AZ-100 Exam - Microsoft Azure Infrastructure and Deployment

NEW QUESTION 1
You plan to deploy 20 Azure virtual machines by using an Azure Resource Manager template. The virtual machines will run the latest version of Windows Server 2021 Datacenter by using an Azure Marketplace image.
You need to complete the storageProfile section of the template.
How should you complete the storageProfile section? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: … "storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer", "offer": "WindowsServer",
"sku": "2021-Datacenter", "version": "latest"
},
… References:
https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate

NEW QUESTION 2
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.



When you are finished performing all the tasks, click the ‘Next’ button.
Note that you cannot return to the lab once you click the ‘Next’ button. Scoring occur in the background while you complete the rest of the exam.
Overview
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design. Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab
You may start the lab by clicking the Next button.
You plan to protect on-premises virtual machines and Azure virtual machines by using Azure Backup. You need to prepare the backup infrastructure in Azure. The solution must minimize the cost of storing the backups in Azure.
What should you do from the Azure portal?

Answer:

Explanation: First, create Recovery Services vault.
Step 1: On the left-hand menu, select All services and in the services list, type Recovery Services. As you type, the list of resources filters. When you see Recovery Services vaults in the list, select it to open the Recovery Services vaults menu.

Step 2: In the Recovery Services vaults menu, click Add to open the Recovery Services vault menu.

Step 3: In the Recovery Services vault menu, for example, Type myRecoveryServicesVault in Name.
The current subscription ID appears in Subscription. If you have additional subscriptions, you could choose another subscription for the new vault.
For Resource group select Use existing and choose myResourceGroup. If myResourceGroup doesn't exist, select Create new and type myResourceGroup.
From the Location drop-down menu, choose West Europe. Click Create to create your Recovery Services vault.
References: https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-vm-at-scale

NEW QUESTION 3
Your network contains an Active Directory domain named adatum.com and an Azure Active Directory (Azure AD) tenant named adatum.onmicrosoft.com.
Adatum.com contains the user accounts in the following table.

Adatum.onmicrosoft.com contains the user accounts in the following table.

You need to implement Azure AD Connect. The solution must follow the principle of least privilege.
Which user accounts should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: User5
In Express settings, the installation wizard asks for the following: AD DS Enterprise Administrator credentials
Azure AD Global Administrator credentials
The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These credentials are only used during the installation and are not used after the installation has completed. The Enterprise Admin, not the Domain Admin should make sure the permissions in Active Directory can be set in all domains.
Box 2: UserA
Azure AD Global Admin credentials credentials are only used during the installation and are not used after the installation has completed. It is used to create the Azure AD Connector account used for synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissio

NEW QUESTION 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You assign a built-in policy definition to the subscription. Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 5
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.






When you are finished performing all the tasks, click the ‘Next’ button.
Note that you cannot return to the lab once you click the ‘Next’ button. Scoring occur in the background while you complete the rest of the exam.
Overview
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design. Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab
You may start the lab by clicking the Next button.
You plan to create several virtual machines in different availability zones, and then to configure the virtual machines for load balanced connections from the Internet.
You need to create an IP address resource named ip1006 to support the planned load balancing solution. The solution must minimize costs.
What should you do from the Azure portal?

Answer:

Explanation: We should create a public IP address.
At the top, left corner of the portal, select + Create a resource.
Enter public ip address in the Search the Marketplace box. When Public IP address appears in the search results, select it.
Under Public IP address, select Create.
Enter, or select values for the following settings, under Create public IP address, then select Create: Name: ip1006
SKU: Basic SKU IP Version: IPv6
IP address assignment: Dynamic Subscription: Select appropriate Resource group: Select appropriate
References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address

NEW QUESTION 6
You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. an XML manifest file
• B. a driveset CSV file
• C. a dataset CSV file
• D. a PowerShell PS1 file
• E. a JSON configuration file

Answer: BC

Explanation: B: Modify the driveset.csv file in the root folder where the tool resides.
C: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries in the dataset.csv file
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files

NEW QUESTION 7
You have an Azure Active Directory (Azure AD) domain that contains 5,000 user accounts. You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1. What should you do from the user account properties?

• A. From the Directory role blade, modify the directory role.
• B. From the Groups blade, invite the user account to a new group.
• C. From the Licenses blade, assign a new license.

