Question 1

DRAG DROP -
You have an Azure subscription that is used by four departments in your company. The
subscription contains 10 resource groups. Each department uses resources in several
resource groups.
You need to send a report to the finance department. The report must detail the costs
for each department.
Which three actions should you perform in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct
order.
Select and Place:

Answer
:

Box 1: Assign a tag to each resource.

You apply tags to your Azure resources giving metadata to logically organize them into
a taxonomy. After you apply tags, you can retrieve all the resources in your subscription
with that tag name and value. Each resource or resource group can have a maximum of
15 tag name/value pairs. Tags applied to the resource group are not inherited by the
resources in that resource group.
Box 2: From the Cost analysis blade, filter the view by tag
After you get your services running, regularly check how much they're costing you. You
can see the current spend and burn rate in Azure portal.
1. Visit the Subscriptions blade in Azure portal and select a subscription.
You should see the cost breakdown and burn rate in the popup blade.
2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait
24 hours after you add a service for the data to populate.
3. You can filter by different properties like tags, resource group, and timespan. Click
Apply to confirm the filters and Download if you want to export the view to a
Comma-Separated Values (.csv) file.
Box 3: Download the usage report
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-
using-tags https://docs.microsoft.com/en-us/azure/billing/billing-getting-started

Question 2

You have an Azure subscription named Subscription1 that contains an Azure Log
Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?

• A. Get-Event Event | where {$_.EventType == "error"}

• B. search in (Event) "error"
• C. select * from Event where EventType == "error"
• D. search in (Event) * | where EventType -eq "error"

Answer : B

To search a term in a specific table, add the table-name just after the search operator
Note:
There are several versions of this question in the exam. The question has two possible
correct answers:
1. Event | search "error"
2. Event | where EventType == "error"
3. search in (Event) "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye ‫ג‬€"eq "error"}
2. Event | where EventType is "error"
3. search in (Event) * | where EventType ‫ג‬€"eq "error"
4. select * from Event where EventType is "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal
https://docs.microsoft.com/en-us/azure/data-
explorer/kusto/query/searchoperator?pivots=azuredataexplorer

Next Question
Question 3

HOTSPOT -
You have an Azure subscription that contains a virtual network named VNET1 in the
East US 2 region. A network interface named VM1-NI is connected to
VNET1.
You successfully deploy the following Azure Resource Manager template.
For each of the following statements, select Yes if the statement is true. Otherwise,
select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Box 1: Yes -

Box 2: Yes -
VM1 is in Zone1, while VM2 is on Zone2.

Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-
region

Next Question
Question 4

You have an Azure subscription named Subscription1. Subscription1 contains the

resource groups in the following table.
RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?

• A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies
to WebApp1.
• B. The App Service plan for WebApp1 moves to North Europe. Policy2 applies
to WebApp1.
• C. The App Service plan for WebApp1 remains in West Europe. Policy1 applies
to WebApp1.
• D. The App Service plan for WebApp1 moves to North Europe. Policy1 applies
to WebApp1.

Answer : A

You can move an app to another App Service plan, as long as the source plan and the
target plan are in the same resource group and geographical region.
The region in which your app runs is the region of the App Service plan it's in. However,
you cannot change an App Service plan's region.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

Next Question
Question 5

HOTSPOT -
You have an Azure subscription named Subscription1 that has a subscription ID of
c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following
requirements:
✑ Can be assigned only to the resource groups in Subscription1
✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resources within the
resource groups
What should you specify in the assignable scopes and the permission elements of the
definition of CR1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer
:

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-
operations#microsoftresources

Next Question
Question 6

You have an Azure subscription.

Users access the resources in the subscription from either home or from customer sites.
From home, users must establish a point-to-site VPN to access the Azure resources.
The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business-app named App1 that runs on several Azure virtual
machine. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual
machines.
What are two possible Azure services that you can use? Each correct answer presents a
complete solution.
NOTE: Each correct selection is worth one point.
 • A. an internal load balancer
• B. a public load balancer
• C. an Azure Content Delivery Network (CDN)
• D. Traffic Manager
• E. an Azure Application Gateway

Answer : AE

Network traffic from the VPN gateway is routed to the cloud application through an
internal load balancer. The load balancer is located in the front-end subnet of the
application.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-
networking/vpn https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-
overview https://docs.microsoft.com/en-us/azure/application-gateway/overview

Next Question
Question 7

You have an Azure subscription.

You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service
tier changed to a less expensive offering.
Which blade should you use?

• A. Monitor
• B. Advisor
• C. Metrics
• D. Customer insights

Answer : B

Advisor helps you optimize and reduce your overall Azure spend by identifying idle and
underutilized resources. You can get cost recommendations from the Cost tab on the
Advisor dashboard.
Reference:
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

Next Question
Question 8

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor
authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings
in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer :

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-
based-mfa

Next Question
Question 9

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the [email protected] sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and
receives the following error message: `Unable to invite user [email protected] `"
Generic authorization exception.`
You need to ensure that Admin1 can invite the external partner to sign in to the Azure
AD tenant.
What should you do?

• A. From the Users settings blade, modify the External collaboration settings.
• B. From the Custom domain names blade, add a custom domain.
• C. From the Organizational relationships blade, add an identity provider.
• D. From the Roles and administrators blade, assign the Security administrator
role to Admin1.

Answer : A

Reference:
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-
authorization-exception-inviting-Azure-AD-gests/td-p/274742

Next Question
Question 10

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant
includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management
group.
What should you do?

• A. Assign the Owner role for the Azure Subscription to User1, and then modify
the default conditional access policies.
• B. Assign the Owner role for the Azure subscription to User1, and then instruct
User1 to configure access management for Azure resources.
• C. Assign the Global administrator role to User1, and then instruct User1 to
configure access management for Azure resources.
• D. Create a new management group and delegate User1 as the owner of the
new management group.

Answer : B

The following chart shows the list of roles and the supported actions on management
groups.
Note:
Each directory is given a single top-level management group called the "Root"
management group. This root management group is built into the hierarchy to have all
management groups and subscriptions fold up to it. This root management group
allows for global policies and Azure role assignments to be applied at the directory
level. The Azure AD Global Administrator needs to elevate themselves to the User
Access Administrator role of this root group initially. After elevating access, the
administrator can assign any Azure role to other directory users or groups to manage
the hierarchy. As administrator, you can assign your own account as owner of the root
management group.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

Next Question
Question 11

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named adatum.com.
Adatum.com contains the groups in the following table.

You create two user accounts that are configured as shown in the following table.

Of which groups are User1 and User2 members? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer :
Box 1: Group 1 only -

First rule applies -

Box 2: Group1 and Group2 only -

Both membership rules apply.
Reference:
https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-
collections

Next Question
Question 12

HOTSPOT -
You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the
users shown in the following table.

You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the attributes from Azure AD? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer :

Box 1: User1 and User3 only -

You must use Windows Server Active Directory to update the identity, contact info, or
job info for users whose source of authority is Windows Server Active
Directory.

Box 2: User1, User2, and User3 -

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-
directory-users-profile-azure-portal

Next Question
Question 13

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is
assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
Does this meet the goal?

• A. Yes
• B. No
Answer : A

Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope:
owner, contributor, reader, or network contributor.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

Next Question
Question 14

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is
assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?

• A. Yes
• B. No

Answer : A

Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope:
owner, contributor, reader, or network contributor.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

Next Question
Question 15

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is
assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1.
Does this meet the goal?

• A. Yes
• B. No

Answer : A

Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope:
owner, contributor, reader, or network contributor.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

Question 1 ( Question Set 1 )

Your company has serval departments. Each department has a number of virtual
machines (VMs).
The company has an Azure subscription that contains a resource group named RG1.
All VMs are located in RG1.
You want to associate each VM with its respective department.
What should you do?

• A. Create Azure Management Groups for each department.

• B. Create a resource group for each department.
• C. Assign tags to the virtual machines.
• D. Modify the settings of the virtual machines.

Answer : C

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-
tags

Next Question
Question 2 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-up.
However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group
to use Multi-Factor Authentication and an Azure AD-joined device when they connect
to Azure AD from untrusted locations.
Solution: You access the multi-factor authentication page to alter the user settings.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B

Next Question
Question 3 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-up.
However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group
to use Multi-Factor Authentication and an Azure AD-joined device when they connect
to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the session control of the Azure AD
conditional access policy.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B

Next Question
Question 4 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-up.
However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has an Azure Active Directory (Azure AD) subscription.
You want to implement an Azure AD conditional access policy.
The policy must be configured to require members of the Global Administrators group
to use Multi-Factor Authentication and an Azure AD-joined device when they connect
to Azure AD from untrusted locations.
Solution: You access the Azure portal to alter the grant control of the Azure AD
conditional access policy.
Does the solution meet the goal?

• A. Yes
• B. No
Answer : A

Next Question
Question 5 ( Question Set 1 )

You are planning to deploy an Ubuntu Server virtual machine to your company's Azure
subscription.
You are required to implement a custom deployment that includes adding a particular
trusted root certification authority (CA).
Which of the following should you use to create the virtual machine?

• A. The New-AzureRmVm cmdlet.

• B. The New-AzVM cmdlet.
• C. The Create-AzVM cmdlet.
• D. The az vm create command.

Answer : C

Once Cloud-init.txt has been created, you can deploy the VM with az vm create cmdlet,
using the --custom-data parameter to provide the full path to the cloud- init.txt file.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-
deployment

Question 6 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company makes use of Multi-Factor Authentication for when users are not in the
office. The Per Authentication option has been configured as the usage model.
After the acquisition of a smaller business and the addition of the new staff to Azure
Active Directory (Azure AD) obtains a different company and adding the new
employees to Azure Active Directory (Azure AD), you are informed that these
employees should also make use of Multi-Factor Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure portal.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B
Since it is not possible to change the usage model of an existing provider as it is right
now, you have to create a new one and reactivate your existing server with activation
credentials from the new provider.
Reference:
https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-
authentication-server/

Next Question
Question 7 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company's Azure solution makes use of Multi-Factor Authentication for when
users are not in the office. The Per Authentication option has been configured as the
usage model.
After the acquisition of a smaller business and the addition of the new staff to Azure
Active Directory (Azure AD) obtains a different company and adding the new
employees to Azure Active Directory (Azure AD), you are informed that these
employees should also make use of Multi-Factor Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You reconfigure the existing usage model via the Azure CLI.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B

Since it is not possible to change the usage model of an existing provider as it is right
now, you have to create a new one and reactivate your existing server with activation
credentials from the new provider.
Reference:
https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-
authentication-server/

Next Question
Question 8 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company's Azure solution makes use of Multi-Factor Authentication for when
users are not in the office. The Per Authentication option has been configured as the
usage model.
After the acquisition of a smaller business and the addition of the new staff to Azure
Active Directory (Azure AD) obtains a different company and adding the new
employees to Azure Active Directory (Azure AD), you are informed that these
employees should also make use of Multi-Factor Authentication.
To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You create a new Multi-Factor Authentication provider with a backup from the
existing Multi-Factor Authentication provider data.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : A

Since it is not possible to change the usage model of an existing provider as it is right
now, you have to create a new one and reactivate your existing server with activation
credentials from the new provider.
Reference:
https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-
authentication-server/

Next Question
Question 9 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com
that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to
replicate the user information to Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : A

Reference:
https://blog.kloud.com.au/2016/03/08/azure-ad-connect-manual-sync-cycle-with-
powershell-start-adsyncsynccycle/
Next Question
Question 10 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com
that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to
replicate the user information to Azure AD immediately.
Solution: You use Active Directory Sites and Services to force replication of the Global
Catalog on a domain controller.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B

Question 11 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-up.
However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has an Azure Active Directory (Azure AD) tenant named weyland.com
that is configured for hybrid coexistence with the on-premises Active
Directory domain.
You have a server named DirSync1 that is configured as a DirSync server.
You create a new user account in the on-premise Active Directory. You now need to
replicate the user information to Azure AD immediately.
Solution: You restart the NetLogon service on a domain controller.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B

Next Question
Question 12 ( Question Set 1 )

Your company has a Microsoft Azure subscription.

The company has datacenters in Los Angeles and New York.
You are configuring the two datacenters as geo-clustered sites for site resiliency.
You need to recommend an Azure storage redundancy option.
You have the following data storage requirements:
✑ Data must be stored on multiple nodes.
✑ Data must be stored on nodes in separate geographic locations.
✑ Data can be read from the secondary location as well as from the primary location.
Which of the following Azure stored redundancy options should you recommend?

• A. Geo-redundant storage
• B. Read-only geo-redundant storage
• C. Zone-redundant storage
• D. Locally redundant storage

Answer : B

RA-GRS allows you to have higher read availability for your storage account by
providing ‫ג‬€read only‫ג‬€ access to the data replicated to the secondary location. Once
you enable this feature, the secondary location may be used to achieve higher
availability in the event the data is not available in the primary region. This is an
‫ג‬€opt-in‫ג‬€ feature which requires the storage account be geo-replicated.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Next Question
Question 13 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-up.
However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has an azure subscription that includes a storage account, a resource
group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM)
template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Virtual Machine blade.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B

You should use the Resource Group blade

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-
export-template
Next Question
Question 14 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-up.
However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has an azure subscription that includes a storage account, a resource
group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM)
template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Resource Group blade.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : A

To view a template from deployment history:

1. Go to the resource group for your new resource group. Notice that the portal shows
the result of the last deployment. Select this link.

2. You see a history of deployments for the group. In your case, the portal probably lists
only one deployment. Select this deployment.

3. The portal displays a summary of the deployment. The summary includes the status
of the deployment and its operations and the values that you provided for parameters.
To see the template that you used for the deployment, select View template.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-
export-template
Next Question
Question 15 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-up.
However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has an azure subscription that includes a storage account, a resource
group, a blob container and a file share.
A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM)
template to deploy a virtual machine and an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross.
Solution: You access the Container blade.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B

You should use the Resource Group blade

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-
export-template

Next Question

Question 16 ( Question Set 1 )

Your company has three virtual machines (VMs) that are included in an availability set.
You try to resize one of the VMs, which returns an allocation failure message.
It is imperative that the VM is resized.
Which of the following actions should you take?

• A. You should only stop one of the VMs.

• B. You should stop two of the VMs.
• C. You should stop all three VMs.
• D. You should remove the necessary VM from the availability set.

Answer : C

If the VM you wish to resize is part of an availability set, then you must stop all VMs in
the availability set before changing the size of any VM in the availability set.
The reason all VMs in the availability set must be stopped before performing the resize
operation to a size that requires different hardware is that all running VMs in the
availability set must be using the same physical hardware cluster. Therefore, if a change
of physical hardware cluster is required to change the VM size then all VMs must be
first stopped and then restarted one-by-one to a different physical hardware clusters.
Reference:
https://azure.microsoft.com/es-es/blog/resize-virtual-machines/

Next Question
Question 17 ( Question Set 1 )

You have an Azure virtual machine (VM) that has a single data disk. You have been
tasked with attaching this data disk to another Azure VM.
You need to make sure that your strategy allows for the virtual machines to be offline
for the least amount of time possible.
Which of the following is the action you should take FIRST?

• A. Stop the VM that includes the data disk.

• B. Stop the VM that the data disk must be attached to.
• C. Detach the data disk.
• D. Delete the VM that includes the data disk.

Answer : A

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk
https://docs.microsoft.com/en-us/azure/lab-services/devtest-lab-attach-detach-data-disk

Next Question
Question 18 ( Question Set 1 )

Your company has an Azure subscription.

You need to deploy a number of Azure virtual machines (VMs) using Azure Resource
Manager (ARM) templates. You have been informed that the VMs will be included in a
single availability set.
You are required to make sure that the ARM template you configure allows for as many
VMs as possible to remain accessible in the event of fabric failure or maintenance.
Which of the following is the value that you should configure for the
platformFaultDomainCount property?

• A. 10
• B. 30
• C. Min Value
• D. Max Value

Answer : D

The number of fault domains for managed availability sets varies by region - either two
or three per region.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

Next Question
Question 19 ( Question Set 1 )

Your company has an Azure subscription.

You need to deploy a number of Azure virtual machines (VMs) using Azure Resource
Manager (ARM) templates. You have been informed that the VMs will be included in a
single availability set.
You are required to make sure that the ARM template you configure allows for as many
VMs as possible to remain accessible in the event of fabric failure or maintenance.
Which of the following is the value that you should configure for the
platformUpdateDomainCount property?

• A. 10
• B. 20
• C. 30
• D. 40

Answer : B

Each virtual machine in your availability set is assigned an update domain and a fault
domain by the underlying Azure platform. For a given availability set, five non-user-
configurable update domains are assigned by default (Resource Manager deployments
can then be increased to provide up to 20 update domains) to indicate groups of virtual
machines and underlying physical hardware that can be rebooted at the same time.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-overview

Next Question
Question 20 ( Question Set 1 )

DRAG DROP -
You have downloaded an Azure Resource Manager (ARM) template to deploy
numerous virtual machines (VMs). The ARM template is based on a current VM, but
must be adapted to reference an administrative password.
You need to make sure that the password cannot be stored in plain text.
You are preparing to create the necessary components to achieve your goal.
Which of the following should you create to achieve your goal? Answer by dragging the
correct option from the list to the answer area.
Select and Place:
Answer
:

You can use a template that allows you to deploy a simple Windows VM by retrieving
the password that is stored in a Key Vault. Therefore, the password is never put in plain
text in the template parameter file.

Question 21 ( Question Set 1 )

Your company has an Azure Active Directory (Azure AD) tenant that is configured for
hybrid coexistence with the on-premises Active Directory domain.
The on-premise virtual environment consists of virtual machines (VMs) running on
Windows Server 2012 R2 Hyper-V host servers.
You have created some PowerShell scripts to automate the configuration of newly
created VMs. You plan to create several new VMs.
You need a solution that ensures the scripts are run on the new VMs.
Which of the following is the best solution?

• A. Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts

directory.
• B. Configure a Group Policy Object (GPO) to run the scripts as logon scripts.
 • C. Configure a Group Policy Object (GPO) to run the scripts as startup scripts.
• D. Place the scripts in a new virtual hard disk (VHD).

Answer : A

After you deploy a Virtual Machine you typically need to make some changes before
it‫ג‬€™s ready to use. This is something you can do manually or you could use
Remote PowerShell to automate the configuration of your VM after deployment for
example.
But now there‫ג‬€™s a third alternative available allowing you customize your VM: the
CustomScriptextension.
This CustomScript extension is executed by the VM Agent and it‫ג‬€™s very
straightforward: you specify which files it needs to download from your storage
account and which file it needs to execute. You can even specify arguments that need
to be passed to the script. The only requirement is that you execute a .ps1 file.
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-a-
custom-script-to-windows-setup https://azure.microsoft.com/en-us/blog/automating-
vm-customization-tasks-using-custom-script-extension/

Next Question
Question 22 ( Question Set 1 )

Your company has an Azure Active Directory (Azure AD) tenant that is configured for
hybrid coexistence with the on-premises Active Directory domain.
You plan to deploy several new virtual machines (VMs) in Azure. The VMs will have the
same operating system and custom software requirements.
You configure a reference VM in the on-premise virtual environment. You then
generalize the VM to create an image.
You need to upload the image to Azure to ensure that it is available for selection when
you create the new Azure VMs.
Which PowerShell cmdlets should you use?

• A. Add-AzVM
• B. Add-AzVhd
• C. Add-AzImage
• D. Add-AzImageDataDisk

Answer : B

The Add-AzVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a
blob storage account as fixed virtual hard disks.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/upload-
generalized-managed

Next Question
Question 23 ( Question Set 1 )

DRAG DROP -
Your company has an Azure subscription that includes a number of Azure virtual
machines (VMs), which are all part of the same virtual network.
Your company also has an on-premises Hyper-V server that hosts a VM, named VM1,
which must be replicated to Azure.
Which of the following objects that must be created to achieve this goal? Answer by
dragging the correct option from the list to the answer area.
Select and Place:
Answer
:

Next Question
Question 24 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company's Azure subscription includes two Azure networks named
VirtualNetworkA and VirtualNetworkB.
VirtualNetworkA includes a VPN gateway that is configured to make use of static
routing. Also, a site-to-site VPN connection exists between your company's on-
premises network and VirtualNetworkA.
You have configured a point-to-site VPN connection to VirtualNetworkA from a
workstation running Windows 10. After configuring virtual network peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access
VirtualNetworkB from the company's on-premises network. However, you find that you
cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.
You have to make sure that a connection to VirtualNetworkB can be established from
the Windows 10 workstation.
Solution: You choose the Allow gateway transit setting on VirtualNetworkA.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-
site-routing

Next Question
Question 25 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company's Azure subscription includes two Azure networks named
VirtualNetworkA and VirtualNetworkB.
VirtualNetworkA includes a VPN gateway that is configured to make use of static
routing. Also, a site-to-site VPN connection exists between your company's on-
premises network and VirtualNetworkA.
You have configured a point-to-site VPN connection to VirtualNetworkA from a
workstation running Windows 10. After configuring virtual network peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access
VirtualNetworkB from the company's on-premises network. However, you find that you
cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.
You have to make sure that a connection to VirtualNetworkB can be established from
the Windows 10 workstation.
Solution: You choose the Allow gateway transit setting on VirtualNetworkB.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-
site-routing

Question 26 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company's Azure subscription includes two Azure networks named
VirtualNetworkA and VirtualNetworkB.
VirtualNetworkA includes a VPN gateway that is configured to make use of static
routing. Also, a site-to-site VPN connection exists between your company's on-
premises network and VirtualNetworkA.
You have configured a point-to-site VPN connection to VirtualNetworkA from a
workstation running Windows 10. After configuring virtual network peering between
VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access
VirtualNetworkB from the company's on-premises network. However, you find that you
cannot establish a connection to VirtualNetworkB from the Windows 10 workstation.
You have to make sure that a connection to VirtualNetworkB can be established from
the Windows 10 workstation.
Solution: You download and re-install the VPN client configuration package on the
Windows 10 workstation.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : A

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-
site-routing

Next Question
Question 27 ( Question Set 1 )

Your company has virtual machines (VMs) hosted in Microsoft Azure. The VMs are
located in a single Azure virtual network named VNet1.
The company has users that work remotely. The remote workers require access to the
VMs on VNet1.
You need to provide access for the remote workers.
What should you do?

• A. Configure a Site-to-Site (S2S) VPN.

• B. Configure a VNet-toVNet VPN.
• C. Configure a Point-to-Site (P2S) VPN.
• D. Configure DirectAccess on a Windows Server 2012 server VM.
• E. Configure a Multi-Site VPN
Answer : C

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to
your virtual network from an individual client computer.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-
vpngateways

Next Question
Question 28 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has a Microsoft SQL Server Always On availability group configured on
their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability
group.
Solution: You create an HTTP health probe on port 1433.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B

Next Question
Question 29 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has a Microsoft SQL Server Always On availability group configured on
their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability
group.
Solution: You set Session persistence to Client IP.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : B
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-
machines-windows-portal-sql-alwayson-int-listener

Next Question
Question 30 ( Question Set 1 )

Note: The question is included in a number of questions that depicts the identical set-
up. However, every question has a distinctive result. Establish if the solution satisfies the
requirements.
Your company has a Microsoft SQL Server Always On availability group configured on
their Azure virtual machines (VMs).
You need to configure an Azure internal load balancer as a listener for the availability
group.
Solution: You enable Floating IP.
Does the solution meet the goal?

• A. Yes
• B. No

Answer : A

Question 31 ( Question Set 1 )

Your company has two on-premises servers named SRV01 and SRV02. Developers have
created an application that runs on SRV01. The application calls a service on SRV02 by
IP address.
You plan to migrate the application on Azure virtual machines (VMs). You have
configured two VMs on a single subnet in an Azure virtual network.
You need to configure the two VMs with static internal IP addresses.
What should you do?

• A. Run the New-AzureRMVMConfig PowerShell cmdlet.

• B. Run the Set-AzureSubnet PowerShell cmdlet.
• C. Modify the VM properties in the Azure Management Portal.
• D. Modify the IP properties in Windows Network and Sharing Center.
• E. Run the Set-AzureStaticVNetIP PowerShell cmdlet.

Answer : E

Specify a static internal IP for a previously created VM

If you want to set a static IP address for a VM that you previously created, you can do
so by using the following cmdlets. If you already set an IP address for the
VM and you want to change it to a different IP address, you‫ג‬€™ll need to remove the
existing static IP address before running these cmdlets. See the instructions below to
remove a static IP.
For this procedure, you‫ג‬€™ll use the Update-AzureVM cmdlet. The Update-AzureVM
cmdlet restarts the VM as part of the update process. The DIP that you specify will be
assigned after the VM restarts. In this example, we set the IP address for VM2, which is
located in cloud service StaticDemo.
Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -
IPAddress 192.168.4.7 | Update-AzureVM

Next Question
Question 32 ( Question Set 1 )

Your company has an Azure Active Directory (Azure AD) subscription.

You need to deploy five virtual machines (VMs) to your company's virtual network
subnet.
The VMs will each have both a public and private IP address. Inbound and outbound
security rules for all of these virtual machines must be identical.
Which of the following is the least amount of network interfaces needed for this
configuration?

• A. 5
• B. 10
• C. 20
• D. 40

Answer : A

Next Question
Question 33 ( Question Set 1 )

Your company has an Azure Active Directory (Azure AD) subscription.

You need to deploy five virtual machines (VMs) to your company's virtual network
subnet.
The VMs will each have both a public and private IP address. Inbound and outbound
security rules for all of these virtual machines must be identical.
Which of the following is the least amount of security groups needed for this
configuration?

• A. 4
• B. 3
• C. 2
• D. 1

Answer : D
Next Question
Question 34 ( Question Set 1 )

Your company's Azure subscription includes Azure virtual machines (VMs) that run
Windows Server 2016.
One of the VMs is backed up every day using Azure Backup Instant Restore.
When the VM becomes infected with data encrypting ransomware, you decide to
recover the VM's files.
Which of the following is TRUE in this scenario?

• A. You can only recover the files to the infected VM.

• B. You can recover the files to any VM within the company‫ג‬€™s subscription.
• C. You can only recover the files to a new VM.
• D. You will not be able to recover the files.

Answer : A

Next Question
Question 35 ( Question Set 1 )

Your company's Azure subscription includes Azure virtual machines (VMs) that run
Windows Server 2016.
One of the VMs is backed up every day using Azure Backup Instant Restore.
When the VM becomes infected with data encrypting ransomware, you are required to
restore the VM.
Which of the following actions should you take?

• A. You should restore the VM after deleting the infected VM.

• B. You should restore the VM to any VM within the company‫ג‬€™s subscription.
• C. You should restore the VM to a new Azure VM.
• D. You should restore the VM to an on-premise Windows device.

Answer : B

Question 36 ( Question Set 1 )

You administer a solution in Azure that is currently having performance issues.

You need to find the cause of the performance issues pertaining to metrics on the
Azure infrastructure.
Which of the following is the tool you should use?

• A. Azure Traffic Analytics

• B. Azure Monitor
• C. Azure Activity Log
 • D. Azure Advisor

Answer : B

Metrics in Azure Monitor are stored in a time-series database which is optimized for
analyzing time-stamped data. This makes metrics particularly suited for alerting and
fast detection of issues.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform

Next Question
Question 37 ( Question Set 1 )

Your company has an Azure subscription that includes a Recovery Services vault.
You want to use Azure Backup to schedule a backup of your company's virtual
machines (VMs) to the Recovery Services vault.
Which of the following VMs can you back up? Choose all that apply.

• A. VMs that run Windows 10.

• B. VMs that run Windows Server 2012 or higher.
• C. VMs that have NOT been shut down.
• D. VMs that run Debian 8.2+.
• E. VMs that have been shut down.

Answer : ABCDE

Azure Backup supports backup of 64-bit Windows server operating system from
Windows Server 2008.
Azure Backup supports backup of 64-bit Windows 10 operating system.
Azure Backup supports backup of 64-bit Debian operating system from Debian 7.9+.
Azure Backup supports backup of VM that are shutdown or offline.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros

Next Question
Question 38 ( Question Set 1 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external
users.
Solution: You create a PowerShell script that runs the New-AzureADUser cmdlet for
each user.
Does this meet the goal?

• A. Yes
• B. No

Answer : B

The New-AzureADUser cmdlet creates a user in Azure Active Directory (Azure AD).
Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new
external user to your directory.
Reference:
https://docs.microsoft.com/en-us/powershell/module/azuread/new-
azureadmsinvitation

Next Question
Question 39 ( Question Set 1 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external
users.
Solution: From Azure AD in the Azure portal, you use the Bulk create user operation.
Does this meet the goal?

• A. Yes
• B. No

Answer : B

Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new

external user to your directory.
Reference:
https://docs.microsoft.com/en-us/powershell/module/azuread/new-
azureadmsinvitation

Next Question
Question 40 ( Question Set 1 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external
users.
Solution: You create a PowerShell script that runs the New-AzureADMSInvitation
cmdlet for each external user.
Does this meet the goal?

• A. Yes
• B. No

Answer : A

Use the New-AzureADMSInvitation cmdlet which is used to invite a new external user
to your directory.
Reference:
https://docs.microsoft.com/en-us/powershell/module/azuread/new-
azureadmsinvitation

Question 41 ( Question Set 2 )

HOTSPOT -
You have an Azure subscription named Subscription1 that contains a resource group
named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer
named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The
solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

The Network Contributor role lets you manage networks, but not access them.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Next Question
Question 42 ( Question Set 2 )

You have an Azure subscription that contains an Azure Active Directory (Azure AD)
tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named
AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in
contoso.com.
You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?

• A. From contoso.com, modify the Organization relationships settings.

• B. From contoso.com, create an OAuth 2.0 authorization endpoint.
• C. Recreate AKS1.
• D. From AKS1, create a namespace.

Answer : B

Reference:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Next Question
Question 43 ( Question Set 2 )

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant
named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary
Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are
deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.

• A. a Microsoft 365 group that uses the Assigned membership type

• B. a Security group that uses the Assigned membership type
• C. a Microsoft 365 group that uses the Dynamic User membership type
• D. a Security group that uses the Dynamic User membership type
• E. a Security group that uses the Dynamic Device membership type

Answer : AC

You can set expiration policy only for Office 365 groups in Azure Active Directory
(Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a
way to clean up unused groups. Expiration policies can help remove inactive groups
from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint
site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.
Incorrect Answers:
B, D, E: You can set expiration policy only for Office 365 groups in Azure Active
Directory (Azure AD).
Reference:
https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-
expiration-policy?view=o365-worldwide

Next Question
Question 44 ( Question Set 2 )

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that
contains the users shown in the following table:

User3 is the owner of Group1.

Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:
For each of the following statements, select Yes if the statement is true. Otherwise,
select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-
review

Next Question
Question 45 ( Question Set 2 )

HOTSPOT -
You have the Azure management groups shown in the following table:

You add Azure subscriptions to the management groups as shown in the following
table:
You create the Azure policies shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise,
select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Box 1: No -
Virtual networks are not allowed at the root and is inherited. Deny overrides allowed.

Box 2: Yes -
Virtual Machines can be created on a Management Group provided the user has the
required RBAC permissions.

Box 3: Yes -
Subscriptions can be moved between Management Groups provided the user has the
required RBAC permissions.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
https://docs.microsoft.com/en-us/azure/governance/management-
groups/manage#moving-management-groups-and-subscriptions

Question 46 ( Question Set 2 )

You have an Azure policy as shown in the following exhibit:

What is the effect of the policy?

• A. You are prevented from creating Azure SQL servers anywhere in Subscription 1.
• B. You can create Azure SQL servers in ContosoRG1 only.
• C. You are prevented from creating Azure SQL Servers in ContosoRG1 only.
• D. You can create Azure SQL servers in any resource group within Subscription 1.

Answer : B

You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the
exception of ContosoRG1

Next Question
Question 47 ( Question Set 2 )
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following
table:

You assign a policy to RG6 as shown in the following table:

To RG6, you apply the tag: RGroup: RG6.

You deploy a virtual network named VNET2 to RG6.
Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in
the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer
:

VNET1: Department: D1, and Label:Value1 only.

Tags applied to the resource group or subscription are not inherited by the resources.
Note: Azure Policy allows you to use either built-in or custom-defined policy definitions
and assign them to either a specific resource group or across a whole
Azure subscription.
VNET2: Label:Value1 only.
Incorrect Answers:

RGROUP: RG6 -
Tags applied to the resource group or subscription are not inherited by the resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-
policies

Next Question
Question 48 ( Question Set 2 )

You have an Azure subscription named AZPT1 that contains the resources shown in the
following table:

You create a new Azure subscription named AZPT2.

You need to identify which resources can be moved to AZPT2.
Which resources should you identify?
 • A. VM1, storage1, VNET1, and VM1Managed only
• B. VM1 and VM1Managed only
• C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
• D. RVAULT1 only

Answer : C

You can move a VM and its associated resources to a different subscription by using
the Azure portal.
You can now move an Azure Recovery Service (ASR) Vault to either a new resource
group within the current subscription or to a new subscription.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-
resource-group-and-subscription

Next Question
Question 49 ( Question Set 2 )

You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource
Manager template. Admin1 deploys the template by using Azure
PowerShell and receives the following error message: `User failed validation to
purchase resources. Error message: `Legal terms have not been accepted for this item
on this subscription. To accept legal terms, please go to the Azure portal
(http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic
deployment for the Marketplace item or create it there for the first time.`
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?

• A. From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet

• B. From the Azure portal, register the Microsoft.Marketplace resource provider
• C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
• D. From the Azure portal, assign the Billing administrator role to Admin1

Answer : C

Reference:
https://docs.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-
azmarketplaceterms?view=azps-4.1.0

Next Question
Question 50 ( Question Set 2 )
You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user
accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?

• A. From the Licenses blade, assign a new license

• B. From the Directory role blade, modify the directory role
• C. From the Groups blade, invite the user account to a new group

Answer : B

Assign a role to a user -

1. Sign in to the Azure portal with an account that's a global admin or privileged role
admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the
list.
3. For the selected user, select Directory role, select Add role, and then pick the
appropriate admin roles from the Directory roles list, such as Conditional access
administrator.
4. Press Select to save.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-
directory-users-assign-role-azure-portal

Question 51 ( Question Set 2 )

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com
that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?

• A. From the Licenses blade of Azure AD, assign a license

• B. From the Groups blade of each user, invite the users to a group
• C. From the Azure AD domain, add an enterprise application
• D. From the Directory role blade of each user, modify the directory role

Answer : A

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-
groups
Next Question
Question 52 ( Question Set 2 )

You have an Azure subscription named Subscription1 and an on-premises deployment

of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1.
You need to ensure that an alert is set in Service Manager when the amount of
available memory on VM1 is below 10 percent.
What should you do first?

• A. Create an automation runbook

• B. Deploy a function app
• C. Deploy the IT Service Management Connector (ITSM)
• D. Create a notification

Answer : C

The IT Service Management Connector (ITSMC) allows you to connect Azure and a
supported IT Service Management (ITSM) product/service, such as the
Microsoft System Center Service Manager.
With ITSMC, you can create work items in ITSM tool, based on your Azure alerts (metric
alerts, Activity Log alerts and Log Analytics alerts).
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview

Next Question
Question 53 ( Question Set 2 )

You sign up for Azure Active Directory (Azure AD) Premium P2.
You need to add a user named [email protected] as an administrator on all the
computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?

• A. Device settings from the Devices blade

• B. Providers from the MFA Server blade
• C. User settings from the Users blade
• D. General settings from the Groups blade

Answer : A

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD
adds the following security principles to the local administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page.
To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on
Azure AD joined devices.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

Next Question
Question 54 ( Question Set 2 )

HOTSPOT -
You have Azure Active Directory tenant named Contoso.com that includes following
users:

Contoso.com includes following Windows 10 devices:

You create following security groups in Contoso.com:

For each of the following statements, select Yes if the statement is true. Otherwise,
select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Box 1: Yes -
User1 is a Cloud Device Administrator.
Device2 is Azure AD joined.
Group1 has the assigned to join type. User1 is the owner of Group1.
Note: Assigned groups - Manually add users or devices into a static group.
Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in
Azure AD

Box 2: No -
User2 is a User Administrator.
Device1 is Azure AD registered.
Group1 has the assigned join type, and the owner is User1.
Note: Azure AD registered devices utilize an account managed by the end user, this
account is either a Microsoft account or another locally managed credential.

Box 3: Yes -
User2 is a User Administrator.
Device2 is Azure AD joined.
Group2 has the Dynamic Device join type, and the owner is User2.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/overview
Next Question
Question 55 ( Question Set 2 )

You have an Azure subscription that contains a resource group named RG26.
RG26 is set to the West Europe location and is used to create temporary resources for a
project. RG26 contains the resources shown in the following table.

SQLDB01 is backed up to RGV1.

When the project is complete, you attempt to delete RG26 from the Azure portal. The
deletion fails.
You need to delete RG26.
What should you do first?

• A. Delete VM1
• B. Stop VM1
• C. Stop the backup of SQLDB01
• D. Delete sa001

Answer : C

Question 56 ( Question Set 2 )

You have an Azure subscription named Subscription1 that contains a virtual network
named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?

• A. Remove User1 from the Security Reader and Reader roles for Subscription1.
• B. Assign User1 the User Access Administrator role for VNet1.
• C. Assign User1 the Network Contributor role for VNet1.
• D. Assign User1 the Network Contributor role for RG1.

Answer : B
Has full access to all resources including the right to delegate access to others.
Note:
There are several versions of this question in the exam. The question has two possible
correct answers:
✑ Assign User1 the User Access Administrator role for VNet1.
✑ Assign User1 the Owner role for VNet1.
Other incorrect answer options you may see on the exam include the following:
✑ Assign User1 the Contributor role for VNet1.
✑ Remove User1 from the Security Reader and Reader roles for Subscription1. Assign
User1 the Contributor role for Subscription1.
✑ Remove User1 from the Security Reader role for Subscription1. Assign User1 the
Contributor role for RG1.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Next Question
Question 57 ( Question Set 2 )

You have an Azure Active Directory (Azure AD) tenant named

contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?

• A. MX
• B. NSEC
• C. PTR
• D. RRSIG

Answer : A

To verify your custom domain name (example)

1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name,
Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly
registered and is valid for Azure AD. Use either the TXT or the MX record type.
Note:
There are several versions of this question in the exam. The question can have two
correct answers:
1. MX
2. TXT
The question can also have other incorrect answer options, including the following:
1. SRV
2. NSEC3
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

Next Question
Question 58 ( Question Set 2 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have an Azure Directory (Azure AD) tenant named Adatum and an Azure
Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in
the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers
group.
Does this meet the goal?

• A. Yes
• B. No

Answer : B

DevTest Labs User role only lets you connect, start, restart, and shutdown virtual
machines in your Azure DevTest Labs.
The Logic App Contributor role lets you manage logic app, but not access to them. It
provides access to view, edit, and update a logic app.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

Next Question
Question 59 ( Question Set 2 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have an Azure Directory (Azure AD) tenant named Adatum and an Azure
Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in
the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers
group.
Does this meet the goal?

• A. Yes
• B. No

Answer : B

You would need the Logic App Contributor role.

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

Next Question
Question 60 ( Question Set 2 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have an Azure Directory (Azure AD) tenant named Adatum and an Azure
Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in
the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
Does this meet the goal?

• A. Yes
• B. No

Answer : A

The Contributor role can manage all resources (and add resources) in a Resource Group.

Question 61 ( Question Set 2 )

DRAG DROP -
You have an Azure subscription that is used by four departments in your company. The
subscription contains 10 resource groups. Each department uses resources in several
resource groups.
You need to send a report to the finance department. The report must detail the costs
for each department.
Which three actions should you perform in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct
order.
Select and Place:

Answer
:

Box 1: Assign a tag to each resource.

You apply tags to your Azure resources giving metadata to logically organize them into
a taxonomy. After you apply tags, you can retrieve all the resources in your subscription
with that tag name and value. Each resource or resource group can have a maximum of
15 tag name/value pairs. Tags applied to the resource group are not inherited by the
resources in that resource group.
Box 2: From the Cost analysis blade, filter the view by tag
After you get your services running, regularly check how much they're costing you. You
can see the current spend and burn rate in Azure portal.
1. Visit the Subscriptions blade in Azure portal and select a subscription.
You should see the cost breakdown and burn rate in the popup blade.
2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait
24 hours after you add a service for the data to populate.
3. You can filter by different properties like tags, resource group, and timespan. Click
Apply to confirm the filters and Download if you want to export the view to a
Comma-Separated Values (.csv) file.
Box 3: Download the usage report
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-
using-tags https://docs.microsoft.com/en-us/azure/billing/billing-getting-started

Next Question
Question 62 ( Question Set 2 )

You have an Azure subscription named Subscription1 that contains an Azure Log
Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?

• A. Get-Event Event | where {$_.EventType == "error"}

• B. search in (Event) "error"
• C. select * from Event where EventType == "error"
• D. search in (Event) * | where EventType -eq "error"

Answer : B

To search a term in a specific table, add the table-name just after the search operator
Note:
There are several versions of this question in the exam. The question has two possible
correct answers:
1. Event | search "error"
2. Event | where EventType == "error"
3. search in (Event) "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye ‫ג‬€"eq "error"}
2. Event | where EventType is "error"
3. search in (Event) * | where EventType ‫ג‬€"eq "error"
4. select * from Event where EventType is "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal
https://docs.microsoft.com/en-us/azure/data-
explorer/kusto/query/searchoperator?pivots=azuredataexplorer

Next Question
Question 63 ( Question Set 2 )
HOTSPOT -
You have an Azure subscription that contains a virtual network named VNET1 in the
East US 2 region. A network interface named VM1-NI is connected to
VNET1.
You successfully deploy the following Azure Resource Manager template.
For each of the following statements, select Yes if the statement is true. Otherwise,
select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Box 1: Yes -

Box 2: Yes -
VM1 is in Zone1, while VM2 is on Zone2.

Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/architecture/resiliency/recovery-loss-azure-
region

Question 64 ( Question Set 2 )

You have an Azure subscription named Subscription1. Subscription1 contains the

resource groups in the following table.

RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?

• A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to
WebApp1.
• B. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to
WebApp1.
• C. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to
WebApp1.
• D. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to
WebApp1.

Answer : A

You can move an app to another App Service plan, as long as the source plan and the
target plan are in the same resource group and geographical region.
The region in which your app runs is the region of the App Service plan it's in. However,
you cannot change an App Service plan's region.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

Next Question
Question 65 ( Question Set 2 )

HOTSPOT -
You have an Azure subscription named Subscription1 that has a subscription ID of
c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following
requirements:
✑ Can be assigned only to the resource groups in Subscription1
✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resources within the
resource groups
What should you specify in the assignable scopes and the permission elements of the
definition of CR1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer
:

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-
operations#microsoftresources

Question 66 ( Question Set 2 )

You have an Azure subscription.

Users access the resources in the subscription from either home or from customer sites.
From home, users must establish a point-to-site VPN to access the Azure resources.
The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business-app named App1 that runs on several Azure virtual
machine. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual
machines.
What are two possible Azure services that you can use? Each correct answer presents a
complete solution.
NOTE: Each correct selection is worth one point.

• A. an internal load balancer

 • B. a public load balancer
• C. an Azure Content Delivery Network (CDN)
• D. Traffic Manager
• E. an Azure Application Gateway

Answer : AE

Network traffic from the VPN gateway is routed to the cloud application through an
internal load balancer. The load balancer is located in the front-end subnet of the
application.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-
networking/vpn https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-
overview https://docs.microsoft.com/en-us/azure/application-gateway/overview

Next Question
Question 67 ( Question Set 2 )

You have an Azure subscription.

You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service
tier changed to a less expensive offering.
Which blade should you use?

• A. Monitor
• B. Advisor
• C. Metrics
• D. Customer insights

Answer : B

Advisor helps you optimize and reduce your overall Azure spend by identifying idle and
underutilized resources. You can get cost recommendations from the Cost tab on the
Advisor dashboard.
Reference:
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

Next Question
Question 68 ( Question Set 2 )

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor
authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings
in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer :

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-
based-mfa

Next Question
Question 69 ( Question Set 2 )

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the [email protected] sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and
receives the following error message: `Unable to invite user [email protected] `"
Generic authorization exception.`
You need to ensure that Admin1 can invite the external partner to sign in to the Azure
AD tenant.
What should you do?

• A. From the Users settings blade, modify the External collaboration settings.
• B. From the Custom domain names blade, add a custom domain.
• C. From the Organizational relationships blade, add an identity provider.
• D. From the Roles and administrators blade, assign the Security administrator role
to Admin1.

Expose Correct Answer Next Question

Question 70 ( Question Set 2 )

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant
includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management
group.
What should you do?

• A. Assign the Owner role for the Azure Subscription to User1, and then modify the
default conditional access policies.
• B. Assign the Owner role for the Azure subscription to User1, and then instruct
User1 to configure access management for Azure resources.
• C. Assign the Global administrator role to User1, and then instruct User1 to
configure access management for Azure resources.
• D. Create a new management group and delegate User1 as the owner of the new
management group.

Answer : B

The following chart shows the list of roles and the supported actions on management
groups.

Note:
Each directory is given a single top-level management group called the "Root"
management group. This root management group is built into the hierarchy to have all
management groups and subscriptions fold up to it. This root management group
allows for global policies and Azure role assignments to be applied at the directory
level. The Azure AD Global Administrator needs to elevate themselves to the User
Access Administrator role of this root group initially. After elevating access, the
administrator can assign any Azure role to other directory users or groups to manage
the hierarchy. As administrator, you can assign your own account as owner of the root
management group.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
Question 71 ( Question Set 2 )

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named adatum.com.
Adatum.com contains the groups in the following table.

You create two user accounts that are configured as shown in the following table.

Of which groups are User1 and User2 members? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer :

Box 1: Group 1 only -

First rule applies -

Box 2: Group1 and Group2 only -

Both membership rules apply.
Reference:
https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-
collections

Next Question
Question 72 ( Question Set 2 )

HOTSPOT -
You have a hybrid deployment of Azure Active Directory (Azure AD) that contains the
users shown in the following table.

You need to modify the JobTitle and UsageLocation attributes for the users.
For which users can you modify the attributes from Azure AD? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer :

Box 1: User1 and User3 only -

You must use Windows Server Active Directory to update the identity, contact info, or
job info for users whose source of authority is Windows Server Active
Directory.

Box 2: User1, User2, and User3 -

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-
directory-users-profile-azure-portal

Next Question
Question 73 ( Question Set 2 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is
assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
Does this meet the goal?

• A. Yes
• B. No

Answer : A

Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope:
owner, contributor, reader, or network contributor.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

Next Question
Question 74 ( Question Set 2 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is
assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?

• A. Yes
• B. No
Answer : A

Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope:
owner, contributor, reader, or network contributor.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

Next Question
Question 75 ( Question Set 2 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is
assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Reader role at the subscription level to Admin1.
Does this meet the goal?

• A. Yes
• B. No

Answer : A

Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope:
owner, contributor, reader, or network contributor.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

Question 76 ( Question Set 2 )

You have an Azure subscription that contains a user named User1.

You need to ensure that User1 can deploy virtual machines and manage virtual
networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?

• A. Owner
• B. Virtual Machine Contributor
• C. Contributor
• D. Virtual Machine Administrator Login
Answer : C

Contributor: Grants full access to manage all resources, but does not allow you to
assign roles in Azure RBAC
Incorrect Answers:
A: Owner: Grants full access to manage all resources, including the ability to assign
roles in Azure RBAC.
B: Virtual Machine Contributor: Lets you manage virtual machines, but not access to
them, and not the virtual network or storage account they're connected to.
D: Virtual Machine Administrator Login: View Virtual Machines in the portal and login as
administrator.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Next Question
Question 77 ( Question Set 2 )

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains three global
administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is
configured as shown in the Access control exhibit. (Click the Access
Control tab.)

You sign in to the Azure portal as Admin1 and configure the tenant as shown in the
Tenant exhibit. (Click the Tenant tab.)
For each of the following statements, select Yes if the statement is true. Otherwise,
select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer
:

Box 1: No -
Only Admin3, the owner, can assign ownership.

Box 2: Yes -

Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-
change-subscription-administrator

Next Question
Question 78 ( Question Set 2 )

You have an Azure subscription named Subscription1 that contains an Azure virtual
machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by
using the identity of VM1.
What should you do first?

• A. From the Azure portal, modify the Managed Identity settings of VM1
• B. From the Azure portal, modify the Access control (IAM) settings of RG1
• C. From the Azure portal, modify the Access control (IAM) settings of VM1
• D. From the Azure portal, modify the Policies settings of RG1

Answer : A

Managed identities for Azure resources provides Azure services with an automatically
managed identity in Azure Active Directory. You can use this identity to authenticate to
any service that supports Azure AD authentication, without having credentials in your
code.
You can enable and disable the system-assigned managed identity for VM using the
Azure portal.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-
resources/qs-configure-portal-windows-vm

Next Question
Question 79 ( Question Set 2 )

You have an Azure subscription that contains a resource group named TestRG.
You use TestRG to validate an Azure deployment.
TestRG contains the following resources:

You need to delete TestRG.

What should you do first?

• A. Modify the backup configurations of VM1 and modify the resource lock type of
VNET1
• B. Remove the resource lock from VNET1 and delete all data in Vault1
• C. Turn off VM1 and remove the resource lock from VNET1
• D. Turn off VM1 and delete all data in Vault1

Answer : C

When you delete a resource group, all of its resources are also deleted. Deleting a
resource group deletes all of its template deployments and currently stored operations.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/delete-
resource-group?tabs=azure-powershell

Next Question
Question 80 ( Question Set 2 )

You have an Azure DNS zone named adatum.com.

You need to delegate a subdomain named research.adatum.com to a different DNS
server in Azure.
What should you do?

• A. Create an NS record named research in the adatum.com zone.

• B. Create a PTR record named research in the adatum.com zone.
• C. Modify the SOA record of adatum.com.
• D. Create an A record named *.research in the adatum.com zone.
Answer : A

You need to create a name server (NS) record for the zone.
Reference:
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain

Question 81 ( Question Set 2 )

DRAG DROP -
You have an Azure Active Directory (Azure AD) tenant that has the
contoso.onmicrosoft.com domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a
suffix of @contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct
order.
Select and Place:
Answer
:

1. Add the custom domain name to your directory

2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

Next Question
Question 82 ( Question Set 2 )

You have an Azure subscription named Subscription1 that contains an Azure Log
Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?

• A. Get-Event Event | where {$_.EventType == "error"}

• B. Event | search "error"
• C. select * from Event where EventType == "error"
• D. search in (Event) * | where EventType ‫ג‬€"eq ‫ג‬€error‫ג‬€

Answer : B

The search operator provides a multi-table/multi-column search experience.

The syntax is:
Table_name | search "search term"
Note:
There are several versions of this question in the exam. The question has three possible
correct answers:
1. search in (Event) "error"
2. Event | search "error"
3. Event | where EventType == "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye ‫ג‬€"eq "error"}
2. Event | where EventType is "error"
3. select * from Event where EventType is "error"
4. search in (Event) * | where EventType ‫ג‬€"eq "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal
https://docs.microsoft.com/en-us/azure/data-
explorer/kusto/query/searchoperator?pivots=azuredataexplorer

Next Question
Question 83 ( Question Set 2 )

You have a registered DNS domain named contoso.com.

You create a public Azure DNS zone named contoso.com.
You need to ensure that records created in the contoso.com zone are resolvable from
the internet.
What should you do?

• A. Create NS records in contoso.com.

• B. Modify the SOA record in the DNS domain registrar.
• C. Create the SOA record in contoso.com.
• D. Modify the NS records in the DNS domain registrar.

Answer : D

Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

Next Question
Question 84 ( Question Set 2 )

HOTSPOT -
You have an Azure subscription that contains a storage account named storage1. The
subscription is linked to an Azure Active Directory (Azure AD) tenant named
contoso.com that syncs to an on-premises Active Directory domain.
The domain contains the security principals shown in the following table.

In Azure AD, you create a user named User2.

The storage1 account contains a file share named share1 and has the following
configurations.

For each of the following statements, select Yes if the statement is true. Otherwise,
select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-
assign-permissions?tabs=azure-portal

Next Question
Question 85 ( Question Set 2 )

HOTSPOT -
You have an Azure subscription named Subscription1 that contains a virtual network
VNet1.
You add the users in the following table.
Which user can perform each configuration? To answer, select the appropriate options
in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Box 1: User1 and User3 only.

User1: The Owner Role lets you manage everything, including access to resources.
User3: The Network Contributor role lets you manage networks, including creating
subnets.
Box 2: User1 only.
The Security Admin role: In Security Center only: Can view security policies, view
security states, edit security policies, view alerts and recommendations, dismiss alerts
and recommendations.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-
operations#microsoftnetwork

Question 86 ( Question Set 2 )

HOTSPOT -
You have the Azure resources shown on the following exhibit.

You plan to track resource usage and prevent the deletion of resources.
To which resources can you apply locks and tags? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer
:

Box 1: Sub1, RG1, and VM1 only -

You can lock a subscription, resource group, or resource to prevent other users in your
organization from accidentally deleting or modifying critical resources.

Box 2: Sub1, RG1, and VM1 only -

You apply tags to your Azure resources, resource groups, and subscriptions.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-
resources?tabs=json https://docs.microsoft.com/en-us/azure/azure-resource-
manager/management/tag-resources?tabs=json

Next Question
Question 87 ( Question Set 2 )

You have an Azure Active Directory (Azure AD) tenant.

You plan to delete multiple users by using Bulk delete in the Azure Active Directory
admin center.
You need to create and upload a file for the bulk delete.
Which user attributes should you include in the file?

• A. The user principal name and usage location of each user only
• B. The user principal name of each user only
• C. The display name of each user only
• D. The display name and usage location of each user only
 • E. The display name and user principal name of each user only

Answer : B

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-
delete

Next Question
Question 88 ( Question Set 2 )

HOTSPOT -
You have an Azure subscription named Sub1 that contains the Azure resources shown
in the following table.

You assign an Azure policy that has the following settings:

✑ Scope: Sub1
✑ Exclusions: Sub1/RG1/VNET1
✑ Policy definition: Append a tag and its value to resources
✑ Policy enforcement: Enabled
✑ Tag name: Tag4
✑ Tag value: value4
You assign tags to the resources as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise,
select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Box 1: No -
The Azure Policy will add Tag4 to RG1.

Box 2: No -
Tags applied to the resource group or subscription aren't inherited by the resources
although you can enable inheritance with Azure Policy. Storage1 has Tag3:
Value1 and the Azure Policy will add Tag4.

Box 3: No -
Tags applied to the resource group or subscription aren't inherited by the resources so
VNET1 does not have Tag2.
VNET1 has Tag3:value2. VNET1 is excluded from the Azure Policy so Tag4 will not be
added to VNET1.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-
resources?tabs=json

Next Question
Question 89 ( Question Set 2 )
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is
assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Traffic Manager Contributor role at the subscription level to
Admin1.
Does this meet the goal?

• A. Yes
• B. No

Answer : B

Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

Next Question
Question 90 ( Question Set 2 )

You have three offices and an Azure subscription that contains an Azure Active
Directory (Azure AD) tenant.
You need to grant user management permissions to a local administrator in each office.
What should you use?

• A. Azure AD roles
• B. administrative units
• C. access packages in Azure AD entitlement management
• D. Azure roles

Answer : B

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units

Question 91 ( Question Set 2 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have an Azure Directory (Azure AD) tenant named Adatum and an Azure
Subscription named Subscription1. Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in
the Dev resource group.
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.
Does this meet the goal?

• A. Yes
• B. No

Answer : A

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Next Question
Question 92 ( Question Set 2 )

HOTSPOT -
You have an Azure Load Balancer named LB1.
You assign a user named User1 the roles shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement
based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-
roles#virtual-machine-contributor https://docs.microsoft.com/en-us/azure/role-based-
access-control/rbac-and-directory-admin-roles

Next Question
Question 93 ( Question Set 2 )

You have an Azure subscription named Subscription1 that contains a virtual network
named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?

• A. Remove User1 from the Security Reader role for Subscription1. Assign User1
the Contributor role for RG1.
• B. Assign User1 the Owner role for VNet1.
 • C. Assign User1 the Contributor role for VNet1.
• D. Assign User1 the Network Contributor role for VNet1.

Answer : B

Has full access to all resources including the right to delegate access to others.
Note:
There are several versions of this question in the exam. The question has two possible
correct answers:
✑ Assign User1 the User Access Administrator role for VNet1.
✑ Assign User1 the Owner role for VNet1.
Other incorrect answer options you may see on the exam include the following:
✑ Remove User1 from the Security Reader and Reader roles for Subscription1. Assign
User1 the Contributor role for Subscription1.
✑ Remove User1 from the Security Reader and Reader roles for Subscription1.
✑ Assign User1 the Network Contributor role for RG1.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-
admin-roles https://docs.microsoft.com/en-us/azure/role-based-access-
control/overview

Next Question
Question 94 ( Question Set 2 )

HOTSPOT -
You configure the custom role shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement
based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Box 1: roletype -
You need to configure Azure RBAC policy to determine who can log in to the VM. Two
Azure roles are used to authorize VM login:
Virtual Machine Administrator Login: Users with this role assigned can log in to an
Azure virtual machine with administrator privileges.
Virtual Machine User Login: Users with this role assigned can log in to an Azure virtual
machine with regular user privileges.
Note, example roletype:
"roleName": "Virtual Machine Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"

Box 2: assignableScopes -
Azure role-based access control (Azure RBAC) is the authorization system you use to
manage access to Azure resources. To grant access, you assign roles to users, groups,
service principals, or managed identities at a particular scope.
When you assign roles, you must specify a scope. Scope is the set of resources the
access applies to. In Azure, you can specify a scope at four levels from broad to narrow:
management group, subscription, resource group, and resource.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-
azure-ad-windows https://docs.microsoft.com/en-us/azure/role-based-access-
control/built-in-roles https://docs.microsoft.com/en-us/azure/role-based-access-
control/role-assignments-portal

Next Question
Question 95 ( Question Set 2 )

You have an Azure subscription that contains a storage account named storage1. The
storage1 account contains a file share named share1.
The subscription is linked to a hybrid Azure Active Directory (Azure AD) tenant that
contains a security group named Group1.
You need to grant Group1 the Storage File Data SMB Share Elevated Contributor role
for share1.
What should you do first?

• A. Enable Active Directory Domain Service (AD DS) authentication for storage1.
• B. Grant share-level permissions by using File Explorer.
• C. Mount share1 by using File Explorer.
• D. Create a private endpoint.

Answer : A

Before you enable Azure AD over SMB for Azure file shares, make sure you have
completed the following prerequisites:
1. Select or create an Azure AD tenant.
2. To support authentication with Azure AD credentials, you must enable Azure AD
Domain Services for your Azure AD tenant.
Etc.
Note: The Storage File Data SMB Share Elevated Contributor allows read, write, delete
and modify NTFS permissions in Azure Storage file shares over SMB.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-
directory-domain-service-enable

Question 96 ( Question Set 2 )

You have 15 Azure subscriptions.

You have an Azure Active Directory (Azure AD) tenant that contains a security group
named Group1.
You plan to purchase additional Azure subscription.
You need to ensure that Group1 can manage role assignments for the existing
subscriptions and the planned subscriptions. The solution must meet the following
requirements:
✑ Use the principle of least privilege.
✑ Minimize administrative effort.
What should you do?

• A. Assign Group1 the Owner role for the root management group.
• B. Assign Group1 the User Access Administrator role for the root management
group.
• C. Create a new management group and assign Group1 the User Access
Administrator role for the group.
• D. Create a new management group and assign Group1 the Owner role for the
group.

Answer : B

The User Access Administrator role enables the user to grant other users access to
Azure resources. This switch can be helpful to regain access to a subscription.
Management groups give you enterprise-grade management at scale no matter what
type of subscriptions you might have.
Each directory is given a single top-level management group called the "Root"
management group. This root management group is built into the hierarchy to have all
management groups and subscriptions fold up to it. This root management group
allows for global policies and Azure role assignments to be applied at the directory
level.
Incorrect:
Not C: A few directories that started using management groups early in the preview
before June 25 2018 could see an issue where not all the subscriptions were within the
hierarchy. The process to have all subscriptions in the hierarchy was put in place after a
role or policy assignment was done on the root management group in the directory.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-
admin-roles https://docs.microsoft.com/en-us/azure/governance/management-
groups/overview
Next Question
Question 97 ( Question Set 2 )

HOTSPOT -
You have an Azure subscription that contains the hierarchy shown in the following
exhibit.

You create an Azure Policy definition named Policy1.

To which Azure resources can you assign Policy1 and which Azure resources can you
specify as exclusions from Policy1? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer
:

Box 1: Tenant Root Group, ManagementGroup1, Subscription1, RG1, and VM1

Once your business rules have been formed, the policy definition or initiative is
assigned to any scope of resources that Azure supports, such as management groups,
subscriptions, resource groups, or individual resources.
Note: Azure provides four levels of scope: management groups, subscriptions, resource
groups, and resources. The following image shows an example of these layers.

Box 2: ManagementGroup1, Subscription1, RG1, and VM1

You can exclude a subscope from the assignment.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-
manager/management/overview
Next Question
Question 98 ( Question Set 2 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active
Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named

external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts.
Does that meet the goal?

• A. Yes
• B. No

Answer : A

Only a global administrator can add users to this tenant.

Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-
azure-ad

Next Question
Question 99 ( Question Set 2 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active
Directory tenant named contoso.onmicrosoft.com:
User1 creates a new Azure Active Directory tenant named
external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User4 to create the user accounts.
Does that meet the goal?

• A. Yes
• B. No

Answer : B

Only a global administrator can add users to this tenant.

Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-
azure-ad

Next Question
Question 100 ( Question Set 2 )

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active
Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named

external.contoso.onmicrosoft.com.
You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User3 to create the user accounts.
Does that meet the goal?

• A. Yes
• B. No

Answer : B
Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-
azure-ad

Question 101 ( Question Set 2 )

You have two Azure subscriptions named Sub1 and Sub2.

An administrator creates a custom role that has an assignable scope to a resource
group named RG1 in Sub1.
You need to ensure that you can apply the custom role to any resource group in Sub1
and Sub2. The solution must minimize administrative effort.
What should you do?

• A. Select the custom role and add Sub1 and Sub2 to the assignable scopes.
Remove RG1 from the assignable scopes.
• B. Create a new custom role for Sub1. Create a new custom role for Sub2. Remove
the role from RG1.
• C. Create a new custom role for Sub1 and add Sub2 to the assignable scopes.
Remove the role from RG1.
• D. Select the custom role and add Sub1 to the assignable scopes. Remove RG1
from the assignable scopes. Create a new custom role for Sub2.

Answer : A

Can be used as:

"AssignableScopes": [
"/subscriptions/{Sub1}",
"/subscriptions/{Sub2}",
Note: Custom role example:
The following shows what a custom role looks like as displayed using Azure PowerShell
in JSON format. This custom role can be used for monitoring and restarting virtual
machines.
{
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/providers/Microsoft.Management/managementGroups/{groupId1}"
]
}
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Next Question
Question 102 ( Question Set 2 )

You have an Azure Subscription that contains a storage account named

storageacct1234 and two users named User1 and User2.
You assign User1 the roles shown in the following exhibit.

Which two actions can User1 perform? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.

• A. Assign roles to User2 for storageacct1234.

• B. Upload blob data to storageacct1234.
• C. Modify the firewall of storageacct1234.
• D. View blob data in storageacct1234.
• E. View file shares in storageacct1234.
Answer : AE

Next Question
Question 103 ( Question Set 2 )

You have an Azure subscription named Subscription1 that contains an Azure Log
Analytics workspace named Workspace1.

You need to view the error events from a table named Event.

Which query should you run in Workspace1?

• A. select * from Event where EventType == "error"

• B. Event | search "error"
• C. Event | where EventType is "error"
• D. Get-Event Event | where {$_.EventType == "error"}

Answer : B

Next Question
Question 104 ( Question Set 2 )

You have an Azure App Services web app named App1.

You plan to deploy App1 by using Web Deploy.

You need to ensure that the developers of App1 can use their Azure AD credentials to
deploy content to App1. The solution must use the principle of least privilege.

What should you do?

• A. Assign the Owner role to the developers

• B. Configure app-level credentials for FTPS
• C. Assign the Website Contributor role to the developers
• D. Configure user-level credentials for FTPS

Answer : B

Next Question
Question 105 ( Question Set 2 )
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not
have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have a CSV file that contains the names and email addresses of 500 external users.

You need to create a guest user account in contoso.com for each of the 500 external
users.

Solution: From Azure AD in the Azure portal, you use the Bulk invite users operation.

Does this meet the goal?

• A. Yes
• B. No

Answer : B

Question 106 ( Question Set 2 )

HOTSPOT
-

You have an Azure subscription that is linked to an Azure AD tenant. The tenant
contains the custom role-based access control (RBAC) roles shown in the following
table.

From the Azure portal, you need to create two custom roles named Role3 and Role4.
Role3 will be an Azure subscription role. Role4 will be an Azure AD role.

Which roles can you clone to create the new roles? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

Answer
:

Next Question
Question 107 ( Question Set 2 )

DRAG DROP
-

You have an Azure subscription named Sub1 that contains two users named User1 and
User2.

You need to assign role-based access control (RBAC) roles to User1 and User2. The
users must be able to perform the following tasks in Sub1:

• User1 must view the data in any storage account.

• User2 must assign users the Contributor role for storage accounts.
The solution must use the principle of least privilege.

Which RBAC role should you assign to each user? To answer, drag the appropriate
roles to the correct users. Each role may be used once, more than once, or not at all. You
may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Answer :

Next Question
Question 108 ( Question Set 2 )

You have an Azure subscription that contains 10 virtual machines, a key vault named
Vault1, and a network security group (NSG) named NSG1. All the resources are
deployed to the East US Azure region.

The virtual machines are protected by using NSG1. NSG1 is configured to block all
outbound traffic to the internet.

You need to ensure that the virtual machines can access Vault1. The solution must use
the principle of least privilege and minimize administrative effort

What should you configure as the destination of the outbound security rule for NSG1?

• A. an application security group

• B. a service tag
• C. an IP address range
Answer : B

Next Question
Question 109 ( Question Set 2 )

You have an Azure AD tenant named adatum.com that contains the groups shown in the
following table.

Adatum.com contains the users shown in the following table.

You assign the Azure Active Directory Premium Plan 2 license to Group1 and User4.

Which users are assigned the Azure Active Directory Premium Plan 2 license?

• A. User4 only
• B. User1 and User4 only
• C. User1, User2, and User4 only
• D. User1, User2, User3, and User4

Answer : B

Next Question
Question 110 ( Question Set 2 )

HOTSPOT
-

You have an Azure AD tenant named contoso.com.

You have two external partner organizations named fabrikam.com and litwareinc.com.
Fabrikam.com is configured as a connected organization.
You create an access package as shown in the Access package exhibit. (Click the
Access package tab.)

You configure the external user lifecycle settings as shown in the Lifecycle exhibit.
(Click the Lifecycle tab.)
For each of the following statements, select Yes if the statement is true. Otherwise,
select No.

NOTE: Each correct selection is worth one point.

Answer
: