NEW QUESTION 1
HOTSPOT
You plan to create a new Azure Active Directory (Azure AD) role.
You need to ensure that the new role can view all the resources in the Azure subscription and issue support requests to Microsoft. The solution must use the principle of least privilege.
How should you complete the JSON definition? To answer, select the appropriate options in the answer are
a.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: "*/read",
*/read lets you view everything, but not make any changes. Box 2: " Microsoft.Support/*"
The action Microsoft.Support/* enables creating and management of support tickets. References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

NEW QUESTION 2
You have an Azure subscription named Subscription1 and two Azure Active Directory (Azure AD) tenants named Tenant1 and Tenant2.
Subscnption1 is associated to Tenant1 Multi-factor authentication (MFA) is enabled for all the users in Tenant1.
You need to enable MFA for the users in Tenant2. The solution must maintain MFA forTenant1. What should you do first?

• A. Transfer the administration of Subscription1 to a global administrator of Tenants.
• B. Configure the MFA Server setting in Tenant1.
• C. Create and link a subscription to Tenant2.
• D. Change the directory for Subscription1.

Answer: C

NEW QUESTION 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer
a question in this section, you will NOT be able to return to it As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscript contains a resource group named Dev.
d Subscription1. Adatum contains a group named Developers. Subscription!
You need to provide the Developers group with the ability to create Azure logic apps in the; Dev, resource group.
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.
Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation: The Logic App Contributor role lets you manage logic app, but not access to them. It provides access to view, edit, and update a logic app.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

NEW QUESTION 4
HOTSPOT
You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VMet1 contains one subnet named Subnet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool.
You need to collect data about the IP addresses that connects to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: An Azure Log Analytics workspace
In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions
Box 2: ILB1
References:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics

NEW QUESTION 5
You are the global administrator for an Azure Active Directory (Azure AD) tenet named adatum.com. You need to enable two-step verification for Azure users.
What should you do?

• A. Create a sign-in risk policy in Azure AD Identity Protection
• B. Enable Azure AD Privileged Identity Management.
• C. Create and configure the Identity Hub.
• D. Configure a security policy in Azure Security Center.

Answer: A

Explanation: With Azure Active Directory Identity Protection, you can:
require users to register for multi-factor authentication
handle risky sign-ins and compromised users References:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/flows

NEW QUESTION 6
You are configuring Azure Active Directory (AD) Privileged Identity Management.
You need to provide a user named Admm1 with read access to a resource group named RG1 for only one month.
The user role must be assigned immediately.
What should you do?

• A. Assign an active role.
• B. Assign an eligible role.
• C. Assign a permanently active role.
• D. Create a custom role and a conditional access policy.

Answer: B

Explanation: Azure AD Privileged Identity Management introduces the concept of an eligible admin. Eligible admins should be users that need privileged access now and then, but not all-day, every day. The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time.
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

NEW QUESTION 7
You need to add a deployment slot named staging to an Azure web app named
corplod@lab.LabInstance.Idn4. The solution must meet the following requirements:
When new code is deployed to staging, the code must be swapped automatically to the production slot. Azure-related costs must be minimized.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Locate and open the corplod@lab.LabInstance.Idn4 web app.
1. In the Azure portal, on the left navigation panel, click Azure Active Directory.
2. In the Azure Active Directory blade, click Enterprise applications.
Step 2:
Open your app's resource blade and Choose the Deployment slots option, then click Add Slot.

Step 3:
In the Add a slot blade, give the slot a name, and select whether to clone app configuration from another existing deployment slot. Click the check mark to continue.
The first time you add a slot, you only have two choices: clone configuration from the default slot in production or not at all.
References:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-staged-publishing

NEW QUESTION 8
You plan to support many connections to your company's automatically uses up to five instances when CPU utilization on the instances exceeds 70 percent for 10 minutes. When CPU utilization decreases, the solution must automatically reduce the number of instances.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Locate the Homepage App Service plan Step 2:
below.
Click Add a rule, and enter the appropriate fields, such as below, and the click Add. Time aggregation: average
Metric Name: Percentage CPU Operator: Greater than Threshold 70
Duration: 10 minutes Operation: Increase count by Instance count: 4

Step 3:
We must add a scale in rule as well. Click Add a rule, and enter the appropriate fields, such as below, then click Add.
Operator: Less than Threshold 70
Duration: 10 minutes Operation: Decrease count by Instance count: 4
References:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets- autoscale-portal
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/insights-autoscale-best-practices

NEW QUESTION 9
You discover that VM3 does NOT meet the technical requirements. You need to verify whether the issue relates to the NSGs.
What should you use?

• A. Diagram in VNet1
• B. the security recommendations in Azure Advisor
• C. Diagnostic settings in Azure Monitor
• D. Diagnose and solve problems in Traffic Manager Profiles
• E. IP flow verify in Azure Network Watcher

Answer: E

Explanation: Scenario: Contoso must meet technical requirements including:
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

NEW QUESTION 10
HOTSPOT
You have an Azure subscription named Subscription1 that contains the resources in the following table.

VM1 and VM2 run the websites in the following table.

