AZ-303 Exam - Microsoft Azure Architect Technologies (beta)

NEW QUESTION 1

You have two Azure SQL Database managed instances in different Azure regions. You plan to configure the managed instances in an instance failover group.
What should you configure before you can add the managed instances to the instance failover group?

• A. Azure Private Link that has endpoints on two virtual networks
• B. an internal Azure Load Balancer instance that has managed instance endpoints in a backend pool
• C. an Azure Application Gateway that has managed instance endpoints in a backend pool
• D. a Site-to-Site VPN between the virtual networks that contain the instances

Answer: D

Explanation:
For two managed instances to participate in a failover group, there must be either ExpressRoute or a gateway configured between the virtual networks of the two managed instances to allow network communication.
You create the two VPN gateways and connect them.
Create a bidirectional connection between the two gateways of the two virtual networks.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/failover-group-add-instance-tutorial?tabs=az

NEW QUESTION 2

You have an Azure subscription.
You plan to deploy an app that has a web front end and an application tier.
You need to recommend a load balancing solution that meets the following requirements:
Internet to web tier:
- Provides URL-based routing
- Supports connection draining
- Prevents SQL injection attacks
Web tier to application tier:
- Provides port forwarding
- Supports HTTPS health probes
- Supports an availability set as a backend pool
Which load balancing solution should you recommend for each tier? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: An Azure Application Gateway that has a web application firewall (WAF)
Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.
Application Gateway operates as an application delivery controller (ADC). It offers Secure Sockets Layer (SSL) termination, cookie-based session affinity, round-robin load distribution, content-based routing, ability to host multiple websites, and security enhancements.
Box 2: An internal Azure Standard Load Balancer
The internet to web tier is the public interface, while the web tier to application tier should be internal. Note: When using load-balancing rules with Azure Load Balancer, you need to specify a health probes to
allow Load Balancer to detect the backend endpoint status.
Health probes support the TCP, HTTP, HTTPS protocols. References:
https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview

NEW QUESTION 3

You have SQL Server on an Azure virtual machine named SQL1.
You need to automate the backup of the databases on SQL1 by using Automated Backup v2 for the virtual machines. The backups must meet the following requirements:
• Meet a recovery point objective (RPO) of 15 minutes.
• Retain the backups for 30 days.
• Encrypt the backups at rest.
What should you provision as part of the backup solution?

• A. Azure Key Vault
• B. an Azure Storage account
• C. a Recovery Services vault
• D. Elastic Database jobs

Answer: B

Explanation:
An Azure storage account is used for storing Automated Backup files in blob storage. A container is created at this location to store all backup files. The backup file naming convention includes the date, time, and database GUID.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/automated-backup

NEW QUESTION 4

You have an Azure Active Directory (Azure AD) tenant that contains the user groups shown in the following table.

You enable self-service password reset (SSPR) for Group1.
You configure the Notifications settings as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: Yes
Notify all admins when other admins reset their passwords: Yes. Box 2: No
Notify users on password resets: No. Box 3: No
Notify users on password resets
If this option is set to Yes, then users resetting their password receive an email notifying them that their password has been changed. The email is sent via the SSPR portal to their primary and alternate email addresses that are on file in Azure AD. No one else is notified of the reset event.
Notify all admins when other admins reset their passwords
If this option is set to Yes, then all administrators receive an email to their primary email address on file in Azure AD. The email notifies them that another administrator has changed their password by using SSPR.
Example: There are four administrators in an environment. Administrator A resets their password by using SSPR. Administrators B, C, and D receive an email alerting them of the password reset.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr

NEW QUESTION 5

Your network contains an on-premises Active Directory domain named contoso.com that contains a member server named Server1.
You have the accounts shown in the following table.

You are installing Azure AD Connect on Server1.
You need to specify the account for Azure AD Connect synchronization.
The solution must use the principle of least privilege.
Which account should you specify?

• A. CONTOSOUser2
• B. SERVER1User4
• C. CONTOSOUser1
• D. CONTOSOUser3

Answer: A

Explanation:
The default Domain User permissions are sufficient Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

NEW QUESTION 6

You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings to the answer area. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies

NEW QUESTION 7

Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more
than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles. You need to ensure that the Admin1 can create access reviews in contoso.com.
Solution: You purchase an Azure Directory Premium P2 license for contoso.com. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

NEW QUESTION 8

You have an on-premises virtual machine named VM1 configured as shown in the following exhibit.

VM is started.
You need to create a new virtual machine image in Azure from VM1.
Which three actions should you perform before you create the new image? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Remove the Backup (volume shadow copy) integration service
• B. Generalize VM1
• C. Run Add-AzureRmVhd and specify a blob service container as the destination
• D. Run Add-AzureRmVhd and specify a file share as the destination
• E. Reduce the amount of memory to 16 GB
• F. Convert the disk type to VHD

Answer: BCF

NEW QUESTION 9

You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit. The subscription contains the Azure SQL databases shown in the following table.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1:
The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher. The initial instance count is 4 and rises to 6 when the 2 extra instances of VMs are added.
Box 2:
The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower. The initial instance count is 4 and thus cannot be reduced to 0 as the minimum instances is set to 2. Instances are only added when the CPU threshold reaches 80%.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-best-practices https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-common-scale-patterns

NEW QUESTION 10

Your company has an Azure subscription.
You enable multi-factor authentication (MFA) for all users.
The company’s help desk reports an increase in calls from users who receive MFA requests while they work from the company’s main office.
You need to prevent the users from receiving MFA requests when they sign in from the main office. What should you do?

• A. From Azure Active Directory (Azure AD), configure organizational relationships.
• B. From the MFA service settings, create a trusted IP range.
• C. From Conditional access in Azure Active Directory (Azure AD), create a custom control.
• D. From Conditional access in Azure Active Directory (Azure AD), create a named location.

Answer: B

Explanation:
The first thing you may want to do, before enabling Multi-Factor Authentication for any users, is to consider configuring some of the available settings. One of the most important features is a trusted IPs list. This will allow you to whitelist a range of IPs for your network. This way, when users are in the office, they will not get prompted with MFA, and when they take their devices elsewhere, they will. Here’s how to do it:
Log in to your Azure Portal.
Navigate to Azure AD > Conditional Access > Named locations. From the top toolbar select Configure MFA trusted IPs. References:
https://www.kraftkennedy.com/implementing-azure-multi-factor-authentication/

NEW QUESTION 11

You have Azure virtual machines deployed to three Azure regions. Each region contains a single virtual network that has four virtual machines on the same subnet. Each virtual machine runs an application named App1. App1 is accessible by using HTTPS. Currently, the virtual machines are inaccessible from the internet.
You need to use Azure Front Door to load balance requests for App1 across all the virtual machines. Which additional Azure service should you provision?

• A. a public Azure Load Balancer
• B. Azure Traffic Manager
• C. an internal Azure Load Balancer
• D. Azure Private Link

Answer: A

NEW QUESTION 12

You network contains an Active Directory domain named adatum.com and an Azure Active Directory (Azure AD) tenant named adatum.onmicrosoft.com.
Adatum.com contains the user accounts in the following table.

Adatum.onmicrosoft.com contains the user accounts in the following table.

You need to implement Azure AD Connect. The solution must follow the principle of least privilege. Which user accounts should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: User5
In Express settings, the installation wizard asks for the following: AD DS Enterprise Administrator credentials
Azure AD Global Administrator credentials
The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These credentials are only used during the installation and are not used after the installation has completed. The Enterprise Admin, not the Domain Admin should make sure the permissions in Active Directory can be set in all domains. Box 2: UserA
Azure AD Global Admin credentials are only used during the installation and are not used after the installation has completed. It is used to create the Azure AD Connector account used for synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissio

NEW QUESTION 13

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company is deploying an on-premises application named Appl. Users will access App1 by using a URL of https://app1.contoso.com. You register App1 in Azure Active Directory (Azure AD) and publish Appl by using the Azure AD Application Proxy. You need to ensure that Appl appears in the My Apps portal for all the users.
Solution: You create an offer for App1 and publish the offer to Azure Marketplace.

• A. Yes
• B. No

Answer: A

NEW QUESTION 14

Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more
than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles. You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You create an access package. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
You do not use access packages for Identity Governance. Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview

NEW QUESTION 15

Your company has the groups shown in the following table.

The company has an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com.
An administrator named Admin1 attempts to enable Enterprise State Roaming for all the users in the Managers group.
Admin1 reports that the options for Enterprise State Roaming are unavailable from Azure AD. You verify that Admin1 is assigned the Global administrator role.
You need to ensure that Admin1 can enable Enterprise State Roaming. What should you do?

• A. Enforce Azure Multi-Factor Authentication (MFA) for Admin1.
• B. Purchase an Azure AD Premium P1 license for each user in the Managers group.
• C. Assign an Azure AD Privileged Identity Management (PIM) role to Admin1.
• D. Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group.

Answer: B

Explanation:
Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility
+ Security (EMS) license.
References:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/devices/enterprise-state-roaming-enable

NEW QUESTION 16

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Create a VPN gateway that uses the VpnGw1 SKU.
• B. Create a connection.
• C. Create a local site VPN gateway.
• D. Create a gateway subnet.
• E. Create a VPN gateway that uses the Basic SKU.

Answer: ABC

Explanation:
References:
https://docs.microsoft.com/en-za/archive/blogs/canitpro/step-by-step-configuring-a-site-to-site-vpn-gateway-bet

NEW QUESTION 17

You have an Azure Resource Manager template named Template1 in the library as shown in the following
exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax

NEW QUESTION 18

You have an Azure Active Directory (Azure AD) tenant linked to an Azure subscription. The tenant contains a group named Admins.
You need to prevent users, except for the members of Admins, from using the Azure portal and Azure PowerShell to access the subscription.
What should you do?

• A. From Azure AD, configure the User settings.
• B. From the Azure subscription, assign an Azure policy.
• C. From Azure AD, create a conditional access policy.
• D. From the Azure subscription, configure Access control (IAM).

Answer: D

NEW QUESTION 19

You have a web server app named App1 that is hosted in three Azure regions. You plan to use Azure Traffic Manager to distribute traffic optimally for App1.
You need to enable Real User Measurements to monitor the network latency data for App1. What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: Select Generate key
You can configure your web pages to send Real User Measurements to Traffic Manager by obtaining a Real User Measurements (RUM) key and embedding the generated code to web page.
Obtain a Real User Measurements key
The measurements you take and send to Traffic Manager from your client application are identified by the service using a unique string, called the Real User Measurements (RUM) Key. You can get a RUM key using the Azure portal, a REST API, or by using the PowerShell or Azure CLI.
To obtain the RUM Key using Azure portal:
From a browser, sign in to the Azure portal. If you don’t already have an account, you can sign up for a free one-month trial.
In the portal’s search bar, search for the Traffic Manager profile name that you want to modify, and then click the Traffic Manager profile in the results that the displayed.
In the Traffic Manager profile blade, click Real User Measurements under Settings.
Click Generate Key to create a new RUM Key.
Box 2: Embed the Traffic Manager JavaScript code snippet. Embed the code to an HTML web page
After you have obtained the RUM key, the next step is to embed this copied JavaScript into an HTML page that your end users visit.
This example shows how to update an HTML page to add this script. You can use this guidance to adapt it to your HTML source management workflow.
Open the HTML page in a text editor
Paste the JavaScript code you had copied in the earlier step to the BODY section of the HTML (the copied code is on line 8 & 9, see figure 3).

Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-create-rum-web-pages

NEW QUESTION 20

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it As a result, these questions will not appear in the review screen.
You have an Azure Active Directory {Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin 1 discovers that all the other Identity Governance settings are available.
Admin1 is assigned The User administrator. Compliance administrator, and Security administrator roles. You need to ensure that Admin1 can create access reviews in contoso.com. .
Solution: You assign the Global administrator role to Admin1. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

NEW QUESTION 21

You are developing an Azure Web App. You configure TLS mutual authentication for the web app.
You need to validate the client certificate in the web app. To answer, select the appropriate options in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 22

You are planning the move of App1 to Azure. You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1. What should you recommend?

• A. Create an outgoing security rule for port 443 from the Interne
• B. Associate the NSG to all the subnets.
• C. Create an incoming security rule for port 443 from the Interne
• D. Associate the NSG to all the subnets.
• E. Create an incoming security rule for port 443 from the Interne
• F. Associate the NSG to the subnet that contains the web servers.
• G. Create an outgoing security rule for port 443 from the Interne
• H. Associate the NSG to the subnet that contains the web servers.

Answer: C

Explanation:
As App1 is public-facing we need an incoming security rule, related to the access of the web servers. Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

NEW QUESTION 23
......