AZ-301 Exam - Microsoft Azure Architect Design

NEW QUESTION 1
You are designing a data protection strategy for Azure virtual machines. All the virtual machines are in the Standard tier and use managed disks.
You need to recommend a solution that meets the following requirements:
The use of encryption keys is audited.
All the data is encrypted at rest always.
You manage the encryption keys, not Microsoft.
What should you include in the recommendation?

• A. BitLocker Drive Encryption (BitLocker)
• B. Azure Storage Service Encryption
• C. client-side encryption
• D. Azure Disk Encryption

Answer: D

Explanation: References:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview

NEW QUESTION 2
To meet the authentication requirements of Fabrikam, what should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

NEW QUESTION 3
Your company has three branch offices and an Azure subscription. Each branch office contains a Hyper-V host that hosts application servers.
You need to recommend a storage solution for the branch offices. The solution must ensure that the application servers can connect to a central storage device by using iSCSI connections. Data saved to the iSCSI storage device from the application servers must be uploaded to Azure automatically.
Which components should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: References:
https://docs.microsoft.com/en-us/azure/storsimple/storsimple-ova-overview

NEW QUESTION 4
You need to recommend a disaster recovery solution for the back-end tier of the payment processing system. What should you include in the recommendation?

• A. Always On Failover Cluster Instances
• B. active geo-replication
• C. Azure Site Recovery
• D. an auto-failover group

Answer: D

Explanation: References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auto-failover-group

NEW QUESTION 5
You need to recommend a solution to meet the database retention requirement. What should you recommend?

• A. Configure a long-term retention policy for the database.
• B. Configure Azure Site Recovery.
• C. Configure geo replication of the database.
• D. Use automatic Azure SQL Database backups.

Answer: A

NEW QUESTION 6
You plan to deploy logical Azure SQL Database servers to The East US Azure region and the Wen US Azure region. Each server will contain 20 database accessed by a different user who reads in a different on premises location. The databases will be configured to use active geo-replication.
You need to recommend a solution that meets the following requirement!;
• Restricts user access to each database
• Restricts network access to each database based on each user's respective location
• Ensures that the databases remain accessible from down applications if the local Azure region fails
What should you include in the recommendation? To answer, select the appropriate options m the answer area NOTE: Each correct selection is worth one point.

Answer:

Explanation:


Topic 3, Case Study B
Overview
Contoso,Ltd is a US-base finance service company that has a main office New York and an office in San Francisco.
Payment Processing Query System
Contoso hosts a business critical payment processing system in its New York data center. The system has three tiers a front-end web app a middle -tier API and a back end data store implemented as a Microsoft SQL Server 2014 database All servers run Windows Server 2012 R2.
The front -end and middle net components are hosted by using Microsoft Internet Inform-non Services (IK) The application rode is written in C# and middle- tier API uses the Entity framework to communicate the SQL Server database. Maintenance of the database e performed by using SQL Server Ago-
The database is currently J IB and is not expected to grow beyond 3 TB.
The payment processing system has the following compliance related requirement
• Encrypt data in transit and at test. Only the front-end and middle-tier components must be able to access the encryption keys that protect the date store.
• Keep backups of the two separate physical locations that are at last 200 miles apart and can be restored for op to seven years.
• Support blocking inbound and outbound traffic based on the source IP address, the description IP address, and the port number
• Collect Windows security logs from all the middle-tier servers and retain the log for a period of seven years,
• Inspect inbound and outbound traffic from the from-end tier by using highly available network appliances.
• Only allow all access to all the tiers from the internal network of Contoso.
Tape backups ate configured by using an on-premises deployment or Microsoft System Center Data protection Manager (DPMX and then shaped ofsite for long term storage
Historical Transaction Query System
Contoso recently migrate a business-Critical workload to Azure. The workload contains a NET web server for querying the historical transaction data residing in azure Table Storage. The NET service is accessible from a client app that was developed in-house and on the client computer in the New Your office. The data in the storage is 50 GB and is not except to increase.
Information Security Requirement
The IT security team wants to ensure that identity management n performed by using Active Directory. Password hashes must be stored on premises only.
Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger multi-factor authentication prompt automatically Legitimate users must be able to authenticate successfully by using multi-factor authentication.
Planned Changes
Contoso plans to implement the following changes:
* Migrate the payment processing system to Azure.
* Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.
Migration Requirements
Contoso identifies the following general migration requirements:
Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention
• Whenever possible. Azure managed serves must be used to management overhead
• Whenever possible, costs must be minimized.
Contoso identifies the following requirements for the payment processing system:
• If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations-
• If that the number of compute nodes of the from -end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.
• Ensure that each tier of the payment processing system is subject to a Service level Agreement (SLA) of 9959 percent availability
• Minimize the effort required to modify the middle tier API and the back-end tier of the payment processing system.
• Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.
• Insure that the payment processing system preserves its current compliance status.
• Host the middle tier of the payment processing system on a virtual machine.
Contoso identifies the following requirements for the historical transaction query system:
• Minimize the use of on-premises infrastructure service.
• Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.
• If a region fails, ensure that the historical transaction query system remains available without any administrative intervention.
Current Issue
The Contoso IT team discovers poor performance of the historical transaction query as the queries frequently cause table scans.
Information Security Requirements
The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.
Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. legitimate users must be able to authenticate successfully by using multi-factor authentication.

NEW QUESTION 7
You need to recommend a solution for the collection of security logs the middle tier of the payment processing system.
What should you include in the recommendation?

• A. Azure Notification Hubs
• B. the Azure Diagnostics agent
• C. Azure Event Hubs
• D. the Azure Log Analytics agent

Answer: D

Explanation: References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostics-extension-overview

NEW QUESTION 8
You have an on-premises Active Directory forest and an Azure Active Directory (Azure AD) tenant. All Azure AD users are assigned a Premium P1 license.
You deploy Azure AD Connect.
Which two features are available in this environment that can reduce operational overhead for your company’s help desk? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

• A. Azure AD Privileged Identity Management policies
• B. access reviews
• C. self-service password reset
• D. Microsoft Cloud App Security Conditional Access App Control
• E. password writeback

Answer: CE

NEW QUESTION 9
You need to recommend a solution for configuring the Azure Multi-Factor Authentication (MFA) settings. What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation: References:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-mfa-policy

NEW QUESTION 10
A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft Office 365 and an Azure subscription.
Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), Azure AD Connect, and Microsoft Identity Manager (MIM).
Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.
A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.
You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers.
The solution must ensure that the Fabrikam developers use their existing credentials to access resources. What should you recommend?

• A. Configure a forest trust between the on-premises Active Directory forests of Contoso and Fabrikam.
• B. Configure an organization relationship between the Office 365 tenants of Fabrikam and Contoso.
• C. In the Azure AD tenant of Contoso, enable Azure Active Directory Domain Services (Azure AD DS).Createa one-way forest trust that uses selective authentication between the Active Directory forests of Contoso and Fabrikam.
• D. In the Azure AD tenant of Contoso, create guest accounts for the Fabrikam developers.

Answer: D

Explanation: References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-users

NEW QUESTION 11
You have an Azure subscription that contains a custom application named Application was developed by an external company named fabric, Ltd. Developers at Fabrikam were assigned role-based access control (RBAV) permissions to the Application components. All users are licensed for the Microsoft 365 E5 plan.
You need to recommends a solution to verify whether the Faricak developers still require permissions to Application1. The solution must the following requirements.
* To the manager of the developers, send a monthly email message that lists the access permissions to Application1.
* If the manager does not verify access permission, automatically revoke that permission.
* Minimize development effort. What should you recommend?

• A. Create an Azure Automation runbook that the Get-AureADUSAppRoleAssigmety cmdlet.
• B. In azure Active directory (Azure AD) create an access review of application1.
• C. In Azure Active Directory (AD) privileged identity Managed, create a custom roles assignment for the Application 1 resources.
• D. Create an Azure Automation runbook that runs the get-AzureRaRolesAssigned cmdlet.

Answer: A

NEW QUESTION 12
A company named Contoso Ltd., has a single-domain Active Directory forest named contoso.com.
Contoso is preparing to migrate all workloads to Azure. Contoso wants users to use single sign-on (SSO) when they access cloud-based services that integrate with Azure Active Directory (Azure AD).
You need to identify any objects in Active Directory that will fail to synchronize to Azure AD due to formatting issues. The solution must minimize costs.
What should you include in the solution?

• A. Azure Advisor
• B. Microsoft Office 365 IdFix
• C. Azure AD Connect Health
• D. Password Export Server version 3.1 (PES v3.1) in Active Directory Migration Tool (ADMT)

Answer: B

NEW QUESTION 13
Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains a resource group named RG1.
You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.
You need to recommend a solution that meets the following requirements:
The researchers must be allowed to create Azure virtual machines.
The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.
Solution: Create an Azure DevOps Project. Configure the DevOps Project settings. Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 14
You need to recommend a solution for implementing the back-end tier of the payment processing system in Azure.
What should you include in the recommendation?

• A. an Azure SQL Database managed instance
• B. a SQL Server database on an Azure virtual machine
• C. an Azure SQL Database single database
• D. an Azure SQL Database elastic pool

Answer: C

NEW QUESTION 15
You plan to create an Azure Cosmos DB account that uses the SQL API. The account will contain data added by a web application. The web application will send data daily.
You need to recommend a notification solution that meets the following requirements:
Sends email notification when data is received from IoT devices.
Minimizes compute cost.
What should you include in the recommendation?

• A. Deploy an Azure logic app that has the Azure Cosmos DB connector configured to use a SendGrid action.
• B. Deploy a function app that is configured to use the Consumption plan and a SendGrid binding.
• C. Deploy an Azure logic app that has a SendGrid connector configured to use an Azure Cosmos DB action.
• D. Deploy a function app that is configured to use the Consumption plan and an Azure Event Hubs binding.

Answer: B

NEW QUESTION 16
You need to recommend a compute solution for the middle tier of the payment processing system. What should you include in the recommendation?

• A. Azure Kubernetes Service (AKS)
• B. virtual machine scale sets
• C. availability sets
• D. App Service Environments (ASEs)

Answer: B