PracticeTest AZ 104
Question 1 of 50
Your Microsoft Entra tenant and on-premises Active Directory domain contain multiple users.
You need to configure self-service password reset (SSPR) password writeback functionality. The solution must
minimize costs.
Your Answer
Microsoft Entra ID P1
Correct Answer
Microsoft Entra ID P1
Only Microsoft Entra ID P1 and P2 support SSPR, but Microsoft Entra ID P1 is the lower cost option.
Enable Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Learn
What is self-service password reset in Azure Active Directory? - Training | Microsoft Learn
Question 2 of 50
You have an Azure subscription that contains multiple users and administrators.
You are creating a new custom role by using the following JSON.
{
  "Id": null,
  "IsCustom": true,
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
    "Microsoft.Compute/snapshots/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}
Which three actions can be performed by a user that is assigned the custom role? Each correct answer presents a
complete solution.
Your Answer
Call Microsoft Support.
Correct Answer
Call Microsoft Support.
The role allows reading all compute resources, calling Microsoft Support, and creating and reading snapshots.
Question 3 of 50
You have the following resource groups, management groups, and Azure subscriptions:
Two resource groups named RG1 and RG2 that are associated with a subscription named 111-222-
Two resource groups named RG3 and RG4 that are associated with a subscription named 777-888-
Two resource groups named RG5 and RG6 that are associated with a subscription named 444-555-
Two resource groups named RG11 and RG12 that are associated with a subscription named 555-666-
You need to assign a role to a user to ensure the user can view all the resources in the subscriptions. The solution
Your Answer
the Reader role for MG1 and MG2
Correct Answer
the Reader role for MG1 and MG2
Assigning the Reader role for MG1 and MG2 is correct because the simplest way to give user access to all resources is
Question 4 of 50
You need to ensure that a user named User1 can view all the resources in a resource group named RG1. You must use
Your Answer
Reader
Correct Answer
Reader
The Reader role allows you to view all the resources but does not allow you to make any changes. The Contributor
role allows you to manage all the resources, the Billing Reader role provides read access only to billing data, and the
Tag Contributor role allows you to manage entity tags without providing access to the entities themselves.
Question 5 of 50
The solution must prevent User1 from assigning roles to other users.
Which Azure role-based access control (RBAC) role should you assign to User1?
Your Answer
Contributor
Correct Answer
Contributor
Users with the Contributor role can create and manage all types of resources but cannot delegate new access to other
users. Users with the Reader role can view existing Azure resources but cannot perform any action against them. Users
with the API Management Service Contributor role can only manage API Management services and APIs. Users with
the Owner role have full access to all resources, including the right to delegate access to others.
Question 6 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine that runs
daily reports.
You need to ensure that the virtual machine shuts down when resource group costs exceed 75 percent of the
allocated budget.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Create an action group of type Runbook, and then select Scale Up VM.
Correct Answer
Create an action group of type Runbook, and then select **Stop VM** as an action.
You must go to Cost Management + Billing, and then Budgets to edit the budget associated with the resource group
resources. You must also create a new action group of the Runbook type, and then choose Stop VM as an action. The
cost analysis will not stop the virtual machine from running and the Scale Up VM action group is not required.
Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft Learn
Configure subscriptions - Training | Microsoft Learn
Question 7 of 50
To which three resource types can you apply delete locks? Each correct answer presents a complete solution.
Your Answer
management groups
Correct Answer
resource groups
You can use delete locks to block the deletion of virtual machines, subscriptions, and resource groups. You cannot use
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
Question 8 of 50
You need to ensure that each virtual machine is associated to a specific department for reporting purposes.
Your Answer
tags
Correct Answer
tags
Tags are metadata elements that can be applied to Azure resources. Tags can be used for tracking resources such as
virtual machines and associating each resource to a department for billing and reporting purposes.
Administrative units are containers used for delegating administrative roles to manage a specific portion of Microsoft
Management groups are containers that can be used to manage access, policy, and compliance across multiple Azure
subscriptions.
Azure Storage accounts contain Azure Storage data objects, including blobs, file shares, queues, tables, and disks. A
Tag resources, resource groups, and subscriptions for logical organization - Azure Resource Manager | Microsoft
Learn
Question 9 of 50
You need to include remediation information to indicate when users use Microsoft Defender for Cloud Regulatory
and Compliance.
To which definition section should you add remediation information for Policy1?
Your Answer
metadata
Correct Answer
metadata
You must use the RemediationDescription field in the metadata section from properties to specify a custom
recommendation. The remaining options are Azure policies, but do not allow specific custom remediation
information.
Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn
Question 10 of 50
All users in contoso.com are currently able to invite external users to B2B collaboration.
You need to ensure that only members of the Guest Inviter, User Administrator, and Global Administrator roles can
Your Answer
Conditional Access
This answer is incorrect.
Correct Answer
External collaboration settings
External collaboration settings let you specify which roles in your organization can invite external users for B2B
collaboration. These settings also include options for allowing or blocking specific domains and options for restricting
what external guest users can see in your Microsoft Entra directory.
Conditional Access allows you to apply rules to strengthen authentication and block access to resources from
unknown locations.
Cross-tenant access settings are used to configure collaboration with a specific Microsoft Entra organization.
Access reviews are not used to control who can invite guest users.
Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn
Question 11 of 50
Your company has several offices in the same region. Each office has a dedicated IT staff.
You need to ensure that the IT staff in each office can manage passwords for their users and administrators.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Assign the Helpdesk Administrator role.
Correct Answer
Assign the Helpdesk Administrator role.
You must create an administrative unit and the Helpdesk role assignment allows members to change password for
Question 12 of 50
You need to generate the shared access signature (SAS) token required to authorize a request to a resource.
Which two parameters are required for the SAS token? Each correct answer presents part of the solution.
Your Answer
SignedIP (sip)
This answer is incorrect.
Correct Answer
SignedResourceTypes (srt)
SignedServices (ss) is required to refer to blobs, queues, tables, and files. SignedResourceTypes (srt) is required
to refer to services, containers, or objects. SignedStart (st) is an optional parameter that refers to the time when the
SAS becomes valid. If unmentioned, the start time is assumed to be the time when the storage service receives the
request. SignedIP (sip) is an optional parameter that refers to the range of IP addresses from which to accept
requests.
Question 13 of 50
You need to create an Azure Storage account that supports the Azure Data Lake Storage Gen2 capabilities.
Which two types of storage accounts can you use? Each correct answer presents a complete solution.
Your Answer
premium block blobs
Correct Answer
premium block blobs
To support Data Lake Storage, the storage account must support blob storage, which is available as standard general-
purpose v2 and premium block blobs. Additionally, when you create the storage account, you must enable the
hierarchical namespace.
Create a storage account for Azure Data Lake Storage Gen2 - Azure Storage | Microsoft Learn
Question 14 of 50
You need to create an Azure Storage account that meets the following requirements:
Your Answer
locally-redundant storage (LRS)
Correct Answer
zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates a storage account synchronously across three Azure availability zones in the
primary region. For ensuring high availability, Microsoft recommends using ZRS in the primary region and also
Question 15 of 50
You plan to configure object replication between two Azure Storage accounts.
The Blob service of the source storage account has the following settings:
Versioning: Disabled
Which setting should be modified on the source storage account to support object replication?
Your Answer
Blob soft delete
Correct Answer
Versioning
Versioning must be enabled for both the source and destination accounts. In this scenario, versioning is currently
disabled.
Question 16 of 50
You have two premium block blob Azure Storage accounts named storage1 and storage2.
You need to configure object replication from storage1 to storage2.
Which three features should be enabled before configuring object replication? Each correct answer presents part of
the solution.
Your Answer
blob versioning for storage1
Correct Answer
blob versioning for storage1
Object replication can be used to replicate blobs between storage accounts. Before configuring object replication, you
must enable blob versioning for both storage accounts, and you must enable the change feed for the source account.
Question 17 of 50
You need to create a lifecycle management rule to move blobs to Cool storage if the blobs have not been used for 30
days.
Your Answer
Enable versioning for blobs.
Correct Answer
Enable access tracking.
A lifecycle management rule can be used to move or delete blobs automatically. The rule can be based on the time
the blob was last modified or the time the blob was last accessed (read or write). To perform an action based on the
access time, access tracking must be enabled. This can incur additional storage costs.
Question 18 of 50
Several users work from a secure location that limits outbound traffic to the internet.
You need to ensure that the users at the secure location can access the file share in Azure by using SMB protocol.
Which outbound port should you allow from the secure location?
Your Answer
80
Correct Answer
445
For accessing the file share, port 445 must be open. Port 5671 is used to send health information to Microsoft Entra. It
is recommended, but not required, in the latest versions. Port 80 is used to download certificate revocation lists (CRLs)
to verify TLS/SSL certificates. Port 443 is used for https traffic, for example to sync AD DS with Microsoft Entra.
Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft Learn
Question 19 of 50
You have an Azure subscription and an on-premises Hyper-V virtual machine named VM1. VM1 contains a single
virtual disk.
You plan to use VM1 as a template to deploy 25 new Azure virtual machines.
Your Answer
Add-AzVhd
Correct Answer
Add-AzVhd
Create a VM from an uploaded generalized Windows VHD - Azure Virtual Machines | Microsoft Learn
Upload a VHD to Azure or copy a disk across regions - Azure PowerShell - Azure Virtual Machines | Microsoft Learn
Question 20 of 50
You need to ensure that storage1 provides POSIX-compliant access control lists (ACLs).
Your Answer
access tier
Correct Answer
hierarchical namespace
To enable POSIX-compliant access control lists (ACLs), the hierarchical namespace must be used. The remaining
options are valid for a storage account, but do not provide the POSIX-compliant feature.
Question 21 of 50
What are three requirements of storage1? Each correct answer presents part of a complete solution.
Your Answer
a container
Correct Answer
a container
Versioning must be enabled for the source and target. An object type container is needed to replicate the images.
You must create a StandardV2 storage account. File shares are not needed, and queues are unsupported for
replication.
Question 22 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains an Azure virtual machine
named VM1.
You need to use VM1 as a template to create a new Azure virtual machine.
Which three methods can you use to complete the task? Each correct answer presents a complete solution.
Your Answer
From Azure Cloud Shell, run the Save-AzDeploymentTemplate and New-AzResourceGroupDeployment cmdlets.
Correct Answer
From Azure Cloud Shell, run the Save-AzDeploymentTemplate and New-AzResourceGroupDeployment cmdlets.
From RG1, selecting the Download option from the Export template page exports the Azure Resource Manager (ARM)
template from the resource group properties. You can then deploy the ARM template by running the
New-AzResourceGroupDeployment cmdlet.
By using the Save-AzDeploymentTemplate cmdlet, you can save the resource ARM template. You can then deploy
From VM1, selecting the Deploy option from the Export template page allows you to deploy a new Azure virtual
The Save-AzDeploymentScriptLog cmdlet is used to save the log of a deployment script execution.
The Get-AzVM cmdlet generates a list of virtual machines that are created in the Azure subscription.
