Practicing AZ-100: Microsoft Azure Infrastructure and Deployment

NO.1 You have an Azure subscription named Sub1. Sub1 contains two resource groups named RG1 and RG2. You need to ensure that Global Administrators can manage all resources contained in RG1 and RG2. Solution: From the Azure Active Directory Properties blade, you enable Access management for Azure resources. Does this solution meet the goal?
(A) No
(B) Yes
Answer : B
NO.2 You have an Azure subscription named Sub1. Sub1 contains two resource groups named RG1 and RG2. You need to ensure that Global Administrators can manage all resources contained in RG1 and RG2. Solution: From the subscription's Access control (IAM) blade, you click Add role assignment. Does this solution meet the goal?
(A) No
(B) Yes
Answer : A
NO.3 You have an Azure subscription named Sub1. Sub1 contains two resource groups named RG1 and RG2. You need to ensure that Global Administrators can manage all resources contained in RG1 and RG2. Solution: From the Azure Active Directory Roles and administrators blade, you modify the Global administrator role properties. Does this solution meet the goal?
(A) No
(B) Yes
Answer : A
NO.4 You create a Windows Server virtual machine (VM) in an Azure resource group named iaas-rg. You plan to generalize the operating system and capture a system for use in future deployments. You need to ensure that other administrators make no changes to the virtual machine configuration until you complete the image capture process. You need to enact your solution as quickly as possible. What should you do?
(A) Set a Read only lock at the resource group level.
(B) Set a Delete lock at the VM level.
(C) Edit the RBAC permissions at the resource group level.
(D) Edit the RBAC permissions at the VM level.
Answer : A
NO.5 You manage a Windows Server virtual machine (VM) in Azure named prod-vm1. The VM uses managed disk storage, runs Windows Server 2012 R2, and resides in a resource group named prod-west-rg located in the West US region. You need to move prod-vm1 to a resource group named prod-east located in the East US region. What should you do?
(A) Back up prod-vm1 and restore the VM to the prod-east-rg resource group. Delete the original VM instance.
(B) Author an Azure Resource Manager (ARM) template that moves prod-vm1 to the prod-east-rg resource group.
(C) Move prod-vm1 to the prod-east-rg resource group by using the Move-AzureRmResource PowerShell cmdlet.
(D) Use azcopy to copy prod-vm1 to the prod-east-rg resource group.
Answer : A
NO.6 You deploy an application in a resource group named App-RG01 in your Azure subscription. App-RG01 contains the following components:
* Two App Services, each with an SSL certificate
* A peered virtual network (VNet)
* Redis cache deployed in the VNet
* Standard Load Balancer
You need to move all resources in App-RG01 to a new resource group named App-RG02. Choose all that apply:
(A) You need to delete the SSL certificate from each App Service before moving it to the new resource group.
(B) You can move the Load Balancer only within the same subscription.
(C) You need to disable the peer before moving the VNet.
(D) You can move the VNet only within the same subscription.
Answer : A;C;D
NO.7 You deploy a Storage Account named store01 in your Azure subscription. You grant the contributor role to some users in store01. The users work on an application that will use the storage account for storing some information. The users report that they are not able to list the storage account keys for connecting their application to the storage account. You need to identify the root cause of the issue. What is the most probable cause?
(A) You need to grant the users the owner role.
(B) You configured a ReadOnly lock.
(C) You configured a CanNotDelete lock.
(D) You need to grant the users the Storage Account Key Operator Service role.
Answer : B
NO.8 You are the owner of your organization's Microsoft Azure subscription. You hire a new administrator to help you manage a virtual network that contains nine Windows Server virtual machines (VMs). The deployment is contained in a resource group named prod-rg. You need to provide the administrator with least-privilege access only to the prod-rg resource group. The administrator should be allowed to manage all aspects of the Azure VMs. Your solution should minimize management effort. What should you do?
(A) Assign the Allowed virtual machine SKUs Azure Policy at the resource group scope.
(B) Assign a custom Azure Policy at the management group scope.
(C) Assign the administrator to the Contributor role at the resource group scope.
(D) Assign the administrator to the Virtual Machine Operator role at the virtual machine scope.
Answer : C
NO.9 You determine that business units have Azure resources spread across different Azure resource groups. You need to make sure that resources are assigned to their proper cost centers. What should you do?
(A) Create taxonomic tags and assign them at the resource level.
(B) Create taxonomic tags and assign them at the resource group level.
(C) Deploy the Enforce tag and its value on resource groups Azure Policy.
(D) Deploy the Enforce tag and its value Azure Policy.
Answer : A
NO.10 You are the cloud operations lead for your company's Microsoft Azure subscription. Your team consists of eight administrators who co-manage all Azure-deployed resources. The corporate governance team mandates that all future Azure resources be deployed only within certain regions. You need to meet the compliance requirement. Which Azure feature should you use?
(A) Taxonomic tags
(B) Activity Log Analytics
(C) Role-Based Access Control (RBAC)
(D) Azure Policy
Answer : D
NO.11 You use taxonomic tags to logically organize resources and to make billing reporting easier. You use Azure PowerShell to append an additional tag on a storage account named corpstorage99. The code is as follows:
    $r = Get-AzureRmResource -ResourceName "corpstorage99" -ResourceGroupName "prod-rg"
    Set-AzureRmResource -Tag @{Dept="IT"} -ResourceId $r.ResourceId -Force
The code returns unexpected results. You need to append the additional tag as quickly as possible. What should you do?
(A) Refactor the code by using the Azure Command-Line Interface (CLI).
(B) Call the Add() method on the resource to append the new tag.
(C) Deploy the tag by using an Azure Resource Manager template.
(D) Assign the Enforce tag and its value Azure Policy to the resource group.
Answer : B
NO.12 Your company has an Azure Subscription with several resources deployed. The subscription is managed by a Cloud Service Provider. The accounting department is currently granted the billing reader role, so they are able to see cost-related information. They need to get a better understanding of the costs so they can assign them to the correct cost center. You need to provide cost center information. Your solution should minimize the administrative effort. What two actions should you perform? Each correct answer presents part of the solution.
(A) Create a tag named CostCenter and assign it to each resource.
(B) Instruct the accounting department to use the Cost Analysis blade in the subscription panel.
(C) Instruct the accounting department to use the Azure Account Center.
(D) Create a tag named CostCenter and assign it to each resource group.
Answer : A;D
NO.13 Your company requires all resources deployed in Azure to be assigned to a cost center. You use a tag named CostCenter to assign each resource to the correct cost center. This tag has a set of valid values assigned. Some of the resources deployed in your subscription already have a value assigned to the CostCenter tag. You decide to deploy a subscription policy to verify that all resources in the subscription have a valid value assigned. Choose all that apply:
(A) The Deny effect is not evaluated first.
(B) The Append effect modifies the value of an existing field in a resource.
(C) The Audit effect will create a warning event in the activity log for non-compliant resources.
(D) The DeployIfNotExists effect is only evaluated if the request executed by the Resource Provider returns a success status code.
Answer : A;C;D
NO.14 You are the lead architect for your company's Microsoft Azure infrastructure. To maintain corporate compliance certifications, you need to ensure that any virtual machines (VMs) are created only in approved Azure regions. What should you do?
(A) Create an Azure management group.
(B) Enforce conditional access policy in Azure Active Directory (Azure AD).
(C) Define and deploy a custom Azure Policy template.
(D) Define and deploy an Azure Automation Desired State Configuration (DSC) configuration.
Answer : C
NO.15 Your company is developing a line-of-business (LOB) application that uses the Azure IoT Hub for gathering information from Internet of things (IoT) devices. The LOB application uses the IoT Hub Service SDK to read device telemetry from the IoT Hub. You need to monitor device telemetry and be able to configure alerts based on device telemetry values. Your solution should require the least administrative effort. What should you do?
(A) Enable Azure Monitor resource diagnostics logs on the IoT Hub.
(B) Use Azure Resource Health.
(C) Use Azure Activity Logs.
(D) Use Azure Application Insights with the LOB application.
Answer : A
NO.16 Your company has a line-of-business (LOB) application that uses Azure SQL Database for storing transactional information. Your company also has deployed System Center Service Manager. You need to configure an alert when the database reaches 70% of CPU usage. When this alert is raised, you need to notify several users by email and by SMS. You also need to automatically create a ticket in the ITSM system. Your solution should require the minimum administrative effort. Which two actions should you perform? Each correct answer presents part of the solution.
(A) Configure one Action Group with three actions: one for email notification, one for SMS notification, and one for ITSM ticket creation.
(B) Configure System Center Service Manager with Azure Automation.
(C) Configure two Action Groups: one Action Group for email and SMS notification and one for ITSM ticket creation.
(D) Configure an IT Service Management Connector (ITSMC).
Answer : A;D
NO.17 Your company has an Azure subscription that hosts all services that the company uses in production. The Finance department notices that the bills related to Azure are increasing. The company wants to keep the costs of this Azure subscription under control. After reviewing the cost analysis reports, you realize that there are several virtual machines that are consuming more resources than expected. You need to inform management when the spend for these resources is unusual. What should you do?
(A) Configure the PowerBI content pack for Azure Enterprise.
(B) Configure a billing alert in the subscription page of the account portal.
(C) Use the costs-by-service blade in the cost analysis section of the subscription.
(D) Configure a report schedule in the Cost Management portal.
Answer : D
NO.18 Your company has a line-of-business (LOB) application that uses Azure SQL Database for storing transactional information. The LOB application also uses Windows and Linux virtual machines for business and presentation application layers. Some users are reporting errors in the application. You need to be alerted every time that an exception arises in any part of the application. Your solution should require the minimal administrative effort. Which two actions should you perform? Each correct answer presents part of the solution.
(A) Create an alert using a search query that looks for exceptions in Windows servers.
(B) Create an alert using a search query that looks for exceptions in business and presentation layer virtual machines.
(C) Create an alert using a search query that looks for exceptions in application layer servers.
(D) Create an alert using a search query that looks for exceptions in business layer servers.
(E) Create an alert using a search query that looks for exceptions in Linux servers.
Answer : A;E
NO.19 You have a Microsoft Azure subscription that has 8 virtual machines (VMs). You need to configure monitoring such that when either CPU usage or available memory reaches a threshold value, Azure both notifies administrators via email and creates a new issue in your corporate issue tracker. What is the minimum number of Azure alerts and action groups you need to meet these requirements?
(A) eight alerts and one action group
(B) two alerts and two action groups
(C) one alert and one action group
(D) one alert and two action groups
Answer : C
NO.20 You have 20 Azure subscriptions. All subscriptions are linked to the same Azure Active Directory (Azure AD) tenant named company.com. You plan to generate detailed usage and spend reports across all Azure subscriptions. You need to incorporate resource optimization suggestions into your reports. What should you do?
(A) Design metrics charts in Azure Monitor.
(B) Run interactive queries in Azure Log Analytics.
(C) Create a Stream Analytics job in the Azure portal.
(D) Use Cloudyn reports.
Answer : D
NO.21 You have an Azure resource group named RG1. RG1 contains a Windows Server virtual machine (VM) named VM1. You plan to use Azure Monitor to configure an alert rule for VM1. You need to configure an alert that notifies you whenever the VM is restarted. What should you do?
(A) Define an action group with an ITSM action type.
(B) Define an action group with a webhook action type.
(C) Define a metric-based alert condition.
(D) Define an Activity Log alert condition.
Answer : D
NO.22 You have a website hosted in Azure App Services that is used globally within your company. The website contains a mixture of dynamic and static content. You are asked to put a Content Delivery Network (CDN) in place to optimize the experience for the end users. You need to configure the CDN and web app to optimize both dynamic and static content where possible. What two actions should you perform? Each correct answer presents part of the solution.
(A) Implement general web delivery on the CDN.
(B) Implement custom caching rules on the CDN.
(C) Implement cross origin sharing (CORS) on the website.
(D) Implement dynamic site acceleration (DSA) on the CDN.
Answer : B;D
NO.23 You are configuring the XML file specifying the data paths to use. This file will configure the export job to control the data exported. Your file currently looks like this:
    <?xml version="1.0" encoding="utf-8"?>
    <BlobList>
      <BlobPath>pictures/animals/kangaroo.jpg</BlobPath>
      <BlobPathPrefix>/vhds/</BlobPathPrefix>
      <BlobPathPrefix>/movies/dramas</BlobPathPrefix>
    </BlobList>
What will be exported based on the current XML file? Choose all that apply:
(A) You are configuring the XML file specifying the data paths to use.
(B) Everything in the vhds folder will be exported.
(C) Everything in the dramas folder will be exported.
(D) Files in the vhds folder but not the subfolders will be exported.
(E) Everything in the movies folder beginning with dramas will be exported.
Answer : A;D;E
NO.24 Your company has developed a web application that serves dynamic and static content to users. The application is deployed in several Azure Web Apps in different Azure regions to achieve the best performance. The Support department for the web application receives complaints from users about poor performance of the application. You review the performance of all components of the application and determine that you need to deploy a Content Delivery Network (CDN). You need to configure a CDN for achieving the best performance. What are two ways that you can configure the CDN? Each correct answer presents a complete solution.
(A) Configure a single Azure CDN Premium from Verizon endpoint, configure dynamic site acceleration, and configure caching rules.
(B) Configure a single Azure CDN Standard from Akamai endpoint, configure dynamic site acceleration, and configure caching rules.
(C) Configure a single Azure CDN Standard Microsoft endpoint, configure dynamic site acceleration, and configure caching rules.
(D) Configure a single Azure CDN Standard from Verizon endpoint, configure dynamic site acceleration, and configure caching rules.
Answer : B;D
NO.25 Your company has a line-of-business (LOB) application deployed in Azure. This LOB application creates a large amount of information that is stored in a storage account. To optimize the costs for storage, the LOB application changes the storage tier from hot to archive for those blobs that will not be needed anymore. You are requested to get the information that the LOB application archived. You decide to create an Azure Export job for getting the archived information. When creating the export job, you are not able to see the storage account in the list of storage accounts where the data resides. Why are you not able to see the storage account in the list?
(A) You are using a General Purpose V2 storage account.
(B) You are using a General Purpose V1 storage account.
(C) You are using Azure Files storage.
(D) You are using a Page Blob.
Answer : A
NO.26 Your on-premises datacenter has a mixture of servers running Windows Server 2012 R2 Datacenter edition and Windows Server 2016 Datacenter edition. You need to configure Azure Sync Service between the Azure Files service and the servers in the datacenter. Which two activities must you complete to ensure that the service will operate successfully on your servers? Each correct answer presents part of the solution.
(A) Disable Internet Explorer Enhanced Security for Admins and Users.
(B) Ensure that the PowerShell version deployed to the servers is at minimum version 5.1.
(C) Ensure that for fileserver clusters, Azure Active Directory Connect is deployed to at least one server in the cluster.
(D) Disable Internet Explorer Enhanced Security for Admins only.
(E) Ensure that the Windows Identity Framework is deployed to all servers.
Answer : A;B
NO.27 You are configuring the Azure File Sync service to synchronize data from your Windows Server failover cluster to Azure Files. Your Windows Server failover cluster is currently configured to support the Scale-Out file server for application data operational mode. The Failover Cluster is set up with data deduplication. The server endpoint is located on the system drive. The Azure Files Sync service fails to operate on the failover cluster. You need to rectify the situation. What two actions should you perform? Each correct answer presents part of the solution.
(A) Configure the cluster to support clustered shared volumes.
(B) Move the server endpoint off the system volume.
(C) Disable the deduplication feature of the Windows clustered file server.
(D) Configure the cluster to support File Server for General Use.
Answer : C;D
NO.28 Your company has a file server that stores important information. The operating system for this file server is Windows Server 2012 R2 Standard Edition. The information is stored in a separate volume from the system volume. To improve security, the volume that stores corporate information is encrypted using BitLocker. Your company wants to centralize the storage of information and improve the flexibility for accessing the information. You decide to use Azure File Sync for achieving this goal. You configure an Azure File share and the appropriate firewall rules for allowing access from your company offices. After configuring the Sync group, you receive an error about the cloud endpoint creation. What is the most likely cause of the error?
(A) You forgot to register the file server with Azure File Sync.
(B) Windows Server 2012 R2 Standard Edition is not supported by the Azure File Sync service.
(C) You are using firewall rules in the storage account.
(D) You are trying to sync an encrypted volume.
Answer : C
NO.29 Your company deploys an Azure File Sync service. This service syncs with an on-premises file server located in your office. The server stores the information synced with Azure in a volume different from the system volume. The file server has an antivirus solution installed. You notice that some infrequently accessed files are downloaded to the file server. After monitoring file system access, you determine that no user is accessing the affected files. You need to troubleshoot what is happening with those files. What are two ways of meeting your goal? Each correct answer presents a complete solution.
(A) Run the Set-AzureRmStorageSyncServerEndpoint -Id serverendpointid -CloudTiering true -VolumeFreeSpacePercent 60 PowerShell cmdlet.
(B) Run the Test-NetConnection -ComputerName storage-account-name.file.core.windows.net -Port 443 PowerShell cmdlet.
(C) Run the fltmc command at an elevated command prompt.
(D) Review the Application event log.
(E) Review the Services\Microsoft\FileSync\Agent event log.
Answer : D;E
NO.30 You have a Windows Server 2012 R2 file server deployed in your on-premises infrastructure. You want to deploy a file server hybrid solution. You decide to use Azure File Sync. Choose all that apply:
(A) You can use cloud tiering with server endpoints on the system volume.
(B) The Data tiering free space policy applies to each server endpoint individually.
(C) For tiered files, the media file type will be partially downloaded as needed.
(D) The free space policy takes precedence over any other policy.
(E) You can sync files in a mount point inside a server endpoint.
Answer : C;D
NO.31 You have several Windows Server 2012 R2 file servers deployed in your on-premises infrastructure. You want to deploy a file server hybrid solution. You decide to use Azure File Sync with some of your file servers. You configure two Azure File Storage accounts for this purpose. You are configuring the Azure File Sync. Choose all that apply:
(A) You can use more than one Azure file share in the same sync group.
(B) A server can sync with multiple sync groups.
(C) Changes made directly on the file share can take up to 24 to be synced.
(D) Pre-seeding is the best approach for doing the first synchronization.
Answer : C
NO.32 You have an Azure subscription that contains a storage account. Your on-premises environment includes six file servers that host a total of 12 file shares. You need to meet the following technical requirements:
* Requirement 1: Reduce the storage footprint of the on-premises file servers.
* Requirement 2: Provide fault tolerance for the on-premises file shares.
* Requirement 3: Secure the hybrid cloud connection with IPSec.
You plan to configure Azure File Sync. Choose all that apply:
(A) Azure File Sync meets technical requirement 1.
(B) Azure File Sync meets technical requirement 2.
(C) Azure File Sync meets technical requirement 3.
Answer : A;B
NO.33 You have a Microsoft Azure subscription that contains a storage account. Your on-premises environment includes six file servers that host a total of 12 file shares. These file shares are consolidated in a Distributed File System Replication (DFS-R) configuration. You plan to deploy Azure File Sync to centralize the distributed file shares in Azure and to enable cloud tiering. You configure Azure File Sync as follows:
* Two Storage Sync Service instances with 6 file servers in each instance
* Four Sync Groups
* Two cloud endpoints
Choose all that apply:
(A) All servers in the topology can sync with each other
(B) The topology requires six registered servers.
(C) You need to decommission the DFS-R environment before enabling Azure File Sync
Answer : B
NO.34 You are asked to configure an Azure storage account to be accessible from only one specific Virtual Network in an Azure Virtual Network (VNet). It must not be accessible from any other network or region in use across your company's Azure subscription. You need to implement this requirement. What should you do?
(A) Add a network security group.
(B) Create a VNet service endpoint.
(C) Deploy Azure Traffic Manager.
(D) Activate the Secure transfer required option.
Answer : B
NO.35 You manage several Windows Server virtual machines (VMs) located in a virtual network (VNet) named prod-vnet. These VMs are used internally by development staff and are not accessible from the Internet. You need to provide your development staff with secure access to object and table data to support their Azure-based applications. The storage account data reside in Azure, but must not be exposed to the Internet. What two actions should you perform? Each correct answer presents part of the solution.
(A) Configure a service endpoint.
(B) Deploy a blob storage account.
(C) Deploy an Azure File Sync sync group.
(D) Configure a point-to-site (P2S) virtual private network (VPN).
(E) Deploy a general-purpose storage account.
(F) Configure an Azure Content Delivery Network (CDN) profile.
Answer : A;E
NO.36 You create a binary large object (blob) storage account named reportstorage99 that contains archival reports from past corporate board meetings. A board member requests access to a specific report. The member does not have an Azure Active Directory (Azure AD) user account. Moreover, he has access only to a web browser on his Google Chromebook device. You need to provide the board member with least-privilege access to the requested report while maintaining security compliance and minimizing administrative overhead. What should you do?
(A) Create an Azure AD account for the board member and grant him role-based access control (RBAC) access to the storage account.
(B) Deploy a point-to-site virtual private network (VPN) connection on the board member's Chromebook and grant the board member role-based access control (RBAC) access to the report.
(C) Copy the report to an Azure File Service share and provide the board member with a PowerShell connection script.
(D) Generate a shared access signature (SAS) token for the report and share the Uniform Resource Locator (URL) with the board member.
Answer : D
NO.37 The development team asks you to provision an Azure storage account for their use. To remain in compliance with IT security policy, you need to ensure that the new Azure storage account meets the following requirements:
* Data must be encrypted at rest.
* Access keys must facilitate automatic rotation.
* The company must manage the access keys.
What should you do?
(A) Require secure transfer for the storage account.
(B) Enable Storage Service Encryption (SSE) on the storage account.
(C) Create a service endpoint between the storage account and a virtual network (VNet).
(D) Configure the storage account to store its keys in Azure Key Vault.
Answer : D
NO.38 Your company is developing a .NET application that stores part of the information in an Azure Storage Account. The application will be installed on end user computers. You need to ensure that the information stored in the Storage Account is accessed in a secure way. You ask the developers to use a shared access signature (SAS) when accessing the information in the Storage Account. You need to make the required configurations on the storage account to follow security best practices. Choose all that apply:
(A) You need to configure a stored access policy.
(B) You should set the SAS start time to now.
(C) You should validate data written using SAS.
(D) One option for revoking a SAS is by deleting a stored access policy.
Answer : A;C;D
NO.39 Your company wants to configure a storage account. You need to ensure that the storage is available in case of failure of an entire datacenter. You also need to move the data to different access tiers depending on the frequency of access. Your solution needs to be the most cost-effective. What type of storage should you configure?
(A) Read-Access Geo Redundant Storage (RA-GRS)
(B) Geo Redundant Storage (GRS)
(C) Local Redundant Storage (LRS)
(D) Zone Redundant Storage (ZRS)
Answer : D
NO.40 You have performed a lift-and-shift migration of several Windows Servers to Azure Infrastructure as a Service (IaaS). You need to configure the servers to support Azure Backup. What are two ways of achieving your goal? Each correct answer presents a complete solution.
(A) Execute the Backup-AzureRmBackupItem PowerShell cmdlet.
(B) Install the Azure VM Agent on the migrated VMs.
(C) Install the Azure VM Backup Agent on the migrated VMs.
(D) Enable Backup via the Backup Blade in the Azure VM Configuration Panel.
Answer : B;C
NO.41 You are tasked with managing the corporate Microsoft Azure subscription. Presently, a site-to-site virtual private network (VPN) connects the company's on-premises network infrastructure to a virtual network (VNet) named prod-vnet. You need to implement a backup strategy for nine virtual machines (VMs) located on prod-vnet. What should you do first?
(A) Define an Azure Site Recovery (ASR) recovery plan.
(B) Deploy Azure Backup Server in your on-premises environment.
(C) Create a Recovery Services vault.
(D) Install the VM Backup extension on the Azure-based VMs.
Answer : C
NO.42 You back up all Azure-based virtual machines (VMs) to a Recovery Services vault. One of these VMs is a Windows Server 2016 domain member server named app1 that hosts an internally developed line of business (LOB) web application. A developer informs you that she needs to review three-month-old log files stored on app1. You need to retrieve these files as efficiently as possible. What should you do?
(A) Download the appropriate virtual hard disk (VHD) files from the Recovery Services vault to your administrative workstation.
(B) Retrieve the files from the appropriate backed-up virtual hard disks (VHDs) by using Azure Storage Explorer.
(C) Mount the virtual hard disks (VHDs) from the relevant VM backup as drives on your administrative workstation.
(D) Make a Remote Desktop Protocol (RDP) connection to app1 and use the Previous Versions feature to restore the requested log files.
Answer : C
NO.43 You have an Azure resource group named RG1. RG1 contains a Linux virtual machine (VM) named VM1. You need to automate the deployment of 20 additional Linux VMs. The new VMs should be based upon VM1's configuration. Solution: From the virtual machine's Automation script blade, you click Deploy. Does this solution meet the goal?
(A) No
(B) Yes
Answer : B
NO.44 You have an Azure resource group named RG1. RG1 contains a Linux virtual machine (VM) named VM1. You need to automate the deployment of 20 additional Linux VMs. The new VMs should be based upon VM1's configuration. Solution: From the Templates blade, you click Add. Does this solution meet the goal?
(A) No
(B) Yes
Answer : B
NO.45 You have an Azure resource group named RG1. RG1 contains a Linux virtual machine (VM) named VM1. You need to automate the deployment of 20 additional Linux VMs. The new VMs should be based upon VM1's configuration. Solution: From the resource group's Policies blade, you click Assign policy. Does this solution meet the goal?
(A) No
(B) Yes
Answer : A
NO.46 You manage a Windows Server 2016 virtual machine (VM) named VM1. You need to configure an additional public IPv4 address for VM1. Solution: From the VM's Networking blade, you click Attach network interface. Does this solution meet the goal?
(A) No
(B) Yes
Answer : A
NO.47 You manage a Windows Server 2016 virtual machine (VM) named VM1. You need to configure an additional public IPv4 address for VM1. Solution: From the network interface's IP configurations blade, you click Add. Does this solution meet the goal?
(A) No
(B) Yes
Answer : B
NO.48 You manage a Windows Server 2016 virtual machine (VM) named VM1. You need to configure an additional public IPv4 address for VM1. Solution: From the virtual machine's Extensions blade, you click Add. Does this solution meet the goal?
(A) No
(B) Yes
Answer : A
NO.49 Your company has two Azure subscriptions, subsA and subsB, for different lines of business. Each subscription has its own Azure Active Directory (Azure AD) tenant assigned. You have a virtual machine (VM) deployed in the subsA subscription, in a resource group named RG-A1. You attempt to move the VM to another resource group named RG-B2 that is configured in the subsB subscription. While you are trying to move the VM, you get an error. You need to identify the cause of the error so you can move the VM. What is the most likely cause?
(A) The subscriptions are in different Azure AD tenants.
(B) The VM is a classic VM.
(C) The VM has managed disks configured.
(D) The destination resource group is in a different subscription.
Answer : A
NO.50 Your company has an Azure subscription with some virtual machines (VMs) deployed. One of these VMs is used by the development team for testing purposes. You receive a call from the development team stating that they are not able to access the VM. After doing some troubleshooting and resetting the Remote Desktop Protocol (RDP) configuration, you decide to redeploy the VM. You need to use PowerShell to redeploy the VM. Which cmdlet should you use?
(A) Set-AzureRmVM
(B) New-AzureRmVMConfig
(C) Remove-AzureRmVM
(D) Restart-AzureRmVM
(E) Update-AzureRmVM
Answer : A
NO.51 You have a Windows Server 2012 R2 virtual machine (VM) that is experiencing connectivity issues. You are not able to connect to the VM using Remote Desktop (RDP). You need to move the VM to a different node inside the Azure infrastructure. Which two commands can you use? Each correct answer presents a complete solution.
(A) az vm redeploy
(B) az vm deallocate
(C) New-AzureRmVM
(D) Update-AzureRmVM
(E) Set-AzureRmVM
(F) az vm convert
Answer : A;E
NO.52 Your company purchases a new application and is planning to deploy it in Azure. The application requires Windows Server 2016. It also requires high-availability, so it will be deployed using a scalability set. You are asked to prepare the virtual machine (VM) to automatically deploy all needed requirements for the application to run. You decide to use a custom script extension. Before deploying the custom script, you test it and ensure that the script runs with no errors in the local environment. You store the script and some dependencies needed for the application in a blob storage account. While you are testing automatic deployment, you realize that the custom script is not running. What is the reason for the custom script not running?
(A) The operation is taking more than 90 minutes.
(B) You need to add an entry in the Network Security Group (NSG).
(C) You need to configure a proxy server for the custom script.
(D) You need to sign the script.
Answer : B
NO.53 Last month you deployed an Ubuntu Linux server virtual machine (VM) named linux1 to a virtual network (VNet) in Azure. Today, you need to perform emergency remote management of linux1 from your Windows 10 Enterprise Edition workstation. Your solution must minimize both setup time and administrative effort. What should you do?
(A) Connect to the VM by using Secure Shell (SSH) and Azure Cloud Shell.
(B) Connect to the VM by using Secure Shell (SSH) and Windows Subsystem for Linux.
(C) Connect to the VM by using Remote Desktop Protocol (RDP) and PowerShell Core 6.0.
(D) Connect to the VM by using Remote Desktop Protocol (RDP) and Remote Desktop Connection.
Answer : A
NO.54 Your company's Azure environment consists of the following resources:
* 4 virtual networks (VNets)
* 48 Windows Server and Linux virtual machines (VMs)
* 6 general purpose storage accounts
You need to design a universal monitoring solution that enables you to query across all diagnostic and telemetry data emitted by your resources. What should you do first?
(A) Activate resource diagnostic settings.
(B) Create a Log Analytics workspace.
(C) Install the Microsoft Monitoring Agent.
(D) Enable Network Watcher.
Answer : B
NO.55 Your company's Azure environment consists of two virtual networks (VNets) arranged in the following topology:
* prod-vnet: 9 virtual machines (VMs)
* dev-vnet: 9 virtual machines (VMs)
The VMs in the prod-vnet should run continuously. The VMs in dev-vnet are used only between 7:00 A.M. and 7:00 P.M. local time. You need to automate the shutdown and startup of the dev-vnet VMs to reduce the organization's monthly Azure spend. Which Azure feature should you use?
(A) Azure Auto-Shutdown
(B) Azure Change Tracking
(C) Azure Automation Desired State Configuration (DSC)
(D) Azure Automation runbook
Answer : D
NO.56 Your media production company recently moved all its infrastructure into Azure. Every 14 days you run a batch to render several thousand video clips into various media formats for customers. At the moment the batch job is run on a single H-series virtual machine (VM). You need to design a scalable compute solution. The solution must meet the following technical and business requirements:
* Must use VM instance sizes smaller than H series
* Must support automatic scale out and scale in based on CPU metrics
* Must minimize deployment time
* Must minimize administrative overhead
What should you do?
(A) Deploy a virtual machine scale set (VMSS).
(B) Create an Azure Data Factory pipeline.
(C) Configure an auto-scaling rule on the existing VM.
(D) Author an Azure Resource Manager (ARM) template that creates additional VMs.
Answer : A
NO.57 You have a Microsoft Azure subscription named Sub1. You deploy a Windows Server 2016 virtual machine (VM) named VM1 to Sub1. You need to change the availability set assignment for VM1. What should you do?
(A) Redeploy VM1 from a recovery point.
(B) Move VM1 to a different availability zone.
(C) Migrate VM1 to another Azure region.
(D) Assign VM1 to the new availability set.
Answer : A
NO.58 You have an Azure resource group named RG1. RG1 contains four virtual machines (VMs) and their associated resources. You need to generate resource usage reports by using interactive queries. What should you use?
(A) Azure Monitor
(B) Azure Alerts
(C) Azure Log Analytics
(D) Azure Service Bus
Answer : C
NO.59 You have a Microsoft Azure subscription that has four virtual machines (VMs) located in the East US region. You configure the four VMs identically to act as web servers. You need to ensure that traffic is distributed equally across the four web servers. You also need to protect the web servers against the most common web application security risks. Your solution must minimize expense. What should you do?
(A) Deploy a virtual machine scale set.
(B) Deploy Azure Application Gateway.
(C) Deploy a Traffic Manager profile.
(D) Deploy an Azure Content Delivery Network (CDN) profile.
Answer : B
NO.60 You have a Linux virtual machine (VM) named VM1 that runs in Azure. VM1 has the following properties:
* Size: Standard_D4s_v3
* Number of virtual CPUs: 2
* Storage type: Premium
* Number of data disks: 6
* Public IP address: Standard SKU
You attempt to resize the VM to the Standard_D2s_v3 size, but the resize operation fails. Which VM property is the most likely cause of the failure?
(A) Storage type
(B) Number of virtual CPUs
(C) Public IP address
(D) Number of data disks
Answer : D
NO.61 You use Azure VM Backup to back up all Windows Server and Linux VMs in Azure to a Recovery Services vault. One of your colleagues informs you that he accidentally deleted corp-archive-vm1. You inspect Azure Monitor and verify that the server has been backed up every night for the past two months even though it has been powered off the entire time. You need to restore the VM to its original location as quickly as possible. What two actions should you perform? Each correct answer presents part of the solution.
(A) Select the most recent application-consistent restore point.
(B) Restore the corp-archive-vm1 disks and ARM template and redeploy the VM using Azure PowerShell.
(C) Select the most recent crash-consistent restore point.
(D) Restore corp-archive-vm1 by creating a new VM.
Answer : C;D
NO.62 You manage an Azure Windows Server virtual machine (VM) that hosts several SQL Server databases. You need to configure backup and retention policies for the VM. The backup policy must include transaction log backups. What should you do?
(A) Configure a point-in-time snapshot from the Disks Azure portal blade.
(B) Configure point-in-time and long-term retention policies from the SQL Servers Azure portal blade.
(C) Configure a continuous delivery deployment group from the Virtual Machine Azure portal blade.
(D) Configure a SQL Server in Azure VM backup policy from the Recovery Services Azure portal blade.
Answer : D
NO.63 You deploy Azure Recovery Services in your Azure Subscription. You are making a backup of all the virtual machines (VMs) in this subscription. Some of the VMs in the subscription were deployed using custom images. You also have encrypted VMs. Due to your company's disaster recovery plan, you need to be able to recover VMs. Choose all that apply:
(A) You can use the replace existing option with encrypted VMs.
(B) When you restore a VM, you can customize the VM configuration using PowerShell.
(C) You can only restore VMs that have single NICs.
(D) Restoring VMs created using custom images using the replace existing option is unsupported.
Answer : B;D
NO.64 Your company has a custom line-of-business (LOB) application that uses several Azure resources. All resources assigned to the LOB application are in the same resource group. After the first deployment of the LOB application, the company adds more features to the application. You also add more resources to the resource group in different additional deployments. You need to create a template to redeploy the resources needed for the LOB application. What should you do?
(A) Use the Get-AzureRmResourceGroupDeployment cmdlet.
(B) Use the Save-AzureRmResourceGroupDeploymentTemplate cmdlet.
(C) Use the Export-AzureRmResourceGroup cmdlet.
(D) Use the Get-AzureRmResourceGroupDeploymentOperation cmdlet.
Answer : C
NO.65 You have an ARM template for creating a Windows virtual machine. You got this template from an existing resource group with a single virtual machine, using the automation script option. You want to reuse this template for other deployments. You need all the resources in the resource group to be on the same location. What should you do?
(A) Edit the parameters file and add a new parameter named location of type string with the default value of [resourceGroup().location].
(B) Edit the template file and update each location parameter with the value [resourceGroup().location].
(C) Use the New-AzureRmResourceGroup cmdlet with the location parameter to create a resource group in the desired location. Then use the New-AzureRmResourceGroupDeployment cmdlet using the newly created resource group.
(D) Use the Azure portal and create a resource group in the desired location. Then use the New-AzureRmResourceGroupDeployment cmdlet using the newly created resource group.
Answer : B
NO.66 Your company is planning to deploy a new application in its Azure subscription. The application consists of several Linux virtual machines (VMs). You are asked to deploy the needed VMs for this new application. The VMs will run version 18.04-LTS of Ubuntu server. You decide to create an ARM template for the deployment. You need to ensure that the VM image can automatically update after the initial deployment. You also need to use VM images from the marketplace. Which two ARM parameters should you configure? Each correct answer presents part of the solution.
(A) osType
(B) vmSize
(C) sku
(D) offer
(E) version
Answer : C;D
NO.67 You have a resource group named APP-RG that consists of several resources. You are asked to add a storage account to the resource group. You decide to deploy the new storage account by using an ARM template and the New-AzureRmResourceGroupDeployment cmdlet. This template does not contain any linked or nested templates. After the deployment finishes successfully, you realize that all the resources in the resource group have been replaced by the new storage account. Why did this happen?
(A) You used the -mode complete parameter with the New-AzureRmResourceGroupDeployment cmdlet.
(B) The template contains the mode parameter with the value of incremental.
(C) You did not use the -mode parameter with the New-AzureRmResourceGroupDeployment cmdlet.
(D) The template contains the mode parameter with the value of complete.
Answer : A
NO.68 You deploy a line of business (LOB) application. All resources that are part of the LOB application are deployed in a resource group named APP-RG. The resources that are part of the LOB application were added in different phases. You need to export the current configuration of the resources in APP-RG to an ARM template. You will later use this template for deploying the LOB application infrastructure in different environments for testing or development purposes. For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(A) You need to export the ARM template from the latest deployment.
(B) Each deployment contains only the resources that have been added in that deployment.
(C) The parameters file contains the values used during the deployment.
(D) The template contains needed scripts for deploying the template.
Answer : B;C;D
NO.69 You need to deploy several virtual machines (VMs) in your Azure Subscription. All VMs will be deployed in the resource group RG01 based on an ARM template that is stored in GitHub. You need to automate this operation. Which two commands can you use? Each correct answer presents a complete solution.
(A) New-AzureRmVM
(B) az group deployment create
(C) az vm create
(D) New-AzureRmResourceGroupDeployment
Answer : B;D
NO.70 Your company deploys a line-of-business (LOB) application. This application is installed on three separate virtual machines (VMs). You receive some performance alerts on one of the VMs. After some troubleshooting, you identify a deficiency in the IO of the storage system. You need to add an additional new empty data disk to the existing VM. You decide to use an unmanaged disk. Which PowerShell cmdlet should you use?
(A) New-AzureRmDiskConfig
(B) Add-AzureRmVhd
(C) Add-AzureRmVMDataDisk
(D) New-AzureRmDisk
(E) New-AzureRmVMDataDisk
Answer : C
NO.71 You are configuring a Network Security Group (NSG). The default NSG rules are already in place. You need to configure the NSG to support only the following types of traffic into the subnet from the Internet.
* Remote Desktop Management
* Secured HTTPS traffic
* Unsecured HTTP traffic
Which three ports should you configure in the NSG configuration? Each correct answer presents part of the solution.
(A) 3389
(B) 53
(C) 443
(D) 80
(E) 21
Answer : A;C;D
NO.72 You design a virtual network (VNet) topology with the following characteristics:
* web subnet: 3 web front-end virtual machines (VMs)
* app subnet: 3 application server VMs
* data subnet: 3 database server VMs
The client requires that inter-subnet network traffic be strictly controlled with network security groups (NSGs). You need to design a solution that minimizes NSG rule creation and maintenance. What should you do?
(A) Enable the built-in rules in each NSG.
(B) Define application security groups (ASGs) that align to each application tier.
(C) Bind a route table to each subnet.
(D) Employ the VirtualNetwork NSG service tag in each NSG.
Answer : B
NO.73 You host a line-of-business (LOB) web application in a virtual network (VNet) in Azure. A site-to-site virtual private network (S2S VPN) connection links your on-premises environment with the Azure VNet. You plan to use a network security group (NSG) to restrict inbound traffic into the VNet to the following IPv4 address ranges:
* 192.168.2.0/24
* 192.168.4.0/24
* 192.168.8.0/24
Your solution must meet the following technical requirements:
* Limit rule scope only to the three IPv4 address ranges.
* Minimize the number of NSG rules.
* Minimize future administrative maintenance effort.
What should you do?
(A) Pass the three IPv4 address ranges into the NSG rule as a comma-separated list.
(B) Pass the IPv4 address range 192.168.0.0/22 into the NSG rule.
(C) Define an application security group (ASG) that includes the three IPv4 address ranges.
(D) Define an NSG rule that includes the VirtualNetwork service tag.
Answer : A
NO.74 You deploy a virtual network (VNet) named VNET01. You deploy several virtual machines (VMs) connected to VNET01. You configure a new service on VM01, which is one of the VMs connected to VNET01. You need to allow inbound traffic to TCP port 992. You decide to create a network security group named NSG01 and attach it to the primary NIC of VM01. Which PowerShell cmdlet should you use?
(A) Set-AzureRmNetworkInterface
(B) Set-AzureRmVirtualNetworkSubnetConfig
(C) Set-AzureRmNetworkSecurityRuleConfig
(D) Set-AzureRmNetworkSecurityGroup
Answer : A
NO.75 You deploy a virtual network (VNet) named VNET01. VNET01 also has multiple subnets configured. You have several virtual machines (VMs) connected to VNET01 subnets. You configure three network security groups (NSGs) named NSG01, NSG02 and NSG03. NSG01 is attached to VNET01. NSG02 and NSG03 are attached to different VMs. Users experience some connectivity issues when they connect to the services hosted on the VMs. You need to troubleshoot these connectivity issues. You need to identify the security rules that affect each VM. Which two commands should you use in your script? Each correct answer presents a complete solution.
(A) az network nic show-effective-route-table
(B) Get-AzureRmEffectiveNetworkSecurityGroup
(C) Get-AzureRmNetworkSecurityGroup
(D) az network nic list
(E) az network nic list-effective-nsg
(F) Get-AzureRmNetworkProfile
Answer : B;E
NO.76 You are asked to deploy a virtual machine (VM) in your Azure subscription. This VM must be configured with a static IP address for connectivity to some legacy applications. You need to configure the VM to support a static IP address. What are two ways to achieve your goal? Each correct answer presents a complete solution.
(A) Use the Add-AzureRmVMNetworkInterface PowerShell cmdlet.
(B) Use the New-AzureRmNetworkInterface PowerShell cmdlet when creating the VM.
(C) Use the Azure Portal to set the static IP address after the VM has been created.
(D) Use the Set-AzureRmNetworkInterface PowerShell cmdlet.
Answer : B;C
NO.77 You are asked to configure Azure virtual machine (VM) connectivity between two virtual networks (VNets) in the same Azure Resource Group. The solution must support an application that requires connectivity using IPv6 and may not fall back to IPv4 for compliance reasons within the application being hosted. The application must also support IPv6 clients on the public Internet. You need to implement these requirements. What three actions should you perform? Each correct answer presents part of the solution.
(A) Add a Network Security Group (NSG) to the subnets hosting the VMs to block IPv4 connectivity.
(B) Add one Azure Load Balancer in the resource group.
(C) Add an IPv6 endpoint to each VM supporting the application.
(D) Add a public IPv6 IP address to the Internet facing Azure Load Balancer.
(E) Add an Azure Load Balancer for each VNet in the resource group.
Answer : C;D;E
NO.78 You need to configure public IP addressing for four infrastructure virtual machines (VMs) that reside on an Azure virtual network (VNet). Your solution must meet the following technical and business requirements:
* Minimize the VMs' attack surface
* Minimize administrative/maintenance complexity
* Minimize cost
What should you do?
(A) Assign a public IP address to each VM virtual network interface card (vNIC) and use Just-in-Time (JIT) VM Access to reach the VMs.
(B) Assign a public IP address to an Azure Virtual Private Network (VPN) Gateway and use a public load balancer to reach the VMs.
(C) Assign a public IP address to each VM and use network security groups (NSGs) to reach the VMs.
(D) Assign a public IP address to a public load balancer and use Network Address Translation (NAT) to reach the VMs.
Answer : D
NO.79 You need to assign a static private IPv4 address for a Windows Server virtual machine (VM) named corp-vm1 running in a virtual network (VNet) named corp-vnet. What should you do?
(A) Connect to corp-vm1 by using Remote Desktop Protocol (RDP) and edit the VM's virtual network connection properties.
(B) Edit the address range of corp-vnet.
(C) Modify the IP configuration of the virtual network interface associated with corp-vm1.
(D) Connect to corp-vm1 by using WinRM and run the Set-NetIPAddress PowerShell cmdlet.
Answer : C
NO.80 One of your colleagues deployed a new virtual network (VNet) named corp-vnet that has the following properties:
* Address range: 172.16.0.0/16
* Front-end subnet: 172.16.2.0/24
* Mid-tier subnet: 172.16.3.0/24
* Back-end subnet: 172.16.4.0/24
To avoid a conflict with your on-premises IPv4 address space, you need to change the corp-vnet address space to 192.168.0.0/16 and redefine the subnet IDs immediately, before your colleague attempts to migrate virtual machines (VMs) to the new VNet. What should you do?
(A) Remove and redeploy corp-vnet.
(B) Delete the three subnet resources from corp-vnet.
(C) Add the 192.168.0.0/16 address space to corp-vnet.
(D) Edit the corp-vnet address range to 192.168.0.0/16.
Answer : A
NO.81 Your company's Microsoft Azure infrastructure team asks you for help in designing a traffic control solution for their deployment. The deployment consists of a single virtual network (VNet) that has the following topology:
* edge subnet: Linux-based network virtual appliance (NVA) running enterprise firewall software with IP forwarding enabled
* data1 subnet: 4 Windows Server virtual machines (VMs)
* data2 subnet: 4 Ubuntu Linux VMs
You need to recommend a solution to the infrastructure team so that all outbound Azure VM traffic must pass through the NVA on the edge subnet. What two actions should you perform? Each correct answer presents part of the solution.
(A) Create a network security group (NSG) with an outbound rule.
(B) Create a route table with a next-hop IP address.
(C) Deploy two internal load balancers between the three subnets.
(D) Bind the resource to each subnet.
(E) Bind the resource to each VM virtual network interface card (vNIC).
Answer : B;D
NO.82 A virtual machine (VM) named VM01 is deployed in a resource group named RG01. This VM is connected to a virtual network (VNet) named VNET01. You plan to connect VM01 to an additional VNet named VNET02. You need to create an additional NIC on VM01 and connect it to VNET02. Which two Azure CLI commands should you use? Each correct answer presents part of the solution.
(A) az network nic create
(B) az vm nic add
(C) az network nic update
(D) az vm nic set
Answer : A;B
NO.83 You are deploying a group of new virtual machines (VMs) in your Azure Subscription. These new VMs are part of the frontend layer of a new application that your company is publishing. You plan to configure an Azure Load Balancer for these new VMs. You decide to configure a Standard Load Balancer. You need to configure the public IP address that you will assign to the load balancer. Choose all that apply:
(A) You can only use a standard SKU public IP with Standard Load Balancers.
(B) Standard SKU public IP addresses allow inbound communication by default.
(C) You can only use the static allocation method with standard SKU public IP addresses.
(D) You can specify the IP address of a public IP resource.
Answer : A;C
NO.84 You are asked to connect a virtual network (VNet) to a private DNS zone to support new application namespaces in the new private zone. The VNet already has virtual machines (VMs) assigned to it and has existing private DNS zones assigned. You need to complete this task. What should you do first?
(A) Set the existing VMs to support the new DNS zone via the Windows Server IP Configuration DNS settings app.
(B) Add the new private DNS zone to the existing VNet.
(C) Remove the existing VMs from the VNet.
(D) Set up a new VNet, assign the private DNS zone to this VNet, and move the existing VMs to it.
Answer : B
NO.85 You deployed two virtual networks (VNets) that have the following properties:
* dev-vnet-west (West US region)
* prod-vnet-east (East US region)
You configure global VNet peering to link to dev-vnet-west and prod-vnet-east VNets. You need to ensure that virtual machines (VMs) in either VNet can resolve fully qualified domain names (FQDNs) of any other VM in Azure. What should you do?
(A) Use Azure-provided DNS in each VNet.
(B) Deploy DNS servers in each VNet and add their private IP addresses to the DNS servers list.
(C) Add service endpoints to each VNet.
(D) Create a private zone in Azure DNS.
Answer : D
NO.86 A client asks you to assist in moving a public website and Domain Name System (DNS) domain from the current host into Azure. You help the client migrate the website to an Azure App Service web application. You also create a zone in Azure DNS for the client's company.com domain. You now need to configure DNS so that user requests to company.com resolve to the Azure App Service app. What should you do next?
(A) Create a CNAME record for company.com in Azure DNS.
(B) Delegate the company.com zone to Azure DNS.
(C) Configure Azure DNS as a secondary name server.
(D) Create an A record for company.com in Azure DNS.
Answer : B
NO.87 You have an Azure resource group named RG1. RG1 contains two virtual networks (VNets) with the following attributes:
* VNet1: East US region; 4 Windows Server virtual machines (VMs)
* VNet2: West US region; 8 Linux VMs
You need to configure host name resolution for all VMs within RG1. Your solution must meet the following technical requirements:
* VMs within each VNet should be able to resolve each other's fully qualified domain names (FQDNs).
* VMs in VNet1 should be able to resolve the host names of VMs in VNet2.
* VMs in VNet2 should be able to resolve the host names of VMs in VNet1.
What should you do?
(A) Enable Azure-provided name resolution.
(B) Create a private zone in Azure DNS.
(C) Deploy a VNet-to-VNet virtual private network (VPN) connection.
(D) Define a peering between VNet1 and VNet2.
Answer : B
NO.88 You configure the companycs.com zone in Azure DNS. You have an A record set named app that points to an App Service that hosts a web application. You need to make this application available by using the webapp.companycs.com domain name. This new domain name needs to point to the public IP address of the App Service. You need to ensure that the DNS record for this new domain name is updated or deleted automatically in case the app.companycs.com DNS record is modified or deleted. Which type of record set should you create?
(A) An alias record set
(B) CNAME record set
(C) CNAME alias record set
(D) A record set
Answer : A
NO.89 Your company acquires another business that also uses Azure to deploy virtual machines (VMs) to run business applications for their users. You are tasked with ensuring that your existing applications hosted in Azure can connect securely to the newly acquired company's applications and data hosted in their existing Azure subscription. You need to configure this environment. What should you do?
(A) Enable VNet Peering.
(B) Create a virtual network gateway in both subscriptions.
(C) Enable a Site-to-Site VPN connection.
(D) Enable a Point-to-Point VPN connection.
Answer : C
NO.90 Your company acquires another business. The acquired business has Azure resources located in a sovereign Azure cloud. You are asked to configure network connectivity between your company's Azure network and the Azure network of the acquired company. You need to implement this connectivity. What should you do?
(A) Enable a VNet-to-VNet VPN gateway.
(B) Configure VNet Peering.
(C) Configure a Point-to-Point VPN.
(D) Configure a Site-to-Site VPN.
Answer : D
NO.91 You have several Windows Server and Ubuntu Linux virtual machines (VMs) distributed across two virtual networks (VNets):
* prod-vnet-west (West US region)
* prod-vnet-east (East US region)
You need to allow VMs in either VNet to connect and to share resources by using only the Azure backbone network. Your solution must minimize cost, complexity, and deployment time. What should you do?
(A) Configure peering between prod-vnet-west and prod-vnet-west.
(B) Create a private zone in Azure DNS.
(C) Deploy a VNet-to-VNet virtual private network (VPN).
(D) Add a service endpoint to each VNet.
Answer : A
NO.92 You use an Azure Resource Manager (ARM) template to deploy a virtual network (VNet) that contains two Windows Server virtual machines (VMs). You need to verify connectivity between the newly deployed VMs. Your tests include the following requirements:
* Determine whether line-of-business (LOB) traffic is allowed between the VMs.
* Isolate any network security group(s) that may block valid inter-VM network traffic.
* Minimize cost, time, and troubleshooting complexity.
What should you do first?
(A) Run the Test-NetConnection PowerShell cmdlet from your administrative workstation.
(B) Configure an Azure Automation runbook to perform a packet capture on the target VNet.
(C) Deploy the Network Performance Monitor (NPM) management solution.
(D) Enable Network Watcher in the target Azure region.
Answer : D
NO.93 Your company has an Azure subscription with an Azure Active Directory (Azure AD) tenant. Your company wants to deploy a system that allows users to have a unified experience across all their Windows devices. The security policies of your company require that all user and application data must be encrypted before moving to the cloud and also be encrypted at rest when stored in the cloud. All computers in your company run different versions of Windows 7, Windows 8.1, and Windows 10. Your company has an Active Directory Domain Service (AD DS) domain on the local infrastructure. All the computers in the company are joined to the AD DS domain. You need to deploy Enterprise State Roaming. Your solution needs to require the lowest possible costs. Which two prerequisites do you need to meet before configuring Enterprise State Roaming? Each correct answer presents part of the solution.
(A) Deploy Active Directory Federation Services (AD FS).
(B) Purchase Azure AD Premium P1 licenses.
(C) Deploy Azure AD Connect.
(D) Purchase Azure AD Basic licenses.
(E) Update all Windows 7 and Windows 8.1 computers to Windows 10.
Answer : B;C
NO.94 Your company has an Office 365 tenant for communications and collaboration. The company also has an Azure subscription with an Azure Active Directory (Azure AD) Premium tenant. The company also has an on-premises Active Directory Domain Services (AD DS) domain. The security policies of your company allow access to cloud applications from employee-owned devices. The security policies require that access to any Office 365 application from a mobile device be limited to users who have enrolled and registered their devices in the corporate Azure AD tenant. The policy applies only to iOS or Android devices. You need to create a conditional access policy to implement the security policy for Microsoft Office 365 Exchange Online to meet the requirements. Which four conditions should you configure? Each correct answer presents part of the solution.
(A) Device state
(B) Device platform
(C) Require approved client app
(D) Require device to be marked as compliant
(E) Users and groups
(F) Location
Answer : B;E
NO.95 Your company has an Azure subscription with an Azure Active Directory (Azure AD) tenant. Your company uses this Azure AD tenant for managing access to the resources deployed in Azure. Your company has a security policy that states that all users must have only the required privileges to do their job. This policy also requires that all privileges be reviewed every month and any incorrect permission assignments must be corrected. You decide to use Azure AD access review. Access review has not been used before. You need to configure Azure AD access review. Your solution must require the least administrative effort. What two actions should you perform? Each correct answer represents part of the solution.
(A) Configure a monthly frequency with 14 days for the duration setting.
(B) Configure a quarterly frequency with 30 days for the duration setting.
(C) Use the Default Program.
(D) Configure a yearly frequency with 30 days for the duration setting.
(E) Create a new program.
Answer : A;C
NO.96 Your company's local environment consists of a single Active Directory Domain Services (AD DS) domain. You plan to offer your users single sign-on (SSO) access to Azure-hosted software-as-a-service (SaaS) applications that use Azure Active Directory (Azure AD) authentication. The tenant's current domain name is companycom.onmicrosoft.com. You need to configure Azure AD to use company.com, the organization's owned public domain name. What should you do?
(A) Add a DNS verification record at the domain registrar.
(B) Run Azure AD Connect from a domain member server and specify the custom installation option.
(C) Add a company.com user principal name (UPN) suffix to the AD DS domain.
(D) Remove the companycom.onmicrosoft.com domain name from the Azure AD tenant.
Answer : A
NO.97 You have a single Active Directory Domain Services (AD DS) domain operating at the Windows Server 2016 domain functional level. Account synchronization is configured between AD DS and your corporate Azure Active Directory (Azure AD) tenant. All user workstations run Windows 10 Enterprise Edition. The support desk informs you that they regularly receive support requests from users who changed their Azure AD password and are no longer able to log onto the local AD DS domain. You need to configure the environment to allow users to change their password either locally or in the cloud, and have the passwords remain in sync. What should you do?
(A) Configure Azure AD Join for all Windows 10 workstations.
(B) Enable Azure AD conditional access.
(C) Upgrade Azure AD to a premium pricing tier.
(D) Deploy Active Directory Federation Services (AD FS) in the local AD DS domain.
Answer : C
NO.98 Your company has an Azure Active Directory (Azure AD) tenant federated with its on-premises Active Directory Domain Services (AD DS) domain. This domain is named companycs.com. Your company recently purchased another company named CompanyBD. CompanyBD has its own AD DS domain named companybd.net. This domain is not federated with an Azure AD tenant. You need to integrate the companybd.net domain with your Azure AD tenant. You decide to federate this new domain. You attempt to federate the companybd.net domain with Azure AD by using the following cmdlet:
Convert-MsolDomaintoFederated -DomainName companybd.net
You get the following error:
Convert-MsolDomaintoFederated: The federation service identifier specified in the Active Directory Federation Services 2.0 server is already in use. Please correct this value in the AD FS 2.0 Management console and run the command again.
What is the most likely reason for getting this error?
(A) The value for the IssuerUri parameter is companycs.com.
(B) The value for the IssuerUri parameter is adfs.companybd.net.
(C) The value for the IssuerUri parameter is adfs.companycs.com.
(D) The value for the IssuerUri parameter is companybd.net.
Answer : C
NO.99 You are the administrator of the Azure Active Directory (Azure AD) tenant and the Active Directory Domain Services (AD DS) on-premises domain in your company. Your company uses Office 365 as well as other third-party cloud services. Your company uses Windows 8.1 and Windows 10 domain client computers. Your company wants to allow all employees to use their own devices to access the company's resources, using a Bring Your Own Device (BYOD) approach. You need to ensure that your company's assets are still protected while allowing the employees to use their own devices. You also need to keep your current device management capabilities. You plan to deploy Azure AD Join. You should ensure that your solution allows Single Sign-On (SSO). Which two tools should you deploy? Each correct answer presents part of the solution.
(A) Azure AD Connect
(B) System Center Configuration Manager
(C) Active Directory Federation Services
(D) Upgrade all domain client computers to Windows 10
Answer : B;C
NO.100 Your company is evaluating a hybrid identity management strategy for authenticating users accessing applications hosted in Azure. You have the following requirements:
* Users must be able to log in to the Azure-hosted applications using the same username and password as they use on-premises.
* Minimum additional infrastructure is needed to support the sign-on mechanism.
* User accounts revoked on-premises must be instantly revoked in Azure.
* A cloud-based solution should be in place in the event of disaster recovery being invoked. This cloud-based solution will not have the same restriction on instant user revocation.
You need to implement the identity management strategy. Which two identity management solutions should you choose? Each correct answer presents part of the solution.
(A) Cloud authentication
(B) Active Directory Federation Services (ADFS)
(C) Azure AD Connect with Password Synchronization
(D) Azure AD Pass-through Authentication
Answer : C;D
NO.101 You implement Azure Active Directory (Azure AD) Connect to synchronize your on-premises Active Directory objects to Azure AD. You discover that the Domain Users group is not available for assigning permissions to applications in Azure. You need to resolve the issue using the least administrative effort. What should you do?
(A) Move the Domain Users group to an Organizational Unit in Active Directory that is configured for synchronization.
(B) Modify the IsCriticalSystemObject property of the group to False.
(C) Create a new Active Directory group and add all domain users to the group. Synchronize this group with Azure AD.
(D) Set the repsTo property on the Domain Users group to the Azure AD Tenant ID.
Answer : C
NO.102 You configure federated authentication on your Azure subscription for multiple applications. As a part of that work, you enable Home Realm Discovery and set the policy as shown in the exhibit. The majority of your users can successfully access the application, but several users report that they are unable to sign in. You need to resolve the problem. What are two ways to resolve the problem? Each correct answer presents a complete solution.
(A) Change the AllowCloudPasswordValidation value to False.
(B) Change the PreferredDomain value to the domain of the users who cannot login.
(C) Disable Home Realm Discovery.
(D) Add the users who cannot login to the federated.example.edu domain.
Answer : C;D
NO.103 Your company's local environment consists of a single Active Directory Domain Services (AD DS) domain. The company purchases a Microsoft Office 365 E5 subscription, and you plan to configure directory synchronization between AD DS and Azure Active Directory (Azure AD) to support single sign-on (SSO) for your users. You need to ensure that improperly formatted domain user names will not cause synchronization errors. What should you do?
(A) Run the Synchronization Rules Editor.
(B) Run the Synchronization Service Manager.
(C) Run Azure AD Connect in custom mode.
(D) Run the IdFix tool.
Answer : D
NO.104 One of your colleagues used Azure AD Connect to synchronize all Active Directory domain user and group accounts to your Azure Active Directory (Azure AD) tenant. As a result, authorized domain users have single sign-on (SSO) access to internally developed software-as-a-service (SaaS) apps that rely on Azure AD authentication. You need to reconfigure directory synchronization to exclude domain service accounts and user identities that should not have access to the SaaS application. What should you do?
(A) Run the Synchronization Rules Editor.
(B) Stop the synchronization service.
(C) Configure conditional access in Azure AD.
(D) Re-run Azure AD Connect.
Answer : D
NO.105 Your company recently purchased an Office 365 subscription. Your company has an on-premises Active Directory Domain Services (AD DS) domain. You configure smartcard authentication support for some specific users. You want to ensure that users can access all Office 365 applications without typing their password. You also want to ensure that they use the same password for the AD DS company domain and Office 365. You need to deploy a solution that meets all the company's requirements. Which solution should you deploy?
(A) Active Directory Federation Services (AD FS) and Seamless Single Sign-On (SSO)
(B) Active Directory Federation Services (AD FS)
(C) Azure AD Connect with pass-through authentication and Seamless Single Sign-On (SSO)
(D) Azure AD Connect with pass-through authentication
(E) Azure AD Connect with password hash synchronization
(F) Azure AD Connect with password hash synchronization and Seamless Single Sign-On (SSO)
Answer : B
NO.106 You are asked to connect your new Office 365 subscription with your on-premises Active Directory Domain Services (AD DS) domain. You configure Azure AD Connect and enable Seamless Single Sign-On (SSO). You need to configure Group Policy Object (GPO) support for SSO. Which two policies or settings should you configure? Each correct answer presents part of the solution.
(A) Allow updates to status bar via script for Internet Zone
(B) Allow updates to status bar via script for Intranet Zone
(C) Turn on Notification bar notification for intranet content
(D) Internet Zone Template
(E) Site to Zone Assignment List
(F) Intranet Zone Template
Answer : B;E
NO.107 You configure Azure AD Connect to synchronize your on-premises Active Directory Domain Services (AD DS) domain with your Office 365 subscription. You enable the password hash synchronization feature. Then, you sync all user accounts that are assigned to an employee. You also configure group-based filtering. A user indicates that she cannot log in to Office 365 applications. However, she is able to log in successfully through her company's workstations. You need to troubleshoot the password synchronization process. After some investigation, you realize that this user has been moved to another job position in the company. What is the most likely cause of the login problem?
(A) The user object has been disabled.
(B) The user object has selected the User must change password at next logon setting.
(C) You have configured the cloudFiltered attribute.
(D) The user object has been moved to another security group.
Answer : D
NO.108 You are asked to create a new set of Azure Active Directory (Azure AD) security groups that represent the entire hierarchy of a manager's team. This is to include people managed by the manager but not people managed by the manager's own team. For example, if Bob manages Tom and Tom manages Fred, the group must include Tom but not Fred. The group should also update dynamically as people change managers over time. You need to implement the request using the least amount of administrative effort. What should you do?
(A) Create new groups using the Direct Reports rule.
(B) Create new Azure AD groups for each manager and use a custom script to detect ManagerID attribute changes and modify the group membership accordingly.
(C) Construct dynamic groups in Azure AD using a ruleset including the ManagerID property.
(D) Create multiple Azure AD groups and add the members with the same ManagerID attribute value to each group.
Answer : A
NO.109 Your company has an Azure subscription configured with an Azure Active Directory (Azure AD) tenant. This tenant is used for managing user information. Your company also has a line-of-business (LOB) application that uses the Azure AD tenant for getting information from users. You are asked to update the mobile attribute of all tenant users. You need to perform this task using the least administrative effort. What should you do?
(A) Use the Set-AzureADUser cmdlet.
(B) Use the Set-MsolUser cmdlet.
(C) Use the Invoke-RestMethod cmdlet to call the Graph API.
(D) Use the Set-ADUser cmdlet.
Answer : A
NO.110 Due to a recent corporate reorganization, team members in the Accounting department are now part of the Finance department. You need to change the Department property for 36 Azure AD user accounts. Your solution must minimize administrative effort and make future bulk updates easier to perform. What should you do?
(A) Write a Desired State Configuration (DSC) script and deploy it using Azure Automation.
(B) Write a PowerShell script using the AzureAD module.
(C) Write a PowerShell Azure Function using the AzureRM.Profile module.
(D) Write a PowerShell workflow using the MSOnline module and a comma-separated value (CSV) file containing the relevant usernames.
Answer : B
NO.111 You hire another administrator who will be responsible for managing all infrastructure-as-a-service (IaaS) deployments in your Azure subscription. You create a new Azure Active Directory (Azure AD) user account for the new hire. You need to configure the new user account to meet the following requirements:
* Read/write access to all Azure IaaS deployments
* Read-only access to Azure AD
* No access to Azure subscription metadata
Your solution must also minimize your access maintenance in the future. What should you do?
(A) Assign the user the Virtual Machine Operator role at the subscription level.
(B) Assign the user the Global administrator directory role.
(C) Assign the user the Contributor role at the resource group level.
(D) Assign the user the Owner role at the resource level.
Answer : C
NO.112 Your company has an Azure Active Directory (Azure AD) tenant named companycs.com, for managing all users that need to access the resources deployed in their Azure subscription. You need to grant access to an external consultant to some of the resources deployed in your subscription. This external consultant will use her own email address as her username. The company of the external consultant does not use Office 365 or any other Azure AD tenant. Which PowerShell cmdlet should you use?
(A) New-AzureADMSInvitation
(B) New-MsolUser
(C) New-AzureADUser
(D) New-ADUser
Answer : A