1. Topic 1, Contoso, Ltd

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

✑ Move all the tiers of App1 to Azure.

✑ Move the existing product blueprint files to Azure Blob storage.

✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

Designate a new user named Admin1 as the service administrator of the Azure subscription.

Ensure that a new user named User3 can create network objects for the Azure subscription.

You need to implement a backup solution for App1 after the application is moved.

What should you create first?

2. You need to recommend an identify solution that meets the technical requirements.

What should you recommend?

3. You need to move the blueprint files to Azure.

What should you do?

4. HOTSPOT

You need to configure the Device settings to meet the technical requirements and the user requirements.

Which two settings should you modify? To answer, select the appropriate settings in the answer area.

5. HOTSPOT

You need to recommend a solution for App1. The solution must meet the technical requirements .

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

6. HOTSPOT

You need to identify the storage requirements for Contoso.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

7. You need to meet the user requirement for Admin1.

What should you do?

8. You are planning the move of App1 to Azure.

You create a network security group (NSG).

You need to recommend a solution to provide users with access to App1.

What should you recommend?

9. Topic 2, Misc. Questions

You have Azure virtual machines deployed to three Azure regions. Each region contains a single virtual network that has four virtual machines on the same subnet. Each virtual machine runs an application named App1. App1 is accessible by using HTTPS. Currently, the virtual machines are inaccessible from the internet.

You need to use Azure Front Door to load balance requests for App1 across all the virtual machines.

Which additional Azure service should you provision?

10. You have an Azure subscription that contains an Azure Sentinel workspace. Sentinel is configured to monitor several Azure resources.

You need to send notification emails to resource owners when alerts or recommendations are generated for a resource.

What should you use?

11. You have an Azure App Service app.

You need to implement tracing for the app.

The tracing information must include the following:

✑ Usage trends

✑ AJAX call responses

✑ Page load speed by browser

✑ Server and browser exceptions

What should you do?

12. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company is deploying an on-premises application named Appl. Users will access App1 by using a URL of https://app1.contoso.com. You register App1 in Azure Active Directory (Azure AD) and publish Appl by using the Azure AD Application Proxy. You need to ensure that Appl appears in the My Apps portal for all the users.

Solution: You create a conditional access policy for App1.

13. You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases named DB1 and DB2.

You plan to move DB1 and DB2 to Azure.

You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and DB2.

Solution: You deploy DB1 and DB2 to SQL Server on an Azure virtual machine.

Does this meet the goal?

14. HOTSPOT

Your company hosts multiple websites by using Azure virtual machine scale sets (VMSS) that run Internet Information Server (IIS).

All network communications must be secured by using end to end Secure Socket Layer (SSL) encryption. User sessions must be routed to the same server by using cookie-based session affinity.

The image shown depicts the network traffic flow for the websites to the VMSS.

Use the drop-down menus to select the answer choice that answers each question. NOTE: Each correct selection is worth one point.

15. HOTSPOT

You have an Azure subscription that contains the resource groups shown in the following table.

You create an Azure Resource Manager template named Template1 as shown in the following exhibit.

From the Azure portal, you deploy Template1 four times by using the settings shown in the following table.

What is the result of the deployment? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

16. HOTSPOT

You plan to implement an access review to meet the following requirements:

✑ The access review must be enforced until otherwise configured.

✑ Each user or group that has access to the Azure environment must be in the scope of the access review.

✑ The access review must be completed within two weeks.

✑ A lack of response must not cause changes in the operational environment.

An administrator creates the access review shown in the answer area.

Which two sections of the access review should you modify to meet the requirements? To answer, select the appropriate sections in the answer area. NOTE: Each correct selection is worth one point.

17. HOTSPOT

A company runs multiple Windows virtual machines (VMs) in Azure.

The IT operations department wants to apply the same policies as they have for on-premises VMs to the VMs running in Azure, including domain administrator permissions and schema extensions.

You need to recommend a solution for the hybrid scenario that minimizes the amount of maintenance required.

What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

18. HOTSPOT

Your network contains an on-premises Active Directory domain named contoso.com that contains a user named User1. The domain syncs to Azure Active Directory (Azure AD).

You have the Windows 10 devices shown in the following table.

The User Sign-In settings are configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point

19. Your on-premises network contains several Hyper-V hosts.

You have an hybrid deployment of Azure Active Directory (Azure AD).

You create an Azure Migrate project.

You need to ensure that you can evaluate virtual machines by using Azure Migrate.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

20. HOTSPOT

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

The tenant contains the users shown in the following table.

The tenant contains computers that run Windows 10.

The computers are configured as shown in the following table.

You enable Enterprise State Roaming in contoso.com for Group1 and GroupA.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

21. Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.

You are creating a Dockerfile to build a container image.

You need to add a file named File1.txt from Server1 to a folder named C:Folder1 in the container image.

Solution: You add the following line to the Dockerfile.

ADD File1.txt C:/Folder1/

You then build the container image.

Does this meet the goal?

22. HOTSPOT

You create a virtual machine scale set named Scale1.

Scale1 is configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

23. HOTSPOT

Your company has a virtualization environment that contains the virtualization hosts shown in the following table.

The virtual machines are configured as shown in the following table.

All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker).

You plan to migrate the virtual machines to Azure by using Azure Site Recovery.

You need to identify which virtual machines can be migrated.

Which virtual machines should you identify for each server? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

24. HOTSPOT

You have an Azure subscription that contains a virtual network named VNet1.

VNet1 uses an IP address space of 10.0.0.0/16 and contains the subnets in the following table.

Subnet1 contains a virtual appliance named VM1 that operates as a router.

You create a routing table named RT1.

You need to route all inbound traffic to VNet1 through VM1.

How should you configure RT1? To answer, select the appropriate options in the answer area.

25. You have an app named App1 that uses data from two on-premises Microsoft SQL Server

databases named DB1 and DB2.

You plan to move DB1 and DB2 to Azure.

You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and D&2.

Solution: You deploy DB1 and DB2 to an Azure SQL Database managed instance.

Does this meet the goal?

26. You have a virtual network named VNet1 as shown in the exhibit.

No devices are connected to VNet1.

You plan to peer VNet1 to another virtual network named Vnet2 in the same region. VNet2 has an address space of 10.2.0.0/16.

You need to create the peering.

What should you do first?

27. You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD).

You need to select authentication mechanisms that can be used for both MFA and SSPR.

Which two authentication methods should you use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

28. You have an Azure key vault named KV1.

You need to implement a process that will digitally sign the blobs stored in Azure Storage .

What is required in KV1 to sign the blobs?

29. HOTSPOT

You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit.

The subscription contains the Azure SQL databases shown in the following table.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

30. Your company plans to develop an application that will use a NoSQL database. The database will be used to store transactions and customer information by using JSON documents .

Which two Azure Cosmos DB APIs can developers use for the application? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

31. You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNetl. You need to ensure that you can configure a point to-site connection from an on-premises computer to VNetV .

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point

32. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.

Solution: You use the Synchronization Service Manager to modify the Active Directory Domain Services (AD DS) Connector.

Does this meet the goal?

33. You create an Azure virtual machine named VM1 in a resource group named RG1.

You discover that VM1 performs slower than expected.

You need to capture a network trace on VM1.

What should you do?

34. You have an Azure subscription that contains the storage accounts shown in the following table.

You enable Azure Advanced Threat Protection (ATP) for all the storage accounts.

You need to identify which storage accounts will generate Azure ATP alerts.

Which two storage accounts should you identify? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

35. You have a server named Server1 that runs Windows Server 2019. Server! is a container host.

You plan to create a container image.

You create the following instructions in a text editor.

You need 10 be able to automate the container image creation by using the instructions.

To which file should you save the instructions?

36. You have an Azure subscription that contains 10 virtual machines on a virtual network.

You need to create a graph visualization to display the traffic flow between the virtual machines.

What should you do from Azure Monitor?

37. You have SQL Server on an Azure virtual machine named SQL1.

You need to automate the backup of the databases on SQL1 by using Automated Backup v2 for the virtual machines.

The backups must meet the following requirements:

• Meet a recovery point objective (RPO) of 15 minutes.

• Retain the backups for 30 days.

• Encrypt the backups at rest.

What should you provision as part of the backup solution?

38. HOTSPOT

You have an Azure subscription named Subscription1.

In Subscription1, you create an alert rule named Alert1.

The Alert1 action group is configured as shown in the following exhibit.

Alert1 alert criteria is triggered every minute.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

39. Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Cosmos DB database that contains a container named Container1. The partition key for Container1 is set to /day.

Container1 contains the items shown in the following table.

You need to programmatically query Azure Cosmos DB and retrieve item1 and item2 only.

Solution: You run the following query.

You set the EnableCrossPartitionQuery property to True.

Does this meet the goal?

