Case study Overview

Humongous Insurance is an insurance company that has three offices in Miami, Tokyo and Bangkok. Each office has 5,000 users. Existing Environment Active Directory Environment Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com. The functional level of the forest is Windows Server 2012. You recently provisioned an Azure Active Directory (Azure AD) tenant. Network Infrastructure Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet. Each office has several link load balancers that provide access to the servers. Active Directory Issue Several users in humongousinsurance.com have UPNs that contain special characters. You suspect that some of the characters are unsupported in Azure AD. Licensing Issue You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License assignment failed for one user." You verify that the Azure subscription has the available licenses. Requirements Planned Changes Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure. Planned Azure AD Infrastructure The on-premises Active Directory domain will be synchronized to Azure AD. All client computers in the Paris office will be joined to an Azure AD domain. Planned Azure Networking Infrastructure You plan to create the following networking resources in a resource group named All_Resources: Default Azure system routes that will be the only routes used to route traffic A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2 A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4 You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings. You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network. Planned Azure Computer Infrastructure Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux. Department Requirements Humongous Insurance identifies the following requirements for the company's departments: Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups. During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week. Authentication Requirements Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure. Deploy and manage virtual machines (VMs)

Question Set 1

QUESTION 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json. You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately. Solution: From the Overview blade, you move the virtual machine to a different subscription. Does this meet the goal? A. Yes B. No Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: You would need to redeploy the VM. References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new- node

QUESTION 2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json. You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately. Solution: From the Redeploy blade, you click Redeploy. Does this meet the goal? A. Yes B. No Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your configuration options and associated resources. References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new- node

QUESTION 3

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json. You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately. Solution: From the Update management blade, you click Enable. Does this meet the goal? A. Yes B. No Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: You would need to redeploy the VM. References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new- node

QUESTION 4

You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines. You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text. What should you create to store the password? A. an Azure Key Vault and an access policy B. a Recovery Services vault and a backup policy C. Azure Active Directory (AD) Identity Protection and an Azure policy D. an Azure Storage account and an access policy Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore, the password is never put in plain text in the template parameter file. References: https://azure.microsoft.com/en-us/resources/templates/101-vm-secure- password/

QUESTION 5

You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image. You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Modify the section of the Azure Resource Manager template. B. Create an automation account. C. Upload a configuration script. D. Create a new virtual machine scale set in the Azure portal. E. Create an Azure policy. Correct Answer: AD Section: (none) Explanation Explanation/Reference: Explanation: Virtual Machine Scale Sets can be used with the Azure Desired State Configuration (DSC) extension handler. Virtual machine scale sets provide a way to deploy and manage large numbers of virtual machines, and can elastically scale in and out in response to load. DSC is used to configure the VMs as they come online so they are running the production software. References: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine- scale-sets-dsc

QUESTION 6

You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size. You plan to make the following changes to VM1: Change the size to D8s v3. Add a 500-GB managed disk. Add the Puppet Agent extension. Attach an additional network interface. Which change will cause downtime for VM1? A. Add the Puppet Agent extension. B. Change the size to D8s v3. C. Add a 500-GB managed disk. D. Attach an additional network interface. Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: While resizing the VM it must be in a stopped state. References: https://azure.microsoft.com/en-us/blog/resize-virtual- machines/ QUESTION 7 You have an Azure virtual machine named VM1 that you use for testing. VM1 is protected by Azure Backup. You delete VM1. You need to remove the backup data stored for VM1. What should you do first? A. Delete the Recovery Services vault. B. Delete the storage account. C. Stop the backup D. Modify the backup policy. Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Azure Backup provides backup for virtual machines created through both the classic deployment model and the Azure Resource Manager deployment model
by using custom-defined backup policies in a Recovery Services vault. With the release of backup policy management, customers can manage backup policies and model them to meet their changing requirements from a single window. Customers can edit a policy, associate more virtual machines to a policy, and delete unnecessary policies to meet their compliance requirements. Incorrect Answers: B: You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to receive backup data. References: https://azure.microsoft.com/en-in/updates/azure-vm-backup-policy- management/ QUESTION 8 You have an Azure subscription named Subscription1. You deploy a Linux virtual machine named VM1 to Subscription1. You need to monitor the metrics and the logs of VM1. What should you use? A. the AzurePerformanceDiagnostics extension B. Azure HDInsight C. Linux Diagnostic Extension (LAD) 3.0 D. Azure Analysis Services Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: You can use extensions to configure diagnostics on your VMs to collect additional metric data. The basic host metrics are available, but to see more granular and VM-specific metrics, you need to install the Azure diagnostics extension on the VM. The Azure diagnostics extension allows additional monitoring and diagnostics data to be retrieved from the VM. References: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial- monitoring QUESTION 9 You have an Azure subscription that contains 100 virtual machines. You regularly create and delete virtual machines. You need to identify unattached disks that can be deleted. What should you do? A. From Microsoft Azure Storage Explorer, view the Account Management properties. B. From the Azure portal, configure the Advisor recommendations. C. From Azure Cost Management, view Advisor Recommendations. D. From Azure Cost Management, view Cost Analysis. Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation:
You can find unused disks in the Azure Storage Explorer console.Once you drill down to the Blob containers under a storage account, you can see the lease state of the residing VHD (the lease state determines if the VHD is being used by any resource) and the VM to which it is leased out. If you find that the lease state and the VM fields are blank, it means that the VHD in question is unused. The screenshot below shows two active VHDs being used by VMs as data and OS disks. The name of the VM and lease state are shown in the "VM Name" and "Lease State" columns, respectively. Reference: https://cloud.netapp.com/blog/reduce-azure-storage-costs QUESTION 10 You have an Azure virtual machine named VM1. Azure collects events from VM1. You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1. You need to specify which resource type to monitor. What should you specify? A. metric alert B. Azure Log Analytics workspace C. virtual machine D. virtual machine extension Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation:
Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for detailed analysis and correlation. Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs. Incorrect Answers: B: Azure Log Analytics workspace is used for on-premises computers monitored by System Center Operations Manager. Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm QUESTION 11 You plan to back up an Azure virtual machine named VM1. You discover that the Backup Pre-Check status displays a status of Warning. What is a possible cause of the Warning status? A. VM1 is stopped. B. VM1 does not have the latest version of WaAppAgent.exe installed. C. VM1 has an unmanaged disk. D. A Recovery Services vault is unavailable. Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: ded steps to ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this class of issues. References: https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre- checks/ QUESTION 12 You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table.

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template. You need to view the template used for the deployment. From which blade can you view the template that was used for the deployment? A. Container1 B. RG1 C. VM1 D. Storage2 Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: View template from deployment history

Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link.
You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.
The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that you provided for parameters. To see the template that you used for the deployment, select View template.

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export- template

QUESTION 13

VM1 connects to VNET1. You need to connect VM1 to VNET2. Solution: You create a new network interface, and then you add the network interface to VM1. Does this meet the goal? A. Yes B. No Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation:
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1. Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet. References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network- overview

QUESTION 14

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. Solution: From Azure Monitor, you create a metric on Network In and Network Out. Does this meet the goal? A. Yes B. No Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Use the Connection Monitor feature of Azure Network Watcher. References: https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public- regions/

QUESTION 15

VM1 connects to VNET1. You need to connect VM1 to VNET2. Solution: You move the VM1 to RG2, and then you add a new network interface to VM1. Does this meet the goal? A. Yes B. No Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: You cannot move a VM. Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1. Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet. References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network- overview

QUESTION 16

This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

VM1 connects to a virtual network named VNET2 by using a network interface named NIC1. You need to create a new network interface named NIC2 for VM1. Solution: You create NIC2 in RG1 and Central US. Does this meet the goal? A. Yes B. No Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation:
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US, also referred to as a region. References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

QUESTION 17

VM1 connects to a virtual network named VNET2 by using a network interface named NIC1. You need to create a new network interface named NIC2 for VM1. Solution: You create NIC2 in RG2 and Central US. Does this meet the goal? A. Yes B. No Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation:
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US, also referred to as a region. References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

QUESTION 18

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

You create virtual machines in Subscription1 as shown in the following table.

You plan to use Vault1 for the backup of as many virtual machines as possible. Which virtual machines can be backed up to Vault1? A. VM1, VM3, VMA, and VMC only B. VM1 and VM3 only C. VM1, VM2, VM3, VMA, VMB, and VMC D. VM1 only E. VM3 and VMC only Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation:
To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in several regions, create a Recovery Services vault in each region. References: https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs- vault

QUESTION 19

You have an azure subscription named Subscription1 that has the following providers registered: Authorization Automation Resources
Compute KeyVault Network Storage Billing Web Subscription1 contains an Azure virtual machine named VM1 that has the following configurations: Private IP address: 10.0.0.4 (dynamic) Network security group (NSG): NSG1 Public IP address: None Availability set: AVSet Subnet: 10.0.0.0/24 Managed disks: No
Location: East US You need to record all the successful and failed connection attempts to VM1. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Create an Azure Storage account. B. Register the Microsoft.Insights resource provider. C. Add an Azure Network Watcher connection monitor. D. Enable Azure Network Watcher in the East US Azure region. E. Enable Azure Network Watcher flow logs. F. Register the Microsoft.LogAnalytics provider. Correct Answer: ABD Section: (none) Explanation Explanation/Reference: Explanation:
A: NSG flow log data is written to an Azure Storage account. You need to create an Azure Storage account, With an Azure Storage account NSG flow logs can be enabled. D: Enable network watcher in the East US region. B: NSG flow logging requires the Microsoft.Insights provider. References: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow- logging-portal

QUESTION 20

You have an Azure virtual machine named VM1. You use Azure Backup to create a backup of VM1 named Backup1. After creating Backup1, you perform the following changes to VM1: Modify the size of VM1. Copy a file named Budget.xls to a folder named Data. Reset the password for the built-in administrator account.
Add a data disk to VM1. An administrator uses the Replace existing option to restore VM1 from Backup1. You need to ensure that all the changes to VM1 are restored. Which change should you perform again? A. Modify the size of VM1. B. Add a data disk. C. Reset the password for the built-in administrator account. D. Copy Budget.xls to Data. Correct Answer: D Section: (none) Explanation Explanation/Reference: References: https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#replace-existing- disks

QUESTION 21

You have an Azure subscription that contains the resources shown in the following table.

You need to create a network interface named NIC1. In which location can you create NIC1? A. East US and North Europe only. B. East US and West Europe only. C. East US, West Europe, and North Europe. D. East US only. Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation:
A virtual network is required when you create a NIC. Select the virtual network for the network interface. You can only assign a network interface to a virtual network that exists in the same subscription and location as the network interface. Once a network interface is created, you cannot change the virtual network it is assigned to. The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface. References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network- interface

QUESTION 22

VM1 connects to a virtual network named VNET2 by using a network interface named NIC1. You need to create a new network interface named NIC2 for VM1. Solution: You create NIC2 in RG1 and West US. Does this meet the goal? A. Yes B. No Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation:
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US, also referred to as a region. References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network- interface