Exam Preparation for AZ-900
Questions 101-125 (out of 185)
QUESTION 101
Your company plans to migrate all on-premises data to Azure. You need to identify whether Azure complies with the company’s regional requirements.
What should you use?
A. the Knowledge Center
B. Azure Marketplace
C. the Azure portal
D. the Trust Center
Correct Answer: D
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Azure has more than 90 compliance certifications, including over 50 specific to global regions and countries,
such as the US, the European Union, Germany, Japan, the United Kingdom, India and China.
You can view a list of compliance certifications in the Trust Center to determine whether Azure meets your
regional requirements.
References:
https://azure.microsoft.com/en-gb/overview/trusted-cloud/compliance/
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal
QUESTION 102
This question requires that you evaluate the underlined text to determine if it is correct.
Azure Key Vault is used to store secrets for Azure Active Directory (Azure AD) user accounts.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed
B. Azure Active Directory (Azure AD) administrative accounts
C. Personally Identifiable Information (PII)
D. server applications
Correct Answer: D
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault
greatly reduces the chances that secrets may be accidentally leaked. When using Key Vault, application
developers no longer need to store security information in their application. Not having to store security
information in applications eliminates the need to make this information part of the code. For example, an
application may need to connect to a database. Instead of storing the connection string in the app’s code, you
can store it securely in Key Vault.
References:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/
QUESTION 103
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Box 1: No
Authorization to access Azure resources can be provided by other identity providers by using federation. A
commonly used example of this is to federate your on-premises Active Directory environment with Azure AD
and use this federation for authentication and authorization.
Box 2: Yes
As described above, third-party cloud services and on-premises Active Directory can be used to access Azure
resources. This is known as ‘federation’.
Federation is a collection of domains that have established trust. The level of trust may vary, but typically
includes authentication and almost always includes authorization. A typical federation might include a number
of organizations that have established trust for shared access to a set of resources.
Box 3: Yes
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in
authentication and authorization service to provide secure access to Azure resources.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
QUESTION 104
Your company plans to automate the deployment of servers to Azure.
Your manager is concerned that you may expose administrative credentials during the deployment.
You need to recommend an Azure solution that encrypts the administrative credentials during the deployment.
What should you include in the recommendation?
A. Azure Key Vault
B. Azure Information Protection
C. Azure Security Center
D. Azure Multi-Factor Authentication (MFA)
Correct Answer: A
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Azure Key Vault is a secure store for storage various types of sensitive information. In this question, we would
store the administrative credentials in the Key Vault. With this solution, there is no need to store the
administrative credentials as plain text in the deployment scripts.
All information stored in the Key Vault is encrypted.
Azure Key Vault can be used to Securely store and tightly control access to tokens, passwords, certificates, API
keys, and other secrets.
Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware
security modules (HSMs). The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2
validated.
Access to a key vault requires proper authentication and authorization before a caller (user or application) can
get access. Authentication establishes the identity of the caller, while authorization determines the operations
that they are allowed to perform.
References:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
QUESTION 105
You plan to deploy several Azure virtual machines.
You need to control the ports that devices on the Internet can use to access the virtual machines.
What should you use?
A. a network security group (NSG)
B. an Azure Active Directory (Azure AD) role
C. an Azure Active Directory group
D. an Azure key vault
Correct Answer: A
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
A network security group works like a firewall. You can attach a network security group to a virtual network
and/or individual subnets within the virtual network. You can also attach a network security group to a network
interface assigned to a virtual machine. You can use multiple network security groups within a virtual network
to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security
group. A network security group contains security rules that allow or deny inbound network traffic to, or
outbound network traffic from, several types of Azure resources.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
QUESTION 106
This question requires that you evaluate the underlined text to determine if it is correct.
If a resource group named RG1 has a delete lock, only a member of the global administrators group can delete
RG1.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed
B. the delete lock must be removed before an administrator
C. an Azure policy must be modified before an administrator
D. an Azure tag must be added before an administrator
Correct Answer: B
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
You can configure a lock on a resource group to prevent the accidental deletion of the resource group. The
lock applies to everyone, including global administrators. If you want to delete the resource group, the lock
must be removed first.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in
your organization from accidentally deleting or modifying critical resources. You can set the lock level
to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the
resource.
ReadOnly means authorized users can read a resource, but they can’t delete or update the resource.
Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
QUESTION 107
This question requires that you evaluate the underlined text to determine if it is correct.
Azure Germany can be used by legal residents of Germany only.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. no change is needed
B. only enterprises that are registered in Germany
C. only enterprises that purchase their azure licenses from a partner based in Germany
D. any user or enterprise that requires its data to reside in Germany
Correct Answer: D
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Azure Germany is available to eligible customers and partners globally who intend to do business in the EU/
EFTA, including the United Kingdom.
Azure Germany offers a separate instance of Microsoft Azure services from within German datacenters. The
datacenters are in two locations, Frankfurt/Main and Magdeburg. This placement ensures that customer data
remains in Germany and that the datacenters connect to each other through a private network. All customer
data is exclusively stored in those datacenters. A designated German company–the German data trustee–
controls access to customer data and the systems and infrastructure that hold customer data.
References:
https://docs.microsoft.com/en-us/azure/germany/germany-welcome?toc=%2fazure%2fgermany%2ftoc.json
https://docs.microsoft.com/en-us/azure/germany/germany-overview-data-trustee
QUESTION 108
This question requires that you evaluate the underlined text to determine if it is correct.
After you create a virtual machine, you need to modify the network security group (NSG) to allow connections to
TCP port 8080 on the virtual machine.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed
B. virtual network gateway
C. virtual network
D. route table
Correct Answer: A
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
When you create a virtual machine, the default setting is to create a Network Security Group attached to the
network interface assigned to a virtual machine.
A network security group works like a firewall. You can attach a network security group to a virtual network
and/or individual subnets within the virtual network. You can also attach a network security group to a network
interface assigned to a virtual machine. You can use multiple network security groups within a virtual network
to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security
group. A network security group contains security rules that allow or deny inbound network traffic to, or
outbound network traffic from, several types of Azure resources.
In this question, we need to add a rule to the network security group to allow the connection to the virtual
machine on port 8080.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
QUESTION 109
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify a network security group (NSG).
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
A network security group works like a firewall. You can attach a network security group to a virtual network
and/or individual subnets within the virtual network. You can also attach a network security group to a network
interface assigned to a virtual machine. You can use multiple network security groups within a virtual network
to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security
group. A network security group contains security rules that allow or deny inbound network traffic to, or
outbound network traffic from, several types of Azure resources.
In this question, we need to add a rule to the network security group to allow the connection to the virtual
machine on port 80 (HTTP).
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
QUESTION 110
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Box 1: Yes
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect
synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of
all the operations that are related to synchronize identity data between your on-premises environment and
Azure AD.
Box 2: Yes
As described above, third-party cloud services and on-premises Active Directory can be used to access Azure
resources. This is known as ‘federation’.
Federation is a collection of domains that have established trust. The level of trust may vary, but typically
includes authentication and almost always includes authorization. A typical federation might include a number
of organizations that have established trust for shared access to a set of resources.
Box 3: Yes
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in
authentication and authorization service to provide secure access to Azure resources.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
QUESTION 111
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Box 1: No
Azure Active Directory (Azure AD) is a cloud-based service. It does not require domain controllers on virtual
machines.
Box 2: Yes
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in
authentication and authorization service to provide secure access to Azure resources and Microsoft 365.
Box 3: No
User accounts in Azure Active Directory can be assigned multiple licenses for different Azure or Microsoft 365
services.
QUESTION 112
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify a DDoS protection plan.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
DDoS is a form of attack on a network resource. A DDoS protection plan is used to protect against DDoS
attacks; it does not provide connectivity to a virtual machine.
To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP, you need to modify a
network security group or Azure Firewall.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview
QUESTION 113
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify an Azure firewall.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network
resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
In this question, we need to add a rule to Azure Firewall to allow the connection to the virtual machine on port
80 (HTTP).
References:
https://docs.microsoft.com/en-us/azure/firewall/overview
QUESTION 114
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify an Azure Traffic Manager profile.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Azure Traffic Manager is a DNS-based load balancing solution. It is not used to ensure that a virtual machine
named VM1 is accessible from the Internet over HTTP.
To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP, you need to modify a
network security group or Azure Firewall.
In this question, we need to add a rule to a network security group or Azure Firewall to allow the connection to
the virtual machine on port 80 (HTTP).
References:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
QUESTION 115
Which two types of customers are eligible to use Azure Government to develop a cloud solution? Each correct
answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a Canadian government contractor
B. a European government contractor
C. a United States government entity
D. a United States government contractor
E. a European government entity
Correct Answer: CD
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Azure Government is a cloud environment specifically built to meet compliance and security requirements for
US government. This mission-critical cloud delivers breakthrough innovation to U.S. government customers
and their partners. Azure Government applies to government at any level — from state and local governments
to federal agencies including Department of Defense agencies.
The key difference between Microsoft Azure and Microsoft Azure Government is that Azure Government is a
sovereign cloud. It’s a physically separated instance of Azure, dedicated to U.S. government workloads only. It’s
built exclusively for government agencies and their solution providers.
References:
https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-government/2-what-is-azure-government
QUESTION 116
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Box 1: No
It is not true that you must deploy a federation solution or sync on-premises identities to the cloud. You can
have a cloud-only environment and use MFA.
Box 2: No
Picture identification and passport numbers are not valid MFA authentication methods. Valid methods include:
Password, Microsoft Authenticator App, SMS and Voice call.
Box 3:
You can configure MFA to be required for administrator accounts only or you can configure MFA for any user
account.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
QUESTION 117
You need to ensure that when Azure Active Directory (Azure AD) users connect to Azure AD from the Internet
by using an anonymous IP address, the users are prompted automatically to change their password.
Which Azure service should you use?
A. Azure AD Connect Health
B. Azure AD Privileged Identity Management
C. Azure Advanced Threat Protection (ATP)
D. Azure AD Identity Protection
Correct Answer: D
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Azure AD Identity Protection includes two risk policies: sign-in risk policy and user risk policy. A sign-in risk
represents the probability that a given authentication request isn’t authorized by the identity owner.
There are several types of risk detection. One of them is Anonymous IP Address. This risk detection type
indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP
addresses are typically used by actors who want to hide their login telemetry (IP address, location, device, etc.)
for potentially malicious intent.
You can configure the sign-in risk policy to require that users change their password.
References:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
QUESTION 118
DRAG DROP
Match the term to the correct definition.
Instructions: To answer, drag the appropriate term from the column on the left to its description on the right.
Each term may be used once, more than once, or not at all.
NOTE: Each correct match is worth one point.
Select and Place:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Box 1: ISO
ISO is the International Organization for Standardization. Companies can be certified to ISO standards, for
example ISO 9001 or 27001 are commonly used in IT companies.
Box 2: NIST
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory, and a nonregulatory agency of the United States Department of Commerce.
Box 3: GDPR
GDPR is the General Data Protection Regulations. This standard was adopted across Europe in May 2018 and
replaces the now deprecated Data Protection Directive.
The General Data Protection Regulation (EU) (GDPR) is a regulation in EU law on data protection and privacy
in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal
data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal
data and to simplify the regulatory environment for international business by unifying the regulation within the
EU.
Box 4: Azure Government
US government agencies or their partners interested in cloud services that meet government security and
compliance requirements, can be confident that Microsoft Azure Government provides world-class security,
protection, and compliance services. Azure Government delivers a dedicated cloud enabling government
agencies and their partners to transform mission-critical workloads to the cloud. Azure Government services
handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST
800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. In order to provide you with the highest level of security and
compliance, Azure Government uses physically isolated datacenters and networks (located in U.S. only).
References:
https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-welcome
QUESTION 119
Your company plans to deploy several web servers and several database servers to Azure.
You need to recommend an Azure solution to limit the types of connections from the web servers to the
database servers.
What should you include in the recommendation?
A. network security groups (NSGs)
B. Azure Service Bus
C. a local network gateway
D. a route filter
Correct Answer: A
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
A network security group works like a firewall. You can attach a network security group to a virtual network
and/or individual subnets within the virtual network. You can also attach a network security group to a network
interface assigned to a virtual machine. You can use multiple network security groups within a virtual network
to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security
group. A network security group contains security rules that allow or deny inbound network traffic to, or
outbound network traffic from, several types of Azure resources.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
QUESTION 120
To what should an application connect to retrieve security tokens?
A. an Azure Storage account
B. Azure Active Directory (Azure AD)
C. a certificate store
D. an Azure key vault
Correct Answer: B
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Azure AD authenticates users and provides access tokens. An access token is a security token that is issued
by an authorization server. It contains information about the user and the app for which the token is intended,
which can be used to access Web APIs and other protected resources.
Instead of creating apps that each maintain their own username and password information, which incurs a high
administrative burden when you need to add or remove users across multiple apps, apps can delegate that
responsibility to a centralized identity provider.
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. Delegating authentication and
authorization to it enables scenarios such as Conditional Access policies that require a user to be in a specific
location, the use of multi-factor authentication, as well as enabling a user to sign in once and then be
automatically signed in to all of the web apps that share the same centralized directory. This capability is
referred to as Single Sign On (SSO).
References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
QUESTION 121
This question requires that you evaluate the underlined text to determine if it is correct.
Resource groups provide organizations with the ability to manage the compliance of Azure resources across
multiple subscriptions.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed
B. Management groups
C. Azure policies
D. Azure App Service plans
Correct Answer: C
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Azure policies can be used to define requirements for resource properties during deployment and for already
existing resources. Azure Policy controls properties such as the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce
different rules and effects over your resources, so those resources stay compliant with your corporate
standards and service level agreements. Azure Policy meets this need by evaluating your resources for noncompliance with assigned policies. All data stored by Azure Policy is encrypted at rest.
For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment.
Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type
of policy, existing resources can be brought into compliance.
References:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
QUESTION 122
Your network contains an Active Directory forest. The forest contains 5,000 user accounts.
Your company plans to migrate all network resources to Azure and to decommission the on-premises data
center.
You need to recommend a solution to minimize the impact on users after the planned migration.
What should you recommend?
A. Implement Azure Multi-Factor Authentication (MFA)
B. Sync all the Active Directory user accounts to Azure Active Directory (Azure AD)
C. Instruct all users to change their password
D. Create a guest user account in Azure Active Directory (Azure AD) for each user
Correct Answer: B
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
To migrate to Azure and decommission the on-premises data center, you would need to create the 5,000 user
accounts in Azure Active Directory. The easy way to do this is to sync all the Active Directory user accounts to
Azure Active Directory (Azure AD). You can even sync their passwords to further minimize the impact on
users.
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect
synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of
all the operations that are related to synchronize identity data between your on-premises environment and
Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
QUESTION 123
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
Box 1: Yes
You can send Azure AD activity logs to Azure Monitor logs to enable rich visualizations, monitoring and alerting
on the connected data.
All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs (including Azure AD
activity logs). Activity logs record when resources are created or modified. Metrics tell you how the resource is
performing and the resources that it’s consuming.
Box 2: No
Azure Monitor cannot monitor resources in multiple subscriptions.
Box 3: Yes
You can create alerts in Azure Monitor.
Alerts in Azure Monitor proactively notify you of critical conditions and potentially attempt to take corrective
action. Alert rules based on metrics provide near real time alerting based on numeric values, while rules based
on logs allow for complex logic across data from multiple sources.
References:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor
https://docs.microsoft.com/en-us/azure/azure-monitor/overview
QUESTION 124
This question requires that you evaluate the underlined text to determine if it is correct.
From Access Control (IAM), you can view which user turned off a specific virtual machine during the last 14
days.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed
B. Azure Event Hubs
C. Azure Activity Log
D. Azure Service Health
Correct Answer: C
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
You would use the Azure Activity Log, not Access Control to view which user turned off a specific virtual
machine during the last 14 days.
Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn’t more
than 90 days in the past.
In this question, we would create a filter to display shutdown operations on the virtual machine in the last 14
days.
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit
QUESTION 125
Which service provides network traffic filtering across multiple Azure subscriptions and virtual networks?
A. Azure Firewall
B. an application security group
C. Azure DDoS protection
D. a network security group (NSG)
Correct Answer: A
Section: Understand Security, Privacy, Compliance and Trust
Explanation
Explanation/Reference:
Explanation:
You can restrict traffic to multiple virtual networks in multiple subscriptions with a single Azure firewall.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network
resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
You can centrally create, enforce, and log application and network connectivity policies across subscriptions
and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing
outside firewalls to identify traffic originating from your virtual network.
References:
https://docs.microsoft.com/en-us/azure/firewall/overview
No comments:
Post a Comment