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
Question 23 of 50
You have an Azure subscription that contains a resource group named RG1.
You have an Azure Resource Manager (ARM) template for an Azure virtual machine.
You need to use PowerShell to provision a virtual machine in RG1 by using the template.
Your Answer
New-AzResourceGroupDeployment
Correct Answer
New-AzResourceGroupDeployment
Virtual machines are deployed to resource groups, so you must run the New-AzResourceGroupDeployment cmdlet.
You can deploy virtual machines to subscriptions or management groups directly, therefore, New-
Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
Question 24 of 50
You have an Azure Resource Manager (ARM) template named deploy.json that is stored in an Azure Blob storage
container.
Your Answer
-TemplateUri
Correct Answer
-TemplateUri
The PowerShell deployment cmdlets can be used to deploy JSON templates that are stored locally, in a resource
group as a template spec, or at a web-based location. You can use the -TemplateUri parameter to specify a web-
based location, such as GitHub or an Azure Blob Storage account. You can use -TemplateFile to specify a local file.
You can use -TemplateSpecId to specify a template that was saved to Azure as a template spec.
Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
Question 25 of 50
Your company has a set of resources deployed to an Azure subscription. The resources are deployed to a resource
You need to verify the date and the time that the resources in app-grp1 were created.
Which blade should you review for app-grp1 in the Azure portal?
Your Answer
Deployments
Correct Answer
Deployments
Navigating to the Diagnostics settings blade provides the ability to diagnose errors or review warnings. Navigating to
the Metrics blade provides metrics information (CPU, resources) to users. On the Deployments blade for the resource
group (app-grp1), all the details related to a deployment, such as the name, status, date last modified, and duration,
are visible. Navigating to the Policy blade only provides information related to the policies enforced on the resource
group.
Question 26 of 50
You are creating an Azure virtual machine that will run Windows Server.
You need to ensure that VM1 will be part of a virtual machine scale set.
Which setting should you configure during the creation of the virtual machine?
Your Answer
Availability options
Correct Answer
Availability options
You must configure the virtual machine scale set from the availability options. Azure spot instance is used to add
virtual machines with a discounted price. Region will not affect the configuration of the availability options. The
management setting allows you to configure the monitoring and management options for the virtual machine.
Availability options for Azure Virtual Machines - Azure Virtual Machines | Microsoft Learn
Question 27 of 50
You have two Azure virtual machines named VM1 and VM2 that run Windows Server 2022.
VM1 has a single data disk that stores backup files.
You need to move the data disk from VM1 to VM2 as quickly as possible.
Your Answer
Detach the data disk from VM1.
Correct Answer
Detach the data disk from VM1.
You can detach a disk from a running virtual machine (hot removal). You do not need to stop VM2 or restart VM1.
Detach a data disk from a Windows VM - Azure - Azure Virtual Machines | Microsoft Learn
Question 28 of 50
You receive a notification that the virtual machine is going to be affected by an underlying maintenance activity on
You need to move the virtual machine to a different host to avoid a service interruption.
Your Answer
Apply an Azure policy.
Correct Answer
Redeploy the virtual machine.
You must redeploy the virtual machine, which can move the virtual machine to a different host. Azure will shut down
the virtual machine and move the virtual machine to a new node within the Azure infrastructure.
Question 29 of 50
You have an Azure subscription that contains an Azure Storage account named vmstorageaccount1.
Your Answer
a blob container
This answer is incorrect.
Correct Answer
a file share
An Azure container instance (Docker container) can mount Azure File Storage shares as directories and use them as
persistent storage. An Azure container instance cannot mount blob containers, queues, or tables and use them as
persistent storage.
Persistent Docker volumes with Azure File Storage | Azure Blog and Updates | Microsoft Azure
Question 30 of 50
You have an Azure subscription that contains a Docker container image named container1.
You need to ensure that you can use container1 for WebApp1.
Your Answer
Continuous deployment
Correct Answer
Publish
If you want to run a Docker container as an Azure web service, you must configure the Publish option and select
Docker container.
Runtime stack specifies the stack that you want to use for the web app. If you want to deploy a Docker container as
Pricing plan specifies the location, features, and costs of the web app.
Continuous deployment is a strategy for software releases. This option is unavailable when you publish a Docker
Question 31 of 50
You have an Azure subscription that contains an Azure App Service web app named App1.
Your Answer
Application Logging (Blob)
Correct Answer
Application Logging (Blob)
You must enable the Application Logging (Blob) diagnostic, which can be stored for more than a week. You must also
set the severity level to warning, to store warning, error, and critical log messages.
Question 32 of 50
You need to recommend a solution for the deployment of the web app that meets the following requirements:
Minimizes costs
Your Answer
Azure App Service
Correct Answer
Azure App Service
Azure App Service fulfills all the stated requirements. Azure Virtual Machine Scale Sets, Azure Kubernetes Service
(AKS), and Azure Container Instances are more difficult to administer and more costly.
Question 33 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains an application named App1
App1 is experiencing performance issues when attempting to add messages to the containerapp1 queue.
You need to create a job to perform an application resource cleanup when a new message is added to a queue.
Your Answer
az containerapp job create \
    --name "my-job" --resource-group "RG1" --trigger-type "Event" \
    --replica-timeout 60 --replica-retry-limit 1 ...
Correct Answer
az containerapp job create \
    --name "my-job" --resource-group "RG1" --trigger-type "Event" \
    --replica-timeout 60 --replica-retry-limit 1 ...
Azure Container Apps jobs enable you to run containerized tasks that execute for a finite duration, and then exit. You
can use jobs to perform tasks such as data processing, machine learning, or any scenario where on-demand
processing is required. Container apps and jobs run in the same environment, allowing them to share capabilities such
A job's trigger type determines how the job is started. The following trigger types are available:
Schedule: Scheduled jobs are triggered at specific times and can run repeatedly.
Event: Event-driven jobs are triggered by events such as a message arriving in a queue.
Question 34 of 50
You have an Azure subscription that contains two resource groups named RG1 and RG2.
A network security group (NSG) named NSG1 located in the West US Azure region
Your Answer
the subnets of VNet1 only
This answer is incorrect.
Correct Answer
the subnets of VNet3 only
You can assign an NSG to the subnet of the virtual network in the same region as the NSG and NSG1 is in the West
US region.
Question 35 of 50
You have an Azure subscription that contains a network security group (NSG) named NSG1.
Secured HTTPS
Which two ports should you allow in NSG1? Each correct answer presents part of the solution.
Your Answer
443
Correct Answer
443
You must open port 443 to secured HTTPS traffic, port 3389 for Remote Desktop, and 587 to send outbound email by
using authenticated SMTP relay. Port 80 is used for unsecured traffic. Port 25 is used by mail traffic.
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
Question 36 of 50
You have a virtual machine named VM1 that is assigned to a network security group (NSG) named NSG1.
Rule1:
Priority: 900
Name: BlockInternet
Port: 80
Protocol: TCP
Source: Any
Destination: Any
Action: Block
Rule2:
Priority: 1000
Name: AllowInternet
Port: 80
Protocol: TCP
Source: Any
Destination: Any
Action: Allow
Your Answer
Change the action of Rule2.
Correct Answer
Change the priority of Rule2.
Rule1 has higher priority, so the action will be blocked. You can increase the priority of Rule2, decrease the priority of
Question 37 of 50
You create several Azure virtual machines that run Windows Server.
You need to connect to the virtual machines without exposing RDP ports over the internet.
Your Answer
Azure Bastion
Correct Answer
Azure Bastion
SSH ports. Azure Monitor helps you maximize the availability and performance of applications and services. Azure
Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an
Azure virtual network. Remote Desktop is a feature of the operating system, which exposes the RDP port to connect
Question 38 of 50
You have three network security groups (NSGs) named NSG1, NSG2, and NSG3. Port 80 is blocked in NSG3 and
You have four Azure virtual machines that have the following configurations:
VM1:
Subnet: Subnet1
VM2:
Subnet: Subnet1
VM3:
Subnet: Subnet3
VM4:
Subnet: Subnet2
Which virtual machine will allow traffic from the internet on port 80?
Your Answer
VM2
Correct Answer
VM1
On VM1, both NSGs assigned to Subnet1 and the NIC1 card allow traffic on port 80. On VM2, NSG1 allows traffic, but
NSG3 blocks traffic for the network interface. On VM3 and VM4, NSG3 blocks traffic.
Question 39 of 50
Your company plans to migrate servers from on-premises to Azure. There will be dev, test, and production virtual
You need to restrict traffic between the dev, test, and production virtual machines to specific ports.
Your Answer
an Azure firewall
Correct Answer
a network security group (NSG)
You must configure network security group (NSG) rules to allow TCP or ICMP traffic for specific ports. Azure Firewall is a
managed service that protects your Azure services across multiple virtual networks. Load balancers are used to
distribute incoming traffic to available backend servers. Azure VPN is used to have a connection establishment
Question 40 of 50
You deploy web servers to two virtual machines named VM1 and VM2 in an availability set named AVSet1.
You need to configure Azure Load Balancer with a backend pool of VM1 and VM2. The solution must minimize costs.
Which SKU should you use for the Azure Load Balancer configuration?
Your Answer
Azure Standard Load Balancer with Basic SKU public IP
Correct Answer
Basic Azure Load Balancer with Basic SKU public IP
Basic Azure Load Balancer supports deployment in a single availability zone. Basic Azure Load Balancer supports only
Basic SKU public IP. Azure Standard Load Balancer is zone-redundant, but has a higher cost.
Azure Load Balancer SKUs | Microsoft Learn
Question 41 of 50
You migrate a web app from on-premises to an Azure virtual machine. The web app was configured by using load
balancing in Azure.
Users experience issues when accessing the web app. You suspect an issue with the web server and must check
Your Answer
`Get-AzVirtualNetworkUsageList`
Correct Answer
netstat -an
Using netstat -an will list the ports that the server is listening on. Test-NetConnection will perform a ping/ICMP
test. Nbtstat -c checks the NBT cache. Get-AzVirtualNetwork gets the virtual networks in a resource group.
Question 42 of 50
You have an Azure subscription that contains a virtual network named VNet1 and a virtual machine named VM1.
An external contractor needs access to VM1. The solution must minimize administrative effort.
Your Answer
a public IP address
Correct Answer
a public IP address
To share a virtual machine with an external user, you must add a public IP address to the virtual machine. An
additional IP address or firewall configuration will not help in this case. Configuring an S2S VPN does not minimize
administrative effort.
Quickstart - Create a Windows VM in the Azure portal - Azure Virtual Machines | Microsoft Learn
Question 43 of 50
You have an Azure subscription that contains an Azure DNS zone named contoso.com.
Your Answer
Add an A record for test.contoso.com.
Correct Answer
Add an NS record set named test to the contoso.com zone.
You must create a DNS NS record set named test in the contoso.com zone. An NS zone must be created at the apex
of the zone named contoso.com. You do not need to create the SOA record set in test.contoso.com. It must only be
created in contoso.com. You do not need to create or modify the DNS A record.
