AZ-301 Exam Content Was Updated On 12/4/2019

1. Testlet 1

Case study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirement, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment

Payment Processing System

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET. The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

– Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

– Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

– Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

– Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

– Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

– Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office. The data in the table storage is 50 GB and is not expected to increase.

Current Issues

The Contoso IT team discovers poor performance of the historical transaction query system, at the queries frequently cause table scans.

Requirements

Planned Changes

Contoso plans to implement the following changes:

– Migrate the payment processing system to Azure.

– Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements

Contoso identifies the following general migration requirements:

– Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

– Whenever possible, Azure managed services must be used to minimize management overhead.

– Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

– If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

– Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

– Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

– Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

– Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

– Ensure that the payment processing system preserves its current compliance status.

– Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

– Minimize the use of on-premises infrastructure services.

– Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

– Minimize the frequency of table scans.

– If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. legitimate users must be able to authenticate successfully by using multi-factor authentication.

You need to recommend a solution for the collection of security logs for the middle tier of the payment processing system.

What should you include in the recommendation?

2. Question Set 2

HOTSPOT

You deploy several Azure SQL Database instances. You plan to configure the Diagnostics settings on the databases as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

3. Your company uses Microsoft System Center Service Manager on its on-premises network.

You plan to deploy several services to Azure.

You need to recommend a solution to push Azure service health alerts to Service Manager.

What should you include in the recommendation?

4. You have an on-premises Hyper-V cluster. The cluster contains Hyper-V hosts that run Windows Server 2016 Datacenter. The hosts are licensed under a Microsoft Enterprise Agreement that has Software Assurance.

The Hyper-V cluster hosts 30 virtual machines that run Windows Server 2012 R2. Each virtual machine runs a different workload. The workloads have predictable consumption patterns.

You plan to replace the virtual machines with Azure virtual machines that run Windows Server 2016. The virtual machines will be sized according to the consumption pattern of each workload.

You need to recommend a solution to minimize the compute costs of the Azure virtual machines.

Which two recommendations should you include in the solution? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

5. You have an on-premises Active Directory forest and an Azure Active Directory (Azure AD) tenant. All Azure AD users are assigned a Premium P1 license.

You deploy Azure AD Connect.

Which two features are available in this environment that can reduce operational overhead for your company’s help desk? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

6. You are planning the implementation of an order processing web service that will contain microservices hosted in an Azure Service Fabric cluster.

You need to recommend a solution to provide developers with the ability to proactively identify and fix performance issues. The developers must be able to simulate user connections to the order processing web service from the Internet, as well as simulate user transactions. The developers must be notified if the goals for the transaction response times are not met.

What should you include in the recommendation?

7. You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager resource deployments in your subscription.

What should you include in the recommendation?

8. HOTSPOT

You have an Azure App Service Web App that includes Azure Blob storage and an Azure SQL Database instance. The application is instrumented by using the Application Insights SDK.

You need to design a monitoring solution for the web app.

Which Azure monitoring services should you use? To answer, select the appropriate Azure monitoring services in the answer area.

NOTE: Each correct selection is worth one point.

9. DRAG DROP

You have an Azure Active Directory (Azure AD) tenant. All user accounts are synchronized from an on-premises Active Directory domain and are configured for federated authentication. Active Directory Federation Services (AD FS) servers are published for external connections by using a farm of Web Application Proxy servers.

You need to recommend a solution to monitor the servers that integrate with Azure AD.

The solution must meet the following requirements:

– Identify any AD FS issues and their potential resolutions.

– Identify any directory synchronization configuration issues and their potential resolutions

– Notify administrators when there are any issues affecting directory synchronization or AD FS operations.

Which monitoring solution should you recommend for each server type? To answer, drag the appropriate monitoring solutions to the correct server types. Each monitoring solution may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

10. You plan to deploy 200 Microsoft SQL Server databases to Azure by using Azure SQL Database and Azure SQL Database Managed Instance.

You need to recommend a monitoring solution that provides a consistent monitoring approach for all deployments.

The solution must meet the following requirements:

– Support current-state analysis based on metrics collected near real-time, multiple times per minute, and maintained for up to one hour

– Support longer term analysis based on metrics collected multiple times per hour and maintained for up to two weeks.

– Support monitoring of the number of concurrent logins and concurrent sessions.

What should you include in the recommendation?

11. DRAG DROP

You plan to move several apps that handle critical line-of-business (LOB) services to Azure. Appropriate personnel must be notified if any critical resources become degraded or unavailable. You need to design a monitoring and notification strategy that can handle up to 100 notifications per hour.

Which three actions should you recommend be performed in sequence? To answer, move the appropriate

actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

12. DRAG DROP

You manage a solution in Azure.

The solution is performing poorly.

You need to recommend tools to determine causes for the performance issues.

What should you recommend? To answer, drag the appropriate monitoring solutions to the correct scenarios. Each monitoring solution may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

13. DRAG DROP

You have standard Load balancer configured to support three virtual machines on the same subnet. You need to recommend a solution to notify administrators when the load balancer fails.

Which metrics should you recommend using to test the load balancer? To answer, drag the appropriate metrics to the correct conditions. Each metric may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

14. Testlet 1

Case study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirement, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment

Payment Processing System

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET. The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

– Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

– Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

– Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

– Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

– Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

– Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office. The data in the table storage is 50 GB and is not expected to increase.

Current Issues

The Contoso IT team discovers poor performance of the historical transaction query system, at the queries frequently cause table scans.

Requirements

Planned Changes

Contoso plans to implement the following changes:

– Migrate the payment processing system to Azure.

– Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements

Contoso identifies the following general migration requirements:

– Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

– Whenever possible, Azure managed services must be used to minimize management overhead.

– Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

– If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

– Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

– Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

– Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

– Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

– Ensure that the payment processing system preserves its current compliance status.

– Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

– Minimize the use of on-premises infrastructure services.

– Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

– Minimize the frequency of table scans.

– If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. legitimate users must be able to authenticate successfully by using multi-factor authentication.

HOTSPOT

You need to recommend a solution for configuring the Azure Multi-Factor Authentication (MFA) settings.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

15. HOTSPOT

You need to design a solution for securing access to the historical transaction data.

What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

16. HOTSPOT

You need to recommend a solution for the users at Contoso to authenticate to the cloud-based services and the Azure AD-integrated applications.

What should you include in the recommendation? To answer, select the appropriate options in the answer

area. NOTE: Each correct selection is worth one point.

17. Testlet 2

Case study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirement, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

Fabrikam, Inc. is an engineering company that has offices throughout Europe. The company has a main office in London and three branch offices in Amsterdam, Berlin, and Rome.

Existing Environment

Active Directory Environment

The network contains two Active Directory forests named corp.fabrikam.com and rd.fabrikam.com. There are no trust relationships between the forests.

Corp.fabrikam.com is a production forest that contains identities used for internal user and computer authentication.

Rd.fabrikam.com is used by the research and development (R&D) department only.

Network Infrastructure

Each office contains at least one domain controller from the corp.fabrikam.com domain. The main office contains all the domain controllers for the rd.fabrikam.com forest.

All the offices have a high-speed connection to the Internet.

An existing application named WebApp1 is hosted in the data center of the London office. WebApp1 is used by customers to place and track orders.

WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS) and a database tier that runs Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual machines that run on Hyper-V.

The IT department currently uses a separate Hyper-V environment to test updates to WebApp1.

Fabrikam purchases all Microsoft licenses through a Microsoft Enterprise Agreement that includes Software Assurance.

Problem Statements

The use of Web App1 is unpredictable. At peak times, users often report delays. At other times, many resources for WebApp1 are underutilized.

Requirements

Planned Changes

Fabrikam plans to move most of its production workloads to Azure during the next few years.

As one of its first projects, the company plans to establish a hybrid identity model, facilitating an upcoming Microsoft Office 365 deployment.

All R&D operations will remain on-premises.

Fabrikam plans to migrate the production and test instances of WebApp1 to Azure.

Technical Requirements

Fabrikam identifies the following technical requirements:

– Web site content must be easily updated from a single point.

– User input must be minimized when provisioning new app instances.

– Whenever possible, existing on-premises licenses must be used to reduce cost.

– Users must always authenticate by using their corp.fabrikam.com UPN identity.

– Any new deployments to Azure must be redundant in case an Azure region fails.

– Whenever possible, solutions must be deployed to Azure by using platform as a service (PaaS).

– An email distribution group named IT Support must be notified of any issues relating to the directory synchronization services.

– Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected by a link failure between Azure and the on-premises network.

Database Requirements

Fabrikam identifies the following database requirements:

– Database metrics for the production instance of WebApp1 must be available for analysis so that database administrators can optimize the performance settings.

– To avoid disrupting customer access, database downtime must be minimized when databases are migrated.

– Database backups must be retained for a minimum of seven years to meet compliance requirements.

Security Requirements

Fabrikam identifies the following security requirements:

– Company information including policies, templates, and data must be inaccessible to anyone outside the company.

– Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails.

– Administrators must be able authenticate to the Azure portal by using their corp.fabrikam.com credentials.

– All administrative access to the Azure portal must be secured by using multi-factor authentication.

– The testing of WebApp1 updates must not be visible to anyone outside the company.

What should you include in the identity management strategy to support the planned changes?

18. HOTSPOT

To meet the authentication requirements of Fabrikam, what should you include in the solution? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

19. Question Set 3

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

– The members of App2Dev must be prevented from changing the role assignments in Azure.

– The members of App2Dev must be able to create new Azure resources required by Application2.

– All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: Create a new Azure subscription named Project2. Assign Project1admins the Owner role for the Project2 subscription. Assign App2Dev the Contributor role for the Project2 subscription.

Does this meet the goal?

20. Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

– The members of App2Dev must be prevented from changing the role assignments in Azure.

– The members of App2Dev must be able to create new Azure resources required by Application2.

– All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: Create a new Azure subscription named Project2. Assign Project1admins the User Access Administrator role for the Project2 subscription. Assign App2Dev the Owner role for the Project2 subscription.

Does this meet the goal?

21. Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

– The members of App2Dev must be prevented from changing the role assignments in Azure.

– The members of App2Dev must be able to create new Azure resources required by Application2.

– All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: In Project1, create a resource group named Application2RG. Assign Project1admins the Owner role for Application2RG. Assign App2Dev the Contributor role for Application2RG.

Does this meet the goal?

22. Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains a resource group named RG1. You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers. You need to recommend a solution that meets the following requirements:

– The researchers must be allowed to create Azure virtual machines.

– The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.

Solution: Create a lab in Azure DevTest Lab. Configure the DevTest Labs settings. Assign the DevTest Labs User role to the ResearchUsers group.

Does this meet the goal?

23. Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains a resource group named RG1. You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers. You need to recommend a solution that meets the following requirements:

– The researchers must be allowed to create Azure virtual machines.

– The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.

Solution: Create an Azure DevOps Project. Configure the DevOps Project settings.

Does this meet the goal?

24. Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains a resource group named RG1. You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers. You need to recommend a solution that meets the following requirements:

– The researchers must be allowed to create Azure virtual machines.

– The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.

Solution: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.

Does this meet the goal?

25. A company named Contoso Ltd., has a single-domain Active Directory forest named contoso.com.

Contoso is preparing to migrate all workloads to Azure. Contoso wants users to use single sign-on (SSO) when they access cloud-based services that integrate with Azure Active Directory (Azure AD). You need to identify any objects in Active Directory that will fail to synchronize to Azure AD due to

formatting issues. The solution must minimize costs.

What should you include in the solution?

26. HOTSPOT

Your company has an API that returns XML data to internal applications. You plan to migrate the applications to Azure. You also plan to allow the company’s partners to access the API.

You need to recommend an API management solution that meets the following requirements:

– Internal applications must receive data in the JSON format once the applications migrate to Azure.

– Partner applications must have their header information stripped before the applications receive the data.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

27. You have an Azure subscription. You need to recommend a solution to provide developers with the ability to provision Azure virtual machines.

The solution must meet the following requirements:

– Only allow the creation of the virtual machines in specific regions.

– Only allow the creation of specific sizes of virtual machines.

What should include in the recommendation?

28. HOTSPOT

Your company has 20 web APIs that were developed in-house.

The company is developing 10 web apps that will use the web APIs. The web apps and the APIs are registered in the company’s Azure Active Directory (Azure AD) tenant. The web APIs are published by using Azure API Management.

You need to recommend a solution to block unauthorized requests originating from the web apps from reaching the web APIs.

The solution must meet the following requirements:

– Use Azure AD-generated claims.

– Minimize configuration and management effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

29. HOTSPOT

You are designing an access policy for the sales department at your company. Occasionally, the developers at the company must stop, start, and restart Azure virtual machines. The development team changes often. You need to recommend a solution to provide the developers with the required access to the virtual machines.

The solution must meet the following requirements:

– Provide permissions only when needed.

– Use the principle of least privilege.

– Minimize costs.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

30. Your network contains an on-premises Active Directory forest.

You discover that when users change jobs within your company, the membership of the user groups are not being updated. As a result, the users can access resources that are no longer relevant to their job. You plan to integrate Active Directory and Azure Active Directory (Azure AD) by using Azure AD Connect. You need to recommend a solution to ensure that group owners are emailed monthly about the group

memberships they manage.

What should you include in the recommendation?

31. HOTSPOT

You are designing a software as a service (SaaS) application that will enable Azure Active Directory (Azure AD) users to create and publish surveys. The SaaS application will have a front-end web app and a back-end web API. The web app will rely on the web API to handle updates to customer surveys.

You need to design an authorization flow for the SaaS application.

The solution must meet the following requirements:

– To access the back-end web API, the web app must authenticate by using OAuth 2 bearer tokens.

– The web app must authenticate by using the identities of individual users.

What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

32. HOTSPOT

You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity.

The solution must meet the following requirements:

– Ensure that the applications can authenticate only when running on the 10 virtual machines.

– Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

33. A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft Office 365 and an Azure subscription.

Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), Azure AD Connect, and Microsoft Identity Manager (MIM).

Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.

A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.

You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.

What should you recommend?

34. You have a hybrid deployment of Azure Active Directory (Azure AD).

You need to recommend a solution to ensure that the Azure AD tenant can be managed only from the computers on your on-premises network.

What should you include in the recommendation?

35. You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains two administrative user accounts named Admin1 and Admin2.

You create two Azure virtual machines named VM1 and VM2.

You need to ensure that Admin1 and Admin2 are notified when more than five events are added to the security log of VM1 or VM2 during a period of 120 seconds. The solution must minimize administrative tasks.

What should you create?

36. You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains several administrative user accounts.

You need to recommend a solution to identify which administrative user accounts have NOT signed in during the previous 30 days.

Which service should you include in the recommendation?

37. HOTSPOT

Your organization has developed and deployed several Azure App Service Web and API applications. The applications use Azure Key Vault to store several authentication, storage account, and data encryption keys.

Several departments have the following requests to support the applications:

You need to recommend the appropriate Azure service for each department request.

What should you recommend? To answer, configure the appropriate options in the dialog box in the answer area. NOTE: Each correct selection is worth one point.

38. You manage a single-domain, on-premises Active Directory forest named contoso.com. The forest functional level is Windows Server 2016. You have several on-premises applications that depend on Active Directory. You plan to migrate the applications to Azure. You need to recommend an identity solution for the applications.

The solution must meet the following requirements:

– Eliminate the need for hybrid network connectivity.

– Minimize management overhead for Active Directory.

What should you recommend?

39. Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

– The members of App2Dev must be prevented from changing the role assignments in Azure.

– The members of App2Dev must be able to create new Azure resources required by Application2.

– All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: In Project1, create a network security group (NSG) named NSG1. Assign Project1admins the Owner role for NSG1. Assign the App2Dev the Contributor role for NSG1.

Does this meet the goal?

40. HOTSPOT

You manage a network that includes an on-premises Active Directory Domain Services domain and an Azure Active Directory (Azure AD).

Employees are required to use different accounts when using on-premises or cloud resources. You must recommend a solution that lets employees sign in to all company resources by using a single account. The solution must implement an identity provider.

You need provide guidance on the different identity providers.

How should you describe each identity provider? To answer, select the appropriate description from each list in the answer area. NOTE: Each correct selection is worth one point.