NEW QUESTION 1
HOT SPOT
You have an Azure web app named WebApp1 that runs in an Azure App Service plan named ASP1. ASP1 is based on the D1 pricing tier.
You need to ensure that WebApp1 can be accessed only from computers on your on-premises network. The solution must minimize costs.
What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: B1
B1 (Basic) would minimize cost compared P1v2 (premium) and S1 (standard). Box 2: Cross Origin Resource Sharing (CORS)
Once you set the CORS rules for the service, then a properly authenticated request made against the service from a different domain will be evaluated to determine whether it is allowed according to the rules you have specified.
Note: CORS (Cross Origin Resource Sharing) is an HTTP feature that enables a web application running under one domain to access resources in another domain. In order to reduce the possibility of cross-site scripting attacks, all modern web browsers implement a security restriction known as
same-origin policy. This prevents a web page from calling APIs in a different domain. CORS provides a secure way to allow one origin (the origin domain) to call APIs in another origin.
References:
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/ https://docs.microsoft.com/en-us/azure/cdn/cdn-cors

NEW QUESTION 2
You have an Azure subscription named Subscription1 and two Azure Active Directory (Azure AD) tenants named Tenant1 and Tenant2.
Subscnption1 is associated to Tenant1 Multi-factor authentication (MFA) is enabled for all the users in Tenant1.
You need to enable MFA for the users in Tenant2. The solution must maintain MFA forTenant1. What should you do first?

• A. Transfer the administration of Subscription1 to a global administrator of Tenants.
• B. Configure the MFA Server setting in Tenant1.
• C. Create and link a subscription to Tenant2.
• D. Change the directory for Subscription1.

Answer: C

Explanation: Case Study: 12
ADatum Corporation Overview
A Datum Corporation is a financial company that has two main offices in New York and Los Angeles. A Datum has a subsidiary named Fabrikam, Inc. that shares the Los Angeles office.
A Datum is conducting an initial deployment of Azure services to host new line-of-business applications and is preparing to migrate its existing on-premises workloads to Azure.
A Datum uses Microsoft Exchange Online for email. On-Premises Environment
The on-premises workloads run on virtual machines hosted in a VMware vSphere 6 infrastructure. All the virtual machines are members of an Active Directory forest named adatum.com and run Windows Server 2021.
The New York office an IP address of 10.0.0.0/16. The Los Angeles office uses an IP address space of 10.10.0.0/16.
The offices connect by using a VPN provided by an ISP. Each office has one Azure ExpressRoute circuit that provides access to Azure services and Microsoft Online Services. Routing is implemented by using Microsoft peering.
The New York office has a virtual machine named VM1 that has the vSphere console installed. Azure Environment
You provision the Azure infrastructure by using the Azure portal. The infrastructure contains the resources shown in the following table.

AG1 has two backend pools named Pool11 and Pool12. AG2 has two backend pools named Pool21 and Pool22.
Planned Changes
ADatum plans to migrate the virtual machines from the New York office to the East US Azure region by using Azure Site Recovery.
Infrastructure Requirements
ADatum identifies the following infrastructure requirements:
? A new web app named App1 that will access third-parties for credit card processing must be deployed.
? A newly developed API must be implemented as an Azure function named App2. App2 will use a blob storage trigger. App2 must process new blobs immediately.
? The Azure infrastructure and the on-premises infrastructure and the on-premises infrastructure must be prepared for the migration of the VMware virtual machines to Azure.
? The sizes of the Azure virtual machines that will be used to migrate the on-premises workloads must be identified.
? All migrated and newly deployed Azure virtual machines must be joined to the adatum.com domain.
? AG1 must load balance incoming traffic in the following manner:
1. http://corporate.adatum.com/video/* will be load balanced across Pool11.
2. http://corporate.adatum.com/images/* will be load balanced across Pool12.
? AG2 must load balance incoming traffic in the following manner:
1. http://www.adatum.com will be load balanced across Pool21.
2. http://www.fabrikam.com will be load balanced across Pool22.
? ER1 must route traffic between the New York office and the platform as a service (PaaS) services in the East US Azure region, as long as ER1 is available.
? ER2 must route traffic between the Los Angeles office and the PaaS sevices in the West US region, as long as ER2 is available.
? ER1 and ER2 must be configured to fail over automatically. Application Requirements
App2 must be able to connect directly to the private IP addresses of the Azure virtual machines. App2 will be deployed directly to an Azure virtual network.
Inbound and outbound communications to App1 must be controlled by using NSGs. Pricing Requirements
ADatum identifies the following pricing requirements:
? The cost of App1 and App2 must be minimized.
? The transactional charges of Azure Storage account must be minimized.

NEW QUESTION 3
DRAG DROP
You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each department uses resources in several resource groups.
You need to send a report to the finance department. The report must detail the costs for each department. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation: Box 1: Assign a tag to each resource.
You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Each resource or resource group can have a maximum of 15 tag name/value pairs. Tags applied to the resource group are not inherited by the resources in that resource group.
Box 2: From the Cost analysis blade, filter the view by tag
After you get your services running, regularly check how much they're costing you. You can see the current spend and burn rate in Azure portal.
Visit the Subscriptions blade in Azure portal and select a subscription. You should see the cost breakdown and burn rate in the popup blade.
Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24 hours after you add a service for the data to populate.
You can filter by different properties like tags, resource group, and timespan. Click Apply to confirm the filters and Download if you want to export the view to a Comma-Separated Values (.csv) file. Box 3: Download the usage report
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags https://docs.microsoft.com/en-us/azure/billing/billing-getting-started

NEW QUESTION 4
You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical requirements.
What should you include in the recommended?

• A. Azure AP B2C
• B. Azure AD Identity Protection
• C. an Azure logic app and the Microsoft Identity Management (MIM) client
• D. dynamic groups and conditional access policies

Answer: D

Explanation: Scenario: Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
The recommendation is to use conditional access policies that can then be targeted to groups of users, specific applications, or other conditions.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

NEW QUESTION 5
You have an Azure subscription.
You enable multi-factor authentication for all users.
Some users report that the email applications on their mobile device cannot co browser and from Microsoft Outlook 2021 on their computer.
You need to ensure that the users can use the email applications on their mobile device. What should you instruct the users to do?
The users can access Exchange Online by using a web

• A. Enable self-service password reset.
• B. Create an app password.
• C. Reset the Azure Active Directory (Azure AD) password.
• D. Reinstall the Microsoft Authenticator app.

Answer: A

Explanation: References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

NEW QUESTION 6
You have a virtual network named VNet1 as shown in the exhibit.

No devices are connected to VNet1.
You plan to peer VNet1 to another virtual network named Vnet2 in the same region. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering. What should you do first?

• A. Modify the address space of VNet1.
• B. Configure a service endpoint on VNet2
• C. Add a gateway subnet to VNet1.
• D. Create a subnet on VNet1 and VNet2.

Answer: A

Explanation: The virtual networks you peer must have non-overlapping IP address spaces. References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-managepeering# requirements-and-constraints

NEW QUESTION 7
You have an Azure subscription that contains a virtual network named VNet1. VNet 1 has two subnets named Subnet1 and Subnet2. VNet1 is in the West Europe Azure region.
The subscription contains the virtual machines in the following table.

You need to deploy an application gateway named AppGW1 to VNet1. What should you do first?

• A. Add a service endpoint.
• B. Add a virtual network.
• C. Move VM3 to Subnet1.
• D. Stop VM1 and VM2.

Answer: D

Explanation: If you have an existing virtual network, either select an existing empty subnet or create a new subnet in your existing virtual network solely for use by the application gateway.
Verify that you have a working virtual network with a valid subnet. Make sure that no virtual machines or cloud deployments are using the subnet. The application gateway must be by itself in a virtual network subnet.
References:
https://social.msdn.microsoft.com/Forums/azure/en-US/b09367f9-5d01-4cda-9127- b7a506a0a151/cant-create-application-gateway?forum=WAVirtualMachinesVirtualNetwork https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway

NEW QUESTION 8
HOT SPOT
You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.

You create two user accounts that are configured as shown in the following table.

To which groups do User1 and User2 belong? To answer. select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: Group 1 only First rule applies
Box 2: Group1 and Group2 only Both membership rules apply.
References: https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/createcollections

NEW QUESTION 9
You have an Azure subscription named Subscnption1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1. What should you do fit -

• A. From the Azure portal modify the Access control (1AM) settings of VM1.
• B. From the Azure portal, modify the Policies settings of RG1.
• C. From the Azure portal, modify the value of the Managed Service Identity option for VM1.
• D. From the Azure portal, modify the Access control (IAM) settings of RG1.

Answer: C

Explanation: A managed identity from Azure Active Directory allows your app to easily access other AADprotected
resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets.
User assigned managed identities can be used on Virtual Machines and Virtual Machine Scale Sets. References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity

NEW QUESTION 10
You have a resource group named RG1. RG1 contains an Azure Storage account named storageaccount1 and a virtual machine named VM1 that runs Windows Server 2021. Storageaccount1 contains the disk files for VM1. You apply a ReadOnly lock to RG1. What can you do from the Azure portal?

• A. Generate an automation script for RG1.
• B. View the keys of storageaccount1.
• C. Upload a blob to storageaccount1.
• D. Start VM1.

Answer: B

Explanation: ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lockresources

NEW QUESTION 11
HOT SPOT
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table.

VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and Vnet2.
An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.
You need to move the custom application to Vnet2. The solution must minimize administrative effort.
Which two actions should you perform? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: You can move a VM and its associated resources to another resource group using the portal. References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm

NEW QUESTION 12
You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.
You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single-sign on (SSO) to access Azure resources.
What should you do first?

• A. From the on-premises network, deploy Active Directory Federation Services (AD FS).
• B. From Azure AD, add and verify a custom domain name.
• C. From the on-premises network, request a new certificate that contains the Active Directory domain name.
• D. From the server that runs Azure AD Connect, modify the filtering option

Answer: B

Explanation: Azure AD Connect lists the UPN suffixes that are defined for the domains and tries to match them
with a custom domain in Azure AD. Then it helps you with the appropriate action that needs to be taken. The Azure AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and displays the corresponding status against each suffix. The status values can be one of the following:
State: Verified Azure AD Connect found a matching verified domain in Azure AD. All users for this domain can sign in by using their on-premises credentials.
State: Not verified Azure AD Connect found a matching custom domain in Azure AD, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified.
Action Required: Verify the custom domain in Azure AD.
References: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userQuestions& Answers PDF P-80 signin

NEW QUESTION 13
You need to deploy an application gateway named appgwl015 to meet the following requirements: Load balance internal IP traffic to the Azure virtual machines connected to subnet0.
Provide a Service Level Agreement (SLA) of 99.99 percent availability for the Azure virtual machines. What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Click New found on the upper left-hand corner of the Azure portal. Step 2:
Select Networking and then select Application Gateway in the Featured list. Step 3:
Enter these values for the application gateway: appgw1015 - for the name of the application gateway. SKU Size: Standard_V2
The new SKU [Standard_V2] offers autoscaling and other critical performance enhancements.

Step 4:
Accept the default values for the other settings and then click OK. Step 5:
Click Choose a virtual network, and select subnet0.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gatewayportal

NEW QUESTION 14
You plan to support many connections to your company's automatically uses up to five instances when CPU utilization on the instances exceeds 70 percent for 10 minutes. When CPU utilization decreases, the solution must automatically reduce the number of instances.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Locate the Homepage App Service plan Step 2:
Click Add a rule, and enter the appropriate fields, such as below, and the click Add. Time aggregation: average
Metric Name: Percentage CPU Operator: Greater than Threshold 70
Duration: 10 minutes Operation: Increase count by Instance count: 4

Step 3:
We must add a scale in rule as well. Click Add a rule, and enter the appropriate fields, such as below, then click Add.
Operator: Less than
Threshold 70
Duration: 10 minutes Operation: Decrease count by Instance count: 4 References:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-setsautoscale- portal
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/insights-autoscale-bestpractices

NEW QUESTION 15
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD You need to ensure that Azure can verify the domain name. Which type of DNS record should you create?

• A. PTR
• B. MX
• C. NSEC3
• D. RRSIG

Answer: B

Explanation: To verify your custom domain name (example)
Sign in to the Azure portal using a Global administrator account for the directory. Select Azure Active Directory, and then select Custom domain names.
On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.

References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

NEW QUESTION 16
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

• A. Allow inbound TCP port 8080 to the domain controllers in the Miami office.
• B. Add http://autogon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miamioffice.
• C. Join the client computers in the Miami office to Azure AD.
• D. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.
• E. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authenticatio

Answer: BE

Explanation: B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com
E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

Case Study: 2
Contoso Ltd Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains. Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
? File servers
? Domain controllers
? Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
? A SQL database
? A web front end
? A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only. Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure: Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft Office 365 migration project. Technical Requirements
Contoso must meet the following technical requirements: Move all the virtual machines for App1 to Azure. Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups. Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier. Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure. Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible. User Requirements
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD. Designate a new user named Admin1 as the service administrator of the Azure subscription. Ensure that a new user named User3 can create network objects for the Azure subscription.

NEW QUESTION 17
You need to add a deployment slot named staging to an Azure web app named corplod@lab.LabInstance.Idn4. The solution must meet the following requirements:
When new code is deployed to staging, the code must be swapped automatically to the production slot. Azure-related costs must be minimized.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Locate and open the corplod@lab.LabInstance.Idn4 web app.
1. In the Azure portal, on the left navigation panel, click Azure Active Directory.
2. In the Azure Active Directory blade, click Enterprise applications. Step 2:
Open your app's resource blade and Choose the Deployment slots option, then click Add Slot.

Step 3:
In the Add a slot blade, give the slot a name, and select whether to clone app configuration from another existing deployment slot. Click the check mark to continue.
The first time you add a slot, you only have two choices: clone configuration from the default slot in production or not at all.
References:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-staged-publishing