
70-533.examcollection - Premium.exam.337q: 70-533 Implementing Microsoft Azure Infrastructure Solutions Sections

This exam covers implementing Microsoft Azure infrastructure solutions. It contains 8 topics including designing and implementing Azure App Service, creating and managing Azure virtual machines, designing storage strategies, implementing virtual networks, and managing Azure security and recovery services. The exam contains multiple choice, drag-and-drop, and scenario-based questions to test knowledge of these Azure infrastructure topics.

Uploaded by

Luis Ledesma

70-533.examcollection.premium.exam.337q

Number: 70-533
Passing Score: 800
Time Limit: 120 min
File Version: 22.1

70-533

Implementing Microsoft Azure Infrastructure Solutions

Version 22.1

Sections
1. Topic 1, Design and Implement Azure App Service
2. Topic 2, Create and Manage Azure Resource Manager Virtual Machines
3. Topic 3, Design and Implement a Storage Strategy
4. Topic 4, Implement Virtual Networks
5. Topic 5, Design and Deploy ARM Templates
6. Topic 6, Manage Azure Security and Recovery Services
7. Topic 7, Manage Azure Operations
8. Topic 8, Manage Azure Identities

Exam A

QUESTION 1
Your network includes a legacy application named LegacyApp1. The application only runs in the Microsoft .NET
3.5 Framework on Windows Server 2008.

You plan to deploy to Azure Cloud Services.

You need to ensure that LegacyApp1 will run correctly in the new environment.

What are two possible ways to achieve this goal? Each correct answer presents a complete solution.

A. Upload a VHD with Windows Server 2008 installed.
B. Deploy LegacyApp1 to a cloud service instance configured with Guest OS Family 2.
C. Deploy LegacyApp1 to a cloud service instance configured with Guest OS Family 1.
D. Deploy LegacyApp1 to a cloud service instance configured with Guest OS Family 3.

Correct Answer: AB
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
A: All Azure virtual machines have at least two disks – a Windows operating system disk and a temporary disk.
The operating system disk is created from an image, and both the operating system disk and the image are
virtual hard disks (VHDs) stored in an Azure storage account.

B: Family 2 releases, Windows Server 2008 R2 SP1. .NET Framework installed: 3.5, 4.0, 4.5, 4.5.1, 4.5.2

Incorrect Answers:
C: On Sept 2, 2014, the Azure Guest operating system (Guest OS) Family 1.x, which is based on the Windows
Server 2008 operating system, was officially retired.
D: Guest OS Family 3 and Guest OS Family 4 support .NET 4.0 and .NET 4.5.

References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/about-disks-and-vhds
https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-guestos-update-matrix
https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-guestos-family1-retirement

QUESTION 2
DRAG DROP

You administer a cloud service named contosoapp that has a web role and worker role.

Contosoapp requires you to perform an in-place upgrade to the service.

You need to ensure that at least six worker role instances and eight web role instances are available when you
apply upgrades to the service. You also need to ensure that updates are completed for all instances by using
the least amount of time.

Which value should you use with each configuration? To answer, drag the appropriate value to the correct
configuration. Each value may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
You need to ensure that at least six worker role instances and eight web role instances are available when
you apply upgrades to the service.
You can decide whether you want to update all of the roles in your service or a single role in the service. In
either case, all instances of each role that is being upgraded and belong to the first upgrade domain are
stopped, upgraded, and brought back online. Once they are back online, the instances in the second
upgrade domain are stopped, upgraded, and brought back online.

References:
http://msdn.microsoft.com/en-us/library/azure/ee758711.aspx
http://msdn.microsoft.com/en-us/magazine/ff714589.aspx

QUESTION 3
You migrate a Windows Server .NET web application to Azure Cloud Services.

You need to enable trace logging for the application.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Update the service definition file.
B. Update the Azure diagnostics configuration.
C. Update the service configuration file.
D. Enable verbose monitoring.
E. Update the application web.config file.

Correct Answer: BC
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://msdn.microsoft.com/en-us/library/azure/hh411537.aspx

QUESTION 4
You manage a cloud service that is running in two small instances. The cloud service hosts a help desk
application. The application utilizes a virtual network connection to synchronize data to the company's internal
accounting system.

You need to reduce the amount of time required for data synchronization.

What should you do?

A. Configure the servers as large instances and re-deploy.
B. Increase the instance count to three.
C. Deploy the application to Azure Web Sites.
D. Increase the processors allocated to the instances.

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
When you create your service model, you can specify the size to which to deploy an instance of your role,
depending on its resource requirements. The size of the role determines the number of CPU cores, the
memory capacity, and the local file system size that is allocated to a running instance.

References: http://msdn.microsoft.com/en-us/library/azure/dn197896.aspx

QUESTION 5
You manage a cloud service that has a web application named WebRole1. WebRole1 writes error messages to
the Windows Event Log.

Users report receiving an error page with the following message: "Event 26 has occurred. Contact your system
administrator."

You need to access the WebRole1 event log.

Which three actions should you perform? Each correct answer presents part of the solution.

A. Enable verbose monitoring.
B. Update the WebRole1 web.config file.
C. Update the cloud service definition file and the service configuration file.
D. Run the Set-AzureVMDiagnosticsExtension PowerShell cmdlet.
E. Run the Enable-AzureWebsiteApplicationDiagnostic PowerShell cmdlet.
F. Create a storage account.

Correct Answer: ACF
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
AF: You can monitor key performance metrics for your cloud services in the Azure Management Portal. You
can set the level of monitoring to minimal and verbose for each service role, and can customize the monitoring
displays. Verbose monitoring data is stored in a storage account, which you can access outside the portal.

C: The service configuration file specifies the number of role instances to deploy for each role in the service,
the values of any configuration settings, and the thumbprints for any certificates associated with a role. If the
service is part of a Virtual Network, configuration information for the network must be provided in the service
configuration file, as well as in the virtual networking configuration file. The default extension for the service
configuration file is .cscfg.

The service definition file defines the service model for an application. The file contains the definitions for the
roles that are available to a cloud service, specifies the service endpoints, and establishes configuration
settings for the service.

References:
http://azure.microsoft.com/en-us/documentation/articles/cloud-services-how-to-monitor/
http://msdn.microsoft.com/en-us/library/azure/ee758710.aspx
http://msdn.microsoft.com/en-us/library/azure/ee758711.aspx

QUESTION 6
DRAG DROP

You manage an application hosted on cloud services. The development team creates a new version of the
application. The updated application has been packaged and stored in an Azure Storage account.

You have the following requirements:


Deploy the latest version of the application to production with the least amount of downtime.
Ensure that the updated application can be tested prior to deploying to the Production site.
Ensure that the original version of the application can be restored until the new version is verified.

Which four steps should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Once you have uploaded the compiled package to Azure Storage, you would create a new staging deployment.
You can then provide the URL to the development team. Once approved, you would promote the new
deployment to production by performing a VIP swap. You can then stop the instance of the old production
deployment and keep it at hand in the staging slot.

References:
http://msdn.microsoft.com/en-us/library/ff803371.aspx
http://azure.microsoft.com/en-gb/documentation/articles/web-sites-staged-publishing/

QUESTION 7
You manage a cloud service that utilizes data encryption.

You need to ensure that the certificate used to encrypt data can be accessed by the cloud service application.

What should you do?

A. Upload the certificate referenced in the application package.
B. Deploy the certificate as part of the application package.
C. Upload the certificate’s public key referenced in the application package.
D. Use RDP to install the certificate.

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
You have to upload a .pfx file, and not a .cer file. .pfx files contain the private key, while .cer files contain public
and private keys.

References: http://azure.microsoft.com/en-gb/documentation/articles/cloud-services-configure-ssl-certificate/#step3

QUESTION 8
You administer a solution deployed to a virtual machine (VM) in Azure. The VM hosts a web service that is used
by several applications. You are located in the US West region and have a worldwide user base.

Developers in Asia report that they experience significant delays when they execute the services.

You need to verify application performance from different locations.

Which type of monitoring should you configure?

A. Disk Read
B. Endpoint
C. Network Out
D. CPU
E. Average Response Time

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
The question states: “You need to verify application performance from different locations”. The question is not
asking you to determine WHY the application is slow, it’s asking you to ‘measure’ the performance from
different locations.
Endpoint Monitoring monitors your server with HTTP Get requests from locations that you choose.

References:
https://azure.microsoft.com/en-us/documentation/articles/web-sites-monitor/#webendpointstatus
https://azure.microsoft.com/en-us/documentation/articles/app-insights-web-monitor-performance/

QUESTION 9
DRAG DROP

You administer a virtual machine (VM) that is deployed to Azure. The VM hosts a web service that is used by
several applications.

You need to ensure that the VM sends a notification in the event that the average response time for the web
service exceeds a pre-defined response time for an hour or more.

Which three steps should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:

Step 1: From configure page, add a monitoring endpoint for the virtual machine
Create an endpoint
1. If you haven't already done so, sign in to the Azure portal.
2. Click Virtual Machines, and then click the name of the virtual machine that you want to configure.
3. Click Endpoints in the Settings group. The Endpoints page lists all the current endpoints for the virtual
machine.
4. In the command bar above the endpoint entries, click Add.

Step 2: From the monitor page, Add a metric for the Response Time for the end point

Step 3: From the Monitor page, add a rule for the response time of the end point.

References:
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/alert-metric

QUESTION 10
HOTSPOT

You manage an Azure Web Site named contosoweb.

Some users report that they receive the following error when they access contosoweb:
“http Status 500.0 - Internal Server Error.”

You need to view detailed diagnostic information in XML format.

Which option should you enable? To answer, select the appropriate option in the answer area.

Hot Area:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Failed Request Tracing is the only option that produces its output in XML files as specified in the question.

QUESTION 11
DRAG DROP

You manage an Azure Web App named contososite.

You download the subscription publishing credentials named Contoso-Enterprise.publishsettings.

You need to use Azure PowerShell to achieve the following:


Connect to the Contoso-Enterprise subscription.
Create a new App Setting named IsCustom with a value of True.
Restart the Web App.

How should you complete the relevant Azure PowerShell script? To answer, drag the appropriate Azure
PowerShell cmdlet to the correct location in the solution. Each cmdlet may be used once, more than once, or
not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Step 1: Import-AzurePublishSettingsFile
The Import-AzurePublishSettingsFile cmdlet imports a .publishsettings file that has been downloaded using the
Get-AzurePublishSettingsFile cmdlet. This file contains settings and an encoded certificate that provides
management credentials for the Windows Azure account.

Step 2: Set-AzureWebsite
The Set-AzureWebsite cmdlet configures an Azure website.

Step 3: Restart-AzureWebsite
The Restart-AzureRmWebApp cmdlet stops and then starts an Azure Web App.

Select-AzureSubscription "-Appsettings" publishsettings

References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.websites/restart-azurermwebapp?view=azurermps-6.5.0
https://msdn.microsoft.com/en-us/library/mt788684(v=azure.200).aspx

QUESTION 12
Your company has a subscription to Azure. You plan to deploy 10 websites.

You have the following requirements:


Each website has at least 15 GB of storage.
All websites can use azurewebsite.net.

You need to deploy the 10 websites while minimizing costs.

Which web tier plan should you recommend?

A. Free
B. Small Business
C. Standard
D. Basic

Correct Answer: C
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Standard offers 50 GB of storage space, while Basic only gives 10 GB.

References: http://azure.microsoft.com/en-us/pricing/details/websites/
http://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits

QUESTION 13
You administer an Azure Web Site named contoso. The development team has implemented changes to the
website that need to be validated.

You need to validate and deploy the changes with minimum downtime to users.

What should you do first?

A. Create a new Linked Resource.
B. Configure Remote Debugging on contoso.
C. Create a new website named contosoStaging.
D. Create a deployment slot named contosoStaging.
E. Back up the contoso website to a deployment slot.

Correct Answer: D
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
The deployment slots feature for Azure Websites allows validating a version of your site with full content and
configuration updates on the target platform before directing customer traffic to this version. The expectation is
that a deployment slot would be fully configured in the desired target format before performing a swap.

References: http://stackoverflow.com/questions/24186809/connection-strings-are-replaced-when-performing-azure-web-site-staging-swap

QUESTION 14
You manage an Azure Web App that is running in Shared plan.

You discover that the Web App is experiencing increased average response time during periods of heavy user
activity.

You need to update the Web App configuration to address the performance issues as they occur.

What should you do?

A. Set the Web App to Standard mode and configure automatic scaling based on CPU utilization.
B. Configure automatic scaling during specific dates.
C. Modify the Web App instance size.
D. Configure automatic scaling based on memory utilization.
E. Set the Web App to Basic tier and configure automatic scaling based on CPU utilization.

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Scaling to Standard Plan Mode
Selecting Standard expands the Capacity section to reveal the Instance Size and Instance Count options, which
are also available in Basic mode. The Edit Scale Settings for Schedule and Scale by Metric options are
available only in Standard mode.
Note:
For increased performance and throughput for your websites on Microsoft Azure, you can use the Azure
Management Portal to scale your Web Hosting Plan mode from Free to Shared, Basic, or Standard.
There are 2 options for scaling.

References: http://blogs.msdn.com/b/mast/archive/2013/10/31/exploring-the-autoscale-feature-in-windows-azure-websites.aspx

QUESTION 15
DRAG DROP

You manage an Azure Web Site in Standard mode at the following address: contoso.azurewebsites.net.

Your company has a new domain for the site that needs to be accessible by Secure Socket Layer (SSL)
encryption.

You need to be able to add a custom domain to the Azure Web Site and assign an SSL certificate.

Which three steps should you perform next in sequence? To answer, move the appropriate actions from the list
of actions to the answer area and arrange them in the correct order. More than one order of answer choices
may be correct. You will receive credit for any of the correct orders you select.

Select and Place:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:

First create a CNAME record, then add the domain name as a custom domain, and last add the SNI SSL
binding. The advantage of using a CNAME record and an SNI SSL binding is that it does not matter if the IP
address of the website changes.

References: https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/

QUESTION 16
You manage an Azure Web Site named contosoweb. Logging is enabled for contosoweb.

You need to view only errors from your log files in a continuous stream as they occur.

Which Windows PowerShell command should you execute?

A. Get-AzureWebSiteLog -Name contosoweb -OutBuffer Error
B. Save-AzureWebSiteLog -Name contosoweb -Output Errors
C. Get-AzureWebSiteLog -Name contosoweb -Tail -Message Error
D. Get-AzureWebSiteLog -Name contosoweb -Message Error

Correct Answer: C
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
This example starts log streaming and shows error logs only.
C:\PS>Get-AzureWebsiteLog -Tail -Message Error

References: http://msdn.microsoft.com/en-us/library/dn495187.aspx

QUESTION 17
HOTSPOT

You manage two websites for your company. The sites are hosted on an internal server that is beginning to
experience performance issues due to high traffic.

You plan to migrate the sites to Azure Web Sites.

The sites have the following configurations:

In the table below, identify the web hosting plan with the lowest cost for each site. Make only one selection in
each column.

Hot Area:
Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:

Site 2 contains 9 GB of data, so Basic mode is enough as it provides 10 GB of data (FREE and Shared only
provide 1 GB of data).
Site 1 contains 11 GB of data, so Standard mode is adequate as it provides 50 GB of data.

Note: Azure App Service brings together everything you need to create websites, mobile backends, and web
APIs for any platform or device. Free and Shared (preview) plans provide different options to test your apps
within your budget. Basic, Standard and Premium plans are for production workloads and run on dedicated
Virtual Machine instances.

References:
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/

QUESTION 18
You administer an Azure Web Site named contoso. You create a job named CleanLogs.cmd. You must run the
job manually twice a week.

You need to deploy the job.

To which folder location should you deploy CleanLogs.cmd?

A. ./App_Code/jobs/triggered/cleanLogs/CleanLogs.cmd
B. ./App_Data/jobs/triggered/cleanLogs/CleanLogs.cmd
C. ./App_Code/jobs/continuous/cleanLogs/CleanLogs.cmd
D. ./App_Data/jobs/continuous/cleanLogs/CleanLogs.cmd

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
A WebJob is stored under the following directory in your site:

site\wwwroot\App_Data\jobs\{job type}\{job name}

Where {job type} can be either continuous for a job that is always running or triggered for a job that starts from
an external trigger (on demand / scheduler).

References: http://blog.amitapple.com/post/74215124623/deploy-azure-webjobs/#.VDZam_mSx8E

QUESTION 19
You administer a cloud service.

You plan to host two web applications named contosoweb and contosowebsupport.

You need to ensure that you can host both applications and qualify for the Azure Service Level Agreement. You
want to achieve this goal while minimizing costs.

How should you host both applications?

A. in different web roles with two instances in each web role
B. in the same web role with two instances
C. in different web roles with one instance in each web role
D. in the same web role with one instance

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
A cloud service must have at least two instances of every role to qualify for the Azure Service Level Agreement,
which guarantees external connectivity to your Internet-facing roles at least 99.95 percent of the time.

References: http://azure.microsoft.com/en-us/documentation/articles/cloud-services-what-is/

QUESTION 20
HOTSPOT

You manage two cloud services named Service1 and Service2. The development team updates the code for
each application and notifies you that the services are packaged and ready for deployment.

Each cloud service has specific requirements for deployment according to the following table.

In the table below, identify the deployment method for each service. Make only one selection in each column.

Hot Area:
Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Service 1
As the package must be retained, we should deploy it through the Azure Storage cloud.

Service 2
As maintaining the existing storage package is not required, we can deploy the package locally.

Azure service package
Whenever you want to deploy your application to a Cloud Service, you create a Service Package and
upload it, together with the Service Configuration, to a deployment in a Cloud Service. These two artifacts
are what make up a Cloud Service deployment.

QUESTION 21
You manage a web application published to Azure Cloud Services.

Your service level agreement (SLA) requires that you are notified in the event of poor performance from
customer locations in the US, Asia, and Europe.

You need to configure the Azure Management Portal to notify you when the SLA performance targets are not
met.

What should you do?

A. Create an alert rule to monitor web endpoints.
B. Create a Notification Hub alert with response time metrics.
C. Add an endpoint monitor and alert rule to the Notification Hub.
D. Configure the performance counter on the cloud service.

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
An alert rule enables you to monitor an available metric within a supported Azure service. When the value of
a specified metric violates the threshold assigned for a rule, the alert rule becomes active and registers an
alert. When you create an alert rule, you can select options to send an email notification to the service
administrator and co-administrators, or another administrator, when the rule becomes active, and when an
alert condition is resolved.
You can configure cloud service alert rules on:
Web endpoint status metrics
Monitoring metrics from the cloud service host operating system
Performance counters collected from the cloud service guest virtual machine

References: http://msdn.microsoft.com/en-us/library/azure/dn306639.aspx

QUESTION 22
You manage a cloud service that hosts a customer-facing application. The application allows users to upload
images and create collages. The cloud service is running in two medium instances and utilizes Azure Queue
storage for image processing. The storage account is configured to be locally redundant.

The sales department plans to send a newsletter to potential clients. As a result, you expect a significant
increase in global traffic.

You need to recommend a solution that meets the following requirements:


Configure the cloud service to ensure the application is responsive to the traffic increase.
Minimize hosting and administration costs.

What are two possible ways to achieve this goal? Each correct answer presents a complete solution.

A. Configure the cloud service to run in two Large instances.
B. Configure the cloud service to auto-scale to three instances when processor utilization is above 80%.
C. Configure the storage account to be geo-redundant.
D. Deploy a new cloud service in a separate data center. Use Azure Traffic Manager to load balance traffic
between the cloud services.
E. Configure the cloud service to auto-scale when the queue exceeds 1000 entries per machine.

Correct Answer: BE
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
An autoscaling solution reduces the amount of manual work involved in dynamically scaling an application. It
can do this in two different ways: either preemptively by setting constraints on the number of role instances
based on a timetable, or reactively by adjusting the number of role instances in response to some counter(s) or
measurement(s) that you can collect from your application or from the Azure environment.

References: http://azure.microsoft.com/en-us/documentation/articles/cloud-services-how-to-scale/#autoscale

QUESTION 23
You manage a cloud service on two instances. The service name is Service1 and the role name is
ServiceRole1.

Service1 has performance issues during heavy traffic periods.

You need to increase the existing deployment of Service1 to three instances.

Which PowerShell cmdlet should you use?

A. PS C:\>Set-AzureService -ServiceName “Service1” -Label “ServiceRole1” -Description “Instance count=3”
B. PS C:\>Set-AzureRole -ServiceName “Service1” -Slot “Production” -RoleName “ServiceRole1” -Count 3
C. PS C:\>Add-AzureWebRole -Name “ServiceRole1” -Instances 3
D. PS C:\> $instancecount = New-Object Hashtable$settings[“INSTANCECOUNT=3”] PS C:\> Set-AzureWebsite -AppSettings $instancecount ServiceRole1

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
The Set-AzureRole cmdlet sets the number of instances of a specified role to run in an Azure deployment.

Example:
This command sets the "MyTestRole3" role running in production on the "MySvc1" service to three instances.

Windows PowerShell
C:\PS>Set-AzureRole -ServiceName "MySvc1" -Slot "Production" -RoleName "MyTestRole3" -Count 3

QUESTION 24
HOTSPOT

You have an Azure SQL Database named Contosodb. Contosodb is running in the Standard/S2 tier and has a
service level objective of 99 percent.

You review the service tiers in Microsoft Azure SQL Database as well as the results of running performance
queries for the usage of the database for the past week as shown in the exhibits. (Click the Exhibits button.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Hot Area:
Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
The P1 performance level has 100 DTUs compared to the 200 DTUs of the P2 performance level. That means
that the P1 performance level provides half the performance of the P2 performance level. So, 50% of CPU
utilization in P2 equals 100% CPU utilization in P1. As long as the application does not have timeouts, it may
not matter if a big job takes 2 hours or 2.5 hours to complete as long as it gets done today. An application in
this category can probably just use a P1 performance level.
References: http://msdn.microsoft.com/en-us/library/azure/dn369873.aspx

QUESTION 25
HOTSPOT

You manage an Internet Information Services (IIS) 6 website named contososite1. Contososite1 runs a legacy
ASP.NET 1.1 application named LegacyApp1. LegacyApp1 does not contain any integration with any other
systems or programming languages.

You deploy contososite1 to Azure Web Sites.

You need to create documentation for configuring Azure Web Sites. You have the following requirements:
LegacyApp1 runs correctly.
The application pool does not recycle.

Which four settings should you document? To answer, select the appropriate settings in the answer area.

Hot Area:
Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Target 1: .NET FRAMEWORK VERSION: V 3.5
Need to use an older version of .NET, such as 3.5, not 4.6 (or 4.5).

Target 2: MANAGED PIPELINE VERSION: CLASSIC
Managed Pipeline Mode: Classic.
Sets the IIS pipeline mode. Leave this set to Integrated (the default) unless you have a legacy website that
requires an older version of IIS. In this case we have a legacy app.

Target 3: ALWAYS ON: ON
Always On. By default, websites are unloaded if they are idle for some period of time. This lets the system
conserve resources. In Basic or Standard mode, you can enable Always On to keep the site loaded all the time.
If your site runs continuous web jobs, you should enable Always On, or the web jobs may not run reliably.
References: https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure

QUESTION 26
You administer an Azure Web Site named contosoweb that is used to sell various products.
Contosoweb experiences heavy traffic during weekends.

You need to analyze the response time of the product catalog page during peak times, from different locations.

What should you do?

A. Configure endpoint monitoring.
B. Add the Requests metric.
C. Turn on Failed Request Tracing.
D. Turn on Detailed Error Messages.

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Endpoint monitoring configures web tests from geo-distributed locations that test response time and uptime of
web URLs. The test performs an HTTP get operation on the web URL to determine the response time and
uptime from each location. Each configured location runs a test every five minutes.
After you configure endpoint monitoring, you can drill down into the individual endpoints to view detailed
response time and uptime status over the monitoring interval from each of the test locations.

References: https://azure.microsoft.com/en-us/documentation/articles/web-sites-monitor/#webendpointstatus

QUESTION 27
HOTSPOT

You manage an Azure Web Site for a consumer-product company.

The website runs in Standard mode on a single medium instance.

You expect increased traffic to the website due to an upcoming sale during a holiday weekend.

You need to ensure that the website performs optimally when user activity is at its highest.

Which option should you select? To answer, select the appropriate option in the answer area.
Hot Area:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Note: The ‘small’ instance is selected. This setting would be for the weekdays. Then you would select a larger
instance for the ‘weekend’ schedule setting to cover the increased activity.

References: http://azure.microsoft.com/en-us/documentation/articles/web-sites-scale/

QUESTION 28
Your company has a subscription to Azure.

You configure your contoso.com domain to use a private Certificate Authority. You deploy a web site named
MyApp by using the Shared (Preview) web hosting plan.
You need to ensure that clients are able to access the MyApp website by using https.

What should you do?

A. Back up the Site and import into a new website.
B. Use the internal Certificate Authority and ensure that clients download the certificate chain.
C. Add custom domain SSL support to your current web hosting plan.
D. Change the web hosting plan to Standard.

Correct Answer: D
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Enabling HTTPS for a custom domain is only available for the Standard web hosting plan mode of Azure
websites.

References: https://azure.microsoft.com/en-us/pricing/details/app-service/

QUESTION 29
DRAG DROP

You administer an Azure Web Site named contosoweb that uses a production database. You deploy changes
to contosoweb from a deployment slot named contosoweb-staging.

You discover issues in contosoweb that are affecting customer data.

You need to resolve the issues in contosoweb while ensuring minimum downtime for users.
You swap contosoweb to contosoweb-staging.

Which four steps should you perform next in sequence? To answer, move the appropriate actions from the list
of actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Step 1: Make sure old production database is online.
Step 2: Set up staging database with the test database.
Step 3: Fix issues with test database.
Step 4: Once you have deployed and tested your new version on the staging environment, first point, then click
the SWAP button and Azure immediately makes your staging environment the live one.

References: http://azure.microsoft.com/en-us/documentation/articles/web-sites-staged-publishing/#Swap

QUESTION 30
DRAG DROP

You manage an Azure Web Site named salessite1. You notice some performance issues with salessite1. You
create a new database for salessite1.

You need to update salessite1 with the following changes, in the order shown:
Display the list of current connection strings.
Create a new connection string named conn1 with a value of:
Server=tcp:samplel.database.windows.net,1433;
Database=NewDB;
User ID=User@samplel;
Password=Passwordl;
Trusted_Connection=False;
Encrypt=True;
Connection Timeout=30;
Download the application logs for analysis.

Which three xplat-cli commands should you perform in sequence? To answer, move the appropriate
commands from the list of commands to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
site connectionstring list
site connectionstring add
site log download

azure site log download websitename
This will download the log files for the website specified by websitename and save them to a log.zip file in the
current directory.
Note:
Commands to manage your Website connection strings
site connectionstring list [options] [name]
site connectionstring add [options] <connectionname> <value> <type> [name]
site connectionstring delete [options] <connectionname> [name]
site connectionstring show [options] <connectionname> [name]

References: http://azure.microsoft.com/en-us/documentation/articles/command-line-tools

QUESTION 31
DRAG DROP

You create a Push Notification service by using an Azure Notification Hub.

You need to monitor the Notification Hub programmatically.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://msdn.microsoft.com/en-us/library/azure/dn458823.aspx

QUESTION 32
HOTSPOT

You deploy an ASP.NET application to an Azure Cloud Service.

You must collect telemetry data for troubleshooting performance issues and resource usage.

You need to configure Azure diagnostics.

For each requirement, which data source should you specify? To answer, select the appropriate data source
from each list in the answer area.
Hot Area:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-us/documentation/articles/azure-diagnostics/#cloud-services

QUESTION 33
HOTSPOT

You deploy an Azure Web App named ContosoApp.

You configure a Traffic Manager profile for ContosoApp.

You need to create the required DNS record to redirect queries to ContosoApp from the Internet. The solution
must ensure that remote users can connect to ContosoApp by using the https://webservice.contoso.com URL.

Which DNS record should you create? To answer, select the appropriate options in the answer area.

Hot Area:
Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-gb/documentation/articles/web-sites-traffic-manager-custom-domain-name/

QUESTION 34
DRAG DROP

You manage a web application that currently uses a small instance size.

You need to scale the instance size to medium.

How should you complete the Azure PowerShell script? To answer, drag the appropriate Azure PowerShell
segments to the correct locations. Each Azure PowerShell segment may be used once, more than once, or not
at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 35
HOTSPOT

You manage a web application named Contoso that is accessible from the URL http://www.contoso.com.

You need to view a live stream of log events for the web application.
How should you configure the Azure PowerShell command? To answer, select the appropriate Azure
PowerShell segment from each list in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://msdn.microsoft.com/en-us/library/azure/dn495187.aspx

QUESTION 36
You have an Azure subscription.

You create an Azure Active Directory (Azure AD) tenant named Tenant1 that has a domain name of
tenant1.onmicrosoft.com.

You need to add the contoso.com domain name to Tenant1.

Which DNS record should you add to the contoso.com zone to be able to verify from Azure whether you own
the contoso.com domain?

A. signature (SIG)
B. text (TXT)
C. host (AAAA)
D. DNSKEY

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
You can use a TXT record or, alternatively, an MX record. As an MX record isn't an option, the only option left is TXT.
You would add the MS=xxxxxxxxx value to this record.

References:
https://stackoverflow.com/questions/22380653/verify-a-domain-name-in-azure-active-directory
https://docs.microsoft.com/en-us/azure/active-directory/add-custom-domain#add-a-dns-entry-forthe-domain-name-at-the-domain-name-registrar

QUESTION 37
HOTSPOT

You have an Azure Web App that uses the URL contoso.azurewebsites.net. The virtual IP address of the web
app is subject to change.

Users must be able to navigate to a custom domain name to access the Web App. You set up the DNS records
for a custom domain at a third party registrar.

You need to configure the web app to use the custom domain name.

For each mapping, which DNS record type should you create? To answer, select the appropriate DNS record
type from each list in the answer area.

Hot Area:
Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-gb/documentation/articles/web-sites-custom-domain-name/

QUESTION 38
You are migrating an existing solution to Azure.

The solution includes a user interface tier and a database tier. The user interface tier runs on multiple virtual
machines (VMs). The user interface tier has a website that uses Node.js. The user interface tier has a
background process that uses Python. This background process runs as a scheduled job. The user interface
tier is updated frequently. The database tier uses a self-hosted MySQL database. The user interface tier
requires up to 25 CPU cores.

You must be able to revert the user interface tier to a previous version if updates to the website cause technical
problems. The database requires up to 50 GB of memory. The database must run in a single VM.

You need to deploy the solution to Azure. What should you do first?

A. Deploy the entire solution to an Azure website. Use a web job that runs continuously to host the database.
B. Deploy the database to a VM that runs Windows Server on the Standard tier.
C. Deploy the entire solution to an Azure website. Run the database by using the Azure data management
services.
D. Deploy the user interface tier to a VM. Use multiple availability sets to continuously deploy updates from
Microsoft Visual Studio Online.

Correct Answer: C
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 39
You are designing a Windows Azure application that will use Windows Azure Table storage. You need to
recommend an approach for minimizing storage costs.
What should you recommend?

A. Use Entity Group Transactions.
B. Use multiple partitions to store data.
C. Use a transaction scope to group all storage operations.
D. Use Microsoft Distributed Transaction Coordinator (MSDTC).

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 40
You are designing an application that will use Windows Azure Table storage to store millions of data points
each day.

The application must retain each day's data for only one week. You need to recommend an approach for
minimizing storage transactions.

What should you recommend?

A. Use a separate table for each date. Delete each table when it is one week old.
B. Use a separate table for each week. Delete each table when it is one week old.
C. Use a single table, partitioned by date. Use Entity Group Transactions to delete data when it is one week
old.
D. Use a single table, partitioned by week. Use Entity Group Transactions to delete data when it is one week
old.

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 41
You are designing a Windows Azure application that will store data in two SQL Azure databases. The
application will insert data in both databases as part of a single logical operation. You need to recommend an
approach for maintaining data consistency across the databases.

What should you recommend?

A. Execute database calls on parallel threads.
B. Wrap the database calls in a single transaction scope.
C. Use Microsoft Distributed Transaction Coordinator (MSDTC).
D. Handle errors resulting from the database calls by using compensatory logic.

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Currently, it is not possible to update two tables of different databases using a single transaction in Azure
SQL Database in the same way that we can in SQL Server.

If you need to implement distributed transactions in your code, your application will be the coordinator of the
distributed transaction, using the transaction scope method in .NET.

References: https://blogs.msdn.microsoft.com/azuresqldbsupport/2018/03/30/lesson-learned-37-how-to-use-distributed-transactions-in-azure-sql-database/

QUESTION 42
A Windows Azure application stores data in a SQL Azure database. The application will start an operation that
includes three insert statements. You need to recommend an approach for rolling back the entire operation if
the connection to SQL Azure is lost.

What should you recommend?

A. Ensure that all statements execute in the same database transaction.
B. Create a stored procedure in the database that wraps the insert statements in a TRY CATCH block.
C. Create a stored procedure in the database that wraps the insert statements in a TRANSACTION block.
D. Open a new connection to the database. Use a separate transaction scope to roll back the original
operation.

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 43
You are developing a Windows Azure application in which a web role and worker role will communicate by
using a Windows Azure Queue.

You need to recommend an approach for ensuring that the worker role does not attempt to process any
message more than three times.

What should you recommend?

A. Appropriately handle poison messages.
B. Decrease the visibility timeout for messages.
C. Reduce the time-to-live interval for messages in the queue.
D. Increase the number of worker role instances reading messages from the queue.

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
To find "poison" messages in Windows Azure Queues, when dequeuing a message the application examines the
DequeueCount property of the message. If DequeueCount is above a given threshold, the application moves the
message to an application-defined "dead letter" queue.

QUESTION 44
You are designing a Windows Azure application.

The application includes processes that communicate by using Windows Communications Foundation (WCF)
services.

The WCF services must support streaming.

You need to recommend a host for the processes and a WCF binding.

Which two actions should you recommend? Each correct answer presents part of the solution. (Choose two.)

A. Host the processes in web roles.
B. Host the processes in worker roles.
C. Use NetTcpBinding for the WCF services.
D. Use WSHttpBinding for the WCF services.

Correct Answer: BC
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 45
You are evaluating a Windows Azure application.

The application uses one instance of a web role.

The role instance size is set to Medium.

The application does not use SQL Azure.

You have the following requirements for scaling the application:
Maximize throughput.
Minimize downtime while scaling.
Increase system resources.

You need to recommend an approach for scaling the application.

What should you recommend?

A. Set up vertical partitioning.
B. Set up horizontal partitioning.
C. Increase the number of role instances.
D. Change the role instance size to Large.

Correct Answer: C
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 46
You are designing a Windows Azure web application.

The application will be accessible at a standard cloudapp.net URL. You need to recommend a DNS resource
record type that will allow you to configure access to the application through a custom domain name.

Which type should you recommend?

A. A
B. CNAME
C. MX
D. SRV

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
You can use either a CNAME record or an A record to map a custom DNS name to App Service.

We [Microsoft] recommend that you use a CNAME for all custom DNS names except a root domain.

References: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain

QUESTION 47
You deploy an Azure web app named contosoApp. ContosoApp is available by using HTTP or HTTPS.

You need to ensure that a web administrator receives an email notification if the average response time for
contosoApp exceeds 50 milliseconds.

Which two tasks should you perform? Each correct answer presents part of the solution.

A. Create an HTTPS monitoring endpoint.
B. Create a metric.
C. Create a rule.
D. Create an HTTP monitoring endpoint.
E. Add a multi-factor authentication provider.

Correct Answer: BC
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Metrics for an App or App Service plan can be hooked up to alerts.

Create an alert rule on a metric with the Azure portal

1. In the portal, locate the resource you are interested in monitoring and select it.
2. Select Alerts (Classic) under the MONITORING section. The text and icon may vary slightly for different
resources. If you do not find Alerts (Classic), you might find them under Alerts or Alert Rules.
3. Select the Add metric alert (classic) command and fill in the fields.
4. Name your alert rule, and choose a Description, which also shows in notification emails.

References:
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/insights-alerts-portal

QUESTION 48
You manage an Azure web app in standard service tier at the following address: contoso.azurewebsites.net.

Your company has a new domain for the site named www.contoso.com that must be accessible by secure
socket layer (SSL) encryption.

You need to add a custom domain to the Azure web app and assign an SSL certificate.

Which three actions should you perform? Each correct answer presents part of the solution.

A. Add SSL binding for the www.contoso.com domain with the IP-based SSL option selected.
B. Create a CNAME record from www.contoso.com to contoso.azurewebsites.net.
C. Create a new file that will redirect the site to the new URL and upload it to the Azure Web site.
D. Add SSL binding for the www.contoso.com domain with the Server Name Indication (SNI) SSL option
selected.
E. Add www.contoso.com to the list of domain names as a custom domain.

Correct Answer: BDE
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Step 1 (B): When adding a CNAME record, you must set the Host Name field to the sub-domain you wish to
use. For example, www. You must set the Address field to the .azurewebsites.net domain name of your Azure
Website. For example, contoso.azurewebsites.net.

Step 2: Modify the service definition and configuration files
Your application must be configured to use the certificate, and an HTTPS endpoint must be added. As a result,
the service definition and service configuration files need to be updated.

Step 3: IP based SSL associates a certificate with a domain name by mapping the dedicated public IP address
of the server to the domain name. This requires each domain name (contoso.com, fabrikam.com, etc.)
associated with your service to have a dedicated IP address. This is the traditional method of associating SSL
certificates with a web server.

D: You need to bind your SSL certificate.

E: You need to add it to the custom domain whether you are buying a new one or using an existing domain.

References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain

QUESTION 49
HOTSPOT

You are developing an Azure App Service.

You must implement an external authentication method for the App Service.

You need to ensure that users can log on to the App Service by using a Microsoft account.

How should you configure the environment? To answer, select the appropriate options in the answer area.

Hot Area:
Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 50
You manage Azure Web Apps for a company. You migrate an on-premises web app to Azure. You plan to
update the Azure Web App by modifying the connection string and updating the files that have changed since
previous revision.

The deployment process must use Secure Socket Layer (SSL) and occur during off-peak hours as an
automated batch process.

You need to update the Azure Web App.

What should you do?

A. Configure a File Transfer Protocol (FTP) transfer script.
B. Deploy the web app from GitHub.
C. Use MSDeploy.exe.
D. Deploy the web app from the Internet Information Services (IIS) Management console.

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/app-service-web/app-service-deploy-local-git

QUESTION 51
HOTSPOT

You are the administrator for your company’s Azure environment.

A developer creates an application that needs to access resources in external systems. The application will be
deployed in the domain.

You need to use the Azure Command-Line Interface (CLI) to create a service principal.

How should you configure the command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
The default role for a service principal is Contributor. This role has full permissions to read and write to an
Azure account, and is usually not appropriate for applications. The Reader role is more restrictive, providing
read-only access.

References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli
https://docs.microsoft.com/en-us/rest/api/

QUESTION 52
Your company has an Azure subscription. You plan to deploy 10 Web Apps.
You have the following requirements:
Each Web App has at least 15 GB of storage.
All Web Apps can use azurewebsites.net.

You need to deploy the 10 web apps while minimizing costs.

Which pricing tier plan should you recommend?

A. Standard
B. Free
C. Basic
D. Shared

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-us/pricing/details/app-service/

QUESTION 53
You deploy an Azure Web App named ContosoApp. ContosoApp runs on five instances.

You need to run an application named App1.exe automatically as a background process for ContosoApp. The
solution must ensure that App1.exe runs in one instance only.

How should you deploy App1.exe?

A. as a continuous web job
B. in a new linked resource
C. as an on-demand web job
D. as a native application

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
WebJobs is a feature of Azure App Service that enables you to run a program or script in the same context as a
web app, API app, or mobile app. There is no additional cost to use WebJobs.
A continuous web job starts immediately when the WebJob is created. To keep the job from ending, the
program or script typically does its work inside an endless loop. If the job does end, you can restart it. It runs on
all instances that the web app runs on. You can optionally restrict the WebJob to a single instance.

Incorrect Answers:
C: There is no such thing as on-demand web jobs.

References: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-create-web-jobs#CreateScheduled

QUESTION 54
DRAG DROP

You manage an Azure Web App.

You need to move the Web App to a new App Service plan.
How should you complete the Azure PowerShell script? To answer, drag the appropriate Azure PowerShell
cmdlets to the correct locations. Each Azure PowerShell cmdlet may be used once, more than once, or not at
all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 55
HOTSPOT

A company is using Azure to host virtual machines (VMs) and web apps.
Two web apps named App1 and App2 are configured in the environment. App1 must be able to scale up to 10
instances. App2 must be able to scale up to 25 instances. The app services must be configured to minimize
costs.

You need to set the app service tier for each application.

Which service tier should you use for each app? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#app-service-limits

QUESTION 56
DRAG DROP

You administer an Azure Web Site named WebProd that uses a production database. You deploy changes to
WebProd from a deployment slot named WebStaging. You use a test database while making changes to the
Web App.

After you deploy the Web App, you discover issues in WebProd that are affecting customer data.

You need to resolve the issues in WebProd while ensuring minimum downtime for users.

You swap WebProd to WebStaging.

Which four steps should you perform next in sequence? To answer, move the appropriate actions from the list
of actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 57
You are deploying an ASP.NET application to an Azure virtual machine (VM). The application throws an
exception when invalid data is entered. When exceptions occur, an administrator must log on to the system to
remove the bad data, and then restart the application.

You need to gather information about application crashes.

What should you do?

A. Collect basic metrics.
B. Collect network and web metrics.
C. View the Windows event application logs.
D. View the Windows event system logs.

Correct Answer: C
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Application diagnostics allows you to capture information produced by a web application. ASP.NET applications
can use the System.Diagnostics.Trace class to log information to the application diagnostics log.

References: https://docs.microsoft.com/en-us/azure/app-service/web-sites-enable-diagnostic-log

QUESTION 58
You manage Azure Web Apps for a company. You migrate an on-premises web app to Azure. You plan to
update the Azure Web App by modifying the connection string and updating the files that have changed since
previous revision.

The deployment process must use Secure Socket Layer (SSL) and occur during off-peak hours as an
automated batch process.

You need to update the Azure Web App.

What should you do?

A. Configure a File Transfer Protocol (FTP) transfer script.
B. Deploy the project from Microsoft Visual Studio.
C. Run the New-AzureRMWebApp Azure PowerShell cmdlet.
D. Run the New-AzureRmResourceGroupDeployment Azure PowerShell cmdlet.

Correct Answer: D
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 59
You plan to use Azure Monitor with AutoScale Services. You create a URI to be used with the monitoring
service.

You need to configure an alert that specifies the URI.

Which Azure Command-Line Interface (CLI) command or Azure PowerShell cmdlet should you run?

A. New-AzureRmAlertRuleEmail
B. azure insights logprofile add
C. New-AzureRmAlertRuleWebhook
D. New-AzureRmAutoscaleRule

Correct Answer: C
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
The New-AzureRmAlertRuleWebhook cmdlet creates an alert rule webhook.

Syntax:
New-AzureRmAlertRuleWebhook
[-ServiceUri] <String>
[[-Properties] <Hashtable>]
[<CommonParameters>]

Example: Create an alert rule webhook
New-AzureRmAlertRuleWebhook -ServiceUri "http://contoso.com"
This command creates an alert rule webhook by specifying only the service URI.

Incorrect Answers:
A: The New-AzureRmAlertRuleEmail cmdlet creates an e-mail action for an alert rule.

Syntax:
New-AzureRmAlertRuleEmail
[[-CustomEmails] <String[]>]
[-SendToServiceOwners]
[<CommonParameters>]

B: The azure insights logprofile add command adds a log profile.

Example: Add a log profile without retention
azure insights logprofile add --name default --storageId /subscriptions/1a66ce04-b633-4a0b-b2bc-a912ec8986a6/resourceGroups/insights-integration/providers/Microsoft.Storage/storageAccounts/insightsintegration7777 --locations global,westus,eastus,northeurope,westeurope

D: The New-AzureRmAutoscaleRule cmdlet creates an Autoscale rule.

References: https://docs.microsoft.com/en-us/powershell/module/azurerm.insights/new-azurermalertrulewebhook?view=azurermps-4.3.1

QUESTION 60
A company uses Azure to host virtual machines (VMs) and web apps.

You need to ensure that you can configure a schedule to scale app services.

How should you configure the app service?

A. Set the scale by metric setting to Queue.
B. Set the scale up by instances setting to 5.
C. Set the scale down by instances setting to 5.
D. Ensure that linked resources are also scaled.
E. Set the scale by metric setting to None.

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
The Automatic scale - Queue mode automatically scales if the number of messages in a queue goes above or
below a specified threshold. Role instances are created or deleted when this happens.

Incorrect Answers:
B, C: To set the scale up/scale down by instances setting you must first set the scale by metric setting to CPU.
D: Scale linked resources
Often when you scale a role, it's beneficial to scale the database that the application is using also. If you link the
database to the cloud service, you can access the scaling settings for that resource.

References: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-how-to-scale

QUESTION 61
A company uses Azure to host virtual machines (VMs) and web apps. You plan to deploy a new web app in the
Shared App Service tier.

The web app must support running up to 25 instances concurrently.

You need to ensure that you can configure HTTPS for the new web app.

What should you do?

A. Configure the domain name mapping.
B. Set the deployment credentials for the app service.
C. Create a new app service.
D. Scale up to the Premium App Service tier.
E. Configure a custom domain.
F. Scale up to the Basic App Service tier.
G. Scale up to the Standard App Service tier.

Correct Answer: D
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
SSL is not available in the Shared App Service tier. Secure Sockets Layer (SSL) certificates for custom
domains are available on Basic, Standard, and Premium service plans.

References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/

QUESTION 62
You manage an Azure Web Site that is running in Shared mode.

You discover that the website is experiencing increased average response time during periods of heavy user
activity.

You need to update the website configuration to address the performance issues as they occur. What should
you do?

A. Set the website to Standard mode and configure automatic scaling based on CPU utilization.
B. Configure automatic scaling during specific dates.
C. Modify the website instance size.
D. Configure automatic scaling based on memory utilization.
E. Set the website to Basic mode and configure automatic scaling based on CPU utilization.

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Scaling to Standard Plan Mode
Selecting Standard expands the Capacity section to reveal the Instance Size and Instance Count options,
which are also available in Basic mode. The Edit Scale Settings for Schedule and Scale by Metric options are
available only in Standard mode.

Note:
For increased performance and throughput for your websites on Microsoft Azure, you can use the Azure
Management Portal to scale your Web Hosting Plan mode from Free to Shared, Basic, or Standard.
There are 2 options for scaling:
1. Based on a Schedule
2. Based on CPU usage

QUESTION 63
DRAG DROP

Your company manages several Azure Web Apps that are running in an existing web-hosting plan named
plan1.

You need to move one of the Web Apps named contoso, to a new App Service plan named plan2.

How should you complete the Azure PowerShell command? To answer, drag the appropriate Azure
PowerShell segment to the correct location. Each PowerShell segment may be used once, more than once, or
not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:

QUESTION 64
You plan to use Azure Monitor with AutoScale Services. You create a URI to be used with the monitoring
service.

You need to configure an alert that specifies the URI.

Which Azure Command-Line Interface (CLI) command or Azure PowerShell cmdlet should you run?

A. New-AzureRmAlertRuleEmail
B. azure insights logprofile add
C. azure insights alerts actions webhook create
D. azure insights alerts rule list

Correct Answer: C
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
To create a webhook or send an email when a classic metric alert fires, first create the email or webhook. Then
create the rule immediately afterwards. You can't associate webhooks or emails with rules that have already
been created.

azure insights alerts actions email create --customEmails [email protected]

azure insights alerts actions webhook create https://www.contoso.com

azure insights alerts rule metric set myrulewithwebhookandemail eastu

References:
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/insights-autoscale-to-webhook-email
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/insights-alerts-command-line-interface

QUESTION 65
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company uses Azure to host virtual machines (VMs) and web apps. You have an app service named App1
that uses the Basic app service tier.

You need to ensure that diagnostic data for App1 is permanently stored.

Solution: You specify a storage account in the ServiceConfiguration.cscfg file.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
You specify the storage account that you want to use in the ServiceConfiguration.cscfg.

The service configuration file specifies the number of role instances to deploy for each role in the service, the
values of any configuration settings, and the thumbprints for any certificates associated with a role. If the
service is part of a Virtual Network, configuration information for the network must be provided in the service
configuration file, as well as in the virtual networking configuration file. The default extension for the service
configuration file is .cscfg.

References: https://docs.microsoft.com/en-us/azure/cloud-services/schema-cscfg-file
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/azure-diagnostics-storage

QUESTION 66
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some questions sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company uses Azure to host virtual machines (VMs) and web apps. You have an app service named App1
that uses the Basic app service tier.

You need to ensure that diagnostic data for App1 is permanently stored.

Solution: You specify a storage account in the Diagnostics.xml file.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
You specify the storage account that you want to use in the ServiceConfiguration.cscfg.

The service configuration file specifies the number of role instances to deploy for each role in the service, the
values of any configuration settings, and the thumbprints for any certificates associated with a role. If the
service is part of a Virtual Network, configuration information for the network must be provided in the service
configuration file, as well as in the virtual networking configuration file. The default extension for the service
configuration file is .cscfg.

References: https://docs.microsoft.com/en-us/azure/cloud-services/schema-cscfg-file
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/azure-diagnostics-storage

QUESTION 67
HOTSPOT

A company has three web apps that run in Azure.

The web apps have the following characteristics and requirements:

App1 has a legacy database. Only one instance of the web app must be used at a given time.
App2 has users in different regions. Users must be balanced between multiple web app instances.
App3 has users in different regions. Users must access the web app in the nearest physical region.

You need to configure traffic routing.

For each app, which method should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
There are four traffic routing methods available in Traffic Manager:

App1: Priority
Select Priority when you want to use a primary service endpoint for all traffic, and provide backups in case the
primary or the backup endpoints are unavailable.

App2: Weighted
Select Weighted when you want to distribute traffic across a set of endpoints, either evenly or according to
weights, which you define.

App3: Performance
Select Performance when you have endpoints in different geographic locations and you want end users to use
the "closest" endpoint in terms of the lowest network latency.

Note: The fourth option is Geographic. Select Geographic so that users are directed to specific endpoints (Azure,
External, or Nested) based on which geographic location their DNS query originates from.

References: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods

QUESTION 68
You are an administrator for your company's Azure environment.

A developer creates an application that needs to access resources in external systems. The application will be
deployed in the domain.

You need to authenticate the Active Directory application.

What should you implement?

A. a certificate and a service principal
B. a certificate and a service account
C. a single sign-on and a service principal
D. a service account and a service principal

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
You can upload public certificates to your web app so the app can access an external service that requires
certificate authentication. You can use public certificates with apps in App Service Environments also. If you
need to store the certificate in the LocalMachine certificate store, you need to use a web app on App Service
Environment.

When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD
tenant: an application object, and a service principal object.

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos
authentication to associate a service instance with a service logon account. This allows a client application to
request that the service authenticate an account even if the client does not have the account name.

References: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl

QUESTION 69
DRAG DROP

A company plans to use Operations Management Suite (OMS) to track configuration changes within virtual
machines (VMs).

You need to determine the change types that report differences when changes are found.

Which action for each source type is performed by the OMS agent? To answer, drag the appropriate action to
the data source. Each action may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
MS Log Analytics performs Windows registry monitoring and tracking with the Change Tracking solution.

The file tracking feature will track files on both Windows and Linux systems with the OMS agent installed.

References: https://novacontext.com/microsoft-operations-management-suite-oms-change-update-management/

QUESTION 70
DRAG DROP

Your company manages several Azure Web Sites that are running in an existing web-hosting plan named
plan1.

You need to move one of the websites, named contoso, to a new web-hosting plan named plan2.

Which Azure PowerShell cmdlet should you use with each PowerShell command line? To answer, drag the
appropriate Azure PowerShell cmdlet to the correct location in the PowerShell code. Each PowerShell cmdlet
may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to
view content.

Select and Place:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Example: let's update the properties and call Set-AzureResource
$prop = $null;
$prop = @{ 'serverFarm' = $hpn }
$res = Set-AzureResource -Name $site -ResourceGroupName $rgn -ResourceType Microsoft.Web/sites -ApiVersion 2014-04-01 -PropertyObject $prop

References: https://blogs.msdn.microsoft.com/shad_phillips/2014/11/06/changing-azure-hosting-plans-with-powershell/

QUESTION 71
You have an Azure subscription.

You create an Azure Active Directory (Azure AD) tenant named Tenant1 that has a domain name of
tenant1.onmicrosoft.com. You need to add the contoso.com domain name to Tenant1.

Which DNS record should you add to the contoso.com zone to be able to verify from Azure whether you own
the contoso.com domain?

A. standard alias (CNAME)
B. mail exchanger (MX)
C. host (AAAA)
D. signature (SIG)

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
A Mail Exchanger (MX) record can be used to verify a custom domain.
You can use a TXT record or, alternatively, an MX record.

References:
https://stackoverflow.com/questions/22380653/verify-a-domain-name-in-azure-active-directory
https://docs.microsoft.com/en-us/azure/active-directory/add-custom-domain#add-a-dns-entry-forthe-domain-name-at-the-domain-name-registrar

QUESTION 72
You deploy an Azure web app named contosoApp. ContosoApp is available by using HTTP or HTTPS. You
need to ensure that a web administrator receives an email notification if the average response time for
contosoApp exceeds 50 milliseconds.

Which two tasks should you perform? Each correct answer presents part of the solution.

A. Create an HTTPS monitoring endpoint.
B. Create a metric.
C. Create a rule.
D. Create an HTTP monitoring endpoint.
E. Modify the properties of the connection strings.
F. Enable Application logging.

Correct Answer: BC
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Metrics for an App or App Service plan can be hooked up to alerts.

Create an alert rule on a metric with the Azure portal

1. In the portal, locate the resource you are interested in monitoring and select it.
2. Select Alerts (Classic) under the MONITORING section. The text and icon may vary slightly for different
resources. If you do not find Alerts (Classic), you might find them under Alerts or Alert Rules.
3. Select the Add metric alert (classic) command and fill in the fields.
4. Name your alert rule, and choose a Description, which also shows in notification emails.

References:
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/insights-alerts-portal

QUESTION 73
You are designing a web app deployment in Azure.

You need to ensure that inbound requests to the web app are routed based on the endpoint that has the lowest
latency.

What should you use?

A. Azure Traffic Manager
B. Azure Fabric Controller
C. Azure Load Balancer
D. Azure health probes

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-load-balancing-azure
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring

QUESTION 74
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company uses Azure to host virtual machines (VMs) and web apps. You have an app service named App1
that uses the Basic app service tier.

You need to ensure that diagnostic data for App1 is permanently stored.

Solution: You scale up the app service to the Standard tier.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Diagnostic data is not permanently stored unless you transfer it to the Microsoft Azure storage emulator or to
Azure storage.
You specify the storage account that you want to use in the ServiceConfiguration.cscfg file.

References:
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/azure-diagnostics-storage
https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#storage-limits

QUESTION 75
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company uses Azure to host virtual machines (VMs) and web apps. You have an app service named App1
that uses the Basic app service tier.

You need to ensure that diagnostic data for App1 is permanently stored.

Solution: You scale up the app service to the Premium tier.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#storage-limits

QUESTION 76
DRAG DROP

You manage a web app named App1 in Azure App Service. App1 is a member of resource group RG1. You
plan to use a custom domain name with the web app.

The web app must have a Secure Sockets Layer (SSL) certificate associated with the custom domain name.
You upload the SSL certificate to Azure and set the thumbprint to a variable named $thumbprint.

You need to use the Azure Command-Line Interface (Azure CLI) to bind the SSL certificate with the web app.

How should you complete the command? To answer, drag the appropriate parameters to the correct locations.
Each parameter may be used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/cli/azure/webapp/config/ssl?view=azure-cli-latest#az-webapp-config-ssl-bind

QUESTION 77
DRAG DROP

You manage an Azure Web App named contososite.

You download the subscription publishing credentials named Contoso-Enterprise.publishsettings.

You need to use Azure PowerShell to achieve the following:

Connect to the Contoso-Enterprise subscription.
Create a new App Setting named IsCustom with a value of True.
Restart the Web App.

Which command should you use? To answer, drag the appropriate Azure PowerShell command to the correct
location in the solution. Each cmdlet may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content.

Select and Place:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Step 1: Import-AzurePublishSettingsFile
The Import-AzurePublishSettingsFile cmdlet imports a .publishsettings file that has been downloaded using the
Get-AzurePublishSettingsFile cmdlet. This file contains settings and an encoded certificate that provides
management credentials for the Windows Azure account.

Step 2: Set-AzureWebsite
The Set-AzureWebsite cmdlet configures an Azure website.

Step 3: Restart-AzureWebsite
The Restart-AzureRmWebApp cmdlet stops and then starts an Azure Web App.

Select-AzureSubscription "-Appsettings" publishsettings

References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.websites/restart-azurermwebapp?view=azurermps-6.5.0
https://msdn.microsoft.com/en-us/library/mt788684(v=azure.200).aspx

QUESTION 78
HOTSPOT

You plan to deploy a web app in an Azure App Service. The web app must use a database to store data and
minimize monthly recurring costs.

You need to ensure that you can perform scheduled backups that include the web app and database.

How should you configure the web app App Service? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Box 1: Standard.
The Backup and Restore feature requires the App Service plan to be in the Standard tier or Premium tier. We
choose Standard as we want to minimize the cost.

Box 2: Azure Database for MySQL

The following database solutions are supported with backup feature:
SQL Database
Azure Database for MySQL (Preview)
Azure Database for PostgreSQL (Preview)
MySQL in-app

References: https://docs.microsoft.com/en-us/azure/app-service/web-sites-backup

QUESTION 79
HOTSPOT

A company plans to create an App Service that uses the ASP.NET web app template. The company also plans
to create a backup job for the App Service. The App Service must have the lowest recurring cost possible.

You need to ensure that you can create a backup of the App Service.
What should you use for each requirement? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Box 1: Standard
The Backup and Restore feature requires the App Service plan to be in the Standard tier or Premium tier. We
choose Standard as we want to minimize the cost.

Box 2: Resource group

References: https://docs.microsoft.com/en-us/azure/app-service/web-sites-backup

QUESTION 80
You manage an Azure Web App.

You must log detailed error messages and failed requests.

You need to log the events and make the logs available for download by using an encrypted method.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Create a File Transfer Protocol (FTP) deployment username and password.
B. Enable the App Service Authentication.
C. Change the Azure authentication provider.
D. Enable diagnostic logging for the app service.
E. Provide the developer with the secure download URL.

Correct Answer: ABD
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
A: Diagnostic information stored to the web app file system can be accessed directly using FTP.

D: To enable diagnostics in the Azure portal, go to the page for your web app and click Settings > Diagnostics
logs.

References: https://docs.microsoft.com/en-us/azure/app-service/web-sites-enable-diagnostic-log#enablediag

QUESTION 81
A company uses Azure to host virtual machines (VMs) and web apps.

You need to ensure that you can configure a schedule to scale app services.

How should you configure the app service?

A. Set the scale up by instances setting to 5.
B. Ensure that linked resources are also scaled.
C. Set the scale by metric setting to CPU.
D. Increase the instance count range.

Correct Answer: C
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Conditions can be set for a cloud service worker role that trigger a scale in or out operation. The conditions for
the role can be based on the CPU, disk, or network load of the role. You can also set a condition based on a
message queue or the metric of some other Azure resource associated with your subscription.

References: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-how-to-scale

QUESTION 82
You deploy an Azure Web App named ContosoApp. ContosoApp runs on five instances.

You need to run an application named App1.exe automatically as a background process for ContosoApp. The
solution must ensure that App1.exe runs in one instance only.

How should you deploy App1.exe?

A. as a virtual application
B. as a new Web App
C. as a native application
D. as a scheduled web job

Correct Answer: D
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
WebJobs is a feature of Azure App Service that enables you to run a program or script in the same context as a
web app, API app, or mobile app. There is no additional cost to use WebJobs.
You can schedule WebJobs.

References: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-create-web-jobs#CreateScheduled

QUESTION 83
You are an administrator for your company's Azure environment.

A developer creates an application that needs to access resources in external systems. The application will be
deployed in the domain.

You need to authenticate the Active Directory application.

What should you implement?

A. a password and a service account
B. a certificate and a service principal
C. a password and a single sign-on
D. a password and a service principal

Correct Answer: B
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
You can upload public certificates to your web app so the app can access an external service that requires
certificate authentication. You can use public certificates with apps in App Service Environments also. If you
need to store the certificate in the LocalMachine certificate store, you need to use a web app on App Service
Environment.

When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD
tenant: an application object, and a service principal object.

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos
authentication to associate a service instance with a service logon account. This allows a client application to
request that the service authenticate an account even if the client does not have the account name.

References: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl

QUESTION 84
You have an Azure subscription.

You create an Azure Active Directory (Azure AD) tenant named Tenant1 that has a domain name of
tenant1.onmicrosoft.com. You need to add the contoso.com domain name to Tenant1.

Which DNS record should you add to the contoso.com zone to be able to verify from Azure whether you own
the contoso.com domain?

A. text (TXT)
B. service location (SRV)
C. standard alias (CNAME)
D. DNSKEY

Correct Answer: A
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
You can use a TXT record or, alternatively, an MX record. As an MX record isn't an option here, the only option left is TXT.
You would add the MS=xxxxxxxxx value into this record.

References:
https://stackoverflow.com/questions/22380653/verify-a-domain-name-in-azure-active-directory
https://docs.microsoft.com/en-us/azure/active-directory/add-custom-domain#add-a-dns-entry-forthe-domain-name-at-the-domain-name-registrar

QUESTION 85
You are deploying an ASP.NET application to an Azure virtual machine (VM). The application throws an
exception when invalid data is entered. When exceptions occur, an administrator must log on to the system to
remove the bad data, and then restart the application.

You need to gather information about application crashes.

What should you do?

A. View the Diagnostics infrastructure logs
B. Collect .NET metrics
C. View the Windows event application logs.
D. View the Windows event system logs.

Correct Answer: C
Section: Topic 1, Design and Implement Azure App Service
Explanation

Explanation/Reference:
Explanation:
Application diagnostics allows you to capture information produced by a web application. ASP.NET applications
can use the System.Diagnostics.Trace class to log information to the application diagnostics log.

References: https://docs.microsoft.com/en-us/azure/app-service/web-sites-enable-diagnostic-log

QUESTION 86
You administer an Azure subscription with an existing cloud service named contosocloudservice.
Contosocloudservice contains a set of related virtual machines (VMs) named ContosoDC, ContosoSQL and
ContosoWeb1.

You want to provision a new VM within contosocloudservice.

You need to use the latest gallery image to create a new Windows Server 2012 R2 VM that has a target IOPS
of 500 for any provisioned disks.

Which PowerShell command should you use?

A.

B.

C.

D.

Correct Answer: A
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
This is a hotly debated question. The syntax appears to be wrong in each choice.
MS has been known to do this on purpose. When this occurs, choose the best option.
In this case, we know that New-AzureVMConfig is supposed to be used.
Also, we know that there is no -InstanceSize switch called "Basic_A1", but there is one called "Small"
https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-sizes-specs#a-series

For this reason, we choose the option which uses New-AzureVMConfig and -InstanceSize Small

Note: The New-AzureVMConfig cmdlet creates a new virtual machine configuration object. This object can then
be used to perform a new deployment, as well as to add a new virtual machine to an existing deployment.

Incorrect Answers:

Not C, Not D: The New-AzureQuickVM cmdlet sets the configuration for a new virtual machine and creates the
virtual machine. You can create a new Azure service for the virtual machine by specifying either the Location or
AffinityGroup parameters, or deploy the new virtual machine into an existing service.
AdminUsername is not required.

References:
http://msdn.microsoft.com/en-us/library/dn495159.aspx

QUESTION 87
DRAG DROP

You administer an Azure Virtual Machine (VM) named server1. The VM is in a cloud service named
ContosoService1.

You discover that the VM is experiencing storage issues due to increased application logging on the server.

You need to create a new 256-GB disk and attach it to the server.

Which PowerShell cmdlets should you use? To answer, drag the appropriate cmdlet to the correct location in
the PowerShell command. Each cmdlet may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
This example gets a virtual machine object for the virtual machine named “MyVM” in the “myservice” cloud
service, updates the virtual machine object by attaching an existing data disk from the repository using the disk
name, and then updates the Azure virtual machine.

Windows PowerShell
C:\PS>Get-AzureVM "myservice" -Name "MyVM" | Add-AzureDataDisk -Import -DiskName "MyExistingDisk" -LUN 0 | Update-AzureVM

References: http://msdn.microsoft.com/en-us/library/dn495298.aspx

QUESTION 88
You are the administrator for three Azure subscriptions named Dev, Test, and Prod.

Your Azure PowerShell profile is configured with the Dev subscription as the default.

You need to create a new virtual machine in the Test subscription by using the least administrative effort.

Which PowerShell command should you use?

A. PS C:\> Select-AzureSubscription –SubscriptionName “Test”
B. PS C:\> Set-AzureSubscription –SubscriptionName “Test” –CurrentStorageAccountName “teststorage”
PS C:\> Select-AzureSubscription “Test”
C. PS C:\> Set-AzureSubscription “Test” –CurrentStorageAccountName “teststorage”
D. PS C:\> Select-AzureSubscription –SubscriptionName “Test” -Default

Correct Answer: A
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
This command makes Test the current subscription.
C:\PS> Select-AzureSubscription -SubscriptionName Test -Current

References: http://msdn.microsoft.com/en-us/library/dn722499.aspx

QUESTION 89
DRAG DROP

You manage an Azure virtual machine (VM) named AppVM. The application hosted on AppVM continuously
writes small files to disk. You disable caching for all disks that are attached to AppVM. Recently the usage of
applications on AppVM has increased greatly.

You need to improve disk performance on AppVM.

Which Microsoft Azure PowerShell cmdlet should you use with each PowerShell command line? To answer,
drag the appropriate Microsoft Azure PowerShell cmdlet to the correct location in the PowerShell code. Each
PowerShell cmdlet may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:

Box 1: Set-AzureDataDisk
The Set-AzureDataDisk cmdlet modifies the cache attributes of an existing data disk on an Azure virtual
machine.
We should enable caching on the data disk, not on the OS disk, as we are concerned about the performance of
an application.

Box 2: ReadWrite
The application continuously writes small files to disk

References: https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure/set-azuredatadisk?view=azuresmps-4.0.0

QUESTION 90
DRAG DROP

You have an Azure Virtual Network named fabVNet with three subnets named Subnet-1, Subnet-2 and Subnet-
3. You have a virtual machine (VM) named fabVM running in the fabProd service.

You need to modify fabVM to be deployed into Subnet-3. You want to achieve this goal by using the least
amount of time and while causing the least amount of disruption to the existing deployment.

What should you do? To answer, drag the appropriate PowerShell cmdlet to the correct location in the
PowerShell command. Each cmdlet may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.

Select and Place:

Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
This example changes the size of the virtual machine "MyVM3", running in "MySvc1", to "Medium".

Windows PowerShell
C:\PS>Get-AzureVM -ServiceName "MySvc1" -Name "MyVM3" | Set-AzureVMSize -InstanceSize "Medium" | Update-AzureVM

References: http://msdn.microsoft.com/en-us/library/dn495230.aspx

QUESTION 91
You manage a set of virtual machines (VMs) deployed to the cloud service named fabrikamVM.

You configure auto scaling according to the following parameters:


With an instance range of two to six instances
To maintain CPU usage between 70 and 80 percent to scale up one instance at a time
With a scale up wait time of 30 minutes
To scale down one instance at a time
With a scale down wait time of 30 minutes

You discover the following usage pattern of a specific application:


The application peaks very quickly, and the peak lasts for several hours.
CPU usage stays above 90 percent for the first 1 to 1.5 hours after usage increases.
After 1.5 hours, the CPU usage falls to about 75 percent until application usage begins to decline.

You need to modify the auto scaling configuration to scale up faster when usage peaks.

What are two possible ways to achieve this goal? Each correct answer presents a complete solution.

A. Decrease the scale down wait time.
B. Decrease the scale up wait time.
C. Increase the number of scale up instances.
D. Increase the scale up wait time.
E. Increase the maximum number of instances.

Correct Answer: BC
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:

QUESTION 92
You develop a set of PowerShell scripts that will run when you deploy new virtual machines (VMs).

You need to ensure that the scripts are executed on new VMs. You want to achieve this goal by using the least
amount of administrative effort.

What should you do?

A. Create a new GPO to execute the scripts as a logon script.
B. Create a SetupComplete.cmd batch file to call the scripts after the VM starts.
C. Create a new virtual hard disk (VHD) that contains the scripts.
D. Load the scripts to a common file share accessible by the VMs.
E. Set the VMs to execute a custom script extension.

Correct Answer: E
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
After you deploy a Virtual Machine you typically need to make some changes before it’s ready to use. This is
something you can do manually or you could use Remote PowerShell to automate the configuration of your VM
after deployment for example.

But now there’s a third alternative available allowing you to customize your VM: the CustomScript extension.

This CustomScript extension is executed by the VM Agent and it’s very straightforward: you specify which files it
needs to download from your storage account and which file it needs to execute. You can even specify
arguments that need to be passed to the script. The only requirement is that you execute a .ps1 file.

References: http://azure.microsoft.com/blog/2014/04/24/automating-vm-customization-tasks-using-custom-script-extension/

QUESTION 93
You manage a virtual Windows Server 2012 web server that is hosted by an on-premises Windows Hyper-V
server. You plan to use the virtual machine (VM) in Azure.

You need to migrate the VM to Azure Storage to add it to your repository.


Which Azure PowerShell cmdlet should you use?

A. Import-AzureVM
B. New-AzureVM
C. Add-AzureDisk
D. Add-AzureWebRole
E. Add-AzureVhd

Correct Answer: E
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Add-AzureVhd command uploads a virtual hard disk (in .vhd file format) from an on-premises virtual
machine to a blob in a cloud storage account in Azure.

References: https://msdn.microsoft.com/en-us/library/azure/dn495173.aspx

QUESTION 94
You administer a set of virtual machine (VM) guests hosted in Hyper-V on Windows Server 2012 R2.

The virtual machines run the following operating systems:


Windows Server 2008
Windows Server 2008 R2
Linux (open SUSE 13.1)

All guests currently are provisioned with one or more network interfaces with static bindings and VHDX disks.
You need to move the VMs to Azure Virtual Machines hosted in an Azure subscription.

Which three actions should you perform? Each correct answer presents part of the solution.

A. Install the WALinuxAgent on Linux servers.
B. Ensure that all servers can acquire an IP by means of Dynamic Host Configuration Protocol (DHCP).
C. Upgrade all Windows VMs to Windows Server 2008 R2 or higher.
D. Sysprep all Windows servers.
E. Convert the existing virtual disks to the virtual hard disk (VHD) format.

Correct Answer: ACE
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
A: For Linux the WALinuxAgent agent is mandatory.
C: Need to upgrade to Windows Server 2008 R2 or higher.
E: VHDX is not supported, so VHD is needed.

References:
https://azure.microsoft.com/fr-fr/documentation/articles/virtual-machines-create-upload-vhd-windows-server/

QUESTION 95
You administer a virtual machine (VM) that is deployed to Azure. You configure a rule to generate an alert when
the average availability of a web service on your VM drops below 95 percent for 15 minutes.

The development team schedules a one-hour maintenance period.


You have the following requirements:
No alerts are created during the maintenance period.
Alerts can be restored when the maintenance is complete.

You want to achieve this goal by using the least amount of administrative effort.

What should you do from the Management Portal?

A. Select and disable the rule from the Dashboard page of the virtual machine.
B. Select and delete the rule from the Configure page of the virtual machine.
C. Select and disable the rule from the Monitor page of the virtual machine.
D. Select and disable the rule on the Configure page of the virtual machine.

Correct Answer: C
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:

Virtual Machines
You can configure virtual machine alert rules on:

References:
http://azure.microsoft.com/en-us/documentation/articles/web-sites-monitor/#webendpointstatus

QUESTION 96
You manage an Azure subscription with virtual machines (VMs) that are running in Standard mode.

You need to reduce the storage costs associated with the VMs.

What should you do?


A. Locate and remove orphaned disks.
B. Add the VMs to an affinity group.
C. Change VMs to the Basic tier.
D. Delete the VHD container.

Correct Answer: C
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
Standard offers 50 GB of storage space, while Basic only gives 10 GB but it will save costs.

References: http://azure.microsoft.com/en-us/pricing/details/websites/

QUESTION 97
You manage several Azure virtual machines (VMs). You create a custom image to be used by employees on
the development team.

You need to ensure that the custom image is available when you deploy new servers.

Which Azure PowerShell cmdlet should you use?

A. Update-AzureVMImage
B. Add-AzureVhd
C. Add-AzureVMImage
D. Update-AzureDisk
E. Add-AzureDataDisk

Correct Answer: C
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Add-AzureVMImage cmdlet adds an operating system image to the image repository. The image should be
a generalized operating system image, using either Sysprep for Windows or, for Linux, using the appropriate
tool for the distribution.

References: https://docs.microsoft.com/en-us/powershell/module/azure/add-azurevmimage?view=azuresmps-4.0.0

QUESTION 98
DRAG DROP

You administer two virtual machines (VMs) that are deployed to a cloud service. The VMs are part of a virtual
network.

The cloud service monitor and virtual network configuration are configured as shown in the exhibits. (Click the
Exhibits button.)

You need to create an internal load balancer named fabLoadBalancer that has a static IP address of
172.16.0.100.

Which value should you use in each parameter of the PowerShell command?

To answer, drag the appropriate value to the correct location in the PowerShell command. Each value may be
used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view
content.

Select and Place:

Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:

QUESTION 99
A company has an Azure subscription with four virtual machines (VM) that are provisioned in an availability set.
The VMs support an existing web service. The company expects additional demand for the web service. You
add 10 new VMs to the environment.

You need to configure the environment.

How many Update Domains (UDs) and Fault Domains (FDs) should you create?

A. 2 UDs and 5 FDs
B. 5 UDs and 2 FDs
C. 14 UDs and 2 FDs
D. 14 UDs and 14 FDs

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:

QUESTION 100
You have an Azure subscription that has five virtual machines (VMs). You provision the VMs in an availability
set to support an existing web service.

You anticipate additional traffic. You identify the following additional requirements for the VMs:
disk size: 500 GB
IOPS per disk: 2000
throughput per disk: 100 MB per second
number of highly utilized disks: 40

You need to scale the service.

What should you recommend?

A. P10 Premium Storage
B. P20 Premium Storage
C. Basic Tier VM
D. Standard Tier VM

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-gb/documentation/articles/storage-premium-storage/#premium-storage-scalability-and-performance-targets

QUESTION 101
DRAG DROP

You create a virtual machine (VM) in Azure. The VM runs an important line of business application.

Users report that the application is slow and unstable.

You need to enable diagnostics for the VM.

In which order should you perform the actions? To answer, move all actions from the list of actions to the
answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Azure Portal can be used to configure Azure Diagnostics. Clicking on one of the lenses in the Monitoring
tab for a VM brings up the Metric blade. Clicking on the Diagnostics button then brings up the Diagnostics blade
which can be used to configure diagnostics.

References: https://azure.microsoft.com/en-gb/documentation/articles/insights-how-to-use-diagnostics/

QUESTION 102
You have an Azure subscription.

In Azure, you create two virtual machines named VM1 and VM2. Both virtual machines are instances in a cloud
service named Cloud1.

You need to ensure that the virtual machines only replicate within the data center in which they were created.

Which settings should you modify?

A. virtual machine
B. storage account
C. cloud services
D. Azure subscription

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:

QUESTION 103
You host an application on an Azure virtual machine (VM) that uses a data disk. The application performs
several input and output operations per second.

You need to disable disk caching for the data disk.

Which two actions will achieve the goal? Each answer presents a complete solution.

A. Use the Azure Resource Manager REST API.
B. Use the Service Management REST API.
C. Run the following Windows PowerShell cmdlet: Remove-AzureDataDisk
D. Run the following Windows PowerShell cmdlet: Set-AzureDataDisk

Correct Answer: BD
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
B: The Service Management REST API includes the Update Data Disk operation, which updates the
configuration of the specified data disk that is attached to the specified Virtual Machine.

D: The Set-AzureDataDisk cmdlet modifies the cache attributes of an existing data disk on an Azure virtual
machine.

References: http://msdn.microsoft.com/en-us/library/azure/jj157190.aspx

QUESTION 104
You are developing a REST API service that provides data about products.

The service will be hosted in an Azure virtual machine (VM). The product data must be stored in Azure tables
and replicated to multiple geographic locations. API calls that use the HTTP GET operation must continue to
function when the data tables at the primary Azure datacenter are not accessible.

You need to configure storage for the service.

Which type of replication should you choose?

A. Locally Redundant Storage replication
B. Geo-Redundant Storage replication
C. Zone-Redundant Storage replication
D. Read-Access Geo-Redundant Storage replication

Correct Answer: D
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:

QUESTION 105
You have an Azure subscription that has a virtual machine named VM1. VM1 runs a line-of-business
application named APP1.

You create two additional virtual machines named VM2 and VM3 to host APP1.

You need to ensure that there is always at least one virtual machine online to host APP1.

Which command should you run? To answer, select the appropriate options in the answer area.

A. Export-AzureVM
B. Get-AzureAffinityGroup
C. Get-AzureEndPoint
D. Get-AzureVM

Correct Answer: D
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Get-AzureVM cmdlet retrieves information about virtual machines running in Azure. It returns an object with
information on a specific virtual machine, or if no virtual machine is specified, for all the virtual machines in the
specified service of the current subscription.

References:
https://msdn.microsoft.com/fr-fr/library/azure/dn495236.aspx

QUESTION 106
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will
not appear in the review screen.

You create an Ubuntu Linux virtual machine (VM) by using the Azure Portal. You do not specify a password
when you create the VM.

You need to connect to the terminal of the VM.

Solution: You connect to the public IP address of the VM by using Secure Shell (SSH) and specify your public
key.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:

QUESTION 107
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will
not appear in the review screen.

You create an Ubuntu Linux virtual machine (VM) by using the Azure Portal. You do not specify a password
when you create the VM.

You need to connect to the terminal of the VM.

Solution: You connect to the public IP address of the VM by using Secure Shell (SSH) and specify your private
key.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:

QUESTION 108
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You create an Ubuntu Linux virtual machine (VM) by using the Azure Portal. You do not specify a password
when you create the VM.

You have a workstation that is connected to the Internet.

You need to connect the workstation to the terminal of the VM.

Solution: You use the Connect button on the Overview blade for the VM.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-quick-create-portal?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json

QUESTION 109
DRAG DROP

You are the administrator for your company’s virtual environment.

The company is planning to deploy an e-commerce application that will experience random performance
fluctuations. The application must be able to scale to meet temporary needs and be idle when the needs
disappear.

You need to create automatic virtual machine (VM) scale sets to support the application.

In which order should you perform the actions? To answer, move all actions from the list of actions to the
answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-windows-autoscale

QUESTION 110
You develop a set of PowerShell scripts that will run when you deploy new virtual machines (VMs).

You need to ensure that the scripts are run automatically when the VM is started.

What should you do?

A. Load the scripts to a common file share accessible by the VMs.
B. Create a SetupComplete.cmd batch file to call the scripts after the VM starts.
C. Set the VMs to execute a custom extension.
D. Create a new virtual hard disk (VHD) that contains the scripts.

Correct Answer: C
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is
useful for post deployment configuration, software installation, or any other configuration / management task.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows

QUESTION 111
HOTSPOT

You deploy a Web App to Azure. The Web App uses several Basic tier, single instance virtual machines (VMs).

The App includes a web tier, services tier, data tier, and a compute-intensive processing tier, as shown in the
following diagram:

You have the following requirements:


The application must be available during all Azure platform events, including planned (VM restarts required)
and unplanned (hardware failure) events.
You must simplify VM deployments by using JSON templates and the Azure Resource Manager (ARM).
The processing tier must support high volume CPU loads at peak times throughout the year.
The web tier must support high volumes of incoming Internet traffic during peak times throughout the year.
The company has authorized downtime for the infrastructure upgrades. Future updates must not include
downtime.
The infrastructure upgrades must provide the most economical solution while meeting all requirements.

Users report application outages during planned Azure maintenance windows. You plan to upgrade the
application to support upcoming company initiatives as well as address the user reports.

You need to upgrade the application and infrastructure.

For each tier, which action should you perform? To answer, select the appropriate action from each list in the
answer area.

Hot Area:
Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
Web tier: Use 2 Standard tier VMs in a new availability set, load balanced with Azure Load Balancer.
The web tier must support high volumes of incoming Internet traffic during peak times throughout the year.

Services: Use 2 Standard tier VMs in a new availability set.

Data: Use 2 Standard tier VMs contained within the services tier availability set.

Processing: Use 2 Dv2-series VMs in a new scale set.
The processing tier must support high volume CPU loads at peak times throughout the year.
Dv2-series, a follow-on to the original D-series, features a more powerful CPU. The Dv2-series CPU is about
35% faster than the D-series CPU.
Automatic scaling of virtual machines in a scale set is the creation or deletion of machines in the set as needed
to match performance requirements. As the volume of work grows, an application may require additional
resources to enable it to effectively perform tasks.

References:
https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-sizes
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview

QUESTION 112
You have an Azure subscription.

In Azure, you create two virtual machines named VM1 and VM2.
You need to ensure that any virtual hard disks that the VMs use are not replicated between datacenters.

Which settings should you modify?

A. Azure subscription
B. virtual machine
C. cloud services
D. storage account

Correct Answer: D
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/storage/storage-introduction

QUESTION 113
DRAG DROP

You plan to deploy an application by using three Azure virtual machines (VMs). The application has a web-
based component that uses TCP port 443 and a custom component that uses UDP port 2020.

The application must be available during planned and unplanned Azure maintenance events. Incoming client
requests must be distributed across the three VMs. Clients must be connected to a VM only if both application
components are running.

You need to configure the VM environment.

For each requirement, what should you implement? To answer, drag the appropriate configuration type to the
correct target. Each configuration type may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/guidance/guidance-compute-multi-vm

QUESTION 114
HOTSPOT

You plan to deploy Ubuntu Linux virtual machines (VMs) in Azure.

You need to ensure that you are not prompted for a password when you create or connect to the VMs.

How should you configure the environment? To answer, configure the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: http://askubuntu.com/questions/46930/how-can-i-set-up-password-less-ssh-login

QUESTION 115
You are an administrator of an Azure subscription for your company.

Management asks you to configure Azure permissions for a user in your Azure Active Directory (Azure AD).
The user must be able to perform all actions on the virtual machines (VMs). The user must not be allowed to
create and manage availability sets for the VMs.

You need to implement the required permissions with the least administrative effort.

How should you assign permissions?

A. Use Windows PowerShell to assign the Classic Virtual Machine Contributor role to the user.
B. Use Windows PowerShell to create a custom role from the Virtual Machine Contributor role and then use
NotActions to customize the role permissions.
C. Implement a custom role through the Azure Portal and customize the role by adding the appropriate
permissions.
D. Assign the Virtual Machine Contributor role to the user.

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation
Explanation/Reference:
Explanation:

The Virtual Machine Contributor role lets you manage classic virtual machines, but not access to them, and not
the virtual network or storage account they’re connected to.

To specify the permissions for your custom role, you add the operations to the Actions or NotActions properties
of the role definition.

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#classic-virtual-machine-contributor
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

QUESTION 116
You are the administrator for your company’s virtual environment. The company plans to deploy an e-
commerce application that will experience random performance fluctuations.

The application must be able to scale to meet temporary needs and be idle when the needs disappear. You
create an automatic virtual machine (VM) scale set to support the application.

You need to set up automatic scaling for the scale set.

Which three tools can you use? Each correct answer presents a complete solution.

A. Resource Manager templates
B. Azure PowerShell
C. Azure Command-Line Interface (CLI)
D. Azure Traffic Manager
E. Azure Resource Explorer

Correct Answer: ABC
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview#set-up-scaling-by-using-resource-manager-templates

QUESTION 117
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You create an Ubuntu Linux virtual machine (VM) by using the Azure Portal. You do not specify a password
when you create the VM.

You have a workstation that is connected to the Internet.

You need to connect the workstation to the terminal of the VM.

Solution: You connect to the private IP address of the VM by using Secure Shell (SSH) and specify your public
key.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
You need to connect to the public IP, not the private IP.

QUESTION 118
HOTSPOT

You manage an Azure environment that has 12 virtual machines (VMs). A set of VMs run a Web App that uses
ASP.NET.

The developer of the application must have access to ASP.NET metrics and Internet Information Services (IIS)
logs from the VMs.

You need to ensure that the metrics and logs are saved and provide the developer access to the data.

For each requirement, which option should you use? To answer, select the appropriate options in the answer
area.

Hot Area:
Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:

QUESTION 119
DRAG DROP

You plan to deploy a new public-facing website on an Azure virtual machine (VM) by using the Azure Resource
Manager (ARM). You have an existing cloud service and a storage account in the Azure subscription.

You need to create and deploy the VM.

Which five actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:

QUESTION 120
DRAG DROP

You plan to create an Azure virtual machine (VM) that runs the Linux operating system.

You must use the following values:


You need to create and connect to the VM.

Which three commands should you run in sequence? To answer, move the appropriate commands from the list
of commands to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:

QUESTION 121
You are the architect for a software company that provides application servers to customers. The application
servers are Azure virtual machines (VMs) running Windows Server 2012 R2 under your company’s Azure
subscription.

The VMs are administrated by customers, and each customer customizes the system to meet its specific
needs. You identify the following requirements:
The customer must not modify the LocalSystem service account on the VMs.
The customer must run the Azure VM Agent.
You must set the value of the PowerShell execution policy to RemoteSigned for all customers.

When a critical security issue is discovered, the application servers must be updated with a security update as
quickly as possible, without waiting for customer action.

You need to design a strategy that allows for security issues to be updated as quickly as possible.

What should you do?

A. Convert the application so that it runs under a Hyper-V container, and run the security update script on the
host system.
B. Build the security update script into a new base Windows Server 2012 R2 image and deploy the image by
using a Virtual Machine Scale Set.
C. Use WinRM to run the security update script on each customer VM.
D. Create an AzureVMCustomScriptExtension to run the security update on each VM.

Correct Answer: D
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:

QUESTION 122
You manage an on-premises monitoring platform. You plan to deploy virtual machines (VMs) in Azure.

You must use existing on-premises monitoring solutions for Azure VMs. You must maximize security for any
communication between Azure and the on-premises environment.

You need to ensure that Azure alerts are sent to the on-premises solution.

What should you do?

A. Enable App Service Authentication for the VMs.
B. Configure a basic authorization webhook.
C. Deploy an HDInsight cluster.
D. Configure a token-based authorization webhook.

Correct Answer: D
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation
Explanation/Reference:

QUESTION 123
A company deploys Microsoft SQL Server on an Azure DS3_V2_ Standard virtual machine (VM).

You need to modify the disk caching policy.

Which Azure PowerShell cmdlet should you run?

A. Set-AzureRmVmOperatingSystem
B. Set-AzureRmVmOSDisk
C. Update-AzureDisk
D. Set-AzureRmVm

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Set-AzureRmVMOSDisk cmdlet modifies properties of a virtual machine system disk.

Syntax:
Set-AzureRmVMOSDisk
[-VM] <PSVirtualMachine>
[-Lun] <Int32>
[[-Caching] <CachingTypes>]
[[-DiskSizeInGB] <Int32>]
[<CommonParameters>]

The -Caching parameter specifies the caching mode of the disk. The acceptable values for this parameter are:
ReadOnly
ReadWrite

The default value is ReadWrite. Changing this value causes the virtual machine to restart.

Incorrect Answers:
A: The Set-AzureRmVMOperatingSystem cmdlet sets operating system properties for a virtual machine. You
can specify logon credentials, computer name, and operating system type.
C: The Update-AzureDisk cmdlet changes the label that is associated with a disk in the disk repository of the
current Azure subscription.
D: The Set-AzureRmVM cmdlet marks a virtual machine as generalized.

References: https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/set-azurermvmosdisk?view=azurermps-6.3.0

QUESTION 124
HOTSPOT

You are configuring auto-scaling for a virtual machine (VM). The following excerpt is the rules portion of a
resource template.

Use the drop-down menus to select the answer choice that answers each question based on the information
presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
Box 1: No
Here the performance counter is Thread Count, the threshold value is 800 for a scale-out action. If you use a
counter such as %Processor Time, the threshold value is set to the percentage of CPU usage that determines
a scaling action.

Box 2: created
The direction value determines the action that is taken when the threshold value is achieved. The possible
values are Increase or Decrease.

References: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview.md

QUESTION 125
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You administer an Azure subscription for your company. You plan to deploy a virtual machine (VM) to Azure.

The VM environment must provide 99.95% uptime. A single switch outage must not cause the VM environment
to be unavailable. The VM must not be offline due to installation of an update that requires a reboot.

You need to configure the environment.

Solution: Create two availability sets. Place a VM in each availability set.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The VM should be within the same availability set.

An Availability Set is a logical grouping capability that you can use in Azure to ensure that the VM resources you
place within it are isolated from each other when they are deployed within an Azure datacenter. Azure ensures
that the VMs you place within an Availability Set run across multiple physical servers, compute racks, storage
units, and network switches. If a hardware or Azure software failure occurs, only a subset of your VMs are
impacted, and your overall application stays up and continues to be available to your customers. Availability
Sets are an essential capability when you want to build reliable cloud solutions.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

QUESTION 126
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You administer an Azure subscription for your company. You plan to deploy a virtual machine (VM) to Azure.

The VM environment must provide 99.95% uptime. A single switch outage must not cause the VM environment
to be unavailable. The VM must not be offline due to installation of an update that requires a reboot.

You need to configure the environment.

Solution: Create an availability set and deploy two VMs in it. Ensure that the VMs are in different update and
fault domains.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The hardware in a location is divided into multiple update domains and fault domains. An update domain is a
group of VMs and underlying physical hardware that can be rebooted at the same time. VMs in the same fault
domain share common storage as well as a common power source and network switch.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

QUESTION 127
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company plans to use Operations Management Suite (OMS) to track changes within virtual machines (VMs).

The company requires that data collection occur at least every 15 minutes.

You need to recommend a solution to monitor VMs which ensures that data collection occurs at least every 15
minutes.

Solution: Monitor registry keys on Windows VMs.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation
Explanation/Reference:
Explanation:
You can use the Change Tracking solution to easily identify changes in your environment. The solution tracks
changes to Windows and Linux software, Windows and Linux files, Windows registry keys, Windows services,
and Linux daemons. Identifying configuration changes can help you pinpoint operational issues.

References: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-change-tracking

QUESTION 128
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company plans to use Operations Management Suite (OMS) to track changes within virtual machines (VMs).

The company requires that data collection occur at least every 15 minutes.

You need to recommend a solution to monitor VMs which ensures that data collection occurs at least every 15
minutes.

Solution: Monitor daemons on Linux VMs.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
You can use the Change Tracking solution to easily identify changes in your environment. The solution tracks
changes to Windows and Linux software, Windows and Linux files, Windows registry keys, Windows services,
and Linux daemons. Identifying configuration changes can help you pinpoint operational issues.

Changes to installed software, Windows services, Windows registry and files, and Linux daemons on the
monitored servers are sent to the Log Analytics service in the cloud for processing.

References: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-change-tracking

QUESTION 129
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company plans to use Operations Management Suite (OMS) to track changes within virtual machines (VMs).

The company requires that data collection occur at least every 15 minutes.

You need to recommend a solution to monitor VMs which ensures that data collection occurs at least every 15
minutes.

Solution: Monitor files on Linux VMs.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
With OMS change tracking the frequency for monitoring files on Linux VMs is 15 minutes.

Note: You can use the Change Tracking solution to easily identify changes in your environment. The solution
tracks changes to Windows and Linux software, Windows and Linux files, Windows registry keys, Windows
services, and Linux daemons. Identifying configuration changes can help you pinpoint operational issues.

Changes to installed software, Windows services, Windows registry and files, and Linux daemons on the
monitored servers are sent to the Log Analytics service in the cloud for processing.

References: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-change-tracking

QUESTION 130
HOTSPOT

You manage an Azure subscription for your company. You plan to implement an application in Azure that
consists of a web tier and a data tier.

The application has the following requirements:


Be available even if a single virtual machine (VM) becomes unavailable.
Remain available during Microsoft planned maintenance events.
Verify the health of the VMs before a connection to a VM is established.

You need to configure the environment.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:

Note: To provide redundancy to your application, we recommend that you group two or more virtual machines
in an availability set. This configuration within a datacenter ensures that during either a planned or unplanned
maintenance event, at least one virtual machine is available and meets the 99.95% Azure SLA.

References:
https://docs.microsoft.com/en-us/azure/architecture/guide/architecture-styles/n-tier
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

QUESTION 131
DRAG DROP

A company uses Azure to host web apps.

The company plans to deploy a new web app using a Kubernetes cluster. You create a new resource group for
the cluster.

You need to deploy the application.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:

To package and deploy your application on Google Kubernetes Engine (GKE), you must:

1. Package your app into a Docker image (step 1)
You build the container image. The application is packaged as a Docker image.
2. Run the container locally on your machine (optional)
3. Upload the image to a registry
4. Create a container cluster (step 2)
5. Deploy your app to the cluster (step 3)
To deploy and manage applications on a GKE cluster, you must communicate with the Kubernetes cluster
management system.
Kubernetes represents applications as Pods, which are units that represent a container (or group of tightly-
coupled containers). The Pod is the smallest deployable unit in Kubernetes.
6. Expose your app to the Internet
7. Scale up your deployment
8. Deploy a new version of your app

References: https://cloud.google.com/kubernetes-engine/docs/tutorials/hello-app

QUESTION 132
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You deploy a Kubernetes Azure Container Service cluster.

You need to manage the cluster by using the Kubernetes command-line client.

Solution: You run the following Azure Command-Line Interface (Azure CLI) command:

az provider register -n Microsoft.ContainerService

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The az provider register command registers a provider.
Instead, the az acs dcos install-cli command is used to download and install the DC/OS command-line tool for a
cluster.

References: https://docs.microsoft.com/en-us/cli/azure/acs?view=azure-cli-latest

QUESTION 133
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You deploy a Kubernetes Azure Container Service cluster.

You need to manage the cluster by using the Kubernetes command-line client.

Solution: You run the following Azure Command-Line Interface (Azure CLI) command:

az aks install-cli

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Azure CLI 2.0 is a command-line tool providing a great experience for managing Azure resources. The CLI
is designed to make scripting easy, flexibly query data, support long-running operations as non-blocking
processes, and more.

Instead, the az acs dcos install-cli command is used to download and install the DC/OS command-line tool for a
cluster.

References: https://docs.microsoft.com/en-us/cli/azure/acs?view=azure-cli-latest

QUESTION 134
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You deploy a Kubernetes Azure Container Service cluster.

You need to manage the cluster by using the Kubernetes command-line client.

Solution: You run the following Azure Command-Line Interface (Azure CLI) command:

az acs dcos install-cli

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation
Explanation/Reference:
Explanation:
The az acs dcos install-cli command is used to download and install the DC/OS command-line tool for a cluster.

References: https://docs.microsoft.com/en-us/cli/azure/acs?view=azure-cli-latest

QUESTION 135
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You administer an Azure subscription for your company. You plan to deploy a virtual machine (VM) to Azure.

The VM environment must provide 99.95% uptime. A single switch outage must not cause the VM environment
to be unavailable. The VM must not be offline due to installation of an update that requires a reboot.

You need to configure the environment.

Solution: Create an availability set with two VMs. Place the VMs in the same update domain.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The hardware in a location is divided into multiple update domains and fault domains. An update domain is a
group of VMs and underlying physical hardware that can be rebooted at the same time. VMs in the same fault
domain share common storage as well as a common power source and network switch.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

QUESTION 136
HOTSPOT

You manage a Kubernetes cluster in Azure Container Service.

You have the following command output of the Azure CLI.


Use the drop-down menus to select the answer choice that answers each question based on the information
presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: https://thorsten-hans.com/hybrid-kubernetes-cluster-on-azure-container-services-ed6f11bf3cb2

QUESTION 137
You need to deploy an Ubuntu machine to Azure. What is the fastest way?

A. xPlat Azure CLI
B. Chef
C. Puppet
D. Cloud-Init

Correct Answer: D
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
Cloud-init is a widely used approach to customize a Linux VM as it boots for the first time. You can use cloud-
init to install packages and write files, or to configure users and security. Because cloud-init is called during the
initial boot process, there are no additional steps or required agents to apply your configuration.

We are actively working with our endorsed Linux distro partners in order to have cloud-init enabled images
available in the Azure marketplace. These images make your cloud-init deployments and configurations work
seamlessly with VMs and virtual machine scale sets. The following table outlines the current cloud-init enabled
images availability on the Azure platform:

References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/infrastructure-automation

QUESTION 138
A company plans to deploy Linux virtual machines (VMs) in Azure.

The VM configuration and applications must be managed automatically.

You need to propose a solution to configure and manage the VMs.

What should you recommend?

A. Resource Manager Templates
B. Azure AD Connect
C. Chef
D. Azure Command-Line Interface (CLI)
E. Application Gateway

Correct Answer: D
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Azure PowerShell module is used to create and manage Azure resources, including Virtual machines, from
the PowerShell command line or in scripts.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-manage-vm

QUESTION 139
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company plans to use Operations Management Suite (OMS) to track changes within virtual machines (VMs).

The company requires that data collection occur at least every 15 minutes.

You need to recommend a solution to monitor VMs which ensures that data collection occurs at least every 15
minutes.

Solution: Monitor files on Windows VMs.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/monitor

QUESTION 140
HOTSPOT

You manage a Kubernetes cluster in Azure Container Service. You run the kubectl get pods Windows
PowerShell command and receive the following output.

You need to use Azure CLI to increase the number of virtual machines (VMs) available in the azure-vm-back
deployment to five.

How should you complete the command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References:
https://kubernetes.io/docs/reference/kubectl/overview/
https://kubernetes.io/docs/reference/kubectl/cheatsheet/

QUESTION 141
A company plans to deploy Linux virtual machines (VMs) in Azure.

The VM configuration and applications must be managed automatically.

You need to propose a solution to configure and manage the VMs.

What should you recommend?

A. Puppet
B. Resource Manager Templates
C. Azure PowerShell
D. Azure AD Connect

Correct Answer: C
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Azure PowerShell module is used to create and manage Azure resources, including Virtual machines, from
the PowerShell command line or in scripts.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-powershell

QUESTION 142
DRAG DROP

You manage an environment that contains Windows and Linux virtual machines (VMs) on-premises and in
Azure.

You need to implement Desired State Configuration (DSC) on as many VMs as possible while minimizing cost.

What should you do for each VM type and location? To answer, drag the appropriate DSC configurations to the
correct VMs. Each DSC configuration may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:

Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview

QUESTION 143
HOTSPOT

You plan to deploy autoscaling of Azure virtual machine (VM) scale sets. You have the following JSON code
defined:

Use the drop-down menus to select the answer choice that answers each question.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
References: https://msdn.microsoft.com/library/azure/dn931928.aspx

QUESTION 144
A company uses Azure to host virtual machines (VMs) and web apps.

You need to ensure that a set of VMs are configured identically.

Which two tools or features should you use? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A. Chef
B. Puppet
C. Azure Resource Manager templates
D. Desired State Configuration (DSC)
Correct Answer: CD
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:

QUESTION 145
A company deploys Microsoft SQL Server on an Azure DS3_V2 Standard virtual machine (VM).

You need to modify the disk caching policy.

Which Azure PowerShell cmdlet should you run?

A. Set-AzureRMVMDataDisk
B. Update-AzureRmVm
C. Set-AzureRmVmOperatingSystem
D. Set-AzureRmVm

Correct Answer: A
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Set-AzureRmVMDataDisk cmdlet modifies properties, including the caching modes, of a virtual machine
data disk.
Optional parameters include -Caching, which specifies the caching mode of the disk.

Incorrect Answers:
C: The Set-AzureRmVMOperatingSystem cmdlet sets operating system properties for a virtual machine. You
can specify logon credentials, computer name, and operating system type.
D: The Set-AzureRmVM cmdlet marks a virtual machine as generalized.

References: https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/set-azurermvmdatadisk?view=azurermps-6.4.0

QUESTION 146
You administer a Windows Server virtual machine (VM).

You upload the VM to Azure.

You need to ensure that you are able to deploy the BGInfo and VMAccess extensions.

What should you do?

A. Select the Install the VM Agent checkbox while provisioning a VM based on your uploaded VHD.
B. Select the Enable the VM Extensions checkbox while provisioning a VM based on your uploaded VHD.
C. Install the VM Agent MSI and execute the following PowerShell commands:
   $vm = Get-AzureVM -serviceName $svc -Name $name
   $vm.VM.ProvisionGuestAgent = $true
   Update-AzureVM -Name $name -VM $vm.VM -ServiceName $svc
D. Install the VM Agent MSI and execute the following PowerShell commands:
   $vm = Get-AzureVM -serviceName $svc -Name $name
   Set-AzureVMBGInfoExtension -VM $vm.VM
   Set-AzureVMAccessExtension -VM $vm.VM
   Update-AzureVM -Name $name -VM $vm.VM -ServiceName $svc

Correct Answer: C
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
You are uploading a VM to Azure rather than provisioning a VM from Azure, so the VM Agent MSI is needed.

Is the VM Agent installed?

   $x = Get-AzureVM -ServiceName $vmName
   $x.vm.ProvisionGuestAgent

If 'False':
Install the standalone VM Agent.
Inform the Azure platform that the VM now has the agent installed:

   $vm = Get-AzureVM -serviceName $svc -Name $name
   $vm.VM.ProvisionGuestAgent = $TRUE
   Update-AzureVM -Name $name -VM $vm.VM -ServiceName $svc

References: https://msdn.microsoft.com/en-us/library/azure/dn832621.aspx

QUESTION 147
You manage a cloud service that supports features hosted by two instances of an Azure virtual machine (VM).

You discover that occasional outages cause your service to fail.

You need to minimize the impact of outages to your cloud service.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Deploy a third instance of the VM.
B. Configure Load Balancing on the VMs.
C. Redeploy the VMs to belong to an Affinity Group.
D. Configure the VMs to belong to an Availability Set.

Correct Answer: BD
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
Adding your virtual machine to an availability set helps your application stay available during network failures,
local disk hardware failures, and any planned downtime.

Combine the Azure Load Balancer with an Availability Set to get the most application resiliency. The Azure
Load Balancer distributes traffic between multiple virtual machines.

References: http://azure.microsoft.com/en-gb/documentation/articles/virtual-machines-manage-availability/

QUESTION 148
Which machines can be replicated to Azure using VMware vSphere 6.5? (Choose three.)

A. Windows Server 2012
B. Windows Server 2008 R2
C. CentOS 7.3
D. RHEL 7.3

Correct Answer: ACD
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
Windows Server 2008 R2 SP1 and above works fine.
CentOS: 5.2 to 5.11, 6.1 to 6.9, 7.0 to 7.3
Red Hat Enterprise Linux: 5.2 to 5.11, 6.1 to 6.9, 7.0 to 7.3

Incorrect Answers:
B: Windows Server 2008 R2 with at least SP1 is required.

References: https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-support-matrix-to-azure

QUESTION 149
A company has virtual machines (VMs) that run in Azure. They plan to use Desired State Configuration (DSC)
to manage the VM settings.

You need to programmatically prepare the VM to use DSC.

Which Azure PowerShell cmdlet should you run?

A. Set-AzureVMDscExtension
B. Set-AzureVMCustomScriptExtension
C. Set-AzureVMExtension
D. Set-AzureVMPuppetExtension

Correct Answer: A
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
The Set-AzureVMDscExtension cmdlet configures the Desired State Configuration (DSC) extension on a virtual
machine.

Incorrect Answers:
B: The Set-AzureVMCustomScriptExtension cmdlet sets information for an Azure virtual machine custom script
extension.
C: The Set-AzureVMExtension cmdlet sets resource extensions for virtual machines.
D: The Set-AzureVMPuppetExtension cmdlet sets the Puppet extension for a virtual machine.

References: https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure/set-azurevmdscextension?view=azuresmps-4.0.0

QUESTION 150
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You administer an Azure subscription for your company. You plan to deploy a virtual machine (VM) to Azure.

The VM environment must provide 99.95% uptime. A single switch outage must not cause the VM environment
to be unavailable. The VM must not be offline due to installation of an update that requires a reboot.

You need to configure the environment.

Solution: Create an availability set with two VMs. Place the VMs in the same fault domain.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 2, Create and Manage Azure Resource Manager Virtual Machines
Explanation

Explanation/Reference:
Explanation:
VMs in the same fault domain share common storage as well as a common power source and network switch.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

QUESTION 151
DRAG DROP

You manage an application deployed to a cloud service that utilizes an Azure Storage account.

The cloud service currently uses the primary access key.

Security policy requires that all shared access keys are changed without causing application downtime.

Which three steps should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:

You might want to change the access keys on a regular basis, as required by your corporate security policy.
However, when you change the access keys, the cloud services that use the storage account can no longer
access it, which causes downtime. The cloud services regain access only after you update the configuration
file with the new storage access keys. To avoid this, first update the configuration file with the secondary
access key and only then regenerate the primary access key. Once the new primary access key has been
generated, you can update the configuration file again to use it.

References: https://blogs.msdn.microsoft.com/mast/2013/11/06/why-does-an-azure-storage-account-have-two-access-keys/

QUESTION 152
You manage a collection of large video files that is stored in an Azure Storage account.

A user wants access to one of your video files within the next seven days.

You need to allow the user access only to the video file, and you need to be able to revoke access once the
user no longer needs it.

What should you do?

A. Give the user the secondary key for the storage account. Once the user is done with the file, regenerate the
secondary key.
B. Create an Ad-Hoc Shared Access Signature for the Blob resource. Set the Shared Access Signature to
expire in seven days.
C. Create an access policy on the container. Give the external user a Shared Access Signature for the blob by
using the policy. Once the user is done with the file, delete the policy.
D. Create an access policy on the blob. Give the external user access by using the policy. Once the user is
done with the file, delete the policy.

Correct Answer: C
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
By default, only the owner of the storage account may access blobs, tables, and queues within that account. If
your service or application needs to make these resources available to other clients without sharing your
access key, you have the following options for permitting access:

References: https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/

QUESTION 153
You administer an Azure Storage account named contosostorage. The account has queues with logging
enabled.

You need to view all log files generated during the month of July 2014.

Which URL should you use to access the list?

A. http://contosostorage.queue.core.windows.net/$logs?restype=container&comp=list&prefix=queue/2014/07
B. http://contosostorage.queue.core.windows.net/$files?restype=container&comp=list&prefix=queue/2014/07
C. http://contosostorage.blob.core.windows.net/$files?restype=container&comp=list&prefix=blob/2014/07
D. http://contosostorage.blob.core.windows.net/$logs?restype=container&comp=list&prefix=blob/2014/07

Correct Answer: D
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
All logs are stored in block blobs in a container named $logs, which is automatically created when Storage
Analytics is enabled for a storage account. The $logs container is located in the blob namespace of the storage
account, for example: http://<accountname>.blob.core.windows.net/$logs. This container cannot be deleted
once Storage Analytics has been enabled, though its contents can be deleted.

Note: Each log will be written in the following format:

<service-name>/YYYY/MM/DD/hhmm/<counter>.log

References: http://msdn.microsoft.com/library/azure/hh343262.aspx

QUESTION 154
You manage an application running on Azure web apps in a Standard tier. The application uses a substantial
amount of large image files and is used by people around the world.

Users from Europe report that the load time of the site is slow.

You need to implement a solution by using Azure services.

Which two actions will achieve the goal? Each correct answer presents a complete solution.

A. Configure Azure blob storage with a custom domain.
B. Configure Azure CDN to cache all responses from the application web endpoint.
C. Configure Azure Web Site auto-scaling to increase instances at high load.
D. Configure Azure CDN to cache site images and content stored in Azure blob storage.

Correct Answer: CD
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:

C: Autoscale is a built-in feature of Cloud Services, Mobile Services, Virtual Machines, and Websites that helps
applications perform their best when demand changes. Of course, performance means different things for
different applications. Some apps are CPU-bound, others memory-bound. For example, you could have a web
app that handles millions of requests during the day and none at night. Autoscale can scale your service by any
of these—or by a custom metric you define.

D: Blobs that benefit the most from Azure CDN caching are those that are accessed frequently during their
time-to-live (TTL) period. A blob stays in the cache for the TTL period and is then refreshed by the blob service
after that time has elapsed. Then the process repeats.

References:
https://azure.microsoft.com/en-us/features/autoscale/
http://blog.maartenballiauw.be/post/2013/08/20/Using-the-Windows-Azure-Content-Delivery-Network-CDN.aspx

QUESTION 155
You manage a cloud service that utilizes an Azure Service Bus queue.

You need to ensure that messages that are never consumed are retained.

What should you do?

A. Check the MOVE TO THE DEAD-LETTER SUBQUEUE option for Expired Messages in the Azure Portal.
B. From the Azure Management Portal, create a new queue and name it Dead-Letter.
C. Execute the Set-AzureServiceBus PowerShell cmdlet.
D. Execute the New-AzureSchedulerStorageQueueJob PowerShell cmdlet.

Correct Answer: A
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
The EnableDeadLetteringOnMessageExpiration property lets you enable or disable dead-lettering on
message expiration.

References: https://www.simple-talk.com/cloud/cloud-data/an-introduction-to-windows-azure-service-bus-brokered-messaging/

QUESTION 156
HOTSPOT

You manage an Azure subscription.

You develop a storage plan with the following requirements:


Database backup files that are generated once per year are retained for ten years.
High performance system telemetry logs are created constantly and processed for analysis every month.

In the table below, identify the storage redundancy type that must be used. Make only one selection in each
column.
Hot Area:

Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-us/documentation/articles/storage-redundancy/

QUESTION 157
You administer an Azure Storage account named contosostorage. The account has a blob container to store
image files.

A user reports being unable to access an image file.

You need to ensure that anonymous users can successfully read image files from the container.

Which log entry should you use to verify access?


A.

B.

C.

D.

Correct Answer: A
Section: Topic 3, Design and Implement a Storage Strategy
Explanation
Explanation/Reference:
Explanation:
Check for GetBlob and for AnonymousSuccess.

Example: Get Blob AnonymousSuccess:

1.0;2011-07-28T18:52:40.9241789Z;GetBlob;AnonymousSuccess;200;18;10;anonymous;;sally;blob;"http://sally.blob.core.windows.net/thumbnails/lake.jpg?timeout=30000";"/sally/thumbnails/lake.jpg";a84aa705-8a85-48c5-b064-b43bd22979c3;0;123.100.2.10;2009-09-19;252;0;265;100;0;;;"0x8CE1B6EA95033D5";Thursday, 28-Jul-11 18:52:40 GMT;;;;"7/28/2011 6:52:40 PM ba98eb12-700b-4d53-9230-33a3330571fc"

References: https://docs.microsoft.com/en-us/rest/api/storageservices/storage-analytics-log-format
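
The check described in the explanation above (look for GetBlob with AnonymousSuccess), as an added example that is not part of the original exam material: a Python parser for version 1.0 Storage Analytics log entries that lists the anonymous reads served from one container. The field labels, the function names and the second and third sample entries are assumptions made for this example; the first sample entry is the one quoted above.

```python
import csv
import io

# Field order of a version 1.0 Storage Analytics log entry. The snake_case
# names are labels chosen for this example, not identifiers from the page.
FIELDS = [
    "version", "request_start_time", "operation_type", "request_status",
    "http_status", "e2e_latency_ms", "server_latency_ms",
    "authentication_type", "requester_account", "owner_account",
    "service_type", "request_url", "requested_object_key", "request_id",
    "operation_count", "requester_ip", "request_version_header",
    "request_header_size", "request_packet_size", "response_header_size",
    "response_packet_size", "request_content_length", "request_md5",
    "server_md5", "etag", "last_modified_time", "conditions_used",
    "user_agent", "referrer", "client_request_id",
]

# Sample input. Entry 1 is the example quoted in the explanation; entries 2
# and 3 are constructed for this example (authenticated and SAS reads).
SAMPLE_LOG = "\n".join([
    '1.0;2011-07-28T18:52:40.9241789Z;GetBlob;AnonymousSuccess;200;18;10;'
    'anonymous;;sally;blob;'
    '"http://sally.blob.core.windows.net/thumbnails/lake.jpg?timeout=30000";'
    '"/sally/thumbnails/lake.jpg";a84aa705-8a85-48c5-b064-b43bd22979c3;0;'
    '123.100.2.10;2009-09-19;252;0;265;100;0;;;"0x8CE1B6EA95033D5";'
    'Thursday, 28-Jul-11 18:52:40 GMT;;;;'
    '"7/28/2011 6:52:40 PM ba98eb12-700b-4d53-9230-33a3330571fc"',

    '1.0;2011-07-28T18:53:02.1000000Z;GetBlob;Success;200;20;12;'
    'authenticated;sally;sally;blob;'
    '"http://sally.blob.core.windows.net/private/report.jpg";'
    '"/sally/private/report.jpg";00000000-0000-0000-0000-000000000002;0;'
    '203.0.113.7;2009-09-19;300;0;265;100;0;;;"0x8CE1B6EA95033D6";'
    'Thursday, 28-Jul-11 18:00:00 GMT;;;;',

    '1.0;2011-07-28T18:55:30.0000000Z;GetBlob;SASSuccess;200;25;15;'
    'sas;;sally;blob;'
    '"http://sally.blob.core.windows.net/thumbnails/lake.jpg?sig=REDACTED";'
    '"/sally/thumbnails/lake.jpg";00000000-0000-0000-0000-000000000003;0;'
    '203.0.113.8;2009-09-19;310;0;265;100;0;;;"0x8CE1B6EA95033D5";'
    'Thursday, 28-Jul-11 18:52:40 GMT;;'
    '"ExampleClient/1.0 (constructed; sample)";;',
])


def parse_log(text):
    """Parse version 1.0 log text into a list of dicts keyed by FIELDS.

    The csv reader honours double-quoted fields, which may contain ';',
    so a plain split(';') would miscount them. Raises ValueError on an
    unknown version or an unexpected number of fields.
    """
    entries = []
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    for lineno, row in enumerate(reader, start=1):
        if not row:
            continue  # blank line
        if row[0] != "1.0":
            raise ValueError(f"line {lineno}: unsupported version {row[0]!r}")
        if len(row) != len(FIELDS):
            raise ValueError(
                f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        entries.append(dict(zip(FIELDS, row)))
    return entries


def container_of(entry):
    """Return the container from a key of the form /account/container/blob."""
    parts = entry["requested_object_key"].split("/")
    return parts[2] if len(parts) > 2 else ""


def anonymous_reads(entries, container):
    """Return the GetBlob entries served to anonymous callers from a container."""
    return [
        e for e in entries
        if e["operation_type"] == "GetBlob"
        and e["authentication_type"] == "anonymous"
        and e["request_status"] == "AnonymousSuccess"
        and container_of(e) == container
    ]


if __name__ == "__main__":
    for e in anonymous_reads(parse_log(SAMPLE_LOG), "thumbnails"):
        print(e["request_start_time"], e["requester_ip"],
              e["requested_object_key"], e["http_status"])
```

An empty result does not by itself show that anonymous access is blocked: per the Storage Analytics logging documentation, most failed anonymous requests are not logged at all.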

QUESTION 158
You administer an Azure Storage account with a blob container. You enable Storage account logging for read,
write and delete requests.

You need to reduce the costs associated with storing the logs.

What should you do?

A. Execute Delete Blob requests over https.
B. Create an export job for your container.
C. Set up a retention policy.
D. Execute Delete Blob requests over http.

Correct Answer: C
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
To ease the management of your logs, we have provided retention policy functionality, which will
automatically clean up 'old' logs without you being charged for the cleanup. It is recommended that you set a
retention policy for logs such that your analytics data will be within the 20TB limit allowed for analytics data (logs
and metrics combined).

References: http://blogs.msdn.com/b/windowsazurestorage/archive/2011/08/03/windows-azure-storage-logging-using-logs-to-track-storage-requests.aspx

QUESTION 159
HOTSPOT

You manage a public-facing web application which allows authenticated users to upload and download large
files. On the initial public page there is a promotional video.

You plan to give users access to the site content and promotional video.

In the table below, identify the access method that should be used for the anonymous and authenticated parts
of the application. Make only one selection in each column.

Hot Area:
Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-in/documentation/articles/storage-dotnet-shared-access-signature-part-1/

QUESTION 160
Your company is launching a public website that allows users to stream videos.

You upload multiple video files to an Azure storage container.

You need to give anonymous users read access to all of the video files in the storage container.

What should you do?

A. Edit each blob's metadata and set the access policy to Public Blob.
B. Edit the container metadata and set the access policy to Public Container.
C. Move the files into a container sub-directory and set the directory access level to Public Blob.
D. Edit the container metadata and set the access policy to Public Blob.

Correct Answer: D
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
By default, the container is private and can be accessed only by the account owner. To allow public read
access to the blobs in the container, but not the container properties and metadata, use the "Public Blob"
option. To allow full public read access for the container and blobs, use the "Public Container" option.

References:
http://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-how-to-use-blobs/
https://azure.microsoft.com/en-gb/documentation/articles/storage-manage-access-to-resources/

QUESTION 161
You administer an Azure Active Directory (Azure AD) tenant that has a SharePoint web application named
TeamSite1. TeamSite1 accesses your Azure AD tenant for user information.

The application access key for TeamSite1 has been compromised.

You need to ensure that users can continue to use TeamSite1 and that the compromised key does not allow
access to the data in your Azure AD tenant.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Remove the compromised key from the application definition for TeamSite1.
B. Delete the application definition for TeamSite1.
C. Generate a new application key for TeamSite1.
D. Generate a new application definition for TeamSite1.
E. Update the existing application key.

Correct Answer: AC
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
One of the security aspects of Windows Azure storage is that all access is protected by access keys.
It is possible to change the access keys (e.g. if the keys become compromised), and if changed, we’d need to
update the application to have the new key.

References: https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/

QUESTION 162
HOTSPOT

You plan to deploy Azure SQL Database instances named DB1 and DB2.

You have the following requirements:


DB1 must support at least 2,000 IOPS.
DB2 must have disk sizes of 750 gigabytes (GB).
Minimize costs when deploying the solution.

You need to assign the appropriate storage tier for the databases.
Which tier should you use for each database? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-premium-storage

QUESTION 163
You deploy a web application to an Azure Cloud Service. The application uses a storage account that contains
a large number of storage objects.

You need to grant clients access to application data for a specified interval of time while minimizing effort.

What should you create?

A. a stored access policy
B. a service shared access signature
C. an account shared access signature
D. a network security group

Correct Answer: C
Section: Topic 3, Design and Implement a Storage Strategy
Explanation
Explanation/Reference:
References: https://azure.microsoft.com/en-gb/documentation/articles/storage-dotnet-shared-access-signature-part-1/

QUESTION 164
DRAG DROP

You have a virtual machine (VM) that runs in Azure. The VM is located in a geographically distant location from
you.

You experience performance issues when you connect to the VM.

You need to resolve the performance issue.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:

QUESTION 165
An application uses Windows Azure Table storage.

The application uses five tables.

One table used by the application is approaching the limit for storage requests per second. You need to
recommend an approach for avoiding data access throttling.

What should you recommend?

A. Use a single partition key for the table.
B. Compress data before storing it in the table.
C. Create additional partition keys for the table.
D. Continually remove unnecessary data from the table.

Correct Answer: C
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:

QUESTION 166
A Windows Azure application retrieves data from SQL Azure. You need to recommend an approach for
improving application query performance.

What should you recommend?

A. Create a database view to retrieve the data.
B. Use a clustered index on the SQL Azure database tables.
C. Open a new database connection when an operation times out.
D. Create SQL Azure database table indexes based on application queries.

Correct Answer: D
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:

QUESTION 167
You are designing a Windows Azure application that will use a worker role.

The worker role will create temporary files.

You need to recommend an approach for creating the temporary files that minimizes storage transactions.

What should you recommend?

A. Create the files on a Windows Azure Drive.
B. Create the files in Windows Azure local storage.
C. Create the files in Windows Azure Storage page blobs.
D. Create the files in Windows Azure Storage block blobs.

Correct Answer: D
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
Block blobs are comprised of blocks, each of which is identified by a block ID. You create or modify a block
blob by writing a set of blocks and committing them by their block IDs. Each block can be a different size, up to
a maximum of 100 MB (4 MB for requests using REST versions before 2016-05-31), and a block blob can
include up to 50,000 blocks.

Incorrect Answers:
C: Page blobs are small. They are a collection of 512-byte pages optimized for random read and write
operations.

References: https://docs.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs

QUESTION 168
You have an Azure subscription that contains a storage account named STOR1 and a container named
CONTAINER1.

You need to monitor read access for the blobs inside CONTAINER1.

The monitoring data must be retained for 10 days.

What should you do?


A. Run the Set-AzureStorageServiceMetricsProperty cmdlet.
B. Run the New-AzureStorageBlobSASToken cmdlet.
C. Run the Set-AzureStorageServiceLoggingProperty cmdlet.
D. Edit the blob properties of CONTAINER1.

Correct Answer: C
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References:
https://msdn.microsoft.com/library/mt603595.aspx?f=255&MSPPError=-2147217396
https://docs.microsoft.com/ru-ru/rest/api/storageservices/Enabling-Storage-Logging-and-Accessing-Log-Data?redirectedfrom=MSDN#HowtoenableStorageLoggingusingPowerShell

QUESTION 169
DRAG DROP

You are an administrator for an Azure subscription that is used by your company.

You have an Azure Web App that contains static content accessed by users. You plan to deliver content based
on geographic location. The solution must allow clients to connect to a URL that ends in your corporate domain
name of adatum.com.

You need to implement the components in Azure to support the above requirements.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
Create a CDN profile
Create a CDN endpoint
Create a custom domain and a CNAME record in your DNS.

References:
https://docs.microsoft.com/en-us/azure/cdn/cdn-create-new-endpoint
https://docs.microsoft.com/en-us/azure/cdn/cdn-map-content-to-custom-domain

QUESTION 170
HOTSPOT

You manage a public-facing web application which allows authenticated users to upload and download large
files. On the initial public page there is a promotional video.

You plan to give authenticated users the ability to upload and download large files. Anonymous users should be
able to view the promotional video.

In the table below, identify the access method that should be used for the anonymous and authenticated parts
of the application.

Make only one selection in each column.

Hot Area:

Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1
https://docs.microsoft.com/en-us/azure/storage/storage-manage-access-to-resources

QUESTION 171
HOTSPOT

You have an application that uses three separate databases to store application data, logs, and application
security details. The maximum database throughput unit (DTU) per database does not exceed 50. You plan to
deploy the application to Azure.

You need to recommend a configuration for the databases that minimizes costs.

For each requirement, which configuration option should you use? To answer, select the appropriate
configuration option from each list in the answer area.

Hot Area:
Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
Box 1: Elastic
SQL Database elastic pools are a simple, cost-effective solution for managing and scaling multiple databases
that have varying and unpredictable usage demands. The databases in an elastic pool are on a single Azure
SQL Database server and share a set number of resources at a set price. Elastic pools in Azure SQL Database
enable SaaS developers to optimize the price performance for a group of databases within a prescribed budget
while delivering performance elasticity for each database.

Box 2: Standard
The Standard service tier supports Autoscale, which would be needed here.

Incorrect Answers:
Basic: Autoscale is not included in the Basic service tier.

References: https://azure.microsoft.com/en-us/pricing/details/app-service/windows/

QUESTION 172
You administer an Azure subscription for your company.

You have an application that updates text files frequently. The text files will not exceed 20 gigabytes (GB) in
size. Each write operation must not exceed 4 megabytes (MB).

You need to allocate storage in Azure for the application.

Which three storage types will achieve the goal? Each correct answer presents a complete solution.

A. page blob
B. queue
C. append blob
D. block blob
E. file share

Correct Answer: ACD
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:

QUESTION 173
A company plans to store data for the accounting and human resources departments in Azure Storage
accounts. You have the following requirements:

Data for both departments must be encrypted when stored.
The accounting department must be able to query each object to verify that it is encrypted.
The human resources department must be able to switch access tiers at any time.

Which storage types should you use?

A. Blob storage
B. file storage
C. table storage
D. queue storage

Correct Answer: A
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
Blob storage can switch tiers.

To verify that encryption is enabled for their storage accounts, customers can either query the status of encrypted
data for blobs and files (not available for table and queue storage), or check account properties.

References:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers

QUESTION 174
HOTSPOT

A company uses Azure to host virtual machines (VMs) and web apps.
Storage Analytics data for the web apps must be kept as long as possible. The solution must not result in
additional costs.

You need to configure a storage policy for the analytics data.

How should you configure the policy? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
Box 1: retention
There are two ways to delete Storage Analytics data: by manually making deletion requests or by setting a data
retention policy. Manual requests to delete Storage Analytics data are billable, but delete requests resulting
from a retention policy are not billable.
To avoid unnecessary charges, set a retention policy for logging and metrics.

Note: By default, Storage Analytics will not delete any logging or metrics data. Blobs and table entities will
continue to be written until the shared 20TB limit is reached. Once the 20TB limit is reached, Storage Analytics
will stop writing new data and will not resume until free space is available.

Box 2: 365
You can configure two data retention policies: one for logging and one for metrics. When enabled for both,
Storage Analytics will delete logs and table entries older than the specified number of days. The maximum
retention period is 365 days (1 year).

References: https://docs.microsoft.com/en-us/rest/api/storageservices/Setting-a-Storage-Analytics-Data-Retention-Policy

QUESTION 175
You are the Azure administrator for your company. The company has developed a mobile application used to
support sales people in the field.
The application uses Azure Active Directory (Azure AD) accounts for authentication. The application sends and
receives HTTP requests on publicly accessible endpoints.

You need to provide the ability to authenticate the application using Azure.

Which tool should you use?

A. OAuth 2.0 authorization code grant
B. Azure AD Connect
C. Azure Portal
D. Azure AD Graph API

Correct Answer: A
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
Azure Active Directory (Azure AD) uses OAuth 2.0 to enable you to authorize access to web applications and
web APIs in your Azure AD tenant.

Note: The authorization code grant type is used to obtain both access tokens and refresh tokens and is
optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting
with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via
redirection) from the authorization server.

References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code
https://tools.ietf.org/html/rfc6749#section-4.1

QUESTION 176
A company uses Azure to host virtual machines (VMs) and web apps.

A line of business (LOB) application that runs on a VM uses encrypted storage.

You need to ensure that the VMs support the LOB application.

What should you do?

A. Run the Set-AzureRmVMDiskEncryptionExtension Azure PowerShell cmdlet.
B. Run the Test-AzureRmVMAEMExtension Azure PowerShell cmdlet.
C. Run the Add-AzureRmVMSshPublicKey Azure PowerShell cmdlet.
D. Create a security policy from the Azure Security Manager.

Correct Answer: A
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/set-azurermvmdiskencryptionextension?view=azurermps-4.4.1

QUESTION 177
DRAG DROP

A company plans to store data for the accounting and human resources departments in Azure storage
accounts.

You have the following requirements:

Data for both departments must be encrypted when stored.
The accounting department must be able to query each object to verify that it is encrypted.
The human resources department must be able to switch access tiers at any time.

You need to configure the storage encryption.

Which storage type should you use? To answer, drag the appropriate storage type to the correct department.
Each storage type may be used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
Box 1: Blob Storage
The accounting department must be able to query each object to verify that it is encrypted.
To verify encryption is enabled for their storage accounts, customers can query the status of encrypted data for
blobs and files (not available for table and queue storage).

Box 2: Blob Storage
With block blob data you can switch between access tiers at any time.
The human resources department must be able to switch access tiers at any time.

References:
https://azure.microsoft.com/en-us/blog/announcing-default-encryption-for-azure-blobs-files-table-and-queue-storage/
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

QUESTION 178
DRAG DROP

A company uses Azure to store data in blobs.

You need to modify metadata properties for the Azure storage containers.

How should you complete the REST API segment? To answer, drag the appropriate REST API segments to the
correct targets. Each segment may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:


Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
Sample Request
Request Syntax:
PUT https://myaccount.blob.core.windows.net/mycontainer?restype=container&comp=metadata HTTP/1.1
Request Headers:
x-ms-version: 2011-08-18
x-ms-date: Sun, 25 Sep 2011 22:50:32 GMT
x-ms-meta-Category: Images
Authorization: SharedKey myaccount:Z5043vY9MesKNh0PNtksNc9nbXSSqGHueE00JdjidOQ=

References: https://docs.microsoft.com/en-us/rest/api/storageservices/set-container-metadata

QUESTION 179
You plan to implement shared storage policies.

You need to apply a policy to the appropriate resource.

What should you use?

A. queues
B. Standard Disk storage
C. Premium Disk storage
D. resource group

Correct Answer: A
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
The following storage resources support stored access policies: Blob containers, File shares, Queues, and
Tables.

A stored access policy provides an additional level of control over service-level shared access signatures (SAS)
on the server side. Establishing a stored access policy serves to group shared access signatures and to
provide additional restrictions for signatures that are bound by the policy.
References: https://docs.microsoft.com/en-us/rest/api/storageservices/establishing-a-stored-access-policy

QUESTION 180
A company uses Azure to host virtual machines (VMs) and web apps. A line of business (LOB) application that runs on a
VM must use encrypted storage. You need to ensure that the VMs support the LOB application.

What should you do?

A. Run the Add-AzureRmVmssSecret Azure PowerShell cmdlet.
B. Scan the environment from the Azure Security Manager.
C. Run the Test-AzureRmVMAEMExtension Azure PowerShell cmdlet.
D. Run the Set-AzureRmVMDiskEncryptionExtension Azure PowerShell cmdlet.

Correct Answer: D
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
The Set-AzureRmVMDiskEncryptionExtension cmdlet can be used to encrypt managed.
References: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption#disk-encryption-deployment-scenarios-and-user-experiences

QUESTION 181
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You plan to create a Content Delivery Network (CDN) in Azure that meets the following requirements:

Ensure that content can be preloaded into CDN endpoints.
Accept client requests that use HTTP or HTTPS.
Accept content from customized origin ports.
Minimize costs per gigabyte (GB) delivered.

You need to create the CDN profile and endpoint.

Solution: You create a CDN profile by using the Azure CDN Premium from Verizon SKU. You configure the profile
to use a storage account endpoint.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/cdn/cdn-create-new-endpoint
https://cdn.reviews/azure-review/

QUESTION 182
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You plan to create a Content Delivery Network (CDN) in Azure that meets the following requirements:

Ensure that content can be preloaded into CDN endpoints.
Accept client requests that use HTTP or HTTPS.
Accept content from customized origin ports.
Minimize costs per gigabyte (GB) delivered.

You need to create the CDN profile and endpoint.

Solution: You create a CDN profile by using the Azure CDN Standard from Akamai SKU. You configure the
profile to use a cloud service endpoint.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/cdn/cdn-create-new-endpoint
https://cdn.reviews/azure-review/

QUESTION 183
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You plan to create a Content Delivery Network (CDN) in Azure that meets the following requirements:

Ensure that content can be preloaded into CDN endpoints.
Accept client requests that use HTTP or HTTPS.
Accept content from customized origin ports.
Minimize costs per gigabyte (GB) delivered.

You need to create the CDN profile and endpoint.

Solution: You create a CDN profile by using the Azure CDN Standard from Akamai SKU. You configure the
profile to use a storage account endpoint.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/cdn/cdn-create-new-endpoint
https://cdn.reviews/azure-review/

QUESTION 184
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You plan to enable access to a blob storage account for external clients. The access method must include an
expiration time and clients should not be able to access other storage services.

You need to provide access to the storage account.

Solution: You create a storage account resource type configured as a shared access signature.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

QUESTION 185
A company has an Azure subscription and hosts a virtual network in the cloud. The company uses
authenticated web proxies on their local network.

You need to grant two specific users on the local network access to the virtual network.

Which three steps must you perform on the two local machines? Each correct answer presents part of the
solution.

NOTE: Each correct selection is worth one point.

A. Upload an X.509 certificate to the virtual network.
B. Configure multifactor access control on the virtual network.
C. Enable Direct Access on the local devices.
D. Create an exception to the authentication proxy.
E. Download and install the VPN client package from the Azure Management Portal.
F. Install an X.509 certificate on the local devices.

Correct Answer: DEF
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-classic-azure-portal

QUESTION 186
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You plan to enable access to a blob storage account for external clients. The access method must include an
expiration time and clients should not be able to access other storage services.

You need to provide access to the storage account.

Solution: You create a new Azure Key Vault.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

QUESTION 187
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You plan to enable access to a blob storage account for external clients. The access method must include an
expiration time and clients should not be able to access other storage services.

You need to provide access to the storage account.

Solution: You regenerate the storage account keys.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

QUESTION 188
HOTSPOT

You manage an Azure Service Bus for your company. You plan to enable access to the Azure Service Bus for
an application named ContosoLOB.

You need to create a new shared access policy for subscriptions and queues that has the following
requirements:
Receives messages from a queue
Deadletters a message
Defers a message for later retrieval
Enumerates subscriptions
Gets subscription description

In the table below, identify the permission you need to assign to ensure that ContosoLOB is able to accomplish
the above requirements. Make only one selection in each column.

Hot Area:
Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
For Service Bus, the three permission claims are ‘Send’ for all send operations, ‘Listen’ to open up listeners or
receive messages, and ‘Manage’ to observe or manage the state of the Service Bus tenant.

To receive a message from a queue we need to have Listen access level.

To enumerate subscriptions, we need to have the Manage access level.

References: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas

QUESTION 189
You publish an application named MyApp to Azure Active Directory (Azure AD). You grant access to the web
APIs through OAuth 2.0.

MyApp is generating numerous user consent prompts.

You need to reduce the number of user consent prompts.

What should you do?

A. Enable Multi-resource refresh tokens.
B. Enable WS-federation access tokens.
C. Configure the Open Web Interface for .NET.
D. Configure SAML 2.0.

Correct Answer: A
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
When using the Authorization Code Grant Flow, you can configure the client to call multiple resources.
Typically, this would require a call to the authorization endpoint for each target service. To avoid multiple calls
and multiple user consent prompts, and reduce the number of refresh tokens the client needs to cache, Azure
Active Directory (Azure AD) has implemented multi-resource refresh tokens. This feature allows you to use a
single refresh token to request access tokens for multiple resources.

References: https://msdn.microsoft.com/en-us/library/azure/dn645538.aspx

QUESTION 190
DRAG DROP

You administer an Azure SQL database named contosodb that is running in Standard/S1 tier. The database is
in a server named server1 that is a production environment. You also administer a database server named
server2 that is a test environment. Both database servers are in the same subscription and the same region but
are on different physical clusters.

You need to copy contosodb to the test environment.

Which three steps should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-gb/documentation/articles/sql-database-export/

QUESTION 191
You are migrating a local virtual machine (VM) to an Azure VM. You upload the virtual hard disk (VHD) file to
Azure Blob storage as a Block Blob.

You need to change the Block blob to a page blob.

What should you do?

A. Delete the Block Blob and re-upload the VHD as a page blob.
B. Update the type of the blob programmatically by using the Azure Storage .NET SDK.
C. Update the metadata of the current blob and set the Blob-Type key to Page.
D. Create a new empty page blob and use the Azure Blob Copy PowerShell cmdlet to copy the current data to
the new blob.

Correct Answer: A
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:
You can copy the data files to Windows Azure Storage by using one of the following methods: the AzCopy tool, Put Blob
(REST API) and Put Page (REST API), the Windows Azure Storage Client Library for .NET, or a third-party
storage explorer tool.
Important: When using this new enhancement, always make sure that you create a page blob not a block blob.

References: http://msdn.microsoft.com/en-us/library/dn466429.aspx

QUESTION 192
DRAG DROP

You manage an Azure Data Lake Store. The store has a file named File1.txt that is located in a directory path
named \Share\Folder1.

A security group named Group1 must be able to read the file in the store.

You need to assign the minimum permissions needed to read the file.

Which permission levels should you assign? To answer, drag the appropriate permissions levels to the correct
targets. Each permission level may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:
Section: Topic 3, Design and Implement a Storage Strategy
Explanation

Explanation/Reference:
Explanation:

The permissions on a filesystem object are Read, Write, and Execute, and they can be used on files and
folders as shown in the following table:

References: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/data-lake-store/data-lake-store-access-control.md

QUESTION 193
You administer an Azure virtual network named fabrikamVNet.

You need to deploy a virtual machine (VM) and ensure that it is a member of the fabrikamVNet virtual network.

Which two actions will achieve the goal? Each correct answer presents a complete solution.

A. Run the following Azure PowerShell cmdlet: New-AzureRmVM
B. Run the following Azure PowerShell cmdlet: New-AzureQuickVM
C. Run the following Azure PowerShell cmdlet: New-AzureAffinityGroup
D. Update fabrikamVNet's existing Availability Set.

Correct Answer: AB
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:

A: The New-AzureRmVM cmdlet creates a virtual machine in Azure.
The -VirtualNetworkName parameter is the name of a new (or existing) virtual network for the created VM to
use.
B: The New-AzureQuickVM cmdlet sets the configuration for a new virtual machine and creates the virtual
machine.
The -VNetName parameter specifies the name of the virtual network that you want the virtual machine to use.

References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/new-azurermvm?view=azurermps-6.10.0
https://msdn.microsoft.com/en-us/library/azure/dn495183.aspx

QUESTION 194
You manage a large datacenter that has limited physical space.

You plan to extend your datacenter to Azure.

You need to create a connection that supports a multiprotocol label switching (MPLS) virtual private network.

Which connection type should you use?

A. Site-to-site
B. VNet-VNet
C. ExpressRoute.
D. Site-to-peer

Correct Answer: C
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
ExpressRoute allows you to securely add compute and storage capacity to your existing datacenter. With high
throughput and fast latencies, Azure will feel like a natural extension to your datacenter so you enjoy the scale
and economics of the public cloud without having to compromise on network performance.

References: http://azure.microsoft.com/en-us/services/expressroute/

QUESTION 195
You manage a cloud service named fabrikamReports that is deployed in an Azure data center.
You deploy a virtual machine (VM) named fabrikamSQL into a virtual network named fabrikamVNet.

FabrikamReports must communicate with fabrikamSQL.

You need to add fabrikamReports to fabrikamVNet.

Which file should you modify?

A. the network configuration file for fabrikamVNet
B. the service definition file (.csdef) for fabrikamReports
C. the service definition file (.csdef) for fabrikamSQL
D. the service configuration file (.cscfg) for fabrikamReports
E. the service configuration file (.cscfg) for fabrikamSQL

Correct Answer: D
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
The service configuration file specifies the number of role instances to deploy for each role in the service, the
values of any configuration settings, and the thumbprints for any certificates associated with a role. If the
service is part of a Virtual Network, configuration information for the network must be provided in the service
configuration file, as well as in the virtual networking configuration file. The default extension for the service
configuration file is .cscfg.

References: https://msdn.microsoft.com/en-us/library/azure/ee758710.aspx

QUESTION 196
You manage an application deployed to virtual machines (VMs) on an Azure virtual network named corpVnet1.

You plan to hire several remote employees who will need access to the application on corpVnet1.

You need to ensure that new employees can access corpVnet1. You want to achieve this goal by using the
most cost-effective solution.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Create a VPN subnet.
B. Enable point-to-point connectivity for corpVnet1.
C. Enable point-to-site connectivity for corpVnet1.
D. Create a gateway subnet.
E. Enable site-to-site connectivity for corpVnet1.
F. Convert corpVnet1 to a regional virtual network.

Correct Answer: CD
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
You need point-to-site connectivity and a gateway subnet.

References: https://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/

QUESTION 197
DRAG DROP

You manage a solution deployed in two Azure subscriptions for testing and production. Both subscriptions have
virtual networks named fabVNet.

You plan to add two new virtual machines (VMs) in a new subnet.

You have the following requirements:

Deploy the new VMs to the virtual network in the testing subscription.
Minimize any errors in defining the network changes.
Minimize the work that will be required when the change is made to the production virtual network.

Which three steps should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Azure uses an XML file to define all virtual networks available to a subscription. You can download this file, edit it
to modify or delete existing virtual networks, and create new virtual networks.

Creating and configuring a virtual network (classic) with a network configuration file requires exporting,
changing, and importing the file.

References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-using-network-configuration-file

QUESTION 198
DRAG DROP

You administer an Azure Virtual Machine (VM) named CON-CL1. CON-CL1 is in a cloud service named
ContosoService1.

You want to create a new VM named MyApp that will have a fixed IP address and be hosted by an Azure
Datacenter in the US West region.

You need to assign a fixed IP address to the MyApp VM.

Which Azure PowerShell cmdlets and values should you use? To answer, drag the appropriate cmdlet or value
to the correct location in the PowerShell command. Each cmdlet or value may be used once, more than once,
or not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:

Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Create a Reserved IP and associate it with a cloud service (Virtual Machines)
Use the following script as a template to create a Reserved IP and then use the Reserved IP to create a cloud
service deployment (Virtual Machines).

# $images is assumed to hold the output of Get-AzureVMImage.
$ReservedIP = New-AzureReservedIP -ReservedIPName "FirewallIP" -Label "WebAppFirewallIP" -Location "Japan West"
New-AzureVMConfig -Name "WebAppVM" -InstanceSize Small -ImageName $images[60].ImageName |
    Add-AzureProvisioningConfig -Windows -AdminUsername cloudguy -Password Abc123 |
    New-AzureVM -ServiceName "WebApp" -ReservedIPName $ReservedIP -Location "Japan West"

QUESTION 199
DRAG DROP

You plan to deploy a cloud service named contosoapp. The service includes a web role named
contosowebrole. The web role has an endpoint named restrictedEndpoint.

You need to allow access to restrictedEndpoint only from your office machine using the IP address
145.34.67.82.

Which values should you use within the service configuration file? To answer, drag the appropriate value to the
correct location in the service configuration file. Each value may be used once, more than once, or not at all.
You may need to drag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Rules with a lower order are applied first.
We can selectively permit or deny network traffic (in the management portal or from PowerShell) for a virtual
machine input endpoint by creating rules that specify “permit” or “deny”. By default, when an endpoint is
created, all traffic is permitted to the endpoint. So for that reason, it’s important to understand how to create
permit/deny rules and place them in the proper order of precedence to gain granular control over the
network traffic that you choose to allow to reach the virtual machine endpoint. Note that at the instant you
add one or more “permit” ranges, you are denying all other ranges by default. Moving forward from the first
permit range, only packets from the permitted IP range will be able to communicate with the virtual machine
endpoint.

QUESTION 200
DRAG DROP

You plan to deploy a cloud service named contosoapp that has a web role named contosoweb and a worker
role named contosoimagepurge.

You need to ensure the service meets the following requirements:

Contosoweb can be accessed over the Internet by using http.
Contosoimagepurge can only be accessed through tcp port 5001 from contosoweb.
Contosoimagepurge cannot be accessed directly over the Internet.

Which configuration should you use? To answer, drag the appropriate configuration setting to the correct
location in the service configuration file. Each configuration setting may be used once, more than once, or not
at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
References:
http://www.codeproject.com/Articles/331391/Azure-Role-Endpoints-and-Network-Traffic-Rules

QUESTION 201
Your company network includes two branch offices. Users at the company access internal virtual machines
(VMs) that are hosted in Azure.

You want to ensure secure communications between the branch offices and the internal VMs and Azure.

You need to create a site-to-site VPN connection.

What are two possible ways to achieve this goal? Each correct answer presents a complete solution.

A. a private IPv4 IP address and a compatible VPN device
B. a private IPv4 IP address and a RRAS running on Windows Server 2012
C. a public-facing IPv4 IP address and a compatible VPN device
D. a public-facing IPv4 IP address and a RRAS running on Windows Server 2012

Correct Answer: CD
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
C: VPN Device IP Address - This is the public-facing IPv4 address of your on-premises VPN device that you’ll use
to connect to Azure. The VPN device cannot be located behind a NAT.
D: At least one or preferably two publicly visible IP addresses: One of the IP addresses is used on the Windows
Server 2012 machine that acts as the VPN device by using RRAS. The other optional IP address is to be used
as the Default gateway for out-bound traffic from the on-premises network. If the second IP address is not
available, it is possible to configure network address translation (NAT) on the RRAS machine itself, to be
discussed in the following sections. It is important to note that the IP addresses must be public. They cannot be
behind NAT and/or a firewall.

QUESTION 202
DRAG DROP

Your development team has created a new solution that is deployed in a virtual network named fabDevVNet.

Your testing team wants to begin testing the solution in a second Azure subscription.

You need to create a virtual network named fabTestVNet that is identical to fabDevVNet. You want to achieve
this goal by using the least amount of administrative effort.

Which three steps should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:

QUESTION 203
Your network environment includes remote employees.

You need to create a secure connection for the remote employees who require access to your Azure virtual
network.

What should you do?

A. Deploy Windows Server 2012 RRAS.


B. Configure a point-to-site VPN.
C. Configure an ExpressRoute.
D. Configure a site-to-site VPN.
Correct Answer: B
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
New Point-To-Site Connectivity

With today’s release we’ve added an awesome new feature that allows you to set up VPN connections between
individual computers and a Windows Azure virtual network without the need for a VPN device. We call this
feature Point-to-Site Virtual Private Networking. This feature greatly simplifies setting up secure connections
between Windows Azure and client machines, whether from your office environment or from remote locations.

It is especially useful for developers who want to connect to a Windows Azure Virtual Network (and to the
individual virtual machines within it) from either behind their corporate firewall or a remote location. Because it
is point-to-site they do not need their IT staff to perform any activities to enable it, and no VPN hardware needs
to be installed or configured. Instead you can just use the built-in Windows VPN client to tunnel to your Virtual
Network in Windows Azure.

References: http://www.ditii.com/windows-azure-sdk-for-ruby-improvements-to-virtual-networks-vms-cloud-services/61871/

QUESTION 204
DRAG DROP

You have a solution deployed into a virtual network in Azure named fabVNet. The fabVNet virtual network has
three subnets named Apps, Web, and DB that are configured as shown in the exhibit. (Click the Exhibit button.)
You want to deploy two new VMs to the DB subnet.

You need to modify the virtual network to expand the size of the DB subnet to allow more IP addresses.

Which three steps should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:

QUESTION 205
DRAG DROP

You manage two solutions in separate Azure subscriptions.


You need to ensure that the two solutions can communicate on a private network.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Once the virtual networks are created, there are five more steps to perform before the VNet to VNet connection
configuration is complete:

Configure each VNet to identify the other VNet as a local network site in Azure (step 1 in the answer)
Create dynamic routing gateways for each VNet (step 2 in the answer)
Configure each local network with the IP address of the local gateway
Configure a shared key for the VNet to VNet connection
Connect the VPN gateways (step 3 in the answer)

Incorrect Answers:
VNet-to-VNet requires Azure VPN gateways with dynamic routing VPNs. Azure static routing VPN gateways are
not supported.

References: http://www.virtualizationadmin.com/articles-tutorials/cloud-computing/microsoft/virtual-networks-microsoft-azure-part1.html
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-configure-vnet-to-vnet-connection/#create-the-dynamic-routing-gateways-for-each-vnet

QUESTION 206
You manage a cloud service that has a web role named fabWeb. You create a virtual network named fabVNet
that has two subnets defined as Web and Apps.

You need to be able to deploy fabWeb into the Web subnet.

What should you do?

A. Modify the service definition (csdef) for the cloud service.


B. Run the Set-AzureSubnet PowerShell cmdlet.
C. Run the Set-AzureVNetConfig PowerShell cmdlet.
D. Modify the network configuration file.
E. Modify the service configuration (cscfg) for the fabWeb web role.

Correct Answer: E
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Azure Service Definition Schema (.csdef File)
The service definition file defines the service model for an application. The file contains the definitions for the
roles that are available to a cloud service, specifies the service endpoints, and establishes configuration
settings for the service.

References: https://blog.vbmagic.net/2014/03/31/connecting-an-azure-web-role-to-an-existing-virtual-network-connected-to-company-wan/

QUESTION 207
DRAG DROP

You manage an Azure virtual network environment for a company that has an office in Boston. The company
plans to open a new office location in Paris.

You must replicate the Boston virtual network environment in Paris.


How should you complete the relevant Azure PowerShell commands? To answer, drag the appropriate Azure
PowerShell segment to the correct location. Each Azure PowerShell segment may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:

Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:

Box 1: Get-AzureVNetConfig
The Get-AzureVNetConfig cmdlet retrieves the virtual network configuration of the current Azure subscription. If
the ExportToFile parameter is specified, a network configuration file is created.

Box 2: ExportToFile

Box 3: Set-AzureVNetConfig
The Set-AzureVNetConfig cmdlet updates the network configuration for the current Azure subscription by
specifying a path to a network configuration file (.netcfg). The network configuration file defines DNS servers
and subnets for cloud services within a subscription.

Box 4: ConfigurationPath
The Set-AzureVNetConfig -ConfigurationPath parameter specifies the path and file name of a network
configuration file (.netcfg).

References:
https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure/get-azurevnetconfig?view=azuresmps-4.0.0
https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure/set-azurevnetconfig?view=azuresmps-4.0.0
QUESTION 208
HOTSPOT

You have a virtual machine (VM) that must be secured. Direct access to the VM is not permitted. You create
the following Azure PowerShell script. Line numbers are included for reference only.

You assign the virtual network to the variable $vnet. You assign the subnet to the variable $backendSubnet.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Hot Area:
Correct Answer:

Section: Topic 4, Implement Virtual Networks


Explanation

Explanation/Reference:
Explanation:

Box 1: Yes
On line 3, the New-AzureRmLoadBalancerInboundNatRuleConfig cmdlet creates an inbound network address
translation (NAT) rule configuration for an Azure load balancer. It uses port 3389 to enable a connection to
an Azure VM.

Box 2: No
Only TCP 80 traffic is redirected to local ports.

Box 3: Yes

References: https://docs.microsoft.com/en-us/powershell/module/azurerm.network/new-azurermloadbalancerinboundnatruleconfig?view=azurermps-6.10.0

QUESTION 209
For development purposes, you deploy several virtual machines in an Azure subscription.
Developers report that the virtual machines fail to access each other.

You export the virtual network configuration for the subscription as shown in the following output.

You need to modify the network configuration to resolve the connection issue.
What should you modify?
A. the IP address range of Subnet-1
B. the IP address range of the gateway subnet
C. the IP address of the DNS server
D. the site of the virtual network

Correct Answer: C
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:

QUESTION 210
You purchase an Azure subscription. You plan to deploy an application that requires four Azure virtual
machines (VMs). All VMs use Azure Resource Management (ARM) mode.

You need to minimize the time that it takes for VMs to communicate with each other.

What should you do?

A. Create a multi-site virtual network.


B. Create a regional virtual network.
C. Create a site-to-site virtual network.
D. Add the VMs to the same affinity group.

Correct Answer: B
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:

Affinity Groups were required for creating Virtual Networks. However, with the introduction of Regional Virtual
Networks, that was not required anymore.

Note: In the old Classic Mode, you would use an affinity group. However, the question states that the VMs use
Azure Resource Management (ARM) mode and affinity groups are not available in ARM mode.

Incorrect Answers:
D: Affinity groups are not available in ARM mode.

References: https://docs.microsoft.com/en-gb/azure/azure-resource-manager/resource-manager-deployment-model

QUESTION 211
You manage an Azure virtual network that hosts 15 virtual machines (VMs) on a single subnet, which is used
for testing a line of business (LOB) application. The application is deployed to a VM named
TestWebServiceVM.

You need to ensure that TestWebServiceVM always starts by using the same IP address. You need to achieve
this goal by using the least amount of administrative effort.

What are two possible ways to achieve the goal? Each correct answer presents a complete solution.

A. Run the following Azure PowerShell cmdlet: Set-AzureStaticVNetIP


B. Use the Azure portal to configure TestWebServiceVM.
C. Run the following Azure PowerShell cmdlet: Get-AzureReservedIP
D. Use RDP to configure TestWebServiceVM.

Correct Answer: AB
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
References: https://msdn.microsoft.com/en-us/library/azure/dn722490.aspx

QUESTION 212
DRAG DROP

You have a virtual network and virtual machines that use the Resource Manager deployment model.

You plan to create a Network Security Group (NSG). You must apply rules to both inbound and outbound traffic.

You need to create the NSG.

In which order will the rules be applied to the virtual network? To answer, drag the appropriate option to the
correct location. Each option may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.

Select and Place:

Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-gb/documentation/articles/virtual-networks-nsg/

QUESTION 213
You deploy several virtual machines (VMs) to Azure by using the Azure Service Manager (classic).

You must deploy new VMs by using the Azure Resource Manager (ARM).

You need to ensure the new VMs can communicate with the existing VMs.

What should you do?

A. Create a new resource group and include all VMs.


B. Create a site-to-site (S2S) VPN connection between the classic VNet and the ARM VNet.
C. Migrate the classic VMs to the ARM VNet.
D. Create a new availability set and include all VMs.

Correct Answer: B
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-different-deployment-models-portal
QUESTION 214
HOTSPOT

You have two on-premises networks. You need to connect the two networks to Azure.

The networks must be secure.

You need to configure the environment.

Which actions should you perform? For each of the following statements, select Yes if the statement is true.
Otherwise, select No.

Hot Area:

Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
References:
https://blogs.technet.microsoft.com/canitpro/2016/02/02/step-by-step-multi-site-azure-vpn-in-the-resource-manager-model/
https://technet.microsoft.com/en-us/library/dn786406.aspx

QUESTION 215
You manage an application that has a front-end tier, a middle tier, and a back-end tier. Each tier is located on a
different subnet.

You need to apply access to and between the tiers as follows:


Only the front-end tier must be able to access the Internet.
You must permit network access between the front-end tier and the middle tier.
You must permit network access between the middle tier and the back-end tier.
You must prevent all other network traffic.

You need to apply this configuration to all virtual machines inside the subnets.

What should you do?

A. Use a Network Security Group (NSG).


B. Add a VPN gateway.
C. Add a regional VNET.
D. Add an Availability Set.

Correct Answer: A
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources
connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or
individual network interfaces (NIC) attached to VMs (Resource Manager). When an NSG is associated to a
subnet, the rules apply to all resources connected to the subnet. Traffic can further be restricted by also
associating an NSG to a VM or NIC.

Incorrect Answers:
D: An Availability Set is a logical grouping capability that you can use in Azure to ensure that the VM resources
you place within it are isolated from each other when they are deployed within an Azure datacenter. Azure
ensures that the VMs you place within an Availability Set run across multiple physical servers, compute racks,
storage units, and network switches. If a hardware or Azure software failure occurs, only a subset of your VMs
are impacted, and your overall application stays up and continues to be available to your customers. Availability
Sets are an essential capability when you want to build reliable cloud solutions.

References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

QUESTION 216
You manage the on-premises and cloud network for a company. The network includes an Azure classic virtual
network (VNet) on an East US server with two subnets that must remain online until the end of the year. You
update all other VNets to Azure Resource Manager (ARM) VNets.

You need to set up communication between specific ARM VNets and the classic VNet.

What should you do?

A. Create a Local VPN gateway for the classic VNet. Create VPN gateways for any ARM VNets to
communicate with the local gateway.
B. Create Local VPN gateways for the ARM VNets. Create a VPN gateway for the classic VNet to
communicate with the local gateways.
C. Move the ARM VNets to the US East region. Update the classic VNet to use a single subnet. Add the
classic VNet as a subnet to any ARM VNet that requires communication.
D. Move the ARM VNets to a non US East region. Update the classic VNet to use a single subnet. Add the
classic VNet as a subnet to any ARM VNet that requires communication.
E. Set the resource group of the classic VNet to use the same resource group that you use to create any ARM
VNet that requires communication.

Correct Answer: B
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-different-deployment-models-portal

QUESTION 217
You have an existing classic virtual network.

You need to export the virtual network settings to an XML file to make modifications.

Which Azure PowerShell cmdlet should you use?

A. Get-AzureVNetSite
B. Get-AzureVNetConnection
C. Get-AzureVNetGateway
D. Get-AzureVNetConfig
Correct Answer: D
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:

QUESTION 218
DRAG DROP

Your company has a main office and several branch offices.

You create an Azure subscription and you deploy several virtual machines. The virtual machines are located in
multiple subnets.

You need to provide remote access to the virtual machines to five users in each office by using a VPN
connection. The remote access connections will not require a VPN device nor a public-facing IP address in
order to work.

Which three actions should you perform in sequence before you download the VPN client on each computer?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.

Select and Place:


Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:

QUESTION 219
DRAG DROP

Your company is implementing an Intrusion Detection System (IDS). The IDS has the IP address 192.168.3.92.
You plan to deploy the network by using Azure Resource Manager (ARM).

You need to ensure that all subnet traffic goes through the IDS.

How should you complete the JSON configuration code? To answer, drag the appropriate JSON segments to
the correct location or locations. Each JSON segment may be used once, more than once, or not at all. You
may need to drag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:

QUESTION 220
DRAG DROP

You have an on-premises application that must connect to Azure. You implement ExpressRoute.
Connections from the on-premises application to Azure must not use the public Internet, and must be low
latency.
You need to configure networking for Azure services.
For each service, which peering path should you use? To answer, drag the appropriate peering path to the
correct Azure service. Each peering path may be used once, more than once, or not at all. You may need to
drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Box 1: Private peering path
Private peering: Virtual networks, including all virtual machines and cloud services

Box 2: Microsoft peering path


The Azure App Service Environment is an Azure App Service feature that provides a fully isolated and
dedicated environment for securely running App Service apps at high scale. This capability can host your:
Windows web apps, Linux web apps, Docker containers, Mobile apps, Functions
Box 3: Microsoft peering path
All Azure PaaS services are accessible through Microsoft peering. Microsoft recommends that you create
Microsoft peering and connect to Azure PaaS services over Microsoft peering.

Box 4: Not supported


Not Public peering or Microsoft Peering. Multi-factor Authentication is not supported through either Public peering
or Microsoft Peering.

References:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-faqs
https://docs.microsoft.com/en-us/azure/app-service/environment/intro

QUESTION 221
You manage the on-premises and cloud for a company. Employees use Microsoft Office 365 to collaborate and
manage product development. They authenticate to Azure Active Directory (Azure AD) to access all on-
premises and cloud-based resources.
You must grant employees access to several custom-built applications.

You need to ensure that you can automatically add or remove employee access to Office 365 based on
employee group memberships or attributes.

What should you use?

A. Active Directory Configuration


B. Advanced Rules for an Active Directory Group.
C. Application Access to Active Directory
D. The Users group in Active Directory

Correct Answer: B
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:

QUESTION 222
A company has a hybrid environment. The public IP address of the on-premises environment is 40.84.199.233.
The company deploys virtual machines (VMs) to Azure on different subnets.

You need to ensure that the Azure VMs can communicate with the on-premises environment.

What should you create?

A. an Internet rule for each subnet


B. a user defined route to 255.255.255.0/0 with a VPN gateway
C. a user defined route to 0.0.0.0/0 with a VPN gateway
D. a user defined route to 40.84.199.233/32
E. a user defined route to 0.0.0.0/30 with a VPN gateway

Correct Answer: C
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
You can create custom, or user-defined, routes in Azure to override Azure's default system routes, or to add
additional routes to a subnet's route table.
0.0.0.0/0 is a default route for all non-local traffic. This will forward all outbound traffic to a VPN gateway.
A route with the 0.0.0.0/0 address prefix instructs Azure how to route traffic destined for an IP address that is
not within the address prefix of any other route in a subnet's route table.

References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
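
The route selection described in the explanation above, as an added example that is not part of the original exam material: Azure picks the matching route with the longest prefix and, on a tie, prefers user-defined routes over BGP and system routes. The route names and the two small tables are constructed, and the model is simplified to the routes listed (Azure's other system routes are omitted).

```python
import ipaddress
from dataclasses import dataclass

# Tie-break between matching routes with the same prefix length:
# user-defined first, then BGP, then system (default) routes.
SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    name: str              # hypothetical label, used only in this example
    prefix: str            # destination CIDR (the CLI's --address-prefix)
    next_hop_type: str     # VnetLocal, Internet, VirtualNetworkGateway, VirtualAppliance
    source: str            # "User", "BGP" or "Default"
    next_hop_ip: str = ""  # only meaningful for VirtualAppliance

    @property
    def network(self):
        # strict=True rejects prefixes that have host bits set
        return ipaddress.ip_network(self.prefix, strict=True)


def is_valid_prefix(prefix):
    """True for a well-formed CIDR with no host bits set."""
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def select_route(routes, destination):
    """Return the route that would carry traffic to destination, or None."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r.network]
    if not matches:
        return None
    # Longest prefix wins; the route source only breaks ties.
    return min(matches, key=lambda r: (-r.network.prefixlen, SOURCE_RANK[r.source]))


# Constructed sample: system routes of a VNet that uses 10.0.0.0/16.
SYSTEM_ROUTES = [
    Route("system-vnet", "10.0.0.0/16", "VnetLocal", "Default"),
    Route("system-internet", "0.0.0.0/0", "Internet", "Default"),
]

# Constructed sample: a default route to the VPN gateway and a more specific
# route that sends one subnet through a virtual appliance.
USER_ROUTES = [
    Route("udr-default-to-vpn", "0.0.0.0/0", "VirtualNetworkGateway", "User"),
    Route("udr-backend-via-nva", "10.0.2.0/24", "VirtualAppliance", "User", "10.0.100.4"),
]


def describe(routes, destination):
    route = select_route(routes, destination)
    if route is None:
        return f"{destination} -> no route"
    return f"{destination} -> {route.next_hop_type} ({route.name})"


if __name__ == "__main__":
    table = SYSTEM_ROUTES + USER_ROUTES
    for dest in ("10.0.1.4", "10.0.2.5", "40.84.199.233"):
        print(describe(table, dest))
    for prefix in ("0.0.0.0/0", "255.255.255.0/0", "0.0.0.0/30"):
        print(prefix, "valid" if is_valid_prefix(prefix) else "invalid")
```

A /32 or /30 prefix is syntactically valid but covers only one or four addresses, so `select_route` returns nothing for any other destination.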

QUESTION 223
DRAG DROP

A company has a hybrid environment. You plan to create routes to connect the Azure and on-premises
resources.
You need to use the Azure CLI to create the route for a front-end subnet.

How should you complete the Azure CLI command? To answer, drag the appropriate IP addresses or subnets
to the correct locations. Each IP address or subnet may be used once, more than once, or not at all. You may
need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Parameters include:
--address-prefix
The destination CIDR to which the route applies.

--next-hop-ip-address
The IP address packets should be forwarded to when using the VirtualAppliance hop type.

Example: Create a route that forces all inbound traffic to a Network Virtual Appliance.
az network route-table route create -g MyResourceGroup --route-table-name MyRouteTable -n MyRoute \
--next-hop-type VirtualAppliance --address-prefix 10.0.0.0/16 --next-hop-ip-address 10.0.100.4

References: https://docs.microsoft.com/en-us/cli/azure/network/route-table/route?view=azure-cli-latest

QUESTION 224
A company uses Azure Resource Manager (ARM) templates to create resources.

The following segment is from one of the company's ARM templates.

"properties": {
  "routes": [
    {
      "name": "myroute",
      "properties": {
        "addressPrefix": "[parameters('backendsubnetprefix')]",
        "nextHopType": "VirtualAppliance",
        "nextHopIpAddress": "[parameters('vmIPaddress')]"
      }
    }
  ]
}

The type of route defined is:

A. UDR-Frontend
B. UDR-BackEnd
C. VNet
D. Internet

Correct Answer: A
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
To better illustrate how to create UDRs, this document uses the following scenario:

In this scenario, you create one UDR for the Front-end subnet and another UDR for the Back-end subnet, as
follows:

UDR-FrontEnd. The front-end UDR is applied to the FrontEnd subnet, and contains one route:
RouteToBackend. This route sends all traffic to the back-end subnet to the FW1 virtual machine.
UDR-BackEnd. The back-end UDR is applied to the BackEnd subnet, and contains one route:
RouteToFrontend. This route sends all traffic to the front-end subnet to the FW1 virtual machine.

References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-create-udr-classic-cli

QUESTION 225
You are developing a web application that connects to an existing virtual network. The web application needs to
access a database that runs on a virtual machine.

In the Azure portal, you use the virtual network integration user interface to select from a list of virtual networks.
The virtual network that the web application needs to connect to is not selectable.

You need to update the existing virtual network so you can connect to it.

What should you do?

A. Enable ExpressRoute.
B. Enable point-to-site VPN with a static routing gateway.
C. Enable point-to-site VPN with a dynamic routing gateway.
D. Enable site-to-site VPN.

Correct Answer: C
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet

QUESTION 226
You manage network routes in an Azure subscription.

You have the following routes:

You observe that traffic destined to the IP address 192.168.1.0 is being sent to the IP address 10.10.5.5.

You need to ensure that the user-defined route takes precedence.

What should you do?

A. Add the user-defined route to the Border Gateway Protocol (BGP) table.
B. Delete and recreate the user-defined route.
C. Set the next hop of the user-defined route to the IP address 10.10.5.5.
D. Set the user-defined route subnet mask to the IP address 255.255.255.0.

Correct Answer: C
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
QUESTION 227
A company has a hybrid environment. The public IP address of the on-premises environment is 40.84.199.233.
The company deploys virtual machines (VMs) to Azure on different subnets.

You need to make sure that Azure VMs can communicate with the on-premises environment.

What should you create?

A. a Border Gateway Protocol (BGP) route by using ExpressRoute


B. an Internet rule for each subnet
C. a local vNet rule for each subnet
D. a user defined route to 40.84.199.233/0

Correct Answer: A
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

QUESTION 228
You are designing the network infrastructure between on-premises data centers and Azure.

You have the following requirements:

Inbound Azure data transfers must be unlimited.


The network design must support 5,000 routes.
A single connection to Azure must provide access to global services.
Minimize monthly billing costs.

You need to implement the Azure connection.

What should you use?

A. ExpressRoute Metered Data plan with the ExpressRoute Premium add-on


B. ExpressRoute Unlimited Data plan
C. ExpressRoute Metered Data plan
D. ExpressRoute Unlimited Data plan with the ExpressRoute Premium add-on

Correct Answer: A
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
References:
https://azure.microsoft.com/en-gb/pricing/details/expressroute/

QUESTION 229
A company has deployed multiple ExpressRoute circuits. The configured circuits have been designed to
optimize traffic flow.
You need to ensure that an alert is generated if traffic is routed through a secondary circuit.
What should you do?

A. Create an Operations Management Suite (OMS) workspace.


B. Monitor the dedicated VNet.
C. Enable Active Directory Federation Services (AD FS) auditing.
D. Enable Network Performance Monitoring (NPM)

Correct Answer: D
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
NPM offers an extension for ExpressRoute that lets you monitor network performance over ExpressRoute
circuits that are configured to use private peering or Microsoft peering. When you configure NPM for
ExpressRoute, you can detect network issues to identify and eliminate. This service is also available for Azure
Government Cloud. You can:
* Monitor loss and latency across various VNets and set alerts
Etc.

References: https://docs.microsoft.com/en-us/azure/expressroute/how-to-npm

QUESTION 230
Your company has two cloud services named CS01 and CS02. You create a virtual machine (VM) in CS02
named Accounts.

You need to ensure that users in CS01 can access the Accounts VM by using port 8080.

What should you do?

A. Create a firewall rule.


B. Configure load balancing.
C. Configure port redirection.
D. Configure port forwarding.
E. Create an end point.

Correct Answer: E
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
All virtual machines that you create in Azure can automatically communicate using a private network channel
with other virtual machines in the same cloud service or virtual network. However, other resources on the
Internet or other virtual networks require endpoints to handle the inbound network traffic to the virtual machine.

References: http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/

QUESTION 231
DRAG DROP

You administer an Azure Virtual Machine (VM) named CON-CL1. CON-CL1 is in a cloud service named
ContosoService1.

You discover unauthorized traffic to CON-CL1. You need to:


Create a rule to limit access to CON-CL1.
Ensure that the new rule has the highest precedence.

Which Azure PowerShell cmdlets and values should you use? To answer, drag the appropriate cmdlet or value
to the correct location in the PowerShell command. Each cmdlet or value may be used once, more than once,
or not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Box 1: New-AzureAclConfig
The New-AzureAclConfig cmdlet creates an empty access control list (ACL) configuration object.

Box 2: Set-AzureAclConfig
The Set-AzureAclConfig command sets an access control list (ACL) configuration.

Box 3: 0
The Set-AzureAclConfig Parameter -Order specifies the relative order in which this rule should be processed
compared to the other rules applied to the ACL object. The lowest order takes precedence. 0 is allowed.
Incorrect Answers:
Not 100, 300: Order 100 (or 300) would be incorrect as the lower value of 0 takes precedence.

Box 4: Deny
The -Action parameter specifies whether the rule will permit or deny incoming network traffic from the specified
remote subnet. The value must be either Permit or Deny. As we want to limit access to the virtual machine, we
should deny remote access.

References:
https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure/new-azureaclconfig?view=azuresmps-4.0.0
http://msdn.microsoft.com/en-us/library/dn495192.aspx

QUESTION 232
HOTSPOT

Your company network has two branch offices. Some employees work remotely, including at public locations.
You manage an Azure environment that includes several virtual networks.

All users require access to the virtual networks.

In the table below, identify which secure cross-premises connectivity option is needed for each type of user.
Make only one selection in each column.

Hot Area:

Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:

Box 1 (Branch Office Users): Multi-site
You can connect multiple on-premises sites to a single virtual network. This is especially attractive for building
hybrid cloud solutions. Creating a multi-site connection to your Azure virtual network gateway is similar to
creating other Site-to-Site connections.

Box 2 (Remote Users): Point-to-site
A point-to-site VPN also allows you to create a secure connection to your virtual network. In a point-to-site
configuration, the connection is configured individually on each client computer that you want to connect to the
virtual network.
Use a point-to-site configuration when:
You want to connect to your virtual network from a remote location. For example, connecting from a coffee
shop.

Incorrect Answers:
Site-to-Site: You would need two site-to-site connections. This would be a multi-site connection.

References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-classic-azure-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-multi-site

QUESTION 233
HOTSPOT

You create a virtual network named fabVNet01.

You design the virtual network to include two subnets, one named DNS-subnet and one named Apps-subnet,
as shown in the exhibit. (Click the Exhibit button.)

In the table below, identify the number of IP addresses that will be available for virtual machines (VMs) or cloud
services in each subnet. Make only one selection in each column.

Hot Area:
Correct Answer:
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
References: http://msdn.microsoft.com/en-us/library/azure/jj156074.aspx

QUESTION 234
You administer an Azure solution that uses a virtual network named FabVNet. FabVNet has a single subnet
named Subnet-1.

You discover a high volume of network traffic among four virtual machines (VMs) that are part of Subnet-1.

You need to isolate the network traffic among the four VMs. You want to achieve this goal with the least amount
of downtime and impact on users.

What should you do?

A. Create a new subnet in the existing virtual network and move the four VMs to the new subnet.
B. Create a site-to-site virtual network and move the four VMs to your datacenter.
C. Create a new virtual network and move the VMs to the new network.
D. Create an availability set and associate the four VMs with that availability set.

Correct Answer: A
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
The process to carry out a move of your VM to a different subnet is straightforward:
Migrate a VM from one subnet to another.
Update the VM configuration and restart the VM.

References: https://blogs.technet.microsoft.com/canitpro/2014/05/19/step-by-step-move-a-microsoft-azure-vm-to-a-different-subnet-within-a-vnet/

QUESTION 235
A company has a hybrid environment. The public IP address of the on-premises environment is 40.84.199.233.
The company deploys virtual machines (VMs) to Azure on different subnets.

You need to ensure that the Azure VMs can communicate with the on-premises environment.

What should you create?

A. a Border Gateway Protocol (BGP) route by using ExpressRoute
B. an Internet rule for each subnet
C. a local vNet rule for each subnet
D. a user defined route to 40.84.199.233/0

Correct Answer: A
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Microsoft Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a
private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to
Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365.

References: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

QUESTION 236
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You manage an Azure subscription with multiple virtual networks in different regions. You deploy an application
to one region in the subscription.

Network traffic from other regions to the application must be routed through a single virtual network.

You need to configure the network.

Solution: You create a container for the application.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Use Microsoft Azure ExpressRoute.

References: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

QUESTION 237
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You manage an Azure subscription with multiple virtual networks in different regions. You deploy an application
to one region in the subscription.

Network traffic from other regions to the application must be routed through a single virtual network.

You need to configure the network.

Solution: You configure an Azure ExpressRoute connection between the subscription and an on-premises
datacenter.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Microsoft Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a
private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to
Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365.

References: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

QUESTION 238
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You manage an Azure subscription with multiple virtual networks in different regions. You deploy an application
to one region in the subscription.

Network traffic from other regions to the application must be routed through a single virtual network.

You need to configure the network.

Solution: You enable virtual network peering with service chaining.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 4, Implement Virtual Networks
Explanation

Explanation/Reference:
Explanation:
Use Microsoft Azure ExpressRoute.

References: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

QUESTION 239
HOTSPOT

A company uses Azure Resource Manager (ARM) templates to create resources.

The following segment is from one of the company’s ARM templates.

Use the drop-down menus to select the answer choice that answers each question based on the information
presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
References: https://github.com/squillace/staging/blob/master/articles/virtual-network/virtual-network-create-udr-arm-template.md

QUESTION 240
A company uses Azure Resource Manager (ARM) templates to deploy virtual machines (VMs).

You plan to include the following JSON segment in the ARM template.

You need to provide monitoring and diagnostics capabilities for the VM.

Which additional parameter should you include in the template?

A. condition
B. currentenvironmentSettings
C. existingdiagnosticsStorageResourceGroup
D. instanceCount

Correct Answer: C
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Explanation:
The diagnostics extension JSON snippet above assumes two parameters,
existingdiagnosticsStorageAccountName and existingdiagnosticsStorageResourceGroup, to specify the
diagnostics storage account where diagnostics data is stored. Specifying the diagnostics storage account as a
parameter makes it easy to change the diagnostics storage account across different environments; for example,
you may want to use a different diagnostics storage account for testing and a different one for your production
deployment.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-diagnostics-template

QUESTION 241
You are an administrator of the Azure subscription for your company.

You are updating an Azure Resource Manager (ARM) template.

You need to ensure that the JSON file uses the latest version available.

Which template element should you modify?

A. parameters
B. resources
C. $schema
D. variables

Correct Answer: C
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Explanation:
$schema is the location of the JSON schema file that describes the version of the template language.
Note:
In its simplest structure, a template has the following elements:
{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "",
    "parameters": { },
    "variables": { },
    "functions": [ ],
    "resources": [ ],
    "outputs": { }
}

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates

QUESTION 242
DRAG DROP

A company plans to use Azure Site Recovery as a disaster recovery (DR) solution.

You identify the following requirements for groups:

Senior administrators must be able to enable and manage DR for applications.
Junior administrators must be able to execute failover operations, but not manage DR.
The CIO and IT directors must be able to view settings but not make any changes.

You need to configure the permission levels.

Which permission level should you assign for each group? To answer, drag the appropriate permission levels
to the correct groups. Each permission level may be used once, more than once, or not at all. You may need to
drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:


Correct Answer:
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-role-based-linked-access-control

QUESTION 243
HOTSPOT

You are an administrator of an Azure subscription for your company.

Management asks you to assign the user [email protected] to a role that can create and manage virtual
machines (VMs). The user must not be able to manage storage or virtual networks for the
MarketingGroupResources resource group. User1 must have no other permissions.

You need to implement the requirements.

How should you complete the Azure PowerShell command? To answer, select the appropriate Azure
PowerShell segments in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell
https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermroleassignment?view=azurermps-6.0.0
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

QUESTION 244
HOTSPOT

A company uses Azure to host virtual machines (VMs) and a web app that requires restricted access based on
group membership.

You need to implement a policy to manage access control for the web app.

How should you configure the policy? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:

QUESTION 245
DRAG DROP

You plan to use Azure Resource Manager (ARM) templates to deploy resources.

You need to create a policy that permits deployments only for compute and storage resources.

Develop the solution by selecting and ordering the required code segments. You may not need all of the code
segments.

Select and Place:


Correct Answer:
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Explanation:

Box 1: if not anyOf

Box 2:

Box 3: .. deny ..
Deny is used to prevent a resource request that doesn't match desired standards through a policy definition and
fails the request.
Example:

"then": {
    "effect": "deny"
}

Incorrect Answers:
Append: Append is used to add additional fields to the requested resource during creation or update.

Audit: Audit effect is used to create a warning event in the activity log when a non-compliant resource is
evaluated, but it does not stop the request.

References: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects

QUESTION 246
A company uses Linux virtual machines (VMs) in Azure. An administrator requires root access to the Linux
VMs.

You need to enable access for the administrator using the principle of least privilege.

Which role should you assign?

A. Virtual Machine Contributor
B. Virtual Machine User Login
C. User Access Administrator
D. Virtual Machine Administrator Login

Correct Answer: D
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Explanation:
Users with the Virtual Machine Administrator Login role assigned can log in to an Azure virtual machine with
Windows Administrator or Linux root user privileges.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad

QUESTION 247
You are a developer for a company that produces bug tracking software. The software runs on
customer-provisioned virtual machines (VMs) running in Azure, including deployments within private Azure
Virtual Networks.

The software has the following requirements for the runtime environment. If any of these components are
missing or not configured correctly, the application will not function correctly.

User groups named bug_users and bug_admins
a log file location at c:\bug\logs
a registry key that contains the license keys
Visual C++ runtime components
a Windows service named BugCleanup

You need to provide a mechanism to distribute the application to customers that ensures that the application
always functions correctly.

What should you do?

A. Provide a Windows Installer MSI that configures the VM to meet application requirements.
B. Provide an Azure Resource Manager template to customers with an Azure PowerShell DSC script that
installs the application and configures the VM.
C. Convert the application to a ClickOnce application and distribute the URL of the application to customers.
D. Convert the application to an Azure Cloud Service and configure the VM during startup.

Correct Answer: B
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Explanation:
You can deploy applications and services onto your Service Fabric cluster via Azure Resource Manager. This
means that instead of deploying and managing applications via PowerShell or CLI after having to wait for the
cluster to be ready, you can now express applications and services in JSON and deploy them in the same
Resource Manager template as your cluster. The process of application registration, provisioning, and
deployment all happens in one step.

References: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-arm-resource

QUESTION 248
HOTSPOT

A company uses Azure to host virtual machines (VMs) and web apps.

You plan to delegate access using Role-Based Access Control (RBAC). Users must not have more
permissions than necessary.
Admin1 must not be able to manage resource access.
Admin1 must be able to manage all other Azure components.
Admin2 must be able to stop and restart Azure jobs.

You need to assign the appropriate role to the new admins.

Which role should you assign to each admin account? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is#built-in-roles
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles

QUESTION 249
DRAG DROP

You are the administrator for your company’s Azure subscription.

Company policy dictates that you must deploy new Azure Resource Manager (ARM) templates using Azure
PowerShell.

You need to deploy the ARM templates.

How should you complete the Azure PowerShell command? To answer, drag the appropriate Azure PowerShell
cmdlets to the correct locations. Each Azure PowerShell cmdlet may be used once, more than once, or not at
all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:

Correct Answer:
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-deploy

QUESTION 250
You are the administrator for your company’s Azure subscription.

Company policy dictates that you must deploy new Azure Resource Manager (ARM) templates using Azure
Command-Line Interface (CLI). Parameters are included in a file called azuredeploy.parameters.json and do
not contain any password information. All JSON files are located in the root of drive E.

You need to ensure that password parameters are passed to the command.

Which two commands are possible ways to achieve this goal? Each correct answer presents a complete
solution.

A. Add the appropriate password parameters to the azuredeploy.parameters.json file and then run the
following CLI command:
azure group create -n "ARMBasic" -l "West US" -f "e:\azuredeploy.json" -e "e:\azuredeploy.parameters.json"
B. Run the following CLI command. Do not add additional switches:
azure group create -n "ARMBasic" -l "West US" -f "e:\azuredeploy.json" -e "e:\azuredeploy.parameters.json"
C. Run the following CLI command. Add a switch to include password parameters:
azure group create -n "ARMBasic" -l "West US" -f "e:\azuredeploy.json"
D. Run the following CLI command. Add switches to include all parameters:
azure group create -n "ARMBasic" -l "West US" -f "e:\azuredeploy.json"

Correct Answer: AD
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Explanation:
A: Rather than passing parameters as inline values in your script, you may find it easier to use a JSON file that
contains the parameter values.

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-deploy-cli

QUESTION 251
You have an Azure subscription.

You create an Azure Active Directory (Azure AD) tenant named Tenant1.

You plan to integrate Tenant1 and the on-premises Active Directory.

You need to create a user account that can be used to synchronize changes from the on-premises Active
Directory. The solution must use the principle of least privilege.

Which organizational role should you assign to the user account?

A. Service administrator
B. Global administrator
C. Password administrator
D. User administrator

Correct Answer: B
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:

QUESTION 252
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will
not appear in the review screen.

You use Azure Resource Manager (ARM) templates to deploy resources.

You need to ensure that storage resources defined in templates cannot be deleted.

Solution: You define the following JSON in the template.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Explanation:
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in
your organization from accidentally deleting or modifying critical resources. You can set the lock level to
CanNotDelete or ReadOnly.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying
this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

QUESTION 253
HOTSPOT

You plan to use Azure Resource Manager (ARM) templates to deploy resources in Azure. You define the
following variables in the template.

Use drop-down menus to select the answer choice that answers each question based on the information
presented in the template.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Box 1: One

Box 2: Two
We see the two lines Nic1NamePrefix and Nic2NamePrefix.

Box 3: Sent to the VM through a load balancer.
The variable lbID references a LoadBalancer.

References:
http://www.ravichaganti.com/blog/building-azure-resource-manager-templates-using-copy-object/
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview#template-deployment

QUESTION 254
HOTSPOT

You are implementing Azure Role-Based Access Control (RBAC).

You need to create two new administrator accounts. The accounts must meet the following requirements:
Admin1 must be able to manage only the storage accounts that are used by virtual machines (VMs) and
other resources.
Admin2 must be able to manage and delete resources in the Recovery Services vault.

Which role should you assign to each account? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Explanation:
Box 1: Storage Account Contributor
A Storage Account Contributor can manage storage accounts, but not access to them.

Incorrect Answers:
Not Data Factory Contributor: Can create and manage data factories, and child resources within them.

Not Virtual Machine Contributor: Can manage virtual machines, but not the virtual network or storage account
to which they are connected.

Box 2: Backup Contributor
A Backup Contributor can manage all backup management actions, except creating Recovery Services vault
and giving access to others.

Incorrect Answers:
Not Automation Operator: Able to start, stop, suspend, and resume jobs.

Not Backup Operator: Can manage backup except removing backup, in Recovery Services vault.

References: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles

QUESTION 255
HOTSPOT

You are an Azure subscription administrator for your company.

Management asks you to add a contractor named User1 with a Microsoft account of [email protected] to
manage DNS records but have no other permissions. The contractor is not in your Azure Active Directory
(Azure AD) but must be able to manage all of the DNS records in the Adatum zone. The Adatum zone is in the
ITManaged Resource Group.

You need to add the contractor.

How should you configure the environment? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Explanation:
Box 1: DNS Zone Contributor
The 'DNS Zone Contributor' role is a built-in role provided by Azure for managing DNS resources. Assigning
DNS Zone Contributor permissions to a user or group enables that group to manage DNS resources, but not
resources of any other type.

Box 2: Add [email protected]
The simplest way to assign RBAC permissions is via the Azure portal. Open the 'Access control (IAM)' blade for
the resource group, then click 'Add', then select the 'DNS Zone Contributor' role and select the required users
or groups to grant permissions.
You can search the directory with display names, email addresses, and object identifiers.

References: https://docs.microsoft.com/en-us/azure/dns/dns-protect-zones-recordsets

QUESTION 256
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You use Azure Resource Manager (ARM) templates to deploy resources.

You need to ensure that storage resources defined in templates cannot be deleted.

Solution: You define the following JSON in the template.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 5, Design and Deploy ARM Templates
Explanation

Explanation/Reference:
Explanation:
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in
your organization from accidentally deleting or modifying critical resources. You can set the lock level to
CanNotDelete or ReadOnly.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the
resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource.
Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

QUESTION 257
You administer an Access Control Service namespace named ContosoACS that is used by a web application.
ContosoACS currently utilizes Microsoft and Yahoo accounts.

Several users in your organization have Google accounts and would like to access the web application through
ContosoACS.

You need to allow users to access the application by using their Google accounts.

What should you do?

A. Register the application directly with Google.
B. Edit the existing Microsoft Account identity provider and update the realm to include Google.
C. Add a new Google identity provider.
D. Add a new WS-Federation identity provider and configure the WS-Federation metadata to point to the
Google sign-in URL.

Correct Answer: C
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
Configuring Google as an identity provider eliminates the need to create and manage an authentication and
identity management mechanism. Familiar authentication procedures also improve the end-user experience.

References: http://msdn.microsoft.com/en-us/library/azure/gg185976.aspx

QUESTION 258
Your company network includes users in multiple directories.

You plan to publish a software-as-a-service application named SaasApp1 to Azure Active Directory.

You need to ensure that all users can access SaasApp1.

What should you do?

A. Configure the Federation Metadata URL
B. Register the application as a web application.
C. Configure the application as a multi-tenant.
D. Register the application as a native client application.

Correct Answer: C
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
When you get deeper into using Windows Azure Active Directory, you’ll run into new terminology. For
instance, is called "directory" is also referred to as a Windows Azure AD Tenant or simply as "tenant." This
stems from the fact that WAAD () Windows Azure Active Directory is a shared service for many clients. In
this service, every client gets its own separate space for which the client is the tenant. In the case of WAAD
this space is a directory. This might be a little confusing, because you can create multiple directories, in
WAAD terminology multiple tenants, even though you are a single client.
Multitenant Applications in Azure
A multitenant application is a shared resource that allows separate users, or "tenants," to view the
application as though it was their own. A typical scenario that lends itself to a multitenant application is one
in which all users of the application may wish to customize the user experience but otherwise have the
same basic business requirements. Examples of large multitenant applications are Office 365, Outlook.com,
and visualstudio.com.

References: http://msdn.microsoft.com/en-us/library/azure/dn151789.aspx

QUESTION 259
You administer a Microsoft Azure SQL Database database in the US Central region named contosodb.
Contosodb runs on a Standard tier within the S1 performance level.

You have multiple business-critical applications that use contosodb.

You need to ensure that you can bring contosodb back online in the event of a natural disaster in the US
Central region. You want to achieve this goal with the least amount of downtime.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Upgrade to S2 performance level.
B. Use active geo-replication.
C. Use automated Export.
D. Upgrade to Premium tier.
E. Use point in time restore.
F. Downgrade to Basic tier.

Correct Answer: BD
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
B: The Active Geo-Replication feature implements a mechanism to provide database redundancy within the
same Microsoft Azure region or in different regions (geo-redundancy).
One of the primary benefits of Active Geo-Replication is that it provides a database-level disaster recovery
solution. Using Active Geo-Replication, you can configure a user database in the Premium service tier to
replicate transactions to databases on different Microsoft Azure SQL Database servers within the same or
different regions. Cross-region redundancy enables applications to recover from a permanent loss of a
datacenter caused by natural disasters, catastrophic human errors, or malicious acts.

D: Active Geo-Replication is available for databases in the Premium service tier only.

References: http://msdn.microsoft.com/en-us/library/azure/dn741339.aspx

QUESTION 260
You manage two datacenters in different geographic regions and one branch office.

You plan to implement a geo-redundant backup solution.

You need to ensure that each datacenter is a cold site for the other.

You create a recovery vault. What should you do next?

A. Install the provider.
B. Upload a certificate to the vault.
C. Generate a vault key.
D. Set all virtual machines to DHCP.
E. Prepare System Center Virtual Machine Manager (SCVMM) servers.
F. Create mappings between the virtual machine (VM) networks.

Correct Answer: C
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:

Step 1: Create a Recovery Services vault

Step 2: Set up the source environment
Install the Azure Site Recovery Provider on VMM servers, and discover and register servers in the vault.
1. Click Prepare Infrastructure > Source.
2. In Prepare source, click + VMM to add a VMM server.
3. In Add Server, check that System Center VMM server appears in Server type.
4. Download the Azure Site Recovery Provider installation file.
5. Download the registration key. You need this when you install the Provider. The key is valid for five days
after you generate it.

Step 3: Set up the target environment
Step 4: Set up a replication policy

References: http://msdn.microsoft.com/en-us/library/azure/dn337345.aspx

QUESTION 261
Your company has two physical locations configured in a geo-clustered environment that includes:
System Center 2012 R2 Virtual Machine Manager
System Center 2012 R2 Data Protection Manager
SQL Server 2012
Windows Server 2012 R2 with the Hyper-V role
Over 100 virtual machines (VMs) in each physical location

Your company has recently signed up for Azure.

You plan to leverage your current network environment to provide a backup solution for your VMs.

You need to recommend a solution that ensures all VMs are redundant and deployable between locations. You
also want the solution to minimize downtime in the event of an outage at either physical location.

Which solution should you recommend?

A. Configure a backup vault in Azure and use Data Protection Manager to back up the Windows servers.
B. Use Data Protection Manager and back up the VMs in each location.
C. Use Azure Site Recovery in an on-premises to Azure protection configuration.
D. Use Azure Site Recovery in an on-premises to on-premises protection configuration.

Correct Answer: D
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
On-Premises to On-Premises (Hyper-V replication)
Replicated data is stored in the location specified on the target Hyper-V server.

References: http://azure.microsoft.com/en-us/documentation/articles/hyper-v-recovery-manager-configure-vault/

QUESTION 262
Your company network has two physical locations configured in a geo-clustered environment. You create a
Blob storage account in Azure that contains all the data associated with your company.

You need to ensure that the data remains available in the event of a site outage.

Which storage option should you enable?

A. Locally redundant storage
B. Geo-redundant storage
C. Zone-redundant storage
D. Read-only geo-redundant storage

Correct Answer: D
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
Introducing Read-only Access to Geo Redundant Storage (RA-GRS):
RA-GRS allows you to have higher read availability for your storage account by providing “read only” access to
the data replicated to the secondary location. Once you enable this feature, the secondary location may be
used to achieve higher availability in the event the data is not available in the primary region. This is an “opt-in”
feature which requires the storage account be geo-replicated.

References: https://msdn.microsoft.com/en-us/library/azure/dn727290.aspx

QUESTION 263
Your company has recently signed up for Azure.

You plan to register a Data Protection Manager (DPM) server with the Azure Backup service.

You need to recommend a method for registering the DPM server with the Azure Backup vault.

What are two possible ways to achieve this goal? Each correct answer presents a complete solution.

A. Import a self-signed certificate created using the makecert tool.
B. Import a self-signed certificate created using the createcert tool.
C. Import an X.509 v3 certificate with valid client authentication EKU.
D. Import an X.509 v3 certificate with valid server authentication EKU.

Correct Answer: AC
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
A: You can create a self-signed certificate using the makecert tool, or use any valid SSL certificate issued by a
Certification Authority (CA) trusted by Microsoft, whose root certificates are distributed via the Microsoft Root
Certificate Program.

C: The certificate must have a valid Client Authentication EKU.

You can create a self-signed client certificate by using the Makecert.exe command-line utility.

References: https://www.techveze.com/configuring-windows-azure-backup/

QUESTION 264
You administer an Azure Active Directory (Azure AD) tenant where Box is configured for:
Application Access
Password Single Sign-on

An employee moves to an organizational unit that does not require access to Box through the Access Panel.

You need to remove only Box from the list of applications only for this user.

What should you do?

A. Delete the user from the Azure AD tenant.
B. Delete the Box Application definition from the Azure AD tenant.
C. From the Management Portal, remove the user's assignment to the application.
D. Disable the user's account in Windows AD.

Correct Answer: C
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
Note: Use Azure AD to manage user access, provision user accounts, and enable single sign-on with Box.
Requires an existing Box subscription.

QUESTION 265
HOTSPOT

You have an Azure subscription that contains two Azure SQL Database servers named lpqd0zbr8y and
bk0b8kf65. lpqd0zbr8y contains a database named Orders.

You need to implement active geo-replication for the Orders database.

How should you construct the Azure PowerShell command? To answer, select the appropriate Azure
PowerShell segments in the answer area.

Hot Area:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
References: https://msdn.microsoft.com/en-us/library/dn720220.aspx

QUESTION 266
DRAG DROP

You have an application that uses an Azure SQL Database.

The database becomes corrupt and is not usable.

You must configure point in time recovery to replace the database.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-gb/blog/azure-sql-database-point-in-time-restore/

QUESTION 267
DRAG DROP

You are the server administrator for several on-premises systems.

You need to back up all the systems to the cloud by using Azure Backup.

In which order should you perform the actions? To answer, move all actions from the list of actions to the
answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
References: https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault

QUESTION 268
You have an Azure subscription that contains a backup vault named BV1. BV1 contains five protected servers.
Backups run daily. You need to modify the storage replication settings for the backups.

What should you do first?

A. Create a new backup vault.
B. Run the Remove-OBPolicy cmdlet.
C. Configure the backup agent properties on all five servers.
D. Run the Remove-OBFileSpec cmdlet.

Correct Answer: A
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
First create a new backup vault, then edit the storage replication settings and choose the new vault.

Incorrect Answers:
B: The Remove-OBPolicy cmdlet removes the currently set backup policy (OBPolicy object). This stops the
existing scheduled daily backups. If the DeleteBackup parameter is specified, then any data backed up
according to this policy on the online backup server is deleted. If the DeleteBackup parameter is not specified,
the existing backups are retained in accordance with the retention policy in effect when the backup was
created.
C: First create a new backup vault.
D: The Remove-OBFileSpec cmdlet removes the list of items to include or exclude from a backup, as specified
by the OBFileSpec object, from a backup policy (OBPolicy object).

References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq
https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault
https://azure.microsoft.com/en-gb/documentation/articles/backup-azure-backup-cloud-as-tape/

QUESTION 269
DRAG DROP

An organization has several web applications and uses Azure Active Directory (Azure AD). You are developing
a new web application that supports sign-on using the WS-Federation to Azure AD.

You need to describe the authentication process flow to your team.

In which order are the actions performed? To answer, move all actions from the list of actions to the answer
area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-authentication-scenarios/

QUESTION 270
You administer an Azure Active Directory (Azure AD) tenant that hosts a Software as a Service (SaaS)
application named MyApp.

You control access to MyApp by using the following two Azure AD groups:
a group named SaaSApp that contains 200 users
a group named AdminSaaS that contains 20 users

You need to revoke all access to MyApp for the SaaSApp group by using the least administrative effort.

What should you do?

A. Delete the tenant.
B. Revoke access to MyApp.
C. Delete the SaaSApp group from Azure AD.
D. Revoke application access from users belonging to the SaaSApp group.

Correct Answer: C
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
Management groups are containers that help you manage access, policy, and compliance across multiple
subscriptions. You can change, delete, and manage these containers to have hierarchies that can be used with
Azure Policy and Azure Role Based Access Controls (RBAC).

References: https://docs.microsoft.com/en-us/azure/governance/management-groups/manage

QUESTION 271
You administer an Azure SQL Database that runs in the S0 service tier. The database stores mission-critical
data.

You must meet the following requirements:

minimize costs associated with hosting the database in Azure
minimize downtime in the event of an outage
protect the database from unplanned events

What should you do?

A. Implement a secondary database in the paired region.
B. Ensure that secondary databases are online and readable at all times.
C. Create a continuously replicated copy.
D. Use backups in a geo-redundant Azure storage (GRS) location.

Correct Answer: A
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
An example of a paired region solution is Azure SQL Database Geo-Replication: you can configure
asynchronous replication of transactions to any region in the world; however, Microsoft recommends you to
deploy these resources in a paired region for most disaster recovery scenarios.

References: https://docs.microsoft.com/en-us/azure/best-practices-availability-paired-regions

QUESTION 272
DRAG DROP

You have an Azure Subscription.

You have an on-premises site that contains a server named Server1. Server1 runs Windows Server 2012 R2
and has a computer digital certificate named Cert1.

You need to ensure that you can back up Server1 to Azure.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault-classic

QUESTION 273
HOTSPOT

You plan to deploy an Azure SQL Database instance.

After deployment, the solution must meet the following requirements:

You must be able to restore the database to any point in time for the last 30 days.
In the event of a restore, data must be recovered by using the fastest available method.
SQL backups must be stored in up to four secondary regions.
You must minimize costs when configuring the databases.

You need to configure the secondary databases.

Which storage tier and method should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:

Box 1: Standard
Standard has 35 days of backup retention, which would suffice.
Box 2: Active geo-replication
Active geo-replication is designed as a business continuity solution that allows the application to perform quick
disaster recovery in case of a data center scale outage. If geo-replication is enabled, the application can initiate
failover to a secondary database in a different Azure region. Up to four secondaries are supported in the same
or different regions, and the secondaries can also be used for read-only access queries.

Incorrect:
Not Basic: Basic only has 7 days of backup retention and we need 30 days.

References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-service-tiers
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-geo-replication-overview#active-geo-replication-capabilities

QUESTION 274
You have an application that uses SQL Server in an Azure virtual machine (VM) to store data.

If the VM running the primary instance of SQL Server fails:

The application must automatically begin using a backup copy of the SQL Server data.
The recovery solution must guarantee that no data is lost.

If the primary datacenter fails:

There must be a way to manually switch to a secondary data center.
Some data loss is acceptable.

You create an active datacenter named AD1 and a passive datacenter named PD1. AD1 has two SQL Server
instances. PD1 has one SQL Server instance.

You need to implement the replication and failover solutions for the application.

What should you do?

A. In AD1, configure asynchronous replication and automatic failover. In PD1, configure synchronous
replication and manual failover from AD1.
B. In AD1, configure synchronous replication and automatic failover. In PD1, configure synchronous replication
and manual failover from AD1.
C. In AD1, configure synchronous replication and manual failover. In PD1, configure asynchronous replication
and manual failover from AD1.
D. In AD1, configure asynchronous replication and manual failover. In PD1, configure asynchronous replication
and manual failover from AD1.

Correct Answer: B
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:

QUESTION 275
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will
not appear in the review screen.

You manage an Azure SQL Database. The database has weekly backups that are stored in an Azure Recovery
Services vault.

You need to maximize the time that previous backup versions are stored.

Solution: You configure a retention policy that is set to 10 years.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
Store Azure SQL Database backups for up to 10 years.
Many applications have regulatory, compliance, or other business purposes that require you to retain database
backups beyond the 7-35 days provided by Azure SQL Database automatic backups. By using the long-term
backup retention feature, you can store your SQL database backups in an Azure Recovery Services vault for up
to 10 years.

References: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-long-term-retention

QUESTION 276
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will
not appear in the review screen.

You manage an Azure SQL Database. The database has weekly backups that are stored in an Azure Recovery
Services vault.

You need to maximize the time that previous backup versions are stored.

Solution: You configure a retention policy that is set to one year.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
Store Azure SQL Database backups for up to 10 years.
Many applications have regulatory, compliance, or other business purposes that require you to retain database
backups beyond the 7-35 days provided by Azure SQL Database automatic backups. By using the long-term
backup retention feature, you can store your SQL database backups in an Azure Recovery Services vault for up
to 10 years.

References: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-long-term-retention

QUESTION 277
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will
not appear in the review screen.

You manage an Azure SQL Database. The database has weekly backups that are stored in an Azure Recovery
Services vault.

You need to maximize the time that previous backup versions are stored.

Solution: You configure a retention policy that is set to 20 years.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
Store Azure SQL Database backups for up to 10 years.
Many applications have regulatory, compliance, or other business purposes that require you to retain database
backups beyond the 7-35 days provided by Azure SQL Database automatic backups. By using the long-term
backup retention feature, you can store your SQL database backups in an Azure Recovery Services vault for up
to 10 years.

References: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-long-term-retention

QUESTION 278
You create an Azure Recovery Services vault and download the backup agent installation file.

You need to complete the installation of the backup agent.

What should you do first?

A. Configure network throttling.
B. Set the storage replication option.
C. Download the vault credentials file.
D. Select the data to back up.

Correct Answer: C
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
After you have created the vault, prepare your infrastructure to back up files and folders by downloading and
installing the Microsoft Azure Recovery Services agent, downloading vault credentials, and then using those
credentials to register the agent with the vault.
You can install the agent after you have downloaded the vault credentials.

Note: On the Prepare infrastructure blade, click Download.

References: https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault

QUESTION 279
HOTSPOT

You plan to implement Azure Backup with virtual machines (VMs) that run Windows and Linux.
You need to ensure that the operating systems (OS) use supported encryption.

What should you use for each OS? To answer, select the appropriate encryption options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
Azure backup and restore of encrypted virtual machines is supported for both Windows and Linux virtual
machines using Azure Disk Encryption, which leverages the industry-standard BitLocker feature of Windows
and DM-Crypt feature of Linux to provide encryption of disks.

References: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/backup/backup-azure-vms-encryption.md

QUESTION 280
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will
not appear in the review screen.

You manage an Azure SQL Database. The database has weekly backups that are stored in an Azure Recovery
Services vault.

You need to maximize the time that previous backup versions are stored.

Solution: You configure a retention policy that is set to three years.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:

QUESTION 281
DRAG DROP

A company plans to integrate Azure Active Directory (Azure AD) and Google Apps using single sign-on (SSO).

You need to configure the federation and demonstrate SSO with an account named User1.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
The steps involved consist of two main building blocks:

1. Adding G Suite from the gallery
2. Configuring and testing Azure AD single sign-on.

References:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-google-apps-tutorial

QUESTION 282
DRAG DROP

A company has the following virtual machines (VMs) that run on VMware vSphere 6.5:

The company plans to replicate VMs to Azure with Azure Site Recovery.

You need to determine which VMs can be replicated.

For each VM, identify whether the VM can be replicated. To answer, drag the appropriate option to each VM.
Each answer may be used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:

VM1: Cannot be replicated
Windows Server 2008 R2 with at least SP1 required.

VM2: Can be replicated
Site Recovery supports replication of any workload running on a supported machine.
Windows operating system: 64-bit Windows Server 2016 (Server Core, Server with Desktop Experience),
Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 with at least SP1.

VM3: Can be replicated
Linux operating system: CentOS: 5.2 to 5.11, 6.1 to 6.10, 7.0 to 7.5

VM4: Can be replicated
Redhat Linux: Red Hat Enterprise Linux: 5.2 to 5.11, 6.1 to 6.10, 7.0 to 7.5

References: https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-support-matrix-to-azure

QUESTION 283
DRAG DROP

You deploy resources to Azure by using both the classic portal and Azure Resource Manager.

You need to back up each resource type to Azure.

Which backup methods should you use? To answer, drag the appropriate backup methods to the correct
deployment types. Each method may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
Classic portal: Azure StorSimple
Azure StorSimple is an integrated storage solution that manages storage tasks between on-premises devices
and Microsoft Azure cloud storage.

Resource Manager: Recovery Services vault
A Recovery Services vault is an entity that stores all the backups and recovery points you create over time. The
Recovery Services vault also contains the backup policy applied to the protected files and folders. When you
create a Recovery Services vault, you should also select the appropriate storage redundancy option.

References: https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault

QUESTION 284
A company plans to use Azure Active Directory (Azure AD) with Google Apps.

You add the Google Apps enterprise app to your Azure subscription and create the required user accounts.

You need to complete the single sign-on (SSO) configuration.

What should you do next?

A. Export the SAML signing certificate from Azure.
B. Add the Azure AD users to a security group to use by Google Apps.
C. Export the SAML signing certificate from Google Apps.
D. Assign an Azure AD Premium license to the Azure AD user accounts.

Correct Answer: B
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-google-apps-tutorial

QUESTION 285
DRAG DROP

A company plans to use Azure Security Center to monitor virtual machines (VMs).

All VMs that are deployed must have data collection enabled automatically. Data collection must be sent to a
custom workspace. An administrator observes that the Azure Security Center is not collecting data on existing
VM deployments.

You need to ensure that data collection is enabled for all VMs.

For each requirement, what should you do? To answer, drag the appropriate actions to the correct
requirements. Each action may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:

QUESTION 286
You have an Azure subscription that contains a backup vault named BV1.

BV1 contains five protected servers. Backups run daily.

You need to modify the storage replication settings for the backups.

What should you do first?

A. Create a new backup vault.
B. Modify the policies associated to BV1.
C. Uninstall the backup agent from the five servers.
D. Run the Remove-OBFileSpec cmdlet.

Correct Answer: B
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
You can edit the storage replication setting.

References: https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault

QUESTION 287
You use Azure Backup to back up a System Center Data Protection Manager Server.

You create a backup vault and add it to DPM server.

You need to ensure that you don't accrue any extra cost.

What steps should you take? Select all that apply.

A. Disable the Azure Backup agent
B. Reissue the vault credential file
C. Change the storage redundancy option
D. Change the retention policy

Correct Answer: CD
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
System Center Data Protection Manager (DPM) is a Microsoft backup solution. The configuration of this backup
solution is based on Protection Groups. A protection group contains several data sources that share the same
configuration, such as backup duration (Short-term or Long-term), retention range, etc.

References: https://www.tech-coffee.net/protection-groups-data-protection-manager/

QUESTION 288
DRAG DROP

You are designing the deployment of Azure Site Recovery with Hyper-V Replica. The environment does not
have System Center Virtual Machine Manager (VMM) deployed.

You need to instruct an implementation team to prepare the Azure environment for deployment.

Which three actions should you recommend be performed in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-tutorial

QUESTION 289
You administer an Azure SQL Database that runs in the S0 service tier. The database stores mission-critical
data.

You must meet the following requirements:


minimize costs associated with hosting the database in Azure
minimize downtime in the event of an outage
protect the database from unplanned events

What should you do?

A. Implement self-service point-in-time restore.


B. Ensure that secondary databases are online and readable at all times.
C. Create a continuously replicated copy.
D. Implement geo-replication only.

Correct Answer: D
Section: Topic 6, Manage Azure Security and Recovery Services
Explanation

Explanation/Reference:
Explanation:
The data in your Microsoft Azure storage account is always replicated to ensure durability and high availability.
Azure Storage replication copies your data so that it is protected from planned and unplanned events ranging
from transient hardware failures, network or power outages, massive natural disasters, and so on. You can
choose to replicate your data within the same data center, across zonal data centers within the same region,
and even across regions.

When you create a storage account, you can select one of the following replication options:
Locally redundant storage (LRS)
Zone-redundant storage (ZRS)
Geo-redundant storage (GRS)
Read-access geo-redundant storage (RA-GRS)

The following table provides a quick overview of the scope of durability and availability that each replication
strategy will provide you for a given type of event (or event of similar impact).
References: https://docs.microsoft.com/en-us/azure/storage/storage-redundancy#geo-redundant-storage

QUESTION 290
DRAG DROP

You manage virtual machines (VMs) that have been deployed in Azure.

An application that runs on a VM has a memory leak. When memory usage exceeds 80 percent, multiple
services must be restarted.

You need to automate the VM maintenance.

What should you do? To answer, drag the appropriate actions to the correct options. Each action may be used
once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:


Correct Answer:
Section: Topic 7, Manage Azure Operations
Explanation

Explanation/Reference:
Explanation:

Box 1: Create a Run As account


The runbook uses the AzureRunAsConnection Run As account to authenticate with Azure to perform the
management action against the VM.

Box 2: Create an alert

Box 3: Run a workbook

References: https://docs.microsoft.com/en-us/azure/automation/automation-create-alert-triggered-runbook

QUESTION 291
DRAG DROP

You have a runbook in Azure that evaluates the virtual machines (VMs) in a tenant and deallocates the VMs if
they are no longer needed. You use the PowerState to determine if a VM is running.

You need to deallocate only those VMs that are running at the time your runbook runs.

How should you complete the relevant Azure PowerShell script? To answer, drag the appropriate Azure
PowerShell cmdlets to the correct locations. Each Azure PowerShell cmdlet may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:
Section: Topic 7, Manage Azure Operations
Explanation

Explanation/Reference:
References: https://social.msdn.microsoft.com/Forums/sqlserver/en-US/24a74571-a118-4e17-9adc-308cc20b9d93/get-vm-powestate-in-stopstart-vms-runbook-arm-powershell-workflow-runbook?forum=azureautomation

QUESTION 292
You plan to use an Azure PowerShell runbook to start a virtual machine (VM) named VM1.

You need to add the code to the runbook.

Which code segment should you use?

A. Workflow Runbook1 {
Start-AzureRmVM -Name 'VM1' -ResourceGroupName 'RG1'
}
B. Workflow {
Start-AzureRmVM -Name 'VM1' -ResourceGroupName 'RG1'
}
C. Runbook {
Start-AzureRmVM -Name 'VM1' -ResourceGroupName 'RG1'
}
D. Runbook Runbook1{
Start-AzureRmVM -Name 'VM1' -ResourceGroupName 'RG1'
}
Correct Answer: A
Section: Topic 7, Manage Azure Operations
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/automation/automation-first-runbook-textual

QUESTION 293
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company plans to use Azure Automation.

Automation runbooks must be started from a single HTTP request.

You need to create the automation design.

Solution: You start a runbook using schedules.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 7, Manage Azure Operations
Explanation

Explanation/Reference:
Explanation:
The Schedule option does not allow for a runbook to be started from a single HTTP request.

References: https://docs.microsoft.com/en-us/azure/automation/automation-starting-a-runbook

QUESTION 294
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company plans to use Azure Automation.

Automation runbooks must be started from a single HTTP request.

You need to create the automation design.

Solution: You start a runbook using the Azure portal.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 7, Manage Azure Operations
Explanation

Explanation/Reference:
Explanation:
The Azure portal option does not allow for a runbook to be started from a single HTTP request.

References: https://docs.microsoft.com/en-us/azure/automation/automation-starting-a-runbook

QUESTION 295
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company plans to use Azure Automation.

Automation runbooks must be started from a single HTTP request.

You need to create the automation design.

Solution: You start a runbook by using Windows PowerShell.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 7, Manage Azure Operations
Explanation

Explanation/Reference:
Explanation:
The Windows PowerShell option does not allow for a runbook to be started from a single HTTP request.

References: https://docs.microsoft.com/en-us/azure/automation/automation-starting-a-runbook

QUESTION 296
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company plans to use Azure Automation.

Automation runbooks must be started from a single HTTP request.

You need to create the automation design.

Solution: You start a runbook using webhooks.


Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 7, Manage Azure Operations
Explanation

Explanation/Reference:
With webhooks, you can start a runbook from a single HTTP request.

References: https://docs.microsoft.com/en-us/azure/automation/automation-starting-a-runbook

QUESTION 297
DRAG DROP

You manage virtual machines (VMs) that are members of a VM scale set. You notice high memory utilization of
the VMs during peak times.

You create an Azure Automation account with run-as capabilities.

You need to scale the VMs only during peak times.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 7, Manage Azure Operations
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/automation/automation-webhooks
https://docs.microsoft.com/en-us/azure/automation/automation-create-alert-triggered-runbook

QUESTION 298
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You are planning to utilize Azure Log Analytics and Azure Monitor.

You have the following requirements:


Create work items automatically based on Azure Log Analytics alerts.
Synchronize incident and change request data from an Azure Log Analytics workspace.

You need to configure the environment.

Solution: You create an Operations Management Suite (OMS) workspace.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 7, Manage Azure Operations
Explanation

Explanation/Reference:
Explanation:
Use IT Service Management Connector (ITSMC), not an Operations Management Suite (OMS) workspace.
With ITSMC, you can:
Create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log
Analytics alerts).
Optionally, you can sync your incident and change request data from your ITSM tool to an Azure Log
Analytics workspace.

References: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-tutorial-response

QUESTION 299
DRAG DROP

You publish a multi-tenant application named MyApp to Azure Active Directory (Azure AD).

You need to ensure that only directory administrators from the other organizations can access MyApp's web
API.

How should you configure MyApp's manifest JSON file? To answer, drag the appropriate PowerShell command
to the correct location in the application's manifest JSON file. Each value may be used once, more than once,
or not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:

Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:

QUESTION 300
You administer a DirSync server configured with Azure Active Directory (Azure AD).

You need to provision a user in Azure AD without waiting for the default DirSync synchronization interval.

What are two possible ways to achieve this goal? Each correct answer presents a complete solution.

A. Restart the DirSync server.


B. Run the Start-OnlineCoexistenceSync PowerShell cmdlet.
C. Run the Enable-SyncShare PowerShell cmdlet.
D. Run the Azure AD Sync tool ConfigurationWizard.
E. Replicate the Directory in Active Directory Sites and Services.

Correct Answer: BD
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
If you don’t want to wait for the recurring synchronizations that occur every three hours, you can force directory
synchronization at any time.

B: Force directory synchronization using Windows PowerShell


You can use the directory synchronization Windows PowerShell cmdlet to force synchronization. The cmdlet is
installed when you install the Directory Sync tool.
On the computer that is running the Directory Sync tool, start PowerShell, type Import-Module DirSync, and
then press ENTER.
Type Start-OnlineCoexistenceSync, and then press ENTER.

D: Azure Active Directory Sync Services (AAD Sync)


In September 2014 the Microsoft Azure AD Sync tool was released. This changed how manual sync requests
are issued.

To perform a manual update, we now use the DirectorySyncClientCmd.exe tool. The Delta and Initial
parameters are added to the command to specify the relevant task.

This tool is located in: C:\Program Files\Microsoft Azure AD Sync\Bin

References: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/

QUESTION 301
DRAG DROP

Fourth Coffee has an on-premises, multiple-forest Active Directory (AD) domain. The company hosts web
applications and mobile application services. Fourth Coffee uses Microsoft Office 365 and uses Azure Active
Directory (Azure AD).

You have the following requirements:


The on-premises Active Directory and Azure AD need to be connected to provide a single sign-on
experience for users.
Users must be directed to your on-premises AD to log in when they authenticate with cloud services.
Password changes that originate with Azure AD must be written back to your on-premises directory.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References:
https://azure.microsoft.com/en-gb/documentation/articles/active-directory-passwords-getting-started/#writeback-prerequisites
https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnect-get-started-custom/

QUESTION 302
A company is developing a new on-premises desktop application.

The app must be able to access Azure Active Directory (Azure AD) in addition to the on-premises Active
Directory.

You need to configure the application.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Install and run Azure AD Connect


B. Add an application manifest JSON file to the application and configure the oauth2Permissions section.
C. Update the application to be multi-tenant.
D. Update the application to use OAuth 2.0 authentication.
E. In the Azure Management portal, register the application.

Correct Answer: AE
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:

QUESTION 303
You are the global administrator for a company’s Azure subscription. The company uses Azure Active Directory
Premium and the Application Access Panel. You are configuring access to a Software as a Service (SaaS)
application.

You need to ensure that the sales team lead is able to manage user access to the application but is unable to
modify administrative access to the application.

In the Azure portal, what should you do?

A. Create an Azure group and assign it to the SaaS application. Create an Azure user with the User Admin
role, and assign the user as the owner of the new group.
B. Create an Azure group and assign it to the SaaS application. Create an Azure user with the Service Admin
role, and assign the user as the owner of the new group.
C. Set the values of the Delegated group management and Users can create groups settings to Enabled.
D. Create an Azure group and assign it to the SaaS application. Create an Azure user with the Global Admin
role, and assign the user as the owner of the new group.

Correct Answer: A
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:

QUESTION 304
You have an Azure subscription.

You create an Azure Active Directory (Azure AD) tenant named Tenant1.
You need to configure the integration of Tenant1 and Google Apps.

You perform the required configuration on the Google Apps tenant.

Which three actions should you perform from the Azure Management Portal? Each correct answer presents
part of the solution.

A. Configure directory integration.


B. Enable application integration
C. Add a custom domain.
D. Configure Single Sign-On (SSO)
E. Add a multi-factor authentication provider.

Correct Answer: ABD
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-saas-google-apps-tutorial/

QUESTION 305
HOTSPOT

You federate your on-premises Active Directory with Azure Active Directory (Azure AD) by using Active
Directory Federation Services (AD FS) 2.0. You plan to secure cloud and on-premises resources by using an
Azure Multi-Factor Authentication (MFA) server. You install the MFA server on the AD FS proxy server. You
configure the MFA server and successfully import all AD users into the MFA user database.

Development teams in your organization must be able to secure their non-browser based apps.
You need to document the authentication mechanisms.

For each requirement, which authentication mechanism is used? To answer, select the appropriate
authentication mechanism from each list in the answer area.

Hot Area:
Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication-get-started-adfs

QUESTION 306
You have an application that needs to use single sign-on (SSO) between the company’s Azure Active Directory
(Azure AD) and the on-premises Windows Server 2012 R2 Active Directory. You configure the application to
use Integrated Windows Authentication (IWA). You install an Application Proxy connector in the same domain
as the server that is publishing the application.

You need to configure the published application in Azure AD to enable SSO.

What should you do?

A. Set the external authentication method to IWA.


B. Set the preauthentication method to Pass through.
C. Set the internal authentication method to IWA.
D. Enable an access rule to require Multi-Factor Authentication.

Correct Answer: C
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-sso-using-kcd

QUESTION 307
You plan to implement Azure AD Connect. You have an Active Directory Domain Services domain named
Contoso.

You need to determine if the organization’s Active Directory is compatible with Azure AD Connect.

Which command should you run?

A. dsquery * cn=schema,cn=configuration,dc=contoso,dc=local -scope base -attr objectVersion


B. nslookup finger contoso/objectVersion > > scope
C. ldifde -scope contoso -o domain -l objectVersion -p schema
D. csvde -i -s -j domain/schema -r objectVersion -b contoso -o local

Correct Answer: A
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References:
http://rickardnobel.se/verify-schema-versions-on-all-domain-controllers/
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnect-prerequisites

QUESTION 308
A company has an existing on-premises Active Directory environment that is synchronized using DirSync. They
plan to transition the DirSync deployment to Azure Active Directory (Azure AD) Connect.

You need to identify a transition path for the company.

What should you do?

A. Install a new on-premises domain controller.


B. Create a new Azure AD instance.
C. Upgrade the on-premises Active Directory Domain Service (AD DS) forest functional level to Windows
Server 2016.
D. Deploy Azure AD Connect in parallel.

Correct Answer: D
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References: https://docs.microsoft.com/gl-es/azure/active-directory/connect/active-directory-aadconnect-dirsync-deprecated#how-to-transition-to-azure-ad-connect

QUESTION 309
HOTSPOT
You plan to use Azure Active Directory (Azure AD) Connect Health to monitor Azure AD and on-premises
Active Directory Domain Services (AD DS).

You need to obtain the appropriate license type and ensure that you monitor the servers.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References: https://azure.microsoft.com/en-us/pricing/details/active-directory/

QUESTION 310
DRAG DROP

You plan to integrate Azure Active Directory (Azure AD) with the following custom applications:

You need to configure the web API permissions for the apps.

Which permission type should you use for each app? To answer, drag the appropriate permission types to the
correct apps. Each permission type may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:


Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-apps-permissions-consent
https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/web-api

QUESTION 311
A company has an Azure subscription and plans to deploy virtual machines (VMs).

The company needs to use an Azure Active Directory Domain Services (Azure AD DS) domain with the VMs.

You need to ensure that you can join the VMs to the Azure AD DS domain.

What should you do?

A. Place the VMs in the same resource group as a domain controller.


B. Place the VMs on the same virtual network as the Azure AD DS domain.
C. Create an AD DS domain controller on a VM.
D. Create a custom domain in the Azure subscription.

Correct Answer: B
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-join-windows-vm-portal

QUESTION 312
HOTSPOT

A company plans to use Facebook to integrate authentication.

You need to configure the business-to-consumer (B2C) connection.

Which two security settings must you obtain? To answer, configure the appropriate options in the dialog box in
the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
To use Facebook as an identity provider in Azure Active Directory (Azure AD) B2C, you need to create a
Facebook application and supply it with the right parameters. You need a Facebook account to do this.
See step 10 below: Copy the value of App ID. Click Show and copy the value of App Secret. You will need
both of them to configure Facebook as an identity provider in your tenant. App Secret is an important security
credential.

Note:
1. Go to the Facebook for developers website and sign in with your Facebook account credentials.
2. If you have not already done so, you need to register as a Facebook developer. To do this, click Register
(on the upper-right corner of the page), accept Facebook's policies, and complete the registration steps.
3. Click My Apps and then click Add a New App.
4. In the form, provide a Display Name and a valid Contact Email.
5. Click Create App ID. This may require you to accept Facebook platform policies and complete an online
security check.
6. In the left column, click Settings and then select Basic if not selected already.
7. Select a Category.
8. Click + Add Platform and select Website.
9. Enter https://login.microsoftonline.com/ in the Site URL field and then click Save Changes at the bottom of
the page.
10. Copy the value of App ID. Click Show and copy the value of App Secret. You will need both of them to
configure Facebook as an identity provider in your tenant. App Secret is an important security credential.
11. Click + Add Product on the left navigation and then the Set Up button for Facebook Login.
12. Click Settings on the right nav under Facebook Login.

References: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-fb-app

QUESTION 313
A company has an Azure subscription and plans to deploy virtual machines (VMs).

The company needs to use an Azure Active Directory Domain Services (Azure AD DS) domain with the VMs.
You need to ensure that you can join the VMs to the Azure AD DS domain.

Solution: Create a dedicated virtual network for Azure AD DS.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:

You need to enable Azure AD DS for the existing directory.

References:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started

QUESTION 314
A company has an Azure subscription and plans to deploy virtual machines (VMs). The company needs to use
an Azure Active Directory Domain Services (Azure AD DS) domain with the VMs.

You need to ensure that you can join the VMs to the Azure AD DS domain.

Solution: Create an on-premises AD DS domain.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
Azure AD Domain Services must be enabled for the Azure AD directory. If you haven't done so, follow all the
tasks outlined in the Getting Started guide.

References: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-domain

QUESTION 315
A company uses Azure AD Connect to synchronize on-premises and Azure identities. The company uses
Active Directory Federation Services (AD FS) for external users. The AD FS servers run on Windows Server
2016.
You need to ensure that Azure AD Connect Health can analyze all AD FS audit logs.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. On the AD FS servers, enable security auditing.


B. On the Azure AD Connect server, enable security auditing.
C. On the Azure AD Connect server, set the audit level to Verbose.
D. On the AD FS servers, set the audit level to Verbose.

Correct Answer: AD
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
A: In order for the Usage Analytics feature to gather and analyze data, the Azure AD Connect Health agent
needs the information in the AD FS Audit Logs. These logs are not enabled by default. Use the following
procedures to enable AD FS auditing and to locate the AD FS audit logs, on your AD FS servers.
Etc.

D: -- The following steps are only required for primary AD FS servers. --


Open the AD FS Management snap-in (in Server Manager, click Tools, and then select AD FS Management).
In the Actions pane, click Edit Federation Service Properties.
In the Federation Service Properties dialog box, click the Events tab.
Select the Success audits and Failure audits check boxes and then click OK. This should be enabled by
default.
Open a PowerShell window and run the following command: Set-AdfsProperties -AuditLevel Verbose.

References: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-agent-install#enable-auditing-for-ad-fs

QUESTION 316
You plan to use Azure Active Directory Connect Health to monitor Azure AD and on-premises Active Directory
Domain Services.

You need to obtain the appropriate license type and ensure that you monitor the server.

What should you do?

A. Azure AD Standard
B. Azure AD Premium
C. Enterprise Mobility + Security
D. Operations Management Suite

Correct Answer: B
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
Azure AD Premium enables hybrid users to seamlessly access on-premises and cloud capabilities.

References: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis

QUESTION 317
A company synchronizes on-premises Active Directory Domain Services (AD DS) user accounts to Azure
Active Directory (Azure AD).

You need to monitor the latency of synchronization operations.

Which tool should you use?

A. Azure AD Connect Health


B. DirSync
C. Azure AD Connect
D. Azure AD Sync

Correct Answer: A
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
You can monitor Active Directory Domain Services and Azure AD Connect (Sync) with Azure AD Connect
Health.

References: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-sync

QUESTION 318
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution. Determine whether the solution meets the stated goals.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company has deployed web apps by using Azure Active Directory (Azure AD) Application Proxy. The
company plans to enable multi-factor authentication for the web apps. All users have Microsoft Exchange
Online email accounts using Office 365.

You need to ensure that users in Azure AD and on-premises Active Directory Domain Services (AD DS) can
authenticate with the web apps.

Solution: You synchronize on-premises and Azure passwords with Azure AD Connect.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:

QUESTION 319
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution. Determine whether the solution meets the stated goals.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company has deployed web apps by using Azure Active Directory (Azure AD) Application Proxy. The
company plans to enable multi-factor authentication for the web apps. All users have Microsoft Exchange
Online email accounts using Office 365.

You need to ensure that users in Azure AD and on-premises Active Directory Domain Services (AD DS) can
authenticate with the web apps.

Solution: You deploy Office 365 Multi-Factor Authentication for Exchange Online.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:

QUESTION 320
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution. Determine whether the solution meets the stated goals.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company has deployed web apps by using Azure Active Directory (Azure AD) Application Proxy. The
company plans to enable multi-factor authentication for the web apps. All users have Microsoft Exchange
Online email accounts using Office 365.

You need to ensure that users in Azure AD and on-premises Active Directory Domain Services (AD DS) can
authenticate with the web apps.

Solution: You deploy an Azure Multi-Factor Authentication server on-premises.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:

QUESTION 321
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company has an Azure subscription and plans to deploy virtual machines (VMs).

The company needs to use an Azure Active Directory Domain Services (Azure AD DS) domain with the VMs.

You need to ensure that you can join the VMs to the Azure AD DS domain.

Solution: Install AD DS on an Azure VM.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: B
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:

QUESTION 322
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

A company has an Azure subscription and plans to deploy virtual machines (VMs).

The company needs to use an Azure Active Directory Domain Services (Azure AD DS) domain with the VMs.

You need to ensure that you can join the VMs to the Azure AD DS domain.

Solution: Enable Azure AD DS for the existing directory.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer: A
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started

QUESTION 323
HOTSPOT

A company uses Azure to host virtual machines (VMs) and web apps. You have the following web apps: App1
and App2. You deploy the web apps as app services.

You need to ensure that you can enable multi-factor authentication (MFA) for App1 and App2.

What solution should you implement for each requirement? To answer, select the appropriate option in the
answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
Box 1: Enterprise Mobility + Security
The Enterprise Mobility Suite (EMS) subscription includes Azure AD Premium, which includes the Multi-Factor
Authentication feature.
Box 2: user accounts
Configure the mobile app settings in the Azure Multi-Factor Authentication Server

References: https://blogs.technet.microsoft.com/hybridcloudbp/2016/08/19/hybrid-cloud-identity-part-3-multi-factor-authentication/

QUESTION 324
Your company network includes an On-Premises Windows Active Directory (AD) that has a DNS domain
named contoso.local and an email domain named contoso.com. You plan to migrate from On-Premises
Exchange to Office 365.

You configure DirSync and set all Azure Active Directory (Azure AD) usernames as %username%@contoso.com.

You need to ensure that each user is able to log on by using the email domain as the username.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Verify the email domain in Azure AD domains.
B. Run the Set-MsolUserPrincipalName -UserPrincipalName %username%@contoso.onmicrosoft.com
-NewUserPrincipalName %username%@contoso.com PowerShell cmdlet.
C. Edit the ProxyAddress attribute on the On-Premises Windows AD user account.
D. Verify the Windows AD DNS domain in Azure AD domains.
E. Update the On-Premises Windows AD user account UPN to match the email address.

Correct Answer: AB
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
If you have already set up Active Directory synchronization, the user’s UPN may not match the user’s
on-premises UPN defined in Active Directory. To fix this, rename the user’s UPN using the
Set-MsolUserPrincipalName cmdlet in the Microsoft Azure Active Directory Module for Windows PowerShell.
The email domain (Contoso.com) needs to be verified in Office 365.

References: https://msdn.microsoft.com/en-us/library/azure/jj151786.aspx

QUESTION 325
You develop a Windows Store application that has a web service backend.
You plan to use the Azure Active Directory Authentication Library to authenticate users to Azure Active
Directory (Azure AD) and access directory data on behalf of the user.

You need to ensure that users can log in to the application by using their Azure AD credentials.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Create a native client application in Azure AD.
B. Configure directory integration.
C. Create a web application in Azure AD.
D. Enable workspace join.
E. Configure an Access Control namespace.

Correct Answer: BC
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
B: An application that wants to outsource authentication to Azure AD must be registered in Azure AD, which
registers and uniquely identifies the app in the directory.

C: The Windows Store application calls a web API that is secured with Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
https://github.com/AzureADSamples/NativeClient-WindowsStore

QUESTION 326
Your company plans to migrate from On-Premises Exchange to Office 365.

The existing directory has numerous service accounts in your On-Premises Windows Active Directory (AD),
stored in separate AD Organizational Units (OU) for user accounts.

You need to prevent the service accounts in Windows AD from syncing with Azure AD.

What should you do?

A. Create an OU filter in the Azure AD Module for Windows PowerShell.
B. Configure directory partitions in miisclient.exe.
C. Set Active Directory ACLs to deny the DirSync Windows AD service account MSOL_AD_SYNC access to
the service account OUs.
D. Create an OU filter in the Azure Management Portal.

Correct Answer: B
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
One customer was looking for OU-level filtering to import selected users from on-premises Active
Directory to Office 365.

Configure OU-level filtering for Office 365 directory synchronization:

1. Log in to your domain controller.
2. Create an OU (Organisational Unit) in your AD (Active Directory).
   a. In my case I named it "DirSync".
3. Move all those users you want to sync to that DirSync OU.
4. From your DirSync Server, navigate to <Drive>\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
5. Double-click miisclient.exe.
6. This opens a console similar to the below screen capture.
7. In Identity Manager, click Management Agents, and then double-click SourceAD.
8. Click Configure Directory Partitions, and then click Containers, as shown in the below screen capture.
9. Click OK on the SourceAD Properties page.
10. Perform a full sync: on the Management Agent tab, right-click SourceAD, click Run, click Full Import Full
Sync, and then click OK.

References: http://blogs.msdn.com/b/denotation/archive/2012/11/21/installing-and-configure-dirsync-with-ou-level-filtering-for-office365.aspx

QUESTION 327
You manage an Azure Active Directory (AD) tenant.

You plan to allow users to log in to a third-party application by using their Azure AD credentials.

To access the application, users will be prompted for their existing third-party user names and passwords.

You need to add the application to Azure AD.

Which type of application should you add?

A. Existing Single Sign-On with identity provisioning
B. Password Single Sign-On with identity provisioning
C. Existing Single Sign-On without identity provisioning
D. Password Single Sign-On without identity provisioning

Correct Answer: D
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
Configuring password-based single sign-on enables the users in your organization to be automatically signed in
to a third-party SaaS application by Azure AD using the user account information from the third-party SaaS
application. When you enable this feature, Azure AD collects and securely stores the user account information
and the related password.

References: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-appssoaccess-whatis/

QUESTION 328
You plan to use Password Sync on your DirSync Server with Azure Active Directory (Azure AD) on your
company network. You configure the DirSync server and complete an initial synchronization of the users.

Several remote users are unable to log in to Office 365. You discover multiple event log entries for "Event ID
611 Password synchronization failed for domain."

You need to resolve the password synchronization issue.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Restart Azure AD Sync Service.
B. Run the Set-FullPasswordSync PowerShell cmdlet.
C. Force a manual synchronization on the DirSync server.
D. Add the DirSync service account to the Schema Admins domain group.

Correct Answer: BC
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
To perform a full password sync, follow these steps, as appropriate for the Azure AD sync appliance that you're
using.
If you're using the Azure Active Directory Sync tool
1. On the server where the tool is installed, open PowerShell, and then run the following command:
Import-Module DirSync
2. Run the following commands:
Set-FullPasswordSync
Restart-Service FIMSynchronizationService -Force

Note: Forefront Identity Manager Synchronization Service (FIM Synchronization Service) is a component of
Forefront Identity Manager (FIM). It is a centralized service that stores and integrates information for
organizations that have multiple directories.

References: https://365lab.net/tag/set-fullpasswordsync/

QUESTION 329
DRAG DROP

Your company network includes a single forest with multiple domains. You plan to migrate from On-Premises
Exchange to Exchange Online.

You want to provision the On-Premises Windows Active Directory (AD) and Azure Active Directory (Azure AD)
service accounts.

You need to set the required permissions for the Azure AD service account.

Which settings should you use? To answer, drag the appropriate permission to the service account. Each
permission may be used once, more than once, or not at all. You may need to drag the split bar between panes
or scroll to view content.

Select and Place:

Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
When you run the Directory Sync tool Configuration Wizard, you must provide the following information:
Enterprise admin credentials for the on-premises Active Directory schema
Global admin credentials for the Microsoft cloud service

References: https://support.microsoft.com/kb/2684395?wa=wsignin1.0

QUESTION 330
HOTSPOT

You administer an Azure Active Directory (Azure AD) tenant.

You add a custom application to the tenant.

The application must be able to:

Read data from the tenant directly.
Write data to the tenant on behalf of a user.

In the table below, identify the permission that must be granted to the application. Make only one selection in
each column.

Hot Area:

Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:

You can select from two types of permissions in the drop-down menus next to the desired Web API:
Application Permissions: Your client application needs to access the Web API directly as itself (no user
context). This type of permission requires administrator consent and is also not available for Native client
applications.
Delegated Permissions: Your client application needs to access the Web API as the signed-in user, but with
access limited by the selected permission. This type of permission can be granted by a user unless the
permission is configured as requiring administrator consent.

References: https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/

QUESTION 331
Your company plans to migrate from On-Premises Exchange to Exchange Online in Office 365.

You plan to integrate your existing Active Directory Domain Services (AD DS) infrastructure with Azure AD.

You need to ensure that users can log in by using their existing AD DS accounts and passwords. You need to
achieve this goal by using minimal additional systems.

Which two actions should you perform? Each answer presents part of the solution.

A. Configure Password Sync.
B. Set up a DirSync Server.
C. Set up an Active Directory Federation Services Server.
D. Set up an Active Directory Federation Services Proxy Server.

Correct Answer: AB
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
References: http://msdn.microsoft.com/en-us/library/azure/dn441214.aspx

QUESTION 332
You manage a software-as-a-service application named SaasApp1 that provides user management features in
a multi-directory environment.

You plan to offer SaasApp1 to other organizations that use Azure Active Directory.

You need to ensure that SaasApp1 can access directory objects.

What should you do?

A. Configure the Federation Metadata URL.
B. Register SaasApp1 as a native client application.
C. Register SaasApp1 as a web application.
D. Configure the Graph API.

Correct Answer: D
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
The Azure Active Directory Graph API provides programmatic access to Azure AD through REST API
endpoints. Applications can use the Graph API to perform create, read, update, and delete (CRUD) operations
on directory data and objects. For example, the Graph API supports the following common operations for a
user object:
Create a new user in a directory
Get a user’s detailed properties, such as their groups
Update a user’s properties, such as their location and phone number, or change their password
Check a user’s group membership for role-based access
Disable a user’s account or delete it entirely

References: http://msdn.microsoft.com/en-us/library/azure/hh974476.aspx

QUESTION 333
DRAG DROP

You plan to enable self-service password reset (SSPR) for users in Azure Active Directory (Azure AD). You
have the following requirements:
Users must configure the maximum number of security questions to register for SSPR.
Users must be prompted with the least number of security questions to perform a password reset.

You need to configure SSPR.

How should you configure the security questions? To answer, drag the appropriate values to the correct
settings. Each value may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
Q: Is it possible to set a minimum limit of security questions for registration and reset?

A: Yes, one limit can be set for registration and another for reset. Three to five security questions can be
required for registration, and three to five questions can be required for reset.

References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq

QUESTION 334
A company plans to use Azure Active Directory (Azure AD) Connect Health to monitor Usage Analytics with
Active Directory Federation Services (AD FS). Single sign-on (SSO) has been configured with Azure AD
Connect and AD FS.

You need to ensure that monitoring data is displayed in Azure AD Connect Health.

What should you do?

A. Subscribe to an Azure AD Premium P1 plan.
B. Subscribe to an Azure AD Premium P2 plan.
C. Enable auditing for AD FS.
D. Create an Operations Management Suite (OMS) workspace.

Correct Answer: A
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
Azure AD Premium enables hybrid users to seamlessly access on-premises and cloud capabilities.
Note: How many licenses do I need to monitor my infrastructure?
The first Connect Health Agent requires at least one Azure AD Premium license.
Each additional registered agent requires 25 additional Azure AD Premium licenses.

Connect Health is supported both by the P1 and P2 plan.

References: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis

QUESTION 335
DRAG DROP

You manage virtual machines (VMs) that are joined to an Azure Active Directory (Azure AD) Domain Services
domain.

A dedicated account must be used to modify the default Group Policy applied to the VM. The account must
follow the principle of least privilege.

You need to modify the policy.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:

Box 1: Add the user account to the AAD DC Administrators group

You need the credentials of a user account belonging to the 'AAD DC Administrators' group in your directory, to
administer Group Policy for your managed domain.

Box 2: Launch the Group Policy Management Console on a domain-joined VM.

Box 3: Customize the AADDC Computers Group Policy Object

Azure Active Directory Domain Services includes built-in Group Policy Objects (GPOs) for the 'AADDC Users'
and 'AADDC Computers' containers. You can customize these built-in GPOs to configure Group Policy on the
managed domain.

References: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-group-policy

QUESTION 336
You have an Azure subscription.

You create an Azure Active Directory (Azure AD) tenant named Tenant1 that has a domain name of
tenant1.onmicrosoft.com. You need to add the contoso.com domain name to Tenant1.

Which DNS record should you add to the contoso.com zone to be able to verify from Azure whether you own
the contoso.com domain?

A. text (TXT)
B. host (AAAA)
C. host information (HINFO)
D. standard alias (CNAME)

Correct Answer: A
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
You can use a TXT record or, alternatively, an MX record. As an MX record isn’t an option, the only option left
is TXT. You would add the MS=xxxxxxxxx value to this record.

References:
https://stackoverflow.com/questions/22380653/verify-a-domain-name-in-azure-active-directory
https://docs.microsoft.com/en-us/azure/active-directory/add-custom-domain#add-a-dns-entry-forthe-domain-name-at-the-domain-name-registrar

QUESTION 337
A company plans to deploy Linux virtual machines (VM) in Azure.

The VM configuration and applications must be managed automatically.

You need to propose a solution to configure and manage the VMs.

What should you recommend?

A. Resource Manager Templates
B. Puppet
C. Xplat Command-Line Interface (CLI)
D. Application Gateway

Correct Answer: B
Section: Topic 8, Manage Azure Identities
Explanation

Explanation/Reference:
Explanation:
Deploying Puppet-managed virtual machines is now as easy as deploying any VM in Azure.
Creating a virtual Linux machine (using Ubuntu 14.04) takes about five minutes. Once the machine has been
created, Puppet will run a set of install scripts for approximately 10 minutes.

References: https://puppet.com/blog/get-started-azure-puppet
