory, that allows you to associate an existing subscription to your Azure
Active Directory (AAD), is now available in Azure portal. It used to be available only to Service Admins with
Microsoft accounts, but now it's available to users with AAD accounts as well.
To get started:
1. Go to Subscriptions.
2. Select a subscription.
3. Select Change directory.
Incorrect Answers:
C: The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current
session. The context includes tenant, subscription, and environment information.
References:
https://azure.microsoft.com/en-us/updates/edit-directory-now-in-new-portal/
QUESTION 41
You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named admin1@contoso.com ad an administrator on all the computers that will be
joined to the Azure AD domain.
What should you configure in Azure AD?
A. Providers from the MFA Server blade

B. General settings from the Groups blade
C. Device settings from the Devices blade
D. User settings from the Users blade
Correct Answer: D
Explanation
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following
security principles to the local administrators group on the device:
The Azure AD global administrator role
The Azure AD device administrator role
The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the
Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined
devices.
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
QUESTION 42
You have an Azure virtual machine named VM1 that you use for testing. VM1 is protected by Azure
Backup.
You delete VM1.
You need to remove the backup data stored for VM1.

A. Delete the storage account

B. Stop the backup
C. Modify the backup policy
D. Delete the Recovery Services vault
Correct Answer: C
Explanation
Azure Backup provides backup for virtual machines -- created through both the classic deployment model
and the Azure Resource Manager deployment model -- by using custom-defined backup policies in a
Recovery Services vault. With the release of backup policy management, customers can manage backup
policies and model them to meet their changing requirements from a single window. Customers can edit a
policy, associate more virtual machines to a policy, and delete unnecessary policies to meet their
compliance requirements.
Incorrect Answers:
D: You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try
to delete a vault, but can't, the vault is still configured to receive backup data.
References:
https://azure.microsoft.com/en-in/updates/azure-vm-backup-policy-management/
QUESTION 43
You have an Azure subscription named Subscription1. You deploy a Linux virtual machine named VM1 to
Subscription1.
You need to monitor the metrics and the logs of VM1.
A. the AzurePerformanceDiagnostics extension

B. Linux Diagnostic Extension (LAD) 3.0
C. Azure Analysis Services
D. Azure HDInsight
Correct Answer: A
Explanation
You can use extensions to configure diagnostics on your VMs to collect additional metric data.
The basic host metrics are available, but to see more granular and VM-specific metrics, you need to install
the Azure diagnostics extension on the VM. The Azure diagnostics extension allows additional monitoring
and diagnostics data to be retrieved from the VM.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-monitoring
QUESTION 44
You have two Azure virtual machines named VM1 and VM2.
You have two Recovery Services vaults named RSV1 and RSV2. VM2 is protected by RSV1.
You need to use RSV2 to protect VM2.
A. From the RSV2 blade, click Backup. From the Backup blade, select the backup for the virtual machine,
and then click Backup
B. From the RSV1 blade, click Backup items and stop the VM2 backup
C. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the
Recovery Services vault
D. From the RSV1 blade, click Backup Jobs and export the VM2 job
Correct Answer: C
Explanation
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm
QUESTION 45
You have a resource group named RG1. RG1 contains an Azure Storage account named storageaccount1
and a virtual machine named VM1 that runs Windows Server 2016.
Storageaccount1 contains the disk files for VM1.
You apply a ReadOnly lock to RG1.
What can you do from the Azure portal?
A. Start VM1
B. Upload a blob to storageaccount1
C. View the keys of storageaccount1
D. generate an automation script for RG1
Correct Answer: C
Explanation
ReadOnly allows authorized users to read a resource, but they can't delete or update the resource.
Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader
role.
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
QUESTION 46
You have an Azure App Service API that allows users to upload documents to the cloud with a mobile
device. A mobile app connects to the service by using REST API calls.
When a new document is uploaded to the service, the service extracts the document metadata. Usage
statistics for the app show significant increases in app usage.
The extraction process is CPU-intensive. You plan to modify the API to use a queue.
You need to ensure that the solution scales, handles request spikes, and reduces costs between request
spikes.
What should you do?
A. Configure a CPU Optimized virtual machine (VM) and install the Web App service on the new instance.
B. Configure a series of CPU Optimized virtual machine (VM) instances and install extraction logic to
process a queue.
C. Move the extraction logic into an Azure Function. Create a queue triggered function to process the
queue.
D. Configure Azure Container Service to retrieve items from a queue and run across a pool of virtual
machine (VM) nodes using the extraction logic.
Correct Answer: C
Explanation
QUESTION 47
You create a social media application that users can use to upload images and other content.
Users report that adult content is being posted in an area of the site that is accessible to and intended for
young children.
You need to automatically detect and flag potentially offensive content. The solution must not require any
custom coding other than code to scan and evaluate images.
A. Bing Visual Search

B. Bing Image Search
C. Custom Vision Search
D. Computer Vision API
Correct Answer: D
Explanation
QUESTION 48
You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the
following table.
RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
Name Azure region Policy

RG1 West Europe Policy 1
RG2 North Europe -• otic.- Z
RGB hr-ance Central Policy 3
You move WebApp1 to RG2.
What is the effect of the move?
A. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.
B. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
C. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
D. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
Correct Answer: D
Explanation
You can move an app to another App Service plan, as long as the source plan and the target plan are in
the same resource group and geographical region.
The region in which your app runs is the region of the App Service plan it's in. However, you cannot
change an App Service plan's region.
References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage
QUESTION 49
You create the following Azure role definition.
{
"Name": "Role1",
"Id": "80808080-8080-8080-8080-808080808080",
IsCustom : false,
"Description": "",
"Actions" : [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read"],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": []
}
You need to create Role1 by using the role definition.
Which two values should you modify before you create Role1? Each correct answer presents part of
solution.
A. IsCustom
B. DataActions
C. Id
D. AssignableScopes
E. Description
Correct Answer: AD
Explanation
Part of example:
"IsCustom": true,
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId3}"
The following shows what a custom role looks like as displayed in JSON format. This custom role can be
used for monitoring and restarting virtual machines.
{
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId3}"
]
}
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
QUESTION 50
You have an Azure App Service named WebApp1.
You plan to add a WebJob named WebJob1 to WebApp1.
You need to ensure that WebJob1 is triggered every 15 minutes.
What should you do?
A. Change the Web.config file to include the 1-31 1-12 1-7 0*/15* CRON expression
B. From the properties of WebJob1, change the CRON expression to 0*/15****.
C. Add a file named Settings.job to the ZIP file that contains the WebJob script. Add the
1-31 1-12 1-7 0*/15* CRON expression to the JOB file
D. Create an Azure Automation account and add a schedule to the account. Set the recurrence for the
schedule
Correct Answer: B
Explanation
You can enter a CRON expression in the portal or include a settings.job file at the root of your WebJob .zip
file, as in the following example:
{
"schedule": "0 */15 * * * *"
}
References:
https://docs.microsoft.com/en-us/azure/app-service/webjobs-create
QUESTION 51
You have an on-premises virtual machine named VM1 configured as shown in the following exhibit.
r Settings for VMT on ION- HOST! X
VMl v « ;o
ft HardWdf c Integration Services
§* Add Hardware
BIOS
services
-
Select the service that you want Hyper V to offer to this wtoal machine. To use the
*
you select , they must be supported by the guest operating system.
Boc from >2 *
9 Security
* Examples of services that might not be available on the guest operating system ndude
Vok ne Shadow Copy Service and operatng system shutdown.
Key Storage CW» *» dbattod *
Services
*
Memory
0 Operatng system shutdown
O Processor 0 Tre synchronization
9 processors 0 Data Exchange
© m ICC Controier 0 0 Heartbeat
HardOrrve 0 Backup (vok*ne shadow copy )
~
VMl vWr [ ] Guest services

© ICC Controter 1
DVDOrrve
Nent
CJ SCSI Control
Network Adapter
#
Vf£7|
& 4 Network. Adapter
VNtT2
V COM I
No* e -
V COM 2
Wore
Q Diskette Drtve
None
ft Management
I
VMl
3 Integration Set vices
Some services offered
a Checkponts
Production v
or Cancel
VM is started.
You need to create a new virtual machine image in Azure from VM1.
Which three actions should you perform before you create the new image? Each correct answer presents
part of the solution.
A. Remove the Backup (volume shadow copy) integration service

B. Generalize VM1
C. Run Add-AzureRmVhd and specify a blob service container as the destination
D. Run Add-AzureRmVhd and specify a file share as the destination
E. Reduce the amount of memory to 16 GB
Correct Answer: ABC

Explanation
Sysprep removes all your personal account and security information, and then prepares the machine to be
used as an image.
The Add-AzureRmVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a blob storage
account as fixed virtual hard disks.
References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/add-azurermvhd?view=azurermps-
6.13.0
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource
QUESTION 52
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named
Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group
named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource
group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
A. Yes
B. No
Correct Answer: B
Explanation
The DevTest Labs User role lets you connect, start, restart, and shutdown your virtual machines in your
Azure DevTest Labs.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#devtest-labs-user
QUESTION 53
named Dev.
group.
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.

A. Yes
B. No
Correct Answer: B
Explanation
The Logic App Contributor role lets you read, enable and disable logic app.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor
QUESTION 54
named Dev.
group.
Solution: On Dev, you assign the Contributor role to the Developers group.
A. Yes
B. No
Correct Answer: A
Explanation
The Contributor role lets you manage everything except access to resources. It allows you to create and
manage resources of all types, including creating Azure logic apps.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
QUESTION 55
A company backs up data to on-premises servers at their main facility. The company currently has 30 TB
of archived data that infrequently used. The facility has download speeds of 100 Mbps and upload speeds
of 20 Mbps.
You need to securely transfer all backups to Azure Blob Storage for long-term archival. All backup data
must be sent within seven days.
Solution: Backup data to local disks and use the Azure Import/Export service to send backups to Azure
Blob Storage.
A. Yes
B. No
Correct Answer: A
Explanation
QUESTION 56
of 20 Mbps.
Solution: Create a file share in Azure Files. Mount the file share to the server and upload the files to the file
share. Transfer the files to Azure Blob Storage.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 57
of 20 Mbps.
Solution: Use the Set-AzureStorageBlobContent Azure PowerShell command to copy all backups
asynchronously to Azure Blob Storage.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 58
You have an on-premises network that contains a Hyper-V host named Host1. Host1 runs Windows Server
2016 and hosts 10 virtual machines that run Windows Server 2016.
You plan to replicate the virtual machines to Azure by using Azure Site Recovery.
You create a Recovery Services vault named ASR1 and a Hyper-V site named Site1.
You need to add Host1 to ASR1.
What should you do?
A. Download the installation file for the Azure Site Recovery Provider.
Download the storage account key.
Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
B. Download the installation file for the Azure Site Recovery Provider.
Download the vault registration key.
Install the Azure Site Recovery Provider on Host1 and register the server.
C. Download the installation file for the Azure Site Recovery Provider.
Download the storage account key.
Install the Azure Site Recovery Provider on Host1 and register the server.
D. Download the installation file for the Azure Site Recovery Provider.
Download the vault registration key.
Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
Correct Answer: B
Explanation
References:
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-tutorial
QUESTION 59
You plan to migrate an on-premises Hyper-V environment to Azure by using Azure Site Recovery. The
Hyper-V environment is managed by using Microsoft System Center Virtual Machine Manager (VMM).
The Hyper-V environment contains the virtual machines in the following table:
Name Operating OS disk size BitLocker Generation
system ( OS) Drive
Encryption
( BitLocker )
enabled on 05
disks.
DC1 Windows 500 GB No 2
Server 2016
FS1 Ubuntu 16.04 200 GB No 2
LTS
CA1 Windows 1TB Yes 1
Server 2012 R2
SQL1 Windows 200 GB No 1
Server 2016
Which virtual machine can be migrated by using Azure Site Recovery?
A. FS1
B. CA1
C. DC1
D. SQL1
Correct Answer: D
Explanation
References:
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix#azure-vm-requirements
QUESTION 60
You have an Azure subscription named Subscription1 that contains two Azure networks named VNet1 and
VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site
VPN connection between your on-premises network and VNet1.
On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to
VNet1.
You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2
from the on-premises network. Client1 is unable to connect to VNet2.
You need to ensure that you can connect Client1 to VNet2.
What should you do?
A. Select Allow gateway transit on VNet1.

B. Download and re-install the VPN client configuration package on Client1.
C. Enable BGP on VPNGW1.
D. Select Allow gateway transit on VNet2.
Correct Answer: B
Explanation
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
QUESTION 61
You have a Microsoft SQL Server Always On availability group on Azure virtual machines.
You need to configure an Azure internal load balancer as a listener for the availability group.
What should you do?
A. Create an HTTP health probe on port 1433.

B. Set Session persistence to Client IP.
C. Set Session persistence to Client IP and protocol.
D. Enable Floating IP.
Correct Answer: D
Explanation
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-
alwayson-int-listener
QUESTION 62
You set the multi-factor authentication status for a user named admin1@contoso.com to Enabled.
Admin1 accesses the Azure portal by using a web browser.
Which additional security verifications can Admin1 use when accessing the Azure portal?
A. an app password, a text message that contains a verification code, and a verification code sent from
the Microsoft Authenticator app
B. a phone call, a text message that contains a verification code, and a notification or a verification code
sent from the Microsoft Authenticator app
C. a phone call, an email message that contains a verification code, and a text message that contains an
app password
D. an app password, a text message that contains a verification code, and a notification sent from the
Microsoft Authenticator app
Correct Answer: B
Explanation
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
QUESTION 63
All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal only from your on-premises
network.
What should you configure?
A. the default for all the roles in Azure AD Privileged Identity Management
B. an Azure AD Identity Protection user risk policy
C. an Azure AD Identity Protection sign-in risk policy
D. the multi-factor authentication service settings
Correct Answer: D
Explanation
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
QUESTION 64
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1
is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
Reader
Security Admin
Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Assign User1 the Owner role for VNet1.

B. Assign User1 the Network Contributor role for VNet1.
C. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the
Contributor role for Subscription1.
D. Remove User1 from the Security Reader and Reader roles for Subscription1.
Correct Answer: A
Explanation
QUESTION 65
You are building a custom Azure function app to connect to Azure Event Grid.
You need to ensure that resources are allocated dynamically to the function app. Billing must be based on
the executions of the app.
What should you configure when you create the function app?
A. the Windows operating system and the App Service plan hosting plan
B. the Docker container and an App Service plan that uses the B1 pricing tier
C. the Windows operating system and the Consumption plan hosting plan
D. the Docker container and an App Service plan that uses the S1 pricing tier
Correct Answer: C
Explanation
References:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale
QUESTION 66
You have an Azure Service Bus.
You need to implement a Service Bus queue that guarantees first-in-first-out (FIFO) delivery of messages.
What should you do?

A. Enable partitioning
B. Enable duplicate detection
C. Set the Lock Duration setting to 10 seconds
D. Enable sessions
E. Set the Max Size setting of the queue to 5 GB
Correct Answer: D
Explanation
References:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-azure-and-service-bus-
queues-compared-contrasted
QUESTION 67
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a
virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from VNet1 to an on-premises
computer.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Add a service endpoint to VNet1.

B. Add a public IP address space to VNet1.
C. Create a route-based virtual network gateway.
D. Reset GW1.
E. Delete GW1.
F. Add a connection to GW1.
Correct Answer: CE
Explanation
QUESTION 68
You have an Azure subscription that contains the resources shown in the following table.
Name Type Address space

VNET 1 Virtual network 10.1.1.0/ 24
Subnet 1 Subnet 10.11 , 0/ 24
VM1 Virtual machine Not applicable
Subnet1 is on VNET1. VM1 connects to Subnet1.
You plan to create a virtual network gateway on VNET1.
You need to prepare the environment for the planned virtual network gateway.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
A. Modify the address space used by VNET1.

B. Modify the address space used by Subnet1.
C. Create a subnet named GatewaySubnet on VNET1.
D. Create a local network gateway.
E. Delete Subnet1.
Correct Answer: AE
Explanation
QUESTION 69
A company hosts virtual machines (VMs) in an on-premises datacenter and in Azure. The on-premises and
Azure-based VMs communicate using ExpressRoute.
The company wants to be able to continue regular operations if the ExpressRoute connection fails.
Failover connections must use the Internet and must not require Multiprotocol Label Switching (MPLS)
support.
You need to recommend a solution that provides continued operations.
What should you recommend?
A. Set up a second ExpressRoute connection.

B. Increase the bandwidth of the existing ExpressRoute connection.
C. Increase the bandwidth for the on-premises internet connection.
D. Set up a VPN connection.
Correct Answer: D
Explanation
References:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/
expressroute-vpn-failover
QUESTION 70
You have a web app named WebApp1 that uses an Azure App Service plan named Plan1. Plan1 uses the
D1 pricing tier and has an instance count of 1.
You need to ensure that all connections to WebApp1 use HTTPS.
A. Scale up Plan1.
B. Modify the connection strings for WebApp1.
C. Scale out Plan1.
D. Disable anonymous access to WebApp1.
Correct Answer: A
Explanation
The D1 (Shared) pricing tier does not support HTTPS.
QUESTION 71
You have an Azure subscription that contains an Azure Service Fabric cluster and a Service Fabric
application named FabricApp.
You develop and package a Service Fabric application named AppPackage. AppPackage is saved in a
compressed folder named AppPackage.zip.
You upload AppPackage.zip to an external store.
You need to register AppPackage in the Azure subscription.

6.35 inch
A. Run the New-ServiceFabricApplication cmdlet.

B. Repackage the application in a file named App.sfpkg.
C. Create a new Service Fabric cluster.
D. Copy AppPackage.zip to a blob storage account.
Correct Answer: B
Explanation
References:
https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-package-apps#create-an-sfpkg
QUESTION 72
You develop an entertainment application where users can buy and trade virtual real estate. The
application must scale to support thousands of users.
The current architecture includes five Azure virtual machines (VM) that connect to an Azure SQL Database
for account information and Azure Table Storage for backend services. A user interacts with these
components in the cloud at any given time.
Routing Service ?Routes a request to the appropriate service and must not persist data across sessions.
Account Service ?Stores and manages all account information and authentication and requires data to
persist across sessions
User Service ?Stores and manages all user information and requires data to persist across sessions.
Housing Network Service ?Stores and manages the current real-estate economy and requires data to
persist across sessions.
Trade Service ?Stores and manages virtual trade between accounts and requires data to persist across
sessions.
Due to volatile user traffic, a microservices solution is selected for scale agility.
You need to migrate to a distributed microservices solution on Azure Service Fabric.
Solution: Create a Service Fabric Cluster with a stateful Reliable Service for each component.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 73
sessions.
Solution: Create a Service Fabric Cluster with a stateless Reliable Service for Routing Service. Create
stateful Reliable Services for all other components.
A. Yes
B. No
Correct Answer: A
Explanation
QUESTION 74
sessions.
Solution: Create a Service Fabric Cluster with a stateful Reliable Service for Routing Service. Deploy a
Guest Executable to Service Fabric for each component.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 75
You create an Azure Time Series Insights event handler. You need to send data over the network as
efficiently as possible and optimize query performance.
What should you do?

A. Create a query plan
B. Send all properties
C. Use a Tag ID
D. Use reference data
Correct Answer: D
Explanation
References:
https://docs.microsoft.com/en-us/azure/time-series-insights/how-to-shape-query-json
QUESTION 76
You are creating an IoT solution using Azure Time Series Insights.
You configure the environment to ensure that all data for the current year is available.
What should you do?
A. Add a disaster recovery (DR) strategy.

B. Set a value for the Data retention time setting.
C. Change the pricing tier.
D. Create a reference data set.
Correct Answer: D
Explanation
QUESTION 77
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. an Azure Cosmos DB database

B. Azure SQL Database
C. Azure File Storage
D. Azure Data Lake Store
Correct Answer: C
Explanation
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and
Azure Files by shipping disk drives to an Azure datacenter.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
QUESTION 78
You have an Azure subscription that contains the resources in the following table.
Type
Resource group
Store 1 \zure Storage account
Synd Azure File Sync
Store1 contains a file share named Data. Data contains 5,000 files.
You need to synchronize the files in Data to an on-premises server named Server1.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Download an automation script

B. Create a sync group
C. Install the Azure File Sync agent on Server1
D. Create a container instance
E. Register Server1
Correct Answer: BCE

Explanation
Step 1 (C): Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an
Azure file share
Step 2 (E): Register Server1.

Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between
your server (or cluster) and the Storage Sync Service.
Step 3 (B): Create a sync group and a cloud endpoint.

A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync
with each other. A sync group must contain one cloud endpoint, which represents an Azure file share and
one or more server endpoints. A server endpoint represents a path on registered server.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
QUESTION 79
You plan to back up an Azure virtual machine named VM1.
You discover that the Backup Pre-Check status displays a status of Warning.
What is a possible cause of the Warning status?
A. VM1 does not have the latest version of WaAppAgent.exe installed

B. A Recovery Services vault is unavailable
C. VM1 has an unmanaged disk
D. VM1 is stopped
Correct Answer: A
Explanation
The Warning state indicates one or more issues in VM's configuration that might lead to backup failures
and provides recommended steps to ensure successful backups. Not having the latest VM Agent installed,
for example, can cause backups to fail intermittently and falls in this class of issues.
References:
https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks/
QUESTION 80
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named
VM1. You have a computer Computer1 that runs Windows 10. Computer1 is connected to the Internet.
You add a network interface named Interface1 to VM1 as shown in the exhibit. (Click the Exhibit tab.)
vm 11 34 Interfacel
r Network Interface: Interfacel Effective security rules Topology o

Virtual network/subnet: VMRD-unei/defauh -
Public IP IP2 Private IP: 10.0.0.6
-
Accelerated networking. Disabled
INBOUND PORT RULES O
security group VM 1 -nsg (attached to network

° Network
interface: Inrerface 1)
Add inbound
Impacts 0 subnets. 2 network interfaces
PRJORJTY NAME PORT PROTOCOL SOURCE DESTINA... ACTION
1000 :> default - allow -... 3369 TCP Any Any CJ Allow •••
65000 AHowVnetlnBound Any Any VirtualN... VirtualN... Z> Allow •••
65001 AllowAzureLoadB... Any Any AzureLo... Any Allow ...

65500 DenyAIIInBound Any Any Any Any O Deny
OUTBOUND PORT RULES a

Network security group VM 1 - nsg ( attached to network Add outbound
interface: Interface 1 )
Impacts 0 subnets 2 network interfaces
PRIORITY NAME PORT PROTOCOL SOURCE DESTINA... ACTION
65000 AllowVnetOutBo... Any Any VirtualN... VirtualN... O Allow •••
65001 AllowintemetOuf ... Airy Any Any Internet <5 Allow •••
65500 DenyAilOutBound Any Any Any Any O Deny •••

From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.
You need to establish a Remote Desktop connection to VM1.
A. Attach a network interface

B. Start VM1
C. Delete the DenyAllOutBound outbound port rule
D. Delete the DenyAllInBound inbound port rule
Correct Answer: B
Explanation
Incorrect Answers:
A: The network interface has already been added to VM.
C: The Outbound rules are fine.
D: The inbound rules are fine. Port 3389 is used for Remote Desktop.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers,
because lower numbers have higher priority. Processing stops once traffic matches a rule. As a result, any
rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher
priorities are not processed.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
QUESTION 81
You are designing an Azure solution.
The solution must meet the following requirements:
Distribute traffic to different pools of dedicated virtual machines (VMs) based on rules
Provide SSL offloading capabilities
You need to recommend a solution to distribute network traffic.
Which technology should you recommend?
A. server-level firewall rules

B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure Load Balancer
Correct Answer: B
Explanation
If you require "SSL offloading", application layer treatment, or wish to delegate certificate management to
Azure, you should use Azure's layer 7 load balancer Application Gateway instead of the Load Balanacer.
Incorrect Answers:
D: Because Load Balancer is agnostic to the TCP payload and TLS offload ("SSL") is not provided.
References: https://docs.microsoft.com/en-us/azure/application-gateway/overview
QUESTION 82
sessions.
Solution: Deploy a Windows container to Azure Service Fabric for each component.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 83
You have an Azure subscription that contains the storage accounts shown in the following table.
Name Contains
Stoiagecomosol A blob service and a table seivice
StoragecontosQ 2 A blob service anc a file service
Storagecontoso 3 A queue seivice
Stoi ageconiosQ 4
'
A fife service ana a queue service
Stofagecontosc 5 A table service
You enable Azure Advanced Threat Protection (ATP) for all the storage accounts.
You need to identify which storage accounts will generate Azure ATP alerts.
Which two storage accounts should you identify? Each correct answer presents part of the solution.
A. storagecontoso1
B. storagecontoso2
C. storagecontoso3
D. storagecontoso4
E. storagecontoso5
Correct Answer: AE
Explanation
Example:
Storage Threat Detection is available for the Blob Service.
> p*odsr Aawced Threat Protection (pcev w)

H<yne
*v*nthv23 •
*
| prodsravanthv23 * Advanced Threat Protection (preview )
1«
0$M X
r
Events
• Storage bo o^r
Settings
orev en Storage Threat Detect on 5 tva
tartr Arj'eSecj tyCentr
' -
aoe tor tre Roo se<vce Stc/ ty arts are rlaQrateo
ano ^r oesentDyr a to swWcroton K> ~^
Aflsar«c Threat Protect on (prtvmfl o
Access <e>s ON OFF
$ COPS
A Corffljretor
A Encrypt on
/ S^rec access sgnat ê
d f TA # saÔv /tua '•etvioncs
0 Aovanceo Threat Protect on p.
n State wttftt (pwe*

M ‘ Prooertes
References:
https://azure.microsoft.com/en-us/blog/advanced-threat-protection-for-azure-storage-now-in-public-
preview/
QUESTION 84
series contains a unique solution.
Determine whether the solution meets the stated goals.
You have the following resource groups:

_ “
UL Comments
This resource group is located in the West Central US region and
contains a single virtual machine named DevServer
DetfServerJffefGentralUS
DevServet is connected to a private subnet in an Azure Virtual
Network that has no internet access,
This resource group is located in the East US region and contains a
virtual machine named DevWorkstation.
Worfcstation.ELastUs DevWorkstation 15 connected to a subnet in a Virtual Network and is

configured with a public IP address , A network security group has
been configured to allow public incoming remote desktop protocol
[RDP) connections to the DevWorfcstatrpn.
Developers must connect to DevServer only through DevWorkstation. To maintain security, DevServer
must not accept connections from the internet.
You need to create a private connection between the DevWokstation and DevServer.
Solution: Configure a public IP address on DevServer_WestCentral. Configure the Network Security Group
to allow all incoming ports.
A. Yes
B. NO
Correct Answer: A
Explanation
QUESTION 85
You are developing an Azure Durable Function instance. You need to add a delay by using a durable
timer.
What type of function should you use?
A. Orchestrator
B. web hook
C. Client
D. Activity
Correct Answer: D
Explanation
QUESTION 86
series contains a unique solution that might meet the stated goals.
Some question sets might have more than on correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result these questions
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription1 named
Subscription1. Adatum contains a group named Developers. Subscnpbon1 contains a resource group
named Dev.
group.
Solution: On Subscription1, you assign the logic App Operator role to the Developers group.
A. Yes
B. NO
Correct Answer: B
Explanation
QUESTION 87
You plan to develop an Azure Stream Analytics job that ingests streaming data from legacy, SaaS, and
cloud applications. The data will be u data analysis.
You need to select Azure resources to handle the data input and output for the solution
Which resources should you use?
A. Input Event Hub, output: Event Hub

B. Input Blobs, output: loT Hub
C. Input loT Hub, output: Service Bus
D. Input Service Bus, output: lot Hub
Correct Answer: D
Explanation
QUESTION 88
of 20 Mbps.
Solution: Use the Set-AzureStorageBlobContent Azure PowerShell command to copy all backups
asynchronously to Azure Blob Storage.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 89
You need to implement a Service Bus queue that guarantees first-in-first-out (FIFO) delivery of messages.
What should you do?
A. Enable partitioning
B. Enable duplicate detection
C. Set the Lock Duration setting to 10 seconds
D. Enable sessions
E. Set the Max Size setting of the queue to 5 GB
Correct Answer: D
Explanation
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-azure-and- service-bus-
queuescompared-contrasted
QUESTION 90
DevServei WestCenUalUS This resource group is located in the West Central US region and contains a single virtual machine (VM)
named DevServer.
DevServef is connected to a private subnet in an Azure V

iff
_ Network that has no internet access.
WOf s1aU>n EastUS
* This resource group is located in the East US region and uns a VM named DevWorkstation.
DevWorkstation is connected to a subnet in a Virtual Network and is configured with a public IP address. A
network security group has been configured to allow public incoming remote desktop protocol (
RDP)
connections to the DevWorkstation.
Developers must connect to Dev Server only through Dev Workstation. To maintain security, Dev Server
must not accept connections from the internet. You need to create a private connection between the Dev
Workstation and Dev Server.
Dev Workstation using their private IP addresses.
A. Yes
B. NO
Correct Answer: A
Explanation
QUESTION 91
You are developing a .NET Core on –premises application that updates multiple Azure SQL Database
instances. The application must log all update commands attempted to a separate Azure SQL Database
instance named AuditDb. You define an outer Transaction Scope with a loop enumerate and run the SQL
commands on each customer database connection and an inner Transaction Scope to record all
transactions attempted within the outer Transaction Scope to the AuditDb database
You need to develop a method to perform the updates to the databases. The solution must meet the
following requirements.
* Ml wuirii to th# MfcUUM

* dMAtwif JMM W ^ tMWtorttoftl rwu il OUlft iMHVti IhMt MiK
* l*
* tf
cm
jutrmM
VMUMVO to Htr
* V W N T O ' (VHMM *
ixs ui v
- the outn Itoiuvti IMA imiNt Iv mlksl tm, v
T T W u s t o w t m vMUKoox onfy ihoWiM iMhvMMHmwi iv U IITHMM
* V «K ^ h'l Itliiit W s ltlisl ton Mu ’- U toMtn tldl ilwr . ' ^
* S M li «m nmM ^ Mi \h+
* * *
Which Transaction Scope Option values should you use?
A. Required for Customer Tran Scope Option and Required for Audit Tran Scope Option
B. Requires New for Customer Tran Scope Option and Suppress for Audit Tran Scope Option
C. Suppress for Customer Tran Scope Option and Suppress for Audit Tran Scope Option
D. Requires New for the Customer Tran Scope Option and Requires New for the Audit Tran Scope Option
Correct Answer: A
Explanation
QUESTION 92
You are developing an Azure web application to store and archive patient medical records in Azure. You
need to configure data storage to meet the following policies:
• Ensure that you can configure a retention period for patient records.
• Archived data must be readable.
• Archived data must not be modified or deleted.
Which Azure storage service should you use?
A. Azure Tables
B. Azure Blobs
C. Azure Queues
D. Azure Files
Correct Answer: A
Explanation
QUESTION 93
You are developing an internal website for employee to view sensitive data. The website uses Azure
Directory (AAD) for authentication.
You need to implement multifactor authentication for the website.
What should you do? Each correct answer presents part of the solution. NOTE: Each connect selection is
worth one point.
A. Upgrade to Azure AD premium.

B. In Azure ACL enable application pages.
C. Configuration the website to user Azure AD B2C.
D. In Azure AD conditional access enable the baseline policy.
E. In Azure AD create a new conditional access policy.
Correct Answer: CE
Explanation
QUESTION 94
You are developing an ASP.NET web application that you will deploy to Azure.
The solution must meet the following requirements:
• Store user session state by using only serializable data types.

• Provide customizable caching of session data.
• Support scaling out the number of web hosts-
• Maximize performance.
Which solution meets these requirements?
A. Clustered Azure Redis Cache

B. ASP.NET Output Cache provider for Azure Redis Cache
C. in-memory session state provider
D. SQL Server session state provider
Correct Answer: B
Explanation
QUESTION 95
You have an Azure subscription that contains a virtual network named VNet1. VNet1 has two subnets
named Subnet1 and Subnet2. VNet1 is in the West Europe Azure region. The subscription contains the
virtual machines in the following table.
Ham Connected to
VM1
* i
Suboetl
VM2 Subnetl
VM3 Subneti
You need to deploy an application gateway named AppGW1 to VNet1. What should you do first?
A. Add a load balancer.

B. Add a virtual network.
C. Add a subnet
D. Create a network security group (NSG).
Correct Answer: C
Explanation
QUESTION 96
You have an Azure Active Directory (Azure AD) tenant named contosodoud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?
A. PTR
B. TXT
C. NSEC3
D. DNSKEY
Correct Answer: B
Explanation
QUESTION 97
DevServec _ W«tCentratUS This resource group is located in the West Central US region and contains a smgle virtual machine (VM)
named DevServer
DevServer is connected to a private subnet in an Azure Virtual Network that has no internet access.
WoricstaUooLastUS This resource group is located in the East US region and contains a virtual machine named DevWorkstation.
DevWorkstation is connected to a subnet in a Visual Network and is configured with a public IP address. A
network security group has been configured to allow public incoming remote desktop protocol (RDP)
connections to the DevWorkstation.
Developers must connect to Dev Server only through Dev Workstation. To maintain security, DevS erver
must not accept connections from the internet. You need to create a private connection between the Dev
Workstation and Dev St Solution: Configure an IP address on each subnet within the same address space.
A. Yes
B. NO
Correct Answer: B
Explanation
QUESTION 98
A company is developing a solution that allows smart refrigerators to send temperature information to a
central location.
The solution must receive and store messages until they can be processed. You create an Azure Service
Bus instance by providing a name, pricing tier, subscription, resource group, and location.
You need to complete the configuration.
Which Azure CU or PowerShell command should you run?

A
-AzurHtaS^rviceBusQueue
- ResourceGroupName fridge
spaceMawe fridge ns-
- rg
• fridge- q
- EnablePartitioning $False
B.
•z group create
fridge - rg
-- -
location fridge loc
c.
-
New Azuri esourceGroup
-Name fridge rg -
-Location fridge - loc
D.
C
-
tionString $(az servicebus namespace authorization - rule keys list
- -resource - group fridge -rg
- -fridge - ns fridge - ns
RootManageSharedAccessKey
- -query primaryConnectionString -- output tsv)
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: D
Explanation
QUESTION 99
You have a Microsoft SQL Server Always On availability group on Azure virtual machines.
You need to configure an Azure internal load balancer as a listener for the availability group.
What should you do?
A. Create an HTTP health probe on port 1433.

B. Set Session persistence to Client IP.
C. Set Session persistence to Client IP and protocol.
D. Enable Floating IP.
Correct Answer: D
Explanation
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines- windows-portal-sql-
alwayson-int-listener
QUESTION 100
From the MFA Server blade, you open the Block/unblock users blade as shown in the exhibit.
Blocfe/unblock users
Blocked users
•tr ? ' - Ilr l
|
— ——
if ' .
"T r i| 1« .
ij ijh ii > r ti
‘ - _
« i i i j i| l| !li4hJii
!
Vtt* PUASON r?Ati ACHON
W iff M 565 xfi 32 5l 4, OnM icrosoh.c Dm

t »||
‘ |1 !
| -
I | '! ,
Lost phone 06/14/201B 6:26 « PM
““
What caused AlexW to be blocked?
A. The user account password expired.

B. The user reported a fraud alert when prompted for additional authentication.
C. An administrator manually blocked the user.
D. The user entered an incorrect PIN four times within 10 minutes.
Correct Answer: C
Explanation
QUESTION 101
You have an Azure solution that uses Multi-Factor Authentication for added security when users are
outside of the office. The usage model has been set to Per Authentication.
Your company acquires another company and adds the new staff to Azure Active Directory (Azure AD).
New staff members must use Multi-Factor Authentication.
You need to change the usage model to Per Enabled User.
A. Create a new Multi-Factor Authentication provider and reconfigure the usage model.
B. Create a new Multi-Factor Authentication provider with a backup from the current Multi-Factor
Authentication provider data.
C. Use the Azure portal to change the current usage model.
D. Use Azure CLI to change the current usage model.
Correct Answer: B
Explanation
Since it is not possible to change the usage model of an existing provider as it is right now, you have to
create a new one and reactivate your existing server with activation credentials from the new provider.
References:
https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-authentication-server/
QUESTION 102
Your network contains an Active Directory forest named fabrikam.com. The forest contains two child
domains named corp.fabrikam.com and research.fabrikam.com.
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named
contoso.com.
You install Azure AD Connect and sync all the on-premises user accounts to the Azure AD tenant. You
implement seamless single sign-on (SSO).
You plan to change the source of authority for all the user accounts in research.fabrikam.com to Azure AD.
You need to prevent research.fabrikam.com from resyncing to Azure AD.
Solution: You use the Azure AD Connect wizard.
A. Yes
B. No
Correct Answer: B
Explanation
Instead you should customize the default synchronization rule.
Note: The Synchronization Service Manager UI is used to configure more advanced aspects of the sync
engine and to see the operational aspects of the service.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-create-custom-sync-rule
QUESTION 103
Your network contains an on-premises Active Directory and an Azure Active Directory (Azure AD) tenant.
You deploy Azure AD Connect and configure pass-through authentication?
Your Azure subscription contains several web apps that are accessed from the Internet.
You plan to enable Azure Multi-Factor Authentication (MFA) for the Azure tenant.
You need to recommend a solution to prevent users from being prompted for Azure MFA when they
access the web apps from the on-premises network.
A. a site-to-site VPN between the on-premises network and Azure

B. an Azure policy
C. an Azure ExpressRoute circuit
D. trusted IPs
Correct Answer: D
Explanation
QUESTION 104
contoso.com.
Solution: From the Azure Active Directory admin center, you delete a custom domain.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 105
contoso.com.
Solution: You use Active Directory Domains and Trusts from a computer joined to fabrikam.com.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 106
You have an Azure subscription named Subscription"!. Subscription! contains a resource group named
RG1. RGT contains resources that were deployed by using templates.
Solution: From the Subscriptions blade, you select the subscription, and then click Resource providers.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 107
You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com.
You have a Microsoft account that you use to sign in to both tenants.
You need to configure the default sign-in tenant for the Azure portal.
What following action should you do?
A. From the Azure portal, change the directory.

B. From the Azure portal, configure the portal settings.
C. From Azure Cloud Shell, run Set-AzureRmContext.
D. From Azure Cloud Shell, run Set-AzureRmSubscription.
Correct Answer: A
Explanation
QUESTION 108
Your company has an Azure subscription.
You enable multi-factor authentication (MFA) for all users.
The company’s help desk reports an increase in calls from users who receive MFA requests while they
work from the company’s main office.
You need to prevent the users from receiving MFA requests when they sign in from the main office.
What should you do?
A. From Azure Active Directory (Azure AD), configure organizational relationships.

B. From the MFA service settings, create a trusted IP range.
C. From Conditional access in Azure Active Directory (Azure AD), create a custom control.
D. From Conditional access in Azure Active Directory (Azure AD), create a named location.
Correct Answer: B
Explanation
QUESTION 109
You have an Azure subscription that contains the virtual networks shown in the following table.
Name Address space Location Number of Azure virtual machines
VNET1 10.1.0.0/16 West US 100
VNET2 172.16 .0.0/ 16 East US 400
You need to recommend a connectivity solution that will enable the virtual machines on VNET1 and
VNET2 to communicate through the Microsoft backbone infrastructure.
Which of following should you include in the recommendation?
A. Azure ExpressRoute
B. peering
C. a site-to-site VPN
D. a point-to-site VPN
Correct Answer: B
Explanation
Virtual network peering enables you to seamlessly connect Azure virtual networks. Once peered, the
virtual networks appear as one, for connectivity purposes. The traffic between virtual machines in the
peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed
between virtual machines in the same virtual network, through private IP addresses only. Azure supports:
1. VNet peering - connecting VNets within the same Azure region
2. Global VNet peering - connecting VNets across Azure regions
References:
QUESTION 110
You create a custom role in Azure by using the following Azure Resource Manager template.
{
"Name"; "Rolel" ,
11
I d" : "80888888 - 8888 - 8889 - 880888888888 " ,
" IsCustom " : true,
"Description" : "Rolel Description",
"Actions" : [
"Microsoft ,Storage / */read"
f
"Microsoft,Network/*/read",
"Microsoft Compute /*/read ",
*
"Microsoft . Compute/virtualMachines/start/ action",

"Microsoft ,Compute /virtualMachines/ restart /action",
"Microsoft.Anthorization/ */ read" r
"Microsoft . ResourceHealth / availabilityStatuses / read",
"Microsoft . Resources/ subscriptions/ resourceGroups/ read"
"Microsoft . Insights/alertRules/ *" ,
"Microsoft , Insights/diagnosticSettings/* fT ,
"Microsoft - Support/*"
J
"NotActious ": [] ,
"DataActions": [] r
"NotDataActions" : [] ,
"AssignableScopes" : [
"/subscriptions/981dd 4bc-8cf 4 - 46 fc-9513-0c599648M 4b
J
I
You assign the role to a user named User1.
Which action can User1 perform?
A. Delete virtual machines.

B. Create resource groups.
C. Create virtual machines.
D. Create support requests
Correct Answer: D
Explanation
QUESTION 111
You create an Azure Storage account named contosostorage.
You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which port should be open between the home computers and the data file share?
A. 80
B. 128
C. 1024
D. 445
Correct Answer: D
Explanation
QUESTION 112
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their changed to a less expensive
offering.
Which Wade should you use?Use the drop-down menus to select the answer choice that
completes
A. Metrics
B. Monitor
C. Customer insights
D. Advisor
Correct Answer: D
Explanation
QUESTION 113
You have an Azure subscription that contains the resource groups shown in the following table.
Name Region
RG1 East US
RG2 West US
The subscription contains the storage accounts shown in the following table.
Name Resource group Location Account kind

Storage 1 RG1 West US BlobStorage
Storages RG2 West US Storage (general purpose v1)
Storage 3 RG1 East US Storage V2 (general purpose v2 }
You create a Recovery Services vault named Vault1 in RG1 in the West US location.
You need to identify which storage accounts can be used to archive the diagnostics logs of Vault1.
Which storage accounts should you identify?
A. Storage1 only
B. Storage2 only
C. Storage3 only
D. Storage1 or Storage2 only
E. Storagel1 or Storage3 only
Correct Answer: DE
Explanation
QUESTION 114
A company plans to use third-party application software to perform complex data analysis processes. The
software will use up to 500 identical virtual machines (VMs) based on an Azure Marketplace VM image.
You need to design the infrastructure for the third-party application server. The solution must meet the
following requirements:
The number of VMs that are running at any given point in time must change when the user workload
changes.
When a new version of the application is available in Azure Marketplace it must be deployed without
causing application downtime.
Use VM scale sets.
Minimize the need for ongoing maintenance.
Which WebJob type should you recommend
Which two technologies should you recommend? Each correct answer presents part of the solution.
A. single storage account

B. autoscale
C. single placement group
D. managed disks
Correct Answer: BD
Explanation
QUESTION 115
You have an Azure Kubernetes Service (AKS) cluster named Clus1 in a resource group named RG1.
An administrator plans to manage Clus1 from an Azure AD-joined device.
You need to ensure that the administrator can deploy the YAML application manifest file for a container
application.
You install the Azure CLI on the device.
Which command should you run next?
A. kubectl get nodes

B. az aks install-cli
C. kubectl apply -f appl.yaml
D. az aks get-credentials --resource-group RG1 --name Clus1
Correct Answer: C
Explanation
kubectl apply -f appl.yaml applies a configuration change to a resource from a file or stdin.
Incorrect Answers:
A: kubectl get nodes gets a list of all nodes.
B: az aks install-cli download and install the Kubernetes command-line tool.
D: az aks get-credentials gets access credentials for a managed Kubernetes cluster
References:
https://kubernetes.io/docs/reference/kubectl/overview/
https://docs.microsoft.com/en-us/cli/azure/aks
QUESTION 116
Solution: Use Remote Desktop Protocol (RDP) to connect to the VM in the scale set.
A. Yes
B. No
Correct Answer: A
Explanation
Instead, deploy a standalone VM that has a public IP address to the virtual network.
QUESTION 117
You have an Azure subscription that contains the virtual networks shown in the following table.
Number of Azure virtual

Name Address space Location
machines
VNET 1 10.1 . 0.0/ 16 West US 100
VNET2 172.16 .0.0/16 East US 400
You need to recommend a connectivity solution that will enable the virtual machines on VNET1 and
VNET2 to communicate through the Microsoft backbone infrastructure.
A. Azure ExpressRoute
B. peering
C. a site-to-site VPN
D. a point-to-site VPN
Correct Answer: B
Explanation
Virtual network peering enables you to seamlessly connect Azure virtual networks. Once peered, the
virtual networks appear as one, for connectivity purposes. The traffic between virtual machines in the
peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed
between virtual machines in the same virtual network, through private IP addresses only. Azure supports:
1. VNet peering - connecting VNets within the same Azure region
2. Global VNet peering - connecting VNets across Azure regions
References:
QUESTION 118
You create an Azure virtual machine named VM1 in a resource group named RG1.
You discover that VM1 performs slower than expected.
You need to capture a network trace on VM1.

What should you do?
A. From Diagnostic settings for VM1, configure the performance counters to include network counters.
B. From the VM1 blade, configure Connection troubleshoot.
C. From the VM1 blade, install performance diagnostics and run advanced performance analysis
D. From Diagnostic settings for VM1, configure the log level of the diagnostic agent.
Correct Answer: C
Explanation
The performance diagnostics tool helps you troubleshoot performance issues that can affect a Windows or
Linux virtual machine (VM). Supported troubleshooting scenarios include quick checks on known issues
and best practices, and complex problems that involve slow VM performance or high usage of CPU, disk
space, or memory.
Advanced performance analysis, included in the performance diagnostics tool, includes all checks in the
performance analysis, and collects one or more of the traces, as listed in the following sections. Use this
scenario to troubleshoot complex issues that require additional traces. Running this scenario for longer
periods will increase the overall size of diagnostics output, depending on the size of the VM and the trace
options that are selected.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics
QUESTION 119
Name Region
RG1 East US
RG2 West US
The subscription contains the storage accounts shown in the following table.
Name Resource group Location Account kind

Storage 1 RG1 West US BlobStorage
Storage 2 RG2 West US Storage (general purpose v1)
Storage 3 RG1 East US Storage V2 (general purpose v2)
You create a Recovery Services vault named Vault1 in RG1 in the West US location.
You need to identify which storage accounts can be used to archive the diagnostics logs of Vault1.
Which storage accounts should you identify?
A. Storage1 only
B. Storage2 only
C. Storage3 only
D. Storage1 or Storage2 only
E. Storage1 or Storage3 only
Correct Answer: DE
Explanation
The same region.
QUESTION 120
You create a custom role in Azure by using the following Azure Resource Manager template.
{
"Nasie":"Rolel"
"Id": "68888888 - 8888 - 8888 - 888888888888",
"IsCustom" : true;
"Description" : "Rolel Description",
"Actions" : [
"Microsoft , Storage /*/read",
"Microsoft . Compute/* /read",
"Microsoft . Compute /virtualMachines/s tart/ action",
"Microsoft . Compute /virtualMachines/ restart/action",
"Microsoft , Authorization/ */ read",
"Microsoft - ResourceHealth /availabilityStatuses/ read",
"Microsoft .Resources/subscriptions/resourceGroups/ read",
"Microsoft . Insights/alertRules/ *",
"Microsoft . Insights/diagnosticSettings/*",
"Microsoft . Support/*"
),
"NotActions": [] ,
"DataActions": [] ,
"NotDataActions" : [} ,
"AssignableScopes" : [
"/subscriptions/98 ldd 4 bc-8cf 4 - 46 fc- 95 l 3-0c599648b 44 b
]
I
You assign the role to a user named User1.
Which action can User1 perform?
A. Delete virtual machines.

B. Create resource groups.
C. Create virtual machines.
D. Create support requests.
Correct Answer: D
Explanation
The "Microsoft.Support/*" operation will allow the user to create support tickets.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
QUESTION 121
A company plans to use third-party application software to perform complex data analysis processes. The
software will use up to 500 identical virtual machines (VMs) based on an Azure Marketplace VM image.
You need to design the infrastructure for the third-party application server. The solution must meet the
1. The number of VMs that are running at any given point in time must change when the user workload
changes.
2. When a new version of the application is available in Azure Marketplace it must be deployed without
causing application downtime.
3. Use VM scale sets.
4. Minimize the need for ongoing maintenance.
Which two technologies should you recommend? Each correct answer presents part of the solution.
A. single storage account

B. autoscale
C. single placement group
D. managed disks
Correct Answer: BD
Explanation
QUESTION 122
contoso.com.
Solution: From the Azure Active Directory admin center, you delete a custom domain.
A. Yes
B. No
Correct Answer: B
Explanation
Note:
To delete a custom domain name, you must first ensure that no resources in your directory rely on the
domain name. You can't delete a domain name from your directory if:
1. Any user has a user name, email address, or proxy address that includes the domain name.
2. Any group has an email address or proxy address that includes the domain name.
3. Any application in your Azure AD has an app ID URI that includes the domain name.
References:
QUESTION 123
You have an Azure solution that uses Multi-Factor Authentication for added security when users are
outside of the office. The usage model has been set to Per Authentication.
Your company acquires another company and adds the new staff to Azure Active Directory (Azure AD).
New staff members must use Multi-Factor Authentication.
You need to change the usage model to Per Enabled User.
A. Create a new Multi-Factor Authentication provider and reconfigure the usage model.
B. Create a new Multi-Factor Authentication provider with a backup from the current Multi-Factor
Authentication provider data.
C. Use the Azure portal to change the current usage model.
D. Use Azure CLI to change the current usage model.
Correct Answer: B
Explanation
Since it is not possible to change the usage model of an existing provider as it is right now, you have to
create a new one and reactivate your existing server with activation credentials from the new provider.
References:
https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-authentication-server/
QUESTION 124
contoso.com.
Solution: You use the Synchronization Service Manager.
A. Yes
B. No
Correct Answer: B
Explanation
References:
QUESTION 125
Your network contains an on-premises Active Directory and an Azure Active Directory (Azure AD) tenant.
You deploy Azure AD Connect and configure pass-through authentication?
Your Azure subscription contains several web apps that are accessed from the Internet.
You plan to enable Azure Multi-Factor Authentication (MFA) for the Azure tenant.
You need to recommend a solution to prevent users from being prompted for Azure MFA when they
access the web apps from the on-premises network.
A. a site-to-site VPN between the on-premises network and Azure

B. an Azure policy
C. an Azure ExpressRoute circuit
D. trusted IPs
Correct Answer: D
Explanation
The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or
federated tenant. The feature bypasses two-step verification for users who sign in from the company
intranet. The feature is available with the full version of Azure Multi-Factor Authentication, and not the free
version for administrators.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips
QUESTION 126
contoso.com.
Solution: You use the Azure AD Connect wizard.

A. Yes
B. No
Correct Answer: B
Explanation
References:
QUESTION 127
contoso.com.
Solution: You use Active Directory Domains and Trusts from a computer joined to fabrikam.com.
A. Yes
B. No
Correct Answer: B
Explanation
Note:
To delete a custom domain name, you must first ensure that no resources in your directory rely on the
domain name. You can't delete a domain name from your directory if:
1. Any user has a user name, email address, or proxy address that includes the domain name.
2. Any group has an email address or proxy address that includes the domain name.
3. Any application in your Azure AD has an app ID URI that includes the domain name.
References:
QUESTION 128
Your company has an Azure subscription.
You enable multi-factor authentication (MFA) for all users.
The company's help desk reports an increase in calls from users who receive MFA requests while they
work from the company's main office.
You need to prevent the users from receiving MFA requests when they sign in from the main office.
What should you do?
A. From Azure Active Directory (Azure AD), configure organizational relationships.

B. From the MFA service settings, create a trusted IP range.
C. From Conditional access in Azure Active Directory (Azure AD), create a custom control.
D. From Conditional access in Azure Active Directory (Azure AD), create a named location.
Correct Answer: B
Explanation
The first thing you may want to do, before enabling Multi-Factor Authentication for any users, is to consider
configuring some of the available settings. One of the most important features is a trusted IPs list. This will
allow you to whitelist a range of IPs for your network. This way, when users are in the office, they will not
get prompted with MFA, and when they take their devices elsewhere, they will. Here's how to do it:
Log in to your Azure Portal.

Navigate to Azure AD > Conditional Access > Named locations.
From the top toolbar select Configure MFA trusted IPs.
References:
https://www.kraftkennedy.com/implementing-azure-multi-factor-authentication/
QUESTION 129
You create several Azure virtual machines in Subscription1. All of the virtual machines belong to the same
virtual network.
You have an on-premises Hyper-V server named Server1. Server1 hosts a virtual machine named VM1.
You plan to replicate VM1 to Azure.
You need to create additional objects in Subscription1 to support the planned deployment.
Which three objects should you create? Each correct answer presents part of the solution.
A. Hyper-V site
B. Azure Recovery Services Vault
C. storage account
D. replication policy
E. Azure Traffic Manager instance
F. endpoint
Correct Answer: ABD

Explanation
QUESTION 130
messages. The e-commerce application has the following features and requirements:
Feature Requirement
Shopping * Items in a shopping cart must be processed by an Azure Function within a
* Shopping cart transactions must not be lost and fault conditions must be
proc essed separately
* Shopping cart transactions must be read by the inventory and sales systems
Inventory * Items sent to the inventors" system must run a separate workflow for each
Distribution item that includes warehouse, shipping , and order processing updates
* Inventory uses Azure Blob storage to store inventory items and related
information
* Inventory is processed by using an Azure Logic App
Restaurant * Restaurants stream millions of daily events from all locations
Telemetry * Restaurant data should be captured in .Azure Blob storage for conditional
processing
* Restaurant event data should expire after 24 hours
You need to choose the Azure messaging solution to support the Shopping Cart feature.
Which Azure service should you use?
A. Azure Service Bus

B. Azure Relay
C. Azure Event Grid
D. Azure Event Hub
Correct Answer: A
Explanation
Microsoft Azure Service Bus is a fully managed enterprise integration message broker. Service Bus is
most commonly used to decouple applications and services from each other, and is a reliable and secure
platform for asynchronous data and state transfer.
One common messaging scenario is Messaging: transfer business data, such as sales or purchase orders,
journals, or inventory movements.
Incorrect Answers:
B: The Azure Relay service enables you to securely expose services that run in your corporate network to
the public cloud.
References:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview
QUESTION 131
You have an Azure subscription that contains the storage accounts shown in the following table.
Name Account kind Size
contosostoragel Genera] Purpose vl 15 TB
contosostorage2 General Purpose vl 1 IB
contosostorage 3 General Purpose v 2 15 TB
Conto $ ostorage4 General Purpose v 2 1 TB
contosostorage 5 blobstorage 5 TB
All storage accounts contain blobs only.
You need to implement several lifecycle management rules for all storage accounts.
A. Upgrade contosostorage1 and contosostorage2 to General Purpose V2 accounts.

B. Move 5 TB of blob data from contosostorage3 to contosostorage4.
C. Move 5 TB of blob data from contosostorage1 to contosostorage2.
D. Recreate contosostorage5 as General Purpose V2 account.
Correct Answer: A
Explanation
Microsoft recommends that you use a general-purpose v2 storage account for most scenarios. You can
easily upgrade a general-purpose v1 or an Azure Blob storage account to a general-purpose v2 account
with no downtime and without the need to copy data.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-scalability-targets
QUESTION 132
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin center
and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity
Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.
You need to ensure that the Admin1 can create access reviews in contoso.com.
Solution: You consent to Azure AD Privileged Identity Management (PIM).
A. Yes
B. No
Correct Answer: A
Explanation
PIM essentially helps you manage the who, what, when, where, and why for resources that you care
about. Key features of PIM include:
Conduct access reviews to ensure users still need roles
Note: Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables
you to manage, control, and monitor access to important resources in your organization. This includes
access to resources in Azure AD, Azure resources, and other Microsoft Online Services like Office 365 or
Microsoft Intune.
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
QUESTION 133
Solution: You assign the Global administrator role to Admin1.
A. Yes
B. No
Correct Answer: B
Explanation
Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care
References:
QUESTION 134
Solution: You purchase an Azure Directory Premium P2 license for contoso.com.
A. Yes
B. No
Correct Answer: B
Explanation
Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care
References:
QUESTION 135
You have a resource group named RG1 that contains the following:
1. A virtual network that contains two subnets named Subnet1 and Subnet2
2. An Azure Storage account named contososa1
3. An Azure firewall deployed to Subnet2
You need to ensure that contososa1 is accessible from Subnet1 over the Azure backbone network.
What should you do?
A. Deploy an Azure firewall to Subnet1.

B. Remove the Azure firewall.
C. Implement a virtual network service endpoint.
D. Create a stored access policy for contososa1.
Correct Answer: C
Explanation
Virtual Network (VNet) service endpoints extend your virtual network private address space and the
identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your
critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service
always remains on the Microsoft Azure backbone network.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
QUESTION 136
Your company has the groups shown in the following table.
Group Number of members
Managers 10
Sales 100
Dev el opm ent 15
The company has an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named
contoso.com.
An administrator named Admin1 attempts to enable Enterprise State Roaming for all the users in the
Managers group.
Admin1 reports that the options for Enterprise State Roaming are unavailable from Azure AD.
You verify that Admin1 is assigned the Global administrator role.
You need to ensure that Admin1 can enable Enterprise State Roaming.
What should you do?
A. Enforce Azure Multi-Factor Authentication (MFA) for Admin1.

B. Purchase an Azure AD Premium P1 license for each user in the Managers group.
C. Assign an Azure AD Privileged Identity Management (PIM) role to Admin1.
D. Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group.
Correct Answer: B
Explanation
Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise
Mobility + Security (EMS) license.
References:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/devices/enterprise-state-roaming-enable
QUESTION 137
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
Name Operating system Location

VM 1 Windows Server 2012 R 2 East US
VM 2 Windows Server 2016 East US
VM 3 Windows Server 2019 West US
VM4 Ubuntu Server 18.04 East US
You create an Azure key vault named Vault1 in the East US location.
You need to identify which virtual machines can enable Azure Disk Encryption by using Vault1.
Which virtual machines should you identify?
A. VM2 and VM3 only

B. VM1, VM2, and VM4 only
C. VM1, VM2, and VM3 only
D. VM3 only
Correct Answer: B
Explanation
Your key vault and VMs must reside in the same Azure region and subscription.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
QUESTION 138
You create a new Azure subscription. You create a resource group named RG1. In RG1, you create the
resources shown in the following table.
Name Type
VKET1 Virtual network
VM1 Virtual machine
GWSN1 Gateway subnet
VPNGWl Virtual network gateway
You need to configure an encrypted tunnel between your on-premises network and VNET1.
Which two additional resources should you create in Azure? Each correct answer presents part of the
solution.
A. a site-to-site connection
B. a VPN gateway
C. a VNet-to- VNet connection
D. a local network gateway
E. a point-to-site configuration
Correct Answer: ABD

Explanation
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual
network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device, a
local network gateway, located on-premises that has an externally facing public IP address assigned to it.
Finally, create a Site-to-Site VPN connection between your virtual network gateway and your on-premises
VPN device.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-
portal
QUESTION 139
You have an on-premises file server named Server1 that runs Windows Server 2019.
You manage Server1 by using Windows Admin Center.
You need to ensure that if Server1 fails, you can recover the data from Azure.
Solution: From the Azure portal, you create a Recovery Services vault. On VM1, you install the Azure
Backup agent and you schedule a backup.
A. Yes
B. No
Correct Answer: B
Explanation
Instead use Azure Storage Sync service and configure Azure File.
Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the flexibility,
performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server
into a quick cache of your Azure file share.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction
QUESTION 140
Solution: You create a Recovery Services vault and configure a backup by using Windows Server Backup.
A. Yes
B. No
Correct Answer: B
Explanation
References:
QUESTION 141
Solution: You create an Azure Storage account and an Azure Storage Sync service. You configure Azure
File Sync for Server1.
A. Yes
B. No
Correct Answer: A
Explanation
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard
Server Message Block (SMB) protocol. Azure file shares can be mounted concurrently by cloud or on-
premises deployments of Windows, Linux, and macOS. Additionally, Azure file shares can be cached on
Windows Servers with Azure File Sync for fast access near where the data is being used.
Azure file shares can be used to:
Replace or supplement on-premises file servers:

Azure Files can be used to completely replace or supplement traditional on-premises file servers or NAS
devices. Popular operating systems such as Windows, macOS, and Linux can directly mount Azure file
shares wherever they are in the world. Azure file shares can also be replicated with Azure File Sync to
Windows Servers, either on-premises or in the cloud, for performance and distributed caching of the data
where it's being used.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-
portal
QUESTION 142
messages. The e-commerce application has the following features and requirements:
Feature Requirement
Shopping * Items in a shopping cart must be processed by an Azure Function within a
* Shopping cart transactions must not be lost and fault conditions must be
processed separately
* Shopping cart transactions must be read by the inventory and sales systems
Inventory * Items sent to the inventory system must run a separate workflow for each
Distribution item that includes warehouse, shipping, and order processing updates
* Inventory uses Azure Blob storage to store inventory items and related
information
• Inventory is processed by using an Azure Logic App
Restaurant • Restaurants stream millions of daily events from all locations
Telemetry • Restaurant data should be captured in Azure Blob storage for conditional
processing
• Restaurant event data should expire after 24 hours
You need to choose the Azure messaging solution to support the Restaurant Telemetry feature.
Which Azure service should you use?
A. Azure Relay
B. Azure Event Grid
C. Azure Event Hub
D. Azure Service Bus
Correct Answer: C
Explanation
Azure Event Hubs is a big data pipeline. It facilitates the capture, retention, and replay of telemetry and
event stream data. The data can come from many concurrent sources. Event Hubs allows telemetry and
event data to be made available to a variety of stream-processing infrastructures and analytics services. It
is available either as data streams or bundled event batches. This service provides a single solution that
enables rapid data retrieval for real-time processing as well as repeated replay of stored raw data. It can
capture the streaming data into a file for processing and analysis.
It has the following characteristics:

1. low latency
2. capable of receiving and processing millions of events per second
3. at least once delivery
Note: Comparison of services

Service Purpose Type When to use
Event Reactive programming Event distribution React to status changes

Grid (discrete)
Event Big data pipeline Event streaming Telemetry and distributed data
Hubs (series) streaming
Service High -value enterprise Message Order processing and financial

Bus messaging transactions
References:
https://docs.microsoft.com/en-us/azure/event-grid/compare-messaging-services
QUESTION 143
A company is migrating an existing on-premises third-party website to Azure. The website is stateless.
The company does not have access to the source code for the website. They have the original installer.
The number of visitors at the website varies throughout the year. The on-premises infrastructure was
resized to accommodate peaks but the extra capacity was not used.
You need to implement a virtual machine scale set instance.
What should you do
A. Use a webhook to log autoscale failures.

B. Use an autoscale setting to scale instances vertically.
C. Use only default diagnostics metrics to trigger autoscaling
D. Use an autoscale setting to define more profiles that have one or more autoscale rules.
Correct Answer: C
Explanation
In-guest VM metrics with the Azure diagnostics extension
The Azure diagnostics extension is an agent that runs inside a VM instance. The agent monitors and saves
performance metrics to Azure storage. These performance metrics contain more detailed information
about the status of the VM, such as AverageReadTime for disks or PercentIdleTime for CPU. You can
create autoscale rules based on a more detailed awareness of the VM performance, not just the
percentage of CPU usage or memory consumption.
References:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-
overview
QUESTION 144
You have an Azure Cosmos DB database that contains a container named Container1. The partition key
for Container1 is set to /day. Container1 contains the items shown in the following table.
Name Content
Iteml {
"id": " 1",
"day": "Mon",
"value" : "10"
)
Item2 {
"id": "2",
"day": "Mon",
"value" : "15"
)
Item3 {
"id": J w
"day": "Tue",
"value" : "10"
}
Item4 {
"id": "4",
"day": "Wed",
"value" : "15"
I
You need to programmatically query Azure Cosmos DB and retrieve Item1 and Item2 only.
Solution: You run the following query.
.
SEI ECT day
WHERE value - "10
You set the EnableCrossPartitionQuery property to False.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 145
Name Content
Iteml
"id": "1",
"day": "Mon",
"value" : "10"
>
Item2 {
"id": "2",
"day": "Men",
"value" : "15"
}
Item3 i
"id": "3",
"day": "Tue",
"value" : "10"
1
Item4 i
"id": "4",
"day": "Wed",
"value" : "15"
}
SELECT day FROM c

WHERE c.value =
"10" OR c.value "15"
You set the EnableCrossPartitionQuery property to True.
A. Yes
B. No
Correct Answer: B
Explanation
QUESTION 146
Name Content
Itern1 {
"id": "1",
"day": "Mon",
"value" : "10"
}
Item2 {
"id": "2",
"day": "Mon",
"value" : "15"
}
Item3 {
"id": "3",
"day": "Tue",
"value" : "10"
}
Item4 {
"id": "4",
"day": "Wed",
"value" : "15"
}
SELECT id FROM c
WHERE c.day = "Mon"
You set the EnableCrossPartitionQuery property to True.
A. Yes
B. No
Correct Answer: A
Explanation
QUESTION 147
Name Content
Iteml (
‘id": "1",
'
"day": "Mon",
lValne" : "10"
J
item 2 f
"id": "2" ,
"day": "Men",
"valje" : "15"
}
item3 {
"id": "3",
"day": "Tue",
"value" : "10"
}
Item 4 [
"id": "d",
"day": "Wed",
"value" : "15"
I
SELECT id FROM c
.
WHERE c d a y = " Mon ” OR c d a y . " Tue "
You set the EnableCrossPartitionQuery property to False.
A. Yes
B. No
Correct Answer: B
Explanation
Returns Item1 only as EnableCrossPartitionQuery property to False. If EnableCrossPartitionQuery
property is set to true, it will return Item1, Item2, and Item3.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/sql-query-where
https://docs.microsoft.com/en-us/dotnet/api/
microsoft.azure.documents.client.feedoptions.enablecrosspartitionquery?view=azure-dotnet
QUESTION 148
You have an Azure SQL database named DB1.
You plan to create the following four tables in DB1 by using the following code.
Table L
CREATE TABLE Table!

(
Studentld INT IDENTITY PRIMARY KEY,
Personld INT REFERENCES Table 4 ( Personld ),
Email NVARCHAR { 256 )
)
Table!.
CREATE TABLE Table 2
(
Studentld INT REFERENCES Table! ( Studentld ),
Courseld INT REFERENCES Table 3 (Courseld ),
Grade DECIMALS, 2 ) CHECK ( Grade < 100 , 00),
Attempt TINYINT
-
)
Table 3.

(
Courseld INT IDENTITY PRIMARY KEY,
Name NVARCHAR ( 50) NOT NULL,
Teacher NVARCHAR ( 256 ) NOT NULL
)
Tabled

t
Personld INT IDENTITY PRIMARY KEY,
FirstName NVARCHAR(128 ) NOT NULL,
MiddleInitial NVARCHAR ( 10),
LaStName NVARCHAR ( 128 ) NOT NULL,
DateOfBirth DATE NOT NULL
)
You need to identify which table must be created last.
What should you identify? To answer, select the appropriate options in the answer area.
A. Table1
B. Table2
C. Table3
D. Table4
Correct Answer: B
Explanation
Table1 references Table4. Therefore Table4 must be created before Table1.
Table2 references Table1 and Table3. Therefore Table1 and Table3 must be created before Table2.
Note: FOREIGN KEY REFERENCES is a constraint that provides referential integrity for the data in the
column or columns. FOREIGN KEY constraints require that each value in the column exists in the
corresponding referenced column or columns in the referenced table. FOREIGN KEY constraints can
reference only columns that are PRIMARY KEY or UNIQUE constraints in the referenced table or columns
referenced in a UNIQUE INDEX on the referenced table.
Incorrect Answers:
A: Table1 is referenced by Table2 and should be crated before Table2.
C: Table3 is referenced by Table2 and should be crated before Table2.
D: Table4 is referenced by Table1 and should be crated before Table1.
Reference:
https://docs.microsoft.com/en-us/sql/t-sql/statements/create-table-transact-sql?view=sql-server-ver15
QUESTION 149
Name Region
RG1 West US
RG2 West US
RG3 East US
You have the Azure SQL servers shown in the following table.
Name Region In resource group

Sqll West US RG1
Sql2 East US RG2
Sql3 West US RG3
Sql4 West US RG1
You create an Azure SQL database named DB1 on Sql1 in an elastic pool named Poo11.
You need to create an Azure SQL database named DB2 in Poo11.
Where should you deploy DB2?
A. Sql1
B. Sql2
C. Sql3
D. Sql4
Correct Answer: A
Explanation
The databases in an elastic pool are on a single Azure SQL Database server and share a set number of
resources at a set price.
Reference:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-pool
QUESTION 150
You need to ensure that if Server1 fails, you can recover Server1 files from Azure.
Solution: You register Windows Admin Center in Azure and configure Azure Backup.
A. Yes
B. No
Correct Answer: B
Explanation
Reference:
QUESTION 151
Your company has an office in Seattle.
You have an Azure subscription that contains a virtual network named VNET1.
You create a site-to-site VPN between the Seattle office and VNET1.
VNET1 contains the subnets shown in the following table.

Name EP address space
Subnet! 10.1.1.0 /24
GatewaySubnet 10.1.200.0/28
A. a route for Subnet1 That uses the virtual network gateway as the next hop
B. a route for GatewaySubnet that uses the virtual network gateway as the next hop
C. a route for GatewaySubnet that uses the local network gateway as the next hop
D. a route for Subnet1 that uses The local network gateway as the next hop
Correct Answer: B
Explanation
Mix Questions B
QUESTION 1
You have a task that includes a WebJob that should run continuously. The WebJob Log exhibit shows the
text that is displayed when the WebJob runs. (Click the WebJob Log tab.)
Continuous WebJob Details

Pending restart
Run commons: WebJo! I > >; > '
Toggle Output
Refreshed a moment ago. refresh or download
[OS IS 2018 i ":2S:24 > e013ed :SYS INFO] Run script ' WebJabl .exe’ with script host -
'WindowsScriptHo & r
08/ 13/ 2013 l :2S:24 > eQ 13ed :SYS INFO ]Status changed to Running
"
;0S/ l 8/201S 17:23:25 > eOl 3ed:INFO] WebJob Started'

[08/1S/ 201S 17:23:25 > e0 l 3ed:SYS INFO] Status changed to Success
OS 13/ 20 IS 1 23:25 > e013ed:SYS INFO] Process went down waiting for 60 seconds
"
08/18/ 20 IS 17:23:25 > e013ed:SYS INTOJ Status changed to PendingRestart
The WebJob is configured as shown in the WebJob Configuration exhibit. (Click the WebJob Configuration
tab.)
WebApp0909 - WebJobs
App Service
Q
/D Search (Ctrl* /)
^ Add Refresh Logs ffl| Delete Properties
SETTINGS
Authentication / Authorization WebJobs
| Application Insights WebJobs pro\ide an easy way to run scripts or programs as

backgr ound processes in the context of your app.
M Managed service identify
NAME TYPE STATUS SCHEDULE
& Backups
WebJobl Continuous Pending Restart o/a

CB Custom domains
0 SSL certificates
Networking
Scale up (App Service plan)
!' j? Scale out (App Service plan)
£i WebJobs
The WebJob is not functioning as expected. The WebJob Code exhibit has a comment that shows where
code should be added. (Click the WebJob Code tab.)
You need to identify any issues with the WebJob. For each of the following statements, select Yes if the
statement is true. Otherwise, select No.
Hot Area:
Yes No
The WebJob will run continuously as the code is written. o o

The text WebJob Setup Srarting will output to the WebJob Logs. o o
The timer elapsed code will be invoked and run at least once . o o
The WebJob settings are properly configured in the Azure portal. o o
Correct Answer:
Yes No
The WebJob will run continuously as the code is written. o o

The text WebJob Setup Srarting will output to the WebJob Logs. o o
The timer-elapsed code will be invoked and run at least once . o o
The WebJob settings are properly configured in the Azure portal. o o
Explanation
QUESTION 2
You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? To
answer, select the appropriate options in the answer area.
Hot Area:
Minimum number of network interfaces : V
5
10
15
20
Minimum number of network security groups : V
5
10
Correct Answer:
Minimum number of network interfaces: V
5
10
15
20
Minimum number of network security groups

:
5
10
Explanation
QUESTION 3
ains the following resources:
You have an Azure subscription that cont
• a virtual network named VNet1
• a replication policy named ReplPoHcy1
lt1
• a Recovery Services vault named Vau
acco unt nam ed Stor age1
• an Azu re Stor age runs Windows Server
have an Ama zon Web Serv ices (AW S) EC2 virtual machine named VM1 that
You
2016.
You need to migrate VM1 to VNet1 by ropriate actions from the
in sequence? To answer, move the app
Which three actions should you perform r
nge them in the correct orde
list of actions to the answer area and arra
Select and Place:
Actions Answer Are*
Install Azure Site Recovery Unified Setup
Enable Windows PowerSheH remoting on VM1.
Enable replication for VML
Deploy an EC 2 virtual machine as a configuration server.
Correct Answer:
Actions
Answer Area
Install Azure S»te Recovery Unified Setup
replication for VMi.
Windows ôwerShefl remoting on VM1.
Deploy an EC2 virtual machine as a configuration

Create an Azure Migrate prqect server.
Explanation
QUESTION 4
You are creating a CU script that creates an Azure web app and related services in Azure App Service.
The web app uses the following variables:
Variable name Value

Saltrepo https : // github . com / Contps / web -a pp
frwebapp Wet> app 1103
You need to automatically deploy code from GitHub to the newly created web app.
How should you complete the script? To answer, select the appropriate options in the answer area.
Hot Area:
VI-
at group create - - location - - n 6HF ayRr -s ûrtri rcii
* . î
-
‘ «
M lirrSiaitprinnc - - rrswrce - groop eyReyoirrc (fcroup
- • ihi fill
*
II wfcbipp
p wiiMfli pimcfigtf
* j -*- « tapF' dfrftjoyna*il
ai qrauc Mlete
J u-r b * Mu - ^cioarce - group yRe

*ijorce6 ip
?: web ® d at ; « «
*
12 appMf«CB' plan circle
ail efcapp drplej mti ! 4
*
MI group delete
rt Sfc«rt JsiUffjM - frin i maitcr

* ^ ^ I
-— hji -rlegrgi^r-
-
4webap9«i!
I
gA don iptreoo
*.
- plan is rtappneni
* *
-
.
- rrwHirtf p wp mfi>
*<* rtH*p
.
- -repc - i »l Ig-lifjc . r*
1
.
flrl dorrf Sy i-ep<i
- mam
lP n SwTfeapFnamp
**
Correct Answer:
HL group crrjtr
''l o c i t l m - - nufcr a
^^ - k0 u «Lec>6foop
ii webapp
¥
' “flaw 3«clifrppn*»c ‘ - iJrs«rt # -*ro4ip -
yRttteirf cctrDiip
- ik »|B E
|
« appwfvK.# plan crc-at*

-
U « *PP diploma* *
*
*i q*auB MW*
-
J: wrtaps e»a1t ^ S^bl pfifM*#
^ - -
r*Mr*rrt group ayfcfiwwCraup
K app«frt <TB pljn fiftal*

j
-
: scfci p 3 DIPICYMMI
f qrqup SfflftB
l - -r*ffcp 3T|3iMt O "tKl^Cti mil Hr

Lv = : ^ ^ ud
^ - rrlegribar- kvfb*pp*i #*f
^. ^v
rrwu ^ i - d i , rLrrt^fi
-ptan Iwrfc-^ p^
grttiut Sy - pn i #
jni#
Explanation
QUESTION 5
Fourth Coffee has an ASP.Net Core web app that runs in Docker. The app is mapped to the
www.fourthcoffee.com domain.
Fourth Coffee is migrating this application to Azure.
You need to provision an App Service Web App to host this docker image and map the custom domain to
the App Service web app.
A resource group named FourthCofeePublicWebResourceGroup has been created in the WestUS region
that contains an App Service Plan named AppServiceLinuxDockerPlan.
Which order should the CLI commands be used to develop the solution? To answer, move all of the Azure
CLI commands from the list of commands to the answer area and arrange them in the correct order.
Select and Place:

Azure CL I commands Answer Area
az webapp contig container set
-SdockerHubContainerPath
docker-custom- image-name
--resource
name SappName
-group
fourthCofYcePublicWebRcsourceGroup
az webapp create
— name SappName
-resource
plan AppSemceLinuxDockerPlan
-fourthCofYeePublicWebResourceGroup
-group
#/bin/bash
appName="FourthCofeePublicWebSrandomH
location="WestUS"
dockerHubContainerPath =HFourthCofee /publicwe
fqdn=whttp://fourthcolee.comw>\v'ww.fourth
—
az webapp config hostname add
-
webapp name SappName
-fourthCofTeePublicWebResourceGroup \
resource-group
-hostname Sfqdn
Correct Answer:
Azure CL I commands Answer Area
# /bin/bash
-
appName TouithCofeePubl icWebSrandom"
location ="WestUSw
dockerHubContainerPath^FourthCofee'publicwe
fqdn="htlp://fourthcofee.conr>www.fourth
az webapp create
-plan
name SappName
— AppServiceLinuxDockerPlan
-fourthCoffeePublicVVebResourceGroup
resource-group
az webapp config hostname add

—
-
-
webapp name SappName
-
resource group
—
fourthCoffeePublicWebResourceGroup \
hostname Sfqdn
az webapp contig container set

— - - -
docker custom image name
SdockerHubContainerPath
-—
name SappName
-
resource group
fourthCoffeePublicWebResourceGroup
Explanation
QUESTION 6
You are creating an app that uses Event Grid to connect with other services. Your app’s event data will be
sent to a serverless function that checks compliance. This function is maintained by your company.
You write a new event subscription at the scope of your resource. The event must be invalidated after a
specific period of time.
You need to configure Event Grid to ensure security.
What should you implement? To answer, select the appropriate options in the answer area.
Hot Area:
Authentication Type
V
WebHook event delivery
SAS tokens
Key authentication
JWT token
V
Topic publishing
ValidationCodc handshake
ValidationURL handshake
Management Access Control
Correct Answer:
Authentication Type
V
WebHook event delivery'
SAS tokens
Key authentication
JWT token
V
Topic publishing
ValidationCodc handshake
VaiidationURL handshake
Management Access Control
Explanation
https://docs.microsoft.com/en-us/azure/event-grid/security-authentication
QUESTION 7
You maintain an existing Azure SQL Database instance. Management of the database is performed by an
external party. Ail cryptographic keys are stored in an Azure Key Vault.
You must ensure that the external party cannot access the data in the SSN column of the Person table Will
each protection method meet the requirement? To answer, drag the appropriate responses to the correct
protection methods. Each response may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point
Select and Place:

Correct Answer:
Explanation
https://docs.microsoft.com/en-us/azure/security/azure-database-security-overview
QUESTION 8
You create a queue named Queue1. Queue1 is configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic. NOTE: Each correct selection is worth one point
Hot Area:
Correct Answer:
Explanation
QUESTION 9
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named
Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as
shown in the Access control exhibit. (Click the Exhibit tab.)
You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click
the Exhibit tab.)
For each of the following statement, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Hot Area:
Correct Answer:
Explanation
QUESTION 10
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the
following table:
VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2. An administrator
named Admin1 creates an Azure virtual machine VM1 in RG1. VM1 uses a disk named Disk1 and
connects to VNet1. Admin1 then installs a custom application in
VM1.
You need to move the custom application to VNet2. The solution must minimize administrative effort.
Which two actions should you perform? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 11
You are developing a solution that requires serverless code execution in Azure.
The solution has two functions that must run in a specific order.
You need to ensure that the second function can use the output from the first function.
How should you complete the code? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 12
Your company develops a bot that uses QnA Maker knowledge bases and Language Understanding
Intelligence Services (LUIS). You create the QnA Maker service, knowledge bases, and the LUIS app.
The bot application must use LUIS to determine which QnA Maker knowledge base to use.
You need to integrate LUIS with the QnA Maker knowledge bases and maximize the effectiveness for
selecting the QnA Maker knowledge bases before testing the bot.
Select and Place:

Correct Answer:
Explanation
QUESTION 13
Your network contains an Active Directory domain named adatum.com and an Azure Active Directory
(Azure AD) tenant named adatum.onmicrosoft.com Adatum.com contains the user accounts in the
following table.
Adatum.onmiaosoft.com contains the user accounts in the following table.

You need to implement Azure AD Connect. The solution must follow the principle of least privilege. Which
user accounts should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
User1
UserD
QUESTION 14
HOTSPOT
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1.
You add the users in the following table.
Which user can perform each configuration? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
Box 1: User1 and User3 only.
The Owner Role lets you manage everything, including access to resources.
The Network Contributor role lets you manage networks, but not access to them.
Box 2: User1 and User2 only

The Security Admin role: In Security Center only: Can view security policies, view security states, edit
security policies, view alerts and recommendations, dismiss alerts and recommendations.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
QUESTION 15
You need to create a conditional access policy that requires all users to use multi-factor authentication
when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings to the answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 16
You develop software solutions for a web services company. You have the following code.
(Line numbers are for reference only.)
You need to implement an immediate response customer support solution for the company's website. For
each of the following statements, select, Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Explanation
QUESTION 17
You are developing a back-end Azure App Service that scales based on the number of messages
contained in a Service Bus queue.
A rule already exists to scale up the App Service when the average queue length of unprocessed and valid
queue messages is greater than 1000.
You need to add a new rule that will continuously scale down the App Service as long as the scale up
condition is not met.
How should you configure the Scale rule? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 18
You are developing an Azure Function that will be triggered using a webhook from an external application.
The Azure Function will receive JSON data in the body of the request.
Calling applications send an account ID as part of the URL. The number at the end of the URL is an
integer. The format for the URL resembles the following: /api/account/1
The Azure Function must accept all incoming requests without requiring keys or tokens.
You need to complete the attributes for the Azure Function.
Hot Area:
Correct Answer:
Explanation
QUESTION 19
Contoso. Ltd. hosts the following ASP.NET workloads in Azure:
Users of the Sales software report mismatches between shown inventory at the time of sale and actual
availability. Transactions across the two systems result in inconsistent reads and writes. You encapsulate
Sales order creation and Inventory status updates in elastic transactions.
You need to recommend changes to code and the databases to support transactions.
Which actions should you recommend? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 20
DRAG DROP
You develop a web app that uses the tier D1 app service plan by using the Web Apps feature of Microsoft
Azure App Service.
Spikes in traffic have caused increases in page load times.
You need to ensure that the web app automatically scales when CPU load is about 85 percent and
minimize costs.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct
orders you select.
Select and Place:

Correct Answer:
Explanation
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-get-started
QUESTION 21
DRAG DROP
You have an on-premises network that includes a Microsoft SQL Server instance named SQL1.
You create an Azure Logic App named App1.
You need to ensure that App1 can query a database on SQL1.
Select and Place:
Correct Answer:
Explanation
References:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-connection
QUESTION 22
HOTSPOT
You have several Azure virtual machines on a virtual network named VNet1.
You configure an Azure Storage account as shown in the following exhibit.
information presented in the graphic.
Hot Area:
Correct Answer:
Explanation
Box 1: always
Endpoint status is enabled.
Box 2: Never
After you configure firewall and virtual network settings for your storage account, select Allow trusted
Microsoft services to access this storage account as an exception to enable Azure Backup service to
access the network restricted storage account.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
https://azure.microsoft.com/en-us/blog/azure-backup-now-supports-storage-accounts-secured-with-azure-
storage-firewalls-and-virtual-networks/
QUESTION 23
You are developing a SMS-based testing solution. The solution sends users a question by using SMS.
Early responders may qualify for prizes.
Users must respond with an answer choice within 90 seconds. You must be able to track how long it takes
each user to respond. You create a durable Azure Function named SendSmsQuizQuestion that uses
Twilio to send messages.
You need to write the code for MessageQuiz.
Hot Area:
Correct Answer:
Explanation
QUESTION 24
You have a cloud solution that uses an Azure Functions consumption plan to scale hundreds of processes.
A portion of the code is shown below. (L.ne numbers are included for reference only.)
Hot Area:
Correct Answer:
Explanation
QUESTION 25
You are creating a bot for a company by using QnA Maker.
You need to ensure that the company can update the bot without third-party assistance.
What should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
https://docs.microsoft.com/en-us/azure/cognitive-services/qnamaker/overview/overview
QUESTION 26
Your company has offices in New York and Los Angeles.
You have an Azure subscription that contains an Azure virtual network named VNet1. Each office has a
site-to-site VPN connection to VNet1.
Each network uses the address spaces shown in the following table:
You need to ensure that all Internet-bound traffic from VNet1 is routed through the New York office.
Hot Area:
Correct Answer:
Explanation
QUESTION 27
You have an Azure subscription named Subscription1. Subscription1 contains the virtual machines in the
following table.
Subscription1 contains a virtual network VNet1 that has the subnets in the following table.
VM3 has multiple network adapters, including a network adapter named N1C3. IP forwarding is enabled on
NIC3. Routing is enabled on VM3. You create a route table
named RT1. RT1 is associated to Subnet1 and Subnet2 and contains the routes in the following table.
You apply RT1 to Subnet1
Hot Area:
Correct Answer:
Explanation
QUESTION 28
You are creating a collaborative image hosting platform as an ASP.NET MVC web application. Users add,
update, and modify images on the platform. Images are stored in Azure Blob storage.
More than one user at a time must be able to modify the same image.
You need to implement optimistic concurrency for uploading images.
Select and Place:

Correct Answer:
Explanation
QUESTION 29
You have an Azure subscription named Subscription 1.
In Subscription1, you create an Azure file share named share1.
You create a shared access signature (SAS) named SAS1 as shown in the following exhibit.
To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
will have no access
will have read-only access
QUESTION 30
You have an Azure Storage accounts as shown in the following exhibit.
Hot Area:
Correct Answer:
Explanation
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
QUESTION 31
You are developing a rating service for books that runs on Azure Service Fabric. One of the services uses
reliable collections that update the ratings of a book.
Testers report that the ratings are not updated when the code is run.
You need to implement the code to ensure that ratings are updated in the collection.
You have the following class:
How should you complete the code? To answer, drag the appropriate code segments to the correct
locations. Each code segment may be used once, more than once, or not at all.
You may need to drag the split bar between panes or scroll to view content.
Select and Place:

Correct Answer:
Explanation
QUESTION 32
You are developing a workflow solution using Azure technologies.
What should you implement to meet each requirement? To answer, select the appropriate options in the
answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 33
A company provides web app hosting services for customers.
You have a set of App Service Plans available to deploy resources for new projects. The available service
tiers are shown in the Service Tiers exhibit. (Click the Service Tiers tab.)
You must provision resources for the projects as shown in the Projects exhibit. (Click the Projects tab.)
The Adventure Works a project requires the use of deployment slots as shown in the Deployment Slots
exhibit. (Click the Deployment Slots tab.)
You need to determine where to deploy resources for each project.
Hot Area:
Correct Answer:
Explanation
QUESTION 34
You develop an IoT solution by using Nodejs. The solution is ready to deploy to the production
environment.
You must implement the device twin capabilities of Azure IoT Hub. You must register a sensor named
Sensor00. The IoT Hub name is Hub01.
You need to register the endpoint with ContosoHub01 so that you can configure them from your solution.
Which four commands should you use to develop the solution? To answer, move the appropriate
commands from the list of commands to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Explanation
az extension add --name azure-cli-iot-ext
QUESTION 35
HOTSPOT
You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following
exhibit.
Hot Area:
Correct Answer:
Explanation
Box 1:
The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher. The
initial instance count is 4 and rises to 6 when the 2 extra instances of VMs are added.
Box 2:
The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower. The
initial instance count is 4 and thus cannot be reduced to 0 as the minimum instances is set to 2. Instances
are only added when the CPU threshold reaches 80%.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-best-practices
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-common-scale-patterns
QUESTION 36
You plan to create a new Azure Active Directory (Azure AD) role.
You need to ensure that the new role can view all the resources in the Azure subscription and issue
support requests to Microsoft. The solution must use the principle of least privilege.
How should you complete the JSON definition? To answer, select the appropriate options in the answer
area.
Hot Area:
Correct Answer:
Explanation
QUESTION 37
An application that you manage has several web front-end instances. Each web front end communicates
with a set of back-end worker processes by using an Azure queue. You are developing code for the worker
processes. You have a function named DoWork0 that handles d3ta processing tasks.
You need to develop code for the worker processes that meets the following requirements:
• Property access an item from the queue and be resistant to failure.
• Run on multiple background processes.
• Ensure that items are available to other workers two minutes after a worker process fails.
• Ensure that messages regarding failed processes are logged to the console.
How should you complete the code? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.
Hot Area:
Correct Answer:
Explanation
QUESTION 38
A company has the following offices:
The company plans to expand its network to the cloud. You identify the following requirements:
• Location1 requires a dynamic pool of virtual machines (VMs) for offsite computations
• Employees from Location1must be able to connect to VMs through a virtual network to start tasks and
check results.
• Servers from Location2 must privately and continuously back up all data to Azure. The process will
require up to 1 Gbps bandwidth.
You need to configure the hybrid solution.
Which connection types should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 39
You are developing a Docker/Go using Azure App Service Web App for Containers. You plan to run the
container in an App Service on Linux. You identify a Docker container image to use.
None of your current resource groups reside in a location that supports Linux. You must minimize the
number of resource groups. You need to create the application and perform an initial deployment required.
Which three Azure CLI commands should you use to develop the solution? To answer, move the
appropriate commands from the list of commands to the answer area and arrange them in the correct
order.
Select and Place:

Correct Answer:
Explanation
az group create
az appservice plan create
az webapp create
QUESTION 40
You arc developing an application that consists of an ASP.NET Core Web API website and a WebJob that
starts automatically and runs continuously. You are building the deployment process for the application.
You need to ensure that both the website and the WebJob are deployed.
How should you structure the deployment folders? To answer, drag the appropriate path segments to the
correct locations. Each path segment may be used once, more than once, or not at all. You may need to
drag the split bar between panes or scroll to view content.
Select and Place:

Correct Answer:
Explanation
QUESTION 41
You have an Azure Active Directory (Azure AD) tenant that has the initial domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of
@contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate cmdlets from the
list of cmdlets to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
Explanation
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
QUESTION 42
You are developing a stateful service to deploy lo Azure Service Fabric. You plan to implement the
RunAsync method.
You need to implement the methods to interface with an instance of the IReliable dictionary interface to
increment a count each time the service is called- The first time the service is called, you must initialize the
count to 1 if it does not yet exist and then update it by one each time it is called.
Which three methods should you run in sequence? To answer, move the appropriate methods from the list
of methods to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Explanation
QUESTION 43
You plan to create a Docker image that runs an ASP.NET Core application named ContosoApp. You have
a setup script named setupScript.ps1 and a series of application files including ContosoApp.dll.
You need to create a Dockerfile document that meets the following requirements:
Call setupScript.ps1 when the container is built.
Run ContosoApp.dll when the container starts.
The Dockerfile document must be created in the same folder where ContosoApp.dll and setupScript.ps1
are stored.
Which four commands should you use to develop the solution? To answer, move the appropriate
commands from the list of commands to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
Explanation
QUESTION 44
You are developing a web app that uses a REST interface to connect to Azure Storage with HTTPS. This
app uploads and streams video content that can be accessed from anywhere in the world.
You have different storage requirements for each part of the app. A hierarchical namespace must be
created.
Which storage services should you implement? To answer, select the appropriate services to the correct
actions. Each service may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.
Select and Place:

Correct Answer:
Explanation
QUESTION 45
You have peering configured as shown in the following exhibit
information presented m the graphic.
Hot Area:
Correct Answer:
Explanation
QUESTION 46
You have an on-premises network that you plan to connect to Azure by using a site-to-site VPN.
In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16.
VNet1 contains a subnet named Subnet1 that uses an address space of 10.0.0.0/24.
You need to create a site-to-site VPN to Azure.
orders you select.
Select and Place:
Correct Answer:
Explanation
QUESTION 47
You have an Azure subscription named Subscription1. Subscription1 contains the virtual networks in the
following table:
Subscription1 contains the virtual machines in the following table:
The firewalls on all the virtual machines are configured to allow all ICMP traffic.
You add the peerings in the following table:
Hot Area:
Correct Answer:
Explanation
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networksportal
QUESTION 48
SIMULATION
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser
address bar.
When you are finished performing all the tasks, click the `Next' button.
Note that you cannot return to the lab once you click the `Next' button. Scoring occur in the background
while you complete the rest of the exam.
Overview
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live
environment. While most functionality will be available to you as it would be in a live environment, some
functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter
how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You
can use as much time as you would like to complete each lab. But, you should manage your time
appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the
time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able
to return to the lab.
To start the lab
You may start the lab by clicking the Next button.
Your company plans to store several documents on a public website.
You need to create a container named bios that will host the documents in the storagelod8322489 storage
account. The solution must ensure anonymous access and must ensure that users can browse folders in
the container.
What should you do from the Azure portal?
Correct Answer: explanation

Explanation
Correct Answer: See explanation below.
Azure portal create public container
To create a container in the Azure portal, follow these steps:
Step 1: Navigate to your new storage account in the Azure portal.
Step 2: In the left menu for the storage account, scroll to the lob service section, then select Blobs.
Select the + Container button.
Type a name for your new container: bios
Set the level of public access to the container: Select anonymous access.
Step 3: Select OK to create the container.
References:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-portal
QUESTION 49
SIMULATION
address bar.
Overview
time provided.
To start the lab
Your company plans to host in Azure the source files of several line-of-business applications.
You need to create an Azure file share named corpsoftware in the storagelod8322489 storage account.
The solution must ensure that corpsoftware can store only up to 250 GB of data.

Explanation
Step 1: Go to the Storage Account blade on the Azure portal:
Step 2: Click on add File Share button:
Step 3: Provide Name (storagelod8322489) and Quota (250 GB).
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share
QUESTION 50
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to back up all the Azure virtual machines in your Azure subscription at 02:00 Coordinated
Universal Time (UTC) daily.
You need to prepare the Azure environment to ensure that any new virtual machines can be configured
quickly for backup. The solution must ensure that all the daily backups performed at 02:00 UTC are stored
for only 90 days.
What should you do from your Recovery Services vault on the Azure portal?

Explanation
Task A: Create a Recovery Services vault (if a vault already exists skip this task, go to Task B below)
A1. From Azure Portal, On the Hub menu, click All services and in the list of resources, type Recovery
Services and click Recovery Services vaults.
If there are recovery services vaults in the subscription, the vaults are listed.
A2. On the Recovery Services vaults menu, click Add.
A3. The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location
Task B.
B1. On the Recovery Services vault blade (for the vault you just created), in the Getting Started section,
click Backup, then on the Getting Started with Backup blade, select Backup goal.
The Backup Goal blade opens. If the Recovery Services vault has been previously configured, then the
Backup Goal blades opens when you click Backup on the Recovery Services vault blade.
B2. From the Where is your workload running? drop-down menu, select Azure.
B3. From the What do you want to backup? menu, select Virtual Machine, and click OK.
B4. Finish the Wizard.

Task C. create a backup schedule
C1. Open the Microsoft Azure Backup agent. You can find it by searching your machine for Microsoft
Azure Backup.
C2. In the Backup agent's Actions pane, click Schedule Backup to launch the Schedule Backup Wizard.
C3. On the Getting started page of the Schedule Backup Wizard, click Next.
C4. On the Select Items to Backup page, click Add Items.
The Select Items dialog opens.
C5. Select Blob Storage you want to protect, and then click OK.
C6.In the Select Items to Backup page, click Next.

On the Specify Backup Schedule page, specify
Schedule a backup every: day
At the following times: 2.00 AM
C7. On the Select Retention Policy page, set it to 90 days, and click Next.
C8. Finish the Wizard.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault
QUESTION 51
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to connect several virtual machines to the VNET01-USEA2 virtual network.
In the Web-RGlod8322489 resource group, you need to create a virtual machine that uses the
Standard_B2ms size named Web01 that runs Windows Server 2016. Web01 must be added to an
availability set.

Explanation
Step 1: Choose Create a resource in the upper left-hand corner of the Azure portal.
Step 2: In the Basics tab, under Project details, make sure the correct subscription is selected and then
choose Web-RGlod8322489 resource group
Step 3: Under Instance details type/select:

Virtual machine name: Web01
Image: Windows Server 2016
Size: Standard_B2ms size
Leave the other defaults.

Step 4: Finish the Wizard
QUESTION 52
SIMULATION
address bar.
Overview
time provided.
To start the lab
You recently created a virtual machine named Web01.
You need to attach a new 80-GB standard data disk named Web01-Disk1 to Web01.

Explanation
Add a data disk
Step 1: In the Azure portal, from the menu on the left, select Virtual machines.
Step 2: Select the Web01 virtual machine from the list.
Step 3: On the Virtual machine page, , in Essentials, select Disks.

Step 4: On the Disks page, select the Web01-Disk1 from the list of existing disks.
Step 5: In the Disks pane, click + Add data disk.
Step 6: Click the drop-down menu for Name to view a list of existing managed disks accessible to your
Azure subscription. Select the managed disk Web01-Disk1 to attach:
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/attach-disk-portal
QUESTION 53
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to allow connections between the VNET01-USEA2 and VNET01-USWE2 virtual networks.
You need to ensure that virtual machines can communicate across both virtual networks by using their
private IP address.
The solution must NOT require any virtual network gateways.

Explanation
Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the
virtual networks appear as one, for connectivity purposes.
Peer virtual networks

Step 1. In the Search box at the top of the Azure portal, begin typing VNET01-USEA2. When VNET01-
USEA2 appears in the search results, select it.
Step 2. Select Peerings, under SETTINGS, and then select + Add, as shown in the following picture:
Step 3. Enter, or select, the following information, accept the defaults for the remaining settings, and then
select OK.
Name: myVirtualNetwork1-myVirtualNetwork2 (for example)
Subscription: elect your subscription.
Virtual network: VNET01-USWE2 - To select the VNET01-USWE2 virtual network, select Virtual network,
then select VNET01-USWE2. You can select a virtual network in the same region or in a different region.
Now we need to repeat steps 1-3 for the other network VNET01-USWE2:
Step 4. In the Search box at the top of the Azure portal, begin typing VNET01- USEA2. When VNET01-
USEA2 appears in the search results, select it.
Step 5. Select Peerings, under SETTINGS, and then select + Add.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal
QUESTION 54
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to host several secured websites on Web01.
You need to allow HTTPS over TCP port 443 to Web01 and to prevent HTTP over TCP port 80 to Web01.

Explanation
You can filter network traffic to and from Azure resources in an Azure virtual network with a network
security group. A network security group contains security rules that allow or deny inbound network traffic
to, or outbound network traffic from, several types of Azure resources.
A network security group contains security rules that allow or deny inbound network traffic to, or outbound
network traffic from, several types of Azure resources.
Step A: Create a network security group

A1. Search for and select the resource group for the VM, choose Add, then search for and select Network
security group.
A2. Select Create.
The Create network security group window opens.
A3. Create a network security group

Enter a name for your network security group.
Select or create a resource group, then select a location.
A4. Select Create to create the network security group.
Step B: Create an inbound security rule to allows HTTPS over TCP port 443
B1. Select your new network security group.
B2. Select Inbound security rules, then select Add.

B3. Add inbound rule
B4. Select Advanced.

From the drop-down menu, select HTTPS.
You can also verify by clicking Custom and selecting TCP port, and 443.
B5. Select Add to create the rule.
Repeat step B2-B5 to deny TCP port 80
B6. Select Inbound security rules, then select Add.
B7. Add inbound rule
B8. Select Advanced.

Clicking Custom and selecting TCP port, and 80.
B9. Select Deny.
Step C: Associate your network security group with a subnet

Your final step is to associate your network security group with a subnet or a specific network interface.
C1. In the Search resources, services, and docs box at the top of the portal, begin typing Web01. When
the Web01 VM appears in the search results, select it.
C2. Under SETTINGS, select Networking. Select Configure the application security groups, select the
Security Group you created in Step A, and then select Save, as shown in the following picture:
References:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic
QUESTION 55
SIMULATION
address bar.
Overview
time provided.
To start the lab
Your on-premises network uses an IP address range of 131.107.2.0 to 131.107.2.255.
You need to ensure that only devices from the on-premises network can connect to the rg1lod8322490n1
storage account.

Explanation
Correct Answer: See solution below.
Step 1: Navigate to the rg1lod8322490n1 storage account.
Step 2: Click on the settings menu called Firewalls and virtual networks.
Step 3: Ensure that you have elected to allow access from 'Selected networks'.
Step 4: To grant access to an internet IP range, enter the address range of 131.107.2.0 to 131.107.2.255
(in CIDR format) under Firewall, Address Ranges.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
QUESTION 56
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to store media files in the rg1lod8322490 storage account.
You need to configure the storage account to store the media files. The solution must ensure that only
users who have access keys can download the media files and that the files are accessible only over
HTTPS.

Explanation
We should create an Azure file share.
Step 1: In the Azure portal, select All services. In the list of resources, type Storage Accounts. As you
begin typing, the list filters based on your input. Select Storage Accounts.
On the Storage Accounts window that appears.
Step 2: Locate the rg1lod8322490 storage account.
Step 3: On the storage account page, in the Services section, select Files.
Step 4: On the menu at the top of the File service page, click + File share. The New file share page drops
down.
Step 5: In Name type myshare. Click OK to create the Azure file share.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-portal
QUESTION 57
SIMULATION
address bar.
Overview
time provided.
To start the lab
Another administrator attempts to establish connectivity between two virtual networks named VNET1 and
VNET2. The administrator reports that connections across the virtual networks fail.
You need to ensure that network connections can be established successfully between VNET1 and
VNET2 as quickly as possible.

Explanation
You can connect one VNet to another VNet using either a Virtual network peering, or an Azure VPN
Gateway.
To create a virtual network gateway
Step 1: In the portal, on the left side, click +Create a resource and type 'virtual network gateway' in search.
Locate Virtual network gateway in the search return and click the entry. On the Virtual network gateway
page, click Create at the bottom of the page to open the Create virtual network gateway page.
Step 2: On the Create virtual network gateway page, fill in the values for your virtual network gateway.
Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the
gateway object you are creating.
Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual network to
open the 'Choose a virtual network' page. Select the VNet. If you don't see your VNet, make sure the
Location field is pointing to the region in which your virtual network is located.
Gateway subnet address range: You will only see this setting if you did not previously create a gateway
subnet for your virtual network. If you previously created a valid gateway subnet, this setting will not
appear.
Step 4: Select Create New to create a Gateway subnet.

Step 5: Click Create to begin creating the VPN gateway. The settings are validated and you'll see the
"Deploying Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes.
You may need to refresh your portal page to see the completed status.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-
portal?
QUESTION 58
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to configure VM1 to be accessible from the internet.
You need to add a public IP address to the network interface used by VM1.

Explanation
You can add private and public IP addresses to an Azure network interface by completing the steps that
follow.
Step 1: In Azure portal, click More services > type virtual machines in the filter box, and then click Virtual
machines.
Step 2: In the Virtual machines pane, click the VM you want to add IP addresses to. Click Network
interfaces in the virtual machine pane that appears, and then select the network interface you want to add
the IP addresses to. In the example shown in the following picture, the NIC named myNIC from the VM
named myVM is selected:
Step 3: In the pane that appears for the NIC you selected, click IP configurations.
Step 4: Click Create public IP address.

Step 5: In the Create public IP address pane that appears, enter a Name, select an IP address assignment
type, a Subscription, a Resource group, and a Location, then click Create, as shown in the following
picture:
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-portal
QUESTION 59
SIMULATION
address bar.
Overview
time provided.
To start the lab
You need to allow RDP connections over TCP port 3389 to VM1 from the Internet. The solutions must
prevent connections from the Internet over all other TCP ports.

Explanation
Step 1: Create a new network security group
Step 2: Select your new network security group.
Step 3: Select Inbound security rules. Under Add inbound security rule, enter the following
Destination: Select Network security group, and then select the security group you created previously.
Destination port ranges: 3389
Protocol: Select TCP
References:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic
QUESTION 60
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to migrate a large amount of corporate data to Azure Storage and to back up files stored on old
hardware to Azure Storage.
You need to create a storage account named corpdata8548984n1, in the corpdatalod8548984 resource
group. The solution must meet the following requirements:
- corpdata8548984n1 must be able to host the virtual disk files for Azure virtual machines
- The cost of accessing the files must be minimized
- Replication costs must be minimized

Explanation
Step 1: In the Azure portal, click All services. In the list of resources, type Storage Accounts. As you begin
typing, the list filters based on your input. Select Storage Accounts.
Step 2: On the Storage Accounts window that appears, choose Add.
Step 3: Select the subscription in which to create the storage account.
Step 4: Under the Resource group field, select corpdatalod8548984.

Step 5: Enter a name for your storage account: corpdata8548984n1
Step 6: For Account kind select: General-purpose v2 accounts (recommended for most scenarios)
General-purpose v2 accounts is recommended for most scenarios. General-purpose v2 accounts deliver
the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction
prices.
Step 7: For replication select: Read-access geo-redundant storage (RA-GRS)

Read-access geo-redundant storage (RA-GRS) maximizes availability for your storage account. RA-GRS
provides read-only access to the data in the secondary location, in addition to geo-replication across two
regions.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account
QUESTION 61
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to move backup files and documents from an on-premises Windows file server to Azure Storage.
The backup files will be stored as blobs.
You need to create a storage account named corpdata8548984n2. The solution must meet the following
requirements:
- Ensure that the documents are accessible via drive mappings from Azure virtual machines that run
Windows Server 2016
- Provide the highest possible redundancy for the documents
- Minimize storage access costs

Explanation
Step 1: In the Azure portal, click All services. In the list of resources, type Storage Accounts. As you begin
typing, the list filters based on your input. Select Storage Accounts.
Step 2: On the Storage Accounts window that appears, choose Add.
Step 3: Select the subscription in which to create the storage account.
Step 4: Under the Resource group field, select Create New. Create a new Resource
Step 5: Enter a name for your storage account: corpdata8548984n2
Step 6: For Account kind select: General-purpose v2 accounts (recommended for most scenarios)
General-purpose v2 accounts is recommended for most scenarios. General-purpose v2 accounts deliver
the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction
prices.
Step 7: For replication select: Read-access geo-redundant storage (RA-GRS)

Read-access geo-redundant storage (RA-GRS) maximizes availability for your storage account. RA-GRS
provides read-only access to the data in the secondary location, in addition to geo-replication across two
regions.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account
QUESTION 62
SIMULATION
address bar.
Overview
time provided.
To start the lab
You need to deploy two Azure virtual machines named VM1003a and VM1003b based on an Ubuntu
Server image. The deployment must meet the following requirements:
- Provide a Service Level Agreement (SLA) of 99.95 percent availability

- Use managed disks

Explanation
Step 1: Open the Azure portal.
Step 2: On the left menu, select All resources. You can sort the resources by Type to easily find your
images.
Step 3: Select the image you want to use from the list. The image Overview page opens.
Step 4: Select Create VM from the menu.
Step 5: Enter the virtual machine information. Select VM1003a as the name for the first Virtual
machine.The user name and password entered here will be used to log in to the virtual machine. When
complete, select OK. You can create the new VM in an existing resource group, or choose Create new to
create a new resource group to store the VM.
Step 6: Select a size for the VM. To see more sizes, select View all or change the Supported disk type
filter.
Step 7: Under Settings, make changes as necessary and select OK.
Step 8: On the summary page, you should see your image name listed as a Private image. Select Ok to
start the virtual machine deployment.
Repeat the procedure for the second VM and name it VM1003b.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-vm-generalized-managed
QUESTION 63
SIMULATION
address bar.
Overview
time provided.
To start the lab
You need to deploy an Azure virtual machine named VM1004a based on an Ubuntu Server image, and
then to configure VM1004a to meet the following requirements:
- The virtual machines must contain data disks that can store at least 15 TB of data
- The data disk must be able to provide at least 2,000 IOPS
- Storage costs must be minimized

Explanation
Step 1: Open the Azure portal.
Step 2: On the left menu, select All resources. You can sort the resources by Type to easily find your
images.
Step 3: Select the image you want to use from the list. The image Overview page opens.
Step 4: Select Create VM from the menu.
Step 5: Enter the virtual machine information. Select VM1004a as the name for the first Virtual
machine.The user name and password entered here will be used to log in to the virtual machine. When
complete, select OK. You can create the new VM in an existing resource group, or choose Create new to
create a new resource group to store the VM.
Step 6: Select a size for the VM. To see more sizes, select View all or change the Supported disk type
filter.To support 15 TB of data you would need a Premium disk.
Step 7: Under Settings, make changes as necessary and select OK.

Step 8: On the summary page, you should see your image name listed as a Private image. Select Ok to
start the virtual machine deployment.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-vm-generalized-managed
QUESTION 64
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to create 100 Azure virtual machines on each of the following three virtual networks:
- VNET1005a
- VNET1005b
- VNET1005c
All the network traffic between the three virtual networks will be routed through VNET1005a.
You need to create the virtual networks, and then to ensure that all the Azure virtual machines can connect
to other virtual machines by using their private IP address. The solutions must NOT require any virtual
gateways and must minimize the number of peerings.
What should you do from the Azure portal before you configuring IP routing?

Explanation
Step 1: Click Create a resource in the portal.
Step 2: Enter Virtual network in the Search the Marketplace box at the top of the New pane that appears.
Click Virtual network when it appears in the search results.
Step 3: Select Classic in the Select a deployment model box in the Virtual Network pane that appears, then
click Create.
Step 4: Enter the following values on the Create virtual network (classic) pane and then click Create:
Name: VNET1005a
Address space: 10.0.0.0/16

Subnet name: subnet0
Resource group: Create new
Subnet address range: 10.0.0.0/24
Subscription and location: Select your subscription and location.
Step 5: Repeat steps 3-5 for VNET1005b (10.1.0.0/16, 10.1.0.0/24), and for VNET1005c 10.2.0.0/16,
10.2.0.0/24).
References:
https://docs.microsoft.com/en-us/azure/virtual-network/create-virtual-network-classic
QUESTION 65
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to deploy several Azure virtual machines and to connect them to a virtual network named
VNET1007.
You need to ensure that future virtual machines on VNET1007 can register their name in an internal DNS
zone named corp8548984.com. The zone must NOT be hosted on a virtual machine.
What should you do from Azure Cloud Shell?
To complete this task, start Azure Cloud Shell and select PowerShell (Linux), Click Show Advanced
settings, and then enter corp8548984n1 in the Storage account text box and File1 share text box. Click
Create storage, and then complete the task.

Explanation
Step 1: Launch Cloud Shell from the top navigation of the Azure portal.
Step 2: Select PowerShell
When you start the Azure Cloud Shell for the first time, you will be prompted to create a storage account in
order to associate a new Azure File Share to persist files across sessions.
Step 3: Click Show Advanced settings.

Step 4: Enter corp8548984n1 in the Storage account text box and File1 share text box. Click Create
storage.
Step 5: Enter the following command at the powershell command prompt:

New-AzDnsZone -Name "corp8548984.com"
-ResourceGroupName "mycloudshell"
-ZoneType Private
-RegistrationVirtualNetworkId VNET1007
Note: A DNS zone is created by using the New-AzDnsZone cmdlet with a value of Private for the
ZoneType parameter.
References:
https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-powershell
https://docs.microsoft.com/en-us/azure/cloud-shell/quickstart-powershell
https://docs.microsoft.com/en-us/powershell/module/az.dns/new-azdnszone?view=azps-1.5.0
QUESTION 66
SIMULATION
address bar.
Overview
time provided.
To start the lab
Another administrator reports that she is unable to configure a web app named corplod8548987n3 to
prevent all connections from an IP address of 11.0.0.11.
You need to modify corplod8548987n3 to successfully prevent the connections from the IP address. The
solution must minimize Azure-related costs.

Explanation
Step 1:
Find and select application corplod8548987n3:
1. In the Azure portal, on the left navigation panel, click Azure Active Directory.
2. In the Azure Active Directory blade, click Enterprise applications.
Step 2:
To add an IP restriction rule to your app, use the menu to open Network>IP Restrictions and click on
Configure IP Restrictions
Step 3:
Click Add rule
You can click on [+] Add to add a new IP restriction rule. Once you add a rule, it will become effective
immediately.
Step 4:
Add name, IP address of 11.0.0.11, select Deny, and click Add Rule
References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
QUESTION 67
SIMULATION
address bar.
Overview
time provided.
To start the lab
You need to add a deployment slot named staging to an Azure web app named
corplod@lab.LabInstance.Idn4. The solution must meet the following requirements:
- When new code is deployed to staging, the code must be swapped automatically to the production slot.
- Azure-related costs must be minimized.

Explanation
Step 1:
Locate and open the corplod@lab.LabInstance.Idn4 web app.
1. In the Azure portal, on the left navigation panel, click Azure Active Directory.
2. In the Azure Active Directory blade, click Enterprise applications.
Step 2:
Open your app's resource blade and Choose the Deployment slots option, then click Add Slot.
Step 3:
In the Add a slot blade, give the slot a name, and select whether to clone app configuration from another
existing deployment slot. Click the check mark to continue.
The first time you add a slot, you only have two choices: clone configuration from the default slot in
production or not at all.
References:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-staged-publishing
QUESTION 68
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to deploy an application gateway named appgw1015 to load balance internal IP traffic to the
Azure virtual machines connected to subnet0.
You need to configure a virtual network named VNET1015 to support the planned application gateway.

Explanation
Step 1:
Click Networking, Virtual Network, and select VNET1015.
Step 2:
Click Subnets, and Click +Add on the VNET1015 - Subnets pane that appears.
Step 3:
On the Subnets page, click +Gateway subnet at the top to open the Add subnet page.
Step 4:
Locate subnet0 and add it.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-
portal
QUESTION 69
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to connect a virtual network named VNET1017 to your on-premises network by using both an
Azure ExpressRoute and a site-to-site VPN connection.
You need to prepare the Azure environment for the planned deployment. The solutions must maximize the
IP address space available to Azure virtual machines.
What should you do from the Azure portal before you create the ExpressRoute and the VPN gateway?

Explanation
We need to create a Gateway subnet
Step 1:
Go to More Services > Virtual Networks
Step 2:
Then click on the VNET1017, and click on subnets. Then click on gateway subnet.
Step 3:
In the next window define the subnet for the gateway and click OK
It is recommended to use /28 or /27 for gateway subnet.
As we want to maximize the IP address space we should use /27.
References:
https://blogs.technet.microsoft.com/canitpro/2017/06/28/step-by-step-configuring-a-site-to-site-vpn-
gateway-between-azure-and-on-premise/
QUESTION 70
SIMULATION
address bar.
Overview
how you accomplish the task, if you successfully perform it, you will earn credit for that task. Labs are not
timed separately, and this exam may have more than one lab that you must complete. You can use as
much time as you would like to complete each lab. But, you should manage your time appropriately to
ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
To start the lab

You need to create a virtual network named VNET1008 that contains three subnets named subnet0,
subnet1, and subnet2. The solution must meet the following requirements:
Connections from any of the subnets to the Internet must be blocked

Connections from the Internet to any of the subnets must be blocked
The number of network security groups (NSGs) and NSG rules must be minimized

Explanation
Step 1: Click Create a resource in the portal.
Step 2: Enter Virtual network in the Search the Marketplace box at the top of the New pane that appears.
Click Virtual network when it appears in the search results.
Step 3: Select Classic in the Select a deployment model box in the Virtual Network pane that appears, then
click Create.
Step 4: Enter the following values on the Create virtual network (classic) pane and then click Create:
Name: VNET1008
Address space: 10.0.0.0/16
Subnet name: subnet0
Resource group: Create new
Subnet address range: 10.0.0.0/24
Subscription and location: Select your subscription and location.
Step 5: In the portal, you can create only one subnet when you create a virtual network. Click Subnets (in
the SETTINGS section) on the Create virtual network (classic) pane that appears.
Click +Add on the VNET1008 - Subnets pane that appears.
Step 6: Enter subnet1 for Name on the Add subnet pane. Enter 10.0.1.0/24 for Address range. Click OK.
Step 7: Create the third subnet: Click +Add on the VNET1008 - Subnets pane that appears. Enter subnet2
for Name on the Add subnet pane. Enter 10.0.2.0/24 for Address range. Click OK.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/create-virtual-network-classic
QUESTION 71
SIMULATION
address bar.
Overview
how you accomplish the task, if you successfully perform it, you will earn credit for that task. Labs are not
timed separately, and this exam may have more than one lab that you must complete. You can use as
much time as you would like to complete each lab. But, you should manage your time appropriately to
ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
To start the lab

You need to create a function app named corp8548987n1 that supports sticky sessions. The solution must
minimize the Azure-related costs of the App Service plan.

Explanation
Step 1:
Select the New button found on the upper left-hand corner of the Azure portal, then select Compute >
Function App.
Step 2:
Use the function app settings as listed below.
App name: corp8548987n1
Hosting plan: Azure App Service plan (required for sticky sessions)
Pricing tier of the App Service plan: Shared compute: Free
Step 3:
Select Create to provision and deploy the function app.
References:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal
QUESTION 72
SIMULATION
address bar.
Overview
time provided.
To start the lab
You need to create a web app named corp8548987n2 than can be scaled horizontally. The solution must
use the lowest possible pricing tier for the App Service plan.

Explanation
Step 1:
In the Azure Portal, click Create a resource > Web + Mobile > Web App.
Step 2:
Use the Webb app settings as listed below.
Web App name: corp8548987n2
Hosting plan: Azure App Service plan
Pricing tier of the Pricing Tier: Standard
Change your hosting plan to Standard, you can't setup auto-scaling below standard tier.
Step 3:
Select Create to provision and deploy the Web app.
References:
https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-web-how-to-create-a-web-
app-in-an-ase
https://azure.microsoft.com/en-us/pricing/details/app-service/plans/
QUESTION 73
SIMULATION
address bar.
Overview
time provided.
To start the lab
You need to deploy an application gateway named appgw1015 to meet the following requirements:
Load balance internal IP traffic to the Azure virtual machines connected to subnet0.
Provide a Service Level Agreement (SLA) of 99,99 percent availability for the Azure virtual machines.

Explanation
Step 1:
Click New found on the upper left-hand corner of the Azure portal.
Step 2:
Select Networking and then select Application Gateway in the Featured list.
Step 3:
Enter these values for the application gateway:
appgw1015 - for the name of the application gateway.
SKU Size: Standard_V2
The new SKU [Standard_V2] offers autoscaling and other critical performance enhancements.
Step 4:
Accept the default values for the other settings and then click OK.
Step 5:
Click Choose a virtual network, and select subnet0.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway-portal
QUESTION 74
SIMULATION
address bar.
Overview
time provided.
To start the lab
You need to deploy an Azure load balancer named ib1016 to your Azure subscription. The solution must
meet the following requirements:
Support the load balancing of IP traffic from the Internet to Azure virtual machines connected to VNET1016
\subnet0.
Provide a Service Level Agreement (SLA) of 99,99 percent availability for the Azure virtual machines.
Minimize Azure-related costs.
To complete this task, you do NOT need to wait for the deployment to complete. Once the deployment
starts in Azure, you can move to the next task.

Explanation
Step 1:
On the top left-hand side of the screen, click Create a resource > Networking > Load Balancer.
Step 2:
In the Create a load balancer page enter these values for the load balancer:
myLoadBalancer - for the name of the load balancer.
Internal - for the type of the load balancer.
Basic - for SKU version.
Microsoft guarantees that apps running in a customer subscription will be available 99.99% of the time.
VNET1016\subnet0 - for subnet that you choose from the list of existing subnets.
Step 3: Accept the default values for the other settings and click Create to create the load balancer.
QUESTION 75
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to prevent users from accidentally deleting blob data from Azure.
You need to ensure that administrators can recover any blob data that is deleted accidentally from the
storagelod8322489 storage account for 14 days after the deletion occurred.

Explanation
Task A: Create a Recovery Services vault (if a vault already exists skip this task, go to Task B below)
A1. From Azure Portal, On the Hub menu, click All services and in the list of resources, type Recovery
Services and click Recovery Services vaults.
If there are recovery services vaults in the subscription, the vaults are listed.
A2. On the Recovery Services vaults menu, click Add.
A3. The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location
Task B. Create a backup goal

B1. On the Recovery Services vault blade (for the vault you just created), in the Getting Started section,
click Backup, then on the Getting Started with Backup blade, select Backup goal.
The Backup Goal blade opens. If the Recovery Services vault has been previously configured, then the
Backup Goal blades opens when you click Backup on the Recovery Services vault blade.
B2. From the Where is your workload running? drop-down menu, select Azure.
B3. From the What do you want to backup? menu, select Blob Storage, and click OK.
B4. Finish the Wizard.
Task C. create a backup schedule

C1. Open the Microsoft Azure Backup agent. You can find it by searching your machine for Microsoft
Azure Backup.
C2. In the Backup agent's Actions pane, click Schedule Backup to launch the Schedule Backup Wizard.
C3. On the Getting started page of the Schedule Backup Wizard, click Next.
C4. On the Select Items to Backup page, click Add Items.
The Select Items dialog opens.
C5. Select Blob Storage you want to protect, and then click OK.
C6.In the Select Items to Backup page, click Next.

On the Specify Backup Schedule page, specify Schedule a backup every day, and click Next.
C7. On the Select Retention Policy page, set it to 14 days, and click Next.
C8. Finish the Wizard.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault
QUESTION 76
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to protect on-premises virtual machines and Azure virtual machines by using Azure Backup.
You need to prepare the backup infrastructure in Azure. The solution must minimize the cost of storing the
backups in Azure.

Explanation
First, create Recovery Services vault.
Step 1: On the left-hand menu, select All services and in the services list, type Recovery Services. As you
type, the list of resources filters. When you see Recovery Services vaults in the list, select it to open the
Recovery Services vaults menu.
Step 2: In the Recovery Services vaults menu, click Add to open the Recovery Services vault menu.
Step 3: In the Recovery Services vault menu, for example,
Type myRecoveryServicesVault in Name.
The current subscription ID appears in Subscription. If you have additional subscriptions, you could choose
another subscription for the new vault.
For Resource group select Use existing and choose myResourceGroup. If myResourceGroup doesn't
exist, select Create new and type myResourceGroup.
From the Location drop-down menu, choose West Europe.
Click Create to create your Recovery Services vault.
References:
https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-vm-at-scale
QUESTION 77
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to grant the members of a new Azure AD group named corp8548987 the rights to delegate
administrative access to any resource in the resource group named corp8548987.
You need to create the Azure AD group, and then to assign the correct role to the group. The solution must
use the principle of least privilege and minimize the number of role assignments.

Explanation
Step 1:
Click Resource groups from the menu of services to access the Resource Groups blade
Step 2:
Click Add (+) to create a new resource group. The Create Resource Group blade appears. Enter
corp8548987 as the Resource group name, and click the Create button.
Step 3:
Select Create.
Your group is created and ready for you to add members.
Now we need to assign a role to this resource group scope.
Step 4:
Choose the newly created Resource group, and Access control (IAM) to see the current list of role
assignments at the resource group scope. Click +Add to open the Add permissions pane.
Step 5:
In the Role drop-down list, select a role Delegate administration, and select Assign access to: resource
group corp8548987
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
https://www.juniper.net/documentation/en_US/vsrx/topics/task/multi-task/security-vsrx-azure-marketplace-
resource-group.html
QUESTION 78
SIMULATION
address bar.
Overview
time provided.
To start the lab
You plan to create several virtual machines in different availability zones, and then to configure the virtual
machines to load balanced connections from the internet.
You need to create an IP address resource named ip1006 to support the planned load balancing solution.
The solution must minimize costs.

Explanation
We should create a public IP address.
Step 1: At the top, left corner of the portal, select + Create a resource.
Step 2: Enter public ip address in the Search the Marketplace box. When Public IP address appears in the
search results, select it.
Step 3: Under Public IP address, select Create.
Step 4: Enter, or select values for the following settings, under Create public IP address, then select
Create:
Name: ip1006
SKU: Basic SKU
IP Version: IPv6
IP address assignment: Dynamic
Subscription: Select appropriate
Resource group: Select appropriate
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address
QUESTION 79
HOTSPOT
You have Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address
space of 10.0.0.0/16 and contains the subnets in the following table.
Subnet1 contains a virtual appliance named VM1 that operates as a router.
You create a routing table named RT1.
You need to route all inbound traffic to VNet1 through VM1.
How should you configure RT1? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 80
HOTSPOT
You plan to create an Azure Storage account in the Azure region of East US 2.
You need to create a storage account that meets the following requirements:
- Replicates synchronously
- Remains available if a single data center in the region fails
How should you configure the storage account? To answer, select the appropriate options in the answer
area.
Hot Area:
Correct Answer:
Explanation
Box 1: Zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single
region.
LRS would not remain available if a data center in the region fails
GRS and RA GRS use asynchronous replication.
Box 2: StorageV2 (general purpose V2)

ZRS only support GPv2.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs
QUESTION 81
HOTSPOT
Subscription1 contains the virtual machines in the following table:
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.
VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on
NIC3. Routing is enabled on VM3.
You create a route table named RT1 that contains the routers in the following table.
You apply RT1 to Subnet1 and Subnet2.
Hot Area:
Correct Answer:
Explanation
IP forwarding enables the virtual machine a network interface is attached to:
Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations
assigned to the network interface.
Send network traffic with a different source IP address than the one assigned to one of a network
interface's IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that
receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it
has multiple network interfaces or a single network interface attached to it.
Box 1: Yes
The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3,
VM3 can connect to VM1.
Box 2: No
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.
Box 3: Yes
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to
connect to VM2 via VM3.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
https://www.quora.com/What-is-IP-forwarding
QUESTION 82
HOTSPOT
You have a virtual network named VNet1 that has the configuration shown in the following exhibit.
Hot Area:
Correct Answer:
Explanation
Box 1: add an address space
Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a
private IP address from a range that you specify, based on the address space of the subnet they are
connected to. We need to add the 192.168.1.0/24 address space.
Box 2: add a network interface

The 10.2.1.0/24 network exists. We need to add a network interface.
References:
https://docs.microsoft.com/en-us/office365/enterprise/designing-networking-for-microsoft-azure-iaas
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-static-private-ip-arm-pportal
QUESTION 83
HOTSPOT
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the
following table.
In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to
VNet2. The adatum.com zone is configured is shown in the following exhibit.
Hot Area:
Correct Answer:
Explanation
Box 1: No
Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to
a private zone as a registration virtual network. VM5 does not belong to the registration virtual network
though.
Box 2: No
Forward DNS resolution is supported across virtual networks that are linked to the private zone as
resolution virtual networks. VM5 does belong to a resolution virtual network.
Box 3: Yes
VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.
By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS
resolution against the zone works from any of the virtual machines within the registration virtual network.
References:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
QUESTION 84
HOTSPOT
You plan to deploy 20 Azure virtual machines by using an Azure Resource Manager template. The virtual
machines will run the latest version of Windows Server 2016 Datacenter by using an Azure Marketplace
image.
You need to complete the storageprofile section of the template.
How should you complete the storageProfile section? To answer, select the appropriate options in the
answer area.
Hot Area:
Correct Answer:
Explanation
...
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2016-Datacenter",
"version": "latest"
},
...
References:
https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate
QUESTION 85
HOTSPOT
Your company has a virtualization environment that contains the virtualization hosts shown in the following
table.
The virtual machines are configured as shown in the following table.

All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker).
You plan to migrate the virtual machines to Azure by using Azure Site Recovery.
You need to identify which virtual machines can be migrated.
Which virtual machines should you identify for each server? To answer, select the appropriate options in
the answer area.
Hot Area:
Correct Answer:
Explanation
Incorrect Answers:
VM1 cannot be migrates as it has BitLocker enabled.
VM2 cannot be migrates as the OS disk on VM2 is larger than 2TB.
VMC cannot be migrates as the Data disk on VMC is larger than 4TB.
QUESTION 86
HOTSPOT
You have an Azure subscription that contains multiple resource groups. You create an availability set as
shown in the following exhibit.
You deploy 10 virtual machines to AS1.
Hot Area:
Correct Answer:
Explanation
Box 1: 6
Two out of three update domains would be available, each with at least 3 VMs.
An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same
time.
As you create VMs within an availability set, the Azure platform automatically distributes your VMs across
these update domains. This approach ensures that at least one instance of your application always
remains running as the Azure platform undergoes periodic maintenance.
Box 2: the West Europe region and the RG1 resource group
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/regions-and-availability
QUESTION 87
HOTSPOT
You have a virtualization environment that contains the virtualization servers in the following table.
The virtual machines are configured as shown in the following table.

All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker).
You plan to migrate the virtual machines to Azure by using Azure Site Recovery.
You need to identify which virtual machines can be migrated.
Which virtual machines should you identify for each server? To answer, select the appropriate options in
the answer area.
Hot Area:
Correct Answer:
Explanation
Incorrect Answers:
VM1 cannot be migrates as it has BitLocker enabled.
VM2 cannot be migrates as the OS disk on VM2 is larger than 2TB.
VMC cannot be migrates as the Data disk on VMC is larger than 4TB.
References:
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix#azure-vm-requirements
QUESTION 88
HOTSPOT
You are designing a virtual network to support a web application. The web application uses Blob storage to
store large images. The web application will be deployed to an Azure App Service Web App.
You have the following requirements:
Secure all communications by using Secured Socket layer (SSL)

SSL encryption and decryption must be processed efficiently to support high traffic load on the web
application
Protect the web application from web vulnerabilities and attacks without modification to backend code
Optimize web application responsiveness and reliability by routing HTTP request and responses to the
endpoint with the lowest network latency for the client.
You need to configure the Azure components to meet the requirements.
Hot Area:
Correct Answer:
Explanation
Box 1: Azure application Gateway
Azure Application Gateway supports end-to-end encryption of traffic. Application Gateway terminates the
SSL connection at the application gateway. The gateway then applies the routing rules to the traffic, re-
encrypts the packet, and forwards the packet to the appropriate back-end server based on the routing
rules defined. Any response from the web server goes through the same process back to the end user.
Box 2: Azure Security Center

Azure Security Center is a unified infrastructure security management system that strengthens the security
posture of your data centers, and provides advanced threat protection across your hybrid workloads in the
cloud - whether they're in Azure or not - as well as on premises.
Box 3: Azure Traffic Manager

Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to
services across global Azure regions, while providing high availability and responsiveness.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
QUESTION 89
HOTSPOT
You have Azure Storage accounts as shown in the following exhibit.
Hot Area:
Correct Answer:
Explanation
Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-
purpose v1 (GPv1) accounts, and Blob storage accounts.
General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs,
files, queues, and tables.
Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only
block blobs.
General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the
latest features or the lowest per gigabyte pricing.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options
QUESTION 90
HOTSPOT
You have an on-premises data center and an Azure subscription. The data center contains two VPN
devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway
subnet.
You need to create a site-to-site VPN. The solution must ensure that is a single instance of an Azure VPN
gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is
longer than two minutes.
What is the minimum number of public IP addresses, virtual network gateways, and local network
gateways required in Azure? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
Box 1: 4
Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET.
The most reliable option is to combine the active-active gateways on both your network and Azure, as
shown in the diagram below.
Box 2: 2
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned
maintenance or unplanned disruption that happens to the active instance, the standby instance would take
over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.
Box 3: 2
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
QUESTION 91
HOTSPOT
Your company hosts multiple website by using Azure virtual machine scale sets (VMSS) that run Internet
Information Server (IIS).
All network communications must be secured by using end to end Secure Socket Layer (SSL) encryption.
User sessions must be routed to the same server by using cookie-based session affinity.
The image shown depicts the network traffic flow for the web sites to the VMSS.
Use the drop-down menus to select the answer choice that answers each question.
Hot Area:
Correct Answer:
Explanation
Box 1: Public
The following example shows site traffic coming from both ports 8080 and 8081 and being directed to the
same backend pools.
Box 2: Application Gateway

You can create an application gateway with URL path-based redirection using Azure PowerShell.
Box 3: Path-based redirection and Websockets
References:
https://docs.microsoft.com/bs-latn-ba/azure//application-gateway/tutorial-url-redirect-powershell
QUESTION 92
HOTSPOT
You are developing an Azure Web App. You configure TLS mutual authentication for the web app.
You need to validate the client certificate in the web app. To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection s worth one point.
Hot Area:
Correct Answer:
Explanation
QUESTION 93
HOTSPOT
You network contains an Active Directory domain named adatum.com and an Azure Active Directory
(Azure AD) tenant named adatum.onmicrosoft.com.
Adatum.com contains the user accounts in the following table.
Adatum.onmicrosoft.com contains the user accounts in the following table.
You need to implement Azure AD Connect. The solution must follow the principle of least privilege.
Which user accounts should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
Box 1: User5
In Express settings, the installation wizard asks for the following:
AD DS Enterprise Administrator credentials

Azure AD Global Administrator credentials
The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These
credentials are only used during the installation and are not used after the installation has completed. The
Enterprise Admin, not the Domain Admin should make sure the permissions in Active Directory can be set
in all domains.
Box 2: UserA
Azure AD Global Admin credentials are only used during the installation and are not used after the
installation has completed. It is used to create the Azure AD Connector account used for synchronizing
changes to Azure AD. The account also enables sync as a feature in Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-
permissions
QUESTION 94
HOTSPOT
Your company runs several Windows and Linux virtual machines (VMs).
You must design a solution that implements data privacy, compliance, and data sovereignty for all storage
uses in Azure. You plan to secure all Azure storage accounts by using Role-Based Access Controls
(RBAC) and Azure Active Directory (Azure AD).
You need to secure the data used by the VMs.
Which solution should you use? To answer, select the appropriate solutions in the answer area.
Hot Area:
Correct Answer:
Explanation
References:
https://docs.microsoft.com/en-us/azure/security/security-storage-overview
QUESTION 95
HOTSPOT
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named
VM1.
You install and configure a web server and a DNS server on VM1.
VM1 has the effective network security rules shown in the following exhibit.
Hot Area:
Correct Answer:
Explanation
Box 1:
Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach to the Web
server, since it uses port 80.
Box 2:
If Rule2 is removed internet users can reach the DNS server as well.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers,
because lower numbers have higher priority. Processing stops once traffic matches a rule, as a result, any
rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher
priorities are not processed.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
QUESTION 96
HOTSPOT
In Subscription1, you create an alert rule named Alert1. The Alert1 action group is configured as shown in
the following exhibit.
Alert1 alert criteria is triggered every minute.
Hot Area:
Correct Answer:
Explanation
Box 1: 60
One alert per minute will trigger one email per minute.
Box 2: 12
No more than 1 SMS every 5 minutes can be send, which equals 12 per hour.
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular
phone number, email address or device. Rate limiting ensures that alerts are manageable and actionable.
The rate limit thresholds are:

SMS: No more than 1 SMS every 5 minutes.
Voice: No more than 1 Voice call every 5 minutes.
Email: No more than 100 emails in an hour.
Other actions are not rate limited.
References:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/monitoring-and-diagnostics/monitoring-
overview-alerts.md
QUESTION 97
HOTSPOT
You have an Azure subscription named Subscription1 that contains the resources in the following table.
A web server runs on VM1 and VM2.
When you request a webpage named Page1.htm from the Internet, LB1 balances the web requests to VM1
and VM2., and you receive a response.
On LB1, you have a rule named Rule1 as shown in the Rule1 exhibit. (Click the Exhibit tab.)
You have a health probe named Probe1 as shown in the Probe1 exhibit. (Click the Exhibit tab.)
Hot Area:
Correct Answer:
Explanation
Box 1: No
Session Persistence is None.
Box 2: Yes
Web requests uses the HTTP protocol, not the TCP protocol.
Box 3: No
Note: Azure Load Balancer provides health probes for use with load-balancing rules. Health probe
configuration and probe responses determine which backend pool instances will receive new flows. You
can use health probes to detect the failure of an application on a backend instance. You can also generate
a custom response to a health probe and use the health probe for flow control to manage load or planned
downtime. When a health probe fails, Load Balancer stops sending new flows to the respective unhealthy
instance.
References:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
QUESTION 98
DRAG DROP
You have an Azure subscription that contains an Azure file share.
You deploy an Azure File Sync Storage Sync Service, and you create a sync group.
You need to synchronize files from Server1 to Azure.
Select and Place:

Correct Answer:
Explanation
Step 1: Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an
Azure file share
Step 2: Register Server1.

Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between
your server (or cluster) and the Storage Sync Service.
Step 3: Add a server endpoint

Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync
with each other. A sync group must contain one cloud endpoint, which represents an Azure file share and
one or more server endpoints. A server endpoint represents a path on registered server.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
QUESTION 99
DRAG DROP
You have an Azure subscription that is used by four departments in your company. The subscription
contains 10 resource groups. Each department uses resources in several resource groups.
You need to send a report to the finance department. The report must detail the costs for each department.
Select and Place:
Correct Answer:
Explanation
Box 1: Assign a tag to each resource.
You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. After
you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Each
resource or resource group can have a maximum of 15 tag name/value pairs. Tags applied to the resource
group are not inherited by the resources in that resource group.
Box 2: From the Cost analysis blade, filter the view by tag
After you get your services running, regularly check how much they're costing you. You can see the
current spend and burn rate in Azure portal.
1. Visit the Subscriptions blade in Azure portal and select a subscription.
1. You should see the cost breakdown and burn rate in the popup blade.
2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24 hours after you
add a service for the data to populate.
3. You can filter by different properties like tags, resource group, and timespan. Click Apply to confirm the
filters and Download if you want to export the view to a Comma-Separated Values (.csv) file.
Box 3: Download the usage report
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
https://docs.microsoft.com/en-us/azure/billing/billing-getting-started
QUESTION 100
DRAG DROP
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual
machines connect to the virtual networks.
The virtual networks have the address spaces and the subnets configured as shown in the following table.
You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on
VNet1 and VNet2 can communicate.
Select and Place:

Correct Answer:
Explanation
Step 1: Remove peering between Vnet1 and VNet2.
You can't add address ranges to, or delete address ranges from a virtual network's address space once a
virtual network is peered with another virtual network. To add or remove address ranges, delete the
peering, add or remove the address ranges, then re-create the peering.
Step 2: Add the 10.44.0.0/16 address space to VNet1.
Step 3: Recreate peering between VNet1 and VNet2
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
QUESTION 101
DRAG DROP
You maintain an existing Azure SQL Database instance. Management of the database is performed by an
external party. All cryptographic keys are stored in an Azure Key Vault.
You must ensure that the external party cannot access the data in the SSN column of the Person Table.
Will each protection method meet the requirement? To answer, drag the appropriate responses to the
correct protection methods.
Each response may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.
Select and Place:
Correct Answer:
Explanation
References:
https://docs.microsoft.com/en-us/azure/security/azure-database-security-overview
QUESTION 102
DRAG DROP
You have a web app named MainApp. You are developing a triggered App Service background task by
using the WebJobs SDK.
This task automatically invokes a function in the code whenever any new data is received in a queue.
You need to configure the services.
Which service should you use for each scenario? To answer, drag the appropriate services to the correct
scenarios. Each service may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Explanation
References:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-compare-logic-apps-ms-flow-webjobs
QUESTION 103
DRAG DROP
You are developing Azure WebJobs.
You need to recommend a WebJob type for each scenario.
Which WebJob type should you recommend? To answer, drag the appropriate WebJob types to the
correct scenarios. Each WebJob type may be used once, more than once, or not at all. You may need to
drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Explanation
References:
https://docs.microsoft.com/en-us/azure/app-service/webjobs-create#webjob-types
QUESTION 104
DRAG DROP
You are designing a solution to secure a company's Azure resources. The environment hosts 10 teams.
Each team manages a project and has a project manager, a virtual machine (VM) operator, developers,
and contractors.
Project managers must be able to manage everything except access and authentication for users. VM
operators must be able to manage VMs, but not the virtual network or storage account to which they are
connected. Developers and contractors must be able to manage storage accounts.
You need to recommend roles for each member.
What should you recommend? To answer, drag the appropriate roles to the correct employee types. Each
role may be used once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content.
Select and Place:
Correct Answer:
Explanation
QUESTION 105
DRAG DROP
You have an Azure subscription that contains an Azure Service Bus named Bus1.
Your company plans to deploy two Azure web apps named App1 and App2. The web app will create
messages that have the following requirements:
Each message created by App1 must be consumed by only a single consumer.

Each message created by App2 will consumed by multiple consumers.
Which resource should you create for each web app? To answer, drag the appropriate resources to the
correct web apps. Each resource may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Explanation
QUESTION 106
DRAG DROP
You have an Azure subscription that contains a storage account.
You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of
data.
You need to transfer the data to the storage account by using the Azure Import/Export service.
In which order should you perform the actions? To answer, move all actions form the list of actions to the
answer area and arrange them in the correct order.
orders you select.
Select and Place:

Correct Answer:
Explanation
At a high level, an import job involves the following steps:
Step 1: Attach an external disk to Server1 and then run waimportexport.exe

Determine data to be imported, number of drives you need, destination blob location for your data in Azure
storage.
Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.
Step 2: From the Azure portal, create an import job.

Create an import job in your target storage account in Azure portal. Upload the drive journal files.
Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.
Provide the return address and carrier account number for shipping the drives back to you.
Ship the disk drives to the shipping address provided during job creation.
Step 4: From the Azure portal, update the import job

Update the delivery tracking number in the import job details and submit the import job.
The drives are received and processed at the Azure data center.
The drives are shipped using your carrier account to the return address provided in the import job.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
QUESTION 107
You are planning data security for Azure resources.
You need to ensure that the data meets the following requirements:
Data in Azure SQL databases that is at rest, in transit, and in use must be encrypted.
The confidentiality of code on virtual machines must be protected while the code is being processed.
Which feature should you use for each requirement? To answer, select the appropriate options in the
answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 108
You need to use an Azure logic app to receive a notification when an administrator modifies the settings of
a virtual machine in a resource group named RG1.
Which three components should you create next in the Logic Apps Designer? To answer, move the
appropriate components from the list of components to the answer area and arrange them in the correct
order.
Select and Place:

Correct Answer:
Explanation
QUESTION 109
You have an Azure subscription that includes an Azure key vault named Vault1.
You create the Azure virtual machines shown in the following table.
You enable Azure Disk Encryption for all the virtual machines and use the –VolumeType All parameter.
You add data disks to the virtual machines as shown in the following table.
Hot Area:
Correct Answer:
Explanation
QUESTION 110
You plan to deploy two Azure web apps that have the requirements shown in the following table.
You need to select the App Service plans for the web apps. The solution must minimize costs.
Which App Service plan should you select for each web app? To answer, select the appropriate options in
the answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 111
HOTSPOT
You have peering configured as shown in the following exhibit.
Hot Area:
Correct Answer:
Explanation
Box 1: vNET6 only
Box 2: Modify the address space

The virtual networks you peer must have non-overlapping IP address spaces.
References:
constraints
QUESTION 112
HOTSPOT
You plan to deploy two Azure web apps that have the requirements shown in the following table.
You need to select the App Service plans for the web apps. The solution must minimize costs.
Which App Service plan should you select for each web app? To answer, select the appropriate options in
the answer area.
Hot Area:
Correct Answer:
Explanation
Reference:
https://azure.microsoft.com/en-us/pricing/details/app-service/plans/
QUESTION 113
HOTSPOT
You have an Azure Service Bus and a queue named Queue1. Queue1 is configured as shown in the
following exhibit.
Hot Area:
Correct Answer:
Explanation
QUESTION 114
DRAG DROP
You need to use an Azure logic app to receive a notification when an administrator modifies the settings of
a virtual machine in a resource group named RG1.
Which three components should you create next in the Logic Apps Designer? To answer, move the
appropriate components from the list of components to the answer area and arrange them in the correct
order.
Select and Place:
Correct Answer:
Explanation
Step 1: an Azure Event Grid trigger
First add an Event grid trigger that monitors the resource group for your virtual machine.
Step 2: a conditional control

To run your logic app workflow only when a specific event happens, add a condition that checks for virtual
machine "write" operations.
Step 3: an action
Now add an action so that you get an email when the specified condition is true.
References:
https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app
QUESTION 115
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
You need to deploy a load-balancing solution for two Azure web apps named App1 and App2 to meet the
1. App1 must support command injection protection.

2. App2 must be able to use a static public IP address.
3. App1 must have a Service Level Agreement (SLA) of 99.99 percent.
Which resource should you use as the load-balancing solution for each app? To answer, select the
appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
Box 1: AGW1
Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of
your web applications from common exploits and vulnerabilities. Web applications are increasingly
targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site
scripting are among the most common attacks.
Box 2: ELB1
Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP
addresses also enable Azure resources to communicate outbound to Internet and public-facing Azure
services with an IP address assigned to the resource.
Note: In Azure Resource Manager, a public IP address is a resource that has its own properties. Some of
the resources you can associate a public IP address resource with are:
Virtual machine network interfaces
Internet-facing load balancers
VPN gateways
Application gateways
References:
https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm
QUESTION 116
HOTSPOT
You are planning data security for Azure resources.
You need to ensure that the data meets the following requirements:
1. Data in Azure SQL databases that is at rest, in transit, and in use must be encrypted.
2. The confidentiality of code on virtual machines must be protected while the code is being processed.
Which feature should you use for each requirement? To answer, select the appropriate options in the
answer area.
Hot Area:
Correct Answer:
Explanation
SQL Databases: Transparent Data Encryption (TDE)
Azure SQL Database currently supports encryption at rest for Microsoft-managed service side and client-
side encryption scenarios.
Support for server encryption is currently provided through the SQL feature called Transparent Data
Encryption. Once an Azure SQL Database customer enables TDE key are automatically created and
managed for them. Encryption at rest can be enabled at the database and server levels.
Virtual machine code: Azure confidential compute

Azure confidential computing protects your data while it’s in use. It is the final piece to enable data
protection through its lifecycle whether at rest, in transit, or in use. It is the cornerstone of Microsoft's
‘Confidential Cloud’ vision, which aims to make data and code opaque to the cloud provider.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest
https://azure.microsoft.com/en-us/blog/protect-data-in-use-with-the-public-preview-of-azure-confidential-
computing/
QUESTION 117
HOTSPOT
Your organization has developed and deployed several Azure App Service Web and API applications. The
applications use Azure SQL Database to store and retrieve data. Several departments have the following
requests to support the applications:
You need to recommend the appropriate Azure service for each department request.
What should you recommend? To answer, configure the appropriate options in the dialog box in the
answer area.
Hot Area:
Correct Answer:
Explanation
https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql
QUESTION 118
HOTSPOT
You have an Azure subscription that includes an Azure key vault named Vault1.
You create the Azure virtual machines shown in the following table.
You enable Azure Disk Encryption for all the virtual machines and use the -VolumeType All parameter.
You add data disks to the virtual machines as shown in the following table.
Hot Area:
Correct Answer:
Explanation
Premium and standard, but not basic, account types support disk encryption.
Disk encryption requires managed disks.
References:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview
QUESTION 119
HOTSPOT
You have an Azure subscription that contains the storage account shown in the following table.
Hot Area:
Correct Answer:
Explanation
Box 1: No
Azure Files supports two storage tiers: premium and standard. Standard file shares are created in general
purpose (GPv1 or GPv2) storage accounts and premium file shares are created in FileStorage storage
accounts.
You cannot create Azure file shares from Blob storage accounts or premium general purpose (GPv1 or
GPv2) storage accounts. Standard Azure file shares must created in standard general purpose accounts
only and premium Azure file shares must be created in FileStorage storage accounts only. Premium
general purpose (GPv1 and GPv2) storage accounts are for premium page blobs only.
Box 2: Yes
Geo-redundant storage (GRS) brings additional redundancy to the data storage over both LRS or ZRS.
Along with the three copies of your data stored within a single region, a further three copies are stored in
the twinned Azure region. So using GRS means you get all the features of the LRS storage within your
primary zone, but you also get a second LRS data storage in a neighbouring Azure region. This data is
updated asynchronously, so there is a small lag between the 2 data sets, but for most cases this is
acceptable.
Box 3: Yes
Blob Storage Standard can be used both LRS and GRS.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-faq
https://www.skylinesacademy.com/blog/2019/7/31/azure-storage-replication
https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction
QUESTION 120
HOTSPOT
You create and save an Azure Resource Manager template named Template1 that includes the following
four sections.
Section1.
Section2.
Section3.
Section4.
You deploy Template1.
Hot Area:
Correct Answer:
Explanation
QUESTION 121
HOTSPOT
RG1 contains the virtual machines shown in the following table.
RG2 contains the virtual machines shown in the following table.
All the virtual machines are configured to use premium disks and are accessible from the Internet.
VM1 and VM2 are in an availability set named AVSET1. VM3 and VM4 are in the same availability zone
and are in an availability set named AVSET2. VM5 and VM6 are in different availability zones.
Hot Area:
Correct Answer:
Explanation
Box 1: Yes
VM1 and VM2 are in an available set named AVSET1.
For all Virtual Machines that have two or more instances deployed in the same Availability Set, we
[Microsoft] guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of
the time.
Box 2: No
VM3 and VM4 are in the same availability zone and are in an availability set named AVSET2.
Box 3: Yes
VM5 and VM6 are in different availability zones.
For all Virtual Machines that have two or more instances deployed across two or more Availability Zones in
the same Azure region, we [Microsoft] guarantee you will have Virtual Machine Connectivity to at least one
instance at least 99.99% of the time.
References:
https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_8/
QUESTION 122
HOTSPOT
You play to deploy an Azure virtual machine named VM1 by using an Azure Resource Manager template.
You need to complete the template.
What should you include in the template? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
Within your template, the dependsOn element enables you to define one resource as a dependent on one
or more resources. Its value can be a comma-separated list of resource names.
Box 1: 'Microsoft.Network/networkInterfaces'
This resource is a virtual machine. It depends on two other resources:
Microsoft.Storage/storageAccounts
Microsoft.Network/networkInterfaces
Box 2: 'Microsoft.Network/virtualNetworks/'
The dependsOn element enables you to define one resource as a dependent on one or more resources.
The resource depends on two other resources:
Microsoft.Network/publicIPAddresses
Microsoft.Network/virtualNetworks
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-create-
templates-with-dependent-resources
QUESTION 123
HOTSPOT
You plan to create a virtual machine as shown in the following exhibit.

Hot Area:
Correct Answer:
Explanation
Box 1: is guaranteed to remain the same
OS disk type: Premium SSD
Premium SSD Managed Disks are high performance Solid State Drive (SSD) based Storage designed to
support I/O intensive workloads with significantly high throughput and low latency. With Premium SSD
Managed Disks, you can provision a persistent disk and configure its size and performance characteristics.
Box 2: secure enclaves

Virtual machine size: Standard_DC2s
DC-series virtual machines are a new family of VMs to protect the confidentiality and integrity of your data
and code while it's processed in Azure through the use of secure enclaves.
Incorrect:
Not dm-crypt: Azure Disk Encryption helps protect and safeguard your data to meet your organizational
security and compliance commitments. It uses the BitLocker feature of Windows and the DM-Crypt feature
of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs).
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-types
https://azure.microsoft.com/en-us/pricing/details/virtual-machines/series/
QUESTION 124
HOTSPOT
A company runs multiple Windows virtual machines (VMs) in Azure.
The IT operations department wants to apply the same policies as they have for on-premises VMs to the
VMs running in Azure, including domain administrator permissions and schema extensions.
You need to recommend a solution for the hybrid scenario that minimizes the amount of maintenance
required.
What should you recommend? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
Box 1: Join the VMs to a new domain controller VM in Azure
Azure provides two solutions for implementing directory and identity services in Azure:
1. (Used in this scenario) Extend your existing on-premises Active Directory infrastructure to Azure, by
deploying a VM in Azure that runs AD DS as a Domain Controller. This architecture is more common
when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or
ExpressRoute connection.
2. Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises
Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.
Box 2: Set up VPN connectivity.

This architecture is more common when the on-premises network and the Azure virtual network (VNet) are
connected by a VPN or ExpressRoute connection.
References:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/
QUESTION 125
HOTSPOT
You have an Azure web app named App1 that has the following configurations:
1. The app runs on three instances.

2. The minimum number of instances is one.
3. The maximum number of instances is five.
You create the following autoscale rules for App1:
1. Decrease the instance count by one when the CPU percentage is less than 30.
2. Decrease the instance count by one when the memory percentage is less than 50.
3. Increase the instance count by one when the CPU percentage is greater than 80.
4. Increase the instance count by one when the memory percentage is greater than 75.
You expect App1 to be utilized as shown in the following table.

You need to identify the maximum number of instances that will be used by App1 during the expected
periods of utilization.
What should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
On scale out, autoscale runs if any rule is met. On scale-in, autoscale requires all rules to be met.
Therefore, the web app will scale out but will never scale back in because there is no time where the CPU
is less than 30% AND the memory is less than 50%.
QUESTION 126
HOTSPOT
Your network contains an Active Directory domain that is synced to Azure Active Directory (Azure AD) as
shown in the following exhibit.
You have a user account configured as shown in the following exhibit.
Hot Area:
Correct Answer:
Explanation
Box 1: No
Password writeback is disabled.
Note: Having a cloud-based password reset utility is great but most companies still have an on-premises
directory where their users exist. How does Microsoft support keeping traditional on-premises Active
Directory (AD) in sync with password changes in the cloud? Password writeback is a feature enabled with
Azure AD Connect that allows password changes in the cloud to be written back to an existing on-
premises directory in real time.
Box 2: No
Box 3: Yes
Yes, there is an Edit link for Location Info.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback
QUESTION 127
HOTSPOT
You plan to deploy an app that has a web front end and an application tier.
You need to recommend a load balancing solution that meets the following requirements:
Internet to web tier:

- Provides URL-based routing
- Supports connection draining
- Prevents SQL injection attacks
Web tier to application tier:
- Provides port forwarding
- Supports HTTPS health probes
- Supports an availability set as a backend pool
Which load balancing solution should you recommend for each tier? To answer, select the appropriate
options in the answer area.
Hot Area:
Correct Answer:
Explanation
Box 1: An Azure Application Gateway that has a web application firewall (WAF)
Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of
your web applications from common exploits and vulnerabilities. Web applications are increasingly
targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site
scripting are among the most common attacks.
Application Gateway operates as an application delivery controller (ADC). It offers Secure Sockets Layer
(SSL) termination, cookie-based session affinity, round-robin load distribution, content-based routing,
ability to host multiple websites, and security enhancements.
Box 2: An internal Azure Standard Load Balancer

The internet to web tier is the public interface, while the web tier to application tier should be internal.
Note: When using load-balancing rules with Azure Load Balancer, you need to specify a health probes to
allow Load Balancer to detect the backend endpoint status.
Health probes support the TCP, HTTP, HTTPS protocols.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
QUESTION 128
HOTSPOT
From Azure Cosmos DB, you create the containers shown in the following table.
You add the following item to Container1.

You plan to add items to Azure Cosmos DB as shown in the following table.
You need to identify which items can be added successfully to Container1 and Container2.
What should you identify for each container? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Explanation
QUESTION 129
DRAG DROP
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You install a line-to-business application on VM1.
You need to create an Azure virtual machine by using VM1 as a custom image.
Select and Place:

Correct Answer:
Explanation
Step 1: Run sysprep.exe on VM1.
If a template, or system image is used, System administrators must run the Sysprep tool to clear the SID
information. The Sysprep tool is usually one of the last tasks performed by a system administrator when
building a server image/template, that way each clone of the template will generalize a new unique SID for
every server image copied from the template and will prepare the server for a first time boot.
The end result is a System template that functions as a new unique build every time it is deployed.
Step 2: From Azure CLI, deallocate VM1 and mark VM1 as generalized
To create an image, the VM needs to be deallocated. Deallocate the VM with Stop-AzVm. Then, set the
state of the VM as generalized with Set-AzVm so that the Azure platform knows the VM is ready for use a
custom image
Step 3: Create a virtual machine scale set

Now create a scale set with New-AzVmss that uses the -ImageName parameter to define the custom VM
image created in the previous step.
References:
https://thesolving.com/server-room/when-and-how-to-use-sysprep/
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-use-custom-image-powershell
QUESTION 130
DRAG DROP
You have virtual machines (VMs) that run a mission-critical application.
You need to ensure that the VMs never experience down time.
What should you recommend? To answer, drag the appropriate solutions to the correct scenarios. Each
solution may be used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.
Select and Place:
Correct Answer:
Explanation
Box 1: Scale set
A virtual machine scale set allows you to deploy and manage a set of identical, autoscaling virtual
machines.
Box 2: Availability Set

An Availability Set is a logical grouping capability for isolating VM resources from each other when they're
deployed. Azure makes sure that the VMs you place within an Availability Set run across multiple physical
servers, compute racks, storage units, and network switches. If a hardware or software failure happens,
only a subset of your VMs are impacted and your overall solution stays operational. Availability Sets are
essential for building reliable cloud solutions.
Box 3: Fault domain

A fault domain is a logical group of underlying hardware that share a common power source and network
switch, similar to a rack within an on-premises datacenter. As you create VMs within an availability set, the
Azure platform automatically distributes your VMs across these fault domains. This approach limits the
impact of potential physical hardware failures, network outages, or power interruptions.
Incorrect Answers:
An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same
time.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-create-vmss
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets
QUESTION 131
HOTSPOT
Your company has an Azure Container Registry named Registry1.

You have an Azure virtual machine named Serverl that runs Windows Server 2019.
From Serverl, you create a container image named image1.
You need to add image1 to Registry1.
Which command should you run on Server1? To answer, select the appropriate options in the answer
area.
Hot Area:
Correct Answer:
Explanation
An Azure container registry stores and manages private Docker container images, similar to the way
Docker Hub stores public Docker images. You can use the Docker command-line interface (Docker CLI)
for login, push, pull, and other operations on your container registry.
Reference:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli
https://docs.docker.com/engine/reference/commandline/push/
QUESTION 132
You have an Azure web app named App1 that contains the following autoscale conditions. The default
auto created scale condition has a scale mode that has Scale to a specific instance count set to 2.
Scale condition 1 has the following configurations:
* Scale mode: Scale to a specific instance count

* Instance count 3
* Schedule: Specify start/end dates
* Start date: August 1. 2019.06:00
* End date: September 1.2019, 18:00
Scale condition 2 has the following configurations:
* Scale mode: Scale to a specific instance count

* Instance count 4
* Schedule: Repeat specific days
* Repeat every: Monday
* Start time: 06:00
* End time: 18:00
Scale condition 3 has the following configurations.
Hot Area:
Correct Answer:
Explanation
QUESTION 133
You have an Azure subscription that contains the Azure SQL servers shown in the following table.
The subscription contains the elastic pool shown in the following table.
The subscription contains the Azure SQL databases shown in the following table.
Hot Area:
Correct Answer:
Explanation
About CertBus.com
As a professional IT exam study guide provider, CertBus.com provides our
candidates with the most accurate and high quality IT exam training material.
Cisco Citrix CompTIA Check Point

EMC EXIN HP Juniper
LPI Nortel Oracle VMware
and so on, you can find all kinds of exam questions, study guides, practice tests here.
Our aim is to be your assistance on your way to be successful in your IT certifications.
We provide our customers with the 100% Pass Guaranteed or Full Refund.
We spare no efforts to help you to pass any IT Certification exams at the first try.
Do not hesitate to contact us if you need any help on the products, payments or
questions about IT exams.
You can reach us on:

https://www.certbus.com/contact-us.html
We will get in touch with you in 24 hours. You satisfactory is the recognition for us.
You could rely upon us anytime you need help. We are at your service.
Guarantee & Policy | Privacy & Policy | Terms & Conditions
Any charges made through this site will appear as Global Simulators Limited.
All trademarks are the property of their respective owners.
Copyright © CertBus.com, All Rights Reserved.

Az 300

Uploaded by

Copyright:

Available Formats

Az 300

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Az 300

Uploaded by

Copyright:

Available Formats

Get

Copyright © CertBus.com, All Rights Reserved.

YOUR NEXT PURCHASE

Congratulations! You can visit www.certbus.com and

Exam Code: AZ-300

Exam Name: Microsoft Azure Architect Technologies

Case Study: 1Label Maker app

Label Maker app

06 " ivtnhaae " ; "John"

“ discount _ appllc «tion

Which three actions should you perform in sequence?

Select and Place:

Build a new application image by using dockethle

Log in to the registry and push image. © ©

Restart the cluster

Create an alias of the image with the a new build number

Build a new application image by using dockerhle

Download the image to your local computer

Build a new application image by using msbuikl L

Case Study: 2Background

Em var events • JArray.Parse(events3son)j

EGAS var result • it (new HttpClient() .

What should you store in Azure Redis Cache?

NOTE: Each correct selection is worth one point.

NOTE: Each correct selection is worth one point.

Code segments Answer Area

Code segments Answer Area

A. an Application Insights trace

What should you create and configure?

A. an Azure Event Hub

NOTE: Each correct selection is worth one point.

From the Azure portal Create an ExpressRoute circuit only.

In the New York office: Deploy ExpressRoute.

From the Azure portal Create an ExpressRoute circuit only.

In the New York office: Deploy ExpressRoute.

Box 2: Configure a site-to-site VPN connection

Topic 4, Case Study: 4Overview

Name Type Azure Region

ER1 ExpressRoute circuit East US

What should you create?

A. a basic routing rule

Select and Place:

From VM1, deploy a virtual machine.

From an Azure portal, download the OVF

From VM1. resister the configuration

From VM1, comiect to the collector

Actions Answer Area

From an Azure portaL download the OVF

From VM1. deploy a virtual machine.

From VM1. register the configuration

From VM1. comiect to the collector

NOTE: Each correct selection is worth one point.

Select and Place:

Configurations Answer Area

Use BGF communities to configure Routing from A.Datum to Azure:

Use BGP to append the public AS

Configurations Answer Area

NOTE: Each correct selection is worth one point.

App Semce plan pricing tier v

Gf Otdef invoice! E3 Send my moe