AppGW1 has the backend pools in the following table.

DNS resolves site1.contoso.com, site2.contoso.com, and site3.contoso.com to the IP address of
AppGW1.
AppGW1 has the listeners in the following table.

AppGW1 has the rules in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Vm1 is in Pool1. Rule2 applies to Pool1, Listener 2, and site2.contoso.com

NEW QUESTION 11
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it As a result these questions will not appear in the review screen.
You have an Azure wet) app named Appl. App1 runs in an Azure App Service plan named Plan1. Plan1 is associated to the Free pricing tier.
You discover that App1 stops each day after running continuously for 60 minutes. You need to ensure that App1 can run continuously for the entire day.
Solution: You change the pricing tier of Plan1 to Shared. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: You should switch to the Basic Tier.
The Free Tier provides 60 CPU minutes / day. This explains why App1 is stops. The Shared Tier provides 240 CPU minutes / day. The Basic tier has no such cap.
References:
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/

NEW QUESTION 12
You plan to move services from your on-premises network to Azure.
You identify several virtual machines that you believe can be hosted in Azure. The virtual machines are shown in the following table.

Which two virtual machines can you access by using Azure migrate? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

• A. Sea-CA0l
• B. Hou-NW01
• C. NYC-FS01
• D. Sea-DC01
• E. BOS-DB01

Answer: CE

NEW QUESTION 13
Your Azure environment contains an application gateway and custom apps.
Another administrator modifies the application gateway and the apps to use HTTP over TCP port 8080.
Users report that they can no longer connect to the apps.
You suspect that the cause of the issue is a change in the configuration of the application gateway.
You need to modify the application gateway to resolve the issue. What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Select Networking and then select Application Gateway in the Featured list, and select the application gateway, and select the settings.
Step 2:
Click HTTP for the protocol of the listener and make sure that the port is defined as 443.

References:
https://docs.microsoft.com/en-us/azure/application-gateway/create-ssl-portal

NEW QUESTION 14
You need to create a web app named corp7509086n2 that can be scaled horizontally. The solution must use the lowest possible pricing tier for the App Service plan.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
In the Azure Portal, click Create a resource > Web + Mobile > Web App. Step 2:
Use the Webb app settings as listed below. Web App name: corp7509086n2
Hosting plan: Azure App Service plan Pricing tier of the Pricing Tier: Standard
Change your hosting plan to Standard, you can't setup auto-scaling below standard tier.
Step 3:
Select Create to provision and deploy the Web app.
References:
https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-web-how-to-create-a- web-app-in-an-ase
https://azure.microsoft.com/en-us/pricing/details/app-service/plans/

NEW QUESTION 15
You have an Azure App Service plan that hosts an Azure App Service named App1. You configure one production slot and four staging slots for App1.
You need to allocate 10 percent of the traffic to each staging slot and 60 percent of the traffic to the production slot.
What should you add to Appl1?

• A. slots to the Testing in production blade
• B. a performance test
• C. a WebJob
• D. templates to the Automation script blade

Answer: A

Explanation: Besides swapping, deployment slots offer another killer feature: testing in production. Just like the name suggests, using this, you can actually test in production. This means that you can route a specific percentage of user traffic to one or more of your deployment slots.
Example:

References:
https://stackify.com/azure-deployment-slots/

NEW QUESTION 16
You create an Azure subscription that is associated to a basic Azure Active Directory (Azure AD) tenant. You need to receive an email notification when any user activates an administrative role.
What should you do?

• A. Purchase Azure AD Premium 92 and configure Azure AD Privileged Identity Management,
• B. Purchase Enterprise Mobility + Security E3 and configure conditional access policies.
• C. Purchase Enterprise Mobility + Security E5 and create a custom alert rule in Azure Security Center.
• D. Purchase Azure AD Premium PI and enable Azure AD Identity Protection.

Answer: A

Explanation: When key events occur in Azure AD Privileged Identity Management (PIM), email notifications are sent. For example, PIM sends emails for the following events:
When a privileged role activation is pending approval
When a privileged role activation request is completed
When a privileged role is activated
When a privileged role is assigned
When Azure AD PIM is enabled References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim- email-notifications

NEW QUESTION 17
DRAG DROP
You create an Azure Migrate project named TestMig in a resource group named test-migration.
You need to discover which on-premises virtual machines to assess for migration. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation: Step 1: Download the OVA file for the collection appliance
Azure Migrate uses an on-premises VM called the collector appliance, to discover information about your on-premises machines. To create the appliance, you download a setup file in Open Virtualization Appliance (.ova) format, and import it as a VM on your on-premises vCenter Server.
Step 2: Create a migration group in the project
For the purposes of assessment, you gather the discovered VMs into groups. For example, you might group VMs that run the same application. For more precise grouping, you can use dependency visualization to view dependencies of a specific machine, or for all machines in a group and refine the
group.
Step 3: Create an assessment in the project
After a group is defined, you create an assessment for it. References:
https://docs.microsoft.com/en-us/azure/migrate/migrate-overview

Case Study: 6
Mix Questions Set D (Implement advanced networking)