Topic 1 - Question Set 1

Question #1Topic 1
You have an Azure subscription that contains a custom application named Application1.
Application1 was developed by an external company named Fabrikam,
Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to
the Application1 components. All users are licensed for the
Microsoft 365 E5 plan.
You need to recommend a solution to verify whether the Fabrikam developers still require
permissions to Application1. The solution must meet the following requirements:
✑ To the manager of the developers, send a monthly email message that lists the access
permissions to Application1.
✑ If the manager does not verify an access permission, automatically revoke that permission.
✑ Minimize development effort.
What should you recommend?
• A. In Azure Active Directory (Azure AD), create an access review of Application1. Most
Voted
• B. Create an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet.
• C. In Azure Active Directory (Azure AD) Privileged Identity Management, create a
custom role assignment for the Application1 resources.
• D. Create an Azure Automation runbook that runs the Get-
AzureADUserAppRoleAssignment cmdlet.
Hide Solution Discussion 58
Correct Answer: A 🗳️
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-user-access-
with-access-reviews
Community vote distribution
A (100%)

Question #2Topic 1
You have an Azure subscription. The subscription has a blob container that contains multiple
blobs.
Ten users in the finance department of your company plan to access the blobs during the
month of April.
You need to recommend a solution to enable access to the blobs during the month of April
only.
Which security solution should you include in the recommendation?
• A. shared access signatures (SAS) Most Voted
• B. Conditional Access policies
• C. certificates
• D. access keys

Hide Solution Discussion 37

Correct Answer: A 🗳️
Shared Access Signatures (SAS) allows for limited-time fine grained access control to
resources. So you can generate URL, specify duration (for month of April) and disseminate URL
to 10 team members. On May 1, the SAS token is automatically invalidated, denying team
members continued access.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
Community vote distribution
A (100%)

Question #3Topic 1
You have an Azure Active Directory (Azure AD) tenant that syncs with an on-premises Active
Directory domain.
You have an internal web app named WebApp1 that is hosted on-premises. WebApp1 uses
Integrated Windows authentication.
Some users work remotely and do NOT have VPN access to the on-premises network.
You need to provide the remote users with single sign-on (SSO) access to WebApp1.
Which two features should you include in the solution? Each correct answer presents part of
the solution.
NOTE: Each correct selection is worth one point.
• A. Azure AD Application Proxy Most Voted
• B. Azure AD Privileged Identity Management (PIM)
• C. Conditional Access policies
• D. Azure Arc
• E. Azure AD enterprise applications Most Voted
• F. Azure Application Gateway

Hide Solution Discussion 66

Correct Answer: AE 🗳️
A: Application Proxy is a feature of Azure AD that enables users to access on-premises web
applications from a remote client. Application Proxy includes both the
Application Proxy service which runs in the cloud, and the Application Proxy connector which
runs on an on-premises server.
You can configure single sign-on to an Application Proxy application.
E: Add an on-premises app to Azure AD
Now that you've prepared your environment and installed a connector, you're ready to add on-
premises applications to Azure AD.
1. Sign in as an administrator in the Azure portal.
2. In the left navigation panel, select Azure Active Directory.
3. Select Enterprise applications, and then select New application.
4. Select Add an on-premises application button which appears about halfway down the page in
the On-premises applications section. Alternatively, you can select Create your own application
at the top of the page and then select Configure Application Proxy for secure remote access to
an on-premise application.
5. In the Add your own on-premises application section, provide the following information about
your application.
6. Etc.
Incorrect:
Not C: Conditional Access policies are not required.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-
premises-application
Community vote distribution
AE (95%)
3%

Question #4Topic 1
You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a security
group named Group1. Group1 is configured for assigned membership. Group1 has 50
members, including 20 guest users.
You need to recommend a solution for evaluating the membership of Group1. The solution
must meet the following requirements:
✑ The evaluation must be repeated automatically every three months.
✑ Every member must be able to report whether they need to be in Group1.
✑ Users who report that they do not need to be in Group1 must be removed from Group1
automatically.
✑ Users who do not report whether they need to be in Group1 must be removed from Group1
automatically.
What should you include in the recommendation?
• A. Implement Azure AD Identity Protection.
• B. Change the Membership type of Group1 to Dynamic User.
• C. Create an access review. Most Voted
• D. Implement Azure AD Privileged Identity Management (PIM).

Hide Solution Discussion 43

Correct Answer: C 🗳️
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage
group memberships, access to enterprise applications, and role assignments. User's access
can be reviewed on a regular basis to make sure only the right people have continued access.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Community vote distribution
C (98%)
2%

Question #5Topic 1
HOTSPOT -
You plan to deploy Azure Databricks to support a machine learning application. Data engineers
will mount an Azure Data Lake Storage account to the Databricks file system. Permissions to
folders are granted directly to the data engineers.
You need to recommend a design for the planned Databrick deployment. The solution must
meet the following requirements:
✑ Ensure that the data engineers can only access folders to which they have permissions.
✑ Minimize development effort.
✑ Minimize costs.
What should you include in the recommendation? To answer, select the appropriate options in
the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 46

Correct
Answer:

Box 1: Premium -
Premium Databricks SKU is required for credential passhtrough.

Box 2: Credential passthrough -

Athenticate automatically to Azure Data Lake Storage Gen1 (ADLS Gen1) and Azure Data Lake
Storage Gen2 (ADLS Gen2) from Azure Databricks clusters using the same Azure Active
Directory (Azure AD) identity that you use to log into Azure Databricks. When you enable Azure
Data Lake Storage credential passthrough for your cluster, commands that you run on that
cluster can read and write data in Azure Data Lake Storage without requiring you to configure
service principal credentials for access to storage.
Reference:
https://docs.microsoft.com/en-us/azure/databricks/security/credential-passthrough/adls-
passthrough
Question #6Topic 1
HOTSPOT -
You plan to deploy an Azure web app named App1 that will use Azure Active Directory (Azure
AD) authentication.
App1 will be accessed from the internet by the users at your company. All the users have
computers that run Windows 10 and are joined to Azure AD.
You need to recommend a solution to ensure that the users can connect to App1 without being
prompted for authentication and can access App1 only from company-owned computers.
What should you recommend for each requirement? To answer, select the appropriate options
in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 36

Correct
Answer:
Box 1: An Azure AD app registration
Azure active directory (AD) provides cloud based directory and identity management
services.You can use azure AD to manage users of your application and authenticate access to
your applications using azure active directory.
You register your application with Azure active directory tenant.
Box 2: A conditional access policy
Conditional Access policies at their simplest are if-then statements, if a user wants to access a
resource, then they must complete an action.
By using Conditional Access policies, you can apply the right access controls when needed to
keep your organization secure and stay out of your user's way when not needed.
Reference:
https://codingcanvas.com/using-azure-active-directory-authentication-in-your-web-application/
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Question #7Topic 1
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is
deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied
to the virtual machines.
Solution: Use Azure Traffic Analytics in Azure Network Watcher to analyze the network traffic.
Does this meet the goal?
• A. Yes
• B. No Most Voted

Hide Solution Discussion 42

Correct Answer: B 🗳️
Instead use Azure Network Watcher IP Flow Verify, which allows you to detect traffic filtering
issues at a VM level.
Note: IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The
information consists of direction, protocol, local IP, remote IP, local port, and remote port. If
the packet is denied by a security group, the name of the rule that denied the packet is
returned. While any source or destination IP can be chosen, IP flow verify helps administrators
quickly diagnose connectivity issues from or to the internet and from or to the on-premises
environment.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-
overview
Community vote distribution
B (94%)
6%

Question #8Topic 1
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is
deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied
to the virtual machines.
Solution: Use Azure Advisor to analyze the network traffic.
Does this meet the goal?
• A. Yes
• B. No Most Voted

Hide Solution Discussion 20

Correct Answer: B 🗳️
Instead use Azure Network Watcher IP Flow Verify, which allows you to detect traffic filtering
issues at a VM level.
Note: IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The
information consists of direction, protocol, local IP, remote IP, local port, and remote port. If
the packet is denied by a security group, the name of the rule that denied the packet is
returned. While any source or destination IP can be chosen, IP flow verify helps administrators
quickly diagnose connectivity issues from or to the internet and from or to the on-premises
environment.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-
overview
Community vote distribution
B (100%)
Question #9Topic 1
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is
deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied
to the virtual machines.
Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic.
Does this meet the goal?
• A. Yes Most Voted
• B. No

Hide Solution Discussion 25

Correct Answer: A 🗳️
Azure Network Watcher IP Flow Verify allows you to detect traffic filtering issues at a VM level.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The
information consists of direction, protocol, local IP, remote IP, local port, and remote port. If
the packet is denied by a security group, the name of the rule that denied the packet is
returned. While any source or destination IP can be chosen,
IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet
and from or to the on-premises environment.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-
overview
Community vote distribution
A (100%)

Question #10Topic 1
DRAG DROP -
You have an Azure subscription. The subscription contains Azure virtual machines that run
Windows Server 2016 and Linux.
You need to use Azure Monitor to design an alerting strategy for security-related events.
Which Azure Monitor Logs tables should you query? To answer, drag the appropriate tables to
the correct log types. Each table may be used once, more than once, or not at all. You may need
to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Hide Solution Discussion 29

Correct
Answer:

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-
events https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-syslog

Question #11Topic 1
You are designing a large Azure environment that will contain many subscriptions.
You plan to use Azure Policy as part of a governance solution.
To which three scopes can you assign Azure Policy definitions? Each correct answer presents a
complete solution.
NOTE: Each correct selection is worth one point.
• A. Azure Active Directory (Azure AD) administrative units
• B. Azure Active Directory (Azure AD) tenants
• C. subscriptions Most Voted
• D. compute resources
• E. resource groups Most Voted
• F. management groups Most Voted

Hide Solution Discussion 75

Correct Answer: CEF 🗳️
Azure Policy evaluates resources in Azure by comparing the properties of those resources to
business rules. Once your business rules have been formed, the policy definition or initiative is
assigned to any scope of resources that Azure supports, such as management groups,
subscriptions, resource groups, or individual resources.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
Community vote distribution
CEF (100%)

Question #12Topic 1
DRAG DROP -
Your on-premises network contains a server named Server1 that runs an ASP.NET application
named App1.
You have a hybrid deployment of Azure Active Directory (Azure AD).
You need to recommend a solution to ensure that users sign in by using their Azure AD account
and Azure Multi-Factor Authentication (MFA) when they connect to App1 from the internet.
Which three features should you recommend be deployed and configured in sequence? To
answer, move the appropriate features from the list of features to the answer area and arrange
them in the correct order.
Select and Place:
Hide Solution Discussion 34
Correct
Answer:

Step 1: Azure AD Application Proxy

Start by enabling communication to Azure data centers to prepare your environment for Azure
AD Application Proxy.
Step 2: an Azure AD enterprise application
Add an on-premises app to Azure AD.
Now that you've prepared your environment and installed a connector, you're ready to add on-
premises applications to Azure AD.
1. Sign in as an administrator in the Azure portal.
2. In the left navigation panel, select Azure Active Directory.
3. Select Enterprise applications, and then select New application.
4. Etc.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-
premises-application
Question #13Topic 1
You need to recommend a solution to generate a monthly report of all the new Azure Resource
Manager (ARM) resource deployments in your Azure subscription.
What should you include in the recommendation?
• A. Azure Activity Log Most Voted
• B. Azure Advisor
• C. Azure Analysis Services
• D. Azure Monitor action groups

Hide Solution Discussion 26

Correct Answer: A 🗳️
Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting
date isn't more than 90 days in the past.
Through activity logs, you can determine:
✑ what operations were taken on the resources in your subscription
✑ who started the operation
✑ when the operation occurred
✑ the status of the operation
✑ the values of other properties that might help you research the operation
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-
logs
Community vote distribution
A (100%)

Question #14Topic 1
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is
deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied
to the virtual machines.
Solution: Install and configure the Azure Monitoring agent and the Dependency Agent on all the
virtual machines. Use VM insights in Azure Monitor to analyze the network traffic.
Does this meet the goal?
• A. Yes
• B. No Most Voted

Hide Solution Discussion 12

Correct Answer: B 🗳️
Use the Azure Monitor agent if you need to:
Collect guest logs and metrics from any machine in Azure, in other clouds, or on-premises.
Use the Dependency agent if you need to:
Use the Map feature VM insights or the Service Map solution.
Note: Instead use Azure Network Watcher IP Flow Verify allows you to detect traffic filtering
issues at a VM level.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The
information consists of direction, protocol, local IP, remote IP, local port, and remote port. If
the packet is denied by a security group, the name of the rule that denied the packet is
returned. While any source or destination IP can be chosen,
IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet
and from or to the on-premises environment.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-
overview https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-
overview#dependency-agent
Community vote distribution
B (100%)

Question #15Topic 1
DRAG DROP -
You need to design an architecture to capture the creation of users and the assignment of
roles. The captured data must be stored in Azure Cosmos DB.
Which services should you include in the design? To answer, drag the appropriate services to
the correct targets. Each service may be used once, more than once, or not at all. You may need
to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Hide Solution Discussion 33

Correct
Answer:
Box 1: Azure Event Hubs -
You can route Azure Active Directory (Azure AD) activity logs to several endpoints for long term
retention and data insights.
The Event Hub is used for streaming.

Box 2: Azure Function -

Use an Azure Function along with a cosmos DB change feed, and store the data in Cosmos DB.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-
logs-azure-monitor
Question #16Topic 1
Your company, named Contoso, Ltd., implements several Azure logic apps that have HTTP
triggers. The logic apps provide access to an on-premises web service.
Contoso establishes a partnership with another company named Fabrikam, Inc.
Fabrikam does not have an existing Azure Active Directory (Azure AD) tenant and uses third-
party OAuth 2.0 identity management to authenticate its users.
Developers at Fabrikam plan to use a subset of the logic apps to build applications that will
integrate with the on-premises web service of Contoso.
You need to design a solution to provide the Fabrikam developers with access to the logic
apps. The solution must meet the following requirements:
✑ Requests to the logic apps from the developers must be limited to lower rates than the
requests from the users at Contoso.
✑ The developers must be able to rely on their existing OAuth 2.0 provider to gain access to
the logic apps.
✑ The solution must NOT require changes to the logic apps.
✑ The solution must NOT use Azure AD guest accounts.
What should you include in the solution?

• A. Azure Front Door

• B. Azure AD Application Proxy
• C. Azure AD business-to-business (B2B)
• D. Azure API Management Most Voted

Hide Solution Discussion 20

Correct Answer: D 🗳️
Many APIs support OAuth 2.0 to secure the API and ensure that only valid users have access,
and they can only access resources to which they're entitled. To use Azure API Management's
interactive developer console with such APIs, the service allows you to configure your service
instance to work with your OAuth 2.0 enabled API.
Incorrect:
Azure AD business-to-business (B2B) uses guest accounts.
Azure AD Application Proxy is for on-premises scenarios.
Reference:
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2
Community vote distribution
D (100%)

Question #17Topic 1
HOTSPOT -
You have an Azure subscription that contains 300 virtual machines that run Windows Server
2019.
You need to centrally monitor all warning events in the System logs of the virtual machines.
What should you include in the solution? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 20

Correct
Answer:

Box 1: A Log Analytics workspace

Send resource logs to a Log Analytics workspace to enable the features of Azure Monitor Logs.
You must create a diagnostic setting for each Azure resource to send its resource logs to a Log
Analytics workspace to use with Azure Monitor Logs.
Box 2: Install the Azure Monitor agent
Use the Azure Monitor agent if you need to:
Collect guest logs and metrics from any machine in Azure, in other clouds, or on-premises.
Manage data collection configuration centrally
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#azure-
monitor-agent
Question #18Topic 1
HOTSPOT -
You have several Azure App Service web apps that use Azure Key Vault to store data encryption
keys.
Several departments have the following requests to support the web app:

Which service should you recommend for each department's request? To answer, configure the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 32

Correct
Answer:

Box 1: Azure AD Privileged Identity Management

Privileged Identity Management provides time-based and approval-based role activation to
mitigate the risks of excessive, unnecessary, or misused access permissions on resources that
you care about. Here are some of the key features of Privileged Identity Management:
Provide just-in-time privileged access to Azure AD and Azure resources
Assign time-bound access to resources using start and end dates
Require approval to activate privileged roles
Enforce multi-factor authentication to activate any role
Use justification to understand why users activate
Get notifications when privileged roles are activated
Conduct access reviews to ensure users still need roles
Download audit history for internal or external audit
Prevents removal of the last active Global Administrator role assignment

Box 2: Azure Managed Identity -

Managed identities provide an identity for applications to use when connecting to resources
that support Azure Active Directory (Azure AD) authentication.
Applications may use the managed identity to obtain Azure AD tokens. With Azure Key Vault,
developers can use managed identities to access resources. Key
Vault stores credentials in a secure manner and gives access to storage accounts.
Box 3: Azure AD Privileged Identity Management
Privileged Identity Management provides time-based and approval-based role activation to
mitigate the risks of excessive, unnecessary, or misused access permissions on resources that
you care about. Here are some of the key features of Privileged Identity Management:
Provide just-in-time privileged access to Azure AD and Azure resources
Assign time-bound access to resources using start and end dates
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-
configure https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-
resources/overview
Question #19Topic 1
HOTSPOT -
Your company has the divisions shown in the following table.

You plan to deploy a custom application to each subscription. The application will contain the
following:
✑ A resource group
✑ An Azure web app
✑ Custom role assignments
✑ An Azure Cosmos DB account
You need to use Azure Blueprints to deploy the application to each subscription.
What is the minimum number of objects required to deploy the application? To answer, select
the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 67

Correct
Answer:
Box 1: 2 -
One management group for each Azure AD tenant
Azure management groups provide a level of scope above subscriptions.
All subscriptions within a management group automatically inherit the conditions applied to the
management group.
All subscriptions within a single management group must trust the same Azure Active Directory
tenant.

Box 2: 1 -
One single blueprint definition can be assigned to different existing management groups or
subscriptions.
When creating a blueprint definition, you'll define where the blueprint is saved. Blueprints can
be saved to a management group or subscription that you have
Contributor access to. If the location is a management group, the blueprint is available to
assign to any child subscription of that management group.

Box 3: 2 -

Blueprint assignment -
Each Published Version of a blueprint can be assigned (with a max name length of 90
characters) to an existing management group or subscription.
Assigning a blueprint definition to a management group means the assignment object exists at
the management group. The deployment of artifacts still targets a subscription.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
Question #20Topic 1
HOTSPOT -
You need to design an Azure policy that will implement the following functionality:
✑ For new resources, assign tags and values that match the tags and values of the resource
group to which the resources are deployed.
✑ For existing resources, identify whether the tags and values match the tags and values of
the resource group that contains the resources.
✑ For any non-compliant resources, trigger auto-generated remediation tasks to create
missing tags and values.
The solution must use the principle of least privilege.
What should you include in the design? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 20

Correct
Answer:

Box 1: Modify -
Modify is used to add, update, or remove properties or tags on a subscription or resource
during creation or update. A common example is updating tags on resources such as
costCenter. Existing non-compliant resources can be remediated with a remediation task. A
single Modify rule can have any number of operations. Policy assignments with effect set as
Modify require a managed identity to do remediation.
Incorrect:
* The following effects are deprecated: EnforceOPAConstraint EnforceRegoPolicy
* Append is used to add additional fields to the requested resource during creation or update. A
common example is specifying allowed IPs for a storage resource.
Append is intended for use with non-tag properties. While Append can add tags to a resource
during a create or update request, it's recommended to use the
Modify effect for tags instead.
Box 2: A managed identity with the Contributor role
The managed identity needs to be granted the appropriate roles required for remediating
resources to grant the managed identity.
Contributor - Can create and manage all types of Azure resources but can't grant access to
others.
Incorrect:
User Access Administrator: lets you manage user access to Azure resources.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Question #21Topic 1
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

You create an Azure SQL database named DB1 that is hosted in the East US Azure region.
To DB1, you add a diagnostic setting named Settings1. Settings1 archive SQLInsights to
storage1 and sends SQLInsights to Workspace1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:

Hide Solution Discussion 19

Correct
Answer:

Box 1: Yes -
A single diagnostic setting can define no more than one of each of the destinations. If you want
to send data to more than one of a particular destination type (for example, two different Log
Analytics workspaces), then create multiple settings.
Each resource can have up to 5 diagnostic settings.
Note: This diagnostic telemetry can be streamed to one of the following Azure resources for
analysis.
* Log Analytics workspace
* Azure Event Hubs
* Azure Storage

Box 2: Yes -

Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings
https://docs.microsoft.com/en-us/azure/azure-sql/database/metrics-diagnostic-telemetry-
logging-streaming-export-configure?tabs=azure-portal
Question #22Topic 1
You plan to deploy an Azure SQL database that will store Personally Identifiable Information
(PII).
You need to ensure that only privileged users can view the PII.
What should you include in the solution?

• A. dynamic data masking Most Voted

• B. role-based access control (RBAC)
• C. Data Discovery & Classification
• D. Transparent Data Encryption (TDE)
Hide Solution Discussion 18
Correct Answer: A 🗳️
Dynamic data masking limits sensitive data exposure by masking it to non-privileged users.
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling
customers to designate how much of the sensitive data to reveal with minimal impact on the
application layer. It's a policy-based security feature that hides the sensitive data in the result
set of a query over designated database fields, while the data in the database is not changed.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview
Community vote distribution
A (100%)

Question #23Topic 1
You plan to deploy an app that will use an Azure Storage account.
You need to deploy the storage account. The storage account must meet the following
requirements:
✑ Store the data for multiple users.
✑ Encrypt each user's data by using a separate key.
✑ Encrypt all the data in the storage account by using customer-managed keys.
What should you deploy?

• A. files in a premium file share storage account

• B. blobs in a general purpose v2 storage account Most Voted
• C. blobs in an Azure Data Lake Storage Gen2 account
• D. files in a general purpose v2 storage account

Hide Solution Discussion 27

Correct Answer: B 🗳️
You can specify a customer-provided key on Blob storage operations. A client making a read or
write request against Blob storage can include an encryption key on the request for granular
control over how blob data is encrypted and decrypted.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
Community vote distribution
B (93%)
7%

Question #24Topic 1
HOTSPOT -
You have an Azure App Service web app that uses a system-assigned managed identity.
You need to recommend a solution to store the settings of the web app as secrets in an Azure
key vault. The solution must meet the following requirements:
✑ Minimize changes to the app code.
✑ Use the principle of least privilege.
What should you include in the recommendation? To answer, select the appropriate options in
the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 10

Correct
Answer:

Box 1: Key Vault references in Application settings

Source Application Settings from Key Vault.
Key Vault references can be used as values for Application Settings, allowing you to keep
secrets in Key Vault instead of the site config. Application Settings are securely encrypted at
rest, but if you need secret management capabilities, they should go into Key Vault.
To use a Key Vault reference for an app setting, set the reference as the value of the setting.
Your app can reference the secret through its key as normal. No code changes are required.

Box 2: Secrets: Get -

In order to read secrets from Key Vault, you need to have a vault created and give your app
permission to access it.
1. Create a key vault by following the Key Vault quickstart.
2. Create a managed identity for your application.
3. Key Vault references will use the app's system assigned identity by default, but you can
specify a user-assigned identity.
4. Create an access policy in Key Vault for the application identity you created earlier. Enable
the "Get" secret permission on this policy.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
Question #25Topic 1
You plan to deploy an application named App1 that will run on five Azure virtual machines.
Additional virtual machines will be deployed later to run App1.
You need to recommend a solution to meet the following requirements for the virtual machines
that will run App1:
✑ Ensure that the virtual machines can authenticate to Azure Active Directory (Azure AD) to
gain access to an Azure key vault, Azure Logic Apps instances, and an Azure SQL database.
✑ Avoid assigning new roles and permissions for Azure services when you deploy additional
virtual machines.
✑ Avoid storing secrets and certificates on the virtual machines.
✑ Minimize administrative effort for managing identities.
Which type of identity should you include in the recommendation?

• A. a system-assigned managed identity

• B. a service principal that is configured to use a certificate
• C. a service principal that is configured to use a client secret
• D. a user-assigned managed identity Most Voted

Hide Solution Discussion 18

Correct Answer: D 🗳️
Managed identities provide an identity for applications to use when connecting to resources
that support Azure Active Directory (Azure AD) authentication.
A user-assigned managed identity:
Can be shared.
The same user-assigned managed identity can be associated with more than one Azure
resource.
Common usage:
Workloads that run on multiple resources and can share a single identity.
For example, a workload where multiple virtual machines need to access the same resource.
Incorrect:
Not A: A system-assigned managed identity can't be shared. It can only be associated with a
single Azure resource.
Typical usage:
Workloads that are contained within a single Azure resource.
Workloads for which you need independent identities.
For example, an application that runs on a single virtual machine.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-
resources/overview
Community vote distribution
D (100%)

Question #26Topic 1
You have the resources shown in the following table:

CDB1 hosts a container that stores continuously updated operational data.

You are designing a solution that will use AS1 to analyze the operational data daily.
You need to recommend a solution to analyze the data without affecting the performance of
the operational data store.
What should you include in the recommendation?

• A. Azure Cosmos DB change feed

• B. Azure Data Factory with Azure Cosmos DB and Azure Synapse Analytics connectors
• C. Azure Synapse Link for Azure Cosmos DB Most Voted
• D. Azure Synapse Analytics with PolyBase data loading

Hide Solution Discussion 12

Correct Answer: C 🗳️
Azure Synapse Link for Azure Cosmos DB creates a tight integration between Azure Cosmos DB
and Azure Synapse Analytics. It enables customers to run near real-time analytics over their
operational data with full performance isolation from their transactional workloads and without
an ETL pipeline.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/synapse-link-frequently-asked-questions
Community vote distribution
C (100%)

Question #27Topic 1
HOTSPOT -
You deploy several Azure SQL Database instances.
You plan to configure the Diagnostics settings on the databases as shown in the following
exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 24

Correct
Answer:
Box 1: 90 days -
As per exhibit.

Box 2: 730 days -

How long is the data kept?
Raw data points (that is, items that you can query in Analytics and inspect in Search) are kept
for up to 730 days.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/data-retention-privacy
Question #28Topic 1
You have an application that is used by 6,000 users to validate their vacation requests. The
application manages its own credential store.
Users must enter a username and password to access the application. The application does
NOT support identity providers.
You plan to upgrade the application to use single sign-on (SSO) authentication by using an
Azure Active Directory (Azure AD) application registration.
Which SSO method should you use?

• A. header-based
• B. SAML
• C. password-based Most Voted
• D. OpenID Connect

Hide Solution Discussion 10

Correct Answer: C 🗳️
Password - On-premises applications can use a password-based method for SSO. This choice
works when applications are configured for Application Proxy.
With password-based SSO, users sign in to the application with a username and password the
first time they access it. After the first sign-on, Azure AD provides the username and password
to the application. Password-based SSO enables secure application password storage and
replay using a web browser extension or mobile app. This option uses the existing sign-in
process provided by the application, enables an administrator to manage the passwords, and
doesn't require the user to know the password.
Incorrect:
Choosing an SSO method depends on how the application is configured for authentication.
Cloud applications can use federation-based options, such as OpenID
Connect, OAuth, and SAML.
Federation - When you set up SSO to work between multiple identity providers, it's called
federation.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on
Community vote distribution
C (100%)

Question #29Topic 1
HOTSPOT -
You have an Azure subscription that contains a virtual network named VNET1 and 10 virtual
machines. The virtual machines are connected to VNET1.
You need to design a solution to manage the virtual machines from the internet. The solution
must meet the following requirements:
✑ Incoming connections to the virtual machines must be authenticated by using Azure Multi-
Factor Authentication (MFA) before network connectivity is allowed.
✑ Incoming connections must use TLS and connect to TCP port 443.
✑ The solution must support RDP and SSH.
What should you include in the solution? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 55

Correct
Answer:
Box 1: Just-in-time (JIT) VN access
Lock down inbound traffic to your Azure Virtual Machines with Microsoft Defender for Cloud's
just-in-time (JIT) virtual machine (VM) access feature. This reduces exposure to attacks while
providing easy access when you need to connect to a VM.
Note: Threat actors actively hunt accessible machines with open management ports, like RDP
or SSH. Your legitimate users also use these ports, so it's not practical to keep them closed.
When you enable just-in-time VM access, you can select the ports on the VM to which inbound
traffic will be blocked.
To solve this dilemma, Microsoft Defender for Cloud offers JIT. With JIT, you can lock down the
inbound traffic to your VMs, reducing exposure to attacks while providing easy access to
connect to VMs when needed.
Box 2: A conditional Access policy that has Cloud Apps assignment set to Azure Windows VM
Sign-In
You can enforce Conditional Access policies such as multi-factor authentication or user sign-in
risk check before authorizing access to Windows VMs in Azure that are enabled with Azure AD
sign in. To apply Conditional Access policy, you must select the "Azure Windows VM Sign-In"
app from the cloud apps or actions assignment option and then use Sign-in risk as a condition
and/or require multi-factor authentication as a grant access control.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-
windows
Question #30Topic 1
You are designing an Azure governance solution.
All Azure resources must be easily identifiable based on the following operational information:
environment, owner, department and cost center.
You need to ensure that you can use the operational information when you generate reports for
the Azure resources.
What should you include in the solution?

• A. an Azure data catalog that uses the Azure REST API as a data source
• B. an Azure management group that uses parent groups to create a hierarchy
• C. an Azure policy that enforces tagging rules Most Voted
• D. Azure Active Directory (Azure AD) administrative units

Hide Solution Discussion 16

Correct Answer: C 🗳️
You apply tags to your Azure resources, resource groups, and subscriptions to logically
organize them into a taxonomy. Each tag consists of a name and a value pair.
You use Azure Policy to enforce tagging rules and conventions. By creating a policy, you avoid
the scenario of resources being deployed to your subscription that don't have the expected tags
for your organization. Instead of manually applying tags or searching for resources that aren't
compliant, you create a policy that automatically applies the needed tags during deployment.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
Community vote distribution
C (100%)
Question #31Topic 1
A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is
integrated with Microsoft 365 and an Azure subscription.
Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run
Active Directory Domain Services (AD DS) and Azure AD Connect.
Contoso has a partnership with a company named Fabrikam. Inc. Fabrikam has an Active
Directory forest and a Microsoft 365 tenant. Fabrikam has the same on- premises identity
infrastructure components as Contoso.
A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the
Azure subscription of Contoso. The developers must be added to the Contributor role for a
resource group in the Contoso subscription.
You need to recommend a solution to ensure that Contoso can assign the role to the 10
Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing
credentials to access resources
What should you recommend?

• A. In the Azure AD tenant of Contoso. create cloud-only user accounts for the Fabrikam
developers.
• B. Configure a forest trust between the on-premises Active Directory forests of Contoso
and Fabrikam.
• C. Configure an organization relationship between the Microsoft 365 tenants of
Fabrikam and Contoso.
• D. In the Azure AD tenant of Contoso, create guest accounts for the Fabnkam
developers. Most Voted

Hide Solution Discussion 20

Correct Answer: D 🗳️
You can use the capabilities in Azure Active Directory B2B to collaborate with external guest
users and you can use Azure RBAC to grant just the permissions that guest users need in your
environment.
Incorrect:
Not B: Forest trust is used for internal security, not external access.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-
users
Community vote distribution
D (93%)
5%

Question #32Topic 1
Your company has the divisions shown in the following table.
Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-
tenant user authentication. Users from contoso.com can authenticate to App1.
You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate
to App1.
What should you recommend?

• A. Configure the Azure AD provisioning service.

• B. Enable Azure AD pass-through authentication and update the sign-in endpoint.
• C. Use Azure AD entitlement management to govern external users. Most Voted
• D. Configure Azure AD join.

Hide Solution Discussion 32

Correct Answer: A 🗳️
You can enable automatic user provisioning for your multi-tenant application in Azure Active
Directory.
Automatic user provisioning is the process of automating the creation, maintenance, and
removal of user identities in target systems like your software-as-a- service applications.
Azure AD provides several integration paths to enable automatic user provisioning for your
application.
* The Azure AD Provisioning Service manages the provisioning and deprovisioning of users
from Azure AD to your application (outbound provisioning) and from your application to Azure
AD (inbound provisioning). The service connects to the System for Cross-Domain Identity
Management (SCIM) user management API endpoints provided by your application.
* Microsoft Graph
* The Security Assertion Markup Language Just in Time (SAML JIT) user provisioning.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/isv-automatic-
provisioning-multi-tenant-apps
Community vote distribution
C (100%)

Question #33Topic 1
HOTSPOT -
Your company has 20 web APIs that were developed in-house.
The company is developing 10 web apps that will use the web APIs. The web apps and the APIs
are registered in the company s Azure Active Directory (Azure
AD) tenant. The web APIs are published by using Azure API Management.
You need to recommend a solution to block unauthorized requests originating from the web
apps from reaching the web APIs. The solution must meet the following requirements:
✑ Use Azure AD-generated claims.
Minimize configuration and management effort.

What should you include in the recommendation? To answer, select the appropriate options in
the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 8

Correct
Answer:

Box 1: Azure AD -
Grant permissions in Azure AD.

Box 2: Azure API Management -

Configure a JWT validation policy to pre-authorize requests.
Pre-authorize requests in API Management with the Validate JWT policy, by validating the
access tokens of each incoming request. If a request does not have a valid token, API
Management blocks it.
Reference:
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-
backend-with-aad
Question #34Topic 1
You need to recommend a solution to generate a monthly report of all the new Azure Resource
Manager (ARM) resource deployments in your Azure subscription.
What should you include in the recommendation?

• A. Azure Log Analytics Most Voted

• B. Azure Arc
• C. Azure Analysis Services
 • D. Application Insights

Hide Solution Discussion 10

Correct Answer: A 🗳️
The Activity log is a platform log in Azure that provides insight into subscription-level events.
Activity log includes such information as when a resource is modified or when a virtual
machine is started.
Activity log events are retained in Azure for 90 days and then deleted.
For more functionality, you should create a diagnostic setting to send the Activity log to one or
more of these locations for the following reasons: to Azure Monitor Logs for more complex
querying and alerting, and longer retention (up to two years) to Azure Event Hubs to forward
outside of Azure to Azure Storage for cheaper, long-term archiving
Note: Azure Monitor builds on top of Log Analytics, the platform service that gathers log and
metrics data from all your resources. The easiest way to think about it is that Azure Monitor is
the marketing name, whereas Log Analytics is the technology that powers it.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
Community vote distribution
A (100%)

Question #35Topic 1
Your company has the divisions shown in the following table.

Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-
tenant user authentication. Users from contoso.com can authenticate to App1.
You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate
to App1.
What should you recommend?

• A. Configure the Azure AD provisioning service.

• B. Configure assignments for the fabrikam.com users by using Azure AD Privileged
Identity Management (PIM).
• C. Use Azure AD entitlement management to govern external users. Most Voted
• D. Configure Azure AD Identity Protection.

Hide Solution Discussion 20

Correct Answer: C 🗳️
Entitlement management is an identity governance capability that enables organizations to
manage identity and access lifecycle at scale by automating access request workflows, access
assignments, reviews, and expiration. Entitlement management allows delegated non-admins
to create access packages that external users from other organizations can request access to.
One and multi-stage approval workflows can be configured to evaluate requests, and provision
users for time-limited access with recurring reviews. Entitlement management enables policy-
based provisioning and deprovisioning of external accounts.

Note: Access Packages -

An access package is the foundation of entitlement management. Access packages are
groupings of policy-governed resources a user needs to collaborate on a project or do other
tasks. For example, an access package might include: access to specific SharePoint sites.
enterprise applications including your custom in-house and SaaS apps like Salesforce.
Microsoft Teams.
Microsoft 365 Groups.
Incorrect:
Not A: Automatic provisioning refers to creating user identities and roles in the cloud
applications that users need access to. In addition to creating user identities, automatic
provisioning includes the maintenance and removal of user identities as status or roles change.
Not B: Privileged Identity Management provides time-based and approval-based role activation
to mitigate the risks of excessive, unnecessary, or misused access permissions on resources
that you care about. Here are some of the key features of Privileged Identity Management:
Provide just-in-time privileged access to Azure AD and Azure resources
Assign time-bound access to resources using start and end dates
Etc.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/6-secure-access-
entitlement-managment https://docs.microsoft.com/en-us/azure/active-directory/app-
provisioning/how-provisioning-works https://docs.microsoft.com/en-us/azure/active-
directory/privileged-identity-management/pim-configure
Community vote distribution
C (100%)

Question #36Topic 1
You are developing an app that will read activity logs for an Azure subscription by using Azure
Functions.

You need to recommend an authentication solution for Azure Functions. The solution must
minimize administrative effort.

What should you include in the recommendation?

• A. an enterprise application in Azure AD

• B. system-assigned managed identities Most Voted
• C. shared access signatures (SAS)
• D. application registration in Azure AD

Hide Solution Discussion 15

Correct Answer: B 🗳️

Community vote distribution

B (100%)
Question #37Topic 1
Your company has the divisions shown in the following table.

Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-
tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate
to App1.

What should you recommend?

• A. Configure Azure AD join.

• B. Use Azure AD entitlement management to govern external users. Most Voted
• C. Enable Azure AD pass-through authentication and update the sign-in endpoint.
• D. Configure assignments for the fabrikam.com users by using Azure AD Privileged
Identity Management (PIM).

Hide Solution Discussion 14

Correct Answer: B 🗳️

Community vote distribution

B (100%)

Question #38Topic 1
Your company has the divisions shown in the following table.

Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-
tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate
to App1.

What should you recommend?

• A. Configure Azure AD join.

 • B. Configure Azure AD Identity Protection.
• C. Use Azure AD entitlement management to govern external users. Most Voted
• D. Configure assignments for the fabrikam.com users by using Azure AD Privileged
Identity Management (PIM).

Hide Solution Discussion 6

Correct Answer: C 🗳️

Community vote distribution

C (100%)

Question #39Topic 1
You need to recommend a solution to generate a monthly report of all the new Azure Resource
Manager (ARM) resource deployments in your Azure subscription.

What should you include in the recommendation?

• A. Azure Activity Log Most Voted

• B. Azure Arc
• C. Azure Analysis Services
• D. Azure Monitor metrics

Hide Solution Discussion 8

Correct Answer: A 🗳️

Community vote distribution

A (100%)

Question #40Topic 1
HOTSPOT
-

You have an Azure subscription that contains an Azure key vault named KV1 and a virtual
machine named VM1. VM1 runs Windows Server 2022: Azure Edition.

You plan to deploy an ASP.Net Core-based application named App1 to VM1.

You need to configure App1 to use a system-assigned managed identity to retrieve secrets
from KV1. The solution must minimize development effort.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 22

Correct
Answer:

Question #41Topic 1
Your company has the divisions shown in the following table.

Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-
tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate
to App1.

What should you recommend?

• A. Configure Azure AD join.

• B. Configure Azure AD Identity Protection.
• C. Configure a Conditional Access policy.
 • D. Configure Supported account types in the application registration and update the
sign-in endpoint. Most Voted

Hide Solution Discussion 10

Correct Answer: D 🗳️

Community vote distribution

D (100%)

Question #42Topic 1
You have an Azure AD tenant named contoso.com that has a security group named Group1.
Group1 is configured for assigned memberships. Group1 has 50 members, including 20 guest
users.

You need to recommend a solution for evaluating the membership of Group1. The solution
must meet the following requirements:

• The evaluation must be repeated automatically every three months.

• Every member must be able to report whether they need to be in Group1.
• Users who report that they do not need to be in Group1 must be removed from Group1
automatically.
• Users who do not report whether they need to be in Group1 must be removed from Group1
automatically.

What should you include in the recommendation?

• A. Implement Azure AD Identity Protection.

• B. Change the Membership type of Group1 to Dynamic User.
• C. Create an access review. Most Voted
• D. Implement Azure AD Privileged Identity Management (PIM).

Hide Solution Discussion 55

Correct Answer: D 🗳️

Community vote distribution

C (97%)
3%

Question #43Topic 1
HOTSPOT
-

You have an Azure subscription named Sub1 that is linked to an Azure AD tenant named
contoso.com.

You plan to implement two ASP.NET Core apps named App1 and App2 that will be deployed to
100 virtual machines in Sub1. Users will sign in to App1 and App2 by using their contoso.com
credentials.
App1 requires read permissions to access the calendar of the signed-in user. App2 requires
write permissions to access the calendar of the signed-in user.

You need to recommend an authentication and authorization solution for the apps. The solution
must meet the following requirements:

• Use the principle of least privilege.

• Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in
the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 34

Correct Answer:

Question #44Topic 1
Your company has the divisions shown in the following table.

Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-
tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate
to App1.

What should you recommend?

• A. Enable Azure AD pass-through authentication and update the sign-in endpoint.

• B. Use Azure AD entitlement management to govern external users. Most Voted
• C. Configure assignments for the fabrikam.com users by using Azure AD Privileged
Identity Management (PIM).
• D. Configure Azure AD Identity Protection.

Hide Solution Discussion 7

Correct Answer: B 🗳️

Community vote distribution

B (100%)

Question #45Topic 1
Your company has the divisions shown in the following table.

Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-
tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate
to App1.

What should you recommend?

• A. Configure the Azure AD provisioning service.

• B. Enable Azure AD pass-through authentication and update the sign-in endpoint.
 • C. Configure Supported account types in the application registration and update the
sign-in endpoint. Most Voted
• D. Configure Azure AD join.

Hide Solution Discussion 7

Correct Answer: C 🗳️

Community vote distribution

C (100%)

Question #46Topic 1
HOTSPOT
-

You have an Azure AD tenant that contains a management group named MG1.

You have the Azure subscriptions shown in the following table.

The subscriptions contain the resource groups shown in the following table.

The subscription contains the Azure AD security groups shown in the following table.

The subscription contains the user accounts shown in the following table.
You perform the following actions:

Assign User3 the Contributor role for Sub1.

Assign Group1 the Virtual Machine Contributor role for MG1.
Assign Group3 the Contributor role for the Tenant Root Group.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 22

Correct Answer:

Question #47Topic 1
Your company has the divisions shown in the following table.
Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-
tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate
to App1.

What should you recommend?

• A. Configure Azure AD Identity Protection.

• B. Configure assignments for the fabrikam.com users by using Azure AD Privileged
Identity Management (PIM).
• C. Configure Supported account types in the application registration and update the
sign-in endpoint. Most Voted
• D. Configure a Conditional Access policy.

Hide Solution Discussion 7

Correct Answer: C 🗳️

Community vote distribution

C (100%)

Question #48Topic 1
Your company has the divisions shown in the following table.

Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-
tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate
to App1.

What should you recommend?

• A. Use Azure AD entitlement management to govern external users. Most Voted

• B. Enable Azure AD pass-through authentication and update the sign-in endpoint.
• C. Configure a Conditional Access policy.
• D. Configure assignments for the fabrikam.com users by using Azure AD Privileged
Identity Management (PIM).

Hide Solution Discussion 6

Correct Answer: A 🗳️

Community vote distribution

A (100%)

Question #49Topic 1
You have an Azure subscription that contains 1,000 resources.

You need to generate compliance reports for the subscription. The solution must ensure that
the resources can be grouped by department.

What should you use to organize the resources?

• A. application groups and quotas

• B. Azure Policy and tags Most Voted
• C. administrative units and Azure Lighthouse
• D. resource groups and role assignments

Hide Solution Discussion 6

Correct Answer: B 🗳️

Community vote distribution

B (100%)

Question #50Topic 1
You need to recommend a solution to generate a monthly report of all the new Azure Resource
Manager (ARM) resource deployments in your Azure subscription.

What should you include in the recommendation?

• A. Azure Arc
• B. Azure Monitor metrics
• C. Azure Advisor
• D. Azure Log Analytics Most Voted

Hide Solution Discussion 4

Correct Answer: D 🗳️

Community vote distribution

D (100%)

Question #51Topic 1
You need to recommend a solution to generate a monthly report of all the new Azure Resource
Manager (ARM) resource deployments in your Azure subscription.

What should you include in the recommendation?

 • A. Azure Monitor action groups
• B. Azure Arc
• C. Azure Monitor metrics
• D. Azure Activity Log Most Voted

Hide Solution Discussion 4

Correct Answer: D 🗳️

Community vote distribution

D (100%)

Question #52Topic 1
DRAG DROP
-

You have an Azure AD tenant that contains an administrative unit named MarketingAU.
MarketingAU contains 100 users.

You create two users named User1 and User2.

You need to ensure that the users can perform the following actions in MarketingAU:

• User1 must be able to create user accounts.

• User2 must be able to reset user passwords.

Which role should you assign to each user? To answer, drag the appropriate roles to the correct
users. Each role may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 12

Correct Answer:

Question #53Topic 1
You need to recommend a solution to generate a monthly report of all the new Azure Resource
Manager (ARM) resource deployments in your Azure subscription.

What should you include in the recommendation?

• A. Azure Arc
• B. Azure Log Analytics
• C. Application insights
• D. Azure Monitor action groups

Hide Solution Discussion 6

Correct Answer: B 🗳️

Question #54Topic 1
HOTSPOT
-

You are designing an app that will be hosted on Azure virtual machines that run Ubuntu. The
app will use a third-party email service to send email messages to users. The third-party email
service requires that the app authenticate by using an API key.

You need to recommend an Azure Key Vault solution for storing and accessing the API key. The
solution must minimize administrative effort.

What should you recommend using to store and access the key? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 2

Correct Answer:

Question #55Topic 1
DRAG DROP
-

You have two app registrations named App1 and App2 in Azure AD. App1 supports role-based
access control (RBAC) and includes a role named Writer.

You need to ensure that when App2 authenticates to access App1, the tokens issued by Azure
AD include the Writer role claim.

Which blade should you use to modify each app registration? To answer, drag the appropriate
blades to the correct app registrations. Each blade may be used once, more than once, or not at
all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 7

Correct Answer:

Correct Answer:

Question #56Topic 1
You need to recommend a solution to generate a monthly report of all the new Azure Resource
Manager (ARM) resource deployments in your Azure subscription.

What should you include in the recommendation?

• A. Application Insights
• B. Azure Arc
• C. Azure Log Analytics
• D. Azure Monitor metrics

Hide Solution Discussion 3

Correct Answer: C 🗳️

Community vote distribution

C (100%)

Question #57Topic 1
You have an Azure subscription.

You plan to deploy a monitoring solution that will include the following:

• Azure Monitor Network Insights

• Application Insights
• Microsoft Sentinel
• VM insights

The monitoring solution will be managed by a single team.

What is the minimum number of Azure Monitor workspaces required?

• A. 1 Most Voted
• B. 2
• C. 3
• D. 4

Hide Solution Discussion 15

Correct Answer: C 🗳️

Community vote distribution

A (82%)
C (18%)

Question #58Topic 1
You need to recommend a solution to generate a monthly report of all the new Azure Resource
Manager (ARM) resource deployments in your Azure subscription.

What should you include in the recommendation?

• A. Application Insights
• B. Azure Analysis Services
• C. Azure Advisor Most Voted
• D. Azure Activity Log Most Voted

Hide Solution Discussion 13

Correct Answer: D 🗳️

Community vote distribution

D (61%)
C (39%)

Question #59Topic 1
HOTSPOT
-

Case Study
-

This is a case study. Case studies are not timed separately. You can use as much exam time as
you would like to complete each case. However, there may be additional case studies and
sections on this exam. You must manage your time to ensure that you are able to complete all
questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is
provided in the case study. Case studies might contain exhibits and other resources that
provide more information about the scenario that is described in the case study. Each question
is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your
answers and to make changes before you move to the next section of the exam. After you
begin a new section, you cannot return to this section.

To start the case study

-
To display the first question in this case study, click the Next button. Use the buttons in the left
pane to explore the content of the case study before you answer the questions. Clicking these
buttons displays information such as business requirements, existing environment, and
problem statements. If the case study has an All Information tab, note that the information
displayed is identical to the information displayed on the subsequent tabs. When you are ready
to answer a question, click the Question button to return to the question.

Overview
-

Fabrikam, Inc. is an engineering company that has offices throughout Europe. The company
has a main office in London and three branch offices in Amsterdam, Berlin, and Rome.

Existing Environment: Active Directory Environment

The network contains two Active Directory forests named corp.fabrikam.com and
rd.fabrikam.com. There are no trust relationships between the forests.

Corp.fabrikam.com is a production forest that contains identities used for internal user and
computer authentication.

Rd.fabrikam.com is used by the research and development (R&D) department only. The R&D
department is restricted to using on-premises resources only.

Existing Environment: Network Infrastructure

Each office contains at least one domain controller from the corp.fabrikam.com domain. The
main office contains all the domain controllers for the rd.fabrikam.com forest.

All the offices have a high-speed connection to the internet.

An existing application named WebApp1 is hosted in the data center of the London office.
WebApp1 is used by customers to place and track orders. WebApp1 has a web tier that uses
Microsoft Internet Information Services (IIS) and a database tier that runs Microsoft SQL Server
2016. The web tier and the database tier are deployed to virtual machines that run on Hyper-V.

The IT department currently uses a separate Hyper-V environment to test updates to WebApp1.

Fabrikam purchases all Microsoft licenses through a Microsoft Enterprise Agreement that
includes Software Assurance.

Existing Environment: Problem Statements

The use of WebApp1 is unpredictable. At peak times, users often report delays. At other times,
many resources for WebApp1 are underutilized.

Requirements: Planned Changes

-

Fabrikam plans to move most of its production workloads to Azure during the next few years,
including virtual machines that rely on Active Directory for authentication.

As one of its first projects, the company plans to establish a hybrid identity model, facilitating
an upcoming Microsoft 365 deployment.

All R&D operations will remain on-premises.

Fabrikam plans to migrate the production and test instances of WebApp1 to Azure.

Requirements: Technical Requirements

Fabrikam identifies the following technical requirements:

• Website content must be easily updated from a single point.

• User input must be minimized when provisioning new web app instances.
• Whenever possible, existing on-premises licenses must be used to reduce cost.
• Users must always authenticate by using their corp.fabrikam.com UPN identity.
• Any new deployments to Azure must be redundant in case an Azure region fails.
• Whenever possible, solutions must be deployed to Azure by using the Standard pricing tier of
Azure App Service.
• An email distribution group named IT Support must be notified of any issues relating to the
directory synchronization services.
• In the event that a link fails between Azure and the on-premises network, ensure that the
virtual machines hosted in Azure can authenticate to Active Directory.
• Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com
must not be affected by a link failure between Azure and the on-premises network.

Requirements: Database Requirements

Fabrikam identifies the following database requirements:

• Database metrics for the production instance of WebApp1 must be available for analysis so
that database administrators can optimize the performance settings.
• To avoid disrupting customer access, database downtime must be minimized when
databases are migrated.
• Database backups must be retained for a minimum of seven years to meet compliance
requirements.

Requirements: Security Requirements

Fabrikam identifies the following security requirements:

• Company information including policies, templates, and data must be inaccessible to anyone
outside the company.
• Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an
internet link fails.
• Administrators must be able authenticate to the Azure portal by using their
corp.fabrikam.com credentials.
• All administrative access to the Azure portal must be secured by using multi-factor
authentication (MFA).
• The testing of WebApp1 updates must not be visible to anyone outside the company.

To meet the authentication requirements of Fabrikam, what should you include in the solution?
To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 12

Correct
Answer:

Question #60Topic 1
You have an Azure subscription that contains 10 web apps. The apps are integrated with Azure
AD and are accessed by users on different project teams.

The users frequently move between projects.

You need to recommend an access management solution for the web apps. The solution must
meet the following requirements:

• The users must only have access to the app of the project to which they are assigned
currently.
• Project managers must verify which users have access to their project’s app and remove
users that are no longer assigned to their project.
• Once every 30 days, the project managers must be prompted automatically to verify which
users are assigned to their projects.

What should you include in the recommendation?

• A. Azure AD Identity Protection

• B. Microsoft Defender for Identity
 • C. Microsoft Entra Permissions Management
• D. Azure AD Identity Governance Most Voted

Hide Solution Discussion 4

Correct Answer: D 🗳️

Community vote distribution

D (100%)

Question #61Topic 1
HOTSPOT
-

You have an Azure subscription that contains 50 Azure SQL databases.

You create an Azure Resource Manager (ARM) template named Template1 that enables
Transparent Data Encryption (TDE).

You need to create an Azure Policy definition named Policy1 that will use Template1 to enable
TDE for any noncompliant Azure SQL databases.

How should you configure Policy1? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 6

Correct
Answer:
Question #62Topic 1
You have an Azure subscription. The subscription contains a tiered app named App1 that is
distributed across multiple containers hosted in Azure Container Instances.

You need to deploy an Azure Monitor monitoring solution for App. The solution must meet the
following requirements:

• Support using synthetic transaction monitoring to monitor traffic between the App1
components.
• Minimize development effort.

What should you include in the solution?

• A. Network insights
• B. Application Insights
• C. Container insights
• D. Log Analytics Workspace insights

Hide Solution Discussion 5

Correct Answer: B 🗳️

Community vote distribution

B (100%)
Question #63Topic 1
HOTSPOT
-

You have an Azure subscription that contains the resources shown in the following table:
Log files from App1 are registered to App1Logs. An average of 120 GB of log data is ingested
per day.

You configure an Azure Monitor alert that will be triggered if the App1 logs contain error
messages.

You need to minimize the Log Analytics costs associated with App1. The solution must meet
the following requirements:
• Ensure that all the log files from App1 are ingested to App1Logs.
• Minimize the impact on the Azure Monitor alert.

Which resource should you modify, and which modification should you perform? To answer,
select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 4

Correct Answer:

Question #64Topic 1
You have 12 Azure subscriptions and three projects. Each project uses resources across
multiple subscriptions.

You need to use Microsoft Cost Management to monitor costs on a per project basis. The
solution must minimize administrative effort.

Which two components should you include in the solution? Each correct answer presents part
of the solution.

NOTE: Each correct selection is worth one point.

• A. budgets Most Voted

• B. resource tags Most Voted
• C. custom role-based access control (RBAC) roles
• D. management groups
• E. Azure boards

Hide Solution Discussion 5

Correct Answer: BD 🗳️

Community vote distribution

AB (100%)

Topic 2 - Question Set 2

Question #1Topic 2
You have 100 servers that run Windows Server 2012 R2 and host Microsoft SQL Server 2014
instances. The instances host databases that have the following characteristics:
✑ Stored procedures are implemented by using CLR.
✑ The largest database is currently 3 TB. None of the databases will ever exceed 4 TB.
You plan to move all the data from SQL Server to Azure.
You need to recommend a service to host the databases. The solution must meet the following
requirements:
✑ Whenever possible, minimize management overhead for the migrated databases.
✑ Ensure that users can authenticate by using Azure Active Directory (Azure AD) credentials.
✑ Minimize the number of database changes required to facilitate the migration.
What should you include in the recommendation?

• A. Azure SQL Database elastic pools

• B. Azure SQL Managed Instance Most Voted
• C. Azure SQL Database single databases
• D. SQL Server 2016 on Azure virtual machines

Hide Solution Discussion 34

Correct Answer: B 🗳️
SQL Managed Instance allows existing SQL Server customers to lift and shift their on-premises
applications to the cloud with minimal application and database changes. At the same time,
SQL Managed Instance preserves all PaaS capabilities (automatic patching and version
updates, automated backups, high availability) that drastically reduce management overhead
and TCO.
Reference:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance
Community vote distribution
B (100%)

Question #2Topic 2
You have an Azure subscription that contains an Azure Blob Storage account named store1.
You have an on-premises file server named Server1 that runs Windows Server 2016. Server1
stores 500 GB of company files.
You need to store a copy of the company files from Server1 in store1.
Which two possible Azure services achieve this goal? Each correct answer presents a
complete solution.
NOTE: Each correct selection is worth one point.

• A. an Azure Logic Apps integration account

• B. an Azure Import/Export job Most Voted
• C. Azure Data Factory Most Voted
• D. an Azure Analysis services On-premises data gateway
• E. an Azure Batch account

Hide Solution Discussion 37

Correct Answer: BC 🗳️
B: You can use the Azure Import/Export service to securely export large amounts of data
from Azure Blob storage. The service requires you to ship empty drives to the Azure
datacenter. The service exports data from your storage account to the drives and then ships
the drives back.
C: Big data requires a service that can orchestrate and operationalize processes to refine these
enormous stores of raw data into actionable business insights.
Azure Data Factory is a managed cloud service that's built for these complex hybrid extract-
transform-load (ETL), extract-load-transform (ELT), and data integration projects.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-from-
blobs https://docs.microsoft.com/en-us/azure/data-factory/introduction
Community vote distribution
BC (97%)
3%
Question #3Topic 2
You have an Azure subscription that contains two applications named App1 and App2. App1
is a sales processing application. When a transaction in App1 requires shipping, a message is
added to an Azure Storage account queue, and then App2 listens to the queue for relevant
transactions.
In the future, additional applications will be added that will process some of the shipping
requests based on the specific details of the transactions.
You need to recommend a replacement for the storage account queue to ensure that each
additional application will be able to read the relevant transactions.
What should you recommend?

• A. one Azure Data Factory pipeline

• B. multiple storage account queues
• C. one Azure Service Bus queue
• D. one Azure Service Bus topic Most Voted

Hide Solution Discussion 20

Correct Answer: D 🗳️
A queue allows processing of a message by a single consumer. In contrast to queues, topics
and subscriptions provide a one-to-many form of communication in a publish and subscribe
pattern. It's useful for scaling to large numbers of recipients. Each published message is made
available to each subscription registered with the topic. Publisher sends a message to a topic
and one or more subscribers receive a copy of the message, depending on filter rules set on
these subscriptions.
Reference:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-queues-topics-
subscriptions
Community vote distribution
D (90%)
10%
Question #4Topic 2
HOTSPOT -
You need to design a storage solution for an app that will store large amounts of frequently
used data. The solution must meet the following requirements:
✑ Maximize data throughput.
✑ Prevent the modification of data for one year.
✑ Minimize latency for read and write operations.
Which Azure Storage account type and storage service should you recommend? To answer,
select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 42

Correct
Answer:

Box 1: BlockBlobStorage -
Block Blob is a premium storage account type for block blobs and append blobs.
Recommended for scenarios with high transactions rates, or scenarios that use smaller objects
or require consistently low storage latency.

Box 2: Blob -
The Archive tier is an offline tier for storing blob data that is rarely accessed. The Archive
tier offers the lowest storage costs, but higher data retrieval costs and latency compared to the
online tiers (Hot and Cool). Data must remain in the Archive tier for at least 180 days or be
subject to an early deletion charge.
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/archive-blob
Question #5Topic 2
HOTSPOT -
You have an Azure subscription that contains the storage accounts shown in the following
table.

You plan to implement two new apps that have the requirements shown in the following
table.

Which storage accounts should you recommend using for each app? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 48

Correct
Answer:

Box 1: Storage1 and storage3 only

Need to use Standard accounts.
Data stored in a premium block blob storage account cannot be tiered to hot, cool, or archive
using Set Blob Tier or using Azure Blob Storage lifecycle management
Box 2: Storage1 and storage4 only
Azure File shares requires Premium accounts. Only Storage1 and storage4 are premium.
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview#feature-support
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-
share?tabs=azure-portal#basics
Question #6Topic 2
You are designing an application that will be hosted in Azure.
The application will host video files that range from 50 MB to 12 GB. The application will
use certificate-based authentication and will be available to users on the internet.
You need to recommend a storage option for the video files. The solution must provide the
fastest read performance and must minimize storage costs.
What should you recommend?

• A. Azure Files
• B. Azure Data Lake Storage Gen2
• C. Azure Blob Storage Most Voted
• D. Azure SQL Database

Hide Solution Discussion 22

Correct Answer: C 🗳️
Blob Storage: Stores large amounts of unstructured data, such as text or binary data, that can
be accessed from anywhere in the world via HTTP or HTTPS. You can use Blob storage to
expose data publicly to the world, or to store application data privately.
Max file in Blob Storage. 4.77 TB.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/digital-media-
video
Community vote distribution

Question #7Topic 2
You are designing a SQL database solution. The solution will include 20 databases that will be
20 GB each and have varying usage patterns.
You need to recommend a database platform to host the databases. The solution must meet
the following requirements:
✑ The solution must meet a Service Level Agreement (SLA) of 99.99% uptime.
✑ The compute resources allocated to the databases must scale dynamically.
✑ The solution must have reserved capacity.
Compute charges must be minimized.

What should you include in the recommendation?

• A. an elastic pool that contains 20 Azure SQL databases Most Voted

 • B. 20 databases on a Microsoft SQL server that runs on an Azure virtual machine in an
availability set
• C. 20 databases on a Microsoft SQL server that runs on an Azure virtual machine
• D. 20 instances of Azure SQL Database serverless

Hide Solution Discussion 24

Correct Answer: A 🗳️
The compute and storage redundancy is built in for business critical databases and elastic
pools, with a SLA of 99.99%.
Reserved capacity provides you with the flexibility to temporarily move your hot databases in
and out of elastic pools (within the same region and performance tier) as part of your normal
operations without losing the reserved capacity benefit.
Reference:
https://azure.microsoft.com/en-us/blog/understanding-and-leveraging-azure-sql-database-sla/
Community vote distribution
A (100%)
Question #8Topic 2
HOTSPOT -
You have an on-premises database that you plan to migrate to Azure.
You need to design the database architecture to meet the following requirements:
✑ Support scaling up and down.
✑ Support geo-redundant backups.
✑ Support a database of up to 75 TB.
✑ Be optimized for online transaction processing (OLTP).
What should you include in the design? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 24

Correct

Answer:
Box 1: Azure SQL Database -
Azure SQL Database:
Database size always depends on the underlying service tiers (e.g. Basic, Business Critical,
Hyperscale).
It supports databases of up to 100 TB with Hyperscale service tier model.
Active geo-replication is a feature that lets you to create a continuously synchronized readable
secondary database for a primary database. The readable secondary database may be in the
same Azure region as the primary, or, more commonly, in a different region. This kind of
readable secondary databases are also known as geo-secondaries, or geo-replicas.
Azure SQL Database and SQL Managed Instance enable you to dynamically add more resources
to your database with minimal downtime.

Box 2: Hyperscale -
Incorrect Answers:
✑ SQL Server on Azure VM: geo-replication not supported.
✑ Azure Synapse Analytics is not optimized for online transaction processing (OLTP).
✑ Azure SQL Managed Instance max database size is up to currently available instance size
(depending on the number of vCores).
Max instance storage size (reserved) - 2 TB for 4 vCores
- 8 TB for 8 vCores
- 16 TB for other sizes
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/active-geo-replication-overview
https://medium.com/awesome-azure/azure-difference-between-azure-sql-database-and-sql-
server-on-vm-comparison-azure-sql-vs-sql-server-vm-cf02578a1188
Question #9Topic 2
You are planning an Azure IoT Hub solution that will include 50,000 IoT devices.
Each device will stream data, including temperature, device ID, and time data. Approximately
50,000 records will be written every second. The data will be visualized in near real time.
You need to recommend a service to store and query the data.
Which two services can you recommend? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

• A. Azure Table Storage

• B. Azure Event Grid
• C. Azure Cosmos DB SQL API Most Voted
• D. Azure Time Series Insights Most Voted

Hide Solution Discussion 32

Correct Answer: CD 🗳️
D: Time Series Insights is a fully managed service for time series data. In this architecture,
Time Series Insights performs the roles of stream processing, data store, and analytics and
reporting. It accepts streaming data from either IoT Hub or Event Hubs and stores, processes,
analyzes, and displays the data in near real time.
C: The processed data is stored in an analytical data store, such as Azure Data Explorer, HBase,
Azure Cosmos DB, Azure Data Lake, or Blob Storage.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/data-guide/scenarios/time-series
Community vote distribution
CD (87%)
13%

Question #10Topic 2
You are designing an application that will aggregate content for users.
You need to recommend a database solution for the application. The solution must meet the
following requirements:
✑ Support SQL commands.
✑ Support multi-master writes.
✑ Guarantee low latency read operations.
What should you include in the recommendation?

• A. Azure Cosmos DB SQL API Most Voted

• B. Azure SQL Database that uses active geo-replication
• C. Azure SQL Database Hyperscale
• D. Azure Database for PostgreSQL

Hide Solution Discussion 16

Correct Answer: A 🗳️
With Cosmos DB's novel multi-region (multi-master) writes replication protocol, every region
supports both writes and reads. The multi-region writes capability also enables:
Unlimited elastic write and read scalability.
99.999% read and write availability all around the world.
Guaranteed reads and writes served in less than 10 milliseconds at the 99th percentile.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/distribute-data-globally
Community vote distribution
A (100%)

Question #11Topic 2
HOTSPOT -
You have an Azure subscription that contains the SQL servers on Azure shown in the following
table.

The subscription contains the storage accounts shown in the following table.
You create the Azure SQL databases shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 90

Correct
Answer:

Box 1: Yes -
Auditing works fine for a Standard account.

Box 2: No -
Auditing limitations: Premium storage is currently not supported.

Box 3: No -
Auditing limitations: Premium storage is currently not supported.
Reference:
https://docs.mi
Question #12Topic 2
DRAG DROP -
You plan to import data from your on-premises environment to Azure. The data is shown in the
following table.
What should you recommend using to migrate the data? To answer, drag the appropriate tools
to the correct data sources. Each tool may be used once, more than once, or not at all. You may
need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Hide Solution Discussion 15

Correct
Answer:

Box 1: Data Migration Assistant -

The Data Migration Assistant (DMA) helps you upgrade to a modern data platform by detecting
compatibility issues that can impact database functionality in your new version of SQL Server
or Azure SQL Database. DMA recommends performance and reliability improvements for your
target environment and allows you to move your schema, data, and uncontained objects from
your source server to your target server.
Incorrect:
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage
account.
Box 2: Azure Cosmos DB Data Migration Tool
Azure Cosmos DB Data Migration Tool can used to migrate a SQL Server Database table to
Azure Cosmos.
Reference:
https://docs.microsoft.com/en-us/sql/dma/dma-overview
https://docs.microsoft.com/en-us/azure/cosmos-db/cosmosdb-migrationchoices
Question #13Topic 2
You store web access logs data in Azure Blob Storage.
You plan to generate monthly reports from the access logs.
You need to recommend an automated process to upload the data to Azure SQL Database
every month.
What should you include in the recommendation?

• A. Microsoft SQL Server Migration Assistant (SSMA)

 • B. Data Migration Assistant (DMA)
• C. AzCopy
• D. Azure Data Factory Most Voted

Hide Solution Discussion 10

Correct Answer: D 🗳️
You can create Data Factory pipelines that copies data from Azure Blob Storage to Azure SQL
Database. The configuration pattern applies to copying from a file- based data store to a
relational data store.
Required steps:
Create a data factory.
Create Azure Storage and Azure SQL Database linked services.
Create Azure Blob and Azure SQL Database datasets.
Create a pipeline contains a Copy activity.
Start a pipeline run.
Monitor the pipeline and activity runs.
Reference:
https://docs.microsoft.com/en-us/azure/data-factory/tutorial-copy-data-dot-net
Community vote distribution
D (100%)

Question #14Topic 2
You have an Azure subscription.
Your on-premises network contains a file server named Server1. Server1 stores 5 ‫׀‬¢‫ ’׀‬of
company files that are accessed rarely.
You plan to copy the files to Azure Storage.
You need to implement a storage solution for the files that meets the following requirements:
✑ The files must be available within 24 hours of being requested.
✑ Storage costs must be minimized.
Which two possible storage solutions achieve this goal? Each correct answer presents a
complete solution.
NOTE: Each correct selection is worth one point.

• A. Create an Azure Blob Storage account that is configured for the Cool default access
tier. Create a blob container, copy the files to the blob container, and set each file to the
Archive access tier. Most Voted
• B. Create a general-purpose v1 storage account. Create a blob container and copy the
files to the blob container.
• C. Create a general-purpose v2 storage account that is configured for the Cool default
access tier. Create a file share in the storage account and copy the files to the file
share.
• D. Create a general-purpose v2 storage account that is configured for the Hot default
access tier. Create a blob container, copy the files to the blob container, and set each
file to the Archive access tier. Most Voted
• E. Create a general-purpose v1 storage account. Create a fie share in the storage
account and copy the files to the file share.
Hide Solution Discussion 19
Correct Answer: AD 🗳️
To minimize costs: The Archive tier is optimized for storing data that is rarely accessed and
stored for at least 180 days with flexible latency requirements (on the order of hours).
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
Community vote distribution
AD (91%)
9%

Question #15Topic 2
You have an app named App1 that uses two on-premises Microsoft SQL Server databases
named DB1 and DB2.
You plan to migrate DB1 and DB2 to Azure
You need to recommend an Azure solution to host DB1 and DB2. The solution must meet the
following requirements:
✑ Support server-side transactions across DB1 and DB2.
✑ Minimize administrative effort to update the solution.
What should you recommend?

• A. two Azure SQL databases in an elastic pool

• B. two databases on the same Azure SQL managed instance Most Voted
• C. two databases on the same SQL Server instance on an Azure virtual machine
• D. two Azure SQL databases on different Azure SQL Database servers

Hide Solution Discussion 13

Correct Answer: B 🗳️
Elastic database transactions for Azure SQL Database and Azure SQL Managed Instance allow
you to run transactions that span several databases.
SQL Managed Instance enables system administrators to spend less time on administrative
tasks because the service either performs them for you or greatly simplifies those tasks.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/elastic-transactions-
overview?view=azuresql
Community vote distribution
B (100%)

Question #16Topic 2
You need to design a highly available Azure SQL database that meets the following
requirements:
✑ Failover between replicas of the database must occur without any data loss.
✑ The database must remain available in the event of a zone outage.
✑ Costs must be minimized.
Which deployment option should you use?

• A. Azure SQL Database Hyperscale

• B. Azure SQL Database Premium Most Voted
 • C. Azure SQL Database Basic
• D. Azure SQL Managed Instance General Purpose

Hide Solution Discussion 12

Correct Answer: B 🗳️
Azure SQL Database Premium tier supports multiple redundant replicas for each database that
are automatically provisioned in the same datacenter within a region. This design leverages the
SQL Server AlwaysON technology and provides resilience to server failures with 99.99%
availability SLA and RPO=0.
With the introduction of Azure Availability Zones, we are happy to announce that SQL Database
now offers built-in support of Availability Zones in its Premium service tier.
Incorrect:
Not A: Hyperscale is more expensive than Premium.
Not C: Need Premium for Availability Zones.
Not D: Zone redundant configuration that is free on Azure SQL Premium is not available on
Azure SQL Managed Instance.
Reference:
https://azure.microsoft.com/en-us/blog/azure-sql-database-now-offers-zone-redundant-
premium-databases-and-elastic-pools/
Community vote distribution
B (100%)

Question #17Topic 2
HOTSPOT -
You are planning an Azure Storage solution for sensitive data. The data will be accessed daily.
The dataset is less than 10 GB.
You need to recommend a storage solution that meets the following requirements:
✑ All the data written to storage must be retained for five years.
✑ Once the data is written, the data can only be read. Modifications and deletion must be
prevented.
✑ After five years, the data can be deleted, but never modified.
✑ Data access charges must be minimized.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Hide Solution Discussion 28
Correct
Answer:

Box 1: General purpose v2 with Hot access tier for blobs

Note:
* All the data written to storage must be retained for five years.
* Data access charges must be minimized
Hot tier has higher storage costs, but lower access and transaction costs.
Incorrect:
Not Archive: Lowest storage costs, but highest access, and transaction costs.
Not Cool: Lower storage costs, but higher access and transaction costs.
Box 2: Storage account resource lock
As an administrator, you can lock a subscription, resource group, or resource to prevent other
users in your organization from accidentally deleting or modifying critical resources. The lock
overrides any permissions the user might have.
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-
resources
Question #18Topic 2
HOTSPOT -
You are designing a data storage solution to support reporting.
The solution will ingest high volumes of data in the JSON format by using Azure Event Hubs. As
the data arrives, Event Hubs will write the data to storage. The solution must meet the following
requirements:
✑ Organize data in directories by date and time.
✑ Allow stored data to be queried directly, transformed into summarized tables, and then
stored in a data warehouse.
✑ Ensure that the data warehouse can store 50 TB of relational data and support between 200
and 300 concurrent read operations.
Which service should you recommend for each type of data store? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 25

Correct
Answer:

Box 1: Azure Data Lake Storage Gen2

Azure Data Explorer integrates with Azure Blob Storage and Azure Data Lake Storage (Gen1 and
Gen2), providing fast, cached, and indexed access to data stored in external storage. You can
analyze and query data without prior ingestion into Azure Data Explorer. You can also query
across ingested and uningested external data simultaneously.
Azure Data Lake Storage is optimized storage for big data analytics workloads.
Use cases: Batch, interactive, streaming analytics and machine learning data such as log files,
IoT data, click streams, large datasets
Box 2: Azure SQL Database Hyperscale
Azure SQL Database Hyperscale is optimized for OLTP and high throughput analytics
workloads with storage up to 100TB.
A Hyperscale database supports up to 100 TB of data and provides high throughput and
performance, as well as rapid scaling to adapt to the workload requirements. Connectivity,
query processing, database engine features, etc. work like any other database in Azure SQL
Database.
Hyperscale is a multi-tiered architecture with caching at multiple levels. Effective IOPS will
depend on the workload.
Compare to:
General purpose: 500 IOPS per vCore with 7,000 maximum IOPS
Business critical: 5,000 IOPS with 200,000 maximum IOPS
Incorrect:
* Azure Synapse Analytics Dedicated SQL pool.

Max database size: 240 TB -

A maximum of 128 concurrent queries will execute and remaining queries will be queued.
Reference:
https://docs.microsoft.com/en-us/azure/data-explorer/data-lake-query-data
https://docs.microsoft.com/en-us/azure/azure-sql/database/service-tier-hyperscale
https://docs.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/sql-data-
warehouse-service-capacity-limits
Question #19Topic 2
You have an app named App1 that uses an on-premises Microsoft SQL Server database named
DB1.

You plan to migrate DB1 to an Azure SQL managed instance.

You need to enable customer managed Transparent Data Encryption (TDE) for the instance.
The solution must maximize encryption strength.

Which type of encryption algorithm and key length should you use for the TDE protector?

• A. RSA 3072 Most Voted

• B. AES 256
• C. RSA 4096
• D. RSA 2048

Hide Solution Discussion 26

Correct Answer: A 🗳️

Community vote distribution

A (87%)
13%

Question #20Topic 2
You are planning an Azure IoT Hub solution that will include 50,000 IoT devices.

Each device will stream data, including temperature, device ID, and time data. Approximately
50,000 records will be written every second. The data will be visualized in near real time.
You need to recommend a service to store and query the data.

Which two services can you recommend? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

• A. Azure Table Storage

• B. Azure Event Grid
• C. Azure Cosmos DB for NoSQL Most Voted
• D. Azure Time Series Insights Most Voted

Hide Solution Discussion 14

Correct Answer: CD 🗳️

Community vote distribution

CD (100%)

Question #21Topic 2
HOTSPOT
-

You are planning an Azure Storage solution for sensitive data. The data will be accessed daily.
The dataset is less than 10 GB.

You need to recommend a storage solution that meets the following requirements:

• All the data written to storage must be retained for five years.
• Once the data is written, the data can only be read. Modifications and deletion must be
prevented.
• After five years, the data can be deleted, but never modified.
• Data access charges must be minimized.

What should you recommend? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 15

Correct Answer:
Correct
Answer:

Question #22Topic 2
HOTSPOT
-

You are designing a data analytics solution that will use Azure Synapse and Azure Data Lake
Storage Gen2.

You need to recommend Azure Synapse pools to meet the following requirements:

• Ingest data from Data Lake Storage into hash-distributed tables.

• Implement query, and update data in Delta Lake.

What should you recommend for each requirement? To answer, select the appropriate options
in the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 30

Correct

Answer:

Question #23Topic 2
You have an on-premises storage solution.

You need to migrate the solution to Azure. The solution must support Hadoop Distributed File
System (HDFS).

What should you use?

• A. Azure Data Lake Storage Gen2 Most Voted

• B. Azure NetApp Files
• C. Azure Data Share
 • D. Azure Table storage

Hide Solution Discussion 9

Correct Answer: A 🗳️

Community vote distribution

A (100%)

Question #24Topic 2
DRAG DROP
-

You have an on-premises app named App1.

Customers use App1 to manage digital images.

You plan to migrate App1 to Azure.

You need to recommend a data storage solution for App1. The solution must meet the
following image storage requirements:

• Encrypt images at rest.

• Allow files up to 50 MB.
• Manage access to the images by using Azure Web Application Firewall (WAF) on Azure Front
Door.

The solution must meet the following customer account requirements:

• Support automatic scale out of the storage.

• Maintain the availability of App1 if a datacenter fails.
• Support reading and writing data from multiple Azure regions.

Which service should you include in the recommendation for each type of data? To answer,
drag the appropriate services to the correct type of data. Each service may be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view
content.

NOTE: Each correct answer is worth one point.

Hide Solution Discussion 4

Correct Answer:

Question #25Topic 2
You are designing an application that will aggregate content for users.

You need to recommend a database solution for the application. The solution must meet the
following requirements:

• Support SQL commands.

• Support multi-master writes.
• Guarantee low latency read operations.

What should you include in the recommendation?

• A. Azure Cosmos DB for NoSQL Most Voted

• B. Azure SQL Database that uses active geo-replication
• C. Azure SQL Database Hyperscale
• D. Azure Cosmos DB for PostgreSQL

Hide Solution Discussion 12

Correct Answer: A 🗳️

Community vote distribution

A (100%)
Question #26Topic 2
You plan to migrate on-premises MySQL databases to Azure Database for MySQL Flexible
Server.

You need to recommend a solution for the Azure Database for MySQL Flexible Server
configuration. The solution must meet the following requirements:

• The databases must be accessible if a datacenter fails.

• Costs must be minimized.

Which compute tier should you recommend?

• A. Burstable
• B. General Purpose Most Voted
• C. Memory Optimized

Hide Solution Discussion 20

Correct Answer: A 🗳️

Community vote distribution

B (91%)
9%

Question #27Topic 2
You are designing an app that will use Azure Cosmos DB to collate sales from multiple
countries.

You need to recommend an API for the app. The solution must meet the following
requirements:

• Support SQL queries.

• Support geo-replication.
• Store and access data relationally.

Which API should you recommend?

• A. Apache Cassandra
• B. PostgreSQL Most Voted
• C. MongoDB
• D. NoSQL

Hide Solution Discussion 6

Correct Answer: B 🗳️

Community vote distribution

B (100%)
Question #28Topic 2
HOTSPOT
-

You have an app that generates 50,000 events daily.

You plan to stream the events to an Azure event hub and use Event Hubs Capture to implement
cold path processing of the events. The output of Event Hubs Capture will be consumed by a
reporting system.

You need to identify which type of Azure storage must be provisioned to support Event Hubs
Capture, and which inbound data format the reporting system must support.

What should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 13

Correct

Answer:

Question #29Topic 2
You have the resources shown in the following table.

CDB1 hosts a container that stores continuously updated operational data.

You are designing a solution that will use AS1 to analyze the operational data daily.

You need to recommend a solution to analyze the data without affecting the performance of
the operational data store.

What should you include in the recommendation?

• A. Azure Data Factory with Azure Cosmos DB and Azure Synapse Analytics connectors
• B. Azure Synapse Analytics with PolyBase data loading
• C. Azure Synapse Link for Azure Cosmos DB Most Voted
• D. Azure Cosmos DB change feed

Hide Solution Discussion 3

Correct Answer: C 🗳️

Community vote distribution

 C (100%)

Question #30Topic 2
HOTSPOT
-

You have an Azure subscription. The subscription contains an Azure SQL managed instance
that stores employee details, including social security numbers and phone numbers.

You need to configure the managed instance to meet the following requirements:

• The helpdesk team must see only the last four digits of an employee’s phone number.
• Cloud administrators must be prevented from seeing the employee’s social security numbers.

What should you enable for each column in the managed instance? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 1

Correct Answer:

Question #31Topic 2
You plan to use an Azure Storage account to store data assets.

You need to recommend a solution that meets the following requirements:

• Supports immutable storage

• Disables anonymous access to the storage account
• Supports access control list (ACL)-based Azure AD permissions

What should you include in the recommendation?

• A. Azure Files
• B. Azure Data Lake Storage Most Voted
• C. Azure NetApp Files
• D. Azure Blob Storage Most Voted

Hide Solution Discussion 12

Correct Answer: C 🗳️

Community vote distribution

B (54%)
Question #32Topic 2
HOTSPOT
-

You are designing a storage solution that will ingest, store, and analyze petabytes (PBs) of
structured, semi-structured, and unstructured text data. The analyzed data will be offloaded to
Azure Data Lake Storage Gen2 for long-term retention.

You need to recommend a storage and analytics solution that meets the following
requirements:
• Stores the processed data
• Provides interactive analytics
• Supports manual scaling, built-in autoscaling, and custom autoscaling

What should you include in the recommendation? To answer, select the appropriate options in
the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 6

Correct Answer:

Question #33Topic 2
HOTSPOT
-

You plan to use Azure SQL as a database platform.

You need to recommend an Azure SQL product and service tier that meets the following
requirements:
• Automatically scales compute resources based on the workload demand
• Provides per second billing

What should you recommend? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 2

Correct Answer:

Topic 3 - Question Set 3

Question #1Topic 3
You have SQL Server on an Azure virtual machine. The databases are written to nightly as part
of a batch process.
You need to recommend a disaster recovery solution for the data. The solution must meet the
following requirements:
✑ Provide the ability to recover in the event of a regional outage.
✑ Support a recovery time objective (RTO) of 15 minutes.
✑ Support a recovery point objective (RPO) of 24 hours.
✑ Support automated recovery.
✑ Minimize costs.
What should you include in the recommendation?

• A. Azure virtual machine availability sets

• B. Azure Disk Backup
• C. an Always On availability group
• D. Azure Site Recovery Most Voted

Hide Solution Discussion 49

Correct Answer: D 🗳️
Replication with Azure Site Recover:
✑ RTO is typically less than 15 minutes.
✑ RPO: One hour for application consistency and five minutes for crash consistency.
Incorrect Answers:
B: Too slow.
C: Always On availability group RPO: Because replication to the secondary replica is
asynchronous, there's some data loss.
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-sql
Community vote distribution
D (82%)
C (18%)

Question #2Topic 3
HOTSPOT -
You plan to deploy the backup policy shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 30

Correct
Answer:
Question #3Topic 3
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You need to deploy resources to host a stateless web app in an Azure subscription. The
solution must meet the following requirements:
✑ Provide access to the full .NET framework.
Provide redundancy if an Azure region fails.

✑ Grant administrators access to the operating system to install custom application

dependencies.
Solution: You deploy two Azure virtual machines to two Azure regions, and you create an Azure
Traffic Manager profile.
Does this meet the goal?

• A. Yes Most Voted

• B. No

Hide Solution Discussion 27

Correct Answer: A 🗳️
Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic
optimally to services across global Azure regions, while providing high availability and
responsiveness.
Community vote distribution
A (100%)

Question #4Topic 3
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You need to deploy resources to host a stateless web app in an Azure subscription. The
solution must meet the following requirements:
✑ Provide access to the full .NET framework.
✑ Provide redundancy if an Azure region fails.
✑ Grant administrators access to the operating system to install custom application
dependencies.
Solution: You deploy two Azure virtual machines to two Azure regions, and you deploy an Azure
Application Gateway.
Does this meet the goal?

• A. Yes
 • B. No Most Voted

Hide Solution Discussion 13

Correct Answer: B 🗳️
App Gateway will balance the traffic between VMs deployed in the same region. Create an
Azure Traffic Manager profile instead.
Community vote distribution
B (100%)

Question #5Topic 3
HOTSPOT -
You plan to create an Azure Storage account that will host file shares. The shares will be
accessed from on-premises applications that are transaction intensive.
You need to recommend a solution to minimize latency when accessing the file shares. The
solution must provide the highest-level of resiliency for the selected storage tier.
What should you include in the recommendation? To answer, select the appropriate options in
the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 25

Correct
Answer:
Box 1: Premium -
Premium: Premium file shares are backed by solid-state drives (SSDs) and provide consistent
high performance and low latency, within single-digit milliseconds for most IO operations, for
IO-intensive workloads.
Incorrect Answers:
✑ Hot: Hot file shares offer storage optimized for general purpose file sharing scenarios such
as team shares. Hot file shares are offered on the standard storage hardware backed by HDDs.
✑ Transaction optimized: Transaction optimized file shares enable transaction heavy
workloads that don't need the latency offered by premium file shares.
Transaction optimized file shares are offered on the standard storage hardware backed by hard
disk drives (HDDs). Transaction optimized has historically been called "standard", however this
refers to the storage media type rather than the tier itself (the hot and cool are also "standard"
tiers, because they are on standard storage hardware).
Box 2: Zone-redundant storage (ZRS):
Premium Azure file shares only support LRS and ZRS.
Zone-redundant storage (ZRS): With ZRS, three copies of each file stored, however these copies
are physically isolated in three distinct storage clusters in different Azure availability zones.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-planning
Question #6Topic 3
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You need to deploy resources to host a stateless web app in an Azure subscription. The
solution must meet the following requirements:
✑ Provide access to the full .NET framework.
✑ Provide redundancy if an Azure region fails.
✑ Grant administrators access to the operating system to install custom application
dependencies.
Solution: You deploy an Azure virtual machine scale set that uses autoscaling.
Does this meet the goal?

• A. Yes
• B. No Most Voted

Hide Solution Discussion 21

Correct Answer: B 🗳️
Instead, you should deploy two Azure virtual machines to two Azure regions, and you create a
Traffic Manager profile.
Note: Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute
traffic optimally to services across global Azure regions, while providing high availability and
responsiveness.
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
Community vote distribution
B (100%)

Question #7Topic 3
HOTSPOT -
You need to recommend an Azure Storage account configuration for two applications named
Application1 and Application2. The configuration must meet the following requirements:
✑ Storage for Application1 must provide the highest possible transaction rates and the lowest
possible latency.
✑ Storage for Application2 must provide the lowest possible storage costs per GB.
✑ Storage for both applications must be available in an event of datacenter failure.
✑ Storage for both applications must be optimized for uploads and downloads.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 43

Correct
Answer:

Box 1: BlobStorage with Premium Performance,‫ג‬€¦

Application1 requires high transaction rates and the lowest possible latency. We need to use
Premium, not Standard.
Box 2: General purpose v2 with Standard Performance,..
General Purpose v2 provides access to the latest Azure storage features, including Cool and
Archive storage, with pricing optimized for the lowest GB storage prices. These accounts
provide access to Block Blobs, Page Blobs, Files, and Queues. Recommended for most
scenarios using Azure Storage.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-upgrade
Question #8Topic 3
HOTSPOT -
You plan to develop a new app that will store business critical data. The app must meet the
following requirements:
✑ Prevent new data from being modified for one year.
✑ Maximize data resiliency.
✑ Minimize read latency.
What storage solution should you recommend for the app? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 33

Correct
Answer:

Box 1: Standard general-purpose v2

Standard general-purpose v2 supports immutable storage.
In general Standard general-purpose v2 is the preferred Microsoft recommendation.
Box 2: Zone-redundant storage (ZRS)
ZRS is more resilient compared to LRS.
Note: RA-GRS is even more resilient, but it is not an option here.
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/s
Question #9Topic 3
You plan to deploy 10 applications to Azure. The applications will be deployed to two Azure
Kubernetes Service (AKS) clusters. Each cluster will be deployed to a separate Azure region.
The application deployment must meet the following requirements:
✑ Ensure that the applications remain available if a single AKS cluster fails.
✑ Ensure that the connection traffic over the internet is encrypted by using SSL without having
to configure SSL on each container.
Which service should you include in the recommendation?

• A. Azure Front Door Most Voted

• B. Azure Traffic Manager
• C. AKS ingress controller
• D. Azure Load Balancer

Hide Solution Discussion 23

Correct Answer: A 🗳️
Azure Front Door supports SSL.
Azure Front Door, which focuses on global load-balancing and site acceleration, and Azure CDN
Standard, which offers static content caching and acceleration.
The new Azure Front Door brings together security with CDN technology for a cloud-based CDN
with threat protection and additional capabilities.
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-overview
Community vote distribution
A (90%)
7%
Question #10Topic 3
HOTSPOT -
You have an on-premises file server that stores 2 TB of data files.
You plan to move the data files to Azure Blob Storage in the West Europe Azure region.
You need to recommend a storage account type to store the data files and a replication
solution for the storage account. The solution must meet the following requirements:
✑ Be available if a single Azure datacenter fails.
✑ Support storage tiers.
✑ Minimize cost.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 9

Correct
Answer:

Box 1: Standard general-purpose v2

Standard general-purpose v2 meets the requirements and minimizes the costs.
Box 2: Zone-redundant storage (ZRS)
ZRS protects against a Datacenter failure, while minimizing the costs.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
Question #11Topic 3
HOTSPOT -
You have an Azure web app named App1 and an Azure key vault named KV1.
App1 stores database connection strings in KV1.
App1 performs the following types of requests to KV1:
✑ Get
✑ List
✑ Wrap
✑ Delete

Unwrap -

✑ Backup
✑ Decrypt
✑ Encrypt
You are evaluating the continuity of service for App1.
You need to identify the following if the Azure region that hosts KV1 becomes unavailable:
✑ To where will KV1 fail over?
✑ During the failover, which request type will be unavailable?
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 9

Correct
Answer:

Box 1: A server in the paired region

The contents of your key vault are replicated within the region and to a secondary region at
least 150 miles away, but within the same geography to maintain high durability of your keys
and secrets.
Regions are paired for cross-region replication based on proximity and other factors.
Box 2: Delete -
During failover, your key vault is in read-only mode. Requests that are supported in this mode
are:

List certificates -

Get certificates -

List secrets -

Get secrets -

List keys -

Get (properties of) keys -

Encrypt -

Decrypt -

Wrap -

Unwrap -

Verify -

Sign -

Backup -
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance
Question #12Topic 3
DRAG DROP -
Your company identifies the following business continuity and disaster recovery objectives for
virtual machines that host sales, finance, and reporting applications in the company's on-
premises data center:
✑ The sales application must be able to fail over to a second on-premises data center.
✑ The reporting application must be able to recover point-in-time data at a daily granularity.
The RTO is eight hours.
✑ The finance application requires that data be retained for seven years. In the event of a
disaster, the application must be able to run from Azure. The recovery time objective (RTO) is
10 minutes.
You need to recommend which services meet the business continuity and disaster recovery
objectives. The solution must minimize costs.
What should you recommend for each application? To answer, drag the appropriate services to
the correct applications. Each service may be used once, more than once, or not at all. You may
need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Hide Solution Discussion 12

Correct
Answer:

Box 1: Azure Site Recovery -

Azure Site Recovery -

Coordinates virtual-machine and physical-server replication, failover, and fullback.
DR solutions have low Recovery point objectives; DR copy can be behind by a few
seconds/minutes.
DR needs only operational recovery data, which can take hours to a day. Using DR data for long-
term retention is not recommended because of the fine-grained data capture.
Disaster recovery solutions have smaller Recovery time objectives because they are more in
sync with the source.
Remote monitor the health of machines and create customizable recovery plans.
Box 2: Azure Site Recovery and Azure Backup
Backup ensures that your data is safe and recoverable while Site Recovery keeps your
workloads available when/if an outage occurs.

Box 3: Azure Backup only -

Azure Backup -
Backs up data on-premises and in the cloud
Have wide variability in their acceptable Recovery point objective. VM backups usually one day
while database backups as low as 15 minutes.
Backup data is typically retained for 30 days or less. From a compliance view, data may need to
be saved for years. Backup data is ideal for archiving in such instances.
Because of a larger Recovery point objective, the amount of data a backup solution needs to
process is usually much higher, which leads to a longer Recovery time objective.
Reference:
https://lighthousemsp.com/whats-the-difference-between-azure-backup-and-azure-site-
recovery/
Question #13Topic 3
You need to design a highly available Azure SQL database that meets the following
requirements:
✑ Failover between replicas of the database must occur without any data loss.
✑ The database must remain available in the event of a zone outage.
✑ Costs must be minimized.
Which deployment option should you use?

• A. Azure SQL Managed Instance Business Critical

• B. Azure SQL Database Premium Most Voted
• C. Azure SQL Database Basic
• D. Azure SQL Managed Instance General Purpose

Hide Solution Discussion 37

Correct Answer: D 🗳️
General Purpose service tier provides zone redundant availability.
There are two high availability architectural models:
* Standard availability model that is based on a separation of compute and storage. It relies on
high availability and reliability of the remote storage tier. This architecture targets budget-
oriented business applications that can tolerate some performance degradation during
maintenance activities.
* Premium availability model that is based on a cluster of database engine processes. It relies
on the fact that there is always a quorum of available database engine nodes. This architecture
targets mission-critical applications with high IO performance, high transaction rate and
guarantees minimal performance impact to your workload during maintenance activities.
Note: Zone-redundant configuration for the general purpose service tier is offered for both
serverless and provisioned compute. This configuration utilizes Azure
Availability Zones ‫ג‬€‰to replicate databases across multiple physical locations within an Azure
region.‫ג‬€‰By selecting zone-redundancy, you can make your‫ג‬€‰new and existing serverless
and provisioned general‫ג‬€‰purpose single databases and elastic pools resilient to a much
larger set of failures, including catastrophic datacenter outages, without any changes of the
application logic.
Incorrect:
Not A: Azure SQL Managed Instance Business Critical is more expensive.
Not B: Premium is more expensive.
Not C: Azure SQL Database Basic, and General purpose provide only locally redundant
availability.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/high-availability-sla
Community vote distribution
B (100%)

Question #14Topic 3
You need to design a highly available Azure SQL database that meets the following
requirements:
✑ Failover between replicas of the database must occur without any data loss.
✑ The database must remain available in the event of a zone outage.
✑ Costs must be minimized.
Which deployment option should you use?

• A. Azure SQL Managed Instance Business Critical

• B. Azure SQL Database Premium Most Voted
• C. Azure SQL Database Basic
• D. Azure SQL Database Hyperscale

Hide Solution Discussion 14

Correct Answer: B 🗳️
Azure SQL Database Premium meets the requirements and is the least expensive.
Note: There are two high availability architectural models:
* Standard availability model that is based on a separation of compute and storage. It relies on
high availability and reliability of the remote storage tier. This architecture targets budget-
oriented business applications that can tolerate some performance degradation during
maintenance activities.
* Premium availability model that is based on a cluster of database engine processes. It relies
on the fact that there is always a quorum of available database engine nodes. This architecture
targets mission-critical applications with high IO performance, high transaction rate and
guarantees minimal performance impact to your workload during maintenance activities.
Note: Zone-redundant configuration for the general purpose service tier is offered for both
serverless and provisioned compute. This configuration utilizes Azure
Availability Zones ‫ג‬€‰to replicate databases across multiple physical locations within an Azure
region.‫ג‬€‰By selecting zone-redundancy, you can make your‫ג‬€‰new and existing serverless
and provisioned general‫ג‬€‰purpose single databases and elastic pools resilient to a much
larger set of failures, including catastrophic datacenter outages, without any changes of the
application logic.
Incorrect:
Not A: Azure SQL Managed Instance Business Critical is more expensive.
Not C: Azure SQL Database Basic, and General purpose provide only locally redundant
availability.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/high-availability-sla
Community vote distribution
B (100%)

Question #15Topic 3
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You need to deploy resources to host a stateless web app in an Azure subscription. The
solution must meet the following requirements:
✑ Provide access to the full .NET framework.
✑ Provide redundancy if an Azure region fails.
✑ Grant administrators access to the operating system to install custom application
dependencies.
Solution: You deploy a web app in an Isolated App Service plan.
Does this meet the goal?

• A. Yes
• B. No Most Voted

Hide Solution Discussion 9

Correct Answer: B 🗳️
Instead: You deploy two Azure virtual machines to two Azure regions, and you create an Azure
Traffic Manager profile.
Note: Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute
traffic optimally to services across global Azure regions, while providing high availability and
responsiveness.
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
Community vote distribution
B (100%)

Question #16Topic 3
You need to design a highly available Azure SQL database that meets the following
requirements:
✑ Failover between replicas of the database must occur without any data loss.
✑ The database must remain available in the event of a zone outage.
✑ Costs must be minimized.
Which deployment option should you use?

• A. Azure SQL Database Serverless Most Voted

• B. Azure SQL Database Business Critical Most Voted
• C. Azure SQL Database Basic
• D. Azure SQL Database Standard

Hide Solution Discussion 45

Correct Answer: A 🗳️
Now your new and existing serverless Azure SQL Databases allow for zone redundant
configuration. This feature utilizes Azure Availability Zones to replicate databases across
multiple physical locations within an Azure region. By selecting zone redundancy, you can make
your serverless databases resilient to a much larger set of failures, including catastrophic
datacenter outages‫ג‬€"without any changes of the application logic.
The SQL Database serverless compute tier optimizes price-performance and simplifies
performance management for single databases with intermittent, unpredictable usage by auto-
scaling compute and billing for compute used per second.
Incorrect:
Not B: Azure SQL Database Business Critical is a more expensive solution.
Not C: Azure SQL Database Basic does not provide zone redundancy.
Not D: Azure SQL Database Standard is a more expensive solution.
Reference:
https://azure.microsoft.com/en-us/updates/public-preview-zone-redundant-configuration-for-
azure-sql-database-serverless-compute-tier/
Community vote distribution
B (55%)
A (45%)

Question #17Topic 3
HOTSPOT
-

You have an on-premises Microsoft SQL Server database named SQL1.

You plan to migrate SQL1 to Azure.

You need to recommend a hosting solution for SQL1. The solution must meet the following
requirements:

• Support the deployment of multiple secondary, read-only replicas.

• Support automatic replication between primary and secondary replicas.
• Support failover between primary and secondary replicas within a 15-minute recovery time
objective (RTO).

What should you include in the solution? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 54
Correct
Answer:

Question #18Topic 3
HOTSPOT
-

You have two on-premises Microsoft SQL Server 2017 instances that host an Always On
availability group named AG1. AG1 contains a single database named DB1.

You have an Azure subscription that contains a virtual machine named VM1. VM1 runs Linux
and contains a SQL Server 2019 instance.

You need to migrate DB1 to VM1. The solution must minimize downtime on DB1.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 40
Correct
Answer:

Question #19Topic 3
HOTSPOT
-

You are building an Azure web app that will store the Personally Identifiable Information (PII) of
employees.

You need to recommend an Azure SQL. Database solution for the web app. The solution must
meet the following requirements:

• Maintain availability in the event of a single datacenter outage.

• Support the encryption of specific columns that contain PII.
• Automatically scale up during payroll operations.
• Minimize costs.

What should you include in the recommendations? To answer, select the appropriate options in
the answer area.

NOTE: Each correct selection is worth one point.

Hide Solution Discussion 15
Correct
Answer:

Question #20Topic 3
You plan to deploy an Azure Database for MySQL flexible server named Server1 to the East US
Azure region.

You need to implement a business continuity solution for Server1. The solution must minimize
downtime in the event of a failover to a paired region.

What should you do?

• A. Create a read replica.

• B. Store the database files in Azure premium file shares.
• C. Implement Geo-redundant backup. Most Voted
• D. Configure native MySQL replication.
Hide Solution Discussion 13
Correct Answer: C 🗳️

Community vote distribution

C (79%)
A (21%)

Question #21Topic 3
You have an Azure subscription that contains the resources shown in the following table.

You need to recommend a load balancing solution that will distribute incoming traffic for
VMSS1 across NVA1 and NVA2. The solution must minimize administrative effort.

What should you include in the recommendation?

• A. Gateway Load Balancer

• B. Azure Front Door
• C. Azure Application Gateway
• D. Azure Traffic Manager

Hide Solution Discussion 3

Correct Answer: A 🗳️

Community vote distribution

A (100%)

Topic 4 - Question Set 4

Question #1Topic 4
You have an Azure subscription that contains a Basic Azure virtual WAN named VirtualWAN1
and the virtual hubs shown in the following table.
You have an ExpressRoute circuit in the US East Azure region.
You need to create an ExpressRoute association to VirtualWAN1.
What should you do first?

• A. Upgrade VirtualWAN1 to Standard. Most Voted

• B. Create a gateway on Hub1.
• C. Enable the ExpressRoute premium add-on.
• D. Create a hub virtual network in US East.

Hide Solution Discussion 15

Correct Answer: A 🗳️
A basic Azure virtual WAN does not support express route. You have to upgrade to standard.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
Community vote distribution
A (100%)

Question #2Topic 4
You have an Azure subscription that contains a storage account.
An application sometimes writes duplicate files to the storage account.
You have a PowerShell script that identifies and deletes duplicate files in the storage account.
Currently, the script is run manually after approval from the operations manager.
You need to recommend a serverless solution that performs the following actions:
✑ Runs the script once an hour to identify whether duplicate files exist
✑ Sends an email notification to the operations manager requesting approval to delete the
duplicate files
✑ Processes an email response from the operations manager specifying whether the deletion
was approved
✑ Runs the script if the deletion was approved
What should you include in the recommendation?

• A. Azure Logic Apps and Azure Event Grid

• B. Azure Logic Apps and Azure Functions Most Voted
• C. Azure Pipelines and Azure Service Fabric
• D. Azure Functions and Azure Batch

Hide Solution Discussion 13

Correct Answer: B 🗳️
You can schedule a powershell script with Azure Logic Apps.
When you want to run code that performs a specific job in your logic apps, you can create your
own function by using Azure Functions. This service helps you create Node.js, C#, and F#
functions so you don't have to build a complete app or infrastructure to run code. You can also
call logic apps from inside Azure functions.
Reference:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-functions
Community vote distribution
B (100%)

Question #3Topic 4
Your company has the infrastructure shown in the following table.

The on-premises Active Directory domain syncs with Azure Active Directory (Azure AD).
Server1 runs an application named App1 that uses LDAP queries to verify user identities in the
on-premises Active Directory domain.
You plan to migrate Server1 to a virtual machine in Subscription1.
A company security policy states that the virtual machines and services deployed to
Subscription1 must be prevented from accessing the on-premises network.
You need to recommend a solution to ensure that App1 continues to function after the
migration. The solution must meet the security policy.
What should you include in the recommendation?

• A. Azure AD Application Proxy

• B. the Active Directory Domain Services role on a virtual machine
• C. an Azure VPN gateway
• D. Azure AD Domain Services (Azure AD DS) Most Voted

Hide Solution Discussion 23

Correct Answer: D 🗳️
Azure Active Directory Domain Services (Azure AD DS) provides managed domain services
such as domain join, group policy, lightweight directory access protocol (LDAP), and
Kerberos/NTLM authentication.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview
Community vote distribution
D (96%)
4%

Question #4Topic 4
You need to design a solution that will execute custom C# code in response to an event routed
to Azure Event Grid. The solution must meet the following requirements:
✑ The executed code must be able to access the private IP address of a Microsoft SQL Server
instance that runs on an Azure virtual machine.
✑ Costs must be minimized.
What should you include in the solution?

• A. Azure Logic Apps in the Consumption plan

• B. Azure Functions in the Premium plan Most Voted
• C. Azure Functions in the Consumption plan
• D. Azure Logic Apps in the integrated service environment

Hide Solution Discussion 44

Correct Answer: B 🗳️
Virtual connectivity is included in the Premium plan.
Reference:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale#hosting-plans-
comparison
Community vote distribution
B (99%)
1%

Question #5Topic 4
You have an on-premises network and an Azure subscription. The on-premises network has
several branch offices.
A branch office in Toronto contains a virtual machine named VM1 that is configured as a file
server. Users access the shared files on VM1 from all the offices.
You need to recommend a solution to ensure that the users can access the shared files as
quickly as possible if the Toronto branch office is inaccessible.
What should you include in the recommendation?

• A. a Recovery Services vault and Windows Server Backup

• B. Azure blob containers and Azure File Sync
• C. a Recovery Services vault and Azure Backup
• D. an Azure file share and Azure File Sync Most Voted

Hide Solution Discussion 16

Correct Answer: D 🗳️
Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping
the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync
transforms Windows Server into a quick cache of your Azure file share.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
Community vote distribution
D (100%)

Question #6Topic 4
HOTSPOT -
You have an Azure subscription named Subscription1 that is linked to a hybrid Azure Active
Directory (Azure AD) tenant.
You have an on-premises datacenter that does NOT have a VPN connection to Subscription1.
The datacenter contains a computer named Server1 that has
Microsoft SQL Server 2016 installed. Server is prevented from accessing the internet.
An Azure logic app resource named LogicApp1 requires write access to a database on Server1.
You need to recommend a solution to provide LogicApp1 with the ability to access Server1.
What should you recommend deploying on-premises and in Azure? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 23

Correct
Answer:
Box 1: An on-premises data gateway
For logic apps in global, multi-tenant Azure that connect to on-premises SQL Server, you need
to have the on-premises data gateway installed on a local computer and a data gateway
resource that's already created in Azure.
Box 2: A connection gateway resource
Reference:
https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-sqlazure
Question #7Topic 4
HOTSPOT -
Your company develops a web service that is deployed to an Azure virtual machine named
VM1. The web service allows an API to access real-time data from
VM1.
The current virtual machine deployment is shown in the Deployment exhibit.
The chief technology officer (CTO) sends you the following email message: "Our developers
have deployed the web service to a virtual machine named VM1.
Testing has shown that the API is accessible from VM1 and VM2. Our partners must be able to
connect to the API over the Internet. Partners will use this data in applications that they
develop."
You deploy an Azure API Management (APIM) service. The relevant API Management
configuration is shown in the API exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Hide Solution Discussion 19

Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/a