Updated 2022 Microsoft AZ 305 Dumps Questions V10.02 Read AZ 305 Free Dumps Online PDF

AZ-305

Uploaded by haidarscjp

MICROSOFT
AZ-305

Designing Microsoft Azure Infrastructure Solutions
1. Topic 1, Litware, Inc.

Case Study
This is a case study. Case studies are not timed separately. You can use as much
exam time as you would like to complete each case. However, there may be
additional case studies and sections on this exam. You must manage your time to
ensure that you are able to complete all questions included on this exam in the time
provided.

To answer the questions included in a case study, you will need to reference
information that is provided in the case study. Case studies might contain exhibits and
other resources that provide more information about the scenario that is described in
the case study. Each question is independent of the other questions in this case
study.

At the end of this case study, a review screen will appear. This screen allows you to
review your answers and to make changes before you move to the next section of the
exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons
in the left pane to explore the content of the case study before you answer the
questions. Clicking these buttons displays information such as business
requirements, existing environment, and problem statements. If the case study has an
All Information tab, note that the information displayed is identical to the information
displayed on the subsequent tabs. When you are ready to answer a question, click
the Question button to return to the question.

Overview. General Overview


Litware, Inc. is a medium-sized finance company.

Overview. Physical Locations

Litware has a main office in Boston.

Existing Environment. Identity Environment


The network contains an Active Directory forest named Litware.com that is linked to
an Azure Active Directory (Azure AD) tenant named Litware.com. All users have
Azure Active Directory Premium P2 licenses.

Litware has a second Azure AD tenant named dev.Litware.com that is used as a
development environment.

The Litware.com tenant has a conditional access policy named capolicy1. Capolicy1
requires that when users manage the Azure subscription for a production environment
by using the Azure portal, they must connect from a hybrid Azure AD-joined device.

Existing Environment. Azure Environment


Litware has 10 Azure subscriptions that are linked to the Litware.com tenant and five
Azure subscriptions that are linked to the dev.Litware.com tenant. All the
subscriptions are in an Enterprise Agreement (EA).

The Litware.com tenant contains a custom Azure role-based access control (Azure
RBAC) role named Role1 that grants the DataActions read permission to the blobs
and files in Azure Storage.

Existing Environment. On-premises Environment

The on-premises network of Litware contains the resources shown in the following
table.

Existing Environment. Network Environment


Litware has ExpressRoute connectivity to Azure.

Planned Changes and Requirements. Planned Changes

Litware plans to implement the following changes:


✑ Migrate DB1 and DB2 to Azure.
✑ Migrate App1 to Azure virtual machines.
✑ Deploy the Azure virtual machines that will host App1 to Azure dedicated hosts.

Planned Changes and Requirements. Authentication and Authorization Requirements

Litware identifies the following authentication and authorization requirements:


✑ Users that manage the production environment by using the Azure portal must
connect from a hybrid Azure AD-joined device and authenticate by using Azure Multi-
Factor Authentication (MFA).
✑ The Network Contributor built-in RBAC role must be used to grant permission to all
the virtual networks in all the Azure subscriptions.
✑ To access the resources in Azure, App1 must use the managed identity of the
virtual machines that will host the app.
✑ Role1 must be used to assign permissions to the storage accounts of all the Azure
subscriptions.
✑ RBAC roles must be applied at the highest level possible.

Planned Changes and Requirements. Resiliency Requirements


Litware identifies the following resiliency requirements:
✑ Once migrated to Azure, DB1 and DB2 must meet the following requirements:
- Maintain availability if two availability zones in the local Azure region fail.
- Fail over automatically.
- Minimize I/O latency.
✑ App1 must meet the following requirements:
- Be hosted in an Azure region that supports availability zones.
- Be hosted on Azure virtual machines that support automatic scaling.
- Maintain availability if two availability zones in the local Azure region fail.

Planned Changes and Requirements. Security and Compliance Requirements


Litware identifies the following security and compliance requirements:

✑ Once App1 is migrated to Azure, you must ensure that new data can be written to
the app, and the modification of new and existing data is prevented for a period of
three years.
✑ On-premises users and services must be able to access the Azure Storage account
that will host the data in App1.
✑ Access to the public endpoint of the Azure Storage account that will host the App1
data must be prevented.
✑ All Azure SQL databases in the production environment must have Transparent
Data Encryption (TDE) enabled.
✑ App1 must not share physical hardware with other workloads.

Planned Changes and Requirements. Business Requirements


Litware identifies the following business requirements:
✑ Minimize administrative effort.
✑ Minimize costs.

HOTSPOT
You need to ensure that users managing the production environment are registered
for Azure MFA and must authenticate by using Azure MFA when they sign in to the
Azure portal. The solution must meet the authentication and authorization
requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Azure AD Identity Protection
Azure AD Identity Protection helps you manage the roll-out of Azure AD Multi-Factor
Authentication (MFA) registration by configuring a Conditional Access policy to
require MFA registration no matter what modern authentication app you are signing in
to.
Scenario: Users that manage the production environment by using the Azure portal
must connect from a hybrid Azure AD-joined device and authenticate by using Azure
Multi-Factor Authentication (MFA).
Box 2: Sign-in risk policy...
Scenario: The Litware.com tenant has a conditional access policy named capolicy1.
Capolicy1 requires that when users manage the Azure subscription for a production
environment by using the Azure portal, they must connect from a hybrid Azure AD-
joined device.
Identity Protection has two risk policies that we can enable in our
directory:
✑ Sign-in risk policy
✑ User risk policy
2. HOTSPOT
How should the migrated databases DB1 and DB2 be implemented in Azure?

Answer:

Explanation:
Box 1: SQL Managed Instance
Scenario: Once migrated to Azure, DB1 and DB2 must meet the following
requirements:
✑ Maintain availability if two availability zones in the local Azure region fail.
✑ Fail over automatically.
✑ Minimize I/O latency.
The auto-failover groups feature allows you to manage the replication and failover of
a group of databases on a server or all databases in a managed instance to another
region. It is a declarative abstraction on top of the existing active geo-replication
feature, designed to simplify deployment and management of geo-replicated databases
at scale. You can initiate a geo-failover manually or you can delegate it to the Azure
service based on a user-defined policy. The latter option allows you to automatically
recover multiple related databases in a secondary region after a catastrophic failure
or other unplanned event that results in full or partial loss of the SQL Database or
SQL Managed Instance availability in the primary region.
Box 2: Business critical
SQL Managed Instance is available in two service tiers:
General purpose: Designed for applications with typical performance and I/O latency
requirements.
Business critical: Designed for applications with low I/O latency requirements and
minimal impact of underlying maintenance operations on the workload.

3. You migrate App1 to Azure. You need to ensure that the data storage for App1
meets the security and compliance requirement
What should you do?
A. Create an access policy for the blob
B. Modify the access level of the blob service.
C. Implement Azure resource locks.
D. Create Azure RBAC assignments.
Answer: A
Explanation:
Scenario: Once App1 is migrated to Azure, you must ensure that new data can be
written to the app, and the modification of new and existing data is prevented for a
period of three years.
As an administrator, you can lock a subscription, resource group, or resource to
prevent other users in your organization from accidentally deleting or modifying critical
resources. The lock overrides any permissions the user might have.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

4. HOTSPOT
You plan to migrate App1 to Azure.
You need to recommend a high-availability solution for App1. The solution must meet
the resiliency requirements.
What should you include in the recommendation? To answer, select the appropriate
options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: 3
Scenario: App1 must meet the following requirements:
✑ Be hosted in an Azure region that supports availability zones.
✑ Maintain availability if two availability zones in the local Azure region fail.
A host group is a resource that represents a collection of dedicated hosts. You create
a host group in a region and an availability zone, and add hosts to it.
Use Availability Zones for fault isolation
Availability zones are unique physical locations within an Azure region. Each zone is
made up of one or more datacenters equipped with independent power, cooling, and
networking. A host group is created in a single availability zone. Once created, all
hosts will be placed within that zone. To achieve high availability across zones, you
need to create multiple host groups (one per zone) and spread your hosts
accordingly.
Box 2: 1
Scenario: App1 must meet the following requirements:
✑ Be hosted on Azure virtual machines that support automatic scaling.
An Azure virtual machine scale set can automatically increase or decrease the
number of VM instances that run your application. This automated and elastic
behavior reduces the management overhead to monitor and optimize the
performance of your application.

5. DRAG DROP
You need to configure an Azure policy to ensure that the Azure SQL databases have
TDE enabled. The solution must meet the security and compliance requirements.
Which three actions should you perform in sequence? To answer, move the
appropriate actions from the list of actions to the answer area and arrange them in the
correct order.

Answer:

Explanation:
Scenario: All Azure SQL databases in the production environment must have
Transparent Data Encryption (TDE) enabled.
Step 1: Create an Azure policy definition that uses the deployIfNotExists identity.
The first step is to define the roles that deployIfNotExists and modify need in the
policy definition to successfully deploy the content of your included template.
Step 2: Create an Azure policy assignment
When creating an assignment using the portal, Azure Policy both generates the
managed identity and grants it the roles defined in roleDefinitionIds.
Step 3: Invoke a remediation task
Resources that are non-compliant to a deployIfNotExists or modify policy can be put
into a compliant state through Remediation. Remediation is accomplished by
instructing Azure Policy to run the deployIfNotExists effect or the modify operations of
the assigned policy on your existing resources and subscriptions, whether that
assignment is to a management group, a subscription, a resource group, or an
individual resource.
During evaluation, the policy assignment with deployIfNotExists or modify effects
determines if there are non-compliant resources or subscriptions. When
non-compliant resources or subscriptions are found, the details are provided on the
Remediation page.

6. HOTSPOT
You plan to migrate DB1 and DB2 to Azure.
You need to ensure that the Azure database and the service tier meet the resiliency
and business requirements.
What should you configure? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.

Answer:

7. HOTSPOT
You plan to migrate App1 to Azure.
You need to estimate the compute costs for App1 in Azure. The solution must meet
the security and compliance requirements.
What should you use to estimate the costs, and what should you implement to
minimize the costs? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:
Explanation:
Box 1: The Azure Total Cost of Ownership (TCO) Calculator
The Total Cost of Ownership (TCO) Calculator estimates the cost savings you can
realize by migrating your workloads to Azure.
Note: The TCO Calculator recommends a set of equivalent services in Azure that will
support your applications. Our analysis will show each cost area with an estimate of
your on-premises spend versus your spend in Azure. There are several cost
categories that either decrease or go away completely when you move workloads to
the cloud.
Box 2: Azure Hybrid Benefit
Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the
costs of running your workloads in the cloud. It works by letting you use your
on-premises Software Assurance-enabled Windows Server and SQL Server licenses on
Azure. And now, this benefit applies to RedHat and SUSE Linux subscriptions, too.
Scenario:
Litware identifies the following security and compliance requirements:
✑ Once App1 is migrated to Azure, you must ensure that new data can be written to
the app, and the modification of new and existing data is prevented for a period of
three years.
✑ On-premises users and services must be able to access the Azure Storage account
that will host the data in App1.
✑ Access to the public endpoint of the Azure Storage account that will host the App1
data must be prevented.
✑ All Azure SQL databases in the production environment must have Transparent
Data Encryption (TDE) enabled.
✑ App1 must not share physical hardware with other workloads.

8. You plan to migrate App1 to Azure.
You need to recommend a network connectivity solution for the Azure Storage
account that will host the App1 data. The solution must meet the security and
compliance requirements.
What should you include in the recommendation?
A. a private endpoint
B. a service endpoint that has a service endpoint policy
C. Azure public peering for an ExpressRoute circuit
D. Microsoft peering for an ExpressRoute circuit
Answer: A
Explanation:
Private endpoints let you securely connect to storage accounts from on-premises networks
that connect to the VNet using VPN or ExpressRoutes with private-peering.
Private endpoints also let you secure your storage account by configuring the storage firewall
to block all connections on the public endpoint for the storage service.
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-faqs#microsoft-peering

9. You need to implement the Azure RBAC role assignments for the Network
Contributor role.
The solution must meet the authentication and authorization requirements.
What is the minimum number of assignments that you must use?
A. 1
B. 2
C. 5
D. 10
E. 15
Answer: A
Explanation:
Scenario: The Network Contributor built-in RBAC role must be used to grant
permissions to the network administrators for all the virtual networks in all the Azure
subscriptions. RBAC roles must be applied at the highest level possible.

10. HOTSPOT
You plan to migrate App1 to Azure.
You need to recommend a storage solution for App1 that meets the security and
compliance requirements.
Which type of storage should you recommend, and how should you recommend
configuring the storage? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Standard general-purpose v2
Standard general-purpose v2 supports Blob Storage.
Azure Storage provides data protection for Blob Storage and Azure Data Lake
Storage Gen2.
Scenario:
Litware identifies the following security and compliance requirements:
✑ Once App1 is migrated to Azure, you must ensure that new data can be written to
the app, and the modification of new and existing data is prevented for a period of
three years.
✑ On-premises users and services must be able to access the Azure Storage account
that will host the data in App1.
✑ Access to the public endpoint of the Azure Storage account that will host the App1
data must be prevented.
✑ All Azure SQL databases in the production environment must have Transparent
Data Encryption (TDE) enabled.
✑ App1 must NOT share physical hardware with other workloads.

Box 2: NFSv3
Scenario: Plan: Migrate App1 to Azure virtual machines.
Blob storage now supports the Network File System (NFS) 3.0 protocol. This support
provides Linux file system compatibility at object storage scale and prices and
enables Linux clients to mount a container in Blob storage from an Azure Virtual
Machine (VM) or a computer on-premises.

11. You plan to migrate App1 to Azure. The solution must meet the authentication and
authorization requirements.
Which type of endpoint should App1 use to obtain an access token?
A. Azure Instance Metadata Service (IMDS)
B. Azure AD
C. Azure Service Management
D. Microsoft identity platform
Answer: D
Explanation:
Scenario: To access the resources in Azure, App1 must use the managed identity of
the virtual machines that will host the app.
Managed identities provide an identity for applications to use when connecting to
resources that support Azure Active Directory (Azure AD) authentication. Applications
may use the managed identity to obtain Azure AD tokens.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

12. Topic 2, Fabrikam, Inc. Case Study A

Overview:
Existing Environment
Fabrikam, Inc. is an engineering company that has offices throughout Europe. The
company has a main office in London and three branch offices in Amsterdam, Berlin,
and Rome.

Active Directory Environment:

The network contains two Active Directory forests named corp.fabrikam.com and
rd.fabrikam.com. There are no trust relationships between the forests.
Corp.fabrikam.com is a production forest that contains identities used for internal user
and computer authentication. Rd.fabrikam.com is used by the research and
development (R&D) department only. The R&D department is restricted to using on-
premises resources only.

Network Infrastructure:

Each office contains at least one domain controller from the corp.fabrikam.com
domain.
The main office contains all the domain controllers for the rd.fabrikam.com forest.
All the offices have a high-speed connection to the Internet.
An existing application named WebApp1 is hosted in the data center of the London
office. WebApp1 is used by customers to place and track orders. WebApp1 has a
web tier that uses Microsoft Internet Information Services (IIS) and a database tier
that runs Microsoft SQL Server 2016. The web tier and the database tier are deployed
to virtual machines that run on Hyper-V.
The IT department currently uses a separate Hyper-V environment to test updates to
WebApp1.
Fabrikam purchases all Microsoft licenses through a Microsoft Enterprise Agreement
that includes Software Assurance.

Problem Statement:
The use of WebApp1 is unpredictable. At peak times, users often report delays. At
other times, many resources for WebApp1 are underutilized.

Requirements:
Planned Changes:

Fabrikam plans to move most of its production workloads to Azure during the next few
years.
As one of its first projects, the company plans to establish a hybrid identity model,
facilitating an upcoming Microsoft Office 365 deployment. All R&D operations will
remain on-premises.
Fabrikam plans to migrate the production and test instances of WebApp1 to Azure.

Technical Requirements:
Fabrikam identifies the following technical requirements:
• Web site content must be easily updated from a single point.
• User input must be minimized when provisioning new app instances.
• Whenever possible, existing on-premises licenses must be used to reduce cost.
• Users must always authenticate by using their corp.fabrikam.com UPN identity.
• Any new deployments to Azure must be redundant in case an Azure region fails.
• Whenever possible, solutions must be deployed to Azure by using platform as a
service (PaaS).
• An email distribution group named IT Support must be notified of any issues relating
to the directory synchronization services.
• Directory synchronization between Azure Active Directory (Azure AD) and
corp.fabrikam.com must not be affected by a link failure between Azure and the
on-premises network.

Database Requirements:

Fabrikam identifies the following database requirements:
• Database metrics for the production instance of WebApp1 must be available for
analysis so that database administrators can optimize the performance settings.
• To avoid disrupting customer access, database downtime must be minimized when
databases are migrated.
• Database backups must be retained for a minimum of seven years to meet
compliance requirement

Security Requirements:
Fabrikam identifies the following security requirements:
* Company information including policies, templates, and data must be inaccessible to
anyone outside the company.
* Users on the on-premises network must be able to authenticate to
corp.fabrikam.com if an Internet link fails.
* Administrators must be able to authenticate to the Azure portal by using their
corp.fabrikam.com credentials.
* All administrative access to the Azure portal must be secured by using multi-factor
authentication.
* The testing of WebApp1 updates must not be visible to anyone outside the
company.

You need to recommend a strategy for the web tier of WebApp1. The solution must
minimize What should you recommend?
A. Create a runbook that resizes virtual machines automatically to a smaller size
outside of business hours.
B. Configure the Scale Up settings for a web app.
C. Deploy a virtual machine scale set that scales out on a 75 percent CPU threshold.
D. Configure the Scale Out settings for a web app.
Answer: A
13. HOTSPOT
You design a solution for the web tier of WebApp1 as shown in the exhibit.


For each of the following statements, select Yes if the statement is true. Otherwise,
select No.
Answer:

Explanation:

Box 1: Yes
Any new deployments to Azure must be redundant in case an Azure region fails.
Traffic Manager uses DNS to direct client requests to the most appropriate service
endpoint based on a traffic-routing method and the health of the endpoints. An
endpoint is any Internet-facing service hosted inside or outside of Azure. Traffic
Manager provides a range of traffic-routing methods and endpoint monitoring options
to suit different application needs and automatic failover models. Traffic Manager is
resilient to failure, including the failure of an entire Azure region.
Box 2: Yes
Recent changes in Azure brought some significant changes in autoscaling options for
Azure Web Apps (i.e. Azure App Service to be precise as scaling happens on App
Service plan level and has effect on all Web Apps running in that App Service plan).
Box 3: No
Traffic Manager provides a range of traffic-routing methods and endpoint monitoring
options to suit different application needs and automatic failover models. Traffic
Manager is resilient to failure, including the failure of an entire Azure region.

14. HOTSPOT
To meet the authentication requirements of Fabrikam, what should you include in the
solution? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.
Answer:

15. You need to recommend a solution to meet the database retention requirement.
What should you recommend?
A. Configure a long-term retention policy for the database.
B. Configure Azure Site Recovery.
C. Configure geo replication of the database.
D. Use automatic Azure SQL Database backups.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/azure/azure-sql/database/long-term-retention-overview
In Azure SQL Database, you can configure a database with a long-term backup
retention policy (LTR) to automatically retain the database backups in separate Azure
Blob storage containers for up to 10 years.

16. HOTSPOT
You are evaluating the components of the migration to Azure that require you to
provision an Azure Storage account.
For each of the following statements, select Yes if the statement is true. Otherwise,
select No. NOTE: Each correct selection is worth one point.

Answer:

17. You need to recommend a data storage strategy for WebApp1.
What should you include in the recommendation?
A. an Azure SQL Database elastic pool
B. a vCore-based Azure SQL database
C. an Azure virtual machine that runs SQL Server
D. a fixed-size DTU Azure SQL database.
Answer: B

18. You need to recommend a notification solution for the IT Support distribution
group.
What should you include in the recommendation?
A. Azure Network Watcher
B. an action group
C. a SendGrid account with advanced reporting
D. Azure AD Connect Health
Answer: D
Explanation:
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-operations

19. You need to recommend a strategy for migrating the database content of
WebApp1 to Azure.
What should you include in the recommendation?
A. Use Azure Site Recovery to replicate the SQL servers to Azure.
B. Use SQL Server transactional replication.
C. Copy the BACPAC file that contains the Azure SQL database file to Azure Blob
storage.
D. Copy the VHD that contains the Azure SQL database files to Azure Blob storage
Answer: D
Explanation:
Before you upload a Windows virtual machine (VM) from on-premises to Azure, you
must prepare the virtual hard disk (VHD or VHDX).
Scenario: WebApp1 has a web tier that uses Microsoft Internet Information Services
(IIS) and a database tier that runs Microsoft SQL Server 2016. The web tier and the
database tier are deployed to virtual machines that run on Hyper-V.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image

20. What should you include in the identity management strategy to support the
planned changes?
A. Move all the domain controllers from corp.fabrikam.com to virtual networks in
Azure.
B. Deploy domain controllers for corp.fabrikam.com to virtual networks in Azure.
C. Deploy a new Azure AD tenant for the authentication of new R&D projects.
D. Deploy domain controllers for the rd.fabrikam.com forest to virtual networks in
Azure.
Answer: B
Explanation:
Directory synchronization between Azure Active Directory (Azure AD) and
corp.fabrikam.com must not be affected by a link failure between Azure and the on-
premises network. (This requires domain controllers in Azure)
Users on the on-premises network must be able to authenticate to corp.fabrikam.com
if an Internet link fails. (This requires domain controllers on-premises)

21. Topic 3, Contoso

Case Study
This is a case study. Case studies are not timed separately. You can use as much
exam time as you would like to complete each case. However, there may be
additional case studies and sections on this exam. You must manage your time to
ensure that you are able to complete all questions included on this exam in the time
provided.

To answer the questions included in a case study, you will need to reference
information that is provided in the case study. Case studies might contain exhibits and
other resources that provide more information about the scenario that is described in
the case study. Each question is independent of the other questions in this case
study.

At the end of this case study, a review screen will appear. This screen allows you to
review your answers and to make changes before you move to the next section of the
exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons
in the left pane to explore the content of the case study before you answer the
questions. Clicking these buttons displays information such as business
requirements, existing environment, and problem statements. If the case study has an
All Information tab, note that the information displayed is identical to the information
displayed on the subsequent tabs. When you are ready to answer a question, click
the Question button to return to the question.

Existing Environment: Technical Environment


The on-premises network contains a single Active Directory domain named
contoso.com.
Contoso has a single Azure subscription.

Existing Environment: Business Partnerships


Contoso has a business partnership with Fabrikam, Inc. Fabrikam users access some
Contoso applications over the internet by using Azure Active Directory (Azure AD)
guest accounts.
Requirements: Planned Changes
Contoso plans to deploy two applications named App1 and App2 to Azure.

Requirements: App1
App1 will be a Python web app hosted in Azure App Service that requires a Linux
runtime.
Users from Contoso and Fabrikam will access App1.

App1 will access several services that require third-party credentials and access
strings.
The credentials and access strings are stored in Azure Key Vault.

App1 will have six instances: three in the East US Azure region and three in the West
Europe Azure region.

App1 has the following data requirements:
✑ Each instance will write data to a data store in the same availability zone as the
instance.
✑ Data written by any App1 instance must be visible to all App1 instances.

App1 will only be accessible from the internet. App1 has the following connection
requirements:
✑ Connections to App1 must pass through a web application firewall (WAF).
✑ Connections to App1 must be active-active load balanced between instances.
✑ All connections to App1 from North America must be directed to the East US region.
All other connections must be directed to the West Europe region.

Every hour, you will run a maintenance task by invoking a PowerShell script that
copies files from all the App1 instances. The PowerShell script will run from a central
location.

Requirements: App2
App2 will be a .NET app hosted in App Service that requires a Windows runtime.

App2 has the following file storage requirements:


✑ Save files to an Azure Storage account.
✑ Replicate files to an on-premises location.
✑ Ensure that on-premises clients can read the files over the LAN by using the SMB
protocol.

You need to monitor App2 to analyze how long it takes to perform different
transactions within the application. The solution must not require changes to the
application code.
Application Development Requirements
Application developers will constantly develop new versions of App1 and App2.
The development process must meet the following requirements:
✑ A staging instance of a new application version must be deployed to the application
host before the new version is used in production.
✑ After testing the new version, the staging version of the application will replace the
production version.
✑ The switch to the new application version from staging to production must occur
without any downtime of the application.

Identity Requirements
Contoso identifies the following requirements for managing Fabrikam access to
resources:

✑ Every month, an account manager at Fabrikam must review which Fabrikam users
have access permissions to App1. Accounts that no longer need permissions must be
removed as guests.
✑ The solution must minimize development effort.

Security Requirement
All secrets used by Azure services must be stored in Azure Key Vault.
Services that require credentials must have the credentials tied to the service
instance. The credentials must NOT be shared between services.

DRAG DROP
You need to recommend a solution that meets the file storage requirements for App2.
What should you deploy to the Azure subscription and the on-premises network? To
answer, drag the appropriate services to the correct locations. Each service may be
used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Azure Files
Scenario: App2 has the following file storage requirements:
✑ Save files to an Azure Storage account.
✑ Replicate files to an on-premises location.
✑ Ensure that on-premises clients can read the files over the LAN by using the SMB
protocol.
Box 2: Azure File Sync
Use Azure File Sync to centralize your organization's file shares in Azure Files, while
keeping the flexibility, performance, and compatibility of an on-premises file server.

Azure File Sync transforms Windows Server into a quick cache of your Azure file
share. You can use any protocol that's available on Windows Server to access your
data locally, including SMB, NFS, and FTPS. You can have as many caches as you
need across the world.

22. You need to recommend a solution that meets the data requirements for App1.
What should you recommend deploying to each availability zone that contains an
instance of App1?
A. an Azure Cosmos DB that uses multi-region writes
B. an Azure Storage account that uses geo-zone-redundant storage (GZRS)
C. an Azure Data Lake store that uses geo-zone-redundant storage (GZRS)
D. an Azure SQL database that uses active geo-replication
Answer: A

23. HOTSPOT
What should you implement to meet the identity requirements? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one
point.
Answer:

Explanation:
Requirements: Identity Requirements
Contoso identifies the following requirements for managing Fabrikam access to
resources: Every month, an account manager at Fabrikam must review which
Fabrikam users have access permissions to App1. Accounts that no longer need
permissions must be removed as guests.
The solution must minimize development effort.
Box 1: The Azure AD Privileged Identity Management (PIM)
When should you use access reviews?
Too many users in privileged roles: It's a good idea to check how many users have
administrative access, how many of them are Global Administrators, and if there are
any invited guests or partners that have not been removed after being assigned to do
an administrative task. You can recertify the role assignment users in Azure AD roles
such as Global Administrators, or Azure resources roles such as User Access
Administrator in the Azure AD Privileged Identity Management (PIM) experience.

Box 2: Access reviews
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently
manage group memberships, access to enterprise applications, and role
assignments. User's access can be reviewed on a regular basis to make sure only the
right people have continued access.

24. CORRECT TEXT
You need to recommend a solution that meets the data requirements for App1.
What should you recommend deploying to each availability zone that contains an
instance of App1?
A. an Azure Cosmos DB that uses multi-region writes
B. an Azure Storage account that uses geo-zone-redundant storage (GZRS)
C. an Azure Data Lake store that uses geo-zone-redundant storage (GZRS)
D. an Azure SQL database that uses active geo-replication
Answer: A
Explanation:
Scenario: App1 has the following data requirements:
✑ Each instance will write data to a data store in the same availability zone as the
instance.
✑ Data written by any App1 instance must be visible to all App1 instances.
Azure Cosmos DB: Each partition across all the regions is replicated. Each region
contains all the data partitions of an Azure Cosmos container and can serve reads as
well as serve writes when multi-region writes is enabled.

25. HOTSPOT
You need to recommend a solution to ensure that App1 can access the third-party
credentials and access strings. The solution must meet the security requirements.
What should you include in the recommendation? To answer, select the appropriate
options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Scenario: Security Requirement
All secrets used by Azure services must be stored in Azure Key Vault.
Services that require credentials must have the credentials tied to the service
instance. The credentials must NOT be shared between services.
Box 1: A service principal
A service principal is a type of security principal that identifies an application or
service, which is to say, a piece of code rather than a user or group. A service
principal's object ID is known as its client ID and acts like its username. The service
principal's client secret acts like its password.
Note: Authentication with Key Vault works in conjunction with Azure Active Directory
(Azure AD), which is responsible for authenticating the identity of any given security
principal.
A security principal is an object that represents a user, group, service, or application
that's requesting access to Azure resources. Azure assigns a unique object ID to
every security principal.
Box 2: A role assignment

You can provide access to Key Vault keys, certificates, and secrets with an Azure
role-based access control.

26. HOTSPOT
You are evaluating whether to use Azure Traffic Manager and Azure Application
Gateway to meet the connection requirements for App1.
What is the minimum number of instances required for each service? To answer,
select the appropriate options in the answer area. NOTE: Each correct selection is
worth one point.

Answer:

27. You need to recommend an App Service architecture that meets the requirements
for App1.
The solution must minimize costs.
What should you recommend?
A. one App Service Environment (ASE) per availability zone
B. one App Service plan per availability zone
C. one App Service plan per region
D. one App Service Environment (ASE) per region
Answer: A

28. Topic 4, HABInsurance

Case Study
An insurance company, HABInsurance, operates in three states and provides home,
auto, and boat insurance. Besides the head office, HABInsurance has three regional
offices.

Current environment
General
An insurance company, HABInsurance, operates in three states and provides home,
auto, and boat insurance. Besides the head office, HABInsurance has three regional
offices.
Technology assessment
The company has two Active Directory forests: main.habinsurance.com and
region.habinsurance.com. HABInsurance's primary internal system is Insurance
Processing System (IPS). It is an ASP.Net/C# application running on IIS/Windows
Servers hosted in a data center. IPS has three tiers: web, business logic API, and a
datastore on a back end. The company uses Microsoft SQL Server and MongoDB for
the backend. The system has two parts: Customer data and Insurance forms and
documents. Customer data is stored in Microsoft SQL Server and Insurance forms
and documents in MongoDB.
The company also has 10 TB of Human Resources (HR) data stored on NAS at the
head office location.
Requirements

General
HABInsurance plans to migrate its workloads to Azure. They purchased an Azure
subscription.
Changes
During a transition period, HABInsurance wants to create a hybrid identity model
along with a Microsoft Office 365 deployment. The company intends to sync its AD
forests to Azure AD and benefit from Azure AD administrative units functionality.
HABInsurance needs to migrate the current IPSCustomers SQL database to a new
fully managed SQL database in Azure that would be budget-oriented, balanced with
scalable compute and storage options. The management team expects the Azure
database service to scale the database resources dynamically with minimal
downtime. The technical team proposes implementing a DTU-based purchasing
model for the new database. HABInsurance wants to migrate Insurance forms and
documents to Azure database service. HABInsurance plans to move the first two IPS
tiers to Azure without any modifications. The technology team discusses the possibility
of running IPS tiers on a set of virtual machine instances. The number of instances
should be adjusted automatically based on the CPU utilization. An SLA of 99.95%
must be guaranteed for the compute infrastructure. The company needs to move HR
data to Azure File shares.
In their new Azure ecosystem, HABInsurance plans to use internal and third-party
applications. The company considers adding user consent for data access to the
registered applications.
Later, the technology team contemplates adding a customer self-service portal to IPS
and deploying a new IPS to multi-region AKS. But the management team is worried
about performance and availability of the multi-region AKS deployments during
regional outages.

What two parameters would you recommend setting up to ensure that the new
IPSCustomers database will scale to meet the workload demands?
A. Define the maximum of CPU cores
B. Define the maximum resource limit per group of databases
C. Define the maximum of Database Transaction Units
D. Define the maximum of the allocated storage
E. Define the maximum size for a database
Answer: C,E

29. A company has an on-premises file server cbflserver that runs Windows Server
2019.
Windows Admin Center manages this server. The company owns an Azure
subscription.
You need to provide an Azure solution to prevent data loss if the file server fails.
Solution: You decide to register Windows Admin Center in Azure and then configure
Azure Backup.
Would this meet the requirement?
A. Yes
B. No
Answer: A

30. A company is planning on deploying an application onto Azure. The application
will be based on the .NET Core programming language. The application would be
hosted using Azure Web apps. Below is part of the various requirements for the
application:
Give the ability to correlate Azure resource usage and the performance data with the
actual application configuration and performance data
Give the ability to visualize the relationships between application components
Give the ability to track requests and exceptions to specific lines of code from within
the application
Give the ability to actually analyse how users return to an application
and see how often they only select a particular drop-down value
Which of the following services would be best suited for fulfilling the requirement of
“Give the ability to correlate Azure resource usage and the performance data with the
actual application configuration and performance data”
A. Azure Application Insights
B. Azure Service Map
C. Azure Log Analytics
D. Azure Activity Log
Answer: C

31. A company has an on-premises file server cbflserver that runs Windows Server
2019.
Windows Admin Center manages this server. The company owns an Azure
subscription.
You need to provide an Azure solution to prevent data loss if the file server fails.
Solution: You decide to create an Azure Recovery Services vault. You then decide to
install the Azure Backup agent and then schedule the backup.
Would this meet the requirement?
A. Yes
B. No
Answer: A

32. Topic 5, Misc. Questions

You plan to deploy 10 applications to Azure. The applications will be deployed to two
Azure Kubernetes Service (AKS) clusters. Each cluster will be deployed to a separate
Azure region.
The application deployment must meet the following requirements:
• Ensure that the applications remain available if a single AKS cluster fails.
• Ensure that the connection traffic over the internet is encrypted by using SSL without
having to configure SSL on each container.
Which service should you include in the recommendation?
A. AKS ingress controller
B. Azure Traffic Manager
C. Azure Front Door
D. Azure Load Balancer
Answer: C
Explanation:
"Azure Front Door, which focuses on global load-balancing and site acceleration, and
Azure CDN Standard, which offers static content caching and acceleration. The new
Azure Front Door brings together security with CDN technology for a cloud-based
CDN with threat protection and additional capabilities."

33. HOTSPOT
You have five .NET Core applications that run on 10 Azure virtual machines in the
same subscription.
You need to recommend a solution to ensure that the applications can authenticate
by using the same Azure Active Directory (Azure AD) identity.
The solution must meet the following requirements:
✑ Ensure that the applications can authenticate only when running on the 10 virtual
machines.
✑ Minimize administrative effort.
What should you include in the recommendation? To answer, select the appropriate
options in the answer area. NOTE: Each correct selection is worth one point.
Answer:


Explanation:

34. HOTSPOT
You have an Azure Load Balancer named LB1 that balances requests to five Azure
virtual machines.
You need to develop a monitoring solution for LB1.
The solution must generate an alert when any of the following conditions are met:
✑ A virtual machine is unavailable.
✑ Connection attempts exceed 50,000 per minute.
Which signal should you include in the solution for each condition? To answer, select
the appropriate options in the answer area. NOTE: Each correct selection is worth
one point.
Answer:


Explanation:
Box 1: Data path availability
Standard Load Balancer continuously exercises the data path from within a region to
the load balancer front end, all the way to the SDN stack that supports your VM. As
long as healthy instances remain, the measurement follows the same path as your
application's load-balanced traffic. The data path that your customers use is also
validated. The measurement is invisible to your application and does not interfere with
other operations.
Note: Load balancer distributes inbound flows that arrive at the load balancer's front
end to backend pool instances. These flows are according to configured load-
balancing rules and health probes. The backend pool instances can be Azure Virtual
Machines or instances in a virtual machine scale set.
Box 2: SYN count
SYN (synchronize) count: Standard Load Balancer does not terminate Transmission
Control Protocol (TCP) connections or interact with TCP or UDP packet flows. Flows
and their handshakes are always between the source and the VM instance. To better
troubleshoot your TCP protocol scenarios, you can make use of SYN packets
counters to understand how many TCP connection attempts are made. The metric
reports the number of TCP SYN packets that were received.

35. You have to deploy an Azure SQL database named db1 for your company. The
database must meet the following security requirements:
When IT help desk supervisors query a database table named customers, they must
be able to see the full number of each credit card
When IT help desk operators query a database table named customers, they must
only see the last four digits of each credit card number
A column named Credit Card rating in the customers table must never appear in plain
text in the database system. Only client applications must be able to decrypt the
information that is stored in this column
Which of the following can be implemented for the Credit Card rating column security
requirement?
A. Always Encrypted
B. Azure Advanced Threat Protection
C. Transparent Data Encryption
D. Dynamic Data Masking
Answer: A
Explanation:
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15

36. HOTSPOT
You have an Azure subscription that contains 300 Azure virtual machines that run
Windows Server 2016.
You need to centrally monitor all warning events in the System logs of the virtual
machines.
What should you include in the solution? To answer, select the appropriate options
in the answer area. NOTE: Each correct selection is worth one point.
Answer:


Explanation:
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

37. HOTSPOT
You need to design an Azure policy that will implement the following functionality:
• For new resources, assign tags and values that match the tags and values of the
resource group to which the resources are deployed.
• For existing resources, identify whether the tags and values match the tags and
values of the resource group that contains the resources.
• For any non-compliant resources, trigger auto-generated remediation tasks to create
missing tags and values.
The solution must use the principle of least privilege.
What should you include in the design? To answer, select the appropriate options in
the answer area. NOTE: Each correct selection is worth one point.


Answer:

Explanation:
Box 1: Modify
Modify is used to add, update, or remove properties or tags on a resource during
creation or update. A common example is updating tags on resources such as
costCenter. Existing non-compliant resources can be remediated with a remediation
task. A single Modify rule can have any number of operations.
Box 2: A managed identity with the Contributor role
✑ Managed identity
How remediation security works: When Azure Policy runs the template in the
deployIfNotExists policy definition, it does so using a managed identity. Azure Policy
creates a managed identity for each assignment, but must have details about what
roles to grant the managed identity.
✑ Contributor role
The Contributor role grants the required access to apply tags to any entity.

38. HOTSPOT
You plan to create an Azure Storage account that will host file shares. The shares will
be accessed from on-premises applications that are transaction-intensive.
You need to recommend a solution to minimize latency when accessing the file
shares.
The solution must provide the highest level of resiliency for the selected storage tier.
What should you include in the recommendation? To answer, select the appropriate
options in the answer area. NOTE: Each correct selection is worth one point.

Answer:
Explanation:
Box 1: Premium
Premium: Premium file shares are backed by solid-state drives (SSDs) and provide
consistent high performance and low latency, within single-digit milliseconds for most
IO operations, for IO-intensive workloads.
Box 2: Zone-redundant storage (ZRS):
Premium Azure file shares only support LRS and ZRS. Zone-redundant storage
(ZRS): With ZRS, three copies of each file are stored, however these copies are
physically isolated in three distinct storage clusters in different Azure availability
zones.

39. HOTSPOT
You plan to migrate on-premises Microsoft SQL Server databases to Azure.
You need to recommend a deployment and resiliency solution that meets the
following requirements:
✑ Supports user-initiated backups
✑ Supports multiple automatically replicated instances across Azure regions
✑ Minimizes administrative effort to implement and maintain business continuity
What should you recommend? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.
Answer:

Explanation:
Box 1: An Azure SQL Database single database.
SQL Server Managed instance versus SQL Server Virtual Machines
Active geo-replication is not supported by Azure SQL Managed Instance.
Box 2: Active geo-replication
Active geo-replication is a feature that lets you create a continuously synchronized
readable secondary database for a primary database. The readable secondary
database may be in the same Azure region as the primary, or, more commonly, in a
different region. Readable secondary databases of this kind are also known as
geo-secondaries, or geo-replicas.

40. You have an Azure subscription that contains a storage account.
An application sometimes writes duplicate files to the storage account.
You have a PowerShell script that identifies and deletes duplicate files in the storage
account. Currently, the script is run manually after approval from the operations
manager.
You need to recommend a serverless solution that performs the following actions:
✑ Runs the script once an hour to identify whether duplicate files exist
✑ Sends an email notification to the operations manager requesting approval to delete
the duplicate files
✑ Processes an email response from the operations manager specifying whether the
deletion was approved
✑ Runs the script if the deletion was approved
What should you include in the recommendation?

A. Azure Logic Apps and Azure Functions
B. Azure Pipelines and Azure Service Fabric
C. Azure Logic Apps and Azure Event Grid
D. Azure Functions and Azure Batch
Answer: A
Explanation:
You can schedule a PowerShell script with Azure Logic Apps.
When you want to run code that performs a specific job in your logic apps, you can
create your own function by using Azure Functions. This service helps you create
Node.js, C#, and F# functions so you don't have to build a complete app or
infrastructure to run code. You can also call logic apps from inside Azure functions.
Azure Functions provides serverless computing in the cloud and is useful for
performing tasks such as these examples:
Reference: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-functions

41. You are planning an Azure IoT Hub solution that will include 50,000 IoT devices.
Each device will stream data, including temperature, device ID, and time data.
Approximately 50,000 records will be written every second. The data will be visualized
in near real time.
You need to recommend a service to store and query the data.
Which two services can you recommend? Each correct answer presents a complete
solution. NOTE: Each correct selection is worth one point.
A. Azure Table Storage
B. Azure Event Grid
C. Azure Cosmos DB SQL API
D. Azure Time Series Insights
Answer: C,D
Explanation:
D: Time Series Insights is a fully managed service for time series data. In this
architecture, Time Series Insights performs the roles of stream processing, data store,
and analytics and reporting. It accepts streaming data from either IoT Hub or Event
Hubs and stores, processes, analyzes, and displays the data in near real time.
C: The processed data is stored in an analytical data store, such as Azure Data
Explorer, HBase, Azure Cosmos DB, Azure Data Lake, or Blob Storage.
Reference: https://docs.microsoft.com/en-us/azure/architecture/data-guide/scenarios/time-series

42. You have an Azure subscription that contains a Windows Virtual Desktop tenant.
You need to recommend a solution to meet the following requirements:
✑ Start and stop Windows Virtual Desktop session hosts based on business hours.
✑ Scale out Windows Virtual Desktop session hosts when required.
✑ Minimize compute costs.
What should you include in the recommendation?
A. Microsoft Intune
B. a Windows Virtual Desktop automation task
C. Azure Automation
D. Azure Service Health
Answer: C
Explanation:
Reference:
https://www.ciraltos.com/automatically-start-and-stop-wvd-vms-with-azure-automation/
https://wvdlogix.net/windows-virtual-desktop-host-pool-automation-2
https://getnerdio.com/academy/how-to-optimize-windows-virtual-desktop-wvd-azure-costs-with-event-based-autoscaling-and-azure-vm-scale-sets/

43. Your company plans to publish APIs for its services by using Azure API
Management.
You discover that service responses include the AspNet-Version header.
You need to recommend a solution to remove AspNet-Version from the response of
the published APIs.
What should you include in the recommendation?
A. a new product
B. a modification to the URL scheme
C. a new policy
D. a new revision
Answer: C
Explanation:
References: https://docs.microsoft.com/en-us/azure/api-management/transform-api

44. HOTSPOT
Your company has the divisions shown in the following table.

You plan to deploy a custom application to each subscription.
The application will contain the following:
✑ A resource group
✑ An Azure web app
✑ Custom role assignments
✑ An Azure Cosmos DB account
You need to use Azure Blueprints to deploy the application to each subscription.
What is the minimum number of objects required to deploy the application? To
answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.
Answer:
Explanation:
Box 1: 2
One management group for East, and one for West.
When creating a blueprint definition, you'll define where the blueprint is saved.
Blueprints can be saved to a management group or subscription that you have
Contributor access to. If the location is a management group, the blueprint is available
to assign to any child subscription of that management group.
Box 2: 2
Box 3: 4
One assignment for each subscription.
"Assigning a blueprint definition to a management group means the assignment
object exists at the management group. The deployment of artifacts still targets a
subscription. To perform a management group assignment, the Create Or Update
REST API must be used and the request body must include a value for
properties.scope to define the target subscription."
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview#blueprint-assignment

45. You are designing an Azure solution.
The network traffic for the solution must be securely distributed by providing the
following features:
✑ HTTPS protocol
✑ Round robin routing
✑ SSL offloading
You need to recommend a load balancing option.
What should you recommend?
A. Azure Load Balancer
B. Azure Traffic Manager
C. Azure Internal Load Balancer (ILB)
D. Azure Application Gateway
Answer: D
Explanation:
If you are looking for Transport Layer Security (TLS) protocol termination ("SSL
offload") or per-HTTP/HTTPS request, application-layer processing, review
Application Gateway.
Application Gateway is a layer 7 load balancer, which means it works only with web
traffic (HTTP, HTTPS, WebSocket, and HTTP/2). It supports capabilities such as SSL
termination, cookie-based session affinity, and round robin for load-balancing traffic.
Load Balancer load-balances traffic at layer 4 (TCP or UDP).
References: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq

46. HOTSPOT
You have an Azure Active Directory (Azure AD) tenant.
You plan to use Azure Monitor to monitor user sign-ins and generate alerts based on
specific user sign-in events.
You need to recommend a solution to trigger the alerts based on the events.
What should you include in the recommendation? To answer, select the appropriate
options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: An Azure Log Analytics workspace
To be able to create an alert we send the Azure AD logs to an Azure Log Analytics
workspace.
Note: You can forward your AAD logs and events to either an Azure Storage Account,
an Azure Event Hub, Log Analytics, or a combination of all of these.
Box 2: Log
Ensure Resource Type is an analytics source like Log Analytics or Application
Insights and signal type as Log.

47. You need to deploy resources to host a stateless web app in an Azure
subscription.
The solution must meet the following requirements:
• Provide access to the full .NET framework.
• Provide redundancy if an Azure region fails.
• Grant administrators access to the operating system to install custom application
dependencies.
Solution: You deploy an Azure virtual machine to two Azure regions, and you deploy
an Azure Application Gateway.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
You need to deploy two Azure virtual machines to two Azure regions, but also create
a Traffic Manager profile.

48. Your company has 300 virtual machines hosted in a VMware environment. The
virtual machines vary in size and have various utilization levels.
You plan to move all the virtual machines to Azure.
You need to recommend how many and what size Azure virtual machines will be
required to move the current workloads to Azure. The solution must minimize
administrative effort.
What should you use to make the recommendation?
A. Azure Cost Management
B. Azure Pricing calculator
C. Azure Migrate
D. Azure Advisor
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/migrate/migrate-appliance#collected-data---vmware
"Metadata discovered by the Azure Migrate appliance helps you to figure out whether
servers are ready for migration to Azure, right-size servers, plans costs, and analyze
application dependencies".
https://docs.microsoft.com/en-us/learn/modules/design-your-migration-to-azure/2-plan-your-azure-migration

49. You have an Azure Active Directory (Azure AD) tenant named contoso.com that
has a security group named Group1. Group1 is configured for assigned membership.
Group1 has 50 members, including 20 guest users.
You need to recommend a solution for evaluating the membership of Group1.
The solution must meet the following requirements:
• The evaluation must be repeated automatically every three months.
• Every member must be able to report whether they need to be in Group1.
• Users who report that they do not need to be in Group1 must be removed from
Group1 automatically.
• Users who do not report whether they need to be in Group1 must be removed from
Group1 automatically.
What should you include in the recommendation?
A. Implement Azure AD Identity Protection.
B. Change the Membership type of Group1 to Dynamic User.
C. Implement Azure AD Privileged Identity Management.
D. Create an access review.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#learn-about-access-reviews
Have reviews recur periodically: You can set up recurring access reviews of users at
set frequencies such as weekly, monthly, quarterly or annually, and the reviewers will
be notified at the start of each review. Reviewers can approve or deny access with a
friendly interface and with the help of smart recommendations.
An administrator creates an access review of Group C with 50 member users and 25
guest users. Makes it a self-review. 50 licenses for each user as self-reviewers.*
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#example-license-scenarios
There are 4 requirements and every single one is only met by access reviews.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#when-should-you-use-access-reviews
Dynamic User is needed if a user must be automatically granted access based on its
attributes (department, jobtitle, location, etc.)
https://techcommunity.microsoft.com/t5/itops-talk-blog/dynamic-groups-in-azure-ad-and-microsoft-365/ba-p/2267494
Implementing Azure AD PIM is no solution and absolutely not necessary for access
reviews.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#where-do-you-create-reviews

50. DRAG DROP
A company has an existing web application that runs on virtual machines (VMs) in
Azure.
You need to ensure that the application is protected from SQL injection attempts and
uses a layer-7 load balancer. The solution must minimize disruption to the code for
the existing web application.
What should you recommend? To answer, drag the appropriate values to the correct
items. Each value may be used once, more than once, or not at all. You may need to
drag the split bar between panes or scroll to view content. NOTE: Each correct
selection is worth one point.
Answer:
Explanation:
Box 1: Azure Application Gateway
Azure Application Gateway provides an application delivery controller (ADC) as a
service. It offers various layer 7 load-balancing capabilities for your applications.
Box 2: Web Application Firewall (WAF)
Application Gateway web application firewall (WAF) protects web applications from
common vulnerabilities and exploits.
This is done through rules that are defined based on the OWASP core rule sets 3.0 or
2.2.9.
There are rules that detect SQL injection attacks.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq
https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview

51. You plan to provision a High Performance Computing (HPC) cluster in Azure that will
use a third-party scheduler.
You need to recommend a solution to provision and manage the HPC cluster node.
What should you include in the recommendation?
A. Azure Lighthouse
B. Azure CycleCloud
C. Azure Purview
D. Azure Automation
Answer: B
Explanation:
You can dynamically provision Azure HPC clusters with Azure CycleCloud.
Azure CycleCloud is the simplest way to manage HPC workloads.
Note: Azure CycleCloud is an enterprise-friendly tool for orchestrating and managing
High Performance Computing (HPC) environments on Azure. With CycleCloud, users
can provision infrastructure for HPC systems, deploy familiar HPC schedulers, and
automatically scale the infrastructure to run jobs efficiently at any scale. Through
CycleCloud, users can create different types of file systems and mount them to the
compute cluster nodes to support HPC workloads.
Reference: https://docs.microsoft.com/en-us/azure/cyclecloud/overview

52. HOTSPOT
Your company deploys an Azure App Service Web App.
During testing the application fails under load. The application cannot handle more
than 100 concurrent user sessions. You enable the Always On feature. You also
configure auto-scaling to increase counts from two to 10 based on HTTP queue
length.
You need to improve the performance of the application.
Which solution should you use for each application scenario? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one
point.
Answer:
Explanation:
Box 1: Content Delivery Network
A content delivery network (CDN) is a distributed network of servers that can
efficiently deliver web content to users. CDNs store cached content on edge servers
in point-of-presence (POP) locations that are close to end users, to minimize latency.
Azure Content Delivery Network (CDN) offers developers a global solution for rapidly
delivering high-bandwidth content to users by caching their content at strategically
placed physical nodes across the world. Azure CDN can also accelerate dynamic
content, which cannot be cached, by leveraging various network optimizations using
CDN POPs. For example, route optimization to bypass Border Gateway Protocol
(BGP).
Box 2: Azure Redis Cache
Azure Cache for Redis is based on the popular software Redis. It is typically used as
a cache to improve the performance and scalability of systems that rely heavily on
backend data-stores. Performance is improved by temporarily copying frequently
accessed data to fast storage located close to the application. With Azure Cache for
Redis, this fast storage is located in-memory with Azure Cache for Redis instead of
being loaded from disk by a database.
References: https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-overview

53. You are designing a SQL database solution. The solution will include 20
databases that will be 20 GB each and have varying usage patterns. You need to
recommend a database platform to host the databases.
The solution must meet the following requirements:
• The compute resources allocated to the databases must scale dynamically.
• The solution must meet an SLA of 99.99% uptime.
• The solution must have reserved capacity.
• Compute charges must be minimized.
What should you include in the recommendation?
A. 20 databases on a Microsoft SQL server that runs on an Azure virtual machine
B. 20 instances of Azure SQL Database serverless
C. 20 databases on a Microsoft SQL server that runs on an Azure virtual machine in
an availability set
D. an elastic pool that contains 20 Azure SQL databases
Answer: D
Explanation:
Azure SQL Database elastic pools are a simple, cost-effective solution for managing
and scaling multiple databases that have varying and unpredictable usage demands.
The databases in an elastic pool are on a single server and share a set number of
resources at a set price. Elastic pools in Azure SQL Database enable SaaS
developers to optimize the price performance for a group of databases within a
prescribed budget while delivering performance elasticity for each database.
Guaranteed 99.995 percent uptime for SQL Database
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/elastic-pool-overview
https://azure.microsoft.com/en-us/pricing/details/sql-database/elastic/
https://www.azure.cn/en-us/support/sla/virtual-machines/
https://techcommunity.microsoft.com/t5/azure-sql/optimize-price-performance-with-compute-auto-scaling-in-azure/ba-p/966149

54. A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant
that is integrated with Microsoft Office 365 and an Azure subscription.
Contoso has an on-premises identity infrastructure. The infrastructure includes
servers that run Active Directory Domain Services (AD DS), and Azure AD Connect.
Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an
Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises
identity infrastructure as Contoso.
A team of 10 developers from Fabrikam will work on an Azure solution that will be
hosted in the Azure subscription of Contoso. The developers must be added to the
Contributor role for a resource in the Contoso subscription.
You need to recommend a solution to ensure that Contoso can assign the role to the
10 Fabrikam developers. The solution must ensure that the Fabrikam developers use
their existing credentials to access resources.
What should you recommend?
A. Configure a forest trust between the on-premises Active Directory forests of
Contoso and Fabrikam.
B. Configure an organization relationship between the Office 365 tenants of Fabrikam
and Contoso.
C. In the Azure AD tenant of Contoso, use MIM to create guest accounts for the
Fabrikam developers.
D. Configure an AD FS relying party trust between the Fabrikam and Contoso AD FS
infrastructures.
Answer: A
Explanation:
Trust configurations - Configure trust from managed forest(s) or domain(s) to the
administrative forest
✑ A one-way trust is required from production environment to the admin forest.
✑ Selective authentication should be used to restrict accounts in the admin forest to
only logging on to the appropriate production hosts.
References:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material

55. You are developing a sales application that will contain several Azure cloud
services and will handle different components of a transaction. Different cloud
services will process customer orders, billing, payment, inventory, and shipping.
You need to recommend a solution to enable the cloud services to asynchronously
communicate transaction information by using REST messages.
What should you include in the recommendation?
A. Azure Service Bus
B. Azure Blob storage
C. Azure Notification Hubs
D. Azure Application Gateway
Answer: A
Explanation:
Service Bus is a transactional message broker and ensures transactional integrity for
all internal operations against its message stores. All transfers of messages inside of
Service Bus, such as moving messages to a dead-letter queue or automatic
forwarding of messages between entities, are transactional.
Reference: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-transactions

56. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that might meet the
stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
Your company has deployed several virtual machines (VMs) on-premises and to
Azure. Azure ExpressRoute has been deployed and configured for on-premises to
Azure connectivity.
Several VMs are exhibiting network connectivity issues.
You need to analyze the network traffic to determine whether packets are being
allowed or denied to the VMs.
Solution: Use the Azure Traffic Analytics solution in Azure Log Analytics to analyze
the network traffic.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead use Azure Network Watcher to run IP flow verify to analyze the network
traffic.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

57. DRAG DROP
You are designing a virtual machine that will run Microsoft SQL Server and will
contain two data disks. The first data disk will store log files, and the second data disk
will store data. Both disks are P40 managed disks.
You need to recommend a caching policy for each disk. The policy must provide the
best overall performance for the virtual machine.
Which caching policy should you recommend for each disk? To answer, drag the
appropriate policies to the correct disks. Each policy may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view
content. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-sql-performance

58. You have an Azure subscription.
You need to deploy an Azure Kubernetes Service (AKS) solution that will use Linux
nodes.
The solution must meet the following requirements:
✑ Minimize the time it takes to provision compute resources during scale-out
operations.
✑ Support autoscaling of Linux containers.
✑ Minimize administrative effort.
Which scaling option should you recommend?
A. Virtual Kubelet
B. cluster autoscaler
C. horizontal pod autoscaler
D. AKS virtual nodes
Answer: D
Explanation:
https://docs.microsoft.com/en-us/azure/aks/virtual-nodes

59. HOTSPOT
Your on-premises network contains a file server named Server1 that stores 500 GB of
data.
You need to use Azure Data Factory to copy the data from Server1 to Azure Storage.
You add a new data factory.
What should you do next? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Install a self-hosted integration runtime
The Integration Runtime is a customer-managed data integration infrastructure used
by Azure Data Factory to provide data integration capabilities across different network
environments.
Box 2: Create a pipeline
With ADF, existing data processing services can be composed into data pipelines that
are highly available and managed in the cloud. These data pipelines can be
scheduled to ingest, prepare, transform, analyze, and publish data, and ADF
manages and orchestrates the complex data and processing dependencies
References:
https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-sql-azure-adf
https://docs.microsoft.com/pl-pl/azure/data-factory/tutorial-hybrid-copy-data-tool
https://docs.microsoft.com/en-us/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory
"A self-hosted integration runtime can run copy activities between a cloud data store
and a data store in a private network"
https://docs.microsoft.com/en-us/azure/data-factory/introduction
"With Data Factory, you can use the Copy Activity in a data pipeline to move data
from both on-premises and cloud source data stores to a centralization data store in
the cloud for further analysis"

60. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that might meet the
stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure.
ExpressRoute is being deployed and configured for on-premises to Azure
connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed
or denied to the virtual machines.
Solution: Use Azure Traffic Analytics in Azure Network Watcher to analyze the
network traffic.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead use Azure Network Watcher IP Flow Verify, which allows you to detect traffic
filtering issues at a VM level.
Note: IP flow verify checks if a packet is allowed or denied to or from a virtual
machine. The information consists of direction, protocol, local IP, remote IP, local
port, and remote port. If the packet is denied by a security group, the name of the rule
that denied the packet is returned. While any source or destination IP can be chosen,
IP flow verify helps administrators quickly diagnose connectivity issues from or to the
internet and from or to the on-premises environment.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

61. HOTSPOT
You have the Free edition of a hybrid Azure Active Directory (Azure AD) tenant. The
tenant uses password hash synchronization.
You need to recommend a solution to meet the following requirements:
✑ Prevent Active Directory domain user accounts from being locked out as the result
of brute force attacks targeting Azure AD user accounts.
✑ Block legacy authentication attempts to Azure AD integrated apps.
✑ Minimize costs.
What should you recommend for each requirement? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one
point.
Answer:
Explanation:
Box 1: Smart lockout
Smart lockout helps lock out bad actors that try to guess your users' passwords or
use brute-force methods to get in. Smart lockout can recognize sign-ins that come
from valid users and treat them differently than ones of attackers and other unknown
sources.
Attackers get locked out, while your users continue to access their accounts and be
productive.
Box 2: Conditional access policies
If your environment is ready to block legacy authentication to improve your tenant's
protection, you can accomplish this goal with Conditional Access.
How can you prevent apps using legacy authentication from accessing your tenant's
resources? The recommendation is to just block them with a Conditional Access
policy. If necessary, you allow only certain users and specific network locations to use
apps that are based on legacy authentication.

62. HOTSPOT
You have an Azure subscription that contains the resources shown in the following
table.

You create an Azure SQL database named DB1 that is hosted in the East US region.
To DB1, you add a diagnostic setting named Settings1. Settings1 archives
SQLInsights to storage1 and sends SQLInsights to Workspace1.
For each of the following statements, select Yes if the statement is true. Otherwise,
select No. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Yes
Box 2: Yes
Box 3: Yes
For more information on Azure SQL diagnostics, you can visit the link below:
https://docs.microsoft.com/en-us/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure