NEW QUESTION 1
You need to meet the technical requirement for VM4. What should you create and configure?

• A. an Azure Notification Hub
• B. an Azure Event Hub
• C. an Azure Logic App
• D. an Azure services Bus

Answer: B

Explanation:
Scenario: Create a workflow to send an email message when the settings of VM4 are modified.
You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.
References:
https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic- app

NEW QUESTION 2
HOTSPOT
You need to prepare the environment to implement the planned changes for Server2.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: Create a Recovery Services vault
Create a Recovery Services vault on the Azure Portal. Box 2: Install the Azure Site Recovery Provider
Azure Site Recovery can be used to manage migration of on-premises machines to Azure. Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Server2 has the Hyper-V host role. References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure
Case Study: 5
Mix Questions Set C (Evaluate and perform server migration to Azure)

NEW QUESTION 3
Note This question is part of a series of questions that present the same seer Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Performance Monitor, you create a Data Collector Set (DCS) Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
You should use Azure Network Watcher. References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

NEW QUESTION 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to these questions will not appear m the review screen.
You manage a virtual network named VNetl1 that is hosted in the West US Azure region.
VNetl1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture. Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation:
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.
Capture packets to and from a VM
Advanced filtering options and fine-tuned controls, such as the ability to set time and size limitations, provide versatility. The capture can be stored in Azure Storage, on the VM's disk, or both. You can then analyze the capture file using several standard network capture analysis tools.
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactivity.
References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

NEW QUESTION 5
HOTSPOT
You plan to create a new Azure Active Directory (Azure AD) role.
You need to ensure that the new role can view all the resources in the Azure subscription and issue support requests to Microsoft. The solution must use the principle of least privilege.
How should you complete the JSON definition? To answer, select the appropriate options in the answer are
a.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: "*/read",
*/read lets you view everything, but not make any changes. Box 2: " Microsoft.Support/*"
The action Microsoft.Support/* enables creating and management of support tickets. References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

NEW QUESTION 6
You need to create a web app named corp7509086n2 that can be scaled horizontally. The solution must use the lowest possible pricing tier for the App Service plan.
What should you do from the Azure portal?

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Step 1:
In the Azure Portal, click Create a resource > Web + Mobile > Web App. Step 2:
Use the Webb app settings as listed below. Web App name: corp7509086n2
Hosting plan: Azure App Service plan Pricing tier of the Pricing Tier: Standard
Change your hosting plan to Standard, you can't setup auto-scaling below standard tier.
Step 3:
Select Create to provision and deploy the Web app.
References:
https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-web-how-to-create-a- web-app-in-an-ase
https://azure.microsoft.com/en-us/pricing/details/app-service/plans/

NEW QUESTION 7
You plan to grant the member of a new Azure AD group named crop 75099086 the right to delegate administrative access to any resource in the resource group named 7509086.
You need to create the Azure AD group and then to assign the correct to e to the group. The solution must use the principle of least privilege and minimize the number of role assignments.
What should you do from the Azure portal?

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Step 1:
Click Resource groups from the menu of services to access the Resource Groups blade

Step 2:
Click Add (+) to create a new resource group. The Create Resource Group blade appears. Enter corp7509086 as the Resource group name, and click the Create button.

Step 3:
Select Create.
Your group is created and ready for you to add members. Now we need to assign a role to this resource group scope. Step 4:
Choose the newly created Resource group, and Access control (IAM) to see the current list of role assignments at the resource group scope. Click +Add to open the Add permissions pane.

Step 5:
In the Role drop-down list, select a role Delegate administration, and select Assign access to: resource group corp7509086

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal https://www.juniper.net/documentation/en_US/vsrx/topics/task/multi-task/security-vsrx-azure- marketplace-resource-group.html
Case Study: 8
Mix Questions Set E (Security Identities)

NEW QUESTION 8
HOTSPOT
You have an Azure subscription named Subscription1 that contains the resources in the following table.

VM1 and VM2 run the websites in the following table.

AppGW1 has the backend pools in the following table.

DNS resolves site1.contoso.com, site2.contoso.com, and site3.contoso.com to the IP address of
AppGW1.
AppGW1 has the listeners in the following table.

AppGW1 has the rules in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Vm1 is in Pool1. Rule2 applies to Pool1, Listener 2, and site2.contoso.com

NEW QUESTION 9
You are the global administrator for an Azure Active Directory (Azure AD) tenet named adatum.com. You need to enable two-step verification for Azure users.
What should you do?

• A. Create a sign-in risk policy in Azure AD Identity Protection
• B. Enable Azure AD Privileged Identity Management.
• C. Create and configure the Identity Hub.
• D. Configure a security policy in Azure Security Center.

