AZ-104 Dumps

AZ-104 Free Practice Test

Microsoft AZ-104: Microsoft Azure Administrator (beta)

QUESTION 81

- (Exam Topic 6)
You have an Azure subscription.
You plan to deploy a storage account named storage1 by using the following Azure Resource Manager (ARM) template.
AZ-104 dumps exhibit
Solution:
AZ-104 dumps exhibit

Does this meet the goal?

Correct Answer: A

QUESTION 82

- (Exam Topic 4)
You create an Azure subscription named Subscription1 and an associated Azure Active Directory (Azure AD) tenant named Tenant1. Tenant1 contains the users in the following table.
AZ-104 dumps exhibit
You need to add an Azure AD Privileged Identity Management application to Tenant1. Which account can you use?

Correct Answer: B
For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged role administrator or Global administrator role can manage assignments for other administrators. You can grant access to other administrators to manage Privileged Identity Management. Global Administrators, Security Administrators, Global readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.
Only an owner can create a subscription, and only a Global Administrator can perform Privileged Identity Management changes. So you can create the subscription with an external user and then promote that user to Global Administrator to get things done.
The question states that the subscription is associated with an Azure AD tenant, so that tenant has an AD domain. In Azure AD the default domain ends with onmicrosoft.com, so you can't have Hotmail IDs there. Moreover, always remember the principle of least privilege: when you can get your job done with Global Administrator, you should not look for Owner, for security purposes.
Admin1@contoso.onmicrosoft.com : Correct Choice
Admin1 is a Global Administrator and part of the default AD domain, so Admin1 can add an Azure AD Privileged Identity Management application to Tenant1.
Admin3@contoso.onmicrosoft.com : Incorrect Choice
As per the above explanation, Admin3 is not a Global Administrator, so this option is incorrect.
Admin2@contoso.onmicrosoft.com : Incorrect Choice
As per the above explanation, Admin2 is not a Global Administrator, so this option is incorrect.
ContosoAdmin1@hotmail.com : Incorrect Choice
Although this user is a Global Administrator, this option is incorrect with reference to the principle of least privilege and the default domain consideration.
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance

QUESTION 83

- (Exam Topic 4)
You have several Azure virtual machines on a virtual network named VNet1. You configure an Azure Storage account as shown in the following exhibit.
AZ-104 dumps exhibit
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
AZ-104 dumps exhibit
Solution:
Box 1: never
For subnet 10.2.9.0/24, the endpoint (refer to the first endpoint) is not enabled on the storage account shown in the exhibit. Hence there would be no connectivity to the file shares in the storage account. To establish this connection, you must enable the endpoint.
Box 2: never
After you configure firewall and virtual network settings for your storage account, select "Allow trusted Microsoft services to access this storage account" as an exception to enable the Azure Backup service to access the network-restricted storage account. As this required setting is missing, Azure Backup will not be able to back up the unmanaged disks.
AZ-104 dumps exhibit
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
https://azure.microsoft.com/en-us/blog/azure-backup-now-supports-storage-accounts-secured-with-azurestorage

Does this meet the goal?

Correct Answer: A

QUESTION 84

- (Exam Topic 5)
You have an Azure subscription named Subscription1.
You create an Azure Storage account named contosostorage, and then you create a file share named data. Which UNC path should you include in a script that references files from the data file share? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
AZ-104 dumps exhibit
Solution:
Box 1: contosostorage
The name of the account.
Box 2: file.core.windows.net
Box 3: data
The name of the file share is data.
Example:
AZ-104 dumps exhibit
References: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

Does this meet the goal?

Correct Answer: A

QUESTION 85

- (Exam Topic 5)
You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet. Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?

Correct Answer: D
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection, so you don't have to allow direct RDP or SSH access over the Internet. This can be achieved by configuring a deny rule, in a network security group (NSG) that is linked to Subnet1, for RDP / SSH traffic coming from the Internet.
Modify the address space of Subnet1 : Incorrect choice
Modifying the address space of Subnet1 will have no impact on RDP traffic flow to the virtual network.
Modify the address space of the local network gateway : Incorrect choice
Modifying the address space of the local network gateway will have no impact on RDP traffic flow to the virtual network.
Remove the public IP addresses from the virtual machines : Incorrect choice
If you remove the public IP addresses from the virtual machines, none of the applications will be publicly accessible to the Internet users.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices