

Microsoft AZ-305 Exam


Question 21
HOTSPOT -
You need to design an Azure policy that will implement the following functionality:
- For new resources, assign tags and values that match the tags and values of the resource group to which the resources are deployed.
- For existing resources, identify whether the tags and values match the tags and values of the resource group that contains the resources.
- For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values.
The solution must use the principle of least privilege.
What should you include in the design? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
[Exhibit image: AZ-305_21Q.png]
[Answer image: AZ-305_21R.png]
Box 1: Modify -
Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations. Policy assignments with effect set as Modify require a managed identity to do remediation.
Incorrect:
* The following effects are deprecated: EnforceOPAConstraint, EnforceRegoPolicy.
* Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.
Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it's recommended to use the Modify effect for tags instead.
Box 2: A managed identity with the Contributor role
The managed identity used by the policy assignment must be granted the roles required to remediate the resources; the role is specified in the policy definition's roleDefinitionIds.
Contributor - Can create and manage all types of Azure resources but can't grant access to others.
Incorrect:
User Access Administrator: lets you manage user access to Azure resources.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
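As an added illustration (not part of the dump and not Microsoft's own built-in definition text), a policy definition with the shape the answer describes: a Modify effect whose single operation adds the missing tag with the value taken from the resource group, and a roleDefinitionIds entry naming the role the remediation managed identity must hold. The tagName parameter and the Contributor role ID reference are assumptions for this example; existing non-compliant resources are fixed by creating a remediation task for the assignment.

```json
{
  "properties": {
    "displayName": "Inherit a tag from the resource group if missing (example)",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag to inherit, such as costCenter (assumed parameter)"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  }
}
```

The roleDefinitionIds entry is the Contributor built-in role; the managed identity on the assignment must actually hold that role at the assignment scope, or the remediation task cannot write the tag.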

Question 22
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.
[Exhibit image: AZ-305_22Q_1.png]
You create an Azure SQL database named DB1 that is hosted in the East US Azure region.
To DB1, you add a diagnostic setting named Settings1. Settings1 archives SQLInsights to storage1 and sends SQLInsights to Workspace1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
[Exhibit image: AZ-305_22Q_2.png]
[Answer image: AZ-305_22R.png]
Box 1: Yes -
A single diagnostic setting can define no more than one of each of the destinations. If you want to send data to more than one of a particular destination type (for example, two different Log Analytics workspaces), then create multiple settings.
Each resource can have up to 5 diagnostic settings.
Note: This diagnostic telemetry can be streamed to one of the following Azure resources for analysis.
* Log Analytics workspace
* Azure Event Hubs
* Azure Storage
Box 2: Yes -
Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings
https://docs.microsoft.com/en-us/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure?tabs=azure-portal

Question 23
You plan to deploy an Azure SQL database that will store Personally Identifiable Information (PII).
You need to ensure that only privileged users can view the PII.
What should you include in the solution?
A. dynamic data masking
B. role-based access control (RBAC)
C. Data Discovery & Classification
D. Transparent Data Encryption (TDE)
Dynamic data masking limits sensitive data exposure by masking it to non-privileged users.
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. It's a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview

Question 24
You plan to deploy an app that will use an Azure Storage account.
You need to deploy the storage account. The storage account must meet the following requirements:
- Store the data for multiple users.
- Encrypt each user's data by using a separate key.
- Encrypt all the data in the storage account by using customer-managed keys.
What should you deploy?
A. files in a premium file share storage account
B. blobs in a general purpose v2 storage account
C. blobs in an Azure Data Lake Storage Gen2 account
D. files in a general purpose v2 storage account
You can specify a customer-provided key on Blob storage operations. A client making a read or write request against Blob storage can include an encryption key on the request for granular control over how blob data is encrypted and decrypted.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption

Question 25
HOTSPOT -
You have an Azure App Service web app that uses a system-assigned managed identity.
You need to recommend a solution to store the settings of the web app as secrets in an Azure key vault. The solution must meet the following requirements:
- Minimize changes to the app code.
- Use the principle of least privilege.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
[Exhibit image: AZ-305_25Q.png]
[Answer image: AZ-305_25R.png]
Box 1: Key Vault references in Application settings
Source Application Settings from Key Vault.
Key Vault references can be used as values for Application Settings, allowing you to keep secrets in Key Vault instead of the site config. Application Settings are securely encrypted at rest, but if you need secret management capabilities, they should go into Key Vault.
To use a Key Vault reference for an app setting, set the reference as the value of the setting. Your app can reference the secret through its key as normal. No code changes are required.
Box 2: Secrets: Get -
In order to read secrets from Key Vault, you need to have a vault created and give your app permission to access it.
1. Create a key vault by following the Key Vault quickstart.
2. Create a managed identity for your application.
3. Key Vault references use the app's system-assigned identity by default, but you can specify a user-assigned identity.
4. Create an access policy in Key Vault for the application identity you created earlier. Enable the "Get" secret permission on this policy.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references


Question 26
You plan to deploy an application named App1 that will run on five Azure virtual machines. Additional virtual machines will be deployed later to run App1.
You need to recommend a solution to meet the following requirements for the virtual machines that will run App1:
- Ensure that the virtual machines can authenticate to Azure Active Directory (Azure AD) to gain access to an Azure key vault, Azure Logic Apps instances, and an Azure SQL database.
- Avoid assigning new roles and permissions for Azure services when you deploy additional virtual machines.
- Avoid storing secrets and certificates on the virtual machines.
- Minimize administrative effort for managing identities.
Which type of identity should you include in the recommendation?
A. a system-assigned managed identity
B. a service principal that is configured to use a certificate
C. a service principal that is configured to use a client secret
D. a user-assigned managed identity
Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication.
A user-assigned managed identity:
Can be shared.
The same user-assigned managed identity can be associated with more than one Azure resource.
Common usage:
Workloads that run on multiple resources and can share a single identity.
For example, a workload where multiple virtual machines need to access the same resource.
Incorrect:
Not A: A system-assigned managed identity can't be shared. It can only be associated with a single Azure resource.
Typical usage:
Workloads that are contained within a single Azure resource.
Workloads for which you need independent identities.
For example, an application that runs on a single virtual machine.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Question 27
You have the resources shown in the following table:
[Exhibit image: AZ-305_27Q.png]
CDB1 hosts a container that stores continuously updated operational data.
You are designing a solution that will use AS1 to analyze the operational data daily.
You need to recommend a solution to analyze the data without affecting the performance of the operational data store.
What should you include in the recommendation?
A. Azure Cosmos DB change feed
B. Azure Data Factory with Azure Cosmos DB and Azure Synapse Analytics connectors
C. Azure Synapse Link for Azure Cosmos DB
D. Azure Synapse Analytics with PolyBase data loading
Azure Synapse Link for Azure Cosmos DB creates a tight integration between Azure Cosmos DB and Azure Synapse Analytics. It enables customers to run near real-time analytics over their operational data with full performance isolation from their transactional workloads and without an ETL pipeline.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/synapse-link-frequently-asked-questions

Question 28
HOTSPOT -
You deploy several Azure SQL Database instances.
You plan to configure the Diagnostics settings on the databases as shown in the following exhibit.
[Exhibit image: AZ-305_28Q_1.jpg]
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
[Exhibit image: AZ-305_28Q_2.png]
[Answer image: AZ-305_28R.png]
Box 1: 90 days -
As per exhibit.
Box 2: 730 days -
How long is the data kept?
Raw data points (that is, items that you can query in Analytics and inspect in Search) are kept for up to 730 days.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/data-retention-privacy

Question 29
You have an application that is used by 6,000 users to validate their vacation requests. The application manages its own credential store.
Users must enter a username and password to access the application. The application does NOT support identity providers.
You plan to upgrade the application to use single sign-on (SSO) authentication by using an Azure Active Directory (Azure AD) application registration.
Which SSO method should you use?
A. header-based
B. SAML
C. password-based
D. OpenID Connect
Password - On-premises applications can use a password-based method for SSO. This choice works when applications are configured for Application Proxy.
With password-based SSO, users sign in to the application with a username and password the first time they access it. After the first sign-on, Azure AD provides the username and password to the application. Password-based SSO enables secure application password storage and replay using a web browser extension or mobile app. This option uses the existing sign-in process provided by the application, enables an administrator to manage the passwords, and doesn't require the user to know the password.
Incorrect:
Choosing an SSO method depends on how the application is configured for authentication. Cloud applications can use federation-based options, such as OpenID Connect, OAuth, and SAML.
Federation - When you set up SSO to work between multiple identity providers, it's called federation.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on

Question 30
HOTSPOT -
You have an Azure subscription that contains a virtual network named VNET1 and 10 virtual machines. The virtual machines are connected to VNET1.
You need to design a solution to manage the virtual machines from the internet. The solution must meet the following requirements:
- Incoming connections to the virtual machines must be authenticated by using Azure Multi-Factor Authentication (MFA) before network connectivity is allowed.
- Incoming connections must use TLS and connect to TCP port 443.
- The solution must support RDP and SSH.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
[Exhibit image: AZ-305_30Q.png]
[Answer image: AZ-305_30R.png]
Box 1: Just-in-time (JIT) VM access
Lock down inbound traffic to your Azure Virtual Machines with Microsoft Defender for Cloud's just-in-time (JIT) virtual machine (VM) access feature. This reduces exposure to attacks while providing easy access when you need to connect to a VM.
Note: Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. Your legitimate users also use these ports, so it's not practical to keep them closed.
To solve this dilemma, Microsoft Defender for Cloud offers JIT. With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
When you enable just-in-time VM access, you select the ports on the VM to which inbound traffic will be blocked until access is requested.
Box 2: A Conditional Access policy that has the Cloud apps assignment set to Azure Windows VM Sign-In
You can enforce Conditional Access policies such as multi-factor authentication or a user sign-in risk check before authorizing access to Windows VMs in Azure that are enabled for Azure AD sign-in. To apply a Conditional Access policy, select the "Azure Windows VM Sign-In" app from the Cloud apps or actions assignment option, then use Sign-in risk as a condition and/or require multi-factor authentication as a grant access control.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows