Attempt 2
You plan to create 100 new users by using the Bulk create users operation in the Azure Active
Directory admin center.
You need to create a CSV file that contains the user information.
Which attributes should you specify in the CSV file for each user?
Your Answer
<code>displayName, userPrincipalName, passwordProfile,</code> and
<code>accountEnabled</code>
This answer is correct.
Correct Answer
<code>displayName, userPrincipalName, passwordProfile,</code> and
<code>accountEnabled</code>
This answer is correct.
When you use the Bulk create users operation, you must specify four things: the display name,
the UPN, the initial password, and whether the account is enabled or disabled. All other fields
are optional.
Bulk create users in the Azure Active Directory portal - Microsoft Entra | Microsoft Learn
Configure user and group accounts - Training | Microsoft Learn
Question 2 of 50
Your Azure AD tenant and on-premises Active Directory domain contain multiple users.
You need to configure self-service password reset (SSPR) password writeback functionality. The
solution must minimize costs and include the on-premises domain.
Which Azure AD edition should you use?
Your Answer
Azure AD Premium P1
This answer is correct.
Correct Answer
Azure AD Premium P1
This answer is correct.
Only Azure AD Premium P1 and P2 support SSPR, but Azure AD Premium P1 is the lower cost
option.
Enable Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Learn
What is self-service password reset in Azure Active Directory? - Training | Microsoft Learn
Question 3 of 50
You have the following resource groups, management groups, and Azure subscriptions:
Two resource groups named RG1 and RG2 that are associated with a subscription
named 111-222-333 and a management group named MG1
Two resource groups named RG3 and RG4 that are associated with a subscription
named 777-888-999 and a management group named MG1
Two resource groups named RG5 and RG6 that are associated with a subscription
named 444-555-666 and a management group named MG1
Two resource groups named RG10 and RG11 that are associated with a subscription
named 222-333-444 and a management group named MG2
Two resource groups named RG11 and RG12 that are associated with a subscription
named 555-666-888 and a management group named MG2
Which role should you assign to a user to ensure that the user can view all the resources in the
subscriptions?
Your Answer
the Contributor role for MG1 and MG2
This answer is incorrect.
Correct Answer
the Reader role for MG1 and MG2
This answer is correct.
Assigning the Reader role for MG1 and MG2 is correct because the simplest way to give a user
access to all resources is to assign a role at the management group level.
Steps to assign an Azure role - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 4 of 50
You have an Azure subscription.
An administrator manages access to resources at the resource group level. The assignment
process is automated by running the following PowerShell script nightly.
$rg = "RG1"
$RoleName = "CustomRole1"
$Role = Get-AzRoleDefinition -Name $RoleName
New-AzRoleAssignment -SignInName user1@contoso.com `
-RoleDefinitionName $Role.Name `
-ResourceGroupName $rg
User1 is unable to access the RG1 resource group. You discover that the script fails to complete
for new users.
You run Get-AzRoleDefinition | Format-Table -Property Name, Id and receive the following
information:
Name: Custom Role 1, ID: 111-222-333
Name: Owner, ID: 222-333-444
Name: Contributor, ID: 333-444-555
Name: Reader, ID: 666-777-888
What should you change in the script to ensure that the script does not fail in the future?
Your Answer
<code>$Role = Get-AzRoleAssignment -Name $RoleName </code>
This answer is incorrect.
Correct Answer
<code>$RoleName = "111-222-333" </code>
This answer is correct.
You should reference the role by its ID so that a change to the role name does not break the
script.
Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 5 of 50
You have an Azure subscription that contains several storage accounts.
You need to provide a user with the ability to perform the following tasks:
Manage containers within the storage accounts.
View account keys.
The solution must use the principle of least privilege.
Which role should you assign to the user?
Your Answer
Storage Blob Data Contributor
This answer is incorrect.
Correct Answer
Storage Account Contributor
This answer is correct.
Storage Account Contributor allows the management of storage accounts. It provides access to
the account key, which can be used to access data via Shared Key authorization. Storage Blob
Data Contributor grants permissions to read, write, and delete Azure Storage containers and
blobs. Reader allows you to view all resources but does not allow you to make any changes.
Owner grants full access to manage all resources, including the ability to assign roles in Azure
RBAC.
Azure built-in roles - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 6 of 50
You have an Azure subscription that contains an Azure AD tenant. The tenant contains a user
named User1.
You need to assign User1 a role that allows the user to create and manage all types of resources
in the subscription. The solution must prevent User1 from assigning roles to other users.
Which Azure role-based access control (RBAC) role should you assign to User1?
Your Answer
Contributor
This answer is correct.
Correct Answer
Contributor
This answer is correct.
Users with the Contributor role can create and manage all types of resources but cannot delegate
new access to other users. Users with the Reader role can view existing Azure resources but
cannot perform any action against them. Users with the API Management Service Contributor
role can only manage API Management services and APIs. The Owner role provides
full access to all resources, including the right to delegate access to others.