Answer: A

Explanation:
With Azure Active Directory Identity Protection, you can:
require users to register for multi-factor authentication
handle risky sign-ins and compromised users References:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/flows

NEW QUESTION 10
A web developer creates a web application that you plan to deploy as an Azure web app.
Users must enter credentials to access the web application.
You create a new web app named WebAppl1 and deploy the web application to WebApp1.
You need to disable anonymous access to WebApp1. What should you configure?

• A. Advanced Tools
• B. Authentication/ Authorization
• C. Access control (IAM)
• D. Deployment credentials

Answer: B

Explanation:
Anonymous access is an authentication method. It allows users to establish an anonymous connection.
References:
https://docs.microsoft.com/en-us/biztalk/core/guidelines-for-resolving-iis-permissions-problems

NEW QUESTION 11
HOTSPOT
You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet.
You need to create a site-to-site VPN. The solution must ensure that is a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.
What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: 4
Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET. The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.

Box 2: 2
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.
Box 3: 2
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

NEW QUESTION 12
You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to user on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accesses by the Internet users.
What should you do?

• A. Modify the address space of the local network gateway.
• B. Remove the public IP addresses from the virtual machines.
• C. Modify the address space of Subnet1.
• D. Create a deny rule in a network security group (NSG) that is linked to Subnet1.

Answer: D

Explanation:
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

NEW QUESTION 13
HOTSPOT
Your company has offices in New York and Los Angeles.
You have an Azure subscription that contains an Azure virtual network named VNet1. Each office has a site-to-site VPN connection to VNet1.
Each network uses the address spaces shown in the following table.

You need to ensure that all Internet-bound traffic from VNet1 is routed through the New York office.
What should you do? To answer, select the appropriate options in the answer are a.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Incorrect Answers:
Not: New-AzureRmVirtualNetworkGatewayConnection
This command creates the Site-to-Site VPN connection between the virtual network gateway and the on-prem VPN device. We already have Site-to-Site VPN connections.
Box 2: 192.168.0.0/20
Specify the VNET1 address. References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.network/set- azurermvirtualnetworkgatewaydefaultsite

NEW QUESTION 14
HOTSPOT
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You add the users in the following table.

Which user can perform each configuration? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: User1 and User3 only.
The Owner Role lets you manage everything, including access to resources.
The Network Contributor role lets you manage networks, but not access to them. Box 2: User1 and User2 only
The Security Admin role: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

NEW QUESTION 15
DRAG DROP
You create an Azure Migrate project named TestMig in a resource group named test-migration.
You need to discover which on-premises virtual machines to assess for migration. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Step 1: Download the OVA file for the collection appliance
Azure Migrate uses an on-premises VM called the collector appliance, to discover information about your on-premises machines. To create the appliance, you download a setup file in Open Virtualization Appliance (.ova) format, and import it as a VM on your on-premises vCenter Server.
Step 2: Create a migration group in the project
For the purposes of assessment, you gather the discovered VMs into groups. For example, you might group VMs that run the same application. For more precise grouping, you can use dependency visualization to view dependencies of a specific machine, or for all machines in a group and refine the
group.
Step 3: Create an assessment in the project
After a group is defined, you create an assessment for it. References:
https://docs.microsoft.com/en-us/azure/migrate/migrate-overview
Case Study: 6
Mix Questions Set D (Implement advanced networking)

NEW QUESTION 16
You plan to deploy a site-to-site VPN connection from on-premises network to your
Azure environment. The VPN connection will be established to the VNET01-USEA2 virtual network.
You need to create the required resources in Azure for the planned site-to-site VPN. The solution must minimize costs.
What should you do from the Azure portal?
NOTE: This task may a very long time to complete. You do NOT need to wait for the deployment to complete this task successfully.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
We create a VPN gateway. Step 1:
On the left side of the portal page, click + and type 'Virtual Network Gateway' in search. In Results, locate and click Virtual network gateway.
Step 2:
At the bottom of the 'Virtual network gateway' page, click Create. This opens the Create virtual network gateway page.
Step 3:
On the Create virtual network gateway page, specify the values for your virtual network gateway. Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
Virtual network: Choose the existing virtual network VNET01-USEA2
Gateway subnet address range: You will only see this setting if you did not previously create a gateway subnet for your virtual network.
Step 4:
Select the default values for the other setting, and click create.

The settings are validated and you'll see the "Deploying Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes.
Note: This task may take a very long time to complete. You do NOT need to wait for the deployment to complete this task successfully.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
Case Study: 4 Contoso Case Study
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Contoso are hosted on-premises.
Contoso creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named contoso.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment
The network contains an Active Directory forest named contoso.com. All domain controllers are configured as DNS servers and host the contoso.com DNS zone.
Contoso has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Contoso.com contains a user named User1.
All the offices connect by using private links.
Contoso has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.

Contoso uses two web applications named App1 and App2. Each instance on each web application requires 1GB of memory.
The Azure subscription contains the resources in the following table.

The network security team implements several network security groups (NSGs).
Planned Changes
Contoso plans to implement the following changes:
• Deploy Azure ExpressRoute to the Montreal office.
• Migrate the virtual machines hosted on Server1 and Server2 to Azure.
• Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
• Migrate App1 and App2 to two Azure web apps named webApp1 and WebApp2.
Technical requirements
Contoso must meet the following technical requirements:
• Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instance*.
• Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
• Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
• Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
• Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com.
• Connect the New Your office to VNet1 over the Internet by using an encrypted connection.
• Create a workflow to send an email message when the settings of VM4 are
modified.
• Cre3te a custom Azure role named Role1 that is based on the Reader role.
• Minimize costs whenever possible.

NEW QUESTION 17
You recently deployed a web app named homepagelod7509087.
You need to back up the code used for the web app and to store the code in the homepagelod7509Q87 storage account. The solution must ensure that a new backup is created daily.
What should you do from the Azure portal?

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Step 1:
Locate and select the web app homepagelod7509087, select Backups. The Backups page is displayed.

Step 2:
In the Backup page, Click Configure. Step 3:
In the Backup Configuration page, click Storage: Not configured to configure a storage account.

Step 4:
Choose your backup destination by selecting a Storage Account and Container. Select the homepagelod7509087 storage account.
Step 5:
In the Backup Configuration page that is still left open, select Scheduled backup On, and configure daily backups.

Step 6:
In the Backup Configuration page, click Save. Step 7:
In the Backups page, click Backup. References:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-backup

NEW QUESTION 18
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
The Logic App Operator role only lets you read, enable and disable logic app. With it you can view the logic app and run history, and enable/disable. Cannot edit or update the definition.
You would need the Logic App Contributor role. References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

NEW QUESTION 19
DRAG DROP
You have an Azure subscription that contains an Azure Service Bus named Bus1.
Your company plans to deploy two Azure web apps named App1 and App2. The web apps will create messages that have the following requirements:
Each message created by App1 must be consumed by only a single consumer
Each message created by App2 will be consumed by multiple consumers.
Which resource should you create for each web app? To answer, drag the appropriate resources to the correct web apps. Each resource may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 20
You plan to move services from your on-premises network to Azure.
You identify several virtual machines that you believe can be hosted in Azure. The virtual machines are shown in the following table.

Which two virtual machines can you access by using Azure migrate? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

• A. Sea-CA0l
• B. Hou-NW01
• C. NYC-FS01
• D. Sea-DC01
• E. BOS-DB01

Answer: CE

NEW QUESTION 21
HOTSPOT
You create an Azure web app named WebApp1. WebApp1 has the autoscale settings shown in the following exhibit.


The scale out and scale in rules are configured to have a duration of 10 minutes and a cool down time of five minutes.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 22
You have an Azure Active Directory (Azure AD) tenant named Tenant1 and an Azure subscription named You enable Azure AD Privileged Identity Management.
You need to secure the members of the Lab Creator role. The solution must ensure that the lab creators request access when they create labs.
What should you do first?

• A. From Azure AD Privileged Identity Management, edit the role settings for Lab Creator.
• B. From Subscription1 edit the members of the Lab Creator role.
• C. From Azure AD Identity Protection, creates a user risk policy.
• D. From Azure AD Privileged Identity Management, discover the Azure resources of Conscription.

Answer: A

Explanation:
As a Privileged Role Administrator you can:
Enable approval for specific roles
Specify approver users and/or groups to approve requests
View request and approval history for all privileged roles References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

NEW QUESTION 23
You have an Azure App Service plan named AdatumASP1 that uses the P2v2 pricing tier. AdatumASP1 hosts Ml Azure web app named adatumwebapp1. You need to delegate the management of adatumwebapp1 to a group named Devs. Devs must be able to perform the following tasks:
• Add deployment slots.
• View the configuration of AdatumASP1.
• Modify the role assignment for adatumwebapp1. Which role should you assign to the Devs group?

• A. Owner
• B. Contributor
• C. Web Plan Contributor
• D. Website Contributor

Answer: B

Explanation:
The Contributor role lets you manage everything except access to resources. Incorrect Answers:
A: The Owner role lets you manage everything, including access to resources.
C: The Web Plan Contributor role lets you manage the web plans for websites, but not access to them.
D: The Website Contributor role lets you manage websites (not web plans), but not access to them. References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

NEW QUESTION 24
......