NEW QUESTION 1
HOT SPOT
You configure the multi-factor authentication status for three users as shown in the following table.

You create a group named Group1 and add Admin1, Admin2, and Admin3 to the group.
For all cloud apps, you create a conditional access policy that includes Group1. The policy requires multi-factor authentication.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: No
Disabled is the default state for a new user not enrolled in Azure MFA. Box 2: Yes
Enforced: The user has been enrolled and has completed the registration process for Azure MFA. Web browser apps require login in this case.
Box 3: Yes
Enabled: The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in.
Web browser apps require login in this case. References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

NEW QUESTION 2
Note: This questions is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 3
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD You need to ensure that Azure can verify the domain name. Which type of DNS record should you create?

• A. PTR
• B. MX
• C. NSEC3
• D. RRSIG

Answer: B

Explanation: To verify your custom domain name (example)
Sign in to the Azure portal using a Global administrator account for the directory. Select Azure Active Directory, and then select Custom domain names.
On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.

References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

NEW QUESTION 4
You have an Azure subscription named Subscription1 that is used be several departments at your company. Subscription1 contains the resources in the following table:

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?

• A. RG1
• B. VM1
• C. Storage1
• D. Container1

Answer: A

Explanation: 1. View template from deployment history
Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link.

2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.

The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that you provided for parameters. To see the template that you used for the deployment, select View template.

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-managerexport- template

NEW QUESTION 5
You have an Azure subscription that contains two resource groups named RG1 and RG2. RG2 does not contain any resources. RG1 contains the resources in the following table.

Which resource can you move to RG2?

• A. W10_OsDisk
• B. VNet1
• C. VNet3
• D. W10

Answer: B

Explanation: When moving a virtual network, you must also move its dependent resources. For example, you must move gateways with the virtual network. VM W10, which is in Vnet1, is not a dependent resource.
Incorrect Answers:
A: Managed disks don't support move.
C: Virtual networks (classic) can't be moved.
D: Virtual machines with the managed disks cannot be moved.
References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-groupmove- resources#virtual-machines-limitations

NEW QUESTION 6
You have an Azure Active Directory (Azure AD) tenant.
You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of the Global Administrators group authenticate to Azure AD from untrusted locations.
You need to ensure that members of the Global Administrators group will also be forced to use multi- factor authentication when authenticating from untrusted locations.
What should you do?

• A. From the multi-factor authentication page, modify the service settings.
• B. From the multi-factor authentication page, modify the user settings.
• C. From the Azure portal, modify grant control of Policy1.
• D. From the Azure portal, modify session control of Policy1.

Answer: C

Explanation: There are two types of controls: Grant controls – To gate access
Session controls – To restrict access to a session
Grant controls oversee whether a user can complete authentication and reach the resource that they’re attempting to sign-in to. If you have multiple controls selected, you can configure whether all of them are required when your policy is processed. The current implementation of Azure Active Directory enables you to set the following grant control requirements:

References:
https://blog.lumen21.com/2021/12/15/conditional-access-in-azure-active-directory/

NEW QUESTION 7
You have an on-premises network that contains a Hyper-V host named Host1. Host1 runs Windows Server 2021 and hosts 10 virtual machines that run Windows Server 2021.
You plan to replicate the virtual machines to Azure by using Azure Site Recovery. You create a Recovery Services vault named ASR1 and a Hyper-V site named Site1. You need to add Host1 to ASR1.
What should you do?

• A. Download the installation file for the Azure Site Recovery Provide
• B. Download the vault registration key.Install the Azure Site Recovery Provider on Host1 and register the server.
• C. Download the installation file for the Azure Site Recovery Provide
• D. Download the storage account key.Install the Azure Site Recovery Provider on Host1 and register the server.
• E. Download the installation file for the Azure Site Recovery Provide
• F. Download the vault registration key.Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
• G. Download the installation file for the Azure Site Recovery Provide
• H. Download the storage account key.Install the Azure Site Recovery Provider on each virtual machine and register the virtual machine

Answer: A

Explanation: Download the Vault registration key. You need this when you install the Provider. The key is valid for five days after you generate it.
Install the Provider on each VMM server. You don't need to explicitly install anything on Hyper-V hosts.
Incorrect Answers:
B, D: Use the Vault Registration Key, not the storage account key. References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

NEW QUESTION 8
HOT SPOT
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click the Exhibit tab.)

You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Answer:

Explanation:

NEW QUESTION 9
You need to deploy an Azure load balancer named Ib 1015 to your Azure subscription. The solution must meet the following requirements:
-Support the load balancing of IP traffic from the Internet to Azure virtual machines connected to VNET1016 subnet0.
-Prov.de 4 Service level Agreement (SWJ of 99.99 percent ability for the Azure virtual machines.
-Minimize Azure-related costs.
What should you do from the Azure portal?
To complete this task, you do NOT need to wait for the deployment to complete. Once the deployment start in Azure, you can move to the next task.

Answer:

Explanation: Step 1:
On the top left-hand side of the screen, click Create a resource > Networking > Load Balancer. Step 2:
In the Create a load balancer page enter these values for the load balancer: myLoadBalancer - for the name of the load balancer.
Internal - for the type of the load balancer. Basic - for SKU version.
Microsoft guarantees that apps running in a customer subscription will be available 99.99% of the time.
VNET1016subnet0 - for subnet that you choose from the list of existing subnets.
Step 3: Accept the default values for the other settings and click Create to create the load balancer.

NEW QUESTION 10
HOT SPOT
You plan to use Azure Network Watcher to perform the following tasks:
Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
Task2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Task 1: IP flow verify
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
Task 2:
With the addition of Connection Troubleshoot, Network Watcher will see an incremental increase in its capabilities and ways for you to utilize it in your day to day operations. You can now, for example, check connectivity between source (VM) and destination (VM, URI, FQDN, IP Address). References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview https://azure.microsoft.com/en-us/blog/network-watcher-connection-troubleshoot-now-generallyavailable/

NEW QUESTION 11
HOT SPOT
You have an Azure Migrate project that has the following assessment properties: Target location: East US
Storage redundancy: Locally redundant. Comfort factor: 2.0
Performance history: 1 month Percentile utilization: 95th
Pricing tier: Standard Offer: Pay as you go
You discover the following two virtual machines:
A virtual machine named VM1 that runs Windows Server 2021 and has 10 CPU cores at 20 percent utilization
A virtual machine named VM2 that runs Windows Server 2012 and has four CPU cores at 50 percent utilization
How many CPU cores will Azure Migrate recommend for each virtual machine? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 2: 4
4 *0.50 * 0.95* 2 = 3.8
Note: The number of cores in the machines must be equal to or less than the maximum number of cores (128 cores) supported for an Azure VM.
If performance history is available, Azure Migrate considers the utilized cores for comparison. If a comfort factor is specified in the assessment settings, the number of utilized cores is multiplied by the comfort factor.
If there's no performance history, Azure Migrate uses the allocated cores, without applying the comfort factor.
References:
https://docs.microsoft.com/en-us/azure/migrate/concepts-assessment-calculation

NEW QUESTION 12
You plan to connect a virtual network named VNET1017 to your on-premises network by using both an Azure ExpressRoute and a site-to-site VPN connection.
You need to prepare the Azure environment for the planned deployment. The solution must maximize the IP address space available to Azure virtual machines.
What should you do from the Azure portal before you create the ExpressRoute are the VPN gateway?

Answer:

Explanation: We need to create a Gateway subnet Step 1:
Go to More Services > Virtual Networks Step 2:
Then click on the VNET1017, and click on subnets. Then click on gateway subnet.
Step 3:
In the next window define the subnet for the gateway and click OK

It is recommended to use /28 or /27 for gateway subnet.
As we want to maximize the IP address space we should use /27. References:
https://blogs.technet.microsoft.com/canitpro/2021/06/28/step-by-step-configuring-a-site-to-sitevpn- gateway-between-azure-and-on-premise/

NEW QUESTION 13
You discover that VM3 does NOT meet the technical requirements. You need to verify whether the issue relates to the NSGs.
What should you use?

• A. Diagram in VNet1
• B. the security recommendations in Azure Advisor
• C. Diagnostic settings in Azure Monitor
• D. Diagnose and solve problems in Traffic Manager Profiles
• E. IP flow verify in Azure Network Watcher

Answer: E

Explanation: Scenario: Contoso must meet technical requirements including:
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

NEW QUESTION 14
DRAG DROP
Your network is configured as shown in the following exhibit.

The firewalls are configured as shown in the following table.

Prod1 contains a vCenter server.
You install an Azure Migrate Collector on Test1. You need to discover the virtual machines.
Which TCP port should be allowed on each firewall? To answer, drag the appropriate ports to the correct firewalls. Each port may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: FW1: Outbound 443
Collector communicates with Azure Migrate service over SSL 443. FW2: Outbound 443
The Collector must be able to communicate with the vCenter Server. By default, it connects to vCenter on 443.
Note: The collector communicates as summarized in the following diagram.

References:
https://docs.microsoft.com/en-us/azure/migrate/concepts-collector

NEW QUESTION 15
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant.
You need to ensure that 10 users can use all the Azure AD Premium features. What should you do?

• A. From the Groups blade of each user, invite the users to a group.
• B. From the Licenses blade of Azure AD, assign a license.
• C. From the Directory role blade of each user, modify the directory role.
• D. From the Azure AD domain, add an enterprise applicatio

Answer: B

Explanation: To assign a license, under Azure Active Directory > Licenses > All Products, select one or more
products, and then select Assign on the command bar.
References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-usersgroups

NEW QUESTION 16
DRAG DROP
You need to prepare the New York office infrastructure for the migration of the on-premises virtual machines to Azure.
Which four actions you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation: Box 1:
From the Azure portal, download the OVF file.
In the vCenter Server, import the Collector appliance as a virtual machine using the Deploy OVF Template wizard.
In vSphere Client console, click File > Deploy OVF Template.
In the Deploy OVF Template Wizard > Source, specify the location for the .ovf file. Box 2: From VM1, connect to the collector virtual machine
After you've created the Collector virtual machine, connect to it and run the Collector. Box 3: From the ASRV1 blade in the Azure portal, select a protection goal.
Box 4: From VM1, register the configuration server. Register the configuration server in the vault
Scenario: The Azure infrastructure and the on-premises infrastructure and the on-premises infrastructure must be prepared for the migration of the VMware virtual machines to Azure. References:
Migrate Your Virtual Machines to Microsoft Azure, Includes guidance for optional data migration, Proof of Concept guide, September 2021 https://azuremigrate.blob.core.windows.net/publicpreview/Azure%20Migrate%20-
%20Preview%20User%20Guide.pdf

NEW QUESTION 17
You need to create a function app named corp7509086nl that supports sticky sessions. The solution must minimize the Azure-related costs of the App Service plan.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Select the New button found on the upper left-hand corner of the Azure portal, then select Compute
> Function App. Step 2:
Use the function app settings as listed below. App name: corp7509086n1
Hosting plan: Azure App Service plan (need this for the sticky sessions)
Pricing tier of the the App Service plan: Shared compute: Free Step 3:
Select Create to provision and deploy the function app. References:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal

NEW QUESTION 18
Which blade should you instruct the finance department auditors to use?

• A. invoices
• B. partner information
• C. cost analysis
• D. External services

Answer: A

NEW QUESTION 19
You have a public load balancer that balancer ports 80 and 443 across three virtual machines. You need to direct all the Remote Desktop protocol (RDP) to VM3 only.
What should you configure?

• A. an inbound NAT rule
• B. a load public balancing rule
• C. a new public load balancer for VM3
• D. a new IP configuration

Answer: A

Explanation: To port forward traffic to a specific port on specific VMs use an inbound network address translation (NAT) rule.
Incorrect Answers:
B: Load-balancing rule to distribute traffic that arrives at frontend to backend pool instances. References:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

NEW QUESTION 20
You have an Azure subscription.
You enable multi-factor authentication for all users.
Some users report that the email applications on their mobile device cannot co browser and from Microsoft Outlook 2021 on their computer.
You need to ensure that the users can use the email applications on their mobile device. What should you instruct the users to do?
The users can access Exchange Online by using a web

• A. Enable self-service password reset.
• B. Create an app password.
• C. Reset the Azure Active Directory (Azure AD) password.
• D. Reinstall the Microsoft Authenticator app.

Answer: A

Explanation: References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks