- (Exam Topic 4)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service. You need to revoke all access to Sa1.
Solution: You generate new SASs. Does this meet the goal?
Correct Answer:
B
Instead you should create a new stored access policy.
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access
policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
- (Exam Topic 4)
You create an Azure subscription.
You need to ensure that you can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to secure Azure AD roles.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Solution:
Step 1: Consent to PIM
Step: 2 Verify your identity by using multi-factor authentication (MFA)
Click Verify my identity to verify your identity with Azure MFA. You'll be asked to pick an account. Step 3: Sign up PIM for Azure AD roles
Once you have enabled PIM for your directory, you'll need to sign up PIM to manage Azure AD roles. References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 4)
You create an alert rule that has the following settings: 
Resource: RG1
Condition: All Administrative operations Actions: Action groups configured for this alert rule: ActionGroup1 Alert rule name: Alert1
You create an action rule that has the following settings: Scope: VM1 Filter criteria: Resource Type = "Virtual Machines" Define on this scope: Suppression Suppression config: From now (always) Name: ActionRule1
For each of the following statements, select Yes if the statement is true. Otherwise, select No. Note: Each correct selection is worth one point.
Solution:
Box 1:
The scope for the action rule is set to VM1 and is set to suppress alerts indefinitely. Box 2:
The scope for the action rule is not set to VM2. Box 3:
Adding a tag is not an administrative operation. References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-action-rules
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 4)
You have an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry. You need to use automatically generated service principal for the AKS cluster to authenticate to the Azure
Container Registry.
What should you create?
Correct Answer:
B
References:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal
- (Exam Topic 4)
You have an Azure Active Directory (Azure AD) tenant.
You have the deleted objects shown in the following table.
On May 4, 2020, you attempt to restore the deleted objects by using the Azure Active Directory admin center. Which two objects can you restore? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Correct Answer:
BC
Deleted users and deleted Office 365 groups are available for restore for 30 days. You cannot restore a deleted security group.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-restore-deleted
