
Answer Summary

Below is a summary of your answers.

Question 1 of 50
You have a Microsoft Entra tenant named contoso.com. Microsoft Entra Connect is
configured to sync users to the tenant.

You need to assign licenses to the users based on Microsoft Entra ID attributes.
The solution must minimize administrative effort.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Assign the licenses to the dynamic groups.
This answer is correct.
Create dynamic groups.
This answer is correct.
Correct Answer
Assign the licenses to the dynamic groups.
This answer is correct.
Create dynamic groups.
This answer is correct.
To assign licenses to users based on Microsoft Entra ID attributes, you must create
a dynamic security group and configure rules based on custom attributes. The
dynamic group must be added to a license group for automatic synchronization. All
users in the groups will get the license automatically. Microsoft Entra evaluates
the users in the organization that are in scope for an assignment policy rule and
creates assignments for the users who don't have assignments to an access package;
automatic assignment policies are not used for licensing.

Assign licenses to a group - Azure Active Directory - Microsoft Entra | Microsoft
Learn

Configure user and group accounts - Training | Microsoft Learn

Question 2 of 50
You have an Azure subscription.

From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following
details:

Id: 8755b347-3545-3876-3987-999999999999
DisplayName: Ben Smith
Mail: [email protected]
UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com
Which statement accurately describes the user?

Your Answer
The user is a guest in the tenant.
This answer is correct.
Correct Answer
The user is a guest in the tenant.
This answer is correct.
For guest users, the user principal name (UPN) will contain the email of the guest
user (bsmith_contoso.com) followed by #EXT# followed by the domain name of the
tenant (@fabrikam.com). Regular Microsoft Entra users appear in a format of
[email protected].
B2B collaboration overview - Azure AD - Microsoft Entra | Microsoft Learn

Question 3 of 50
You have a Microsoft Entra tenant.

You create a new user named User1.

You need to assign a Microsoft 365 E5 license to User1.

Which user attribute should be configured for User1 before you can assign the
license?

Your Answer
Usage location
This answer is correct.
Correct Answer
Usage location
This answer is correct.
Not all Microsoft 365 services are available in all locations. Before a license can
be assigned to a user, you must specify the Usage location. The attributes of First
name, Last name, Other email address, and User type are not mandatory for license
assignment.

Assign or remove licenses - Microsoft Entra | Microsoft Learn

Question 4 of 50
Your Microsoft Entra tenant and on-premises Active Directory domain contain
multiple users.

You need to configure self-service password reset (SSPR) password writeback
functionality. The solution must minimize costs.

Which Microsoft Entra ID edition should you use?

Your Answer
Microsoft Entra ID P1
This answer is correct.
Correct Answer
Microsoft Entra ID P1
This answer is correct.
Only Microsoft Entra ID P1 and P2 support SSPR, but Microsoft Entra ID P1 is the
lower cost option.

Enable Azure Active Directory self-service password reset - Microsoft Entra |
Microsoft Learn

What is self-service password reset in Azure Active Directory? - Training |
Microsoft Learn

Question 5 of 50
You have an Azure subscription that contains multiple users and administrators.

You are creating a new custom role by using the following JSON.

{
  "Name": "Custom Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Custom Role description",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
    "Microsoft.Compute/snapshots/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}

Which three actions can be performed by a user that is assigned the custom role?
Each correct answer presents a complete solution.

Your Answer
Call Microsoft Support.
This answer is correct.
Create and read a snapshot.
This answer is correct.
Read all virtual machine settings.
This answer is correct.
Correct Answer
Call Microsoft Support.
This answer is correct.
Create and read a snapshot.
This answer is correct.
Read all virtual machine settings.
This answer is correct.
The role allows a user to read all compute resources, call Microsoft Support, and
create and read a snapshot.

Azure custom roles - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 6 of 50
You have the following resource groups, management groups, and Azure subscriptions:

Two resource groups named RG1 and RG2 that are associated with a subscription named
111-222-333 and a management group named MG1
Two resource groups named RG3 and RG4 that are associated with a subscription named
777-888-999 and a management group named MG1
Two resource groups named RG5 and RG6 that are associated with a subscription named
444-555-666 and a management group named MG1
Two resource groups named RG10 and RG11 that are associated with a subscription
named 222-333-444 and a management group named MG2
Two resource groups named RG11 and RG12 that are associated with a subscription
named 555-666-888 and a management group named MG2
You need to assign a role to a user to ensure the user can view all the resources
in the subscriptions. The solution must use the principle of least privilege.

Which role should you assign?

Your Answer
the Reader role for MG1 and MG2
This answer is correct.
Correct Answer
the Reader role for MG1 and MG2
This answer is correct.
Assigning the Reader role for MG1 and MG2 is correct because the simplest way to
give a user access to all resources is to assign a role at the management group
level.

Steps to assign an Azure role - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 7 of 50
You have an Azure subscription that contains a resource group named RG1. RG1
contains a virtual machine that runs daily reports.

You need to ensure that the virtual machine shuts down when resource group costs
exceed 75 percent of the allocated budget.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Create an action group of type Runbook, and then select **Stop VM** as an action.
This answer is correct.
From Cost Management + Billing, modify the Budgets settings.
This answer is correct.
Correct Answer
Create an action group of type Runbook, and then select **Stop VM** as an action.
This answer is correct.
From Cost Management + Billing, modify the Budgets settings.
This answer is correct.
You must go to Cost Management + Billing, and then Budgets to edit the budget
associated with the resource group resources. You must also create a new action
group of the Runbook type, and then choose Stop VM as an action. The cost analysis
will not stop the virtual machine from running and the Scale Up VM action group is
not required.

Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft
Learn

Question 8 of 50
You have an Azure subscription that contains hundreds of virtual machines that were
migrated from a local datacenter.

You need to identify which virtual machines are underutilized.

Which Azure Advisor settings should you use?

Your Answer
Cost
This answer is correct.
Correct Answer
Cost
This answer is correct.
The Cost blade allows you to optimize and reduce your overall Azure spending. You
can use this to identify the virtual machines that are underutilized. The
Performance blade allows you to improve the speed of your applications. High
availability is unavailable via Azure Advisor. Operational Excellence helps you
achieve process and workflow efficiency, resource manageability, and deployment
best practices.

Introduction to Azure Advisor - Training | Microsoft Learn

Question 9 of 50
You have an Azure subscription that contains 200 virtual machines.

You plan to use Azure Advisor to provide cost recommendations when underutilized
virtual machines are detected.

You need to ensure that all Azure admins are notified whenever an Advisor alert is
generated. The solution must minimize administrative effort.

What should you configure?

Your Answer
an action group
This answer is correct.
Correct Answer
an action group
This answer is correct.
Whenever Azure Advisor detects a new recommendation for resources, an event is
stored in the Azure Activity log. You can set up alerts for these events from Azure
Advisor. You can select a subscription and optionally a resource group to specify
the resources for which you want to receive alerts. You also need to create an
action group that will contain all the users to be notified.

Improve incident response with Azure Monitor alerts - Training | Microsoft Learn

Create Azure Advisor alerts for new recommendations using Azure portal - Azure
Advisor | Microsoft Learn

Question 10 of 50
You are responsible for managing user identities and governance within your Azure
environment.

You need to ensure that a new employee can create and manage user accounts and
groups, manage support tickets, and monitor service health.
You need to use the principle of least privilege.

Which Microsoft Entra role should you assign to the new employee?

Your Answer
User Administrator
This answer is correct.
Correct Answer
User Administrator
This answer is correct.
The User Administrator role allows creation and management of users and groups,
managing support tickets, and monitoring service health. The Global Administrator
has more permissions than required. The Billing Administrator is focused on
financial aspects and the Service Administrator is a classic role with full access
to Azure services, which is not required for user and group management.

Azure roles, Microsoft Entra roles, and classic subscription administrator roles |
Microsoft Learn

Manage app and resource access by using Microsoft Entra groups - Training |
Microsoft Learn

Question 11 of 50
Contoso, Ltd. has multiple Azure subscriptions and resources that need to be
efficiently managed.

You need to manage access, policies, and compliance across all subscriptions in a
unified manner.

What should you do? Each correct answer presents part of the solution. Select
three.

Your Answer
Create a management group and assign all subscriptions to it.
This answer is correct.
Apply necessary policies at the management group level.
This answer is correct.
Configure role-based access control at the management group level.
This answer is correct.
Correct Answer
Create a management group and assign all subscriptions to it.
This answer is correct.
Apply necessary policies at the management group level.
This answer is correct.
Configure role-based access control at the management group level.
This answer is correct.
Creating a management group and assigning all subscriptions to it allows for
efficient management of access, policies, and compliance across all subscriptions.
Applying policies and configuring role-based access control at the management group
level ensures that these settings are inherited by all subscriptions within the
group. Managing each subscription individually or applying policies and access
control at the individual resource level would not be as efficient or unified.

Organize your Azure resources effectively - Cloud Adoption Framework | Microsoft
Learn

Create management groups - Training | Microsoft Learn


Question 12 of 50
You need to create an Azure Storage account that supports the Azure Data Lake
Storage Gen2 capabilities.

Which two types of storage accounts can you use? Each correct answer presents a
complete solution.

Your Answer
standard general-purpose v2
This answer is correct.
premium page blobs
This answer is incorrect.
Correct Answer
premium block blobs
This answer is correct.
standard general-purpose v2
This answer is correct.
To support Data Lake Storage, the storage account must support blob storage, which
is available as standard general-purpose v2 and premium block blobs. Additionally,
when you create the storage account, you must enable the hierarchical namespace.

Create a storage account for Azure Data Lake Storage Gen2 - Azure Storage |
Microsoft Learn

Determine storage account types - Training | Microsoft Learn

Question 13 of 50
You have an Azure Storage account.

You need to copy data to the storage account by using the AzCopy tool.

Which two types of data storage are supported by AzCopy? Each correct answer
presents a complete solution.

Your Answer
blob
This answer is correct.
file
This answer is correct.
Correct Answer
blob
This answer is correct.
file
This answer is correct.
You can provide authorization credentials by using Microsoft Entra, or by using a
shared access signature (SAS) token. Both storage types, blob and file, are
supported in AzCopy.

Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn

Upload, download, and manage data with Azure Storage Explorer - Training |
Microsoft Learn

Question 14 of 50
You plan to configure object replication between two Azure Storage accounts.

The Blob service of the source storage account has the following settings:

Hierarchical namespace: Disabled


Default access tier: Hot

Blob public access: Enabled

Blob soft delete: Enabled (7 days)

Container soft delete: Enabled (7 days)

Versioning: Disabled

Change feed: Enabled

NFS v3: Disabled

Allow cross-tenant replication: Enabled

Which setting should be modified on the source storage account to support object
replication?

Your Answer
Hierarchical namespace
This answer is incorrect.
Correct Answer
Versioning
This answer is correct.
Versioning must be enabled for both the source and destination accounts. In this
scenario, versioning is currently disabled.

Object replication overview - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 15 of 50
You have an Azure Storage account named storageaccount1 with a blob container named
container1 that stores confidential information.

You need to ensure that content in container1 is not modified or deleted for six
months after the last modification date.

What should you configure?

Your Answer
the immutability policy
This answer is correct.
Correct Answer
the immutability policy
This answer is correct.
A time-based retention policy or legal hold policies can be applied to block
deletion. Immutability policies can be scoped to a blob version or to a container.

Overview of immutable storage for blob data - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 16 of 50
You create an Azure Storage account.

You need to create a lifecycle management rule to move blobs to Cool storage if the
blobs have not been used for 30 days.

What should you do first?

Your Answer
Refresh the blob inventory.
This answer is incorrect.
Correct Answer
Enable access tracking.
This answer is correct.
A lifecycle management rule can be used to move or delete blobs automatically. The
rule can be based on the time the blob was last modified or the time the blob was
last accessed (read or write). To perform an action based on the access time,
access tracking must be enabled. This can incur additional storage costs.

Configure a lifecycle management policy - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 17 of 50
You have an Azure Storage account that contains a file share.

Several users work from a secure location that limits outbound traffic to the
internet.

You need to ensure that the users at the secure location can access the file share
in Azure by using SMB protocol.

Which outbound port should you allow from the secure location?

Your Answer
445
This answer is correct.
Correct Answer
445
This answer is correct.
For accessing the file share, port 445 must be open. Port 5671 is used to send
health information to Microsoft Entra. It is recommended, but not required, in the
latest versions. Port 80 is used to download certificate revocation lists (CRLs) to
verify TLS/SSL certificates. Port 443 is used for https traffic, for example to
sync AD DS with Microsoft Entra.

Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft
Learn

Configure Azure Storage security - Training | Microsoft Learn

Question 18 of 50
You have an Azure subscription that contains a storage account named storage1.

You need to provide storage1 with access to a partner organization. Access to
storage1 must expire after 24 hours.

What should you configure?

Your Answer
a shared access signature (SAS)
This answer is correct.
Correct Answer
a shared access signature (SAS)
This answer is correct.
A SAS provides secure delegated access to resources in a storage account. With a
SAS, you have granular control over how a client can access data, including time
restrictions.

Access keys and Azure CDN provide permanent access to resources. They will require
manual steps to remove access. Lifecycle management is not needed.

Configure Azure Storage security - Training | Microsoft Learn

Grant limited access to data with shared access signatures (SAS) - Azure Storage |
Microsoft Learn

Question 19 of 50
You have an Azure subscription that contains a storage account named storage1.

You need to ensure that public network access is disabled from all networks,
including the internet.

What should you configure on storage1?

Your Answer
Networking
This answer is correct.
Correct Answer
Networking
This answer is correct.
The Networking node of a storage account provides settings to configure public
network access and network routing. You can disable public network access
entirely, or configure the access to only allow specific virtual networks and IP
addresses.

Configure Azure Storage security - Training | Microsoft Learn

Configure Azure Storage firewalls and virtual networks | Microsoft Learn

Question 20 of 50
You have an Azure subscription.

You plan to create a storage account named storage1.

You need to ensure that storage1 provides POSIX-compliant access control lists
(ACLs).

Which option should you configure when creating storage1?

Your Answer
hierarchical namespace
This answer is correct.
Correct Answer
hierarchical namespace
This answer is correct.
To enable POSIX-compliant access control lists (ACLs), the hierarchical namespace
must be used. The remaining options are valid for a storage account, but do not
provide the POSIX-compliant feature.

Azure Data Lake Storage Gen2 Hierarchical Namespace | Microsoft Learn


Configure storage accounts - Training | Microsoft Learn

Question 21 of 50
A company is using Azure Blob Storage to store large amounts of unstructured data
that is accessed infrequently but requires fast retrieval when needed.

You need to minimize storage costs while ensuring data retrieval performance is not
compromised.

Each correct answer presents part of the solution. Select three.

Your Answer
Configure the access tier of the Azure Blob Storage account to Cool.
This answer is correct.
Correct Answer
Configure the access tier of the Azure Blob Storage account to Cool.
This answer is correct.
The Cool access tier is cost-effective for storing large amounts of data that is
infrequently accessed. The Hot access tier is more expensive and is optimized for
data that is accessed frequently. Object replication is not related to cost
optimization but rather to data availability and redundancy. Upgrading to a
general-purpose v2 storage account does not directly address the need for
cost-effective storage for infrequently accessed data.

Storage account overview - Azure Storage | Microsoft Learn

Connect Azure Storage Explorer to a storage account - Training | Microsoft Learn

Question 22 of 50
You have an Azure subscription that contains a resource group named RG1.

You have an Azure Resource Manager (ARM) template for an Azure virtual machine.

You need to use PowerShell to provision a virtual machine in RG1 by using the
template.

Which PowerShell cmdlet should you run?

Your Answer
New-AzManagementGroupDeployment
This answer is incorrect.
Correct Answer
New-AzResourceGroupDeployment
This answer is correct.
Virtual machines are deployed to resource groups, so you must run the
New-AzResourceGroupDeployment cmdlet. You cannot deploy virtual machines to
subscriptions or management groups directly; therefore,
New-AzManagementGroupDeployment and New-AzSubscriptionDeployment cannot be used.
New-AzVM can be used to provision a new virtual machine, but without using a
template.

Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft
Learn

Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft
Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

Question 23 of 50
You have an Azure Resource Manager (ARM) template named deploy.json that is stored
in an Azure Blob storage container.

You plan to deploy the template by running the New-AzDeployment cmdlet.

Which parameter should you use to reference the template?

Your Answer
-TemplateUri
This answer is correct.
Correct Answer
-TemplateUri
This answer is correct.
The PowerShell deployment cmdlets can be used to deploy JSON templates that are
stored locally, in a resource group as a template spec, or in a web-based
location. You can use the -TemplateUri parameter to specify a web-based location,
such as GitHub or an Azure Blob Storage account. You can use -TemplateFile to
specify a local file. You can use -TemplateSpecId to specify a template that was
saved to Azure as a template spec.

Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft
Learn

Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft
Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

Question 24 of 50
You plan to deploy an Azure virtual machine based on a basic template stored in the
Azure Resource Manager (ARM) library.

What can you configure during the deployment of the template?

Your Answer
the size of virtual machine
This answer is incorrect.
Correct Answer
the resource group
This answer is correct.
When you deploy a resource by using a template, you can specify the resource group
for the deployment. The resource group is a container for Azure resources and makes
it easier to manage the resources.

Deploy template - Azure portal - Azure Resource Manager | Microsoft Learn

New-AzResourceGroupDeployment (Az.Resources) | Microsoft Learn

Question 25 of 50
You have an Azure virtual network that contains two subnets named Subnet1 and
Subnet2. You have a virtual machine named VM1 that is connected to Subnet1. VM1
runs Windows Server.

You need to ensure that VM1 is connected directly to both subnets.

What should you do first?

Your Answer
From the Azure portal, add a network interface.
This answer is correct.
Correct Answer
From the Azure portal, add a network interface.
This answer is correct.
A network interface is used to connect a virtual machine to a subnet. Since VM1 is
connected to Subnet1, VM1 already has a network interface attached that is
connected to Subnet1. To connect VM1 directly to Subnet2, you must create a new
network interface that is connected to Subnet2. Next, you must attach the new
network interface to VM1.

An IP group is a user-defined collection of static IP addresses, ranges, and
subnets. A network bridge allows you to connect multiple existing network
connections in Windows together. Changing the IP configurations of the existing
network interface results in VM1 being connected to Subnet2 but not to Subnet1.

Virtual networks and virtual machines in Azure | Microsoft Learn

Configure virtual networks - Training | Microsoft Learn

Question 26 of 50
Your company plans to host an application on four Azure virtual machines.

You need to ensure that at least two virtual machines are available if a single
Azure datacenter fails.

Which availability option should you select for the virtual machine?

Your Answer
an availability zone
This answer is correct.
Correct Answer
an availability zone
This answer is correct.
To protect against datacenter level failures, and if you want connectivity to
multiple machines, you must ensure that the virtual machines are deployed across
various availability zones.

What are Azure regions and availability zones? | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

Question 27 of 50
You are deploying a virtual machine by using an availability set in the East US
Azure region.

You have deployed 18 virtual machines in two fault domains and 10 update domains.

Microsoft performed planned physical hardware maintenance in the East US region.

What is the maximum number of virtual machines that will be unavailable?

Your Answer
8
This answer is incorrect.
Correct Answer
2
This answer is correct.
18 virtual machines are shared across 10 update domains. The first 10 virtual
machines go to 10 update domains, so eight update domains will have two virtual
machines. When there is physical hardware maintenance, some virtual machines will
be unavailable based on their configuration. If there was a rack failure, then 18
virtual machines will be distributed to two fault domains with nine virtual
machines each.

Availability sets overview - Azure Virtual Machines | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

Question 28 of 50
You have an Azure subscription that contains a Docker container image named
container1.

You plan to create a new Azure web app named WebApp1.

You need to ensure that you can use container1 for WebApp1.

Which WebApp1 setting should you configure?

Your Answer
Publish
This answer is correct.
Correct Answer
Publish
This answer is correct.
If you want to run a Docker container as an Azure web service, you must configure
the Publish option and select Docker container.

Runtime stack specifies the stack that you want to use for the web app. If you want
to deploy a Docker container as web app, the runtime stack option is unavailable.

Pricing plan specifies the location, features, and costs of the web app.

Continuous deployment is a strategy for software releases. This option is
unavailable when you publish a Docker container as an Azure web app.

Overview - Azure App Service | Microsoft Learn

Configure Azure Container Instances - Training | Microsoft Learn

Question 29 of 50
You have an Azure subscription that contains an Azure App Service web app named
App1.

You have the following diagnostic logging configurations:

Application Logging (FileSystem): Error
Application Logging (Blob): Information
Detailed Error Message: Warning
Web Server Logging: Verbose

You need to configure diagnostic logging to store all warnings or higher.

Which types of diagnostic logging and severity should you enable?

Your Answer
Application Logging (Blob)
This answer is correct.
Application Logging (FileSystem)
This answer is incorrect.
Detailed Error Message
This answer is incorrect.
Correct Answer
Application Logging (Blob)
This answer is correct.
Warning
This answer is correct.
You must enable the Application Logging (Blob) diagnostic, which can be stored for
more than a week. You must also set the severity level to warning, to store
warning, error, and critical log messages.

Enable diagnostics logging - Azure App Service | Microsoft Learn

Configure Azure App Service - Training | Microsoft Learn

Question 30 of 50
You have a Basic Azure App Service plan that contains a web app.

You need to ensure that the web app can scale automatically when the CPU percentage
goes beyond 80 percent for a duration of 15 minutes.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Configure a scaling condition to scale based on a metric, and then add the rules.
This answer is correct.
Scale out the App Service plan.
This answer is incorrect.
Correct Answer
Configure a scaling condition to scale based on a metric, and then add the rules.
This answer is correct.
Scale up the App Service plan.
This answer is correct.
Scale up the web app by adding more CPU, memory, and disk space to fulfill the
requirement. Increase the number of virtual machine instances that run the app. The
scale settings take only seconds to apply and affect all the apps in the App
Service plan. Then, you must set up a scaling condition with the required metrics
to scale up/down and scale out/in when certain thresholds are met.

Scale up features and capacities - Azure App Service | Microsoft Learn

Configure Azure App Service - Training | Microsoft Learn

Question 31 of 50
You need to create an Azure App Service web app that runs on Windows. The web app
requires scaling to five instances, 45 GB of storage, and a custom domain name. The
solution must minimize costs.

Which App Service plan should you use?

Your Answer
Standard
This answer is correct.
Correct Answer
Standard
This answer is correct.
The Standard service plan can host unlimited web apps, up to 50 GB of disk space,
and up to 10 instances. The plan will cost approximately $0.10/hour. The Free plan
only offers 1 GB of disk size and 0 instances to host the app. The Premium plan
offers 250 GB of disk space and up to 30 instances and will cost approximately
$0.20/hour. The Basic plan offers 10 GB of disk space and up to three virtual
machines.

App Service Pricing | Microsoft Azure

Configure Azure App Service plans - Training | Microsoft Learn

Question 32 of 50
You have an Azure subscription that contains a resource group named RG1. RG1
contains an application named App1 and a container app named containerapp1.

App1 is experiencing performance issues when attempting to add messages to the
containerapp1 queue.

You need to create a job to perform an application resource cleanup when a new
message is added to a queue.

Which command should you run?

Your Answer
az containerapp job create \ --name "my-job" --resource-group "RG1" --trigger-type
"Event" \ --replica-timeout 60 --replica-retry-limit 1 ...
This answer is correct.
Correct Answer
az containerapp job create \ --name "my-job" --resource-group "RG1" --trigger-type
"Event" \ --replica-timeout 60 --replica-retry-limit 1 ...
This answer is correct.
Azure Container Apps jobs enable you to run containerized tasks that execute for a
finite duration, and then exit. You can use jobs to perform tasks such as data
processing, machine learning, or any scenario where on-demand processing is
required. Container apps and jobs run in the same environment, allowing them to
share capabilities such as networking and logging.

A job's trigger type determines how the job is started. The following trigger types
are available:

Manual: Manual jobs are triggered on demand.

Schedule: Scheduled jobs are triggered at specific times and can run repeatedly.

Event: Event-driven jobs are triggered by events such as a message arriving in a
queue.

Jobs in Azure Container Apps (preview) | Microsoft Learn

Question 33 of 50
You are an Azure Administrator for Best For You Organics Company. The company uses
ARM templates for deploying resources.

You need to pass an array as an inline parameter during the deployment of a local
template.

What should you do?

Your Answer
Provide the array values in the --parameters switch in the deployment command.
This answer is correct.
Correct Answer
Provide the array values in the --parameters switch in the deployment command.
This answer is correct.
To pass an array as an inline parameter during the deployment of a local template,
you should provide the array values in the --parameters switch in the deployment
command. The other options are not correct methods for passing an array as an
inline parameter.

Azure deployment templates with Azure CLI – Azure Resource Manager - Azure Resource
Manager | Microsoft Learn

Explore Azure Resource Manager template structure - Training | Microsoft Learn

Question 34 of 50
You have two Azure subscriptions named Sub1 and Sub2.

Sub1 contains a virtual network named VNet1 and a VPN gateway. Sub2 contains a
virtual network named VNet2.

You have an on-premises device named Device1 that runs Windows and has a Point-to-
Site (P2S) VPN client installed.

You configure network peering between VNet1 and VNet2.

You need to ensure that Device1 can access VNet2 when a VPN connection is
established.

What should you do?

Your Answer
Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Correct Answer
Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Point-to-Site (P2S) VPN clients must be downloaded and reinstalled again after
virtual network peering is successfully configured to ensure that the new routes
are downloaded to the client.

A private endpoint and Azure Front Door are neither required nor used to access
VNet2 from VNet1.

Device1 already has a digital certificate when you install the P2S VPN client, so
you do not need to create a new certificate manually.

Create, change, or delete an Azure virtual network peering | Microsoft Learn

Configure virtual network peering - Training | Microsoft Learn

Question 35 of 50
You create several Azure virtual machines that run Windows Server.

You need to connect to the virtual machines without exposing RDP ports over the
internet.

Which Azure service should you deploy?

Your Answer
Azure Bastion
This answer is correct.
Correct Answer
Azure Bastion
This answer is correct.
Azure Bastion is a service that lets you connect to a virtual machine by using a
browser, without exposing RDP and SSH ports. Azure Monitor helps you maximize the
availability and performance of applications and services. Azure Network Watcher
provides tools to monitor, diagnose, view metrics, and enable or disable logs for
resources in an Azure virtual network. Remote Desktop is a feature of the operating
system, which exposes the RDP port to connect to a server from the internet.

About Azure Bastion | Microsoft Learn

Configure virtual networks - Training | Microsoft Learn

Question 36 of 50
You have three network security groups (NSGs) named NSG1, NSG2, and NSG3. Port 80
is blocked in NSG3 and allowed in NSG1 and NSG2.

You have four Azure virtual machines that have the following configurations:

VM1:

Subnet: Subnet1
Network card: NIC1
NIC1 is assigned to NSG2.

VM2:

Subnet: Subnet1
Network card: NIC2
NIC2 is assigned to NSG3.

VM3:

Subnet: Subnet3
Network card: NIC3
NIC3 is assigned to NSG3.

VM4:

Subnet: Subnet2

You have the following subnets:

Subnet1 is assigned to NSG1.
Subnet2 is assigned to NSG3.
Subnet3 does not have an NSG assigned.

Which virtual machine will allow traffic from the internet on port 80?

Your Answer
VM1
This answer is correct.
Correct Answer
VM1
This answer is correct.
On VM1, the NSGs assigned to both Subnet1 and NIC1 allow traffic on port 80.
On VM2, NSG1 allows traffic, but NSG3 blocks traffic for the network interface. On
VM3 and VM4, NSG3 blocks traffic.

Network security group - how it works | Microsoft Learn

Configure network security groups - Training | Microsoft Learn


Question 37 of 50
Your company plans to migrate servers from on-premises to Azure. There will be dev,
test, and production virtual machines on a single virtual network.

You need to restrict traffic between the dev, test, and production virtual machines
to specific ports.

What should you use?

Your Answer
a network security group (NSG)
This answer is correct.
Correct Answer
a network security group (NSG)
This answer is correct.
You must configure network security group (NSG) rules to allow TCP or ICMP traffic
for specific ports. Azure Firewall is a managed service that protects your Azure
services across multiple virtual networks. Load balancers are used to distribute
incoming traffic to available backend servers. Azure VPN is used to establish a
connection between on-premises and Azure.

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 38 of 50
You have an Azure subscription that contains an ASP.NET application. The
application is hosted on four Azure virtual machines that run Windows Server.

You have a load balancer named LB1 that load balances requests to the virtual
machines.

You need to ensure that site users connect to the same web server for all requests
made to the application.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Set Session persistence to Client IP.
This answer is correct.
Set Session persistence to Protocol.
This answer is correct.
Correct Answer
Set Session persistence to Client IP.
This answer is correct.
Set Session persistence to Protocol.
This answer is correct.
By setting Session persistence to Client IP and Protocol, you ensure that site
users connect to the same web server for all requests made to the application.
Setting Session persistence to None disables sticky sessions, and an inbound NAT
rule is used to forward traffic from a load balancer frontend to a backend pool.

Azure Load Balancer distribution modes | Microsoft Learn

Configure Azure Load Balancer - Training | Microsoft Learn

Question 39 of 50
You migrate a web app from on-premises to an Azure virtual machine. The web app was
configured by using load balancing in Azure.

Users experience issues when accessing the web app. You suspect an issue with the
web server and must check whether the server is listening on port 80.

Which command should you run?

Your Answer
Test-NetConnection localhost
This answer is incorrect.
Correct Answer
netstat -an
This answer is correct.
Using netstat -an will list the ports that the server is listening on.
Test-NetConnection will perform a ping/ICMP test. Nbtstat -c checks the NBT cache.
Get-AzVirtualNetwork gets the virtual networks in a resource group.

Troubleshoot Azure Load Balancer | Microsoft Learn

Configure Azure Load Balancer - Training | Microsoft Learn

Question 40 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 has a
virtual network named VNet3, a virtual machine named VM1, and a public IP address
named PubIP1. All the resources are in the West US Azure region.

You plan to create and configure a network security group (NSG) named NSG1 for the
following types of traffic:

Remote Desktop Management
HTTP

NSG1 will be used on the subnets of multiple virtual networks.

Which two cmdlets should you run? Each correct answer presents part of the
solution.

Your Answer
New-AzNetworkSecurityGroup
This answer is correct.
New-AzNetworkSecurityRuleConfig
This answer is correct.
Correct Answer
New-AzNetworkSecurityGroup
This answer is correct.
New-AzNetworkSecurityRuleConfig
This answer is correct.
New-AzNetworkSecurityRuleConfig allows you to create a rule and provide the type,
protocol, direction, and port number. New-AzNetworkSecurityGroup creates a network
security group (NSG). -SecurityRules specifies a list of network security rule
objects to create in an NSG.

New-AzNetworkSecurityRuleConfig (Az.Network) | Microsoft Learn

New-AzNetworkSecurityGroup (Az.Network) | Microsoft Learn

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn


Question 41 of 50
You have an Azure subscription that contains a virtual network named VNet1.

You plan to deploy a virtual machine named VM1 to be used as a network inspection
appliance.

You need to ensure that all network traffic passes through VM1.

What should you do?

Your Answer
Configure a user-defined route.
This answer is correct.
Correct Answer
Configure a user-defined route.
This answer is correct.
Azure automatically creates a route table for each subnet on an Azure virtual
network and adds system default routes to the table. You can override some of the
Azure system routes with custom user-defined routes and add more custom routes to
route tables. Azure routes outbound traffic from a subnet based on the routes on a
subnet's route table.

Azure virtual network traffic routing | Microsoft Learn

Question 42 of 50
You have an Azure subscription that contains an Azure DNS zone named contoso.com.

You add a new subdomain named test.contoso.com.

You plan to delegate test.contoso.com to a different DNS server.

How should you configure the domain delegation?

Your Answer
Add an NS record set named test to the contoso.com zone.
This answer is correct.
Correct Answer
Add an NS record set named test to the contoso.com zone.
This answer is correct.
You must create a DNS NS record set named test in the contoso.com zone. An NS zone
must be created at the apex of the zone named contoso.com. You do not need to
create the SOA record set in test.contoso.com. It must only be created in
contoso.com. You do not need to create or modify the DNS A record.

Delegate a subdomain - Azure DNS | Microsoft Learn

Host your domain on Azure DNS - Training | Microsoft Learn

Question 43 of 50
You have an Azure virtual network named VNet1.

You create an Azure Private DNS zone named contoso.com.

You need to ensure that the virtual machines on VNet1 register in the contoso.com
private DNS zone.

What should you do?


Your Answer
Add a virtual network link to contoso.com.
This answer is correct.
Correct Answer
Add a virtual network link to contoso.com.
This answer is correct.
To associate a virtual network to a private DNS zone, you add the virtual network
to the zone by creating a virtual network link.

Azure DNS Private Resolver is used to proxy DNS queries between on-premises
environments and Azure DNS.

A custom DNS server will work if you deploy a DNS server as a virtual machine or an
appliance; however, this configuration does not work with a private DNS zone.

Quickstart - Create an Azure private DNS zone using the Azure portal | Microsoft
Learn

Host your domain on Azure DNS - Training | Microsoft Learn

Question 44 of 50
You need to create Azure alerts based on metric values and activity log events.

The solution must meet the following requirements:

Set a limit on how many times an alert notification is sent.

Call an Azure function when an alert is triggered.

Configure the alert to have a severity of warning when triggered.

Which two resources should you create? Each correct answer presents part of the
solution.

Your Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
Correct Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
You must create an action group to set up an action and create an alert rule to set
the severity of the errors. A notification is only used to send email and you do
not need to call a webhook.

Manage action groups in the Azure portal - Azure Monitor | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Question 45 of 50
You have an Azure virtual machine named VM1 that is protected by using Azure Site
Recovery.

You fail over VM1 from the primary region to the secondary region.

You need to reprotect VM1 after the failover so that VM1 will replicate back to the
primary region.

What is the VM1 status before the reprotection?

Your Answer
Failover committed
This answer is correct.
Correct Answer
Failover committed
This answer is correct.
Before you begin, you must ensure that the virtual machine status is Failover
committed. This will ensure replication back to the primary region.

Tutorial to fail over Azure VMs to a secondary region for disaster recovery with
Azure Site Recovery. - Azure Site Recovery | Microsoft Learn

Introduction to Azure Backup - Training | Microsoft Learn

Question 46 of 50
You have an Azure virtual machine that you back up by using Azure Backup.

The backup policy sub type is Standard, and the backup policy has the following
configurations:

Backup schedule frequency: Weekly
Retain instant recovery snapshot(s) for: 5 days
Retention of weekly backup point: On Sunday at 8:00 AM for 12 weeks

You plan to reduce the amount of storage used by Instant Restore.

You need instant recovery snapshots to be retained for only two days.

What should you do first?

Your Answer
Change Policy sub type to Enhanced.
This answer is incorrect.
Correct Answer
Change the backup schedule frequency to Daily.
This answer is correct.
You can choose to store between one and five instant recovery snapshots and the
default value is two. However, when the backup schedule frequency is weekly, you
must retain five instant recovery snapshots.

Azure Instant Restore Capability - Azure Backup | Microsoft Learn

Introduction to Azure Backup - Training | Microsoft Learn

Question 47 of 50
You have an Azure virtual network named VNet1 that is deployed to the Azure East US
region.

You need to ensure that email is sent to an administrator when a virtual machine is
connected to VNet1.

What should you create?

Your Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
Correct Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
Azure Monitor alerts proactively notify you when important conditions are found in
monitoring data. They allow you to identify and address issues in the system before
customers notice them. You can set alerts on metrics, logs, and the activity log.
Different types of alerts have benefits and drawbacks. Metrics is a feature of
Azure Monitor that collects numeric data from monitored resources into a time-
series database. Metrics are numerical values that are collected at regular
intervals and describe some aspect of a system at a particular time.

When Azure Monitor data indicates that there may be an issue with an infrastructure
or application, an alert is triggered. Azure Monitor, Azure Service Health, and
Azure Advisor then use action groups to notify users about the alert and take
action. An action group is a collection of notification preferences defined by the
owner of an Azure subscription.

Monitoring Azure virtual networks | Microsoft Docs

Define metrics and logs - Training | Microsoft Learn

Question 48 of 50
You plan to provision an Azure subscription that will contain the following virtual
networks:

VNet1 in the East US Azure region with two subnets
VNet2 in the East US region with four subnets
VNet3 in the West Europe Azure region with four subnets
VNet4 in the West Europe region with two subnets

How many Azure Network Watcher instances will be provisioned as part of the
deployment?

Your Answer
2
This answer is correct.
Correct Answer
2
This answer is correct.
Azure Network Watcher is a regional service that allows you to monitor and diagnose
conditions at a network scenario level in, to, and from Azure. When you create or
update a virtual network in a subscription, Network Watcher will be enabled
automatically in the virtual network's region. There is no impact on resources or
associated charges for automatically enabling Network Watcher.

Create an Azure Network Watcher instance | Microsoft Learn

Configure Network Watcher - Training | Microsoft Learn

Question 49 of 50
You have an Azure subscription that contains 20 virtual networks and 500 virtual
machines.

You deploy a new virtual machine named VM501.

You discover that VM501 is unable to communicate with a virtual machine named VM20
in the subscription. You suspect that a network security group (NSG) is the cause
of the issue.

You need to identify whether an NSG is blocking communications. The solution must
minimize administrative effort.

What should you use?

Your Answer
IP flow verify
This answer is correct.
Correct Answer
IP flow verify
This answer is correct.
IP flow verify lets you specify a source and destination IPv4 address, port,
protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify
can identify the specific network security group (NSG) that prevents communication.
NSG flow logs is a feature of Azure Network Watcher that allows you to log
information about IP traffic flowing through an NSG. Although the logs may help you
identify the source of the issue, they require much more configuration and manual
evaluation. Packet capture allows you to create packet capture sessions to track
traffic to and from a virtual machine. Packet capture may help narrow down the
scope of the issue, but it will not identify the specific NSG that prevents
communication.

Azure Network Watcher | Microsoft Learn

Configure Network Watcher - Training | Microsoft Learn

Question 50 of 50
You plan to create an alert in Azure Monitor that will have an action group to send
SMS messages.

What is the maximum number of SMS messages that will be sent every hour if the
alert gets triggered every minute?

Your Answer
12
This answer is correct.
Correct Answer
12
This answer is correct.
A maximum of one SMS message can be sent every five minutes. Therefore, a maximum
of 12 messages will be sent per hour.

Rate limiting for SMS, emails, push notifications - Azure Monitor | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Practice Assessment Results: December 19, 2024

Practice Assessment for Exam AZ-104: Microsoft Azure Administrator


It took you 5 minutes to complete this assessment.

Overall Results
To be better prepared for the exam, aim to achieve a score of 80% or higher in
multiple attempts.

Score: 80%

Performance by assessment section


To further strengthen your skills in the following areas, refer to the Customized
Learning Material section below.

Manage Azure identities and governance

Implement and manage storage

Deploy and manage Azure compute resources

Implement and manage virtual networking

Monitor and maintain Azure resources

Customized learning material to improve your skills


Because you scored lower in "Implement and manage storage":

Upload, download, and manage data with Azure Storage Explorer (37 mins)
Configure Azure Files and Azure File Sync (36 mins)
Configure Azure Blob Storage (45 mins)
Configure storage accounts (38 mins)
Configure Azure Storage security (55 mins)
Configure virtual machines (40 mins)

Because you scored lower in "Deploy and manage Azure compute resources":

Automate Azure tasks with Azure PowerShell (71 mins)
Deploy Azure infrastructure by using JSON ARM templates (43 mins)
Configure Azure App Service plans (24 mins)
Configure Azure App Service (62 mins)
Configure Azure Container Instances (26 mins)
Configure storage accounts (38 mins)
Configure virtual machine availability (64 mins)
Configure virtual machines (40 mins)
Configure virtual networks (35 mins)

Answer Summary
Below is a summary of your answers.

Question 1 of 50
You have a Microsoft Entra tenant named contoso.com. Microsoft Entra Connect is
configured to sync users to the tenant.

You need to assign licenses to the users based on Microsoft Entra ID attributes.
The solution must minimize administrative effort.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Assign the licenses to the dynamic groups.
This answer is correct.
Create dynamic groups.
This answer is correct.
Correct Answer
Assign the licenses to the dynamic groups.
This answer is correct.
Create dynamic groups.
This answer is correct.
To assign licenses to users based on Microsoft Entra ID attributes, you must create
a dynamic security group and configure rules based on custom attributes. The
dynamic group must be added to a license group for automatic synchronization. All
users in the groups will get the license automatically. Microsoft Entra evaluates
the users in the organization that are in scope for an assignment policy rule and
creates assignments for the users who don't have assignments to an access package;
automatic assignment policies are not used for licensing.

Assign licenses to a group - Azure Active Directory - Microsoft Entra | Microsoft
Learn

Configure user and group accounts - Training | Microsoft Learn

Question 2 of 50
You have an Azure subscription.

From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following
details:

Id: 8755b347-3545-3876-3987-999999999999
DisplayName: Ben Smith
Mail: [email protected]
UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com
Which statement accurately describes the user?

Your Answer
The user is a guest in the tenant.
This answer is correct.
Correct Answer
The user is a guest in the tenant.
This answer is correct.
For guest users, the user principal name (UPN) will contain the email of the guest
user (bsmith_contoso.com) followed by #EXT# followed by the domain name of the
tenant (@fabrikam.com). Regular Microsoft Entra users appear in a format of
[email protected].

B2B collaboration overview - Azure AD - Microsoft Entra | Microsoft Learn

Question 3 of 50
You have a Microsoft Entra tenant.

You create a new user named User1.

You need to assign a Microsoft 365 E5 license to User1.

Which user attribute should be configured for User1 before you can assign the
license?

Your Answer
Usage location
This answer is correct.
Correct Answer
Usage location
This answer is correct.
Not all Microsoft 365 services are available in all locations. Before a license can
be assigned to a user, you must specify the Usage location. The attributes of First
name, Last name, Other email address, and User type are not mandatory for license
assignment.

Assign or remove licenses - Microsoft Entra | Microsoft Learn

Question 4 of 50
You have an Azure subscription that contains multiple users and administrators.

You are creating a new custom role by using the following JSON.

{
  "Name": "Custom Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Custom Role description",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
    "Microsoft.Compute/snapshots/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}

Which three actions can be performed by a user that is assigned the custom role?
Each correct answer presents a complete solution.

Your Answer
Call Microsoft Support.
This answer is correct.
Create and read a snapshot.
This answer is correct.
Read all virtual machine settings.
This answer is correct.
Correct Answer
Call Microsoft Support.
This answer is correct.
Create and read a snapshot.
This answer is correct.
Read all virtual machine settings.
This answer is correct.
The role allows reading all compute resources, calling Microsoft Support, and
creating and reading snapshots.

Azure custom roles - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 5 of 50
You have an Azure subscription that contains multiple virtual machines.

You need to ensure that a user named User1 can view all the resources in a resource
group named RG1. You must use the principle of least privilege.

Which role should you assign to User1?

Your Answer
Reader
This answer is correct.
Correct Answer
Reader
This answer is correct.
The Reader role allows you to view all the resources but does not allow you to make
any changes. The Contributor role allows you to manage all the resources, the
Billing Reader role provides read access only to billing data, and the Tag
Contributor role allows you to manage entity tags without providing access to the
entities themselves.

Azure built-in roles - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 6 of 50
You have an Azure subscription that contains several storage accounts.

You need to provide a user with the ability to perform the following tasks:

Manage containers within the storage accounts.
View storage account access keys.

The solution must use the principle of least privilege.

Which role should you assign to the user?

Your Answer
Storage Account Contributor
This answer is correct.
Correct Answer
Storage Account Contributor
This answer is correct.
Storage Account Contributor allows the management of storage accounts. It provides
access to the account key, which can be used to access data via Shared Key
authorization. Storage Blob Data Contributor grants permissions to read, write, and
delete Azure Storage containers and blobs. Reader allows you to view all resources
but does not allow you to make any changes. Owner grants full access to manage all
resources, including the ability to assign roles in Azure RBAC.

Azure built-in roles - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 7 of 50
You have an Azure subscription and a user named User1.

You need to assign User1 a role that allows the user to create and manage all types
of resources in the subscription. The solution must prevent User1 from assigning
roles to other users.

Which Azure role-based access control (RBAC) role should you assign to User1?

Your Answer
Contributor
This answer is correct.
Correct Answer
Contributor
This answer is correct.
Users with the Contributor role can create and manage all types of resources but
cannot delegate new access to other users. Users with the Reader role can view
existing Azure resources but cannot perform any action against them. Users with the
API Management Service Contributor role can only manage API Management services and
APIs. Users with the Owner role have full access to all resources, including
the right to delegate access to others.

Azure built-in roles - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 8 of 50
You have an Azure subscription that contains 200 virtual machines.

You plan to use Azure Advisor to provide cost recommendations when underutilized
virtual machines are detected.

You need to ensure that all Azure admins are notified whenever an Advisor alert is
generated. The solution must minimize administrative effort.

What should you configure?

Your Answer
an action group
This answer is correct.
Correct Answer
an action group
This answer is correct.
Whenever Azure Advisor detects a new recommendation for resources, an event is
stored in the Azure Activity log. You can set up alerts for these events from Azure
Advisor. You can select a subscription and optionally a resource group to specify
the resources for which you want to receive alerts. You also need to create an
action group that will contain all the users to be notified.

Improve incident response with Azure Monitor alerts - Training | Microsoft Learn

Create Azure Advisor alerts for new recommendations using Azure portal - Azure
Advisor | Microsoft Learn

Question 9 of 50
You are responsible for managing user identities and governance within your Azure
environment.

You need to ensure that a new employee can create and manage user accounts and
groups, manage support tickets, and monitor service health.

You need to use the principle of least privilege.

Which Microsoft Entra role should you assign to the new employee?

Your Answer
User Administrator
This answer is correct.
Correct Answer
User Administrator
This answer is correct.
The User Administrator role allows creation and management of users and groups,
managing support tickets, and monitoring service health. The Global Administrator
has more permissions than required. The Billing Administrator is focused on
financial aspects and the Service Administrator is a classic role with full access
to Azure services, which is not required for user and group management.

Azure roles, Microsoft Entra roles, and classic subscription administrator roles |
Microsoft Learn

Manage app and resource access by using Microsoft Entra groups - Training |
Microsoft Learn

Question 10 of 50
A financial institution is implementing Azure to enhance their infrastructure. They
need to maintain strict access controls due to regulatory requirements.

You need to ensure that the finance team can view costs and manage budgets for
Azure services without the ability to modify resources.

Which role should you assign to the finance team at the subscription scope?

Your Answer
Cost Management Reader
This answer is correct.
Correct Answer
Cost Management Reader
This answer is correct.
The Cost Management Reader role allows viewing costs and managing budgets without
the ability to modify resources, which is appropriate for the finance team. The
Billing Reader role is incorrect because it only provides access to view billing
information, not manage budgets. The Contributor role is incorrect because it
allows for management of resources. The Reader role is incorrect because it does
not provide capabilities to manage budgets.

Manage access to your Azure environment with Azure role-based access control -
Cloud Adoption Framework | Microsoft Learn

What is Azure RBAC? - Training | Microsoft Learn

Question 11 of 50
Contoso, Ltd. has multiple Azure subscriptions and resources that need to be
efficiently managed.

You need to manage access, policies, and compliance across all subscriptions in a
unified manner.

What should you do? Each correct answer presents part of the solution. Select
three.

Your Answer
Create a management group and assign all subscriptions to it.
This answer is correct.
Apply necessary policies at the management group level.
This answer is correct.
Configure role-based access control at the management group level.
This answer is correct.
Correct Answer
Create a management group and assign all subscriptions to it.
This answer is correct.
Apply necessary policies at the management group level.
This answer is correct.
Configure role-based access control at the management group level.
This answer is correct.
Creating a management group and assigning all subscriptions to it allows for
efficient management of access, policies, and compliance across all subscriptions.
Applying policies and configuring role-based access control at the management group
level ensures that these settings are inherited by all subscriptions within the
group. Managing each subscription individually or applying policies and access
control at the individual resource level would not be as efficient or unified.

Organize your Azure resources effectively - Cloud Adoption Framework | Microsoft
Learn

Create management groups - Training | Microsoft Learn

Question 12 of 50
You need to create an Azure Storage account that supports the Azure Data Lake
Storage Gen2 capabilities.

Which two types of storage accounts can you use? Each correct answer presents a
complete solution.

Your Answer
premium block blobs
This answer is correct.
standard general-purpose v2
This answer is correct.
Correct Answer
premium block blobs
This answer is correct.
standard general-purpose v2
This answer is correct.
To support Data Lake Storage, the storage account must support blob storage, which
is available as standard general-purpose v2 and premium block blobs. Additionally,
when you create the storage account, you must enable the hierarchical namespace.

Create a storage account for Azure Data Lake Storage Gen2 - Azure Storage |
Microsoft Learn

Determine storage account types - Training | Microsoft Learn

Question 13 of 50
You need to create an Azure Storage account that meets the following requirements:

Stores data in a minimum of two availability zones
Provides high availability

Which type of storage redundancy should you use?

Your Answer
zone-redundant storage (ZRS)
This answer is correct.
Correct Answer
zone-redundant storage (ZRS)
This answer is correct.
Zone-redundant storage (ZRS) replicates a storage account synchronously across
three Azure availability zones in the primary region. For ensuring high
availability, Microsoft recommends using ZRS in the primary region and also
replicating to a secondary region.

Data redundancy - Azure Storage | Microsoft Learn

Determine replication strategies - Training | Microsoft Learn

Question 14 of 50
You have an Azure Storage account.

You need to copy data to the storage account by using the AzCopy tool.

Which two types of data storage are supported by AzCopy? Each correct answer
presents a complete solution.

Your Answer
blob
This answer is correct.
file
This answer is correct.
Correct Answer
blob
This answer is correct.
file
This answer is correct.
You can provide authorization credentials by using Microsoft Entra, or by using a
shared access signature (SAS) token. Both storage types, blob and file, are
supported in AzCopy.

Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn

Upload, download, and manage data with Azure Storage Explorer - Training |
Microsoft Learn

Question 15 of 50
You have two premium block blob Azure Storage accounts named storage1 and storage2.

You need to configure object replication from storage1 to storage2.

Which three features should be enabled before configuring object replication? Each
correct answer presents part of the solution.

Your Answer
blob versioning for storage1
This answer is correct.
blob versioning for storage2
This answer is correct.
point-in-time restore for the containers on storage1
This answer is incorrect.
Correct Answer
blob versioning for storage1
This answer is correct.
blob versioning for storage2
This answer is correct.
change feed for storage1
This answer is correct.
Object replication can be used to replicate blobs between storage accounts. Before
configuring object replication, you must enable blob versioning for both storage
accounts, and you must enable the change feed for the source account.

Configure object replication - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 16 of 50
You have an Azure subscription that contains multiple storage accounts.

A storage account named storage1 has a file share that stores marketing videos.
Users reported that 99 percent of the assigned storage is used.

You need to ensure that the file share can support large files and store up to 100
TiB.

Which two PowerShell commands should you run? Each correct answer presents part of
the solution.

Your Answer
Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
This answer is correct.
Update-AzRmStorageShare -ResourceGroupName RG1 -StorageAccountName storage1 -Name share1 -QuotaGiB 102400
This answer is correct.
Correct Answer
Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
This answer is correct.
Update-AzRmStorageShare -ResourceGroupName RG1 -StorageAccountName storage1 -Name share1 -QuotaGiB 102400
This answer is correct.
You must enable the storage account to support large files and update the storage
account quota to 102,400 GB. You do not need to change the type of storage account,
and you are updating the existing share.

Object replication overview - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 17 of 50
You create an Azure Storage account.

You need to create a lifecycle management rule to move blobs to Cool storage if the
blobs have not been used for 30 days.

What should you do first?

Your Answer
Enable access tracking.
This answer is correct.
Correct Answer
Enable access tracking.
This answer is correct.
A lifecycle management rule can be used to move or delete blobs automatically. The
rule can be based on the time the blob was last modified or the time the blob was
last accessed (read or write). To perform an action based on the access time,
access tracking must be enabled. This can incur additional storage costs.

Configure a lifecycle management policy - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 18 of 50
You have an Azure Storage account that contains a file share.

Several users work from a secure location that limits outbound traffic to the
internet.

You need to ensure that the users at the secure location can access the file share
in Azure by using SMB protocol.

Which outbound port should you allow from the secure location?

Your Answer
445
This answer is correct.
Correct Answer
445
This answer is correct.
For accessing the file share, port 445 must be open. Port 5671 is used to send
health information to Microsoft Entra. It is recommended, but not required, in the
latest versions. Port 80 is used to download certificate revocation lists (CRLs) to
verify TLS/SSL certificates. Port 443 is used for HTTPS traffic, for example, to
sync AD DS with Microsoft Entra.

Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft
Learn

Configure Azure Storage security - Training | Microsoft Learn

Question 19 of 50
You have an Azure subscription and an on-premises Hyper-V virtual machine named
VM1. VM1 contains a single virtual disk.

You plan to use VM1 as a template to deploy 25 new Azure virtual machines.

You need to upload VM1 to Azure.

Which cmdlet should you run?

Your Answer
Add-AzVhd
This answer is correct.
Correct Answer
Add-AzVhd
This answer is correct.
Add-AzVhd: Uploads an on-premises VHD to Azure

New-AzVM: Used to create a new virtual machine

New-AzDisk: Used to create a managed disk

New-AzDataShare: Used to create an Azure data share

Create a VM from an uploaded generalized Windows VHD - Azure Virtual Machines |
Microsoft Learn

Upload a VHD to Azure or copy a disk across regions - Azure PowerShell - Azure
Virtual Machines | Microsoft Learn

Configure virtual machines - Training | Microsoft Learn

Question 20 of 50
You have an Azure subscription that contains a storage account named storage1 and a
Microsoft Entra tenant named contoso.com.

You plan to provide identity-based access to storage1.

Which storage1 data service can be configured to use identity-based access?

Your Answer
file shares
This answer is correct.
Correct Answer
file shares
This answer is correct.
File shares can be configured to use Microsoft Entra Kerberos to provide identity-
based access to data storage.

Configure storage accounts - Training | Microsoft Learn

Compare storage for file shares and blob data - Training | Microsoft Learn

Question 21 of 50
A company is using Azure Blob Storage to store large amounts of unstructured data
that is accessed infrequently but requires fast retrieval when needed.

You need to minimize storage costs while ensuring data retrieval performance is not
compromised.

Each correct answer presents part of the solution. Select three.

Your Answer
Configure the access tier of the Azure Blob Storage account to Cool.
This answer is correct.
Correct Answer
Configure the access tier of the Azure Blob Storage account to Cool.
This answer is correct.
The Cool access tier is cost-effective for storing large amounts of data that is
infrequently accessed. The Hot access tier is more expensive and is optimized for
data that is accessed frequently. Object replication is not related to cost
optimization but rather to data availability and redundancy. Upgrading to a
general-purpose v2 storage account does not directly address the need for cost-
effective storage for infrequently accessed data.

Storage account overview - Azure Storage | Microsoft Learn

Connect Azure Storage Explorer to a storage account - Training | Microsoft Learn

Question 22 of 50
You have an Azure subscription that contains a resource group named RG1. RG1
contains an Azure virtual machine named VM1.

You need to use VM1 as a template to create a new Azure virtual machine.

Which three methods can you use to complete the task? Each correct answer presents
a complete solution.

Your Answer
From Azure Cloud Shell, run the Get-AzVM and New-AzVM cmdlets.
This answer is incorrect.
From Azure Cloud Shell, run the Save-AzDeploymentScriptLog and
New-AzResourceGroupDeployment cmdlets.
This answer is incorrect.
From Azure Cloud Shell, run the Save-AzDeploymentTemplate and
New-AzResourceGroupDeployment cmdlets.
This answer is correct.
Correct Answer
From Azure Cloud Shell, run the Save-AzDeploymentTemplate and
New-AzResourceGroupDeployment cmdlets.
This answer is correct.
From RG1, select Export template, select Download, and then, from Azure Cloud
Shell, run the New-AzResourceGroupDeployment cmdlet.
This answer is correct.
From VM1, select Export template, and then select Deploy.
This answer is correct.
From RG1, selecting the Download option from the Export template page exports the
Azure Resource Manager (ARM) template from the resource group properties. You can
then deploy the ARM template by running the New-AzResourceGroupDeployment cmdlet.

By using the Save-AzDeploymentTemplate cmdlet, you can save the resource ARM
template. You can then deploy the ARM template by running the
New-AzResourceGroupDeployment cmdlet.

From VM1, selecting the Deploy option from the Export template page allows you to
deploy a new Azure virtual machine and use the configuration of VM1 as the
template.

The Save-AzDeploymentScriptLog cmdlet is used to save the log of a deployment
script execution.

The Get-AzVM cmdlet generates a list of virtual machines that are created in the
Azure subscription.

Export template in Azure portal - Azure Resource Manager | Microsoft Learn

Export template in Azure PowerShell - Azure Resource Manager | Microsoft Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

Question 23 of 50
Your company plans to host an application on four Azure virtual machines.

You need to ensure that at least two virtual machines are available if a single
Azure datacenter fails.

Which availability option should you select for the virtual machine?

Your Answer
an availability zone
This answer is correct.
Correct Answer
an availability zone
This answer is correct.
To protect against datacenter level failures, and if you want connectivity to
multiple machines, you must ensure that the virtual machines are deployed across
various availability zones.

What are Azure regions and availability zones? | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

Question 24 of 50
You are deploying a virtual machine by using an availability set in the East US
Azure region.

You have deployed 18 virtual machines in two fault domains and 10 update domains.

Microsoft performed planned physical hardware maintenance in the East US region.

What is the maximum number of virtual machines that will be unavailable?

Your Answer
2
This answer is correct.
Correct Answer
2
This answer is correct.
18 virtual machines are shared across 10 update domains. The first 10 virtual
machines go to 10 update domains, so eight update domains will have two virtual
machines. When there is physical hardware maintenance, some virtual machines will
be unavailable based on their configuration. If there was a rack failure, then 18
virtual machines will be distributed to two fault domains with nine virtual
machines each.

Availability sets overview - Azure Virtual Machines | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

Question 25 of 50
You plan to deploy an Azure virtual machine.

You are evaluating whether to use an Azure Spot instance.

Which two factors can cause an Azure Spot instance to be evicted? Each correct
answer presents a complete solution.

Your Answer
the Azure capacity needs
This answer is correct.
the current price of the instance
This answer is correct.
Correct Answer
the Azure capacity needs
This answer is correct.
the current price of the instance
This answer is correct.
Azure Spot instances allow you to provision virtual machines at a reduced cost, but
these virtual machines can be stopped by Azure when Azure needs the capacity for
other pay-as-you-go workloads, or when the price of the spot instance exceeds the
maximum price that you have set. These virtual machines are good for dev, testing,
or for workloads that do not require any specific SLA.

Use Azure Spot Virtual Machines - Azure Virtual Machines | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

Question 26 of 50
You have an Azure subscription that contains an Azure Storage account named
vmstorageaccount1.

You create an Azure container instance named container1.

You need to configure persistent storage for container1.

What should you create in vmstorageaccount1?

Your Answer
a file share
This answer is correct.
Correct Answer
a file share
This answer is correct.
An Azure container instance (Docker container) can mount Azure File Storage shares
as directories and use them as persistent storage. An Azure container instance
cannot mount blob containers, queues, or tables and use them as persistent storage.

Persistent Docker volumes with Azure File Storage | Azure Blog and Updates |
Microsoft Azure

Configure Azure Container Instances - Training | Microsoft Learn

Question 27 of 50
Your development team plans to deploy an Azure container instance. The container
needs a persistent storage layer.

Which service should you use?

Your Answer
Azure Files
This answer is correct.
Correct Answer
Azure Files
This answer is correct.
You can persist data for Azure Container Instances with the use of Azure Files.
Azure Files offers fully managed file shares hosted in Azure Storage that are
accessible via the industry standard Server Message Block (SMB) protocol.

Mount Azure Files volume to container group - Azure Container Instances | Microsoft
Learn

Explore Azure Storage services - Training | Microsoft Learn

Question 28 of 50
You have an Azure subscription that contains multiple resource groups and Azure App
Service web apps. A resource group named RG1 hosts a web app named appservice1. The
App Service uses a free App Service Managed SSL certificate.

You create a resource group named RG2.

You plan to move all the resources in RG1 to RG2.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Delete the SSL Certificate from RG1 and upload it to RG2.
This answer is correct.
Move all the resources from RG1 to RG2.
This answer is correct.
Correct Answer
Delete the SSL Certificate from RG1 and upload it to RG2.
This answer is correct.
Move all the resources from RG1 to RG2.
This answer is correct.
The SSL certificate must be deleted. You will have to move all other resources to
RG2.

Move Azure App Service resources across resource groups or subscriptions - Azure
Resource Manager | Microsoft Learn

Configure Azure App Service - Training | Microsoft Learn

Question 29 of 50
You need to create an Azure App Service web app that runs on Windows. The web app
requires scaling to five instances, 45 GB of storage, and a custom domain name. The
solution must minimize costs.

Which App Service plan should you use?

Your Answer
Standard
This answer is correct.
Correct Answer
Standard
This answer is correct.
The Standard service plan can host unlimited web apps, up to 50 GB of disk space,
and up to 10 instances. The plan will cost approximately $0.10/hour. The Free plan
only offers 1 GB of disk size and 0 instances to host the app. The Premium plan
offers 250 GB of disk space and up to 30 instances and will cost approximately
$0.20/hour. The Basic plan offers 10 GB of disk space and up to three virtual
machines.

App Service Pricing | Microsoft Azure

Configure Azure App Service plans - Training | Microsoft Learn

Question 30 of 50
You have an Azure subscription.

You plan to deploy a web app in a Linux-based Docker container.

You need to recommend a solution for the deployment of the web app that meets the
following requirements:

Supports a custom domain name
Provides the ability to scale out automatically based on demand
Minimizes administrative effort
Minimizes costs

Which solution should you recommend?

Your Answer
Azure App Service
This answer is correct.
Correct Answer
Azure App Service
This answer is correct.
Azure App Service fulfills all the stated requirements. Azure Virtual Machine Scale
Sets, Azure Kubernetes Service (AKS), and Azure Container Instances are more
difficult to administer and more costly.

Overview - Azure App Service | Microsoft Learn

Configure Azure App Service plans - Training | Microsoft Learn

Question 31 of 50
You have an Azure subscription that contains a container app named App1. App1 is
configured to use cached data.

You plan to create a new container.

You need to ensure that the new container automatically refreshes the cache used by
App1.

Which type of container should you configure?

Your Answer
sidecar
This answer is correct.
Correct Answer
sidecar
This answer is correct.
Azure Container Apps manages the details of Kubernetes and container orchestration.
Containers in Azure Container Apps can use any runtime, programming language, or
development stack of your choice. You can define multiple containers in a single
container app to implement the sidecar pattern, for example, an agent that reads
logs from the primary app container in a shared volume and forwards them to a
logging service.

Containers in Azure Container Apps | Microsoft Learn

Question 32 of 50
You have an Azure subscription that contains a resource group named RG1. RG1
contains an application named App1 and a container app named containerapp1.

App1 is experiencing performance issues when attempting to add messages to the
containerapp1 queue.

You need to create a job to perform an application resource cleanup when a new
message is added to a queue.

Which command should you run?

Your Answer
az containerapp job create \
  --name "my-job" --resource-group "RG1" --trigger-type "Event" \
  --replica-timeout 60 --replica-retry-limit 1 ...
This answer is correct.
Correct Answer
az containerapp job create \
  --name "my-job" --resource-group "RG1" --trigger-type "Event" \
  --replica-timeout 60 --replica-retry-limit 1 ...
This answer is correct.
Azure Container Apps jobs enable you to run containerized tasks that execute for a
finite duration, and then exit. You can use jobs to perform tasks such as data
processing, machine learning, or any scenario where on-demand processing is
required. Container apps and jobs run in the same environment, allowing them to
share capabilities such as networking and logging.

A job's trigger type determines how the job is started. The following trigger types
are available:

Manual: Manual jobs are triggered on demand.

Schedule: Scheduled jobs are triggered at specific times and can run repeatedly.

Event: Event-driven jobs are triggered by events such as a message arriving in a
queue.

Jobs in Azure Container Apps (preview) | Microsoft Learn

Question 33 of 50
You have an Azure subscription that contains a web app named App1.

You configure App1 with a custom domain name of webapp1.contoso.com.

You need to create a DNS record for App1. The solution must ensure that App1
remains accessible if the IP address changes.

Which type of DNS record should you create?

Your Answer
CNAME
This answer is correct.
Correct Answer
CNAME
This answer is correct.
For web apps, you create either an A (Address) record or a CNAME (Canonical Name)
record. An A record maps a domain name to an IP address. A CNAME record maps a
domain name to another domain name. DNS uses the second name to look up the
address. Users still see the first domain name in their browser. If the IP address
changes, a CNAME entry is still valid, whereas an A record must be updated.

Configure Azure App Service - Training | Microsoft Learn

Create custom domain names - Training | Microsoft Learn

Question 34 of 50
You have two Azure subscriptions named Sub1 and Sub2.

Sub1 contains a virtual network named VNet1 and a VPN gateway. Sub2 contains a
virtual network named VNet2.

You have an on-premises device named Device1 that runs Windows and has a Point-to-
Site (P2S) VPN client installed.

You configure network peering between VNet1 and VNet2.

You need to ensure that Device1 can access VNet2 when a VPN connection is
established.

What should you do?

Your Answer
Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Correct Answer
Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Point-to-Site (P2S) VPN clients must be downloaded and reinstalled again after
virtual network peering is successfully configured to ensure that the new routes
are downloaded to the client.

A private endpoint and Azure Front Door are neither required nor used to access
VNet2 from VNet1.

Device1 already has a digital certificate when you install the P2S VPN client, so
you do not need to create a new certificate manually.

Create, change, or delete an Azure virtual network peering | Microsoft Learn

Configure virtual network peering - Training | Microsoft Learn

Question 35 of 50
You have an Azure subscription that contains network security groups (NSGs).

Which two resources can be associated with an NSG? Each correct answer presents a
complete solution.

Your Answer
network interfaces
This answer is correct.
subnets
This answer is correct.
Correct Answer
network interfaces
This answer is correct.
subnets
This answer is correct.
You can assign a network security group (NSG) to a network interface.
NSGs can be associated with subnets or individual virtual machine instances within
that subnet. When an NSG is associated with a subnet, the access control list (ACL)
rules apply to all virtual machine instances of that subnet.

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 36 of 50
Your company plans to migrate servers from on-premises to Azure. There will be dev,
test, and production virtual machines on a single virtual network.

You need to restrict traffic between the dev, test, and production virtual machines
to specific ports.

What should you use?

Your Answer
a network security group (NSG)
This answer is correct.
Correct Answer
a network security group (NSG)
This answer is correct.
You must configure network security group (NSG) rules to allow TCP or ICMP traffic
for specific ports. Azure Firewall is a managed service that protects your Azure
services across multiple virtual networks. Load balancers are used to distribute
incoming traffic to available backend servers. Azure VPN is used to establish a
connection between on-premises and Azure.

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 37 of 50
You have an Azure subscription that contains an ASP.NET application. The
application is hosted on four Azure virtual machines that run Windows Server.

You have a load balancer named LB1 that load balances requests to the virtual
machines.

You need to ensure that site users connect to the same web server for all requests
made to the application.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Set Session persistence to Client IP.
This answer is correct.
Set Session persistence to Protocol.
This answer is correct.
Correct Answer
Set Session persistence to Client IP.
This answer is correct.
Set Session persistence to Protocol.
This answer is correct.
By setting Session persistence to Client IP and Protocol, you ensure that site
users connect to the same web server for all requests made to the application.
Setting Session persistence to None disables sticky sessions and an inbound NAT
rule is used to forward traffic from a load balancer frontend to a backend pool.

Azure Load Balancer distribution modes | Microsoft Learn

Configure Azure Load Balancer - Training | Microsoft Learn

Question 38 of 50
You deploy web servers to two virtual machines named VM1 and VM2 in an availability
set named AVSet1.

You need to configure Azure Load Balancer with a backend pool of VM1 and VM2. The
solution must minimize costs.

Which SKU should you use for the Azure Load Balancer configuration?

Your Answer
Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Correct Answer
Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Basic Azure Load Balancer supports deployment in a single availability zone. Basic
Azure Load Balancer supports only Basic SKU public IP. Azure Standard Load Balancer
is zone-redundant, but has a higher cost.

Azure Load Balancer SKUs | Microsoft Learn

Configure Azure Load Balancer - Training | Microsoft Learn

Question 39 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 has a
virtual network named VNet3, a virtual machine named VM1, and a public IP address
named PubIP1. All the resources are in the West US Azure region.

You plan to create and configure a network security group (NSG) named NSG1 for the
following types of traffic:

Remote Desktop Management
HTTP

NSG1 will be used on the subnets of multiple virtual networks.

Which two cmdlets should you run? Each correct answer presents part of the
solution.

Your Answer
New-AzNetworkSecurityGroup
This answer is correct.
New-AzNetworkSecurityRuleConfig
This answer is correct.
Correct Answer
New-AzNetworkSecurityGroup
This answer is correct.
New-AzNetworkSecurityRuleConfig
This answer is correct.
New-AzNetworkSecurityRuleConfig allows you to create a rule and provide the type,
protocol, direction, and port number. New-AzNetworkSecurityGroup creates a network
security group (NSG). -SecurityRules specifies a list of network security rule
objects to create in an NSG.

New-AzNetworkSecurityRuleConfig (Az.Network) | Microsoft Learn

New-AzNetworkSecurityGroup (Az.Network) | Microsoft Learn

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 40 of 50
You have an Azure subscription that contains two virtual networks named VNet1 and
VNet2.

You need to ensure that the resources on both VNet1 and VNet2 can communicate
seamlessly between both networks.

What should you configure from the Azure portal?

Your Answer
peerings
This answer is correct.
Correct Answer
peerings
This answer is correct.
You can connect virtual networks to each other with virtual network peering. Once
the virtual networks are peered, the resources on both virtual networks can
communicate with each other with the same latency and bandwidth as though the
resources were on the same virtual network.

Configure Azure Virtual Network peering - Training | Microsoft Learn

Connect virtual networks with VNet peering - Azure PowerShell | Microsoft Learn

Question 41 of 50
You have an Azure subscription that contains a virtual network named VNet1 and a
virtual machine named VM1.

VM1 can only be accessed from the internal network.

An external contractor needs access to VM1. The solution must minimize
administrative effort.

What should you configure?

Your Answer
a public IP address
This answer is correct.
Correct Answer
a public IP address
This answer is correct.
To share a virtual machine with an external user, you must add a public IP address
to the virtual machine. An additional IP address or firewall configuration will not
help in this case. Configuring an S2S VPN does not minimize administrative
effort.

Virtual networks and virtual machines in Azure | Microsoft Learn

Quickstart - Create a Windows VM in the Azure portal - Azure Virtual Machines |
Microsoft Learn

Question 42 of 50
You have an Azure subscription that contains a virtual network named VNet1.

You plan to enable VNet1 connectivity to on-premises resources by using an
encrypted connection.

What should you configure for VNet1?

Your Answer
a virtual network gateway
This answer is correct.
Correct Answer
a virtual network gateway
This answer is correct.
A VPN gateway is a type of virtual network gateway that sends encrypted traffic
between a virtual network and an on-premises location across a public connection.
You can also use a VPN gateway to send traffic between virtual networks across the
Azure backbone. A VPN gateway connection relies on the configuration of multiple
resources, each of which contains configurable settings.

Introduction to Azure VPN Gateway - Training | Microsoft Learn

Question 43 of 50
You have an Azure subscription that contains an Azure DNS zone named contoso.com.

You add a new subdomain named test.contoso.com.

You plan to delegate test.contoso.com to a different DNS server.

How should you configure the domain delegation?

Your Answer
Add an NS record set named test to the contoso.com zone.
This answer is correct.
Correct Answer
Add an NS record set named test to the contoso.com zone.
This answer is correct.
You must create a DNS NS record set named test in the contoso.com zone. An NS zone
must be created at the apex of the zone named contoso.com. You do not need to
create the SOA record set in test.contoso.com. It must only be created in
contoso.com. You do not need to create or modify the DNS A record.

Delegate a subdomain - Azure DNS | Microsoft Learn

Host your domain on Azure DNS - Training | Microsoft Learn

Question 44 of 50
You have an Azure virtual machine that hosts a third-party application named App1.

Users report that they experience performance issues when they use the application.

You need to find the root cause of the performance issue.

What should you use?

Your Answer
Azure Monitor
This answer is correct.
Correct Answer
Azure Monitor
This answer is correct.
Azure Monitor stores metrics in a time-series database that is optimized for
analyzing time-stamped data. Activity logs proactively detect and address issues
before users notice them. Azure Advisor analyzes configuration and usage metrics
but does not provide time-lapsed data. Azure Cost only helps to optimize and reduce
overall Azure spending.

Overview of Azure Monitor Alerts - Azure Monitor | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Question 45 of 50
You have multiple Azure virtual machines and an Azure recovery services vault.
Virtual machines are configured with the default backup policy.

What is the retention period of virtual machine backups in the default backup
policy?

Your Answer
30 days
This answer is correct.
Correct Answer
30 days
This answer is correct.
By default, backups of virtual machines are kept for 30 days.

Back up an Azure VM from the VM settings - Azure Backup | Microsoft Learn

Question 46 of 50
You have an Azure virtual network named VNet1 that is deployed to the Azure East US
region.

You need to ensure that email is sent to an administrator when a virtual machine is
connected to VNet1.

What should you create?

Your Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
Correct Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
Azure Monitor alerts proactively notify you when important conditions are found in
monitoring data. They allow you to identify and address issues in the system before
customers notice them. You can set alerts on metrics, logs, and the activity log.
Different types of alerts have benefits and drawbacks. Metrics is a feature of
Azure Monitor that collects numeric data from monitored resources into a time-
series database. Metrics are numerical values that are collected at regular
intervals and describe some aspect of a system at a particular time.

When Azure Monitor data indicates that there may be an issue with an infrastructure
or application, an alert is triggered. Azure Monitor, Azure Service Health, and
Azure Advisor then use action groups to notify users about the alert and take
action. An action group is a collection of notification preferences defined by the
owner of an Azure subscription.

Monitoring Azure virtual networks | Microsoft Docs

Define metrics and logs - Training | Microsoft Learn

Question 47 of 50
You have an Azure subscription that contains the following resources:

Eight virtual networks
24 virtual machines
16 storage accounts
You need to implement a monitoring solution that provides the ability to view
diagnostics and telemetry data generated by Azure resources.

What should you include in the solution?

Your Answer
a Log Analytics workspace
This answer is correct.
Correct Answer
a Log Analytics workspace
This answer is correct.
A Log Analytics workspace is a unique environment for log data from Azure Monitor
and other Azure services, such as Microsoft Sentinel and Microsoft Defender for
Cloud. Each workspace has its own data repository and configuration and can combine
data from multiple services.

Log Analytics workspace overview - Azure Monitor | Microsoft Docs

Determine Log Analytics uses - Training | Microsoft Learn

Question 48 of 50
You plan to provision an Azure subscription that will contain the following virtual
networks:

VNet1 in the East US Azure region with two subnets
VNet2 in the East US region with four subnets
VNet3 in the West Europe Azure region with four subnets
VNet4 in the West Europe region with two subnets
How many Azure Network Watcher instances will be provisioned as part of the
deployment?

Your Answer
2
This answer is correct.
Correct Answer
2
This answer is correct.
Azure Network Watcher is a regional service that allows you to monitor and diagnose
conditions at a network scenario level in, to, and from Azure. When you create or
update a virtual network in a subscription, Network Watcher will be enabled
automatically in the virtual network's region. There is no impact on resources or
associated charges for automatically enabling Network Watcher.

Create an Azure Network Watcher instance | Microsoft Learn

Configure Network Watcher - Training | Microsoft Learn

Question 49 of 50
You have an Azure subscription that contains virtual machines, virtual networks,
application gateways, and load balancers.

You need to monitor the network health of the resources.

Which Azure service should you use?

Your Answer
network security groups (NSGs)
This answer is incorrect.
Correct Answer
Azure Network Watcher
This answer is correct.
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable
or disable logs for resources on an Azure virtual network. Azure Resource Manager
is the deployment and management service for Azure. Network security groups (NSGs)
are used only for security, not monitoring. Azure Monitor is used for the HTTP Data
Collector API to send log data to Log Analytics.

Azure Network Watcher | Microsoft Learn

Configure Network Watcher - Training | Microsoft Learn

Question 50 of 50
You have an Azure subscription that contains 20 virtual networks and 500 virtual
machines.

You deploy a new virtual machine named VM501.

You discover that VM501 is unable to communicate with a virtual machine named VM20
in the subscription. You suspect that a network security group (NSG) is the cause
of the issue.
You need to identify whether an NSG is blocking communications. The solution must
minimize administrative effort.

What should you use?

Your Answer
IP flow verify
This answer is correct.
Correct Answer
IP flow verify
This answer is correct.
IP flow verify lets you specify a source and destination IPv4 address, port,
protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify
can identify the specific network security group (NSG) that prevents communication.
NSG flow logs is a feature of Azure Network Watcher that allows you to log
information about IP traffic flowing through an NSG. Although the logs may help you
identify the source of the issue, it requires much more configuration and manual
evaluation. Packet capture allows you to create packet capture sessions to track
traffic to and from a virtual machine. Packet capture may help narrow down the
scope of the issue, but it will not identify the specific NSG that prevents
communication.

Azure Network Watcher | Microsoft Learn

Configure Network Watcher - Training | Microsoft Learn

Practice Assessment Results: December 19, 2024

Practice Assessment for Exam AZ-104: Microsoft Azure Administrator

It took you 27 minutes to complete this assessment.

Overall Results
To be better prepared for the exam, aim to achieve a score of 80% or higher in
multiple attempts.

Score: 94%

Performance by assessment section


To further strengthen your skills in the following areas, refer to the Customized
Learning Material section below.

Manage Azure identities and governance

Implement and manage storage

Deploy and manage Azure compute resources

Implement and manage virtual networking

Monitor and maintain Azure resources



Customized learning material to improve your skills
Congratulations, you passed all the sections! If you have passed multiple
attempts, consider scheduling an exam.

Answer Summary
Below is a summary of your answers.

Question 1 of 50
You have a Microsoft Entra tenant that uses Microsoft Entra Connect to sync with an
Active Directory Domain Services (AD DS) domain.

You need to ensure that users can reset their AD DS password from the Azure portal.
The users must be able to use two methods to reset their password.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
From Password reset in the Azure portal, configure the Registration settings.
This answer is incorrect.
Run Microsoft Entra Connect and select Password writeback.
This answer is correct.
Correct Answer
From Password reset in the Azure portal, configure the Authentication methods
settings.
This answer is correct.
Run Microsoft Entra Connect and select Password writeback.
This answer is correct.
You must run the Microsoft Entra Connect Wizard to enable Password writeback. You
must configure the authentication option to enable the two methods required to
reset a password.

Enable Azure Active Directory password writeback - Microsoft Entra | Microsoft
Learn

Implement Azure AD self-service password reset - Training | Microsoft Learn

Question 2 of 50
You have a Microsoft Entra tenant.

You create a new user named User1.

You need to assign a Microsoft 365 E5 license to User1.

Which user attribute should be configured for User1 before you can assign the
license?

Your Answer
Usage location
This answer is correct.
Correct Answer
Usage location
This answer is correct.
Not all Microsoft 365 services are available in all locations. Before a license can
be assigned to a user, you must specify the Usage location. The attributes of First
name, Last name, Other email address, and User type are not mandatory for license
assignment.

Assign or remove licenses - Microsoft Entra | Microsoft Learn

Question 3 of 50
You have the following resource groups, management groups, and Azure subscriptions:

Two resource groups named RG1 and RG2 that are associated with a subscription named
111-222-333 and a management group named MG1
Two resource groups named RG3 and RG4 that are associated with a subscription named
777-888-999 and a management group named MG1
Two resource groups named RG5 and RG6 that are associated with a subscription named
444-555-666 and a management group named MG1
Two resource groups named RG10 and RG11 that are associated with a subscription
named 222-333-444 and a management group named MG2
Two resource groups named RG11 and RG12 that are associated with a subscription
named 555-666-888 and a management group named MG2
You need to assign a role to a user to ensure the user can view all the resources
in the subscriptions. The solution must use the principle of least privilege.

Which role should you assign?

Your Answer
the Billing Reader role for all the subscriptions
This answer is incorrect.
Correct Answer
the Reader role for MG1 and MG2
This answer is correct.
Assigning the Reader role for MG1 and MG2 is correct because the simplest way to
give a user access to all resources is to assign a role at the management group
level.

Steps to assign an Azure role - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 4 of 50
You have an Azure subscription.

You run the following command:

Get-AzRoleDefinition | Format-Table -Property Name, Id

The command output contains data that includes the following:

CustomRole1 111-222-333-444-555
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
Reader acdd72a7-3385-48ef-bd42-f606fba81ae7
You have a script that manages access to resources at the resource group level. The
assignment process is automated by running the following PowerShell script nightly.
$rg = "RG1"
$RoleName = "111-222-333-444-555"
$Role = Get-AzRoleDefinition -Name $RoleName
New-AzRoleAssignment -SignInName [email protected] `
-RoleDefinitionName $Role.Name `
-ResourceGroupName $rg
User1 is unable to access the RG1 resource group. You discover that the script
fails to complete for User1.

You need to modify the script to ensure that it does not fail.

What should you change in the script?

Your Answer
$Role = Add-AzRoleDefinition -Name $RoleName
This answer is incorrect.
Correct Answer
$RoleName = "CustomRole1"
This answer is correct.
For the script to work as written, the $RoleName variable should refer to the name
instead of the ID.

Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 5 of 50
You have an Azure subscription that contains multiple virtual machines.

You need to ensure that a user named User1 can view all the resources in a resource
group named RG1. You must use the principle of least privilege.

Which role should you assign to User1?

Your Answer
Reader
This answer is correct.
Correct Answer
Reader
This answer is correct.
The Reader role allows you to view all the resources but does not allow you to make
any changes. The Contributor role allows you to manage all the resources, the
Billing Reader role provides read access only to billing data, and the Tag
Contributor role allows you to manage entity tags without providing access to the
entities themselves.

Azure built-in roles - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 6 of 50
You have an Azure subscription that contains a resource group named RG1. RG1
contains a virtual machine that runs daily reports.

You need to ensure that the virtual machine shuts down when resource group costs
exceed 75 percent of the allocated budget.
Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Create an action group of type Runbook, and then select Stop VM as an action.
This answer is correct.
From Cost Management + Billing, create a new cost analysis.
This answer is incorrect.
Correct Answer
Create an action group of type Runbook, and then select Stop VM as an action.
This answer is correct.
From Cost Management + Billing, modify the Budgets settings.
This answer is correct.
You must go to Cost Management + Billing, and then Budgets to edit the budget
associated with the resource group resources. You must also create a new action
group of the Runbook type, and then choose Stop VM as an action. The cost analysis
will not stop the virtual machine from running and the Scale Up VM action group is
not required.

Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft
Learn

Question 7 of 50
You have an Azure subscription that contains hundreds of virtual machines that were
migrated from a local datacenter.

You need to identify which virtual machines are underutilized.

Which Azure Advisor settings should you use?

Your Answer
Operational Excellence
This answer is incorrect.
Correct Answer
Cost
This answer is correct.
The Cost blade allows you to optimize and reduce your overall Azure spending. You
can use this to identify the virtual machines that are underutilized. The
Performance blade allows you to improve the speed of your applications. High
availability is unavailable via Azure Advisor. Operational Excellence helps you
achieve process and workflow efficiency, resource manageability, and deployment
best practices.

Introduction to Azure Advisor - Training | Microsoft Learn

Question 8 of 50
You have an Azure subscription that contains 25 virtual machines.

You need to ensure that each virtual machine is associated to a specific department
for reporting purposes.

What should you use?

Your Answer
storage accounts
This answer is incorrect.
Correct Answer
tags
This answer is correct.
Tags are metadata elements that can be applied to Azure resources. Tags can be used
for tracking resources such as virtual machines and associating each resource to a
department for billing and reporting purposes.

Administrative units are containers used for delegating administrative roles to
manage a specific portion of Microsoft Entra. Administrative units cannot contain
Azure virtual machines.

Management groups are containers that can be used to manage access, policy, and
compliance across multiple Azure subscriptions.

Azure Storage accounts contain Azure Storage data objects, including blobs, file
shares, queues, tables, and disks. A storage account cannot contain virtual
machines.

Tag resources, resource groups, and subscriptions for logical organization - Azure
Resource Manager | Microsoft Learn

Configure virtual machines - Training | Microsoft Learn

Question 9 of 50
You have an Azure subscription that contains a tenant named contoso.com.

All users in contoso.com are currently able to invite external users to B2B
collaboration.

You need to ensure that only members of the Guest Inviter, User Administrator, and
Global Administrator roles can invite guest users.

What should you configure?

Your Answer
Conditional Access
This answer is incorrect.
Correct Answer
External collaboration settings
This answer is correct.
External collaboration settings let you specify which roles in your organization
can invite external users for B2B collaboration. These settings also include
options for allowing or blocking specific domains and options for restricting which
external guest users can see in your Microsoft Entra directory.

Conditional Access allows you to apply rules to strengthen authentication and block
access to resources from unknown locations.

Cross-tenant access settings are used to configure collaboration with a specific
Microsoft Entra organization.

Access reviews are not used to control who can invite guest users.

Enable B2B external collaboration settings - Microsoft Entra | Microsoft Learn

Question 10 of 50
You are responsible for managing user identities and governance within your Azure
environment.

You need to ensure that a new employee can create and manage user accounts and
groups, manage support tickets, and monitor service health.
You need to use the principle of least privilege.

Which Microsoft Entra role should you assign to the new employee?

Your Answer
Service Administrator
This answer is incorrect.
Correct Answer
User Administrator
This answer is correct.
The User Administrator role allows creation and management of users and groups,
managing support tickets, and monitoring service health. The Global Administrator
has more permissions than required. The Billing Administrator is focused on
financial aspects and the Service Administrator is a classic role with full access
to Azure services, which is not required for user and group management.

Azure roles, Microsoft Entra roles, and classic subscription administrator roles |
Microsoft Learn

Manage app and resource access by using Microsoft Entra groups - Training |
Microsoft Learn

Question 11 of 50
A financial institution is implementing Azure to enhance their infrastructure. They
need to maintain strict access controls due to regulatory requirements.

You need to ensure that the finance team can view costs and manage budgets for
Azure services without the ability to modify resources.

Which role should you assign to the finance team at the subscription scope?

Your Answer
Cost Management Reader
This answer is correct.
Correct Answer
Cost Management Reader
This answer is correct.
The Cost Management Reader role allows viewing costs and managing budgets without
the ability to modify resources, which is appropriate for the finance team. The
Billing Reader role is incorrect because it only provides access to view billing
information, not manage budgets. The Contributor role is incorrect because it
allows for management of resources. The Reader role is incorrect because it does
not provide capabilities to manage budgets.

Manage access to your Azure environment with Azure role-based access control -
Cloud Adoption Framework | Microsoft Learn

What is Azure RBAC? - Training | Microsoft Learn

Question 12 of 50
You need to create an Azure Storage account that supports the Azure Data Lake
Storage Gen2 capabilities.

Which two types of storage accounts can you use? Each correct answer presents a
complete solution.

Your Answer
premium block blobs
This answer is correct.
standard general-purpose v2
This answer is correct.
Correct Answer
premium block blobs
This answer is correct.
standard general-purpose v2
This answer is correct.
To support Data Lake Storage, the storage account must support blob storage, which
is available as standard general-purpose v2 and premium block blobs. Additionally,
when you create the storage account, you must enable the hierarchical namespace.

Create a storage account for Azure Data Lake Storage Gen2 - Azure Storage |
Microsoft Learn

Determine storage account types - Training | Microsoft Learn

Question 13 of 50
You have an Azure Storage account named corpimages and an on-premises shared folder
named \\server1\images.

You need to migrate all the contents from \\server1\images to corpimages.

Which two commands can you use? Each correct answer presents a complete solution.

Your Answer
Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public -
recursive
This answer is correct.
Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container
" corpimages"
This answer is correct.
Set-AzStorageBlobContent -Container "ContosoUpload" -File "\\server1\images" -Blob
" corporateimages "
This answer is incorrect.
Correct Answer
Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public -
recursive
This answer is correct.
Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container
" corpimages"
This answer is correct.
The AzCopy command allows you to copy all files to a storage account. You then use
Get-ChildItem with the path parameter, recurse to select everything, and then use
the Set-AzureStorageBlobContent cmdlet.

Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn

Set-AzureStorageBlobContent (Azure.Storage) | Microsoft Learn

Upload, download, and manage data with Azure Storage Explorer - Training |
Microsoft Learn

Question 14 of 50
You have an Azure Storage account named storageaccount1 with a blob container named
container1 that stores confidential information.

You need to ensure that content in container1 is not modified or deleted for six
months after the last modification date.
What should you configure?

Your Answer
the immutability policy
This answer is correct.
Correct Answer
the immutability policy
This answer is correct.
A time-based retention policy or legal hold policies can be applied to block
deletion. Immutability policies can be scoped to a blob version or to a container.

Overview of immutable storage for blob data - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 15 of 50
You have an Azure Storage account that contains a file share.

Several users work from a secure location that limits outbound traffic to the
internet.

You need to ensure that the users at the secure location can access the file share
in Azure by using SMB protocol.

Which outbound port should you allow from the secure location?

Your Answer
445
This answer is correct.
Correct Answer
445
This answer is correct.
For accessing the file share, port 445 must be open. Port 5671 is used to send
health information to Microsoft Entra. It is recommended, but not required, in the
latest versions. Port 80 is used to download certificate revocation lists (CRLs) to
verify TLS/SSL certificates. Port 443 is used for HTTPS traffic, for example to
sync AD DS with Microsoft Entra.

Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft
Learn

Configure Azure Storage security - Training | Microsoft Learn

Question 16 of 50
You have an Azure subscription and an on-premises Hyper-V virtual machine named
VM1. VM1 contains a single virtual disk.

You plan to use VM1 as a template to deploy 25 new Azure virtual machines.

You need to upload VM1 to Azure.

Which cmdlet should you run?

Your Answer
Add-AzVhd
This answer is correct.
Correct Answer
Add-AzVhd
This answer is correct.
Add-AzVhd: Uploads an on-premises VHD to Azure

New-AzVM: Used to create a new virtual machine

New-AzDisk: Used to create a managed disk

New-AzDataShare: Used to create an Azure data share

Create a VM from an uploaded generalized Windows VHD - Azure Virtual Machines |
Microsoft Learn

Upload a VHD to Azure or copy a disk across regions - Azure PowerShell - Azure
Virtual Machines | Microsoft Learn

Configure virtual machines - Training | Microsoft Learn

Question 17 of 50
You have an Azure subscription that contains a storage account named storage1.

You need to provide storage1 with access to a partner organization. Access to
storage1 must expire after 24 hours.

What should you configure?

Your Answer
a shared access signature (SAS)
This answer is correct.
Correct Answer
a shared access signature (SAS)
This answer is correct.
A SAS provides secure delegated access to resources in a storage account. With a
SAS, you have granular control over how a client can access data, including time
restrictions.

Access keys and Azure CDN provide permanent access to resources. They will require
manual steps to remove access. Lifecycle management is not needed.

Configure Azure Storage security - Training | Microsoft Learn

Grant limited access to data with shared access signatures (SAS) - Azure Storage |
Microsoft Learn

Question 18 of 50
You have an Azure subscription that contains a storage account named storage1 and a
Microsoft Entra tenant named contoso.com.

You plan to provide identity-based access to storage1.

Which storage1 data service can be configured to use identity-based access?

Your Answer
containers
This answer is incorrect.
Correct Answer
file shares
This answer is correct.
File shares can be configured to use Microsoft Entra Kerberos to provide identity-
based access to data storage.

Configure storage accounts - Training | Microsoft Learn

Compare storage for file shares and blob data - Training | Microsoft Learn

Question 19 of 50
You have an Azure subscription.

You plan to create a storage account named storage1 to store images.

You need to replicate the images to a new storage account.

What are three requirements of storage1? Each correct answer presents part of a
complete solution.

Your Answer
a container
This answer is correct.
blob versioning
This answer is correct.
standard general-purpose v2
This answer is correct.
Correct Answer
a container
This answer is correct.
blob versioning
This answer is correct.
standard general-purpose v2
This answer is correct.
Versioning must be enabled for the source and target. An object type container is
needed to replicate the images. You must create a StandardV2 storage account. File
shares are not needed, and queues are unsupported for replication.

Object replication overview - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 20 of 50
You have an Azure Storage account named storage1.

You plan to store long-term backups in storage1. The solution must minimize costs.

Which storage tier should you use for the backups?

Your Answer
Archive
This answer is correct.
Correct Answer
Archive
This answer is correct.
Archive is an offline tier that is optimized for storing data that is rarely
accessed and has flexible latency requirements. Data in the Archive tier must be
stored for a minimum of 180 days.

Hot, cool, and archive access tiers for blob data - Azure Storage | Microsoft Learn

Assign blob access tiers - Training | Microsoft Learn

Question 21 of 50
A company is using Azure Blob Storage to store large amounts of unstructured data
that is accessed infrequently but requires fast retrieval when needed.

You need to minimize storage costs while ensuring data retrieval performance is not
compromised.

Each correct answer presents part of the solution. Select three.

Your Answer
Upgrade to a general-purpose v2 storage account.
This answer is incorrect.
Correct Answer
Configure the access tier of the Azure Blob Storage account to Cool.
This answer is correct.
The Cool access tier is cost-effective for storing large amounts of data that is
infrequently accessed. The Hot access tier is more expensive and is optimized for
data that is accessed frequently. Object replication is not related to cost
optimization but rather to data availability and redundancy. Upgrading to a
general-purpose v2 storage account does not directly address the need for cost-
effective storage for infrequently accessed data.

Storage account overview - Azure Storage | Microsoft Learn

Connect Azure Storage Explorer to a storage account - Training | Microsoft Learn

Question 22 of 50
You have an Azure Resource Manager (ARM) template named deploy.json that is stored
in an Azure Blob storage container.

You plan to deploy the template by running the New-AzDeployment cmdlet.

Which parameter should you use to reference the template?

Your Answer
-TemplateUri
This answer is correct.
Correct Answer
-TemplateUri
This answer is correct.
The PowerShell deployment cmdlets can be used to deploy JSON templates that are
stored locally, in a resource group as a template spec, or in a web-based
location. You can use the -TemplateUri parameter to specify a web-based location,
such as GitHub or an Azure Blob Storage account. You can use -TemplateFile to
specify a local file. You can use -TemplateSpecId to specify a template that was
saved to Azure as a template spec.

Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft
Learn

Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft
Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

Question 23 of 50
You plan to deploy an Azure virtual machine based on a basic template stored in the
Azure Resource Manager (ARM) library.

What can you configure during the deployment of the template?


Your Answer
the size of virtual machine
This answer is incorrect.
Correct Answer
the resource group
This answer is correct.
When you deploy a resource by using a template, you can specify the resource group
for the deployment. The resource group is a container for Azure resources and makes
it easier to manage the resources.

Deploy template - Azure portal - Azure Resource Manager | Microsoft Learn

New-AzResourceGroupDeployment (Az.Resources) | Microsoft Learn

Question 24 of 50
Your company has a set of resources deployed to an Azure subscription. The
resources are deployed to a resource group named app-grp1 by using Azure Resource
Manager (ARM) templates.

You need to verify the date and the time that the resources in app-grp1 were
created.

Which blade should you review for app-grp1 in the Azure portal?

Your Answer
Policy
This answer is incorrect.
Correct Answer
Deployments
This answer is correct.
Navigating to the Diagnostics settings blade provides the ability to diagnose
errors or review warnings. Navigating to the Metrics blade provides metrics
information (CPU, resources) to users. On the Deployments blade for the resource
group (app-grp1), all the details related to a deployment, such as the name,
status, date last modified, and duration, are visible. Navigating to the Policy
blade only provides information related to the policies enforced on the resource
group.

Azure AD deployment checklist - Microsoft Entra | Microsoft Learn

Question 25 of 50
Your company plans to host an application on four Azure virtual machines.

You need to ensure that at least two virtual machines are available if a single
Azure datacenter fails.

Which availability option should you select for the virtual machine?

Your Answer
scale sets
This answer is incorrect.
Correct Answer
an availability zone
This answer is correct.
To protect against datacenter level failures, and if you want connectivity to
multiple machines, you must ensure that the virtual machines are deployed across
various availability zones.

What are Azure regions and availability zones? | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

Question 26 of 50
You have an Azure virtual machine.

You receive a notification that the virtual machine is going to be affected by an
underlying maintenance activity on the physical infrastructure.

You need to move the virtual machine to a different host to avoid a service
interruption.

What should you do?

Your Answer
Redeploy the virtual machine.
This answer is correct.
Correct Answer
Redeploy the virtual machine.
This answer is correct.
You must redeploy the virtual machine, which can move the virtual machine to a
different host. Azure will shut down the virtual machine and move the virtual
machine to a new node within the Azure infrastructure.

Redeploy Windows virtual machines in Azure - Virtual Machines | Microsoft Learn

Configure virtual machines - Training | Microsoft Learn

Question 27 of 50
You have an Azure subscription that contains an Azure Storage account named
vmstorageaccount1.

You create an Azure container instance named container1.

You need to configure persistent storage for container1.

What should you create in vmstorageaccount1?

Your Answer
a table
This answer is incorrect.
Correct Answer
a file share
This answer is correct.
An Azure container instance (Docker container) can mount Azure File Storage shares
as directories and use them as persistent storage. An Azure container instance
cannot mount blob containers, queues, or tables and use them as persistent storage.

Persistent Docker volumes with Azure File Storage | Azure Blog and Updates |
Microsoft Azure

Configure Azure Container Instances - Training | Microsoft Learn

Question 28 of 50
Your development team plans to deploy an Azure container instance. The container
needs a persistent storage layer.

Which service should you use?


Your Answer
Azure Queue Storage
This answer is incorrect.
Correct Answer
Azure Files
This answer is correct.
You can persist data for Azure Container Instances with the use of Azure Files.
Azure Files offers fully managed file shares hosted in Azure Storage that are
accessible via the industry standard Server Message Block (SMB) protocol.

Mount Azure Files volume to container group - Azure Container Instances | Microsoft
Learn

Explore Azure Storage services - Training | Microsoft Learn

Question 29 of 50
You have an Azure subscription that contains an Azure App Service web app named
App1.

You have the following diagnostic logging configurations:

Application Logging (FileSystem): Error
Application Logging (Blob): Information
Detailed Error Message: Warning
Web Server Logging: Verbose

You need to configure diagnostic logging to store all warnings or higher.

Which types of diagnostic logging and severity should you enable?

Your Answer
Application Logging (FileSystem)
This answer is incorrect.
Detailed Error Message
This answer is incorrect.
Correct Answer
Application Logging (Blob)
This answer is correct.
Warning
This answer is correct.
You must enable the Application Logging (Blob) diagnostic, which can be stored for
more than a week. You must also set the severity level to warning, to store
warning, error, and critical log messages.

Enable diagnostics logging - Azure App Service | Microsoft Learn

Configure Azure App Service - Training | Microsoft Learn

Question 30 of 50
You have a Basic Azure App Service plan that contains a web app.

You need to ensure that the web app can scale automatically when the CPU percentage
goes beyond 80 percent for a duration of 15 minutes.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Configure a scaling condition to scale based on an instance count, and then set the
instance count.
This answer is incorrect.
Scale up the App Service plan.
This answer is correct.
Correct Answer
Configure a scaling condition to scale based on a metric, and then add the rules.
This answer is correct.
Scale up the App Service plan.
This answer is correct.
Scale up the web app by adding more CPU, memory, and disk space to fulfill the
requirement. Increase the number of virtual machine instances that run the app. The
scale settings take only seconds to apply and affect all the apps in the App
Service plan. Then, you must set up a scaling condition with the required metrics
to scale up/down and scale out/in when certain thresholds are met.

Scale up features and capacities - Azure App Service | Microsoft Learn

Configure Azure App Service - Training | Microsoft Learn

Question 31 of 50
You have an Azure subscription that contains a container app named App1. App1 is
configured to use cached data.

You plan to create a new container.

You need to ensure that the new container automatically refreshes the cache used by
App1.

Which type of container should you configure?

Your Answer
blob
This answer is incorrect.
Correct Answer
sidecar
This answer is correct.
Azure Container Apps manages the details of Kubernetes and container orchestration.
Containers in Azure Container Apps can use any runtime, programming language, or
development stack of your choice. You can define multiple containers in a single
container app to implement the sidecar pattern, for example, an agent that reads
logs from the primary app container in a shared volume and forwards them to a
logging service.

Containers in Azure Container Apps | Microsoft Learn

Question 32 of 50
You have an Azure subscription that contains a resource group named RG1. RG1
contains an application named App1 and a container app named containerapp1.

App1 is experiencing performance issues when attempting to add messages to the
containerapp1 queue.

You need to create a job to perform an application resource cleanup when a new
message is added to a queue.

Which command should you run?

Your Answer
az containerapp job start \
    --name "my-job" --resource-group "RG1" --trigger-type "Schedule" \
    --replica-timeout 60 --replica-retry-limit 1 ...
This answer is incorrect.
Correct Answer
az containerapp job create \
    --name "my-job" --resource-group "RG1" --trigger-type "Event" \
    --replica-timeout 60 --replica-retry-limit 1 ...
This answer is correct.
Azure Container Apps jobs enable you to run containerized tasks that execute for a
finite duration, and then exit. You can use jobs to perform tasks such as data
processing, machine learning, or any scenario where on-demand processing is
required. Container apps and jobs run in the same environment, allowing them to
share capabilities such as networking and logging.

A job's trigger type determines how the job is started. The following trigger types
are available:

Manual: Manual jobs are triggered on demand.

Schedule: Scheduled jobs are triggered at specific times and can run repeatedly.

Event: Event-driven jobs are triggered by events such as a message arriving in a
queue.

Jobs in Azure Container Apps (preview) | Microsoft Learn

Question 33 of 50
You have an Azure subscription that contains a web app named App1.

You configure App1 with a custom domain name of webapp1.contoso.com.

You need to create a DNS record for App1. The solution must ensure that App1
remains accessible if the IP address changes.

Which type of DNS record should you create?

Your Answer
TXT
This answer is incorrect.
Correct Answer
CNAME
This answer is correct.
For web apps, you create either an A (Address) record or a CNAME (Canonical Name)
record. An A record maps a domain name to an IP address. A CNAME record maps a
domain name to another domain name. DNS uses the second name to look up the
address. Users still see the first domain name in their browser. If the IP address
changes, a CNAME entry is still valid, whereas an A record must be updated.

Configure Azure App Service - Training | Microsoft Learn

Create custom domain names - Training | Microsoft Learn

Question 34 of 50
You have two Azure subscriptions named Sub1 and Sub2.

Sub1 contains a virtual network named VNet1 and a VPN gateway. Sub2 contains a
virtual network named VNet2.

You have an on-premises device named Device1 that runs Windows and has a Point-to-
Site (P2S) VPN client installed.

You configure network peering between VNet1 and VNet2.

You need to ensure that Device1 can access VNet2 when a VPN connection is
established.

What should you do?

Your Answer
Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Correct Answer
Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Point-to-Site (P2S) VPN clients must be downloaded and reinstalled again after
virtual network peering is successfully configured to ensure that the new routes
are downloaded to the client.

Neither a private endpoint nor Azure Front Door is required or used to access
VNet2 from VNet1.

Device1 already has a digital certificate when you install the P2S VPN client, so
you do not need to create a new certificate manually.

Create, change, or delete an Azure virtual network peering | Microsoft Learn

Configure virtual network peering - Training | Microsoft Learn

Question 35 of 50
You have an Azure subscription that contains network security groups (NSGs).

Which two resources can be associated with a NSG? Each correct answer presents a
complete solution.

Your Answer
network interfaces
This answer is correct.
subnets
This answer is correct.
Correct Answer
network interfaces
This answer is correct.
subnets
This answer is correct.
You can assign a network security group (NSG) to a network interface.
NSGs can be associated with subnets or individual virtual machine instances within
that subnet. When an NSG is associated with a subnet, the access control list (ACL)
rules apply to all virtual machine instances of that subnet.

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 36 of 50
You have an Azure virtual network that contains four subnets. Each subnet contains
10 virtual machines.

You plan to configure a network security group (NSG) that will allow inbound
traffic over TCP port 8080 to two virtual machines on each subnet. The NSG will be
associated with each subnet.

You need to recommend a solution to configure the inbound access by using the
fewest number of NSG rules possible.

What should you use as the destination in the NSG?

Your Answer
the subnets of the virtual machines
This answer is incorrect.
Correct Answer
an application security group
This answer is correct.
Application security groups allow you to group together the network interfaces from
multiple virtual machines, and then use the group as the source or destination in
an NSG rule. The network interfaces must be in the same virtual network.

You can use the IP address of each virtual machine as the destination, but you must
create a rule for each virtual machine.

Using the subnets will require four rules and will also allow traffic to all the
virtual machines on those subnets.

Service tags are for specific Azure services, such as Azure App Service or Azure
Backup.

Azure application security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 37 of 50
You create several Azure virtual machines that run Windows Server.

You need to connect to the virtual machines without exposing RDP ports over the
internet.

Which Azure service should you deploy?

Your Answer
Azure Bastion
This answer is correct.
Correct Answer
Azure Bastion
This answer is correct.
Azure Bastion is a service that lets you connect to a virtual machine by using a
browser, without exposing RDP and SSH ports. Azure Monitor helps you maximize the
availability and performance of applications and services. Azure Network Watcher
provides tools to monitor, diagnose, view metrics, and enable or disable logs for
resources in an Azure virtual network. Remote Desktop is a feature of the operating
system, which exposes the RDP port to connect to a server from the internet.

About Azure Bastion | Microsoft Learn

Configure virtual networks - Training | Microsoft Learn

Question 38 of 50
You have three network security groups (NSGs) named NSG1, NSG2, and NSG3. Port 80
is blocked in NSG3 and allowed in NSG1 and NSG2.

You have four Azure virtual machines that have the following configurations:

VM1:
Subnet: Subnet1
Network card: NIC1
NIC1 is assigned to NSG2.

VM2:
Subnet: Subnet1
Network card: NIC2
NIC2 is assigned to NSG3.

VM3:
Subnet: Subnet3
Network card: NIC3
NIC3 is assigned to NSG3.

VM4:
Subnet: Subnet2

You have the following subnets:

Subnet1 is assigned to NSG1.
Subnet2 is assigned to NSG3.
Subnet3 does not have an NSG assigned.

Which virtual machine will allow traffic from the internet on port 80?

Your Answer
VM1
This answer is correct.
Correct Answer
VM1
This answer is correct.
On VM1, both NSGs assigned to Subnet1 and the NIC1 card allow traffic on port 80.
On VM2, NSG1 allows traffic, but NSG3 blocks traffic for the network interface. On
VM3 and VM4, NSG3 blocks traffic.

Network security group - how it works | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 39 of 50
You have an Azure subscription that contains an ASP.NET application. The
application is hosted on four Azure virtual machines that run Windows Server.

You have a load balancer named LB1 that load balances requests to the virtual
machines.

You need to ensure that site users connect to the same web server for all requests
made to the application.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Set Session persistence to Client IP.
This answer is correct.
Set Session persistence to Protocol.
This answer is correct.
Correct Answer
Set Session persistence to Client IP.
This answer is correct.
Set Session persistence to Protocol.
This answer is correct.
By setting Session persistence to Client IP and Protocol, you ensure that site
users connect to the same web server for all requests made to the application.
Setting Session persistence to None disables sticky sessions and an inbound NAT
rule is used to forward traffic from a load balancer frontend to a backend pool.

Azure Load Balancer distribution modes | Microsoft Learn

Configure Azure Load Balancer - Training | Microsoft Learn

Question 40 of 50
You deploy web servers to two virtual machines named VM1 and VM2 in an availability
set named AVSet1.

You need to configure Azure Load Balancer with a backend pool of VM1 and VM2. The
solution must minimize costs.

Which SKU should you use for the Azure Load Balancer configuration?

Your Answer
Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Correct Answer
Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Basic Azure Load Balancer supports deployment in a single availability zone. Basic
Azure Load Balancer supports only Basic SKU public IP. Azure Standard Load Balancer
is zone-redundant, but has a higher cost.

Azure Load Balancer SKUs | Microsoft Learn

Configure Azure Load Balancer - Training | Microsoft Learn

Question 41 of 50
You have an Azure subscription that contains two virtual networks named VNet1 and
VNet2.

You need to ensure that the resources on both VNet1 and VNet2 can communicate
seamlessly between both networks.

What should you configure from the Azure portal?

Your Answer
peerings
This answer is correct.
Correct Answer
peerings
This answer is correct.
You can connect virtual networks to each other with virtual network peering. Once
the virtual networks are peered, the resources on both virtual networks can
communicate with each other with the same latency and bandwidth as though the
resources were on the same virtual network.

Configure Azure Virtual Network peering - Training | Microsoft Learn

Connect virtual networks with VNet peering - Azure PowerShell | Microsoft Learn

Question 42 of 50
You have an Azure subscription that contains a virtual network named VNet1.

You plan to deploy a virtual machine named VM1 to be used as a network inspection
appliance.

You need to ensure that all network traffic passes through VM1.

What should you do?

Your Answer
Configure a user-defined route.
This answer is correct.
Correct Answer
Configure a user-defined route.
This answer is correct.
Azure automatically creates a route table for each subnet on an Azure virtual
network and adds system default routes to the table. You can override some of the
Azure system routes with custom user-defined routes and add more custom routes to
route tables. Azure routes outbound traffic from a subnet based on the routes on a
subnet's route table.

Azure virtual network traffic routing | Microsoft Learn

Question 43 of 50
You have an Azure subscription.

You plan to implement four Azure virtual networks that will be peered. All virtual
machines will use a DNS suffix of contoso.com.

You need to configure name resolution for the virtual networks to ensure that all
the virtual machines can communicate by using their FQDNs. The solution must
minimize administrative effort.

What should you use?

Your Answer
an Azure Private DNS zone
This answer is correct.
Correct Answer
an Azure Private DNS zone
This answer is correct.
Azure Private DNS allows for private name resolution between Azure virtual
networks. Azure public DNS provides DNS for public access, such as name resolution
for a publicly accessible website. Azure-provided name resolution does not support
user-defined domain names and only supports a single virtual network. A DNS server
on a virtual machine can also be used to achieve the goal but involves much more
administrative effort to implement and maintain than using Azure Private DNS.

Name resolution for resources in Azure virtual networks | Microsoft Learn

Host your domain on Azure DNS - Training | Microsoft Learn

Question 44 of 50
You have a Log Analytics workspace that collects data from various data sources.

You create a new Azure Monitor log query.


You plan to view data pinned as a chart to a shared dashboard.

What is the maximum number of days for which data can be shown on the shared
dashboard?

Your Answer
14
This answer is incorrect.
Correct Answer
30
This answer is correct.
Data shown on a shared dashboard can only be displayed for a maximum of 30 days.

Azure Monitor workbook chart visualizations - Azure Monitor | Microsoft Learn

Configure Azure Monitor - Training | Microsoft Learn

Question 45 of 50
You need to create Azure alerts based on metric values and activity log events.

The solution must meet the following requirements:

Set a limit on how many times an alert notification is sent.

Call an Azure function when an alert is triggered.

Configure the alert to have a severity of warning when triggered.

Which two resources should you create? Each correct answer presents part of the
solution.

Your Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
Correct Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
You must create an action group to set up an action and create an alert rule to set
the severity of the errors. A notification is only used to send email and you do
not need to call a webhook.

Manage action groups in the Azure portal - Azure Monitor | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Question 46 of 50
You have an Azure virtual machine that hosts a third-party application named App1.

Users report that they experience performance issues when they use the application.

You need to find the root cause of the performance issue.

What should you use?

Your Answer
Azure Monitor
This answer is correct.
Correct Answer
Azure Monitor
This answer is correct.
Azure Monitor stores metrics in a time-series database that is optimized for
analyzing time-stamped data. Activity logs proactively detect and address issues
before users notice them. Azure Advisor analyzes configuration and usage metrics but
does not provide time-lapsed data. Azure Cost only helps to optimize and reduce
overall Azure spending.

Overview of Azure Monitor Alerts - Azure Monitor | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Question 47 of 50
You have an Azure virtual machine named Server1 that runs Windows Server.

You need to configure Azure Backup to back up files and folders.

What should you install on Server1?

Your Answer
the Microsoft Azure Recovery Services (MARS) agent
This answer is correct.
Correct Answer
the Microsoft Azure Recovery Services (MARS) agent
This answer is correct.
The Microsoft Azure Recovery Services (MARS) agent must be installed on the servers.
The MARS agent is mandatory to perform backup and recovery services for any
servers.

Manage the Azure recovery services agent - Training | Microsoft Learn

Question 48 of 50
You have an Azure subscription that contains a resource group named RG1. RG1
contains two virtual machines named VM1 and VM2.

You need to inspect all the network traffic from VM1 to VM2. The solution must use
Azure Monitor metrics.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Configure Network In and Network Out.
This answer is incorrect.
Install AzureNetworkWatcherExtension.
This answer is correct.
Correct Answer
Install AzureNetworkWatcherExtension.
This answer is correct.
Use packet capture.
This answer is correct.
Azure Network Watcher variable packet capture allows you to create packet capture
sessions to track traffic to and from a virtual machine. Packet capture helps to
diagnose network anomalies both reactively and proactively.

Tutorial: Monitor network communication between two virtual machines using the
Azure portal | Microsoft Learn

Introduction to Packet capture in Azure Network Watcher | Microsoft Learn

Configure Network Watcher - Training | Microsoft Learn

Question 49 of 50
You plan to provision an Azure subscription that will contain the following virtual
networks:

VNet1 in the East US Azure region with two subnets
VNet2 in the East US region with four subnets
VNet3 in the West Europe Azure region with four subnets
VNet4 in the West Europe region with two subnets

How many Azure Network Watcher instances will be provisioned as part of the
deployment?

Your Answer
2
This answer is correct.
Correct Answer
2
This answer is correct.
Azure Network Watcher is a regional service that allows you to monitor and diagnose
conditions at a network scenario level in, to, and from Azure. When you create or
update a virtual network in a subscription, Network Watcher will be enabled
automatically in the virtual network's region. There is no impact on resources or
associated charges for automatically enabling Network Watcher.

Create an Azure Network Watcher instance | Microsoft Learn

Configure Network Watcher - Training | Microsoft Learn

Question 50 of 50
You plan to create an alert in Azure Monitor that will have an action group to send
SMS messages.

What is the maximum number of SMS messages that will be sent every hour if the
alert gets triggered every minute?

Your Answer
60
This answer is incorrect.
Correct Answer
12
This answer is correct.
A maximum of one SMS message can be sent every five minutes. Therefore, a maximum
of 12 messages will be sent per hour.

Rate limiting for SMS, emails, push notifications - Azure Monitor | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Practice Assessment Results: December 19, 2024

Practice Assessment for Exam AZ-104: Microsoft Azure Administrator

It took you 40 minutes to complete this assessment.

Overall Results
To be better prepared for the exam, aim to achieve a score of 80% or higher in
multiple attempts.

Score: 52%

Performance by assessment section


To further strengthen your skills in the following areas, refer to the Customized
Learning Material section below.

Manage Azure identities and governance

Implement and manage storage

Deploy and manage Azure compute resources

Implement and manage virtual networking

Monitor and maintain Azure resources

Ready to take the exam?

Customized learning material to improve your skills


Because you scored lower in "Manage Azure identities and governance":

Allow users to reset their password with Microsoft Entra self-service password
reset
31 mins
Improve incident response with Azure Monitor alerts
58 mins
Introduction to Azure Advisor
16 mins
Secure your Azure resources with Azure role-based access control (Azure RBAC)
37 mins
Configure Azure Policy
40 mins
Configure user and group accounts
20 mins
Configure virtual machines
40 mins
Because you scored lower in "Deploy and manage Azure compute resources":

Automate Azure tasks with Azure PowerShell
71 mins
Deploy Azure infrastructure by using JSON ARM templates
43 mins
Configure Azure App Service plans
24 mins
Configure Azure App Service
62 mins
Configure Azure Container Instances
26 mins
Configure storage accounts
38 mins
Configure virtual machine availability
64 mins
Configure virtual machines
40 mins
Configure virtual networks
35 mins
Because you scored lower in "Monitor and maintain Azure resources":

Improve incident response with Azure Monitor alerts
58 mins
Introduction to Azure Backup
18 mins
Configure Azure Monitor
59 mins
Configure Log Analytics
28 mins
Configure Network Watcher
19 mins
© Microsoft 2024

Answer Summary
Below is a summary of your answers.

Question 1 of 50
You have a Microsoft Entra tenant that uses Microsoft Entra Connect to sync with an
Active Directory Domain Services (AD DS) domain.

You need to ensure that users can reset their AD DS password from the Azure portal.
The users must be able to use two methods to reset their password.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
From Password reset in the Azure portal, configure the Authentication methods
settings.
This answer is correct.
Run Microsoft Entra Connect and select Password writeback.
This answer is correct.
Correct Answer
From Password reset in the Azure portal, configure the Authentication methods
settings.
This answer is correct.
Run Microsoft Entra Connect and select Password writeback.
This answer is correct.
You must run the Microsoft Entra Connect Wizard to enable Password writeback. You
must configure the authentication option to enable the two methods required to
reset a password.

Enable Azure Active Directory password writeback - Microsoft Entra | Microsoft
Learn

Implement Azure AD self-service password reset - Training | Microsoft Learn

Question 2 of 50
You have an Azure subscription.

From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following
details:

Id: 8755b347-3545-3876-3987-999999999999
DisplayName: Ben Smith
Mail: [email protected]
UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com
Which statement accurately describes the user?

Your Answer
The user is a guest in the tenant.
This answer is correct.
Correct Answer
The user is a guest in the tenant.
This answer is correct.
For guest users, the user principal name (UPN) will contain the email of the guest
user (bsmith_contoso.com) followed by #EXT# followed by the domain name of the
tenant (@fabrikam.com). Regular Microsoft Entra users appear in a format of
[email protected].

B2B collaboration overview - Azure AD - Microsoft Entra | Microsoft Learn

Question 3 of 50
Your Microsoft Entra tenant and on-premises Active Directory domain contain
multiple users.

You need to configure self-service password reset (SSPR) password writeback
functionality. The solution must minimize costs.

Which Microsoft Entra ID edition should you use?

Your Answer
Microsoft Entra ID P1
This answer is correct.
Correct Answer
Microsoft Entra ID P1
This answer is correct.
Only Microsoft Entra ID P1 and P2 support SSPR, but Microsoft Entra ID P1 is the
lower cost option.

Enable Azure Active Directory self-service password reset - Microsoft Entra |
Microsoft Learn

What is self-service password reset in Azure Active Directory? - Training |
Microsoft Learn

Question 4 of 50
You have the following resource groups, management groups, and Azure subscriptions:

Two resource groups named RG1 and RG2 that are associated with a subscription named
111-222-333 and a management group named MG1
Two resource groups named RG3 and RG4 that are associated with a subscription named
777-888-999 and a management group named MG1
Two resource groups named RG5 and RG6 that are associated with a subscription named
444-555-666 and a management group named MG1
Two resource groups named RG10 and RG11 that are associated with a subscription
named 222-333-444 and a management group named MG2
Two resource groups named RG11 and RG12 that are associated with a subscription
named 555-666-888 and a management group named MG2

You need to assign a role to a user to ensure the user can view all the resources
in the subscriptions. The solution must use the principle of least privilege.

Which role should you assign?

Your Answer
the Reader role for MG1 and MG2
This answer is correct.
Correct Answer
the Reader role for MG1 and MG2
This answer is correct.
Assigning the Reader role for MG1 and MG2 is correct because the simplest way to
give user access to all resources is to assign a role at the management group
level.

Steps to assign an Azure role - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 5 of 50
You have an Azure subscription.

You run the following command:

Get-AzRoleDefinition | Format-Table -Property Name, Id

The command output contains data that includes the following:

CustomRole1 111-222-333-444-555
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
Reader acdd72a7-3385-48ef-bd42-f606fba81ae7

You have a script that manages access to resources at the resource group level. The
assignment process is automated by running the following PowerShell script nightly.

$rg = "RG1"
$RoleName = "111-222-333-444-555"
$Role = Get-AzRoleDefinition -Name $RoleName
New-AzRoleAssignment -SignInName [email protected] `
-RoleDefinitionName $Role.Name `
-ResourceGroupName $rg

User1 is unable to access the RG1 resource group. You discover that the script
fails to complete for User1.

You need to modify the script to ensure that it does not fail.

What should you change in the script?

Your Answer
$RoleName = "CustomRole1"
This answer is correct.
Correct Answer
$RoleName = "CustomRole1"
This answer is correct.
For the script to work as written, the $RoleName variable should refer to the name
instead of the ID.

Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 6 of 50
You have an Azure subscription that contains multiple virtual machines.

You need to ensure that a user named User1 can view all the resources in a resource
group named RG1. You must use the principle of least privilege.

Which role should you assign to User1?

Your Answer
Reader
This answer is correct.
Correct Answer
Reader
This answer is correct.
The Reader role allows you to view all the resources but does not allow you to make
any changes. The Contributor role allows you to manage all the resources, the
Billing Reader role provides read access only to billing data, and the Tag
Contributor role allows you to manage entity tags without providing access to the
entities themselves.

Azure built-in roles - Azure RBAC | Microsoft Learn

Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 7 of 50
You have an Azure subscription and a user named User1.

You need to assign User1 a role that allows the user to create and manage all types
of resources in the subscription. The solution must prevent User1 from assigning
roles to other users.

Which Azure role-based access control (RBAC) role should you assign to User1?

Your Answer
Contributor
This answer is correct.
Correct Answer
Contributor
This answer is correct.
Users with the Contributor role can create and manage all types of resources but
cannot delegate new access to other users. Users with the Reader role can view
existing Azure resources but cannot perform any action against them. Users with the
API Management Service Contributor role can only manage API Management services and
APIs. Users with the Owner role have full access to all resources, including
the right to delegate access to others.

Azure built-in roles - Azure RBAC | Microsoft Learn


Secure your Azure resources with Azure role-based access control (Azure RBAC) -
Training | Microsoft Learn

Question 8 of 50
You have an Azure subscription that contains hundreds of virtual machines that were
migrated from a local datacenter.

You need to identify which virtual machines are underutilized.

Which Azure Advisor settings should you use?

Your Answer
Cost
This answer is correct.
Correct Answer
Cost
This answer is correct.
The Cost blade allows you to optimize and reduce your overall Azure spending. You
can use this to identify the virtual machines that are underutilized. The
Performance blade allows you to improve the speed of your applications. High
availability is unavailable via Azure Advisor. Operational Excellence helps you
achieve process and workflow efficiency, resource manageability, and deployment
best practices.

Introduction to Azure Advisor - Training | Microsoft Learn

Question 9 of 50
You have several management groups and Azure subscriptions.

You want to prevent the accidental deletion of resources.

To which three resource types can you apply delete locks? Each correct answer
presents a complete solution.

Your Answer
resource groups
This answer is correct.
subscriptions
This answer is correct.
virtual machines
This answer is correct.
Correct Answer
resource groups
This answer is correct.
subscriptions
This answer is correct.
virtual machines
This answer is correct.
You can use delete locks to block the deletion of virtual machines, subscriptions,
and resource groups. You cannot use delete locks on management groups or storage
account data.

Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn

Question 10 of 50
You have an Azure subscription that contains 200 virtual machines.

You plan to use Azure Advisor to provide cost recommendations when underutilized
virtual machines are detected.
You need to ensure that all Azure admins are notified whenever an Advisor alert is
generated. The solution must minimize administrative effort.

What should you configure?

Your Answer
an action group
This answer is correct.
Correct Answer
an action group
This answer is correct.
Whenever Azure Advisor detects a new recommendation for resources, an event is
stored in the Azure Activity log. You can set up alerts for these events from Azure
Advisor. You can select a subscription and optionally a resource group to specify
the resources for which you want to receive alerts. You also need to create an
action group that will contain all the users to be notified.

Improve incident response with Azure Monitor alerts - Training | Microsoft Learn

Create Azure Advisor alerts for new recommendations using Azure portal - Azure
Advisor | Microsoft Learn

Question 11 of 50
You are responsible for managing user identities and governance within your Azure
environment.

You need to ensure that a new employee can create and manage user accounts and
groups, manage support tickets, and monitor service health.

You need to use the principle of least privilege.

Which Microsoft Entra role should you assign to the new employee?

Your Answer
User Administrator
This answer is correct.
Correct Answer
User Administrator
This answer is correct.
The User Administrator role allows creation and management of users and groups,
managing support tickets, and monitoring service health. The Global Administrator
has more permissions than required. The Billing Administrator is focused on
financial aspects and the Service Administrator is a classic role with full access
to Azure services, which is not required for user and group management.

Azure roles, Microsoft Entra roles, and classic subscription administrator roles |
Microsoft Learn

Manage app and resource access by using Microsoft Entra groups - Training |
Microsoft Learn

Question 12 of 50
You need to create an Azure Storage account that supports the Azure Data Lake
Storage Gen2 capabilities.

Which two types of storage accounts can you use? Each correct answer presents a
complete solution.
Your Answer
premium block blobs
This answer is correct.
standard general-purpose v2
This answer is correct.
Correct Answer
premium block blobs
This answer is correct.
standard general-purpose v2
This answer is correct.
To support Data Lake Storage, the storage account must support blob storage, which
is available as standard general-purpose v2 and premium block blobs. Additionally,
when you create the storage account, you must enable the hierarchical namespace.

Create a storage account for Azure Data Lake Storage Gen2 - Azure Storage |
Microsoft Learn

Determine storage account types - Training | Microsoft Learn

Question 13 of 50
You have an Azure Storage account named corpimages and an on-premises shared folder
named \\server1\images.

You need to migrate all the contents from \\server1\images to corpimages.

Which two commands can you use? Each correct answer presents a complete solution.

Your Answer
Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public -recursive
This answer is correct.
Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container " corpimages"
This answer is correct.
Correct Answer
Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public -recursive
This answer is correct.
Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container " corpimages"
This answer is correct.
The AzCopy command allows you to copy all files to a storage account. You can also
use Get-ChildItem with the -Path parameter and -Recurse to select everything, and
then pipe the results to the Set-AzureStorageBlobContent cmdlet.

Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn

Set-AzureStorageBlobContent (Azure.Storage) | Microsoft Learn

Upload, download, and manage data with Azure Storage Explorer - Training |
Microsoft Learn

Question 14 of 50
You have an Azure Storage account.

You need to copy data to the storage account by using the AzCopy tool.

Which two types of data storage are supported by AzCopy? Each correct answer
presents a complete solution.
Your Answer
blob
This answer is correct.
file
This answer is correct.
Correct Answer
blob
This answer is correct.
file
This answer is correct.
You can provide authorization credentials by using Microsoft Entra, or by using a
shared access signature (SAS) token. Both storage types, blob and file, are
supported in AzCopy.

Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn

Upload, download, and manage data with Azure Storage Explorer - Training |
Microsoft Learn

Question 15 of 50
You plan to configure object replication between two Azure Storage accounts.

The Blob service of the source storage account has the following settings:

Hierarchical namespace: Disabled

Default access tier: Hot

Blob public access: Enabled

Blob soft delete: Enabled (7 days)

Container soft delete: Enabled (7 days)

Versioning: Disabled

Change feed: Enabled

NFS v3: Disabled

Allow cross-tenant replication: Enabled

Which setting should be modified on the source storage account to support object
replication?

Your Answer
Change feed
This answer is incorrect.
Correct Answer
Versioning
This answer is correct.
Versioning must be enabled for both the source and destination accounts. In this
scenario, versioning is currently disabled.

Object replication overview - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn


Question 16 of 50
You create an Azure Storage account.

You need to create a lifecycle management rule to move blobs to Cool storage if the
blobs have not been used for 30 days.

What should you do first?

Your Answer
Enable access tracking.
This answer is correct.
Correct Answer
Enable access tracking.
This answer is correct.
A lifecycle management rule can be used to move or delete blobs automatically. The
rule can be based on the time the blob was last modified or the time the blob was
last accessed (read or write). To perform an action based on the access time,
access tracking must be enabled. This can incur additional storage costs.

Configure a lifecycle management policy - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 17 of 50
You have an Azure subscription and an on-premises Hyper-V virtual machine named
VM1. VM1 contains a single virtual disk.

You plan to use VM1 as a template to deploy 25 new Azure virtual machines.

You need to upload VM1 to Azure.

Which cmdlet should you run?

Your Answer
Add-AzVhd
This answer is correct.
Correct Answer
Add-AzVhd
This answer is correct.
Add-AzVhd: Uploads an on-premises VHD to Azure

New-AzVM: Used to create a new virtual machine

New-AzDisk: Used to create a managed disk

New-AzDataShare: Used to create an Azure data share

Create a VM from an uploaded generalized Windows VHD - Azure Virtual Machines |
Microsoft Learn

Upload a VHD to Azure or copy a disk across regions - Azure PowerShell - Azure
Virtual Machines | Microsoft Learn

Configure virtual machines - Training | Microsoft Learn

Question 18 of 50
You have an Azure subscription that contains a storage account named storage1 and a
Microsoft Entra tenant named contoso.com.
You plan to provide identity-based access to storage1.

Which storage1 data service can be configured to use identity-based access?

Your Answer
file shares
This answer is correct.
Correct Answer
file shares
This answer is correct.
File shares can be configured to use Microsoft Entra Kerberos to provide identity-
based access to data storage.

Configure storage accounts - Training | Microsoft Learn

Compare storage for file shares and blob data - Training | Microsoft Learn

Question 19 of 50
You have an Azure subscription.

You plan to create a storage account named storage1.

You need to ensure that storage1 provides POSIX-compliant access control lists
(ACLs).

Which option should you configure when creating storage1?

Your Answer
hierarchical namespace
This answer is correct.
Correct Answer
hierarchical namespace
This answer is correct.
To enable POSIX-compliant access control lists (ACLs), the hierarchical namespace
must be used. The remaining options are valid for a storage account, but do not
provide the POSIX-compliant feature.

Azure Data Lake Storage Gen2 Hierarchical Namespace | Microsoft Learn

Configure storage accounts - Training | Microsoft Learn

Question 20 of 50
You have an Azure subscription.

You plan to create a storage account named storage1 to store images.

You need to replicate the images to a new storage account.

What are three requirements of storage1? Each correct answer presents part of a
complete solution.

Your Answer
a container
This answer is correct.
blob versioning
This answer is correct.
standard general-purpose v2
This answer is correct.
Correct Answer
a container
This answer is correct.
blob versioning
This answer is correct.
standard general-purpose v2
This answer is correct.
Versioning must be enabled for the source and target. An object type container is
needed to replicate the images. You must create a StandardV2 storage account. File
shares are not needed, and queues are unsupported for replication.

Object replication overview - Azure Storage | Microsoft Learn

Configure Azure Blob Storage - Training | Microsoft Learn

Question 21 of 50
You have an Azure Storage account named storage1.

You plan to store long-term backups in storage1. The solution must minimize costs.

Which storage tier should you use for the backups?

Your Answer
Archive
This answer is correct.
Correct Answer
Archive
This answer is correct.
Archive is an offline tier that is optimized for storing data that is rarely
accessed and has flexible latency requirements. Data in the Archive tier must be
stored for a minimum of 180 days.

Hot, cool, and archive access tiers for blob data - Azure Storage | Microsoft Learn

Assign blob access tiers - Training | Microsoft Learn

Question 22 of 50
You plan to deploy an Azure virtual machine based on a basic template stored in the
Azure Resource Manager (ARM) library.

What can you configure during the deployment of the template?

Your Answer
the resource group
This answer is correct.
Correct Answer
the resource group
This answer is correct.
When you deploy a resource by using a template, you can specify the resource group
for the deployment. The resource group is a container for Azure resources and makes
it easier to manage the resources.

Deploy template - Azure portal - Azure Resource Manager | Microsoft Learn

New-AzResourceGroupDeployment (Az.Resources) | Microsoft Learn

Question 23 of 50
You have two Azure virtual machines named VM1 and VM2 that run Windows Server.

VM1 has a single data disk that stores backup files.


You need to move the data disk from VM1 to VM2 as quickly as possible.

What should you do first?

Your Answer
Stop VM1.
This answer is incorrect.
Correct Answer
Detach the data disk from VM1.
This answer is correct.
You can detach a disk from a running virtual machine (hot removal). You do not need
to stop VM2 or restart VM1.

Detach a data disk from a Windows VM - Azure - Azure Virtual Machines | Microsoft
Learn

Configure virtual machines - Training | Microsoft Learn

Question 24 of 50
You have an Azure virtual network that contains two subnets named Subnet1 and
Subnet2. You have a virtual machine named VM1 that is connected to Subnet1. VM1
runs Windows Server.

You need to ensure that VM1 is connected directly to both subnets.

What should you do first?

Your Answer
From the Azure portal, add a network interface.
This answer is correct.
Correct Answer
From the Azure portal, add a network interface.
This answer is correct.
A network interface is used to connect a virtual machine to a subnet. Since VM1 is
connected to Subnet1, VM1 already has a network interface attached that is
connected to Subnet1. To connect VM1 directly to Subnet2, you must create a new
network interface that is connected to Subnet2. Next, you must attach the new
network interface to VM1.

An IP group is a user-defined collection of static IP addresses, ranges, and
subnets. A network bridge allows you to connect multiple existing network
connections in Windows together. Changing the IP configurations of the existing
network interface results in VM1 being connected to Subnet2 but not to Subnet1.

Virtual networks and virtual machines in Azure | Microsoft Learn

Configure virtual networks - Training | Microsoft Learn

Question 25 of 50
You are deploying a virtual machine by using an availability set in the East US
Azure region.

You have deployed 18 virtual machines in two fault domains and 10 update domains.

Microsoft performed planned physical hardware maintenance in the East US region.

What is the maximum number of virtual machines that will be unavailable?


Your Answer
2
This answer is correct.
Correct Answer
2
This answer is correct.
18 virtual machines are shared across 10 update domains. The first 10 virtual
machines go to 10 update domains, so eight update domains will have two virtual
machines. When there is physical hardware maintenance, some virtual machines will
be unavailable based on their configuration. If there was a rack failure, then 18
virtual machines will be distributed to two fault domains with nine virtual
machines each.

Availability sets overview - Azure Virtual Machines | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

Question 26 of 50
You plan to deploy an Azure virtual machine.

You are evaluating whether to use an Azure Spot instance.

Which two factors can cause an Azure Spot instance to be evicted? Each correct
answer presents a complete solution.

Your Answer
the Azure capacity needs
This answer is correct.
the current price of the instance
This answer is correct.
Correct Answer
the Azure capacity needs
This answer is correct.
the current price of the instance
This answer is correct.
Azure Spot instances allow you to provision virtual machines at a reduced cost, but
these virtual machines can be stopped by Azure when Azure needs the capacity for
other pay-as-you-go workloads, or when the price of the spot instance exceeds the
maximum price that you have set. These virtual machines are good for dev, testing,
or for workloads that do not require any specific SLA.

Use Azure Spot Virtual Machines - Azure Virtual Machines | Microsoft Learn

Configure virtual machine availability - Training | Microsoft Learn

Question 27 of 50
You have an Azure subscription that contains an Azure Storage account named
vmstorageaccount1.

You create an Azure container instance named container1.

You need to configure persistent storage for container1.

What should you create in vmstorageaccount1?

Your Answer
a file share
This answer is correct.
Correct Answer
a file share
This answer is correct.
An Azure container instance (Docker container) can mount Azure File Storage shares
as directories and use them as persistent storage. An Azure container instance
cannot mount blob containers, queues, or tables and use them as persistent storage.

Persistent Docker volumes with Azure File Storage | Azure Blog and Updates |
Microsoft Azure

Configure Azure Container Instances - Training | Microsoft Learn

Question 28 of 50
Your development team plans to deploy an Azure container instance. The container
needs a persistent storage layer.

Which service should you use?

Your Answer
Azure Files
This answer is correct.
Correct Answer
Azure Files
This answer is correct.
You can persist data for Azure Container Instances with the use of Azure Files.
Azure Files offers fully managed file shares hosted in Azure Storage that are
accessible via the industry standard Server Message Block (SMB) protocol.

Mount Azure Files volume to container group - Azure Container Instances | Microsoft
Learn

Explore Azure Storage services - Training | Microsoft Learn

Question 29 of 50
You have an Azure subscription that contains an Azure container app named cont1.

You plan to add scaling rules to cont1.

You need to ensure that cont1 replicas are created based on received messages in
Azure Service Bus.

Which scale trigger should you use?

Your Answer
event-driven
This answer is correct.
Correct Answer
event-driven
This answer is correct.
Azure Container Apps allows a set of triggers to create new instances, called
replicas. For Azure Service Bus, an event-driven trigger can be used to run the
escalation method. The remaining scale triggers cannot use a scale rule based on
messages in an Azure service bus.

Scaling in Azure Container Apps | Microsoft Learn

Configure Azure Container Instances - Training | Microsoft Learn

Question 30 of 50
You have a Basic Azure App Service plan that contains a web app.
You need to ensure that the web app can scale automatically when the CPU percentage
goes beyond 80 percent for a duration of 15 minutes.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Configure a scaling condition to scale based on a metric, and then add the rules.
This answer is correct.
Scale up the App Service plan.
This answer is correct.
Correct Answer
Configure a scaling condition to scale based on a metric, and then add the rules.
This answer is correct.
Scale up the App Service plan.
This answer is correct.
Scale up the web app by adding more CPU, memory, and disk space to fulfill the
requirement. Increase the number of virtual machine instances that run the app. The
scale settings take only seconds to apply and affect all the apps in the App
Service plan. Then, you must set up a scaling condition with the required metrics
to scale up/down and scale out/in when certain thresholds are met.

Scale up features and capacities - Azure App Service | Microsoft Learn

Configure Azure App Service - Training | Microsoft Learn

Question 31 of 50
You have an Azure subscription.

You plan to deploy a web app in a Linux-based Docker container.

You need to recommend a solution for the deployment of the web app that meets the
following requirements:

Supports a custom domain name

Provides the ability to scale out automatically based on demand

Minimizes administrative effort

Minimizes costs

Which solution should you recommend?

Your Answer
Azure App Service
This answer is correct.
Correct Answer
Azure App Service
This answer is correct.
Azure App Service fulfills all the stated requirements. Azure Virtual Machine Scale
Sets, Azure Kubernetes Service (AKS), and Azure Container Instances are more
difficult to administer and more costly.

Overview - Azure App Service | Microsoft Learn

Configure Azure App Service plans - Training | Microsoft Learn

Question 32 of 50
You have an Azure subscription that contains a web app named App1.

You configure App1 with a custom domain name of webapp1.contoso.com.


You need to create a DNS record for App1. The solution must ensure that App1
remains accessible if the IP address changes.

Which type of DNS record should you create?

Your Answer
CNAME
This answer is correct.
Correct Answer
CNAME
This answer is correct.
For web apps, you create either an A (Address) record or a CNAME (Canonical Name)
record. An A record maps a domain name to an IP address. A CNAME record maps a
domain name to another domain name. DNS uses the second name to look up the
address. Users still see the first domain name in their browser. If the IP address
changes, a CNAME entry is still valid, whereas an A record must be updated.

Configure Azure App Service - Training | Microsoft Learn

Create custom domain names - Training | Microsoft Learn

Question 33 of 50
You are an Azure Administrator for Best For You Organics Company. The company uses
ARM templates for deploying resources.

You need to pass an array as an inline parameter during the deployment of a local
template.

What should you do?

Your Answer
Provide the array values in the --parameters switch in the deployment command.
This answer is correct.
Correct Answer
Provide the array values in the --parameters switch in the deployment command.
This answer is correct.
To pass an array as an inline parameter during the deployment of a local template,
you should provide the array values in the --parameters switch in the deployment
command. The other options are not correct methods for passing an array as an
inline parameter.

Azure deployment templates with Azure CLI – Azure Resource Manager - Azure Resource
Manager | Microsoft Learn

Explore Azure Resource Manager template structure - Training | Microsoft Learn

Question 34 of 50
You have two Azure subscriptions named Sub1 and Sub2.

Sub1 contains a virtual network named VNet1 and a VPN gateway. Sub2 contains a
virtual network named VNet2.

You have an on-premises device named Device1 that runs Windows and has a Point-to-
Site (P2S) VPN client installed.

You configure network peering between VNet1 and VNet2.

You need to ensure that Device1 can access VNet2 when a VPN connection is
established.

What should you do?

Your Answer
Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Correct Answer
Download and reinstall the P2S VPN client on Device1.
This answer is correct.
Point-to-Site (P2S) VPN clients must be downloaded and reinstalled again after
virtual network peering is successfully configured to ensure that the new routes
are downloaded to the client.

A private endpoint and Azure Front Door are not required nor used to be able to
access VNet2 from VNet1.

Device1 already has a digital certificate when you install the P2S VPN client, so
you do not need to create a new certificate manually.

Create, change, or delete an Azure virtual network peering | Microsoft Learn

Configure virtual network peering - Training | Microsoft Learn

Question 35 of 50
You have an Azure subscription that contains a network security group (NSG) named
NSG1.

You plan to configure NSG1 to allow the following types of traffic:

Remote Desktop Management

Secured HTTPS

Which two ports should you allow in NSG1? Each correct answer presents part of the
solution.

Your Answer
443
This answer is correct.
3389
This answer is correct.
Correct Answer
443
This answer is correct.
3389
This answer is correct.
You must open port 443 to secured HTTPS traffic, port 3389 for Remote Desktop, and
587 to send outbound email by using authenticated SMTP relay. Port 80 is used for
unsecured traffic. Port 25 is used by mail traffic.

Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 36 of 50
You have a virtual machine named VM1 that is assigned to a network security group
(NSG) named NSG1.

NSG1 has the following outbound security rules:


Rule1:

Priority: 900
Name: BlockInternet
Port: 80
Protocol: TCP
Source: Any
Destination: Any
Action: Block

Rule2:

Priority: 1000
Name: AllowInternet
Port: 80
Protocol: TCP
Source: Any
Destination: Any
Action: Allow

You need to ensure that internet access to VM1 on port 80 is allowed.

What should you do?

Your Answer
Change the priority of Rule2.
This answer is correct.
Correct Answer
Change the priority of Rule2.
This answer is correct.
Rule1 has the higher priority (900 is processed before 1000, because rules with
lower priority numbers are evaluated first), so the traffic will be blocked. You
can increase the priority of Rule2, decrease the priority of Rule1, or change the
action of Rule1 to achieve the goal.

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 37 of 50
You create several Azure virtual machines that run Windows Server.

You need to connect to the virtual machines without exposing RDP ports over the
internet.

Which Azure service should you deploy?

Your Answer
Azure Bastion
This answer is correct.
Correct Answer
Azure Bastion
This answer is correct.
Azure Bastion is a service that lets you connect to a virtual machine by using a
browser, without exposing RDP and SSH ports. Azure Monitor helps you maximize the
availability and performance of applications and services. Azure Network Watcher
provides tools to monitor, diagnose, view metrics, and enable or disable logs for
resources in an Azure virtual network. Remote Desktop is a feature of the operating
system, which exposes the RDP port to connect to a server from the internet.

About Azure Bastion | Microsoft Learn


Configure virtual networks - Training | Microsoft Learn

Question 38 of 50
Your company plans to migrate servers from on-premises to Azure. There will be dev,
test, and production virtual machines on a single virtual network.

You need to restrict traffic between the dev, test, and production virtual machines
to specific ports.

What should you use?

Your Answer
a network security group (NSG)
This answer is correct.
Correct Answer
a network security group (NSG)
This answer is correct.
You must configure network security group (NSG) rules to allow TCP or ICMP traffic
for specific ports. Azure Firewall is a managed service that protects your Azure
services across multiple virtual networks. Load balancers are used to distribute
incoming traffic to available backend servers. Azure VPN is used to establish a
connection between on-premises and Azure.

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 39 of 50
You deploy web servers to two virtual machines named VM1 and VM2 in an availability
set named AVSet1.

You need to configure Azure Load Balancer with a backend pool of VM1 and VM2. The
solution must minimize costs.

Which SKU should you use for the Azure Load Balancer configuration?

Your Answer
Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Correct Answer
Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Basic Azure Load Balancer supports deployment in a single availability zone. Basic
Azure Load Balancer supports only Basic SKU public IP. Azure Standard Load Balancer
is zone-redundant, but has a higher cost.

Azure Load Balancer SKUs | Microsoft Learn

Configure Azure Load Balancer - Training | Microsoft Learn

Question 40 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 has a
virtual network named VNet3, a virtual machine named VM1, and a public IP address
named PubIP1. All the resources are in the West US Azure region.

You plan to create and configure a network security group (NSG) named NSG1 for the
following types of traffic:

Remote Desktop Management

HTTP

NSG1 will be used on the subnets of multiple virtual networks.

Which two cmdlets should you run? Each correct answer presents part of the
solution.

Your Answer
New-AzNetworkSecurityGroup
This answer is correct.
New-AzNetworkSecurityRuleConfig
This answer is correct.
Correct Answer
New-AzNetworkSecurityGroup
This answer is correct.
New-AzNetworkSecurityRuleConfig
This answer is correct.
New-AzNetworkSecurityRuleConfig allows you to create a rule and provide the type,
protocol, direction, and port number. New-AzNetworkSecurityGroup creates a network
security group (NSG). The -SecurityRules parameter specifies a list of network
security rule objects to create in an NSG.

New-AzNetworkSecurityRuleConfig (Az.Network) | Microsoft Learn

New-AzNetworkSecurityGroup (Az.Network) | Microsoft Learn

Azure network security groups overview | Microsoft Learn

Configure network security groups - Training | Microsoft Learn

Question 41 of 50
You have an Azure subscription that contains a virtual network named VNet1 and a
virtual machine named VM1.

VM1 can only be accessed from the internal network.

An external contractor needs access to VM1. The solution must minimize
administrative effort.

What should you configure?

Your Answer
a Site-to-Site (S2S) VPN
This answer is incorrect.
Correct Answer
a public IP address
This answer is correct.
To share a virtual machine with an external user, you must add a public IP address
to the virtual machine. An additional IP address or firewall configuration will not
help in this case. Configuring an S2S VPN does not minimize administrative
effort.

Virtual networks and virtual machines in Azure | Microsoft Learn

Quickstart - Create a Windows VM in the Azure portal - Azure Virtual Machines |
Microsoft Learn

Question 42 of 50
You have an Azure subscription that contains a virtual network named VNet1.
You plan to enable VNet1 connectivity to on-premises resources by using an
encrypted connection.

What should you configure for VNet1?

Your Answer
a virtual network gateway
This answer is correct.
Correct Answer
a virtual network gateway
This answer is correct.
A VPN gateway is a type of virtual network gateway that sends encrypted traffic
between a virtual network and an on-premises location across a public connection.
You can also use a VPN gateway to send traffic between virtual networks across the
Azure backbone. A VPN gateway connection relies on the configuration of multiple
resources, each of which contains configurable settings.

Introduction to Azure VPN Gateway - Training | Microsoft Learn

Question 43 of 50
You have an Azure virtual network named VNet1.

You create an Azure Private DNS zone named contoso.com.

You need to ensure that the virtual machines on VNet1 register in the contoso.com
private DNS zone.

What should you do?

Your Answer
Add a virtual network link to contoso.com.
This answer is correct.
Correct Answer
Add a virtual network link to contoso.com.
This answer is correct.
To associate a virtual network to a private DNS zone, you add the virtual network
to the zone by creating a virtual network link.

Azure DNS Private Resolver is used to proxy DNS queries between on-premises
environments and Azure DNS.

A custom DNS server will work if you deploy a DNS server as a virtual machine or an
appliance; however, this configuration does not work with a private DNS zone.

Quickstart - Create an Azure private DNS zone using the Azure portal | Microsoft
Learn

Host your domain on Azure DNS - Training | Microsoft Learn

Question 44 of 50
You need to create Azure alerts based on metric values and activity log events.

The solution must meet the following requirements:

Set a limit on how many times an alert notification is sent.

Call an Azure function when an alert is triggered.

Configure the alert to have a severity of warning when triggered.


Which two resources should you create? Each correct answer presents part of the
solution.

Your Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
Correct Answer
an action group
This answer is correct.
an alert rule
This answer is correct.
You must create an action group to set up an action and create an alert rule to set
the severity of the errors. A notification is only used to send email and you do
not need to call a webhook.

Manage action groups in the Azure portal - Azure Monitor | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Question 45 of 50
You have a Kusto query that returns 1,000 events from the SecurityEvent table in
Azure Monitor.

You need to configure the query to aggregate the results by the Account column.

Which operator should you use?

Your Answer
summarize
This answer is correct.
Correct Answer
summarize
This answer is correct.
Summarize is used to group records from one or more columns of data. Where is used
to filter the rows. Project is used to rename and select columns. Extend is used to
add columns.

Get started with log queries in Azure Monitor - Azure Monitor | Microsoft Learn

Configure Azure Monitor - Training | Microsoft Learn

Question 46 of 50
You have an Azure virtual machine that runs Linux. The virtual machine hosts a
custom application that outputs log data in the JSON format.

You need to recommend a solution to collect the logs in a Log Analytics workspace.

What should you include in the recommendation?

Your Answer
the Azure Monitor agent for Linux
This answer is correct.
Correct Answer
the Azure Monitor agent for Linux
This answer is correct.
You can use the Log Analytics agent for Linux as part of a solution to collect JSON
output from the Linux virtual machines.

The Azure Custom Script Extension is used for post-deployment configuration,
software installation, or any other configuration or management task.

Desired State Configuration (DSC) is a management platform that you can use to
manage an IT and development infrastructure with configuration as code.

The Azure VMAccess extension acts as a KVM switch that allows you to access the
console to reset access to Linux or perform disk-level maintenance.

Collecting custom JSON data sources with the Log Analytics agent for Linux in Azure
Monitor - Azure Monitor | Microsoft Learn

Improve incident response with alerting on Azure - Training | Microsoft Learn

Question 47 of 50
You have multiple Azure virtual machines and an Azure Recovery Services vault.
Virtual machines are configured with the default backup policy.

What is the retention period of virtual machine backups in the default backup
policy?

Your Answer
30 days
This answer is correct.
Correct Answer
30 days
This answer is correct.
By default, backups of virtual machines are kept for 30 days.

Back up an Azure VM from the VM settings - Azure Backup | Microsoft Learn

Question 48 of 50
You have an Azure subscription that contains the following resources:

Eight virtual networks
24 virtual machines
16 storage accounts

You need to implement a monitoring solution that provides the ability to view
diagnostics and telemetry data generated by Azure resources.

What should you include in the solution?

Your Answer
a Log Analytics workspace
This answer is correct.
Correct Answer
a Log Analytics workspace
This answer is correct.
A Log Analytics workspace is a unique environment for log data from Azure Monitor
and other Azure services, such as Microsoft Sentinel and Microsoft Defender for
Cloud. Each workspace has its own data repository and configuration and can combine
data from multiple services.

Log Analytics workspace overview - Azure Monitor | Microsoft Docs

Determine Log Analytics uses - Training | Microsoft Learn


Question 49 of 50
You have an Azure subscription that contains a resource group named RG1. RG1
contains two virtual machines named VM1 and VM2.

You need to inspect all the network traffic from VM1 to VM2. The solution must use
Azure Monitor metrics.

Which two actions should you perform? Each correct answer presents part of the
solution.

Your Answer
Install AzureNetworkWatcherExtension.
This answer is correct.
Use packet capture.
This answer is correct.
Correct Answer
Install AzureNetworkWatcherExtension.
This answer is correct.
Use packet capture.
This answer is correct.
Azure Network Watcher variable packet capture allows you to create packet capture
sessions to track traffic to and from a virtual machine. Packet capture helps to
diagnose network anomalies both reactively and proactively.

Tutorial: Monitor network communication between two virtual machines using the
Azure portal | Microsoft Learn

Introduction to Packet capture in Azure Network Watcher | Microsoft Learn

Configure Network Watcher - Training | Microsoft Learn

Question 50 of 50
You have an Azure subscription that contains 20 virtual networks and 500 virtual
machines.

You deploy a new virtual machine named VM501.

You discover that VM501 is unable to communicate with a virtual machine named VM20
in the subscription. You suspect that a network security group (NSG) is the cause
of the issue.

You need to identify whether an NSG is blocking communications. The solution must
minimize administrative effort.

What should you use?

Your Answer
IP flow verify
This answer is correct.
Correct Answer
IP flow verify
This answer is correct.
IP flow verify lets you specify a source and destination IPv4 address, port,
protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify
can identify the specific network security group (NSG) that prevents communication.
NSG flow logs is a feature of Azure Network Watcher that allows you to log
information about IP traffic flowing through an NSG. Although the logs may help you
identify the source of the issue, it requires much more configuration and manual
evaluation. Packet capture allows you to create packet capture sessions to track
traffic to and from a virtual machine. Packet capture may help narrow down the
scope of the issue, but it will not identify the specific NSG that prevents
communication.

Azure Network Watcher | Microsoft Learn

Configure Network Watcher - Training | Microsoft Learn

Practice Assessment Results: December 19, 2024

Practice Assessment for Exam AZ-104: Microsoft Azure Administrator

It took you 29 minutes to complete this assessment.

Overall Results
To be better prepared for the exam, aim to achieve a score of 80% or higher in
multiple attempts.

Score: 94%

Performance by assessment section


To further strengthen your skills in the following areas, refer to the Customized
Learning Material section below.

Manage Azure identities and governance

Implement and manage storage

Deploy and manage Azure compute resources

Implement and manage virtual networking

Monitor and maintain Azure resources

Customized learning material to improve your skills


Congratulations, you passed all the sections! If you have passed multiple
attempts, consider scheduling an exam.