Question 44 of 50
You have a Log Analytics workspace that collects data from various data sources.
What is the maximum number of days for which data can be pinned as a chart on the dashboard?
Your Answer
14
Correct Answer
14
Data pinned on a shared dashboard can only be displayed for a maximum of 14 days.
Question 45 of 50
You have an Azure virtual machine that runs Linux. The virtual machine hosts a custom application that outputs log
Your Answer
the Log Analytics agent for Linux
Correct Answer
the Log Analytics agent for Linux
You can use the Log Analytics agent for Linux as part of a solution to collect JSON output from the Linux virtual
machines.
The Azure Custom Script Extension is used for post-deployment configuration, software installation, or any other
Desired State Configuration (DSC) is a management platform that you can use to manage an IT and development
The Azure VMAccess extension acts as a KVM switch that allows you to access the console to reset access to Linux or
Collecting custom JSON data sources with the Log Analytics agent for Linux in Azure Monitor - Azure Monitor |
Microsoft Learn
Question 46 of 50
You have multiple Azure virtual machines and an Azure recovery services vault. Virtual machines are configured with
What is the retention period of virtual machine backups in the default backup policy?
Your Answer
30 days
Correct Answer
30 days
Question 47 of 50
You have an Azure subscription that contains two protected virtual machines named VM1 and VM2. VM1 and VM2
are backed up to a Recovery Services vault named Vault1 by using the same backup policy.
Your company plans to create additional virtual machines and Recovery Services vaults. During this process, Vault1
will be decommissioned.
solution.
Your Answer
Delete VM1 and VM2.
Correct Answer
Disable the soft delete feature and delete all data.
You must stop the backups so that you can prepare to move to the new policy. The soft delete feature is enabled by
default, so it must be disabled. You must remove all the items that are in the soft delete state. Deleting the virtual
machines is not required. You cannot delete the policy without deleting the vault and backup, and a new policy is not
required.
Delete a Microsoft Azure Recovery Services vault - Azure Backup | Microsoft Learn
Question 48 of 50
You have an Azure virtual machine named VM1 that is protected by using Azure Site Recovery.
You fail over VM1 from the primary region to the secondary region.
You need to reprotect VM1 after the failover so that VM1 will replicate back to the primary region.
Your Answer
Failover confirmed
Correct Answer
Failover committed
Before you begin, you must ensure that the virtual machine status is Failover committed. This will ensure replication
Question 49 of 50
You have an Azure virtual machine that you back up by using Azure Backup.
The backup policy sub type is Standard, and the backup policy has the following configurations:
You need instant recovery snapshots to be retained for only two days.
Your Answer
Change Policy sub type to Enhanced.
Correct Answer
Change the backup schedule frequency to **Daily**.
You can choose to store between one and five instant recovery snapshots and the default value is two. However,
when the backup schedule frequency is weekly, you must retain five instant recovery snapshots.
Question 50 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains two virtual machines
You need to inspect all the network traffic from VM1 to VM2. The solution must use Azure Monitor metrics.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Install AzureNetworkWatcherExtension.
Correct Answer
Install AzureNetworkWatcherExtension.
Azure Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and
from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively.
Tutorial: Monitor network communication between two virtual machines using the Azure portal | Microsoft Learn
Overall Results
To be better prepared for the exam, aim to achieve a score of 80% or higher in multiple attempts.
Score: 44%
To further strengthen your skills in the following areas, refer to the Customized Learning Material section below.
o Automate Azure tasks using scripts with PowerShell
o 71 mins
o Allow users to reset their password with Microsoft Entra self-service password reset
o 31 mins
o Create Azure users and groups in Microsoft Entra ID
o 41 mins
o Introduction to Azure Advisor
o 16 mins
o Configure Azure alerts
o 19 mins
o Configure Azure Policy
o 40 mins
o Configure role-based access control
o 46 mins
o Configure subscriptions
o 27 mins
o Configure user and group accounts
o 50 mins
o Configure virtual machines
o 40 mins
o Use Azure Resource Manager
o 30 mins
o Configure Azure Files and Azure File Sync
o 21 mins
o Configure Azure Blob Storage
o 45 mins
o Configure storage accounts
o 38 mins
o Configure Azure Storage security
o 55 mins
o Configure Azure Storage with tools
o 20 mins
o Configure virtual machines
o 40 mins
Because you scored lower in "Deploy and manage Azure compute resources":
o Automate Azure tasks using scripts with PowerShell
o 71 mins
o Deploy Azure infrastructure by using JSON ARM templates
o 43 mins
o Configure Azure App Service plans
o 21 mins
o Configure Azure App Service
o 62 mins
o Configure Azure Container Instances
o 26 mins
o Configure Azure resources with tools
o 46 mins
o Configure resources with Azure Resource Manager templates
o 41 mins
o Configure storage accounts
o 38 mins
o Configure virtual machine availability
o 63 mins
o Configure virtual machines
o 40 mins
o Configure virtual networks
o 35 mins
o Host your domain on Azure DNS
o 43 mins
o Configure Azure DNS
o 31 mins
o Configure Azure Load Balancer
o 70 mins
o Configure network routing and endpoints
o 51 mins
o Configure network security groups
o 36 mins
o Configure virtual networks
o 35 mins
o Configure Azure Virtual Network peering
o 41 mins
o Configure Azure alerts
o 19 mins
o Configure Azure Monitor
o 59 mins
o Configure file and folder backups
o 63 mins
o Configure Log Analytics
o 24 mins
o Configure Network Watcher
o 19 mins
o Configure virtual machine backups
o 76 mins
© Microsoft 2023
Answer Summary
Question 1 of 50
You have a Microsoft Entra tenant named contoso.com. Microsoft Entra Connect is configured to sync users to the
tenant.
You need to assign licenses to the users based on Microsoft Entra ID attributes. The attribute values will be set by the
HR department.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Assign the licenses to the dynamic groups.
Correct Answer
Assign the licenses to the dynamic groups.
To assign licenses to users based on Microsoft Entra ID attributes, you must create a dynamic security group and
configure rules based on custom attributes. The dynamic group must be added to a license group for automatic
synchronization. All users in the groups will get the license automatically. Microsoft Entra evaluates the users in the
organization that are in scope for an assignment policy rule and creates assignments for the users who don't have
assignments to an access package; automatic assignment policies are not used for licensing.
Assign licenses to a group - Azure Active Directory - Microsoft Entra | Microsoft Learn
Question 2 of 50
You have a Microsoft Entra tenant that uses Microsoft Entra Connect to sync with an Active Directory Domain Services
You need to ensure that users can reset their AD DS password from the Azure portal. The users must be able to use
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
From Password reset in the Azure portal, configure the Authentication methods settings.
Correct Answer
From Password reset in the Azure portal, configure the Authentication methods settings.
Enable Azure Active Directory password writeback - Microsoft Entra | Microsoft Learn
Question 3 of 50
From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following details:
Id: 8755b347-3545-3876-3987-999999999999
Mail: bsmith@contoso.com
UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com
Your Answer
The user was a guest in the tenant.
Correct Answer
The user was a guest in the tenant.
For guest users, the user principal name (UPN) will contain the email of the guest user (bsmith_contoso.com) followed
by #EXT# followed by the domain name of the tenant (@fabrikam.com). Regular Microsoft Entra users appear in a
format of user@fabrikam.com.
Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn
Question 4 of 50
Which user attribute should be configured for User1 before you can assign the license?
Your Answer
Usage location
Correct Answer
Usage location
This answer is correct.
Not all Microsoft 365 services are available in all locations. Before a license can be assigned to a user, you must
specify the Usage location. The attributes of First name, Last name, Other email address, and User type are not
Question 5 of 50
Your Microsoft Entra tenant and on-premises Active Directory domain contain multiple users.
You need to configure self-service password reset (SSPR) password writeback functionality. The solution must
minimize costs.
Your Answer
Microsoft Entra ID P1
Correct Answer
Microsoft Entra ID P1
Only Microsoft Entra ID P1 and P2 support SSPR, but Microsoft Entra ID P1 is the lower cost option.
Enable Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Learn
What is self-service password reset in Azure Active Directory? - Training | Microsoft Learn
Question 6 of 50
You have an Azure subscription that contains multiple users and administrators.
You are creating a new custom role by using the following JSON.
{
  "Id": null,
  "IsCustom": true,
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
    "Microsoft.Compute/snapshots/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}
Which three actions can be performed by a user that is assigned the custom role? Each correct answer presents a
complete solution.
Your Answer
Call Microsoft Support.
Correct Answer
Call Microsoft Support.
The role can read all compute resources, call Microsoft Support, and create and read snapshots.
Question 7 of 50
You need to provide a user with the ability to perform the following tasks:
Manage containers within the storage accounts.
Your Answer
Storage Account Contributor
Correct Answer
Storage Account Contributor
Storage Account Contributor allows the management of storage accounts. It provides access to the account key,
which can be used to access data via Shared Key authorization. Storage Blob Data Contributor grants permissions to
read, write, and delete Azure Storage containers and blobs. Reader allows you to view all resources but does not allow
you to make any changes. Owner grants full access to manage all resources, including the ability to assign roles in
Azure RBAC.
Question 8 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine that runs
daily reports.
You need to ensure that the virtual machine shuts down when resource group costs exceed 75 percent of the
allocated budget.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Create an action group of type Runbook, and then select **Stop VM** as an action.
Correct Answer
Create an action group of type Runbook, and then select **Stop VM** as an action.
resources. You must also create a new action group of the Runbook type, and then choose Stop VM as an action. The
cost analysis will not stop the virtual machine from running and the Scale Up VM action group is not required.
Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft Learn
Question 9 of 50
You have an Azure subscription that contains hundreds of virtual machines that were migrated from a local
datacenter.
Your Answer
Cost
Correct Answer
Cost
The Cost blade allows you to optimize and reduce your overall Azure spending. You can use this to identify the virtual
machines that are underutilized. The Performance blade allows you to improve the speed of your applications. High
availability is unavailable via Azure Advisor. Operational Excellence helps you achieve process and workflow efficiency,
Question 10 of 50
To which three resource types can you apply delete locks? Each correct answer presents a complete solution.
Your Answer
resource groups
subscriptions
virtual machines
Correct Answer
resource groups
subscriptions
virtual machines
You can use delete locks to block the deletion of virtual machines, subscriptions, and resource groups. You cannot use
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
Question 11 of 50
Your company has several offices in the same region. Each office has a dedicated IT staff.
You need to ensure that the IT staff in each office can manage passwords for their users and administrators.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Assign the Helpdesk Administrator role.
Correct Answer
Assign the Helpdesk Administrator role.
You must create an administrative unit and the Helpdesk role assignment allows members to change password for
Question 12 of 50
You need to generate the shared access signature (SAS) token required to authorize a request to a resource.
