Exam Preparation for AZ-900
Questions 126-150 (out of 185)
QUESTION 126
HOTSPOT
You create a resource group named RG1 in Azure Resource Manager.
You need to prevent the accidental deletion of the resources in RG1.
Which setting should you use? To answer, select the appropriate setting in the answer area.
Hot Area:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
You can configure a lock on a resource group to prevent the accidental deletion.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in
your organization from accidentally deleting or modifying critical resources. You can set the lock level
to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the
resource.
ReadOnly means authorized users can read a resource, but they can’t delete or update the resource.
Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
QUESTION 127
Which Azure service should you use to store certificates?
A. Azure Security Center
B. an Azure Storage account
C. Azure Key Vault
D. Azure Information Protection
Correct Answer: C
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
Azure Key Vault is a secure store for various types of sensitive information, including passwords and
certificates.
Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API
keys, and other secrets.
Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware
security modules (HSMs). The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2
validated.
Access to a key vault requires proper authentication and authorization before a caller (user or application) can
get access. Authentication establishes the identity of the caller, while authorization determines the operations
that they are allowed to perform.
References:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
QUESTION 128
You have a resource group named RG1.
You plan to create virtual networks and app services in RG1.
You need to prevent the creation of virtual machines only in RG1.
What should you use?
A. a lock
B. an Azure role
C. a tag
D. an Azure policy
Correct Answer: D
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
Azure policies can be used to define requirements for resource properties during deployment and for already
existing resources. Azure Policy controls properties such as the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce
different rules and effects over your resources, so those resources stay compliant with your corporate
standards and service level agreements.
In this question, we would create an Azure policy assigned to the resource group that denies the creation of
virtual machines in the resource group.
You could place a read-only lock on the resource group. However, that would prevent the creation of any
resources in the resource group, not virtual machines only. Therefore, an Azure Policy is a better solution.
References:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
QUESTION 129
What can Azure Information Protection encrypt?
A. network traffic
B. documents and email messages
C. an Azure Storage account
D. an Azure SQL database
Correct Answer: B
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
Azure Information Protection can encrypt documents and emails.
Azure Information Protection is a cloud-based solution that helps an organization to classify and, optionally,
protect its documents and emails by applying labels. Labels can be applied automatically by administrators who
define rules and conditions, manually by users, or a combination where users are given recommendations.
The protection technology uses Azure Rights Management (often abbreviated to Azure RMS). This technology
is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active
Directory.
This protection technology uses encryption, identity, and authorization policies. Similarly to the labels that are
applied, protection that is applied by using Rights Management stays with the documents and emails,
independently of the location—inside or outside your organization, networks, file servers, and applications.
References:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
https://docs.microsoft.com/en-us/azure/information-protection/quickstart-label-dnf-protectedemail
QUESTION 130
What should you use to evaluate whether your company’s Azure environment meets regulatory requirements?
A. the Knowledge Center website
B. the Advisor blade from the Azure portal
C. Compliance Manager from the Security Trust Portal
D. the Security Center blade from the Azure portal
Correct Answer: D
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
The Security Center blade from the Azure portal includes the ‘regulatory compliance dashboard’.
The regulatory compliance dashboard provides insight into your compliance posture for a set of supported
standards and regulations, based on continuous assessments of your Azure environment.
In the Azure Security Center regulatory compliance blade, you can get an overview of key portions of your
compliance posture with respect to a set of supported standards. Currently supported standards are Azure CIS,
PCI DSS 3.2, ISO 27001, and SOC TSP.
In the dashboard, you will find your overall compliance score, and the number of passing versus failing
assessments with each standard. You can now focus your attention on the gaps in compliance for a standard or
regulation that is important to you.
References:
https://azure.microsoft.com/en-us/blog/regulatory-compliance-dashboard-in-azure-security-center-nowavailable/
QUESTION 131
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
Box 1: No
Azure Advisor does not generate a list of virtual machines that ARE protected by Azure Backup. Azure Advisor
does, however, generate a list of virtual machines that ARE NOT protected by Azure Backup. You can view a list of virtual
machines that are protected by Azure Backup by viewing the Protected Items in the Azure Recovery Services
Vault.
Box 2: No
If you implement the security recommendations, your company’s score will increase, not decrease.
Box 3: No
There is no requirement to implement the security recommendations provided by Azure Advisor. The
recommendations are just that, ‘recommendations’. They are not ‘requirements’.
References:
https://azure.microsoft.com/en-gb/blog/advisor-backup-recommendations/
https://docs.microsoft.com/en-us/azure/advisor/advisor-overview
https://microsoft.github.io/AzureTipsAndTricks/blog/tip173.html
QUESTION 132
This question requires that you evaluate the underlined text to determine if it is correct.
Your company implements Azure policies to automatically add a watermark to Microsoft Word documents that
contain credit card information.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed.
B. DDoS protection
C. Azure Information Protection
D. Azure Active Directory (Azure AD) Identity Protection
Correct Answer: C
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
Azure Information Protection is used to automatically add a watermark to Microsoft Word documents that
contain credit card information.
You use Azure Information Protection labels to apply classification to documents and emails. When you do this,
the classification is identifiable regardless of where the data is stored or with whom it’s shared. The labels can
include visual markings such as a header, footer, or watermark.
Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a
combination where users are given recommendations. In this question, we would configure a label to be
automatically applied to Microsoft Word documents that contain credit card information. The label would then
add the watermark to the documents.
References:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
https://docs.microsoft.com/en-us/azure/information-protection/infoprotect-quick-start-tutorial
QUESTION 133
This question requires that you evaluate the underlined text to determine if it is correct.
From Azure Monitor, you can view which user turned off a specific virtual machine during the last 14 days.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed
B. Azure Event Hubs
C. Azure Activity Log
D. Azure Service Health
Correct Answer: C
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
You would use the Azure Activity Log, not Azure Monitor, to view which user turned off a specific virtual machine
during the last 14 days.
Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn’t more
than 90 days in the past.
In this question, we would create a filter to display shutdown operations on the virtual machine in the last 14
days.
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit
QUESTION 134
This question requires that you evaluate the underlined text to determine if it is correct.
You have an Azure virtual network named VNET1 in a resource group named RG1.
You assign an Azure policy specifying that virtual networks are not an allowed resource type in RG1. VNET1 is
deleted automatically.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed
B. is moved automatically to another resource group
C. continues to function normally
D. is now a read-only object
Correct Answer: C
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
The VNet will be marked as ‘Non-compliant’ when the policy is assigned. However, it will not be deleted and
will continue to function normally.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce
different rules and effects over your resources, so those resources stay compliant with your corporate
standards and service level agreements.
If there are any existing resources that aren’t compliant with a new policy assignment, they appear under Non-compliant resources.
References:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal
QUESTION 135
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
Box 1: No
Azure firewall does not encrypt network traffic. It is used to block or allow traffic based on source/destination IP
address, source/destination ports and protocol.
Box 2: No
A network security group does not encrypt network traffic. It works in a similar way to a firewall in that it is used
to block or allow traffic based on source/destination IP address, source/destination ports and protocol.
Box 3: No
The question is rather vague as it would depend on the configuration of the host on the Internet. Windows
Server does come with a VPN client and it also supports other encryption methods such as IPSec encryption or
SSL/TLS so it could encrypt the traffic if the Internet host was configured to require or accept the encryption.
However, the VM could not encrypt the traffic to an Internet host that is not configured to require the encryption.
References:
https://docs.microsoft.com/en-us/azure/security/azure-security-data-encryption-best-practices#protect-data-intransit
QUESTION 136
Your company has an Azure environment that contains resources in several regions.
A company policy states that administrators must only be allowed to create additional Azure resources in a
region in the country where their office is located.
You need to create the Azure resource that must be used to meet the policy requirement.
What should you create?
A. a read-only lock
B. an Azure policy
C. a management group
D. a reservation
Correct Answer: B
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
Azure policies can be used to define requirements for resource properties during deployment and for already
existing resources. Azure Policy controls properties such as the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce
different rules and effects over your resources, so those resources stay compliant with your corporate
standards and service level agreements. Azure Policy meets this need by evaluating your resources for noncompliance with assigned policies. All data stored by Azure Policy is encrypted at rest.
Azure Policy offers several built-in policies that are available by default. In this question, we would use the
‘Allowed Locations’ policy to define the locations where resources can be deployed.
References:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
QUESTION 137
This question requires that you evaluate the underlined text to determine if it is correct.
From Azure Cloud Shell, you can track your company’s regulatory standards and regulations, such as ISO
27001.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed.” If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed.
B. the Microsoft Cloud Partner Portal
C. Compliance Manager
D. the Trust Center
Correct Answer: C
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
Microsoft Compliance Manager (Preview) is a free workflow-based risk assessment tool that lets you track,
assign, and verify regulatory compliance activities related to Microsoft cloud services. Azure Cloud Shell, on the
other hand, is an interactive, authenticated, browser-accessible shell for managing Azure resources.
References:
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-overview
https://docs.microsoft.com/en-us/azure/cloud-shell/overview
QUESTION 138
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
Azure AD join only applies to Windows 10 devices.
References:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy
https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan
QUESTION 139
This question requires that you evaluate the underlined text to determine if it is correct.
The Microsoft Online Services Privacy Statement explains what data Microsoft processes, how Microsoft
processes the data, and the purpose of processing the data.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed.” If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed.
B. Microsoft Online Services Terms
C. Microsoft Online Service Level Agreement
D. Online Subscription Agreement for Microsoft Azure
Correct Answer: A
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
The Microsoft Privacy Statement explains what personal data Microsoft processes, how Microsoft processes
the data, and the purpose of processing the data.
References:
https://privacy.microsoft.com/en-us/privacystatement
QUESTION 140
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Security, Privacy, Compliance and Trust
Explanation:
Box 1: Yes
Azure Security Center is a unified infrastructure security management system that strengthens the security
posture of your data centers, and provides advanced threat protection across your hybrid workloads in the
cloud – whether they’re in Azure or not – as well as on premises.
Box 2: No
Only two features: Continuous assessment and security recommendations, and Azure secure score, are free.
Box 3: Yes
The advanced monitoring capabilities in Security Center also let you track and manage compliance and
governance over time. The overall compliance provides you with a measure of how much your subscriptions
are compliant with policies associated with your workload.
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
QUESTION 141
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Azure Pricing and Support
Explanation:
Box 1: No
The price of Azure storage varies by region. If you use the Azure storage pricing page, you can select different
regions and see how the price changes per region.
Box 2: No
You are charged for read and write operations in general-purpose v2 storage accounts.
Box 3: No
You would be charged for the read operations of the source storage account and write operations in the
destination storage account.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://azure.microsoft.com/en-gb/pricing/details/storage/blobs/
QUESTION 142
This question requires that you evaluate the underlined text to determine if it is correct.
You have several virtual machines in an Azure subscription. You create a new subscription. The virtual
machines cannot be moved to the new subscription.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed
B. The virtual machines can be moved to the new subscription
C. The virtual machines can be moved to the new subscription only if they are all in the same resource group
D. The virtual machines can be moved to the new subscription only if they run Windows Server 2016.
Correct Answer: B
Section: Understand Azure Pricing and Support
Explanation:
You can move a VM and its associated resources to a different subscription by using the Azure portal.
Moving between subscriptions can be handy if you originally created a VM in a personal subscription and now
want to move it to your company’s subscription to continue your work. You do not need to start the VM in order
to move it and it should continue to run during the move.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm
QUESTION 143
You attempt to create several managed Microsoft SQL Server instances in an Azure environment and receive a
message that you must increase your Azure subscription limits.
What should you do to increase the limits?
A. Create a service health alert
B. Upgrade your support plan
C. Modify an Azure policy
D. Create a new support request
Correct Answer: D
Section: Understand Azure Pricing and Support
Explanation
Many Azure resources have quota limits. The purpose of the quota limits is to help you control your Azure costs.
However, it is common to require an increase to the default quota.
You can request a quota limit increase by opening a support request. In the support request, select ‘Service
and subscription limits (quotas)’ for the Issue type, select your subscription and the service you want to
increase the quota for. For this question, you would select ‘SQL Database Managed Instance’ as the quota
type.
References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-resourcelimits#obtaining-a-larger-quota-for-sql-managed-instance
QUESTION 144
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Azure Pricing and Support
Explanation:
Box 1: No
Azure Free Account gives you 12 months access to the most popular free services. It also gives you a credit
(150 GBP or 200 USD) to use on any Azure service for up to 30 days.
Box 2: Yes
All free accounts expire after 12 months.
Box 3: No
You can only create one free Azure account per Microsoft account.
References:
https://azure.microsoft.com/en-gb/free/
QUESTION 145
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Azure Pricing and Support
Explanation:
Box 1: Yes
You can assign additional account administrators in the Azure Portal.
Box 2: No
You need an Azure Active Directory account to manage a subscription, not a Microsoft account.
An account is created in the Azure Active Directory when you create the subscription. Further accounts can be
created in the Azure Active Directory to manage the subscription.
Box 3: No
Resource groups are logical containers for Azure resources. However, resource groups do not contain
subscriptions. Subscriptions contain resource groups.
References:
https://docs.microsoft.com/en-us/office365/enterprise/subscriptions-licenses-accounts-and-tenants-formicrosoft-cloud-offerings
QUESTION 146
Your company has 10 offices. You plan to generate several billing reports from the Azure portal. Each report
will contain the Azure resource utilization of each office.
Which Azure Resource Manager feature should you use before you generate the reports?
A. tags
B. templates
C. locks
D. policies
Correct Answer: A
Section: Understand Azure Pricing and Support
Explanation:
You can use resource tags to ‘label’ Azure resources. Tags are metadata elements attached to resources.
Tags consist of pairs of key/value strings. In this question, we would tag each resource with a tag to identify
each office. For example: Location = Office1. When all Azure resources are tagged, you can generate reports
to list all resources based on the value of the tag. For example: All resources used by Office1.
References:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/resource-tagging/
QUESTION 147
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Azure Pricing and Support
Explanation:
Box 1: Yes
Microsoft guarantees at least 99.9% availability of the Azure Active Directory Basic and Premium services. The
services are considered available in the following scenarios:
Users are able to log in to the service, log in to the Access Panel, access applications on the Access Panel
and reset passwords.
IT administrators are able to create, read, write and delete entries in the directory or provision or deprovision users to applications in the directory.
Box 2: No
No SLA is provided for the Free tier of Azure Active Directory.
Box 3: Yes
You can claim credit if the availability falls below the SLA. The amount of credit depends on the availability. For
example: You can claim 25% credit if the availability is less than 99.9%, 50% credit for less than 99% and
100% for less than 95% availability.
References:
https://azure.microsoft.com/en-gb/support/legal/sla/active-directory/v1_0/
QUESTION 148
This question requires that you evaluate the underlined text to determine if it is correct.
You deploy an Azure resource. The resource becomes unavailable for an extended period due to a service
outage. Microsoft will automatically refund your bank account.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the
statement is incorrect, select the answer choice that makes the statement correct.
A. No change is needed.
B. automatically migrate the resource to another subscription
C. automatically credit your account
D. send you a coupon code that you can redeem for Azure credits
Correct Answer: C
Section: Understand Azure Pricing and Support
Explanation:
If the SLA for an Azure service is not met, you receive credits for that service and that service only. The credits
are deducted from your monthly bill for that service. If you stopped using the service where the SLA was not
met, your account would remain in credit for that service. The credits would not be applied to any other
services that you may be using.
Service Credits apply only to fees paid for the particular Service, Service Resource, or Service tier for which a
Service Level has not been met. In cases where Service Levels apply to individual Service Resources or to
separate Service tiers, Service Credits apply only to fees paid for the affected Service Resource or Service tier,
as applicable. The Service Credits awarded in any billing month for a particular Service or Service Resource will
not, under any circumstance, exceed your monthly service fees for that Service or Service Resource, as
applicable, in the billing month.
References:
https://azure.microsoft.com/en-gb/support/legal/sla/analysis-services/v1_0/
QUESTION 149
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Azure Pricing and Support
Explanation:
Public Preview means that the service is in public beta and can be tried out by anyone with an Azure
subscription. Services in public preview are often offered at a discounted price.
Box 1: No
Services in private preview can be viewed in the regular Azure portal. However, you need to be signed up for
the feature in private preview before you can view it. Access to private preview features is usually by invitation
only.
Box 2: Yes
You can use services in public preview in production environments. However, you should be aware that the
service may have faults, is not subject to an SLA and may be withdrawn without notice.
Box 3: No
Public previews are excluded from SLAs and in some cases, no support is offered.
References:
https://www.neowin.net/news/several-more-azure-services-now-available-in-private-public-preview/
QUESTION 150
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: Understand Azure Pricing and Support
Explanation:
Box 1: No
An Azure free account comes with a ‘basic’ support plan, not a ‘standard’ support plan.
Box 2: Yes
You can purchase the Professional Direct, Standard, and Developer support plans with the Microsoft Customer
Agreement. You can also purchase the Professional and Standard support plans with the Enterprise
Agreement.
Box 3: No
Users with any type of Azure subscription (pay-as-you-go, Enterprise Agreement, Microsoft Customer
Agreement etc.) can get support from the MSDN forums.
References:
https://azure.microsoft.com/en-us/support/plans/