NEW QUESTION 1

You have an Azure Kubernetes Service (AKS) cluster named Clus1 in a resource group named RG1. An administrator plans to manage Clus1 from an Azure AD-joined device.
You need to ensure that the administrator can deploy the YAML application manifest file for a container application.
You install the Azure CLI on the device. Which command should you run next?

• A. kubectl get nodes
• B. az aks install-cli
• C. kubectl apply –f app1.yaml
• D. az aks get-credentials --resource-group RG1 --name Clus1

Answer: C

Explanation:
kubectl apply –f appl.yaml applies a configuration change to a resource from a file or stdin. References:
https://kubernetes.io/docs/reference/kubectl/overview/ https://docs.microsoft.com/en-us/cli/azure/aks

NEW QUESTION 2

You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table.

You need to ensure that all critical and security updates are applied to each virtual machine every month. What is the minimum number of update deployments you should create?

• A. 4
• B. 6
• C. 1
• D. 2

Answer: A

NEW QUESTION 3

Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server 2021. Server1 is a container host. You are creating a Dockerfile to build a container image.
You need to add a file named File1.txt from Server1 to a folder named C:Folder1 in the container image. Solution: You add the following line to the Dockerfile.
ADD File1.txt C:/Folder1/
You then build the container image. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
Copy is the correct command to copy a file to the container image. The ADD command can also be used. However, the root directory is specified as '/' and not as 'C:/'.
Reference:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy https://docs.docker.com/engine/reference/builder/

NEW QUESTION 4

You have a virtual network named VNet1 as shown in the exhibit.

No devices are connected to VNet1.
You plan to peer VNet1 to another virtual network named Vnet2 in the same region. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering. What should you do first?

• A. Modify the address space of VNet1.
• B. Configure a service endpoint on VNet2
• C. Add a gateway subnet to VNet1.
• D. Create a subnet on VNet1 and VNet2.

Answer: A

Explanation:
The virtual networks you peer must have non-overlapping IP address spaces. References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-cons

NEW QUESTION 5

You network contains an Active Directory domain named adatum.com and an Azure Active Directory (Azure AD) tenant named adatum.onmicrosoft.com.
Adatum.com contains the user accounts in the following table.

Adatum.onmicrosoft.com contains the user accounts in the following table.

You need to implement Azure AD Connect. The solution must follow the principle of least privilege. Which user accounts should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: User5
In Express settings, the installation wizard asks for the following: AD DS Enterprise Administrator credentials
Azure AD Global Administrator credentials
The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These credentials are only used during the installation and are not used after the installation has completed. The Enterprise Admin, not the Domain Admin should make sure the permissions in Active Directory can be set in all domains. Box 2: UserA
Azure AD Global Admin credentials are only used during the installation and are not used after the installation has completed. It is used to create the Azure AD Connector account used for synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissio

NEW QUESTION 6

You have an Azure Resource Manager template named Template1 in the library as shown in the following
exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax

NEW QUESTION 7

You need to implement a backup solution for App1 after the application is moved. What should you create first?

• A. a recovery plan
• B. an Azure Backup Server
• C. a backup policy
• D. a Recovery Services vault

Answer: D

Explanation:
A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
Scenario:
There are three application tiers, each with five virtual machines. Move all the virtual machines for App1 to Azure.
Ensure that all the virtual machines for App1 are protected by backups.
References: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

NEW QUESTION 8

An administrator plans to create a function app in Azure that will have the following settings:
Runtime stack: .NET Core
Operating System: Linux
Plan type: Consumption
Enable Application Insights: Yes
You need to ensure that you can back up the function app.
Which settings should you recommend changing before creating the function app? D18912E1457D5D1DDCBD40AB3BF70D5D

• A. Runtime stack
• B. Enable Application Insights
• C. Operating System
• D. Plan type

Answer: D

Explanation:
The Backup and Restore feature requires the App Service plan to be in the Standard, Premium or Isolated tier. Reference:
https://docs.microsoft.com/en-us/azure/app-service/manage-backup#requirements-and-restrictions

NEW QUESTION 9

You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2021 Datacenter image. You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

• A. Create a new virtual machine scale set in the Azure portal.
• B. Create an automation account.
• C. Upload a configuration script.
• D. Modify the extensionProfile section of the Azure Resource Manager template.
• E. Create an Azure policy.

Answer: AD

Explanation:
References:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template

NEW QUESTION 10

You have an Azure virtual machine named VM1 and an Azure Active Directory (Azure AD) tenant named adatum.com.
D18912E1457D5D1DDCBD40AB3BF70D5D
VM1 has the following settings:
IP address: 10.10.0.10
System-assigned managed identity: On
You need to create a script that will run from within VM1 to retrieve the authentication token of VM1. Which address should you use in the script?

• A. vm1.adatum.com.onmicrosoft.com
• B. 169.254.169.254
• C. 10.10.0.10
• D. vm1.adatum.com

Answer: B

Explanation:
Your code that's
running on the VM can request a token from the Azure Instance Metadata Service identity endpoint, accessible only from within the VM: http://169.254.169.254/metadata/identity/oauth2/token
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

NEW QUESTION 11

You have 10 Azure virtual machines on a subnet named Subnet1. Subnet1 is on a virtual network named VNet1.
You plan to deploy a public Azure Standard Load Balancer named LB1 to the same Azure region as the 10 virtual machines.
You need to ensure that traffic from all the virtual machines to the internet flows through LB1. The solution must prevent the virtual machines from being accessible on the internet.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Add health probes to LB1.
• B. Add the network interfaces of the virtual machines to the backend pool of LB1.
• C. Add an inbound rule to LB1.
• D. Add an outbound rule to LB1.
• E. Associate a network security group (NSG) to Subnet1.
• F. Associate a user-defined route to Subnet1.

Answer: ABD

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-manage-portal2

NEW QUESTION 12

You have an Azure logic app named App1 and an Azure Service Bus queue named Queue1.
You need to ensure that App1 can read messages from Queue1. App1 must authenticate by using Azure Active Directory (Azure AD).
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
On App1: Turn on the managed identity
To use Service Bus with managed identities, you need to assign the identity the role and the appropriate scope. The procedure in this section uses a simple application that runs under a managed identity and accesses Service Bus resources.
Once the application is created, follow these steps:
Go to Settings and select Identity.
Select the Status to be On.
Select Save to save the setting.
On Queue1: Configure Access Control (IAM)
Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Service Bus defines a set of built-in RBAC roles that encompass common sets of permissions used to access Service Bus entities and you can also define custom roles for accessing the data.
Assign RBAC roles using the Azure portal
In the Azure portal, navigate to your Service Bus namespace. Select Access Control (IAM) on the left menu to display access control settings for the namespace. If you need to create a Service Bus namespace.
Select the Role assignments tab to see the list of role assignments. Select the Add button on the toolbar and then select Add role assignment.
Reference:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/authenticate-application https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-managed-service-identity

NEW QUESTION 13

You are developing an Azure Web App. You configure TLS mutual authentication for the web app.
You need to validate the client certificate in the web app. To answer, select the appropriate options in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 14

You create the Azure resources shown in the following table.

You attempt to add a role assignment to a resource group as shown in the following exhibit.


What should you do to ensure that you can assign VM2 the Reader role for the resource group?

• A. Modify the Reader role at the subscription level.
• B. Configure just in time (JIT) VM access on VM2.
• C. Configure Access control (IAM) on VM2.
• D. Assign a managed identity to VM2.

Answer: D

NEW QUESTION 15

Your company plans to develop an application that will use a NoSQL database. The database will be used to store transactions and customer information by using JSON documents. Which two Azure Cosmos DB APIs can developers use for the application? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

• A. Cassandra
• B. Gremlin (graph)
• C. MongoDB
• D. Azure Table
• E. Core (SQL)

Answer: DE

NEW QUESTION 16

You play to deploy an Azure virtual machine named VM1 by using an Azure Resource Manager template. You need to complete the template.
What should you include in the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Within your template, the dependsOn element enables you to define one resource as a dependent on one or more resources. Its value can be a comma-separated list of resource names.
Box 1: 'Microsoft.Network/networkInterfaces'
This resource is a virtual machine. It depends on two other resources: Microsoft.Storage/storageAccounts Microsoft.Network/networkInterfaces
Box 2: 'Microsoft.Network/virtualNetworks/'
The dependsOn element enables you to define one resource as a dependent on one or more resources. The resource depends on two other resources: Microsoft.Network/publicIPAddresses Microsoft.Network/virtualNetworks

References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-create-templates-with

NEW QUESTION 17

Your network contains an on-premises Active Directory domain named contoso.com that contains a user named User1. The domain syncs to Azure Active Directory (Azure AD). You have the Windows 10 devices shown in the following table.

The User Sign-In settings are configured as shown in the following exhibit.


For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 18

You have several Azure virtual machines on a virtual network named VNet1. You configure an Azure Storage account as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: Never
Box 2: Never
After you configure firewall and virtual network settings for your storage account, select Allow trusted Microsoft services to access this storage account as an exception to enable Azure Backup service to access the network restricted storage account.

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows https://azure.microsoft.com/en-us/blog/azure-backup-now-supports-storage-accounts-secured-with-azure-storage

NEW QUESTION 19

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You add the users in the following table.

Which user can perform each configuration? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: User1 and User3 only.
The Owner Role lets you manage everything, including access to resources.
The Network Contributor role lets you manage networks, but not access to them. Box 2: User1
The Security Admin role: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

NEW QUESTION 20

You have an Azure key vault named KV1.
You need to ensure that applications can use KV1 to provision certificates automatically from an external
certification authority (CA).
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. From KV1, create a certificate issuer resource.
• B. Obtain the CA account credentials.
• C. Obtain the root CA certificate.
• D. From KV1, create a certificate signing request (CSR).
• E. From KV1, create a private key,

Answer: CD

Explanation:
C: Obtain the root CA certificate (step 4 in the picture below)
D: From KV1, create a certificate signing request (CSR) (step 2 in the picture below) Note:
Creating a certificate with a CA not partnered with Key Vault
This method allows working with other CAs than Key Vault's partnered providers, meaning your organization can work with a CA of its choice.

The following step descriptions correspond to the green lettered steps in the preceding diagram.
In the diagram above, your application is creating a certificate, which internally begins by creating a key in your key vault.
Key Vault returns to your application a Certificate Signing Request (CSR).
Your application passes the CSR to your chosen CA.
Your chosen CA responds with an X509 Certificate.
Your application completes the new certificate creation with a merger of the X509 Certificate from your CA.
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios

NEW QUESTION 21

You create a container image named Image1 on a developer workstation.
You plan to create an Azure Web App for Containers named WebAppContainer that will use Image1. You need to upload Image1 to Azure. The solution must ensure that WebAppContainer can use Image1. To which storage type should you upload Image1?

• A. Azure Container Registry
• B. an Azure Storage account that contains a blob container
• C. an Azure Storage account that contains a file share
• D. Azure Container Instances

Answer: A

Explanation:
Configure registry credentials in web app.
App Service needs information about your registry and image to pull the private image. In the Azure portal, go to Container settings from the web app and update the Image source, Registry and save.
References:
https://docs.microsoft.com/en-us/azure/devops/pipelines/targets/webapp-on-container-linux

NEW QUESTION 22

A company runs multiple Windows virtual machines (VMs) in Azure.
The IT operations department wants to apply the same policies as they have for on-premises VMs to the VMs running in Azure, including domain administrator permissions and schema extensions.
You need to recommend a solution for the hybrid scenario that minimizes the amount of maintenance required. What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: Join the VMs to a new domain controller VM in Azure
Azure provides two solutions for implementing directory and identity services in Azure:
(Used in this scenario) Extend your existing on-premises Active Directory infrastructure to Azure, by deploying a VM in Azure that runs AD DS as a Domain Controller. This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.
Box 2: Set up VPN connectivity.
This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
References:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/

NEW QUESTION 23
......