
AZ900 Questions#3

You have an Azure environment with 10 virtual networks and 100 virtual machines. To limit inbound traffic to all the virtual networks, you should create a single Azure firewall. Azure Firewall allows you to centrally create and enforce network connectivity policies across subscriptions and virtual networks using a static public IP address. You need to collect and analyze security events from Azure Active Directory. Azure Sentinel should be used to automatically analyze security events from Azure AD. To ensure a virtual machine named VM1 is accessible over HTTP from the Internet, modifying an Azure firewall by adding a rule allowing connections on port 80 would meet the goal.

Uploaded by

gatrinekki

1. You have an Azure environment that contains 10 virtual networks and
100 virtual machines.

You need to limit the amount of inbound traffic to all the Azure virtual
networks.

What should you create?

o one application security group (ASG)
o 10 virtual network gateways
o 10 Azure ExpressRoute circuits
o one Azure firewall

Explanation:
You can restrict traffic to multiple virtual networks with a single Azure firewall.

Azure Firewall is a managed, cloud-based network security service that protects your
Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in
high availability and unrestricted cloud scalability.
You can centrally create, enforce, and log application and network connectivity policies
across subscriptions and virtual networks. Azure Firewall uses a static public IP address
for your virtual network resources allowing outside firewalls to identify traffic
originating from your virtual network.

2. This question requires that you evaluate the underlined text to
determine if it is correct.

Azure Key Vault is used to store secrets for Azure Active Directory
(Azure AD) user accounts.

Instructions: Review the underlined text. If it makes the statement
correct, select “No change is needed”. If the statement is incorrect, select
the answer choice that makes the statement correct.

o No change is needed
o Azure Active Directory (Azure AD) administrative accounts
o Personally Identifiable Information (PII)
o server applications

Explanation:
Key Vault is designed to store configuration secrets for server apps. It’s not intended for
storing data belonging to your app’s users, and it shouldn’t be used in the client-side part
of an app.

3. Your company plans to automate the deployment of servers to Azure.

Your manager is concerned that you may expose administrative
credentials during the deployment.

You need to recommend an Azure solution that encrypts the
administrative credentials during the deployment.

What should you include in the recommendation?

o Azure Key Vault
o Azure Information Protection
o Azure Security Center
o Azure Multi-Factor Authentication (MFA)

Explanation:
Azure Key Vault is a secure store for storing various types of sensitive information. In
this question, we would store the administrative credentials in the Key Vault. With this
solution, there is no need to store the administrative credentials as plain text in the
deployment scripts.

All information stored in the Key Vault is encrypted.

Azure Key Vault can be used to securely store and tightly control access to tokens,
passwords, certificates, API keys, and other secrets.
Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key
lengths, and hardware security modules (HSMs). The HSMs used are Federal Information
Processing Standards (FIPS) 140-2 Level 2 validated.

Access to a key vault requires proper authentication and authorization before a caller
(user or application) can get access. Authentication establishes the identity of the caller,
while authorization determines the operations that they are allowed to perform.

4. You plan to deploy several Azure virtual machines.

You need to control the ports that devices on the Internet can use to
access the virtual machines.

What should you use?

o a network security group (NSG)
o an Azure Active Directory (Azure AD) role
o an Azure Active Directory group
o an Azure key vault

Explanation:
A network security group works like a firewall. You can attach a network security group
to a virtual network and/or individual subnets within the virtual network. You can also
attach a network security group to a network interface assigned to a virtual machine. You
can use multiple network security groups within a virtual network to restrict traffic
between resources such as virtual machines and subnets.

You can filter network traffic to and from Azure resources in an Azure virtual network
with a network security group. A network security group contains security rules that
allow or deny inbound network traffic to, or outbound network traffic from, several types
of Azure resources.

5. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
When you create a virtual machine, the default setting is to create a Network Security
Group attached to the network interface assigned to a virtual machine.

A network security group works like a firewall. You can attach a network security group
to a virtual network and/or individual subnets within the virtual network. You can also
attach a network security group to a network interface assigned to a virtual machine. You
can use multiple network security groups within a virtual network to restrict traffic
between resources such as virtual machines and subnets.

You can filter network traffic to and from Azure resources in an Azure virtual network
with a network security group. A network security group contains security rules that
allow or deny inbound network traffic to, or outbound network traffic from, several types
of Azure resources.

