AZ-101 Exam - Microsoft Azure Integration and Security

NEW QUESTION 1
You are the global administrator for an Azure Active Directory (Azure AD) tenet named adatum.com. You need to enable two-step verification for Azure users.
What should you do?

• A. Create a sign-in risk policy in Azure AD Identity Protection
• B. Enable Azure AD Privileged Identity Management.
• C. Create and configure the Identity Hub.
• D. Configure a security policy in Azure Security Center.

Answer: A

Explanation: With Azure Active Directory Identity Protection, you can:
require users to register for multi-factor authentication
handle risky sign-ins and compromised users References:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/flows

NEW QUESTION 2
HOTSPOT
Your company has offices in New York and Los Angeles.
You have an Azure subscription that contains an Azure virtual network named VNet1. Each office has a site-to-site VPN connection to VNet1.
Each network uses the address spaces shown in the following table.

You need to ensure that all Internet-bound traffic from VNet1 is routed through the New York office.
What should you do? To answer, select the appropriate options in the answer are a.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Incorrect Answers:
Not: New-AzureRmVirtualNetworkGatewayConnection
This command creates the Site-to-Site VPN connection between the virtual network gateway and the on-prem VPN device. We already have Site-to-Site VPN connections.
Box 2: 192.168.0.0/20
Specify the VNET1 address. References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.network/set- azurermvirtualnetworkgatewaydefaultsite

NEW QUESTION 3
You are configuring Azure Active Directory (AD) Privileged Identity Management.
You need to provide a user named Admm1 with read access to a resource group named RG1 for only one month.
The user role must be assigned immediately.
What should you do?

• A. Assign an active role.
• B. Assign an eligible role.
• C. Assign a permanently active role.
• D. Create a custom role and a conditional access policy.

Answer: B

Explanation: Azure AD Privileged Identity Management introduces the concept of an eligible admin. Eligible admins should be users that need privileged access now and then, but not all-day, every day. The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time.
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

NEW QUESTION 4
You are the global administrator for an Azure Active Directory (Azure AD) tenant named adatum.com. From the Azure Active Directory blade, you assign the Conditional Access Administrator role to a user You need to ensure that Admin1 has just-in-time access as a conditional access administrator.
What should you do next?

• A. Enable Azure AD Multi-Factor Authentication (MFA).
• B. Set Admin1 as Eligible for the Privileged Role Administrator role.
• C. Admin1 as Eligible for the Conditional Access Administrator role.
• D. Enable Azure AD Identity Protection.

Answer: A

Explanation: Require MFA for admins is a baseline policy that requires MFA for the following directory roles:
Global administrator 
SharePoint administrator 
Exchange administrator 
Conditional access administrator 
Security administrator References:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/baseline-protection

NEW QUESTION 5
You plan to move services from your on-premises network to Azure.
You identify several virtual machines that you believe can be hosted in Azure. The virtual machines are shown in the following table.

Which two virtual machines can you access by using Azure migrate? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

• A. Sea-CA0l
• B. Hou-NW01
• C. NYC-FS01
• D. Sea-DC01
• E. BOS-DB01

Answer: CE

NEW QUESTION 6
You have an Azure subscription.
You enable multi-factor authentication for all users.
Some users report that the email applications on their mobile device cannot co browser and from Microsoft Outlook 2021 on their computer.
You need to ensure that the users can use the email applications on their mobile device. What should you instruct the users to do?
The users can access Exchange Online by using a web

• A. Enable self-service password reset.
• B. Create an app password.
• C. Reset the Azure Active Directory (Azure AD) password.
• D. Reinstall the Microsoft Authenticator app.

Answer: A

Explanation: References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

NEW QUESTION 7
A web developer creates a web application that you plan to deploy as an Azure web app.
Users must enter credentials to access the web application.
You create a new web app named WebAppl1 and deploy the web application to WebApp1.
You need to disable anonymous access to WebApp1. What should you configure?

• A. Advanced Tools
• B. Authentication/ Authorization
• C. Access control (IAM)
• D. Deployment credentials

Answer: B

Explanation: Anonymous access is an authentication method. It allows users to establish an anonymous connection.
References:
https://docs.microsoft.com/en-us/biztalk/core/guidelines-for-resolving-iis-permissions-problems

NEW QUESTION 8
From the MFA Server blade, you open the Block/unblock users blade as shown in the exhibit.

What caused AlexW to be blocked?

• A. An administrator manually blocked the user.
• B. The user reports a fraud alert when prompted for additional authentication.
• C. The user account password expired.
• D. The user entered an incorrect PIN four times within 10 minutes.

Answer: B

NEW QUESTION 9
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click the Exhibit tab.)

You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

NEW QUESTION 10
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. Solution: From Azure Monitor, you create a metric on Network In and Network Out. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: You should use Azure Network Watcher. References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

Case Study: 2
Mix Questions Set B (Implement advanced networking)

NEW QUESTION 11
You have an Azure subscription named Subscription1 and two Azure Active Directory (Azure AD) tenants named Tenant1 and Tenant2.
Subscnption1 is associated to Tenant1 Multi-factor authentication (MFA) is enabled for all the users in Tenant1.
You need to enable MFA for the users in Tenant2. The solution must maintain MFA forTenant1. What should you do first?

• A. Transfer the administration of Subscription1 to a global administrator of Tenants.
• B. Configure the MFA Server setting in Tenant1.
• C. Create and link a subscription to Tenant2.
• D. Change the directory for Subscription1.

Answer: C

NEW QUESTION 12
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.
You would need the Logic App Contributor role. References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

NEW QUESTION 13
HOTSPOT
You need to prepare the environment to implement the planned changes for Server2.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: Create a Recovery Services vault
Create a Recovery Services vault on the Azure Portal. Box 2: Install the Azure Site Recovery Provider
Azure Site Recovery can be used to manage migration of on-premises machines to Azure. Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Server2 has the Hyper-V host role. References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

Case Study: 5
Mix Questions Set C (Evaluate and perform server migration to Azure)

NEW QUESTION 14
You have an azure subscription that contain a virtual named VNet1. VNet1. contains four subnets named Gatesway, perimeter, NVA, and production.
The NVA contain two network virtual appliance (NVAs) that will network traffic inspection between the perimeter subnet and the production subnet.
You need o implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
The NVAs must run in an active-active configuration that uses automatic failover.
The NVA must load balance traffic to two services on the Production subnet. The services have different IP addresses
Which three actions should you perform? Each correct answer presents parts of the solution.
NOTE: Each correct selection is worth one point.

• A. Add two load balancing rules that have HA Ports enabled and Floating IP disabled.
• B. Deploy a standard load balancer.
• C. Add a frontend IP configuration, two backend pools, and a health prob.
• D. Add a frontend IP configuration, a backend pool, and a health probe.
• E. Add two load balancing rules that have HA Ports and Floating IP enabled.
• F. Deploy a basic load balancer.

Answer: BCE

Explanation: A standard load balancer is required for the HA ports.
-Two backend pools are needed as there are two services with different IP addresses.
-Floating IP rule is used where backend ports are reused. Incorrect Answers:
F: HA Ports are not available for the basic load balancer. References:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview

NEW QUESTION 15
You need to deploy an application gateway named appgwl015 to meet the following requirements: Load balance internal IP traffic to the Azure virtual machines connected to subnet0.
Provide a Service Level Agreement (SLA) of 99.99 percent availability for the Azure virtual machines.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Click New found on the upper left-hand corner of the Azure portal.
Step 2:
Select Networking and then select Application Gateway in the Featured list.
Step 3:
Enter these values for the application gateway: appgw1015 - for the name of the application gateway. SKU Size: Standard_V2
The new SKU [Standard_V2] offers autoscaling and other critical performance enhancements.

Step 4:
Accept the default values for the other settings and then click OK.
Step 5:
Click Choose a virtual network, and select subnet0. References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway- portal

NEW QUESTION 16
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it As a result these questions will not appear in the review screen.
You have an Azure wet) app named Appl. App1 runs in an Azure App Service plan named Plan1. Plan1 is associated to the Free pricing tier.
You discover that App1 stops each day after running continuously for 60 minutes. You need to ensure that App1 can run continuously for the entire day.
Solution: You change the pricing tier of Plan1 to Shared. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: You should switch to the Basic Tier.
The Free Tier provides 60 CPU minutes / day. This explains why App1 is stops. The Shared Tier provides 240 CPU minutes / day. The Basic tier has no such cap.
References:
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/

NEW QUESTION 17
You have an Azure Active Directory (Azure AD) tenant named Tenant1 and an Azure subscription named You enable Azure AD Privileged Identity Management.
You need to secure the members of the Lab Creator role. The solution must ensure that the lab creators request access when they create labs.
What should you do first?

• A. From Azure AD Privileged Identity Management, edit the role settings for Lab Creator.
• B. From Subscription1 edit the members of the Lab Creator role.
• C. From Azure AD Identity Protection, creates a user risk policy.
• D. From Azure AD Privileged Identity Management, discover the Azure resources of Conscription.

Answer: A

Explanation: As a Privileged Role Administrator you can:
Enable approval for specific roles
Specify approver users and/or groups to approve requests
View request and approval history for all privileged roles References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure