You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that ServerAdmins can perform the following tasks:
- Create virtual machines in RG1 only.
- Connect the virtual machines to the existing virtual networks in RG2 only.
The solution must use the principle of least privilege. Which two role-based access control (RBAC) roles should you assign to ServerAdmins? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
HOTSPOT - Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD). The Azure AD tenant contains the users shown in the following table.
You configure the Authentication methods - Password Protection settings for adatum.com as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
HOTSPOT - Your company has an Azure subscription named Subscription1. Subscription1 is associated with the Azure Active Directory tenant that includes the users shown in the following table.
The company is sold to a new owner. The company needs to transfer ownership of Subscription1. Which user can transfer the ownership and which tool should the user use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
You have an Azure subscription that uses Azure Active Directory (Azure AD) Privileged Identity Management (PIM). A PIM user that is assigned the User Access Administrator role reports receiving an authorization error when performing a role assignment or viewing the list of assignments. You need to resolve the issue by ensuring that the PIM service principal has the correct permissions for the subscription. The solution must use the principle of least privilege. Which role should you assign to the PIM service principal?
A. Contributor
B. User Access Administrator
C. Managed Application Operator
D. Resource Policy Contributor
Question 105
You have an Azure Active Directory (Azure AD) tenant that contains a user named Admin1. Admin1 is assigned the Application developer role. You purchase a cloud app named App1 and register App1 in Azure AD. Admin1 reports that the option to enable token encryption for App1 is unavailable. You need to ensure that Admin1 can enable token encryption for App1 in the Azure portal. What should you do?
A. Upload a certificate for App1.
B. Modify the API permissions of App1.
C. Add App1 as an enterprise application.
D. Assign Admin1 the Cloud application administrator role.
This is a tricky one because uploading a certificate is also required. However, the question states that the Token Encryption option is unavailable. This is because the app is not added as an enterprise application. When the app is added as an enterprise application, the Token Encryption option will be available. Then you can upload the certificate. Reference: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption
Question 106
You plan to deploy an app that will modify the properties of Azure Active Directory (Azure AD) users by using Microsoft Graph. You need to ensure that the app can access Azure AD. What should you configure first?
You have a Microsoft 365 tenant that uses an Azure Active Directory (Azure AD) tenant. The Azure AD tenant syncs to an on-premises Active Directory domain by using an instance of Azure AD Connect. You create a new Azure subscription. You discover that the synced on-premises user accounts cannot be assigned roles in the new subscription. You need to ensure that you can assign Azure and Microsoft 365 roles to the synced Azure AD user accounts. What should you do first?
A. Configure the Azure AD tenant used by the new subscription to use pass-through authentication.
B. Configure the Azure AD tenant used by the new subscription to use federated authentication.
C. Change the Azure AD tenant used by the new subscription.
D. Configure a second instance of Azure AD Connect.
Question 108
You have an Azure subscription that contains an app named App1. App1 has the app registration shown in the following table.
You need to ensure that App1 can read all user calendars and create appointments. The solution must use the principle of least privilege. What should you do?
A. Add a new Delegated API permission for Microsoft.Graph Calendars.ReadWrite.
B. Add a new Application API permission for Microsoft.Graph Calendars.ReadWrite.
C. Select Grant admin consent.
D. Add a new Delegated API permission for Microsoft.Graph Calendars.ReadWrite.Shared.
HOTSPOT - You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:
- Assignments: Include Group1, exclude Group2
- Conditions: Sign-in risk level: Low and above
- Access: Allow access, Require multi-factor authentication
You need to identify what occurs when the users sign in to Azure AD. What should you identify for each user? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
HOTSPOT - You have an Azure subscription that contains an Azure SQL database named SQL1. You plan to deploy a web app named App1. You need to provide App1 with read and write access to SQL1. The solution must meet the following requirements:
- Provide App1 with access to SQL1 without storing a password.
- Use the principle of least privilege.
- Minimize administrative effort.
Which type of account should App1 use to access SQL1, and which database roles should you assign to App1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area: