Skill measure: Deploy and Configure Infrastructure
QUESTION 1
You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table.
Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template. You need to view the template used for the deployment.
From the Azure Portal, for which blade can you view the template that was used for the deployment?
- Container1 B. VM1
- Storage2 D. RG1
Correct Answer: D
Explanation
You can verify the deployment by exploring the resource group from the Azure portal
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-manager-tutorial https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
QUESTION 2
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16. Subscription2 contains a virtual network named VNet2. Vnet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24. You need to connect VNet1 to VNet2.
What should you do first?
- Modify the IP addresss pace of VNet2.
- Move VM1 to Subscription2.
- Provision virtual network gateways.
- Move VNet1 to Subscription2.
Correct Answer: C Section: (none) Explanation
Explanation
We require a virtual network gateway for VNet-to-VNet connectivity.
Incorrect Answers:
A: There is no need to modify the address space. If you update the address space for one VNet, the other VNet automatically knows to route to the updated address space.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-cli
QUESTION 3
You have an Azure Active Directory (Azure AD) tenant.
You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of the Global Administrators group authenticate to Azure AD from untrusted locations.
You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating from untrusted locations.
What should you do?
- From the Azure portal, modify session control of Policy1.
- From multi-factor authentication page, modify the user settings.
- From multi-factor authentication page, modify the service settings.
- From the Azure portal, modify grant control of Policy1.
Correct Answer: D
Explanation
We need to modify the grant control of Policy1.
The grant control can trigger enforcement of one or more controls. Require multi-factor authentication (Azure Multi-Factor Authentication) Require device to be marked as compliant (Intune)
Require Hybrid Azure AD joined device
Require approved client app
Require app protection policy
Note: It is now possible to explicitly apply the Require MFA for admins rule.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-baseline-protection
QUESTION 4
You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1. VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1. What should you do first?
- From the Azure portal, modify the Access control (IAM) settings of RG1.
- From the Azure portal, modify the Policies settings of RG1.
- From the Azure portal, modify the Access control (IAM) settings of VM1.
- From the Azure portal, modify the value of the Managed Service Identity option for VM1.
Correct Answer: D
Explanation
Through a create process, Azure creates an identity in the Azure AD tenant that’s trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
QUESTION 5
You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network.
Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.
You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single-sign on (SSO) to access Azure resources.
What should you do first?
- From on-premises network, deploy Active Directory Federation Services (ADFS).
- From AzureAD, add and verify a custom domain name.
- From on-premises network, request a new certificate that contains the Active Directory domain name.
- From the server that runs Azure AD Connect, modify the filtering options.
Correct Answer: B
Explanation
The UPN is used by Azure AD to allow users to sign-in. The UPN that a user can use, depends on whether or not the domain has been verified. If the domain has been verified, then a user with that suffix will be allowed to sign-in to Azure AD.
To do so, you need to add and verify a custom domain in Azure AD before you can start syncing the users.
Reference:
Next: Sample Exam Questions 2: AZ-300: Microsoft Azure Architect Technologies