Azure built-in roles - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 7 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains a
virtual machine that runs daily reports.
You need to ensure that the virtual machine shuts down when resource group costs exceed 75
percent of the allocated budget.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
From Cost Management + Billing, modify the Budgets settings.
This answer is correct.
Create an action group of type Runbook, and then select <strong>Stop VM</strong> as
an action.
This answer is correct.
Correct Answer
From Cost Management + Billing, modify the Budgets settings.
This answer is correct.
Create an action group of type Runbook, and then select <strong>Stop VM</strong> as
an action.
This answer is correct.
You must go to Cost Management + Billing, and then Budgets to edit the budget associated with
the resource group resources. You must also create a new action group of the Runbook type, and
then choose Stop VM as an action. The cost analysis will not stop the virtual machine from
running and the Scale Up VM action group is not required.
Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft Learn
Configure subscriptions - Training | Microsoft Learn
Question 8 of 50
You have an Azure subscription that contains 150 virtual machines.
You plan to create an Azure Policy definition named Policy1 that has the resource provider mode
set to indexed.
You need to identify the tools used to perform the task.
Which two tools can you use? Each correct answer presents a complete solution.
Your Answer
Azure Cloud Shell
This answer is correct.
Azure Command-Line Interface (CLI)
This answer is correct.
Correct Answer
Azure Cloud Shell
This answer is correct.
Azure Command-Line Interface (CLI)
This answer is correct.
Based on the resource type, the supported values for the Resource Manager mode are all or
indexed. You must use either Azure CLI or Azure Cloud Shell to set this value in a policy
definition. Resource graphs let you query resources but not create policy definitions. The
Azure portal does not allow you to set a specific mode.
Configure Azure Policy - Training | Microsoft Learn
Details of the policy definition structure - Azure Policy | Microsoft Learn
Question 9 of 50
You have an Azure policy.
You plan to create an Azure Policy definition named Policy1.
You need to include remediation information to indicate when users use Microsoft Defender for
Cloud Regulatory and Compliance.
To which definition section should you add remediation information for Policy1?
Your Answer
policyRule
This answer is incorrect.
Correct Answer
metadata
This answer is correct.
You must use the RemediationDescription field in the metadata section from properties to
specify a custom recommendation. The remaining options are Azure policies, but do not allow
specific custom remediation information.
Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn
Configure Azure Policy - Training | Microsoft Learn
Question 10 of 50
You have an Azure AD tenant and several offices.
You need to assign permissions to the administrator of each office to manage the users in their
respective office.
What should you use to manage the permissions?
Your Answer
administrative units
This answer is correct.
Correct Answer
administrative units
This answer is correct.
You can create administrative units and assign administrators privileges over each unit. You
can have one unit for each office. Azure tags are name-value pairs that are used to organize
resources in the Azure portal. Azure identity management secures access to resources and
protects applications and data at the front gate. Azure Policy is a service that allows you to create
policies that enforce and control the properties of a resource.
Administrative units in Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure user and group accounts - Training | Microsoft Learn
Question 11 of 50
You need to create an Azure Storage account that meets the following requirements:
Stores data in multiple Azure regions
Supports reading the data from primary and secondary regions
Which type of storage redundancy should you use?
Your Answer
read-access geo-redundant storage (RA-GRS)
This answer is correct.
Correct Answer
read-access geo-redundant storage (RA-GRS)
This answer is correct.
Since you must ensure that data can be read from a secondary region, you must choose
read-access geo-redundant storage (RA-GRS).
Data redundancy - Azure Storage | Microsoft Learn
Determine replication strategies - Training | Microsoft Learn
Question 12 of 50
You have an Azure Storage account named corpimages and an on-premises shared folder
named \\server1\images.
You need to migrate all the contents from \\server1\images to corpimages.
Which two commands can you use? Each correct answer presents a complete solution.
Your Answer
<code>Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public --recursive</code>
This answer is correct.
<code>Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container "corpimages"</code>
This answer is correct.
Correct Answer
<code>Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public --recursive</code>
This answer is correct.
<code>Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container "corpimages"</code>
This answer is correct.
The AzCopy command allows you to copy all files to a storage account. You can also use
Get-ChildItem with the Path parameter and Recurse to select everything, and then use the
Set-AzureStorageBlobContent cmdlet.
Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
Set-AzureStorageBlobContent (Azure.Storage) | Microsoft Learn
Configure Azure Storage with tools - Training | Microsoft Learn
Question 13 of 50
You have an Azure subscription that contains the following StorageV2 (general purpose v2)
storage accounts:
store1 is a Premium account that uses geo-redundant storage (GRS) replication.
store2 is a Standard account that uses locally-redundant storage (LRS) replication.
store3 is a Premium account that uses read-access geo-redundant storage (RA-GRS) replication.
store4 is a Premium account that uses RA-GRS replication.
You need to identify which storage account can be converted to zone-redundant replication
(ZRS) for live migration.
Which storage account should you identify?
Your Answer
store1
This answer is incorrect.
Correct Answer
store2
This answer is correct.
Only zone-redundant replication (ZRS) supports StorageV2, FileStorage, and BlockBlobStorage
accounts. Live migration is not supported for read-access geo-redundant storage (RA-GRS) and
only standard storage accounts can be used.
Data redundancy - Azure Storage | Microsoft Learn
Determine replication strategies - Training | Microsoft Learn
Question 14 of 50
You plan to configure object replication between two Azure Storage accounts.
The Blob service of the source storage account has the following settings:
Hierarchical namespace: Disabled
Default access tier: Hot
Blob public access: Enabled
Blob soft delete: Enabled (7 days)
Container soft delete: Enabled (7 days)
Versioning: Disabled
Change feed: Enabled
NFS v3: Disabled
Allow cross-tenant replication: Enabled
Which setting should be modified on the source storage account to support object replication?
Your Answer
Hierarchical namespace
This answer is incorrect.
Correct Answer
Versioning
This answer is correct.
Versioning must be enabled for both the source and destination accounts. In this scenario,
versioning is currently disabled.
Object replication overview - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 15 of 50
You create an Azure Data Box Import/Export job from the Azure portal.
You package and ship a disk to an Azure datacenter.
You need to ensure that the data is imported into Azure.
What should you do next?
Your Answer
Update the job to include tracking information.
This answer is correct.
Correct Answer
Update the job to include tracking information.
This answer is correct.
The only task that is left to be done is to add tracking information to the job. All other tasks have
already been completed as part of creating the initial job.
The Import/Export service is a way to migrate data to Azure by shipping physical disks that
contain data to an Azure datacenter. When you create the job, you must create the journal first,
upload the journal, and then specify the storage account to which the journal will be uploaded.
Once you create the job, you must physically ship the disks to the Azure datacenter. After
creating the job, you have two weeks to update the job to include the tracking information from
the shipping carrier. If you do not fill in the tracking information, the job will be cancelled, and
the data will not be imported into Azure.
Tutorial to transfer data to Azure Files with Azure Import/Export | Microsoft Learn
Configure Azure Storage with tools - Training | Microsoft Learn
Question 16 of 50
You have an Azure subscription that contains multiple storage accounts.
A storage account named storage1 has a file share that stores marketing videos. Users reported
that 99 percent of the assigned storage is used.
You need to ensure that the file share can support large files and store up to 100 TiB.
Which two PowerShell commands should you run? Each correct answer presents part of the
solution.
Your Answer
<code>Set-AzStorageAccount -ResourceGroupName RG1 -Name Storage1 -EnableLargeFileShare</code>
This answer is correct.
<code>Update-AzRmStorageShare -ResourceGroupName RG1 -StorageAccountName Storage1 -Name Share1 -QuotaGiB 102400</code>
This answer is correct.
Correct Answer
<code>Set-AzStorageAccount -ResourceGroupName RG1 -Name Storage1 -EnableLargeFileShare</code>
This answer is correct.
<code>Update-AzRmStorageShare -ResourceGroupName RG1 -StorageAccountName Storage1 -Name Share1 -QuotaGiB 102400</code>
This answer is correct.
You must enable the storage account to support large files and update the storage account quota
to 102,400 GB. You do not need to change the type of storage account, and you are updating the
existing share.
Object replication overview - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 17 of 50
You have an Azure Storage account that contains a file share.
Several users work from a secure location that limits outbound traffic to the internet.
You need to ensure that the users at the secure location can access the file share in Azure.
Which outbound port should you allow from the secure location?
Your Answer
80
This answer is incorrect.
Correct Answer
445
This answer is correct.
For accessing the file share, port 445 must be open. Port 5671 is used to send health information
to Azure AD. It is recommended, but not required, in the latest versions. Port 80 is used to
download certificate revocation lists (CRLs) to verify TLS/SSL certificates. Port 443 is used to
sync with Azure AD.
Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft Learn
Configure Azure Storage security - Training | Microsoft Learn
Question 18 of 50
You have an Azure Storage account named storage1.
You plan to store long-term backups in storage1. The solution must minimize costs.
Which storage tier should you use for the backups?
Your Answer
Archive
This answer is correct.
Correct Answer
Archive
This answer is correct.
Archive is an offline tier that is optimized for storing data that is rarely accessed and has flexible
latency requirements. Data in the Archive tier must be stored for a minimum of 180 days.
Hot, cool, and archive access tiers for blob data - Azure Storage | Microsoft Learn
Assign blob access tiers - Training | Microsoft Learn
Question 19 of 50
You have an Azure subscription.
You plan to create a storage account named storage1 to store images.
You need to replicate the images to a new storage account.
What are three requirements of storage1? Each correct answer presents part of a complete
solution.
Your Answer
blob versioning
This answer is correct.
a container
This answer is correct.
standard general-purpose v2
This answer is correct.
Correct Answer
blob versioning
This answer is correct.
a container
This answer is correct.
standard general-purpose v2
This answer is correct.
Versioning must be enabled for the source and target. An object type container is needed to
replicate the images. You must create a StandardV2 storage account. File shares are not needed,
and queues are unsupported for replication.
Object replication overview - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 20 of 50
You have an Azure subscription that contains a resource group named RG1.
You have an Azure Resource Manager (ARM) template for an Azure virtual machine.
You need to use PowerShell to provision a virtual machine in RG1 by using the template.
Which PowerShell cmdlet should you run?
Your Answer
<code>New-AzResourceGroupDeployment </code>
This answer is correct.
Correct Answer
<code>New-AzResourceGroupDeployment </code>
This answer is correct.
Virtual machines are deployed to resource groups, so you must run the
New-AzResourceGroupDeployment cmdlet. You cannot deploy virtual machines to subscriptions or
management groups directly; therefore, New-AzManagementGroupDeployment and
New-AzSubscriptionDeployment cannot be used. New-AzVM can be used to provision a new virtual
machine, but without using a template.
Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
Question 21 of 50
You have an Azure Resource Manager (ARM) template named deploy.json that is stored in an
Azure Blob storage container.
You plan to deploy the template by running the New-AzDeployment cmdlet.
Which parameter should you use to reference the template?
Your Answer
<code>-Templatefile </code>
This answer is incorrect.
Correct Answer
<code>-TemplateUri </code>
This answer is correct.
The PowerShell deployment cmdlets can be used to deploy JSON templates that are stored
locally, in a resource group as a template spec, or at a web-based location. You can use the
-TemplateUri parameter to specify a web-based location, such as GitHub or an Azure Blob
Storage account. You can use -Templatefile to specify a local file. You can use
-TemplateSpecId to specify a template that was saved to Azure as a template spec.
Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
Question 22 of 50
You plan to deploy an Azure virtual machine based on a basic template stored in the Azure
Resource Manager (ARM) library.
What can you configure during the deployment of the template?
Your Answer
the resource group
This answer is correct.
Correct Answer
the resource group
This answer is correct.
When you deploy a resource by using a template, you can specify the resource group for the
deployment. The resource group is a container for Azure resources and makes it easier to manage
the resources.
Deploy template - Azure portal - Azure Resource Manager | Microsoft Learn
New-AzResourceGroupDeployment (Az.Resources) | Microsoft Learn
Configure resources with Azure Resource Manager templates - Training | Microsoft Learn
Question 23 of 50
You have an Azure virtual network that contains two subnets named Subnet1 and Subnet2. You
have a virtual machine named VM1 that is connected to Subnet1. VM1 runs Windows Server.
You need to ensure that VM1 is connected directly to both subnets.
What should you do first?
Your Answer
From the Azure portal, create an IP group.
This answer is incorrect.
Correct Answer
From the Azure portal, add a network interface.
This answer is correct.
A network interface is used to connect a virtual machine to a subnet. Since VM1 is connected to
Subnet1, VM1 already has a network interface attached that is connected to Subnet1. To connect
VM1 directly to Subnet2, you must create a new network interface that is connected to Subnet2.
Next, you must attach the new network interface to VM1.
An IP group is a user-defined collection of static IP addresses, ranges, and subnets. A network
bridge allows you to connect multiple existing network connections in Windows together.
Changing the IP configurations of the existing network interface results in VM1 being connected
to Subnet2 but not to Subnet1.
Virtual networks and virtual machines in Azure | Microsoft Learn
Configure virtual networks - Training | Microsoft Learn
Question 24 of 50
You are deploying a virtual machine by using an availability set in the East US Azure region.
You have deployed 18 virtual machines in two fault domains and 10 update domains.
Microsoft performed planned physical hardware maintenance in the East US region.
What is the maximum number of virtual machines that will be unavailable?
Your Answer
2
This answer is correct.
Correct Answer
2
This answer is correct.
18 virtual machines are shared across 10 update domains. The first 10 virtual machines go to 10
update domains, so eight update domains will have two virtual machines. When there is physical
hardware maintenance, some virtual machines will be unavailable based on their configuration.
If there was a rack failure, then 18 virtual machines will be distributed to two fault domains with
nine virtual machines each.
Availability sets overview - Azure Virtual Machines | Microsoft Learn
Configure virtual machine availability - Training | Microsoft Learn
Question 25 of 50
You plan to deploy an Azure virtual machine.
You are evaluating whether to use an Azure Spot instance.
Which two factors can cause an Azure Spot instance to be evicted? Each correct answer presents
a complete solution.
Your Answer
the Azure capacity needs
This answer is correct.
the current price of the instance
This answer is correct.
Correct Answer
the Azure capacity needs
This answer is correct.
the current price of the instance
This answer is correct.
Azure Spot instances allow you to provision virtual machines at a reduced cost, but these virtual
machines can be stopped by Azure when Azure needs the capacity for other pay-as-you-go
workloads, or when the price of the spot instance exceeds the maximum price that you have set.
These virtual machines are good for dev, testing, or for workloads that do not require any
specific SLA.
Use Azure Spot Virtual Machines - Azure Virtual Machines | Microsoft Learn
Configure virtual machine availability - Training | Microsoft Learn
Question 26 of 50
Your development team plans to deploy an Azure container instance. The container needs a
persistent storage layer.
Which service should you use?
Your Answer
Azure Files
This answer is correct.
Correct Answer
Azure Files
This answer is correct.
You can persist data for Azure Container Instances with the use of Azure Files. Azure Files
offers fully managed file shares hosted in Azure Storage that are accessible via the industry
standard Server Message Block (SMB) protocol.
Mount Azure Files volume to container group - Azure Container Instances | Microsoft Learn
Explore Azure Storage services - Training | Microsoft Learn
Question 27 of 50
You have an Azure subscription that contains a Docker container named container1.
You create a new Azure web app named WebApp1.
You need to ensure that you can use container1 for WebApp1.
Which WebApp1 setting should you configure?
Your Answer
Publish
This answer is correct.
Correct Answer
Publish
This answer is correct.
If you want to run a Docker container as an Azure web service, you must configure the Publish
option and select Docker container.
Runtime stack specifies the stack that you want to use for the web app. If you want to deploy a
Docker container as web app, the runtime stack option is unavailable.
Pricing plan specifies the location, features, and costs of the web app.
Continuous deployment is a strategy for software releases. This option is unavailable when you
publish a Docker container as an Azure web app.
Overview - Azure App Service | Microsoft Learn
Configure Azure Container Instances - Training | Microsoft Learn
Question 28 of 50
You have an Azure subscription that contains an Azure container app named cont1.
You plan to add scaling rules to cont1.
You need to ensure that cont1 replicas are created based on received messages in Azure Service
Bus.
Which scale trigger should you use?
Your Answer
event-driven
This answer is correct.
Correct Answer
event-driven
This answer is correct.
Azure Container Apps allows a set of triggers to create new instances, called replicas. For Azure
Service Bus, an event-driven trigger can be used to run the escalation method. The remaining
scale triggers cannot use a scale rule based on messages in an Azure service bus.
Scaling in Azure Container Apps | Microsoft Learn
Configure Azure Container Instances - Training | Microsoft Learn
Question 29 of 50
You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named
AKS1. The autoscaling feature is enabled.
You need to configure the minimum and maximum node counts for AKS1.
Which cmdlet should you run?
Your Answer
<code>Set-AzAksCluster</code>
This answer is correct.
Correct Answer
<code>Set-AzAksCluster</code>
This answer is correct.
Set-AzAksCluster: Configures minimum and maximum node values for AKS autoscaling
Start-AzAksCluster: Starts a stopped managed cluster
Update-AzAksNodePool: Updates a node pool in a managed cluster
Set-AzAksClusterCredential: Resets the service principal of an existing AKS cluster
Use the cluster autoscaler in Azure Kubernetes Service (AKS) - Azure Kubernetes Service |
Microsoft Learn
Set-AzAksCluster (Az.Aks) | Microsoft Learn
Configure Azure Kubernetes Service - Training | Microsoft Learn
Question 30 of 50
You have a Basic Azure App Service plan that contains a web app.
You need to ensure that the web app can scale automatically when the CPU percentage goes
beyond 80 percent for a duration of 15 minutes.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Scale up the App Service plan.
This answer is correct.
Configure a scaling condition to scale based on a metric, and then add the rules.
This answer is correct.
Correct Answer
Scale up the App Service plan.
This answer is correct.
Configure a scaling condition to scale based on a metric, and then add the rules.
This answer is correct.
Scale up the web app by adding more CPU, memory, and disk space to fulfill the requirement.
Increase the number of virtual machine instances that run the app. The scale settings take only
seconds to apply and affect all the apps in the App Service plan. Then, you must set up a scaling
condition with the required metrics to scale up/down and scale out/in when certain thresholds are
met.
Scale up features and capacities - Azure App Service | Microsoft Learn
Configure Azure App Service - Training | Microsoft Learn
Question 31 of 50
You need to create an Azure App Service web app that runs on Windows. The web app requires
scaling to five instances, 45 GB of storage, and a custom domain name. The solution must
minimize costs.
Which App Service plan should you use?
Your Answer
Free
This answer is incorrect.
Correct Answer
Standard
This answer is correct.
The Standard service plan can host unlimited web apps, up to 50 GB of disk space, and up to 10
instances. The plan will cost approximately $0.10/hour. The Free plan only offers 1 GB of disk
size and 0 instances to host the app. The Premium plan offers 250 GB of disk space and up to 30
instances and will cost approximately $0.20/hour. The Basic plan offers 10 GB of disk space and
up to three virtual machines.
App Service Pricing | Microsoft Azure
Configure Azure App Service plans - Training | Microsoft Learn
Question 32 of 50
You have an Azure virtual network named VNet1.
You create an Azure Private DNS zone named contoso.com.
You need to ensure that the virtual machines on VNet1 register in the contoso.com private DNS
zone.
What should you do?
Your Answer
Configure each virtual machine to use a custom DNS server.
This answer is incorrect.
Correct Answer
Add a virtual network link to contoso.com.
This answer is correct.
To associate a virtual network to a private DNS zone, you add the virtual network to the zone by
creating a virtual network link.
Azure DNS Private Resolver is used to proxy DNS queries between on-premises environments
and Azure DNS.
A custom DNS server will work if you deploy a DNS server as a virtual machine or an
appliance, however, this configuration does not work with a private DNS zone.
Quickstart - Create an Azure private DNS zone using the Azure portal | Microsoft Learn
Configure Azure DNS - Training | Microsoft Learn
Question 33 of 50
You have an Azure subscription that contains the following virtual networks:
VNet1 has an IP address range of 192.168.0.0/24.
VNet2 has an IP address range of 10.10.0.0/24.
VNet3 has an IP address range of 192.168.0.0/16.
You need to configure virtual network peering.
Which two peerings can you create? Each correct answer presents a complete solution.
Your Answer
VNet1 can be peered with VNet3.
This answer is incorrect.
VNet3 can be peered with VNet1.
This answer is incorrect.
Correct Answer
VNet1 can be peered with VNet2.
This answer is correct.
VNet2 can be peered with VNet3.
This answer is correct.
VNet1 and VNet2 have non-overlapping IP addresses. For virtual network peering, both virtual
networks must have non-overlapping IP addresses.
Azure Virtual Network peering | Microsoft Learn
Configure virtual network peering - Training | Microsoft Learn
Question 34 of 50
You have two Azure subscriptions named Sub1 and Sub2.
Sub1 contains a virtual network named VNet1 and a VPN gateway. Sub2 contains a virtual
network named VNet2.
You have an on-premises device named Device1 that runs Windows and has a Point-to-Site
(P2S) VPN client installed.
You configure network peering between VNet1 and VNet2.
You need to ensure that Device1 can access VNet2 when a VPN connection is established.
What should you do?
Your Answer
Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Correct Answer
Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Point-to-Site (P2S) VPN clients must be downloaded and reinstalled again after virtual network
peering is successfully configured to ensure that the new routes are downloaded to the client.
A private endpoint and Azure Front Door are neither required nor used to access VNet2
from VNet1.
Device1 already has a digital certificate when you install the P2S VPN client, so you do not need
to create a new certificate manually.
Create, change, or delete an Azure virtual network peering | Microsoft Learn
Configure virtual network peering - Training | Microsoft Learn
Question 35 of 50
You have an Azure subscription that contains a network security group (NSG) named NSG1.
You plan to configure NSG1 to allow the following types of traffic:
Remote Desktop Management
Secured HTTPS
Which two ports should you allow in NSG1? Each correct answer presents part of the solution.
Your Answer
443
This answer is correct.
3389
This answer is correct.
Correct Answer
443
This answer is correct.
3389
This answer is correct.
You must open port 443 for secured HTTPS traffic, port 3389 for Remote Desktop, and 587 to
send outbound email by using authenticated SMTP relay. Port 80 is used for unsecured traffic.
Port 25 is used by mail traffic.
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 36 of 50
You have a virtual machine named VM1 that is assigned to a network security group (NSG)
named NSG1.
NSG1 has the following outbound security rules:
Rule1:
Priority: 900
Name: BlockInternet
Port: 80
Protocol: TCP
Source: Any
Destination: Any
Action: Block
Rule2:
Priority: 1000
Name: AllowInternet
Port: 80
Protocol: TCP
Source: Any
Destination: Any
Action: Allow
You need to ensure that internet access to VM1 on port 80 is allowed.
What should you do?
Your Answer
Change the priority of Rule2.
This answer is correct.
Correct Answer
Change the priority of Rule2.
This answer is correct.
Rule1 has a higher priority, so the action will be blocked. You can increase the priority of Rule2,
decrease the priority of Rule1, or change the action of Rule1 to achieve the goal.
Azure network security groups overview | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 37 of 50
You create several Azure virtual machines that run Windows Server.
You need to connect to the virtual machines without exposing RDP ports over the internet.
Which Azure service should you deploy?
Your Answer
Azure Network Watcher
This answer is incorrect.
Correct Answer
Azure Bastion
This answer is correct.
Azure Bastion is a service that lets you connect to a virtual machine by using a browser, without
exposing RDP and SSH ports. Azure Monitor helps you maximize the availability and
performance of applications and services. Azure Network Watcher provides tools to monitor,
diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.
Remote Desktop is a feature of the operating system, which exposes the RDP port to connect to a
server from the internet.
About Azure Bastion | Microsoft Learn
Configure virtual networks - Training | Microsoft Learn
Question 38 of 50
Your company plans to migrate servers from on-premises to Azure. There will be dev, test, and
production virtual machines on a single virtual network.
You need to restrict traffic between the dev, test, and production virtual machines to specific
ports.
What should you use?
Your Answer
a network security group (NSG)
This answer is correct.
Correct Answer
a network security group (NSG)
This answer is correct.
You must configure network security group (NSG) rules to allow TCP or ICMP traffic for specific
ports. Azure Firewall is a managed service that protects your Azure services across multiple
virtual networks. Load balancers are used to distribute incoming traffic to available backend
servers. Azure VPN is used to establish a connection between on-premises and Azure.
Azure network security groups overview | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 39 of 50
You have an Azure subscription that contains an ASP.NET application. The application is hosted
on four Azure virtual machines that run Windows Server 2022.
You have a load balancer named LB1 that load balances requests to the virtual machines.
You need to ensure that site users connect to the same web server for all requests made to the
application.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Set Session persistence to <strong>Client IP</strong>.
This answer is correct.
Set Session persistence to <strong>Protocol</strong>.
This answer is correct.
Correct Answer
Set Session persistence to <strong>Client IP</strong>.
This answer is correct.
Set Session persistence to <strong>Protocol</strong>.
This answer is correct.
By setting Session persistence to Client IP and Protocol, you ensure that site users connect to the
same web server for all requests made to the application. Setting Session persistence to None
disables sticky sessions, and an inbound NAT rule is used to forward traffic from a load balancer
frontend to a backend pool.
Azure Load Balancer distribution modes | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 40 of 50
You deploy web servers to two virtual machines named VM1 and VM2 in an availability set
named AVSet1.
You need to configure Azure Load Balancer with a backend system of VM1 and VM2. The
solution must minimize costs.
Which SKU should you use for the Azure Load Balancer configuration?
Your Answer
Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Correct Answer
Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Basic Azure Load Balancer supports deployment in a single availability zone. Basic Azure Load
Balancer supports only Basic SKU public IP. Azure Standard Load Balancer is zone-redundant,
but has a higher cost.
Azure Load Balancer SKUs | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 41 of 50
You migrate a web app from on-premises to Azure. The web app was configured by using load
balancing in Azure.
Users experience issues when accessing the web app. You suspect an issue with the web server
and must check whether the server is listening on port 80.
Which command should you run?
Your Answer
<code>Test-NetConnection localhost </code>
This answer is incorrect.
Correct Answer
<code>netstat -an </code>
This answer is correct.
Using netstat -an will list the ports that the server is listening on. Test-NetConnection will
perform a ping/ICMP test. Nbtstat -c checks the NBT cache. Get-AzVirtualNetwork gets the
virtual networks in a resource group.
Troubleshoot Azure Load Balancer | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 42 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains two
virtual machines named VM1 and VM2.
You need to inspect all the network traffic from VM1 to VM2. The solution must use Azure
Monitor metrics.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Use packet capture.
This answer is correct.
Install AzureNetworkWatcherExtension.
This answer is correct.
Correct Answer
Use packet capture.
This answer is correct.
Install AzureNetworkWatcherExtension.
This answer is correct.
Azure Network Watcher variable packet capture allows you to create packet capture sessions to
track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies
both reactively and proactively.
Tutorial: Monitor network communication between two virtual machines using the Azure portal |
Microsoft Learn
Introduction to Packet capture in Azure Network Watcher | Microsoft Learn
Configure Network Watcher - Training | Microsoft Learn
Question 43 of 50
You have an Azure subscription that contains virtual machines, virtual networks, application
gateways, and load balancers.
You need to monitor the network health of the resources.
Which Azure service should you use?
Your Answer
Azure Network Watcher
This answer is correct.
Correct Answer
Azure Network Watcher
This answer is correct.
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable
logs for resources on an Azure virtual network. Azure Resource Manager is the deployment and
management service for Azure. Network security groups (NSGs) are used only for security, not
monitoring. Azure Monitor is used for the HTTP Data Collector API to send log data to Log
Analytics.
Azure Network Watcher | Microsoft Learn
Configure Network Watcher - Training | Microsoft Learn
Question 44 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 has a virtual
network named VNet3, a virtual machine named VM1, and a public IP address named PubIP1.
All the resources are in the West US Azure region.
You plan to create and configure a network security group (NSG) named NSG1 for the following
types of traffic:
Remote Desktop Management
HTTP
NSG1 will be used on the subnets of multiple virtual networks.
Which two cmdlets should you run? Each correct answer presents part of the solution.
Your Answer
<code>New-AzNetworkSecurityRuleConfig </code>
This answer is correct.
<code>New-AzNetworkSecurityGroup </code>
This answer is correct.
Correct Answer
<code>New-AzNetworkSecurityRuleConfig </code>
This answer is correct.
<code>New-AzNetworkSecurityGroup </code>
This answer is correct.
New-AzNetworkSecurityRuleConfig allows you to create a rule and provide the type, protocol,
direction, and port number. New-AzNetworkSecurityGroup creates a network security group
(NSG). -SecurityRules specifies a list of network security rule objects to create in an NSG.
New-AzNetworkSecurityRuleConfig (Az.Network) | Microsoft Learn
New-AzNetworkSecurityGroup (Az.Network) | Microsoft Learn
Azure network security groups overview | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 45 of 50
You need to create Azure alerts based on metric values and activity log events.
The solution must meet the following requirements:
Set a limit on how many times an alert notification is sent.
Call an Azure function when an alert is triggered.
Configure the alert to have a severity of warning when triggered.
Which two resources should you create? Each correct answer presents part of the solution.
Your Answer
a notification
This answer is incorrect.
an alert rule
This answer is correct.
Correct Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
You must create an action group to set up an action and create an alert rule to set the severity of
the errors. A notification is only used to send email and you do not need to call a webhook.
Manage action groups in the Azure portal - Azure Monitor | Microsoft Learn
Configure Azure alerts - Training | Microsoft Learn
Question 46 of 50
You have an Azure virtual machine that runs Linux. The virtual machine hosts a custom
application that outputs log data in the JSON format.
You need to recommend a solution to collect the logs in Azure Monitor.
What should you include in the recommendation?
Your Answer
the Azure VMAccess extension
This answer is incorrect.
Correct Answer
the Log Analytics agent for Linux
This answer is correct.
You can use the Log Analytics agent for Linux as part of a solution to collect JSON output from
the Linux virtual machines.
The Azure Custom Script Extension is used for post-deployment configuration, software
installation, or any other configuration or management task.
Desired State Configuration (DSC) is a management platform that you can use to manage an IT
and development infrastructure with configuration as code.
The Azure VMAccess extension acts as a KVM switch that allows you to access the console to
reset access to Linux or perform disk-level maintenance.
Collecting custom JSON data sources with the Log Analytics agent for Linux in Azure Monitor -
Azure Monitor | Microsoft Learn
Configure Azure Monitor - Training | Microsoft Learn
Question 47 of 50
You have multiple Azure virtual machines. Recovery Services is configured with the default
backup policy to periodically back up the virtual machines.
What is the retention period of virtual machine backups in the default backup policy?
Your Answer
30 days
This answer is correct.
Correct Answer
30 days
This answer is correct.
By default, backups of virtual machines are kept for 30 days.
Back up an Azure VM from the VM settings - Azure Backup | Microsoft Learn
Configure virtual machine backups - Training | Microsoft Learn
Question 48 of 50
You have an Azure virtual machine named Server1 that runs Windows Server.
You need to configure Azure Backup to back up files and folders.
What should you install on Server1?
Your Answer
the Microsoft Azure Recovery Services (MARS) agent
This answer is correct.
Correct Answer
the Microsoft Azure Recovery Services (MARS) agent
This answer is correct.
The Microsoft Azure Recovery Services (MARS) agent must be installed on the servers. The
MARS agent is mandatory to perform backup and recovery services for any servers.
Manage the Azure recovery services agent - Training | Microsoft Learn
Question 49 of 50
You have an Azure virtual machine that you back up by using Azure Backup.
The backup policy sub type is Standard, and the backup policy has the following configurations:
Backup schedule frequency: Weekly
Retain instant recovery snapshot(s) for: 5 days
Retention of weekly backup point: On Sunday at 8:00 AM for 12 weeks
You plan to reduce the amount of storage used by Instant Restore.
You need the instant recovery snapshots to be retained for only two days.
What should you do first?
Your Answer
Change Policy sub type to <strong>Enhanced</strong>
This answer is incorrect.
Correct Answer
Change the backup schedule frequency to <strong>Daily</strong>.
This answer is correct.
You can choose to store between one and five instant recovery snapshots and the default value is
two. However, when the backup schedule frequency is weekly, you must retain five instant
recovery snapshots.
Azure Instant Restore Capability - Azure Backup | Microsoft Learn
Configure file and folder backups - Training | Microsoft Learn
Question 50 of 50
You plan to create an alert in Azure Monitor that will have an action group to send SMS
messages.
What is the maximum number of SMS messages that will be sent every hour if the alert gets
triggered every minute?
Your Answer
12
This answer is correct.
Correct Answer
12
This answer is correct.
A maximum of one SMS message can be sent every five minutes. Therefore, a maximum of 12
messages will be sent per hour.
Rate limiting for SMS, emails, push notifications - Azure Monitor | Microsoft Learn
Configure Azure alerts - Training | Microsoft Learn