Answer: A

Explanation: Assign a role to a user
Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.
Select Azure Active Directory, select Users, and then select a specific user from the list.
For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.
Press Select to save. References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-p

NEW QUESTION 8
You have an Azure subscription named Subscription1.
In Subscription1, you create an Azure file share named share1.
You create a shared access signature (SAS) named SAS1 as shown in the following exhibit.

To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: Will be prompted for credentials
Azure Storage Explorer is a standalone app that enables you to easily work with Azure Storage data on Windows, macOS, and Linux. It is used for connecting to and managing your Azure storage accounts.
Box 2: Will have read, write, and list access
The net use command is used to connect to file shares. References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1 https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows

NEW QUESTION 9
You have an Azure subscription.
You plan to use Azure Resource Manager templates to deploy 50 Azure virtual machines that will be part of the same availability set.
You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.
How should you configure the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Select two alternatives below.

• A. platformFaultDomainCount: 0
• B. platformFaultDomainCount: 1
• C. platformFaultDomainCount: 2
• D. platformFaultDomainCount: 3
• E. platformFaultDomainCount: 4
• F. platformUpdateDomainCount: 10
• G. platformUpdateDomainCount: 20
• H. platformUpdateDomainCount: 25
• I. platformUpdateDomainCount: 30
• J. platformUpdateDomainCount: 40
• K. platformUpdateDomainCount: 50

Answer: CG

Explanation: Use two fault domains.
2 or 3 is max, depending on which region you are in. Use 20 for platformUpdateDomainCount
Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.
References:
https://www.itprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disk https://github.com/Azure/acs-engine/issues/1030

NEW QUESTION 10
You have 100 Azure subscriptions. All the subscriptions are associated to the same Azure Active Directory (Azure AD) tenant named contoso.com.
You are a global administrator.
You plan to create a report that lists all the resources across all the subscriptions. You need to ensure that you can view all the resources in all the subscriptions.
What should you do?

• A. From the Azure portal, modify the profile settings of your account.
• B. From Windows PowerShell, run the Add-AzureADAdministrativeUnitMember cmdlet.
• C. From Windows PowerShell, run the New-AzureADUserAppRoleAssignment cmdlet.
• D. From the Azure portal, modify the properties of the Azure AD tenant.

Answer: C

Explanation: The New-AzureADUserAppRoleAssignment cmdlet assigns a user to an application role in Azure Active Directory (AD). Use it for the application report.
References:
https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azuread

NEW QUESTION 11
You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault. What should you do first?

• A. From the Recovery Service vault, stop the backup of each backup item.
• B. From the Recovery Service vault, delete the backup data.
• C. Modify the disaster recovery properties of each virtual machine.
• D. Modify the locks of each virtual machine.

Answer: A

Explanation: You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to receive backup data.
Remove vault dependencies and delete vault
In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure File Servers, SQL Servers in Azure VM, and Azure virtual machines.

References: https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

NEW QUESTION 12
Your company registers a domain name of contoso.com.
You create an Azure DNS named contoso.com and then you add an A record to the zone for a host named www that has an IP address of 131.107.1.10.
You discover that Internet hosts are unable to resolve www.contoso.com to the 131.107.1.10 IP address. You need to resolve the name resolution issue.
Solution: You add an NS record to the contoso.com zone. Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation: Before you can delegate your DNS zone to Azure DNS, you need to know the name servers for your zone. The NS record set contains the names of the Azure DNS name servers assigned to the zone.
References: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

NEW QUESTION 13
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.






When you are finished performing all the tasks, click the ‘Next’ button.
Note that you cannot return to the lab once you click the ‘Next’ button. Scoring occur in the background while you complete the rest of the exam.
Overview
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design. Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab
You may start the lab by clicking the Next button.
You plan to create 100 Azure virtual machines on each of the following three virtual networks:
VNET1005a
VNET1005b
VNET1005c
All the network traffic between the three virtual networks will be routed through VNET1005a.
You need to create the virtual networks, and then to ensure that all the Azure virtual machines can connect to other virtual machines by using their private IP address. The solution must NOT require any virtual network gateways and must minimize costs.
What should you do from the Azure portal before you configure IP routing?

Answer:

Explanation: Step 1: Click Create a resource in the portal.
Step 2: Enter Virtual network in the Search the Marketplace box at the top of the New pane that appears. Click Virtual network when it appears in the search results.
Step 3: Select Classic in the Select a deployment model box in the Virtual Network pane that appears, then click Create.
Step 4: Enter the following values on the Create virtual network (classic) pane and then click Create: Name: VNET1005a
Address space: 10.0.0.0/16 Subnet name: subnet0 Resource group: Create new
Subnet address range: 10.0.0.0/24
Subscription and location: Select your subscription and location.
Step 5: Repeat steps 3-5 for VNET1005b (10.1.0.0/16, 10.1.0.0/24), and for VNET1005c 10.2.0.0/16, 10.2.0.0/24).
References: https://docs.microsoft.com/en-us/azure/virtual-network/create-virtual-network-classic

NEW QUESTION 14
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.



When you are finished performing all the tasks, click the ‘Next’ button.
Note that you cannot return to the lab once you click the ‘Next’ button. Scoring occur in the background while you complete the rest of the exam.
Overview
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design. Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab
You may start the lab by clicking the Next button.
Your on-premises network uses an IP address range of 131.107.2.0 to 131.107.2.255.
You need to ensure that only devices from the on-premises network can connect to the rg1lod7523691n1 storage account.
What should you do from the Azure portal?

Answer:

Explanation: Step 1: Navigate to the rg1lod7523691n1 storage account.
Step 2: Click on the settings menu called Firewalls and virtual networks.
Step 3: Ensure that you have elected to allow access from 'Selected networks'.
Step 4: To grant access to an internet IP range, enter the address range of 131.107.2.0 to 131.107.2.255 (in CIDR format) under Firewall, Address Ranges.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

NEW QUESTION 15
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD. You need to ensure that Azure can verify the domain name. Which type of DNS record should you create?

• A. PTR
• B. MX
• C. NSEC3
• D. RRSIG

Answer: B

NEW QUESTION 16
You have an Azure Storage accounts as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: storageaccount1 and storageaccount2 only Box 2: All the storage accounts
Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts.
General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options

NEW QUESTION 17
You need to recommend an identify solution that meets the technical requirements. What should you recommend?

• A. federated single-on (SSO) and Active Directory Federation Services (AD FS)
• B. password hash synchronization and single sign-on (SSO)
• C. cloud-only user accounts
• D. Pass-through Authentication and single sign-on (SSO)

Answer: A

Explanation: Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company’s network.
Scenario: Technical Requirements include:
Prevent user passwords or hashes of passwords from being stored in Azure. References: https://www.sherweb.com/blog/active-directory-federation-services/

Topic 3, Mix Questions

NEW QUESTION 18
You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.
You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single-sign on (SSO) to access Azure resources.
What should you do first?

• A. From the on-premises network, deploy Active Directory Federation Services (AD FS).
• B. From Azure AD, add and verify a custom domain name.
• C. From the on-premises network, request a new certificate that contains the Active Directory domain name.
• D. From the server that runs Azure AD Connect, modify the filtering options.

Answer: B

Explanation: Azure AD Connect lists the UPN suffixes that are defined for the domains and tries to match them with a custom domain in Azure AD. Then it helps you with the appropriate action that needs to be taken. The Azure AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and displays the corresponding status against each suffix. The status values can be one of the following:
State: Verified
Azure AD Connect found a matching verified domain in Azure AD. All users for this domain can sign in by using their on-premises credentials.
State: Not verified
Azure AD Connect found a matching custom domain in Azure AD, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified.
Action Required: Verify the custom domain in Azure AD.
References: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-user-signin

NEW QUESTION 19
You have an Azure subscription.
You need to implement a custom policy that meet the following requirements:
*Ensures that each new resource group in the subscription has a tag named organization set to a value of Contoso.
*Ensures that resource group can be created from the Azure portal.
*Ensures that compliance reports in the Azure portal are accurate.
How should you complete the policy? To answer, select the appropriate options in the answers area.

Answer:

Explanation: References: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure

NEW QUESTION 20
You have an Azure virtual machine named VM1 that you use for testing. VM1 is protected by Azure Backup. You delete VM1.
You need to remove the backup data stored for VM1. What should you do first?

• A. Modify the backup policy.
• B. Delete the Recovery Services vault.
• C. Stop the backup.
• D. Delete the storage account.

Answer: A

Explanation: Azure Backup provides backup for virtual machines — created through both the classic deployment model and the Azure Resource Manager deployment model — by using custom-defined backup policies in a Recovery Services vault.
With the release of backup policy management, customers can manage backup policies and model them to meet their changing requirements from a single window. Customers can edit a policy, associate more virtual machines to a policy, and delete unnecessary policies to meet their compliance requirements.