HOTSPOT - You plan to deploy a new application to a Linux virtual machine (VM) that is hosted in Azure. The entire VM must be secured at rest by using industry-standard encryption technology to address organizational security and compliance requirements. You need to configure Azure Disk Encryption for the VM. How should you complete the Azure CLI commands? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: keyvault - Create an Azure Key Vault with az keyvault create and enable the Key Vault for use with disk encryption. Specify a unique Key Vault name for keyvault_name as follows: keyvault_name=myvaultname$RANDOM az keyvault create \ --name $keyvault_name \ --resource-group $resourcegroup \ --location eastus \ --enabled-for-disk-encryption True Box 2: keyvault key - The Azure platform needs to be granted access to request the cryptographic keys when the VM boots to decrypt the virtual disks. Create a cryptographic key in your Key Vault with az keyvault key create. The following example creates a key named myKey: az keyvault key create \ --vault-name $keyvault_name \ --name myKey \ --protection software Box 3: vm - Create a VM with az vm create. Only certain marketplace images support disk encryption. The following example creates a VM named myVM using an Ubuntu 16.04 LTS image: az vm create \ --resource-group $resourcegroup \ --name myVM \ --image Canonical:UbuntuServer:16.04-LTS:latest \ --admin-username azureuser \ --generate-ssh-keys \ Box 4: vm encryption - Encrypt your VM with az vm encryption enable: az vm encryption enable \ --resource-group $resourcegroup \ --name myVM \ --disk-encryption-keyvault $keyvault_name \ --key-encryption-key myKey \ --volume-type all Note: seems to an error in the question. Should have enable instead of create. Box 5: all - Encrypt both data and operating system. Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-cli-quickstart
Question 152
Your company is developing an Azure API hosted in Azure. You need to implement authentication for the Azure API to access other Azure resources. You have the following requirements: - All API calls must be authenticated. - Callers to the API must not send credentials to the API. Which authentication mechanism should you use?
A. Basic
B. Anonymous
C. Managed identity
D. Client certificate
Azure Active Directory Managed Service Identity (MSI) gives your code an automatically managed identity for authenticating to Azure services, so that you can keep credentials out of your code. Note: Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme. Incorrect Answers: A: Use the authentication-basic policy to authenticate with a backend service using Basic authentication. This policy effectively sets the HTTP Authorization header to the value corresponding to the credentials provided in the policy. B: Anonymous is no authentication at all. D: Your code needs credentials to authenticate to cloud services, but you want to limit the visibility of those credentials as much as possible. Ideally, they never appear on a developer's workstation or get checked-in to source control. Azure Key Vault can store credentials securely so they aren't in your code, but to retrieve them you need to authenticate to Azure Key Vault. To authenticate to Key Vault, you need a credential! A classic bootstrap problem. Reference: https://azure.microsoft.com/en-us/blog/keep-credentials-out-of-code-introducing-azure-ad-managed-service-identity/ https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies
Question 153
DRAG DROP - You are developing an application. You have an Azure user account that has access to two subscriptions. You need to retrieve a storage account key secret from Azure Key Vault. In which order should you arrange the PowerShell commands to develop the solution? To answer, move all commands from the list of commands to the answer area and arrange them in the correct order. Select and Place:
Step 1: Get-AzSubscription - If you have multiple subscriptions, you might have to specify the one that was used to create your key vault. Enter the following to see the subscriptions for your account: Get-AzSubscription - Step 2: Set-AzContext -SubscriptionId To specify the subscription that's associated with the key vault you'll be logging, enter: Set-AzContext -SubscriptionId <subscriptionID> Step 3: Get-AzStorageAccountKey - You must get that storage account key. Step 4: $secretvalue = ConvertTo-SecureString <storageAccountKey> -AsPlainText -Force Set-AzKeyVaultSecret -VaultName <vaultName> -Name <secretName> -SecretValue $secretvalue After retrieving your secret (in this case, your storage account key), you must convert that key to a secure string, and then create a secret with that value in your key vault. Step 5: Get-AzKeyVaultSecret - Next, get the URI for the secret you created. You'll need this URI in a later step to call the key vault and retrieve your secret. Run the following PowerShell command and make note of the ID value, which is the secret's URI: Get-AzKeyVaultSecret -VaultName <vaultName> Reference: https://docs.microsoft.com/bs-latn-ba/Azure/key-vault/key-vault-key-rotation-log-monitoring
Question 154
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You develop Azure solutions. You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager. You need to obtain an Azure Resource Manager access token. Solution: Use an X.509 certificate to authenticate the VM with Azure Resource Manager. Does the solution meet the goal?
A. Yes
B. No
Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint. Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm
Question 155
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You develop Azure solutions. You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager. You need to obtain an Azure Resource Manager access token. Solution: Use the Reader role-based access control (RBAC) role to authenticate the VM with Azure Resource Manager. Does the solution meet the goal?
A. Yes
B. No
Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint. Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm
Question 156
HOTSPOT - You are building a website that is used to review restaurants. The website will use an Azure CDN to improve performance and add functionality to requests. You build and deploy a mobile app for Apple iPhones. Whenever a user accesses the website from an iPhone, the user must be redirected to the app store. You need to implement an Azure CDN rule that ensures that iPhone users are redirected to the app store. How should you complete the Azure Resource Manager template? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: iOS - Azure AD Conditional Access supports the following device platforms: - Android - iOS - Windows Phone - Windows macOS Box 2: DeliveryRuleIsDeviceConditionParameters The DeliveryRuleIsDeviceCondition defines the IsDevice condition for the delivery rule. parameters defines the parameters for the condition. Box 3: HTTP_USER_AGENT - Incorrect Answers: - The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. It is used for backwards compatibility with HTTP/1.0 caches. - "X-Powered-By" is a common non-standard HTTP response header (most headers prefixed with an 'X-' are non-standard). Box 4: DeliveryRuleRequestHeaderConditionParameters DeliveryRuleRequestHeaderCondition defines the RequestHeader condition for the delivery rule. parameters defines the parameters for the condition. Box 5: iOS - The Require approved client app requirement only supports the iOS and Android for device platform condition. Reference: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant
Question 157
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials. You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group membership must be used to determine the permission level. You need to configure authorization. Solution: - Configure and use Integrated Windows Authentication in the website. - In the website, query Microsoft Graph API to load the groups to which the user is a member. Does the solution meet the goal?
A. Yes
B. No
Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources. Instead in the Azure AD application's manifest, set value of the groupMembershipClaims option to All. In the website, use the value of the groups claim from the JWT for the user to determine permissions. Reference: https://blogs.msdn.microsoft.com/waws/2017/03/13/azure-app-service-authentication-aad-groups/
Question 158
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You develop Azure solutions. You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager. You need to obtain an Azure Resource Manager access token. Solution: Run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint. Does the solution meet the goal?
A. Yes
B. No
Get an access token using the VM's system-assigned managed identity and use it to call Azure Resource Manager You will need to use PowerShell in this portion. 1. In the portal, navigate to Virtual Machines and go to your Windows virtual machine and in the Overview, click Connect. 2. Enter in your Username and Password for which you added when you created the Windows VM. 3. Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the remote session. 4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for Azure resources endpoint to get an access token for Azure Resource Manager. Example: $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https:// management.azure.com/' -Method GET -Headers @{Metadata="true"} Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm
Question 159
HOTSPOT - You are building a website to access project data related to teams within your organization. The website does not allow anonymous access. Authentication is performed using an Azure Active Directory (Azure AD) app named internal. The website has the following authentication requirements: - Azure AD users must be able to login to the website. - Personalization of the website must be based on membership in Active Directory groups. You need to configure the application's manifest to meet the authentication requirements. How should you configure the manifest? To answer, select the appropriate configuration in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: groupMembershipClaims - Scenario: Personalization of the website must be based on membership in Active Directory groups. Group claims can also be configured in the Optional Claims section of the Application Manifest. Enable group membership claims by changing the groupMembershipClaim The valid values are: "All" "SecurityGroup" "DistributionList" "DirectoryRole" Box 2: oauth2Permissions - Scenario: Azure AD users must be able to login to the website. oauth2Permissions specifies the collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. These permission scopes may be granted to client apps during consent. Incorrect Answers: oauth2AllowImplicitFlow. oauth2AllowImplicitFlow specifies whether this web app can request OAuth2.0 implicit flow access tokens. The default is false. This flag is used for browser-based apps, like Javascript single-page apps. Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
Question 160
You develop an app that allows users to upload photos and videos to Azure storage. The app uses a storage REST API call to upload the media to a blob storage account named Account1. You have blob storage containers named Container1 and Container2. Uploading of videos occurs on an irregular basis. You need to copy specific blobs from Container1 to Container2 when a new video is uploaded. What should you do?
A. Copy blobs to Container2 by using the Put Blob operation of the Blob Service REST API
B. Create an Event Grid topic that uses the Start-AzureStorageBlobCopy cmdlet
C. Use AzCopy with the Snapshot switch to copy blobs to Container2
D. Download the blob to a virtual machine and then upload the blob to Container2
The Start-AzureStorageBlobCopy cmdlet starts to copy a blob. Example 1: Copy a named blob - C:\PS>Start-AzureStorageBlobCopy -SrcBlob "ContosoPlanning2015" -DestContainer "ContosoArchives" -SrcContainer "ContosoUploads" This command starts the copy operation of the blob named ContosoPlanning2015 from the container named ContosoUploads to the container named ContosoArchives. Reference: https://docs.microsoft.com/en-us/powershell/module/azure.storage/start-azurestorageblobcopy?view=azurermps-6.13.0