40. You have an Azure subscription that contains the resource groups shown in the following table.

The subscription contains the storage accounts shown in the following table.

You create a Recovery Services vault named Vault1 in RG1 in the West US location.

You need to identify which storage accounts can be used to archive the diagnostics logs of Vault1.

Which storage accounts should you identify?

41. You have an Azure subscription.

You have an on-premises virtual machine named VM1.

The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)

You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.

What should you modify on VM1?

42. HOTSPOT

You have an Azure subscription that contains the virtual networks shown in the following table.

You create an Azure Cosmos DB account as shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

43. HOTSPOT

You plan to create an Azure Storage account in the Azure region of East US 2.

You need to create a storage account that meets the following requirements:

✑ Replicates synchronously

✑ Remains available if a single data center in the region fails

How should you configure the storage account? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

44. You have an Azure SQL database named DB1.

You plan to create the following four tables in DB1 by using the following code.

You need to identify which table must be created last.

What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

45. You have an Azure Cosmos DB account named Account1. Account1 includes a database named DB1 that contains a container named Container1. The partition key for Container1 is set to /city.

You plan to change the partition key for Container1.

What should you do first?

46. You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.

You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.

Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

47. You create the following Azure role definition.

You need to create Role1 by using the role definition.

Which two values should you modify before you create Role1? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

48. You have an Azure subscription that contains 100 virtual machines.

You have a set of Pester tests in PowerShell that validate the virtual machine environment.

You need to run the tests whenever there is an operating system update on the virtual machines. The solution must minimize implementation time and recurring costs.

Which three resources should you use to implement the tests? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

49. HOTSPOT

You have an Azure Resource Manager template for a virtual machine named Template1.

Template1 has the following parameters section.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

50. A company hosts virtual machines (VMs) in an on-premises datacenter and in Azure. The

on-premises and Azure-based VMs communicate using ExpressRoute.

The company wants to be able to continue regular operations if the ExpressRoute connection fails. Failover connections must use the Internet and must not require Multiprotocol Label Switching (MPLS) support.

You need to recommend a solution that provides continued operations.

What should you recommend?

51. Your company has an office in Seattle.

You have an Azure subscription that contains a virtual network named VNET1.

You create a site-to-site VPN between the Seattle office and VNET1.

VNET1 contains the subnets shown in the following table.

You need to redirect all Internet-bound traffic from Subnet1 to the Seattle office.

What should you create?

52. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it As a result, these questions will not appear in the review screen.

You have an Azure Active Directory {Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin 1 discovers that all the other Identity Governance settings are available.

Admin1 is assigned The User administrator. Compliance administrator, and Security administrator roles.

You need to ensure that Admin1 can create access reviews in contoso.com. .

Solution: You assign the Global administrator role to Admin1.

Does this meet the goal?

53. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.

Solution: You use Synchronization Rules Editor to create a synchronization rule.

Does this meet the goal?

54. You have an Azure subscription.

You create a custom role in Azure by using the following Azure Resource Manager template.

You assign the role to a user named User1.

Which action can User1 perform?

55. HOTSPOT

You have an Azure subscription named Subscription1.

Subscription1 contains the resources in the following table:

VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2. An administrator named Admin1 creates an Azure virtual machine VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.

You need to move the custom application to VNet2. The solution must minimize administrative effort.

Which two actions should you perform? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

56. Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that contains a group named Group1.

You need to enable multi-factor authentication (MFA) for the users in Group1 only.

Solution: From Multi-Factor Authentication, you select Bulk update, and you provide a CSV file that contains the members of Group1.

Does this meet the goal?

57. You have an Azure subscription that contains an Azure key vault named KeyVault1 and the virtual machines shown in the following table.

KeyVault1 has an access policy that provides several users with Create Key permissions.

You need to ensure that the users can only register secrets in KeyVault1 from VM1.

What should you do?

58. You create the user-assigned identities shown in the following table.

You create a virtual machine that has the following configurations:

• Name:VM1

• Location: West US

• Resource group: RG1

Which managed identities can you add to VM1?

59. You create the Azure resources shown in the following table.

You attempt to add a role assignment to a resource group as shown in the following exhibit.

What should you do to ensure that you can assign VM2 the Reader role for the resource group?

60. You create an Azure Kubernetes Service (AKS) cluster configured as shown in the exhibit. (Click the Exhibit tab.)

You deploy a containerized application named App1 to the agentPool node pool.

You need to create a containerized application named App2 that runs on four nodes of size DS3 v2.

What should you do first?