Which two parameters are required for the SAS token? Each correct answer presents part of the solution
Your Answer
SignedResourceTypes (srt)
Correct Answer
SignedResourceTypes (srt)
SignedServices (ss)
SignedServices (ss) is required to refer to blobs, queues, tables, and files. SignedResourceTypes (srt) is required
to refer to services, containers, or objects. SignedStart (st) is an optional parameter that refers to the time when the
SAS becomes valid. If unmentioned, the start time is assumed to be the time when the storage service receives the
request. SignedIP (sip) is an optional parameter that refers to the range of IP addresses from which to accept
requests.
Question 13 of 50
You need to create an Azure Storage account that supports the Azure Data Lake Storage Gen2 capabilities.
Which two types of storage accounts can you use? Each correct answer presents a complete solution.
Your Answer
premium block blobs
standard general-purpose v2
Correct Answer
premium block blobs
standard general-purpose v2
To support Data Lake Storage, the storage account must support blob storage, which is available as standard general-
purpose v2 and premium block blobs. Additionally, when you create the storage account, you must enable the
hierarchical namespace.
Create a storage account for Azure Data Lake Storage Gen2 - Azure Storage | Microsoft Learn
Question 14 of 50
You need to create an Azure Storage account that meets the following requirements:
Your Answer
read-access geo-redundant storage (RA-GRS)
Correct Answer
zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates a storage account synchronously across three Azure availability zones in the
primary region. For ensuring high availability, Microsoft recommends using ZRS in the primary region and also
Question 15 of 50
You have an Azure Storage account named corpimages and an on-premises shared folder named \\server1\images.
Which two commands can you use? Each correct answer presents a complete solution.
Your Answer
`Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public --recursive`
Correct Answer
`Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public --recursive`
The AzCopy command allows you to copy all files to a storage account. You then use Get-ChildItem with
the path parameter, recurse to select everything, and then use the Set-AzureStorageBlobContent cmdlet.
Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
Question 16 of 50
You have two premium block blob Azure Storage accounts named storage1 and storage2.
Which three features should be enabled before configuring object replication? Each correct answer presents part of
the solution.
Your Answer
blob versioning for storage1
Correct Answer
blob versioning for storage1
Object replication can be used to replicate blobs between storage accounts. Before configuring object replication, you
must enable blob versioning for both storage accounts, and you must enable the change feed for the source account.
Question 17 of 50
A storage account named storage1 has a file share that stores marketing videos. Users reported that 99 percent of the
You need to ensure that the file share can support large files and store up to 100 TiB.
Which two PowerShell commands should you run? Each correct answer presents part of the solution.
Your Answer
Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
Correct Answer
Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
You must enable the storage account to support large files and update the storage account quota to 102,400 GB. You
do not need to change the type of storage account, and you are updating the existing share.
Question 18 of 50
You need to create a lifecycle management rule to move blobs to Cool storage if the blobs have not been used for 30
days.
Your Answer
Enable access tracking.
Correct Answer
Enable access tracking.
A lifecycle management rule can be used to move or delete blobs automatically. The rule can be based on the time
the blob was last modified or the time the blob was last accessed (read or write). To perform an action based on the
access time, access tracking must be enabled. This can incur additional storage costs.
Question 19 of 50
You have an Azure subscription and an on-premises Hyper-V virtual machine named VM1. VM1 contains a single
virtual disk.
You plan to use VM1 as a template to deploy 25 new Azure virtual machines.
Your Answer
Add-AzVhd
Correct Answer
Add-AzVhd
Create a VM from an uploaded generalized Windows VHD - Azure Virtual Machines | Microsoft Learn
Upload a VHD to Azure or copy a disk across regions - Azure PowerShell - Azure Virtual Machines | Microsoft Learn
Question 20 of 50
You have an Azure subscription that contains a storage account named storage1 and a Microsoft Entra tenant named
contoso.com.
Your Answer
file shares
Correct Answer
file shares
File shares can be configured to use Microsoft Entra Kerberos to provide identity-based access to data storage.
Compare storage for file shares and blob data - Training | Microsoft Learn
Question 21 of 50
You have an Azure subscription.
What are three requirements of storage1? Each correct answer presents part of a complete solution.
Your Answer
a container
blob versioning
standard general-purpose v2
Correct Answer
a container
blob versioning
standard general-purpose v2
Versioning must be enabled for the source and target. An object type container is needed to replicate the images. You
must create a StandardV2 storage account. File shares are not needed, and queues are unsupported for replication.
Question 22 of 50
You plan to use the following two Azure Resource Manager (ARM) templates to provision virtual machines:
Template.json
{
"$schema":
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminUsername": {
"type": "string",
"metadata": {
"description": "User name for the Virtual Machine."
},
"adminPassword": {
"type": "securestring",
"metadata": {
},
"dnsLabelPrefix": {
"type": "string",
"metadata": {
"description": "Unique DNS Name for the Public IP used to access the Virtual
Machine."
},
...
"apiVersion": "2019-12-01",
"type": "Microsoft.Compute/virtualMachines",
"name": "[variables('vmName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[variables('storageAccountName')]",
"[variables('nicName')]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"osProfile": {
"computerName": "[variables('vmName')]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]"
},
...
Template.parameters.json
{
"$schema":
"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminUsername": {
"value": ""
},
"adminPassword": {
...
Which two resources should you provision to ensure that the password can be stored securely?
Your Answer
Access Policy
Correct Answer
Access Policy
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Question 23 of 50
You have an Azure Resource Manager (ARM) template named deploy.json that is stored in an Azure Blob storage
container.
Your Answer
-TemplateUri
Correct Answer
-TemplateUri
The PowerShell deployment cmdlets can be used to deploy JSON templates that are stored locally, in a resource
group as a template spec, or from a web-based location. You can use the -TemplateUri parameter to specify a web-
based location, such as GitHub or an Azure Blob Storage account. You can use -TemplateFile to specify a local file.
You can use -TemplateSpecId to specify a template that was saved to Azure as a template spec.
Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
Question 24 of 50
You plan to deploy an Azure virtual machine based on a basic template stored in the Azure Resource Manager (ARM)
library.
Your Answer
the resource group
Correct Answer
the resource group
resource group is a container for Azure resources and makes it easier to manage the resources.
Configure resources with Azure Resource Manager templates - Training | Microsoft Learn
Question 25 of 50
Your company has a set of resources deployed to an Azure subscription. The resources are deployed to a resource
You need to verify the date and the time that the resources in app-grp1 were created.
Which blade should you review for app-grp1 in the Azure portal?
Your Answer
Deployments
Correct Answer
Deployments
Navigating to the Diagnostics settings blade provides the ability to diagnose errors or review warnings. Navigating to
the Metrics blade provides metrics information (CPU, resources) to users. On the Deployments blade for the resource
group (app-grp1), all the details related to a deployment, such as the name, status, date last modified, and duration,
are visible. Navigating to the Policy blade only provides information related to the policies enforced on the resource
group.
Question 26 of 50
You have two Azure virtual machines named VM1 and VM2 that run Windows Server 2022.
You need to move the data disk from VM1 to VM2 as quickly as possible.
Your Answer
Detach the data disk from VM1.
Correct Answer
Detach the data disk from VM1.
This answer is correct.
You can detach a disk from a running virtual machine (hot removal). You do not need to stop VM2 or restart VM1.
Detach a data disk from a Windows VM - Azure - Azure Virtual Machines | Microsoft Learn
Question 27 of 50
Which two factors can cause an Azure Spot instance to be evicted? Each correct answer presents a complete solution.
Your Answer
the Azure capacity needs
Correct Answer
the Azure capacity needs
Azure Spot instances allow you to provision virtual machines at a reduced cost, but these virtual machines can be
stopped by Azure when Azure needs the capacity for other pay-as-you-go workloads, or when the price of the spot
instance exceeds the maximum price that you have set. These virtual machines are good for dev, testing, or for
Use Azure Spot Virtual Machines - Azure Virtual Machines | Microsoft Learn
Question 28 of 50
Your development team plans to deploy an Azure container instance. The container needs a persistent storage layer.
Your Answer
Azure Blob storage
Correct Answer
Azure Files
shares hosted in Azure Storage that are accessible via the industry standard Server Message Block (SMB) protocol.
Mount Azure Files volume to container group - Azure Container Instances | Microsoft Learn
Question 29 of 50
You have an Azure subscription that contains a Docker container image named container1.
You need to ensure that you can use container1 for WebApp1.
Your Answer
Publish
Correct Answer
Publish
If you want to run a Docker container as an Azure web service, you must configure the Publish option and select
Docker container.
Runtime stack specifies the stack that you want to use for the web app. If you want to deploy a Docker container as
Pricing plan specifies the location, features, and costs of the web app.
Continuous deployment is a strategy for software releases. This option is unavailable when you publish a Docker
Question 30 of 50
You have an Azure subscription that contains an Azure container app named cont1.
You need to ensure that cont1 replicas are created based on received messages in Azure Service Bus.
Your Answer
event-driven
Correct Answer
event-driven
Azure Container Apps allows a set of triggers to create new instances, called replicas. For Azure Service Bus, an event-
driven trigger can be used to run the escalation method. The remaining scale triggers cannot use a scale rule based
Question 31 of 50
You have an Azure subscription that contains an Azure App Service web app named App1.
Your Answer
Application Logging (Blob)
Warning
Correct Answer
Application Logging (Blob)
Warning
You must enable the Application Logging (Blob) diagnostic, which can be stored for more than a week. You must also
set the severity level to warning, to store warning, error, and critical log messages.
Question 32 of 50
You have a Basic Azure App Service plan that contains a web app.
You need to ensure that the web app can scale automatically when the CPU percentage goes beyond 80 percent for a
duration of 15 minutes.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Configure a scaling condition to scale based on a metric, and then add the rules.
Correct Answer
Configure a scaling condition to scale based on a metric, and then add the rules.
Scale up the web app by adding more CPU, memory, and disk space to fulfill the requirement. Increase the number of
virtual machine instances that run the app. The scale settings take only seconds to apply and affect all the apps in the
App Service plan. Then, you must set up a scaling condition with the required metrics to scale up/down and scale
Question 33 of 50
You have an Azure subscription that contains a container app named App1. App1 is configured to use cached data.
You need to ensure that the new container automatically refreshes the cache used by App1.
Your Answer
sidecar
Correct Answer
sidecar
Azure Container Apps manages the details of Kubernetes and container orchestration. Containers in Azure Container
Apps can use any runtime, programming language, or development stack of your choice. You can define multiple
containers in a single container app to implement the sidecar pattern, for example, an agent that reads logs from the
primary app container in a shared volume and forwards them to a logging service.
Question 34 of 50
You have an Azure subscription that contains network security groups (NSGs).
Which two resources can be associated with an NSG? Each correct answer presents a complete solution.
Your Answer
network interfaces
subnets
Correct Answer
network interfaces
subnets
You can assign a network security group (NSG) to a network interface. NSGs can be associated with
subnets or individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the
access control list (ACL) rules apply to all virtual machine instances of that subnet.
Question 35 of 50
You have an Azure subscription that contains two resource groups named RG1 and RG2.
A network security group (NSG) named NSG1 located in the West US Azure region
Your Answer
the subnets of VNet3 only
Correct Answer
the subnets of VNet3 only
You can assign an NSG to the subnet of the virtual network in the same region as the NSG and NSG1 is in the West US
region.
Question 36 of 50
You have an Azure subscription that contains a network security group (NSG) named NSG1.
Secured HTTPS
Which two ports should you allow in NSG1? Each correct answer presents part of the solution.
Your Answer
443
3389
Correct Answer
443
3389
You must open port 443 to secured HTTPS traffic, port 3389 for Remote Desktop, and 587 to send outbound email by
using authenticated SMTP relay. Port 80 is used for unsecured traffic. Port 25 is used by mail traffic.
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
Question 37 of 50
You have an Azure virtual network that contains four subnets. Each subnet contains 10 virtual machines.
You plan to configure a network security group (NSG) that will allow inbound traffic over TCP port 8080 to two virtual
possible.
Your Answer
an application security group
Correct Answer
an application security group
Application security groups allow you to group together the network interfaces from multiple virtual machines, and
then use the group as the source or destination in an NSG rule. The network interfaces must be in the same virtual
network.
You can use the IP address of each virtual machine as the destination, but you must create a rule for each virtual
machine.
Using the subnets will require four rules and will also allow traffic to all the virtual machines on those subnets.
Service tags are for specific Azure services, such as Azure App Service or Azure Backup.
Question 38 of 50
You create several Azure virtual machines that run Windows Server.
You need to connect to the virtual machines without exposing RDP ports over the internet.
Your Answer
Azure Bastion
Correct Answer
Azure Bastion
Azure Bastion is a service that lets you connect to a virtual machine by using a browser, without exposing RDP and
SSH ports. Azure Monitor helps you maximize the availability and performance of applications and services. Azure
Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an
Azure virtual network. Remote Desktop is a feature of the operating system, which exposes the RDP port to connect
Question 39 of 50
You have an Azure subscription that contains an ASP.NET application. The application is hosted on four Azure virtual
You have a load balancer named LB1 that load balances requests to the virtual machines.
You need to ensure that site users connect to the same web server for all requests made to the application.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Configure an inbound NAT rule.
Correct Answer
Set Session persistence to Client IP.
By setting Session persistence to Client IP and Protocol, you ensure that site users connect to the same web server for
all requests made to the application. Setting Session persistence to None disables sticky sessions and an inbound NAT
rule is used to forward traffic from a load balancer frontend to a backend pool.
Question 40 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 has a virtual network named VNet3, a
virtual machine named VM1, and a public IP address named PubIP1. All the resources are in the West US Azure
region.
You plan to create and configure a network security group (NSG) named NSG1 for the following types of traffic:
HTTP
Which two cmdlets should you run? Each correct answer presents part of the solution.
Your Answer
New-AzNetworkSecurityGroup
New-AzNetworkSecurityRuleConfig
Correct Answer
New-AzNetworkSecurityGroup
New-AzNetworkSecurityRuleConfig
New-AzNetworkSecurityRuleConfig allows you to create a rule and provide the type, protocol, direction, and port
number. New-AzNetworkSecurityGroup creates a network security group (NSG). -SecurityRules specifies a list of
Question 41 of 50
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2.
You need to ensure that the resources on both VNet1 and VNet2 can communicate seamlessly between both
networks.
Your Answer
peerings
Correct Answer
peerings
You can connect virtual networks to each other with virtual network peering. Once the virtual networks are peered,
the resources on both virtual networks can communicate with each other with the same latency and bandwidth as
Connect virtual networks with VNet peering - Azure PowerShell | Microsoft Learn
Question 42 of 50
You have an Azure subscription that contains a virtual network named VNet1.
You plan to deploy a virtual machine named VM1 to be used as a network inspection appliance.
You need to ensure that all network traffic passes through VM1.
Your Answer
Configure a user-defined route.
Correct Answer
Configure a user-defined route.
Azure automatically creates a route table for each subnet on an Azure virtual network and adds system default routes
to the table. You can override some of the Azure system routes with custom user-defined routes and add more
custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes on a subnet's route
table.
Question 43 of 50
You have an Azure subscription that contains an Azure DNS zone named contoso.com.
Your Answer
Add an NS record set named test to the contoso.com zone.
Correct Answer
Add an NS record set named test to the contoso.com zone.
You must create a DNS NS record set named test in the contoso.com zone. An NS zone must be created at the apex
of the zone named contoso.com. You do not need to create the SOA record set in test.contoso.com. It must only be
created in contoso.com. You do not need to create or modify the DNS A record.
Question 44 of 50
You need to create Azure alerts based on metric values and activity log events.
Which two resources should you create? Each correct answer presents part of the solution.
Your Answer
an action group
an alert rule
Correct Answer
an action group
an alert rule
You must create an action group to set up an action and create an alert rule to set the severity of the errors. A
notification is only used to send email and you do not need to call a webhook.
Manage action groups in the Azure portal - Azure Monitor | Microsoft Learn
Question 45 of 50
You have an Azure virtual machine that hosts a third-party application named App1.
Users report that they experience performance issues when they use the application.
Your Answer
Azure Monitor
Correct Answer
Azure Monitor
logs detect and address issues before users notice them proactivity. Azure Advisor analyzes configuration and usage
metrics but does not provide time-lapsed data. Azure Cost only helps to optimize and reduce overall Azure spending.
Question 46 of 50
You have an Azure virtual machine that runs Linux. The virtual machine hosts a custom application that outputs log
Your Answer
the Log Analytics agent for Linux
Correct Answer
the Log Analytics agent for Linux
You can use the Log Analytics agent for Linux as part of a solution to collect JSON output from the Linux virtual
machines.
The Azure Custom Script Extension is used for post-deployment configuration, software installation, or any other
Desired State Configuration (DSC) is a management platform that you can use to manage an IT and development
The Azure VMAccess extension acts as a KVM switch that allows you to access the console to reset access to Linux or
Collecting custom JSON data sources with the Log Analytics agent for Linux in Azure Monitor - Azure Monitor |
Microsoft Learn
Question 47 of 50
You have 100 virtual machines deployed to Azure. You have Azure Monitor alerts configured for CPU and memory
You open Azure Monitor alerts and discover 50 closed alerts for the virtual machines.
Your Answer
An administrator manually changed the state of the alerts.
Correct Answer
An administrator manually changed the state of the alerts.
The alert state is manually set by the user and does not have any automated logic behind it. The alert state can be
Question 48 of 50
You have an Azure virtual machine named Server1 that runs Windows Server.
Your Answer
the Microsoft Azure Recovery Services (MARS) agent
Correct Answer
the Microsoft Azure Recovery Services (MARS) agent
The Microsoft Azure Recovery Services (MARS) agent must be installed on the servers. The MARS agent is mandatory
Question 49 of 50
24 virtual machines
16 storage accounts
You need to implement a monitoring solution that provides the ability to view diagnostics and telemetry data
Your Answer
a Log Analytics workspace
A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as
Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration
Question 50 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains two virtual machines named
You need to inspect all the network traffic from VM1 to VM2. The solution must use Azure Monitor metrics.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Configure a log alert.
Correct Answer
Install AzureNetworkWatcherExtension.
Azure Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and
from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively.
Tutorial: Monitor network communication between two virtual machines using the Azure portal | Microsoft Learn
Overall Results
To be better prepared for the exam, aim to achieve a score of 80% or higher in multiple attempts.
Score: 90%
To further strengthen your skills in the following areas, refer to the Customized Learning Material section below.
Manage Azure identities and governance
Congratulations, you passed all the sections! If you have passed multiple attempts, consider scheduling an exam.
© Microsoft 2023
Answer Summary
Below is a summary of your answers.
Question 1 of 50
You have a Microsoft Entra tenant named contoso.com. Microsoft Entra Connect is configured to sync users to the
tenant.
You need to assign licenses to the users based on Microsoft Entra ID attributes. The attribute values will be set by the
HR department.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Assign the licenses to the security groups.
This answer is incorrect.
Create an automatic assignment policy.
This answer is incorrect.
Correct Answer
Assign the licenses to the dynamic groups.
This answer is correct.
To assign licenses to users based on Microsoft Entra ID attributes, you must create a dynamic security group and
configure rules based on custom attributes. The dynamic group must be added to a license group for automatic
synchronization. All users in the groups will get the license automatically. Microsoft Entra evaluates the users in the
organization that are in scope for an assignment policy rule and creates assignments for the users who don't have
assignments to an access package; automatic assignment policies are not used for licensing.
Assign licenses to a group - Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure user and group accounts - Training | Microsoft Learn
Question 2 of 50
You have an Azure subscription that contains multiple virtual machines.
You need to ensure that a user named User1 can view all the resources in a resource group named RG1. You must use
the principle of least privilege.
Which role should you assign to User1?
Your Answer
Contributor
This answer is incorrect.
Correct Answer
Reader
This answer is correct.
The Reader role allows you to view all the resources but does not allow you to make any changes. The Contributor
role allows you to manage all the resources, the Billing Reader role provides read access only to billing data, and the
Tag Contributor role allows you to manage entity tags without providing access to the entities themselves.
Azure built-in roles - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 3 of 50
You have an Azure subscription that contains several storage accounts.
You need to provide a user with the ability to perform the following tasks:
Manage containers within the storage accounts.
View storage account access keys.
The solution must use the principle of least privilege.
Which role should you assign to the user?
Your Answer
Owner
This answer is incorrect.
Correct Answer
Storage Account Contributor
This answer is correct.
Storage Account Contributor allows the management of storage accounts. It provides access to the account key,
which can be used to access data via Shared Key authorization. Storage Blob Data Contributor grants permissions to
read, write, and delete Azure Storage containers and blobs. Reader allows you to view all resources but does not allow
you to make any changes. Owner grants full access to manage all resources, including the ability to assign roles in
Azure RBAC.
Azure built-in roles - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 4 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine named
VM1 connected to a virtual network named Network1.
A user named Admin1 must be able to change the settings of Network1.
You need to use PowerShell to assign Admin1 the appropriate role and permissions.
Which two PowerShell statements should you use to complete the task? Each correct answer presents part of the
solution.
Your Answer
New-AzRoleAssignment -ObjectId $User.id `
-RoleDefinitionName "Network Contributor" `
-ResourceName Network1 `
-ResourceType Microsoft.Network/virtualNetworks `
-ResourceGroupName RG1
This answer is correct.
Correct Answer
New-AzRoleAssignment -ObjectId $User.id `
-RoleDefinitionName "Network Contributor" `
-ResourceName Network1 `
-ResourceType Microsoft.Network/virtualNetworks `
-ResourceGroupName RG1
This answer is correct.
Before assigning an RBAC role to a user, you must use the Get-AzADUser cmdlet to obtain the ID of the user. The
New-AzRoleAssignment cmdlet can be used to assign an RBAC role to any resource. If you assign the Virtual Machine
Contributor role to RG1, it will only allow changes to the virtual machine; it will not allow Admin1 to manage the
virtual network. To modify network settings, you must assign the Network Contributor role.
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn
Question 5 of 50
You have an Azure subscription and a user named User1.
You need to assign User1 a role that allows the user to create and manage all types of resources in the subscription.
The solution must prevent User1 from assigning roles to other users.
Which Azure role-based access control (RBAC) role should you assign to User1?
Your Answer
Owner
This answer is incorrect.
Correct Answer
Contributor
This answer is correct.
Users with the Contributor role can create and manage all types of resources but cannot delegate new access to other
users. Users with the Reader role can view existing Azure resources but cannot perform any action against them. Users
with the API Management Service Contributor role can only manage API Management services and APIs. Users with
the Owner role have full access to all resources, including the right to delegate access to others.
Azure built-in roles - Azure RBAC | Microsoft Learn
Configure role-based access control - Training | Microsoft Learn
Question 6 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine that runs
daily reports.
You need to ensure that the virtual machine shuts down when resource group costs exceed 75 percent of the
allocated budget.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Create an action group of type Runbook, and then select Scale Up VM.
This answer is incorrect.
Create an action group of type Runbook, and then select Stop VM as an action.
This answer is correct.
Correct Answer
Create an action group of type Runbook, and then select Stop VM as an action.
This answer is correct.
You must go to Cost Management + Billing, and then Budgets to edit the budget associated with the resource group
resources. You must also create a new action group of the Runbook type, and then choose Stop VM as an action. The
cost analysis will not stop the virtual machine from running and the Scale Up VM action group is not required.
Tutorial - Create and manage Azure budgets - Microsoft Cost Management | Microsoft Learn
Configure subscriptions - Training | Microsoft Learn
Question 7 of 50
You have an Azure subscription that contains hundreds of virtual machines that were migrated from a local
datacenter.
You need to identify which virtual machines are underutilized.
Which Azure Advisor settings should you use?
Your Answer
High Availability
This answer is incorrect.
Correct Answer
Cost
This answer is correct.
The Cost blade allows you to optimize and reduce your overall Azure spending. You can use this to identify the virtual
machines that are underutilized. The Performance blade allows you to improve the speed of your applications. High
availability is unavailable via Azure Advisor. Operational Excellence helps you achieve process and workflow efficiency,
resource manageability, and deployment best practices.
Introduction to Azure Advisor - Training | Microsoft Learn
Question 8 of 50
You have several management groups and Azure subscriptions.
You want to prevent the accidental deletion of resources.
To which three resource types can you apply delete locks? Each correct answer presents a complete solution.
Your Answer
resource groups
This answer is correct.
Correct Answer
resource groups
This answer is correct.
subscriptions
This answer is correct.
virtual machines
This answer is correct.
You can use delete locks to block the deletion of virtual machines, subscriptions, and resource groups. You cannot use
delete locks on management groups or storage account data.
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
Use Azure Resource Manager - Training | Microsoft Learn
Question 9 of 50
You have an Azure subscription that contains 200 virtual machines.
You plan to use Azure Advisor to provide cost recommendations when underutilized virtual machines are detected.
You need to ensure that all Azure admins are notified whenever an Advisor alert is generated. The solution must
minimize administrative effort.
What should you configure?
Your Answer
an action group
This answer is correct.
Correct Answer
an action group
This answer is correct.
Whenever Azure Advisor detects a new recommendation for resources, an event is stored in the Azure Activity log.
You can set up alerts for these events from Azure Advisor. You can select a subscription and optionally a resource
group to specify the resources for which you want to receive alerts. You also need to create an action group that will
contain all the users to be notified.
Create action groups - Training | Microsoft Learn
Create Azure Advisor alerts for new recommendations using Azure portal - Azure Advisor | Microsoft Learn
Question 10 of 50
You have an Azure subscription.
You plan to create an Azure Policy definition named Policy1.
You need to include remediation information to indicate when users use Microsoft Defender for Cloud Regulatory and
Compliance.
To which definition section should you add remediation information for Policy1?
Your Answer
metadata
This answer is correct.
Correct Answer
metadata
This answer is correct.
You must use the RemediationDescription field in the metadata section from properties to specify a custom
recommendation. The remaining options are Azure policies, but do not allow specific custom remediation
information.
Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn
Configure Azure Policy - Training | Microsoft Learn
Question 11 of 50
You have a Microsoft Entra tenant.
Your company has several offices in the same region. Each office has a dedicated IT staff.
You need to ensure that the IT staff in each office can manage passwords for their users and administrators.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Assign the Helpdesk Administrator role.
This answer is correct.
Correct Answer
Assign the Helpdesk Administrator role.
This answer is correct.
You must create an administrative unit, and the Helpdesk Administrator role assignment allows members to change passwords for
both users and other administrators.
Administrative units in Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure user and group accounts - Training | Microsoft Learn
Question 12 of 50
You need to generate the shared access signature (SAS) token required to authorize a request to a resource.
Which two parameters are required for the SAS token? Each correct answer presents part of the solution.
Your Answer
SignedResourceTypes (srt)
This answer is correct.
Correct Answer
SignedResourceTypes (srt)
This answer is correct.
SignedServices (ss)
This answer is correct.
SignedServices (ss) is required to refer to blobs, queues, tables, and files. SignedResourceTypes (srt) is required
to refer to services, containers, or objects. SignedStart (st) is an optional parameter that refers to the time when the
SAS becomes valid. If unmentioned, the start time is assumed to be the time when the storage service receives the
request. SignedIP (sip) is an optional parameter that refers to the range of IP addresses from which to accept
requests.
Create an account SAS - Azure Storage | Microsoft Learn
Configure Azure Storage security - Training | Microsoft Learn
Question 13 of 50
You need to create an Azure Storage account that supports the Azure Data Lake Storage Gen2 capabilities.
Which two types of storage accounts can you use? Each correct answer presents a complete solution.
Your Answer
standard general-purpose v2
This answer is correct.
Correct Answer
premium block blobs
This answer is correct.
standard general-purpose v2
This answer is correct.
To support Data Lake Storage, the storage account must support blob storage, which is available as standard general-
purpose v2 and premium block blobs. Additionally, when you create the storage account, you must enable the
hierarchical namespace.
Create a storage account for Azure Data Lake Storage Gen2 - Azure Storage | Microsoft Learn
Determine storage account types - Training | Microsoft Learn
Question 14 of 50
You need to create an Azure Storage account that meets the following requirements:
Stores data in a minimum of two availability zones
Provides high availability
Which type of storage redundancy should you use?
Your Answer
locally-redundant storage (LRS)
This answer is incorrect.
Correct Answer
zone-redundant storage (ZRS)
This answer is correct.
Zone-redundant storage (ZRS) replicates a storage account synchronously across three Azure availability zones in the
primary region. For ensuring high availability, Microsoft recommends using ZRS in the primary region and also
replicating to a secondary region.
Data redundancy - Azure Storage | Microsoft Learn
Determine replication strategies - Training | Microsoft Learn
Question 15 of 50
You have an Azure Storage account named corpimages and an on-premises shared folder named \\server1\images.
You need to migrate all the contents from \\server1\images to corpimages.
Which two commands can you use? Each correct answer presents a complete solution.
Your Answer
Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container "corpimages"
This answer is correct.
Correct Answer
Azcopy copy \\server1\images https://corpimages.blog.core.windows.net/public -recursive
This answer is correct.
The AzCopy command allows you to copy all files to a storage account. You then use Get-ChildItem with
the path parameter, recurse to select everything, and then use the Set-AzureStorageBlobContent cmdlet.
Copy or move data to Azure Storage by using AzCopy v10 | Microsoft Learn
Set-AzureStorageBlobContent (Azure.Storage) | Microsoft Learn
Configure Azure Storage with tools - Training | Microsoft Learn
Question 16 of 50
You plan to configure object replication between two Azure Storage accounts.
The Blob service of the source storage account has the following settings:
Hierarchical namespace: Disabled
Default access tier: Hot
Blob public access: Enabled
Blob soft delete: Enabled (7 days)
Container soft delete: Enabled (7 days)
Versioning: Disabled
Change feed: Enabled
NFS v3: Disabled
Allow cross-tenant replication: Enabled
Which setting should be modified on the source storage account to support object replication?
Your Answer
Blob soft delete
This answer is incorrect.
Correct Answer
Versioning
This answer is correct.
Versioning must be enabled for both the source and destination accounts. In this scenario, versioning is currently
disabled.
Object replication overview - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 17 of 50
You have an Azure subscription that contains multiple storage accounts.
A storage account named storage1 has a file share that stores marketing videos. Users reported that 99 percent of the
assigned storage is used.
You need to ensure that the file share can support large files and store up to 100 TiB.
Which two PowerShell commands should you run? Each correct answer presents part of the solution.
Your Answer
Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
This answer is correct.
Correct Answer
Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
This answer is correct.
You must enable the storage account to support large files and update the storage account quota to 102,400 GB. You
do not need to change the type of storage account, and you are updating the existing share.
Object replication overview - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 18 of 50
You have an Azure Storage account that contains a file share.
Several users work from a secure location that limits outbound traffic to the internet.
You need to ensure that the users at the secure location can access the file share in Azure by using SMB protocol.
Which outbound port should you allow from the secure location?
Your Answer
80
This answer is incorrect.
Correct Answer
445
This answer is correct.
For accessing the file share, port 445 must be open. Port 5671 is used to send health information to Microsoft Entra. It
is recommended, but not required, in the latest versions. Port 80 is used to download certificate revocation lists (CRLs)
to verify TLS/SSL certificates. Port 443 is used for HTTPS traffic, for example to sync AD DS with Microsoft Entra.
Hybrid Identity required ports and protocols - Azure - Microsoft Entra | Microsoft Learn
Configure Azure Storage security - Training | Microsoft Learn
Question 19 of 50
You have an Azure Storage account named storage1.
You plan to store long-term backups in storage1. The solution must minimize costs.
Which storage tier should you use for the backups?
Your Answer
Cold
This answer is incorrect.
Correct Answer
Archive
This answer is correct.
Archive is an offline tier that is optimized for storing data that is rarely accessed and has flexible latency requirements.
Data in the Archive tier must be stored for a minimum of 180 days.
Hot, cool, and archive access tiers for blob data - Azure Storage | Microsoft Learn
Assign blob access tiers - Training | Microsoft Learn
Question 20 of 50
You have an Azure subscription that contains a storage account named storage1.
You need to provide storage1 with access to a partner organization. Access to storage1 must expire after 24 hours.
What should you configure?
Your Answer
a shared access signature (SAS)
This answer is correct.
Correct Answer
a shared access signature (SAS)
This answer is correct.
A SAS provides secure delegated access to resources in a storage account. With a SAS, you have granular control over
how a client can access data, including time restrictions.
Access keys and Azure CDN provide permanent access to resources. They will require manual steps to remove access.
Lifecycle management is not needed.
Configure Azure Storage security - Training | Microsoft Learn
Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Learn
Question 21 of 50
You have an Azure subscription.
You plan to create a storage account named storage1 to store images.
You need to replicate the images to a new storage account.
What are three requirements of storage1? Each correct answer presents part of a complete solution.
Your Answer
a file share
This answer is incorrect.
blob versioning
This answer is correct.
Correct Answer
a container
This answer is correct.
blob versioning
This answer is correct.
standard general-purpose v2
This answer is correct.
Versioning must be enabled for the source and target. An object type container is needed to replicate the images. You
must create a StandardV2 storage account. File shares are not needed, and queues are unsupported for replication.
Object replication overview - Azure Storage | Microsoft Learn
Configure Azure Blob Storage - Training | Microsoft Learn
Question 22 of 50
You plan to use the following two Azure Resource Manager (ARM) templates to provision virtual machines:
Template.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "type": "string",
      "metadata": {
      }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": {
      }
    },
    "dnsLabelPrefix": {
      "type": "string",
      "metadata": {
        "description": "Unique DNS Name for the Public IP used to access the Virtual Machine."
      }
    },
    ...
      "apiVersion": "2019-12-01",
      "type": "Microsoft.Compute/virtualMachines",
      "name": "[variables('vmName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[variables('storageAccountName')]",
        "[variables('nicName')]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "osProfile": {
          "computerName": "[variables('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        ...
Template.parameters.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "value": ""
    },
    "adminPassword": {
      ...
    }
  }
}
Which two resources should you provision to ensure that the password can be stored securely?
Your Answer
Access Policy
This answer is correct.
Correct Answer
Access Policy
This answer is correct.
You must create a new key vault, create the password from there, and then specify the parameters. You must also
create a Key Vault access policy to use in the template.
ARM template documentation | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Question 23 of 50
You have an Azure Resource Manager (ARM) template named deploy.json that is stored in an Azure Blob storage
container.
You plan to deploy the template by running the New-AzDeployment cmdlet.
Which parameter should you use to reference the template?
Your Answer
-Templatefile
This answer is incorrect.
Correct Answer
-TemplateUri
This answer is correct.
The PowerShell deployment cmdlets can be used to deploy JSON templates that are stored locally, in a resource
group as a template spec, or in a web-based location. You can use the -TemplateUri parameter to specify a web-
based location, such as GitHub or an Azure Blob Storage account. You can use -Templatefile to specify a local file.
You can use -TemplateSpecId to specify a template that was saved to Azure as a template spec.
Deploy resources with PowerShell and template - Azure Resource Manager | Microsoft Learn
Deploy Azure infrastructure by using JSON ARM templates - Training | Microsoft Learn
Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn
Question 24 of 50
You plan to deploy an Azure virtual machine based on a basic template stored in the Azure Resource Manager (ARM)
library.
What can you configure during the deployment of the template?
Your Answer
the disk assigned to virtual machine
This answer is incorrect.
Correct Answer
the resource group
This answer is correct.
When you deploy a resource by using a template, you can specify the resource group for the deployment. The
resource group is a container for Azure resources and makes it easier to manage the resources.
Deploy template - Azure portal - Azure Resource Manager | Microsoft Learn
New-AzResourceGroupDeployment (Az.Resources) | Microsoft Learn
Configure resources with Azure Resource Manager templates - Training | Microsoft Learn
Question 25 of 50
Your company has a set of resources deployed to an Azure subscription. The resources are deployed to a resource
group named app-grp1 by using Azure Resource Manager (ARM) templates.
You need to verify the date and the time that the resources in app-grp1 were created.
Which blade should you review for app-grp1 in the Azure portal?
Your Answer
Deployments
This answer is correct.
Correct Answer
Deployments
This answer is correct.
Navigating to the Diagnostics settings blade provides the ability to diagnose errors or review warnings. Navigating to
the Metrics blade provides metrics information (CPU, resources) to users. On the Deployments blade for the resource
group (app-grp1), all the details related to a deployment, such as the name, status, date last modified, and duration,
are visible. Navigating to the Policy blade only provides information related to the policies enforced on the resource
group.
Azure AD deployment checklist - Microsoft Entra | Microsoft Learn
Configure Azure resources with tools - Training | Microsoft Learn
Question 26 of 50
You are creating an Azure virtual machine that will run Windows Server.
You need to ensure that VM1 will be part of a virtual machine scale set.
Which setting should you configure during the creation of the virtual machine?
Your Answer
Region
This answer is incorrect.
Correct Answer
Availability options
This answer is correct.
You must configure the virtual machine scale set from the availability options. Azure spot instance is used to add
virtual machines with a discounted price. Region will not affect the configuration of the availability options. The
management setting allows you to configure the monitoring and management options for the virtual machine.
Availability options for Azure Virtual Machines - Azure Virtual Machines | Microsoft Learn
Configure virtual machine availability - Training | Microsoft Learn
Question 27 of 50
You have an Azure virtual network that contains two subnets named Subnet1 and Subnet2. You have a virtual machine
named VM1 that is connected to Subnet1. VM1 runs Windows Server.
You need to ensure that VM1 is connected directly to both subnets.
What should you do first?
Your Answer
From the Azure portal, create an IP group.
This answer is incorrect.
Correct Answer
From the Azure portal, add a network interface.
This answer is correct.
A network interface is used to connect a virtual machine to a subnet. Since VM1 is connected to Subnet1, VM1
already has a network interface attached that is connected to Subnet1. To connect VM1 directly to Subnet2, you must
create a new network interface that is connected to Subnet2. Next, you must attach the new network interface to
VM1.
An IP group is a user-defined collection of static IP addresses, ranges, and subnets. A network bridge allows you to
connect multiple existing network connections in Windows together. Changing the IP configurations of the existing
network interface results in VM1 being connected to Subnet2 but not to Subnet1.
Virtual networks and virtual machines in Azure | Microsoft Learn
Configure virtual networks - Training | Microsoft Learn
Question 28 of 50
You have an Azure virtual machine.
You receive a notification that the virtual machine is going to be affected by an underlying maintenance activity on
the physical infrastructure.
You need to move the virtual machine to a different host to avoid a service interruption.
What should you do?
Your Answer
Apply an Azure tag.
This answer is incorrect.
Correct Answer
Redeploy the virtual machine.
This answer is correct.
You must redeploy the virtual machine, which can move the virtual machine to a different host. Azure will shut down
the virtual machine and move the virtual machine to a new node within the Azure infrastructure.
Redeploy Windows virtual machines in Azure - Virtual Machines | Microsoft Learn
Configure virtual machines - Training | Microsoft Learn
Question 29 of 50
You plan to deploy an Azure virtual machine.
You are evaluating whether to use an Azure Spot instance.
Which two factors can cause an Azure Spot instance to be evicted? Each correct answer presents a complete solution.
Your Answer
the average CPU usages of the instance
This answer is incorrect.
Correct Answer
the Azure capacity needs
This answer is correct.
Azure Spot instances allow you to provision virtual machines at a reduced cost, but these virtual machines can be
stopped by Azure when Azure needs the capacity for other pay-as-you-go workloads, or when the price of the spot
instance exceeds the maximum price that you have set. These virtual machines are good for dev, testing, or for
workloads that do not require any specific SLA.
Use Azure Spot Virtual Machines - Azure Virtual Machines | Microsoft Learn
Configure virtual machine availability - Training | Microsoft Learn
Question 30 of 50
You have an Azure subscription that contains an Azure Storage account named vmstorageaccount1.
You create an Azure container instance named container1.
You need to configure persistent storage for container1.
What should you create in vmstorageaccount1?
Your Answer
a file share
This answer is correct.
Correct Answer
a file share
This answer is correct.
An Azure container instance (Docker container) can mount Azure File Storage shares as directories and use them as
persistent storage. An Azure container instance cannot mount blob containers, queues, or tables and use them as
persistent storage.
Persistent Docker volumes with Azure File Storage | Azure Blog and Updates | Microsoft Azure
Configure Azure Container Instances - Training | Microsoft Learn
Question 31 of 50
You have an Azure subscription that contains an Azure container app named cont1.
You plan to add scaling rules to cont1.
You need to ensure that cont1 replicas are created based on received messages in Azure Service Bus.
Which scale trigger should you use?
Your Answer
CPU usage
This answer is incorrect.
Correct Answer
event-driven
This answer is correct.
Azure Container Apps allows a set of triggers to create new instances, called replicas. For Azure Service Bus, an
event-driven trigger can be used to run the escalation method. The remaining scale triggers cannot use a scale rule
based on messages in Azure Service Bus.
Scaling in Azure Container Apps | Microsoft Learn
Configure Azure Container Instances - Training | Microsoft Learn
Question 32 of 50
You have a Basic Azure App Service plan that contains a web app.
You need to ensure that the web app can scale automatically when the CPU percentage goes beyond 80 percent for a
duration of 15 minutes.
Which two actions should you perform? Each correct answer presents part of the solution.
Your Answer
Configure a scaling condition to scale based on an instance count, and then set the instance count.
This answer is incorrect.
Correct Answer
Configure a scaling condition to scale based on a metric, and then add the rules.
This answer is correct.
Scale up the web app by adding more CPU, memory, and disk space to fulfill the requirement. Increase the number of
virtual machine instances that run the app. The scale settings take only seconds to apply and affect all the apps in the
App Service plan. Then, you must set up a scaling condition with the required metrics to scale up/down and scale
out/in when certain thresholds are met.
Scale up features and capacities - Azure App Service | Microsoft Learn
Configure Azure App Service - Training | Microsoft Learn
Question 33 of 50
You need to create an Azure App Service web app that runs on Windows. The web app requires scaling to five
instances, 45 GB of storage, and a custom domain name. The solution must minimize costs.
Which App Service plan should you use?
Your Answer
Standard
This answer is correct.
Correct Answer
Standard
This answer is correct.
The Standard service plan can host unlimited web apps, up to 50 GB of disk space, and up to 10 instances. The plan
will cost approximately $0.10/hour. The Free plan only offers 1 GB of disk size and 0 instances to host the app. The
Premium plan offers 250 GB of disk space and up to 30 instances and will cost approximately $0.20/hour. The Basic
plan offers 10 GB of disk space and up to three virtual machines.
App Service Pricing | Microsoft Azure
Configure Azure App Service plans - Training | Microsoft Learn
Question 34 of 50
You have an Azure subscription that contains two resource groups named RG1 and RG2.
RG1 contains the following resources:
A virtual network named VNet1 located in the East US Azure region
A network security group (NSG) named NSG1 located in the West US Azure region
RG2 contains the following resources:
A virtual network named VNet2 located in the East US Azure region
A virtual network named VNet3 located in the West US Azure region
You need to apply NSG1.
To which subnets can you apply NSG1?
Your Answer
the subnets of VNet1 and VNet2
This answer is incorrect.
Correct Answer
the subnets of VNet3 only
This answer is correct.
You can assign an NSG to a subnet of a virtual network that is in the same region as the NSG, and NSG1 is in the
West US region.
Plan Azure virtual networks | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 35 of 50
You have an Azure subscription that contains a network security group (NSG) named NSG1.
You plan to configure NSG1 to allow the following types of traffic:
Remote Desktop Management
Secured HTTPS
Which two ports should you allow in NSG1? Each correct answer presents part of the solution.
Your Answer
443
This answer is correct.
3389
This answer is correct.
Correct Answer
443
This answer is correct.
3389
This answer is correct.
You must open port 443 for secured HTTPS traffic, port 3389 for Remote Desktop, and 587 to send outbound email by
using authenticated SMTP relay. Port 80 is used for unsecured traffic. Port 25 is used by mail traffic.
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 36 of 50
You have an Azure virtual network that contains four subnets. Each subnet contains 10 virtual machines.
You plan to configure a network security group (NSG) that will allow inbound traffic over TCP port 8080 to two virtual
machines on each subnet. The NSG will be associated with each subnet.
You need to recommend a solution to configure the inbound access by using the fewest number of NSG rules
possible.
What should you use as the destination in the NSG?
Your Answer
an application security group
This answer is correct.
Correct Answer
an application security group
This answer is correct.
Application security groups allow you to group together the network interfaces from multiple virtual machines, and
then use the group as the source or destination in an NSG rule. The network interfaces must be in the same virtual
network.
You can use the IP address of each virtual machine as the destination, but you must create a rule for each virtual
machine.
Using the subnets will require four rules and will also allow traffic to all the virtual machines on those subnets.
Service tags are for specific Azure services, such as Azure App Service or Azure Backup.
Azure application security groups overview | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 37 of 50
You have a virtual machine named VM1 that is assigned to a network security group (NSG) named NSG1.
NSG1 has the following outbound security rules:
Rule1:
Priority: 900
Name: BlockInternet
Port: 80
Protocol: TCP
Source: Any
Destination: Any
Action: Block
Rule2:
Priority: 1000
Name: AllowInternet
Port: 80
Protocol: TCP
Source: Any
Destination: Any
Action: Allow
You need to ensure that internet access to VM1 on port 80 is allowed.
What should you do?
Your Answer
Change the priority of Rule2.
This answer is correct.
Correct Answer
Change the priority of Rule2.
This answer is correct.
Rule1 has higher priority, so the action will be blocked. You can increase the priority of Rule2, decrease the priority of
Rule1, or change the action of Rule1 to achieve the goal.
Azure network security groups overview | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 38 of 50
You deploy web servers to two virtual machines named VM1 and VM2 in an availability set named AVSet1.
You need to configure Azure Load Balancer with a backend pool of VM1 and VM2. The solution must minimize costs.
Which SKU should you use for the Azure Load Balancer configuration?
Your Answer
Azure Standard Load Balancer with Basic SKU public IP
This answer is incorrect.
Correct Answer
Basic Azure Load Balancer with Basic SKU public IP
This answer is correct.
Basic Azure Load Balancer supports deployment in a single availability zone. Basic Azure Load Balancer supports only
Basic SKU public IP. Azure Standard Load Balancer is zone-redundant, but has a higher cost.
Azure Load Balancer SKUs | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 39 of 50
You migrate a web app from on-premises to an Azure virtual machine. The web app was configured by using load
balancing in Azure.
Users experience issues when accessing the web app. You suspect an issue with the web server and must check
whether the server is listening on port 80.
Which command should you run?
Your Answer
`nbtstat -c`
This answer is incorrect.
Correct Answer
netstat -an
This answer is correct.
Using netstat -an will list the ports that the server is listening on. Test-NetConnection will perform a ping/ICMP
test. Nbtstat -c checks the NBT cache. Get-AzVirtualNetwork gets the virtual networks in a resource group.
Troubleshoot Azure Load Balancer | Microsoft Learn
Configure Azure Load Balancer - Training | Microsoft Learn
Question 40 of 50
You have an Azure subscription that contains a resource group named RG1. RG1 has a virtual network named VNet3, a
virtual machine named VM1, and a public IP address named PubIP1. All the resources are in the West US Azure
region.
You plan to create and configure a network security group (NSG) named NSG1 for the following types of traffic:
Remote Desktop Management
HTTP
NSG1 will be used on the subnets of multiple virtual networks.
Which two cmdlets should you run? Each correct answer presents part of the solution.
Your Answer
Add-AzNetworkInterfaceTapConfig
This answer is incorrect.
Correct Answer
New-AzNetworkSecurityGroup
This answer is correct.
New-AzNetworkSecurityRuleConfig
This answer is correct.
New-AzNetworkSecurityRuleConfig allows you to create a rule and provide the type, protocol, direction, and port
number. New-AzNetworkSecurityGroup creates a network security group (NSG). -SecurityRules specifies a list of
network security rule objects to create in an NSG.
New-AzNetworkSecurityRuleConfig (Az.Network) | Microsoft Learn
New-AzNetworkSecurityGroup (Az.Network) | Microsoft Learn
Azure network security groups overview | Microsoft Learn
Configure network security groups - Training | Microsoft Learn
Question 41 of 50
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2.
You need to ensure that the resources on both VNet1 and VNet2 can communicate seamlessly between both
networks.
What should you configure from the Azure portal?
Your Answer
peerings
This answer is correct.
Correct Answer
peerings
This answer is correct.
You can connect virtual networks to each other with virtual network peering. Once the virtual networks are peered,
the resources on both virtual networks can communicate with each other with the same latency and bandwidth as
though the resources were on the same virtual network.
Configure Azure Virtual Network peering - Training | Microsoft Learn
Connect virtual networks with VNet peering - Azure PowerShell | Microsoft Learn
Question 42 of 50
You have an Azure subscription that contains a virtual network named VNet1.
You plan to deploy a virtual machine named VM1 to be used as a network inspection appliance.
You need to ensure that all network traffic passes through VM1.
What should you do?
Your Answer
Configure a user-defined route.
This answer is correct.
Correct Answer
Configure a user-defined route.
This answer is correct.
Azure automatically creates a route table for each subnet on an Azure virtual network and adds system default routes
to the table. You can override some of the Azure system routes with custom user-defined routes and add more
custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes on a subnet's route
table.
Configure network routing and endpoints - Training | Microsoft Learn
Azure virtual network traffic routing | Microsoft Learn
Question 43 of 50
You have an Azure subscription that contains an Azure DNS zone named contoso.com.
You add a new subdomain named test.contoso.com.
You plan to delegate test.contoso.com to a different DNS server.
How should you configure the domain delegation?
Your Answer
Add an A record for test.contoso.com.
This answer is incorrect.
Correct Answer
Add an NS record set named test to the contoso.com zone.
This answer is correct.
You must create a DNS NS record set named test in the contoso.com zone. An NS zone must be created at the apex
of the zone named contoso.com. You do not need to create the SOA record set in test.contoso.com. It must only be
created in contoso.com. You do not need to create or modify the DNS A record.
Delegate a subdomain - Azure DNS | Microsoft Learn
Host your domain on Azure DNS - Training | Microsoft Learn
Question 44 of 50
You have a Log Analytics workspace that collects data from various data sources.
You create a new Azure Monitor log query.
You plan to view data pinned as a chart to a shared dashboard.
What is the maximum number of days for which data can be pinned as a chart on the dashboard?
Your Answer
30
This answer is incorrect.
Correct Answer
14
This answer is correct.
Data pinned on a shared dashboard can only be displayed for a maximum of 14 days.
Azure Monitor workbook chart visualizations - Azure Monitor | Microsoft Learn
Configure Azure Monitor - Training | Microsoft Learn
Question 45 of 50
You have an Azure virtual machine that hosts a third-party application named App1.
Users report that they experience performance issues when they use the application.
You need to find the root cause of the performance issue.
What should you use?
Your Answer
activity logs
This answer is incorrect.
Correct Answer
Azure Monitor
This answer is correct.
Azure Monitor stores metrics in a time-series database that is optimized for analyzing time-stamped data. Activity
logs proactively detect and address issues before users notice them. Azure Advisor analyzes configuration and usage
metrics but does not provide time-lapsed data. Azure Cost only helps to optimize and reduce overall Azure spending.
Overview of Azure Monitor Alerts - Azure Monitor | Microsoft Learn
Configure Azure alerts - Training | Microsoft Learn
Question 46 of 50
You have an Azure virtual machine that runs Linux. The virtual machine hosts a custom application that outputs log
data in the JSON format.
You need to recommend a solution to collect the logs in Azure Monitor.
What should you include in the recommendation?
Your Answer
the Log Analytics agent for Linux
This answer is correct.
Correct Answer
the Log Analytics agent for Linux
This answer is correct.
You can use the Log Analytics agent for Linux as part of a solution to collect JSON output from the Linux virtual
machines.
The Azure Custom Script Extension is used for post-deployment configuration, software installation, or any other
configuration or management task.
Desired State Configuration (DSC) is a management platform that you can use to manage an IT and development
infrastructure with configuration as code.
The Azure VMAccess extension acts as a KVM switch that allows you to access the console to reset access to Linux or
perform disk-level maintenance.
Collecting custom JSON data sources with the Log Analytics agent for Linux in Azure Monitor - Azure Monitor | Microsoft Learn
Configure Azure Monitor - Training | Microsoft Learn
Question 47 of 50
You have multiple Azure virtual machines and an Azure Recovery Services vault. The virtual machines are configured
with the default backup policy.
What is the retention period of virtual machine backups in the default backup policy?
Your Answer
90 days
This answer is incorrect.
Correct Answer
30 days
This answer is correct.
Correct Answer
a Log Analytics workspace
This answer is correct.
A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as
Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration
and can combine data from multiple services.
Log Analytics workspace overview - Azure Monitor | Microsoft Docs
Determine Log Analytics uses - Training | Microsoft Learn
Question 49 of 50
You plan to provision an Azure subscription that will contain the following virtual networks:
VNet1 in the East US Azure region with two subnets
VNet2 in the East US region with four subnets
VNet3 in the West Europe Azure region with four subnets
VNet4 in the West Europe region with two subnets
How many Azure Network Watcher instances will be provisioned as part of the deployment?
Your Answer
2
This answer is correct.
Correct Answer
2
This answer is correct.
Azure Network Watcher is a regional service that allows you to monitor and diagnose conditions at a network
scenario level in, to, and from Azure. When you create or update a virtual network in a subscription, Network Watcher
will be enabled automatically in the virtual network's region. There is no impact on resources or associated charges for
automatically enabling Network Watcher.
Create an Azure Network Watcher instance | Microsoft Learn
Configure Network Watcher - Training | Microsoft Learn
Question 50 of 50
You have an Azure subscription that contains virtual machines, virtual networks, application gateways, and load
balancers.
You need to monitor the network health of the resources.
Which Azure service should you use?
Your Answer
Azure Network Watcher
This answer is correct.
Correct Answer
Azure Network Watcher
This answer is correct.
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources on
an Azure virtual network. Azure Resource Manager is the deployment and management service for Azure. Network
security groups (NSGs) are used only for security, not monitoring. Azure Monitor is used for the HTTP Data Collector
API to send log data to Log Analytics.
Azure Network Watcher | Microsoft Learn
Configure Network Watcher - Training | Microsoft Learn
Implement and