In this question, we need to add a rule to the network security group to allow the
connection to the virtual machine on port 8080.

6. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


7. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from
the Internet over HTTP.

Solution: You modify a network security group (NSG).

Does this meet the goal?

o Yes
o No

Explanation:
A network security group works like a firewall. You can attach a network security group
to a virtual network and/or individual subnets within the virtual network. You can also
attach a network security group to a network interface assigned to a virtual machine. You
can use multiple network security groups within a virtual network to restrict traffic
between resources such as virtual machines and subnets.

You can filter network traffic to and from Azure resources in an Azure virtual network
with a network security group. A network security group contains security rules that
allow or deny inbound network traffic to, or outbound network traffic from, several types
of Azure resources.

In this question, we need to add a rule to the network security group to allow the
connection to the virtual machine on port 80 (HTTP).

8. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from
the Internet over HTTP.

Solution: You modify a DDoS protection plan.

Does this meet the goal?

o Yes
o No

Explanation:
DDoS is a form of attack on a network resource. A DDoS protection plan is used to protect
against DDoS attacks; it does not provide connectivity to a virtual machine.

To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP,
you need to modify a network security group or Azure Firewall.

9. You need to collect and automatically analyze security events from
Azure Active Directory (Azure AD).

What should you use?

o Azure Sentinel
o Azure Synapse Analytics
o Azure AD Connect
o Azure Key Vault

10. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from
the Internet over HTTP.

Solution: You modify an Azure firewall.

Does this meet the goal?

o Yes
o No

Explanation:
Azure Firewall is a managed, cloud-based network security service that protects your
Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in
high availability and unrestricted cloud scalability.

In this question, we need to add a rule to Azure Firewall to allow the connection to the
virtual machine on port 80 (HTTP).

11. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from
the Internet over HTTP.

Solution: You modify an Azure Traffic Manager profile.

Does this meet the goal?

o Yes
o No

Explanation:
Azure Traffic Manager is a DNS-based load balancing solution. It is not used to ensure
that a virtual machine named VM1 is accessible from the Internet over HTTP.

To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP,
you need to modify a network security group or Azure Firewall.

In this question, we need to add a rule to a network security group or Azure Firewall to
allow the connection to the virtual machine on port 80 (HTTP).

12. Your company plans to deploy several web servers and several database
servers to Azure.

You need to recommend an Azure solution to limit the types of
connections from the web servers to the database servers.

What should you include in the recommendation?

o network security groups (NSGs)
o Azure Service Bus
o a local network gateway
o a route filter

Explanation:
A network security group works like a firewall. You can attach a network security group
to a virtual network and/or individual subnets within the virtual network. You can also
attach a network security group to a network interface assigned to a virtual machine. You
can use multiple network security groups within a virtual network to restrict traffic
between resources such as virtual machines and subnets.

You can filter network traffic to and from Azure resources in an Azure virtual network
with a network security group. A network security group contains security rules that
allow or deny inbound network traffic to, or outbound network traffic from, several types
of Azure resources.

13. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
You would use the Azure Activity Log, not Access Control, to view which user turned off a
specific virtual machine during the last 14 days.

Activity logs are kept for 90 days. You can query for any range of dates, as long as the
starting date isn’t more than 90 days in the past.

In this question, we would create a filter to display shutdown operations on the virtual
machine in the last 14 days.

14. Which service provides network traffic filtering across multiple Azure
subscriptions and virtual networks?

o Azure Firewall
o an application security group
o Azure DDoS protection
o a network security group (NSG)

Explanation:
You can restrict traffic to multiple virtual networks in multiple subscriptions with a
single Azure firewall.

Azure Firewall is a managed, cloud-based network security service that protects your
Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in
high availability and unrestricted cloud scalability.
You can centrally create, enforce, and log application and network connectivity policies
across subscriptions and virtual networks. Azure Firewall uses a static public IP address
for your virtual network resources allowing outside firewalls to identify traffic
originating from your virtual network.

15. Which Azure service should you use to store certificates?

o Azure Security Center
o an Azure Storage account
o Azure Key Vault
o Azure Information Protection

Explanation:
Azure Key Vault is a secure store for storing various types of sensitive information
including passwords and certificates.

Azure Key Vault can be used to securely store and tightly control access to tokens,
passwords, certificates, API keys, and other secrets.
Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key
lengths, and hardware security modules (HSMs). The HSMs used are Federal Information
Processing Standards (FIPS) 140-2 Level 2 validated.

Access to a key vault requires proper authentication and authorization before a caller
(user or application) can get access. Authentication establishes the identity of the caller,
while authorization determines the operations that they are allowed to perform.

16. Which Azure service can you use as a security information and event
management (SIEM) solution?

o Azure Analysis Services
o Azure Sentinel
o Azure Information Protection
o Azure Cognitive Services

17. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

18. DRAG DROP

Match the Azure service to the correct description.

Instructions: To answer, drag the appropriate service from the column on the left to its
description on the right. Each service may be used once, more than once, or not at all.

NOTE: Each correct match is worth one point.


Explanation:
Box 1: Azure Sentinel
Box 2: Azure Security Center
Box 3: Azure Key Vault
Incorrect Answer:
– Azure Active Directory (Azure AD)
Azure AD is an identity and access management service, which helps your employees
sign in and access resources.
– Azure Lighthouse
Azure Lighthouse is used for cross- and multi-tenant management.

19. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: No
Azure firewall does not encrypt network traffic. It is used to block or allow traffic based
on source/destination IP address, source/destination ports and protocol.
Box 2: No
A network security group does not encrypt network traffic. It works in a similar way to a
firewall in that it is used to block or allow traffic based on source/destination IP address,
source/destination ports and protocol.
Box 3: No
The question is rather vague as it would depend on the configuration of the host on the
Internet. Windows Server does come with a VPN client and it also supports other
encryption methods such as IPsec encryption or SSL/TLS, so it could encrypt the traffic if
the Internet host was configured to require or accept the encryption. However, the VM
could not encrypt the traffic to an Internet host that is not configured to require the
encryption.

20. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: Yes
Azure Security Center is a unified infrastructure security management system that
strengthens the security posture of your data centers, and provides advanced threat
protection across your hybrid workloads in the cloud – whether they’re in Azure or not –
as well as on premises.
Box 2: No
Only two features: Continuous assessment and security recommendations, and Azure
secure score, are free.
Box 3: Yes
The advanced monitoring capabilities in Security Center also let you track and manage
compliance and governance over time. The overall compliance provides you with a
measure of how much your subscriptions are compliant with policies associated with
your workload.

21. You need to complete the defense-in-depth strategy used in a
datacenter. What should you do? To answer, drag the appropriate layers
to the correct positions in the model. Each layer may be used once, more
than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.

NOTE: Each correct selection is worth one point. (DRAG DROP)


Explanation:
Defence in depth layers (from bottom to top):
Data
– In almost all cases attackers are after data.
– Data can be in a database, stored on disk inside VMs, on a SaaS application such as Office
365 or in cloud storage.
– Those storing and controlling access to data must ensure that it’s properly secured.
– Often regulatory requirements dictate controls and processes to ensure
confidentiality, integrity, and availability.
Application
– Ensure applications are secure and free of vulnerabilities.
– Store sensitive application secrets in a secure storage medium.
– Make security a design requirement for all application development.
– Integrate security into the application development life cycle.
Compute
– Secure access to virtual machines.
– Implement endpoint protection and keep systems patched and current.
– Malware, unpatched systems, and improperly secured systems open your environment
to attacks.
Networking
– Limit communication between resources.
– Deny by default.
– Allow only what is required.
– Restrict inbound internet access and limit outbound, where appropriate.
– Implement secure connectivity to on-premises networks.
Perimeter
– Use distributed denial of service (DDoS) protection to filter large-scale attacks before
they can cause a denial of service for end users.
– Use perimeter firewalls to identify and alert on malicious attacks against your network.
Identity and access
– Control access to infrastructure and change control.
– Access granted is only what is needed.
– Use single sign-on and multi-factor authentication.
– Audit events and changes.
Physical security
– Building security & controlling access to computing hardware.
– First line of defense.

22. You have an Azure virtual machine named VM1.

You plan to encrypt VM1 by using Azure Disk Encryption.

Which Azure resource must you create first?

o an Azure Storage account
o an Azure Key Vault
o an Azure Information Protection policy
o an Encryption key

Explanation:
Azure Disk Encryption requires an Azure Key Vault to control and manage disk
encryption keys and secrets.

23. Which resources can be used as a source for a Network security group
inbound security rule?

o Service Tags only
o IP Addresses, Service tags and Application security groups
o Application security groups only
o IP Addresses only

Explanation:
Source or destination:
Any, or an individual IP address, classless inter-domain routing (CIDR) block
(10.0.0.0/24, for example), service tag, or application security group.

24. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

25. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

26. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

27. HOTSPOT
To complete the sentence, select the appropriate option in the answer area.

Explanation:
The VNet will be marked as ‘Non-compliant’ when the policy is assigned. However, it will
not be deleted and will continue to function normally.
Azure Policy is a service in Azure that you use to create, assign, and manage policies.
These policies enforce different rules and effects over your resources, so those resources
stay compliant with your corporate standards and service level agreements.
If there are any existing resources that aren’t compliant with a new policy assignment,
they appear under Non-compliant resources.

28. Your company has an Azure subscription that contains resources in
several regions.

You need to create the Azure resource that must be used to meet the
policy requirement.

What should you create?

o a read-only lock
o an Azure policy
o a management group
o a reservation

Explanation:
Azure policies can be used to define requirements for resource properties during
deployment and for already existing resources. Azure Policy controls properties such as
the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies.
These policies enforce different rules and effects over your resources, so those resources
stay compliant with your corporate standards and service level agreements. Azure Policy
meets this need by evaluating your resources for non-compliance with assigned policies.
All data stored by Azure Policy is encrypted at rest.

Azure Policy offers several built-in policies that are available by default. In this question,
we would use the ‘Allowed Locations’ policy to define the locations where resources can
be deployed.

29. This question requires that you evaluate the underlined text to
determine if it is correct.

From Azure Cloud Shell, you can track your company’s regulatory
standards and regulations, such as ISO 27001.

Instructions: Review the underlined text. If it makes the statement
correct, select “No change is needed.” If the statement is incorrect, select
the answer choice that makes the statement correct.

o No change is needed.
o the Microsoft Cloud Partner Portal
o Compliance Manager
o the Trust Center

Explanation:
Microsoft Compliance Manager (Preview) is a free workflow-based risk assessment tool
that lets you track, assign, and verify regulatory compliance activities related to Microsoft
cloud services. Azure Cloud Shell, on the other hand, is an interactive, authenticated,
browser-accessible shell for managing Azure resources.

30. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


Explanation:
Azure AD join only applies to Windows 10 devices.

31. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
The Microsoft Privacy Statement explains what personal data Microsoft processes, how
Microsoft processes the data, and the purpose of processing the data.

32. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
Authentication, not authorization, is the process of verifying a user’s credentials.

The difference between authentication and authorization is:
– Authentication is proving your identity, proving that you are who you say you are. The
most common example of this is logging in to a system by providing credentials such as a
username and password.
– Authorization is what you’re allowed to do once you’ve been authenticated. For
example, what resources you’re allowed to access and what you can do with those
resources.

33. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

34. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

35. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

36. HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

37. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

38. HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

39. Your company plans to migrate all on-premises data to Azure.

You need to identify whether Azure complies with the company’s
regional requirements.

What should you use?

o the Knowledge Center
o Azure Marketplace
o the MyApps portal
o the Trust Center

Explanation:
Azure has more than 90 compliance certifications, including over 50 specific to global
regions and countries, such as the US, the European Union, Germany, Japan, the United
Kingdom, India and China.

You can view a list of compliance certifications in the Trust Center to determine whether
Azure meets your regional requirements.

40. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


Explanation:
Box 1: No
Authorization to access Azure resources can be provided by other identity providers by
using federation. A commonly used example of this is to federate your on-premises
Active Directory environment with Azure AD and use this federation for authentication
and authorization.
Box 2: Yes
As described above, third-party cloud services and on-premises Active Directory can be
used to access Azure resources. This is known as ‘federation’.
Federation is a collection of domains that have established trust. The level of trust may
vary, but typically includes authentication and almost always includes authorization. A
typical federation might include a number of organizations that have established trust for
shared access to a set of resources.
Box 3: Yes
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is
the primary built-in authentication and authorization service to provide secure access to
Azure resources.

41. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
You can configure a lock on a resource group to prevent the accidental deletion of the
resource group. The lock applies to everyone, including global administrators. If you
want to delete the resource group, the lock must be removed first.

As an administrator, you may need to lock a subscription, resource group, or resource to
prevent other users in your organization from accidentally deleting or modifying critical
resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the
locks are called Delete and Read-only respectively.
– CanNotDelete means authorized users can still read and modify a resource, but they
can’t delete the resource.
– ReadOnly means authorized users can read a resource, but they can’t delete or update
the resource. Applying this lock is similar to restricting all authorized users to the
permissions granted by the Reader role.

42. This question requires that you evaluate the underlined text to
determine if it is correct.

Azure Germany can be used by legal residents of Germany only.

Instructions: Review the underlined text. If it makes the statement
correct, select “No change is needed”. If the statement is incorrect, select
the answer choice that makes the statement correct.

o no change is needed
o only enterprises that are registered in Germany
o only enterprises that purchase their Azure licenses from a partner based in
Germany
o any user or enterprise that requires its data to reside in Germany

Explanation:
Azure Germany is available to eligible customers and partners globally who intend to do
business in the EU/EFTA, including the United Kingdom.

Azure Germany offers a separate instance of Microsoft Azure services from within
German datacenters. The datacenters are in two locations, Frankfurt/Main and
Magdeburg. This placement ensures that customer data remains in Germany and that the
datacenters connect to each other through a private network. All customer data is
exclusively stored in those datacenters. A designated German company–the German data
trustee–controls access to customer data and the systems and infrastructure that hold
customer data.

43. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


Explanation:
Box 1: Yes
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active
Directory Connect synchronization services (Azure AD Connect sync) is a main
component of Azure AD Connect. It takes care of all the operations that are related to
synchronizing identity data between your on-premises environment and Azure AD.
Box 2: Yes
As described above, third-party cloud services and on-premises Active Directory can be
used to access Azure resources. This is known as ‘federation’.
Federation is a collection of domains that have established trust. The level of trust may
vary, but typically includes authentication and almost always includes authorization. A
typical federation might include a number of organizations that have established trust for
shared access to a set of resources.
Box 3: Yes
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is
the primary built-in authentication and authorization service to provide secure access to
Azure resources.

44. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
The advanced monitoring capabilities in Security Center let you track and manage
compliance and governance over time. The overall compliance provides you with a
measure of how much your subscriptions are compliant with policies associated with
your workload.

45. What should you use to evaluate whether your company’s Azure
environment meets regulatory requirements?

o Azure Service Health
o Azure Knowledge Center
o Azure Security Center
o Azure Advisor

Explanation:
The advanced monitoring capabilities in Security Center let you track and manage
compliance and governance over time. The overall compliance provides you with a
measure of how much your subscriptions are compliant with policies associated with
your workload.

46. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
Azure Information Protection is used to automatically add a watermark to Microsoft
Word documents that contain credit card information.

You use Azure Information Protection labels to apply classification to documents and
emails. When you do this, the classification is identifiable regardless of where the data is
stored or with whom it’s shared. The labels can include visual markings such as a header,
footer, or watermark.

Labels can be applied automatically by administrators who define rules and conditions,
manually by users, or a combination where users are given recommendations. In this
question, we would configure a label to be automatically applied to Microsoft Word
documents that contain credit card information. The label would then add the watermark
to the documents.

47. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


Explanation:
Box 1: No
Azure Active Directory (Azure AD) is a cloud-based service. It does not require domain
controllers on virtual machines.
Box 2: Yes
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is
the primary built-in authentication and authorization service to provide secure access to
Azure resources and Microsoft 365.
Box 3: No
User accounts in Azure Active Directory can be assigned multiple licenses for different
Azure or Microsoft 365 services.

48. Which two types of customers are eligible to use Azure Government to
develop a cloud solution? Each correct answer presents a complete
solution.

NOTE: Each correct selection is worth one point.

o a Canadian government contractor
o a European government contractor
o a United States government entity
o a United States government contractor
o a European government entity

Explanation:
Azure Government is a cloud environment specifically built to meet compliance and
security requirements for US government. This mission-critical cloud delivers
breakthrough innovation to U.S. government customers and their partners. Azure
Government applies to government at any level – from state and local governments to
federal agencies including Department of Defense agencies.

The key difference between Microsoft Azure and Microsoft Azure Government is that
Azure Government is a sovereign cloud. It’s a physically separated instance of Azure,
dedicated to U.S. government workloads only. It’s built exclusively for government
agencies and their solution providers.

49. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: No
It is not true that you must deploy a federation solution or sync on-premises identities to
the cloud. You can have a cloud-only environment and use MFA.
Box 2: No
Picture identification and passport numbers are not valid MFA authentication methods.
Valid methods include: Password, Microsoft Authenticator App, SMS and Voice call.
Box 3:
You can configure MFA to be required for administrator accounts only or you can
configure MFA for any user account.

50. You need to ensure that when Azure Active Directory (Azure AD) users
connect to Azure AD from the Internet by using an anonymous IP
address, the users are prompted automatically to change their
password.

Which Azure service should you use?

o Azure AD Connect Health
o Azure AD Privileged Identity Management
o Azure Advanced Threat Protection (ATP)
o Azure AD Identity Protection

Explanation:
Azure AD Identity Protection includes two risk policies: sign-in risk policy and user risk
policy. A sign-in risk represents the probability that a given authentication request isn’t
authorized by the identity owner.

There are several types of risk detection. One of them is Anonymous IP Address. This risk
detection type indicates sign-ins from an anonymous IP address (for example, Tor
browser or anonymous VPN). These IP addresses are typically used by actors who want
to hide their login telemetry (IP address, location, device, etc.) for potentially malicious
intent.

You can configure the sign-in risk policy to require that users change their password.

51. DRAG DROP

Match the term to the correct definition. Instructions: To answer, drag the appropriate
term from the column on the left to its description on the right. Each term may be used
once, more than once, or not at all.
NOTE: Each correct match is worth one point.

Explanation:
Box 1: ISO
ISO is the International Organization for Standardization. Companies can be certified to
ISO standards, for example ISO 9001 or 27001 are commonly used in IT companies.
Box 2: NIST
The National Institute of Standards and Technology (NIST) is a physical sciences
laboratory, and a non-regulatory agency of the United States Department of Commerce.
Box 3: GDPR
GDPR is the General Data Protection Regulation. This standard was adopted across
Europe in May 2018 and replaces the now deprecated Data Protection Directive.
The General Data Protection Regulation (EU) (GDPR) is a regulation in EU law on data
protection and privacy in the European Union (EU) and the European Economic Area
(EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The
GDPR aims primarily to give control to individuals over their personal data and to
simplify the regulatory environment for international business by unifying the regulation
within the EU.
Box 4: Azure Government
US government agencies or their partners interested in cloud services that meet
government security and compliance requirements, can be confident that Microsoft
Azure Government provides world-class security, protection, and compliance services.
Azure Government delivers a dedicated cloud enabling government agencies and their
partners to transform mission-critical workloads to the cloud. Azure Government
services handle data that is subject to certain government regulations and requirements,
such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. In order to
provide you with the highest level of security and compliance, Azure Government uses
physically isolated datacenters and networks (located in U.S. only).

52. To what should an application connect to retrieve security tokens?

o an Azure Storage account
o Azure Active Directory (Azure AD)
o a certificate store
o an Azure key vault

Explanation:
Key Vault is designed to store configuration secrets for server apps.

Incorrect Answers:
A: An Azure Storage account is used to store data. It is not used to store secrets for
applications.
B: Azure Active Directory (Azure AD) is a centralized identity provider in the cloud that
authenticates users and provides access tokens to them. It is not used for applications.

53. Your network contains an Active Directory Forest. The forest contains
5,000 user accounts.

Your company plans to migrate all network resources to Azure and to
decommission the on-premises data center.

You need to recommend a solution to minimize the impact on users after
the planned migration.

What should you recommend?

o Implement Azure Multi-Factor Authentication (MFA)
o Sync all the Active Directory user accounts to Azure Active Directory (Azure
AD)
o Instruct all users to change their password
o Create a guest user account in Azure Active Directory (Azure AD) for each
user

Explanation:
To migrate to Azure and decommission the on-premises data center, you would need to
create the 5,000 user accounts in Azure Active Directory. The easy way to do this is to
sync all the Active Directory user accounts to Azure Active Directory (Azure AD). You can
even sync their passwords to further minimize the impact on users.
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active
Directory Connect synchronization services (Azure AD Connect sync) is a main
component of Azure AD Connect. It takes care of all the operations that are related to
synchronizing identity data between your on-premises environment and Azure AD.

54. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


Explanation:
Box 1: Yes
You can send Azure AD activity logs to Azure Monitor logs to enable rich visualizations,
monitoring and alerting on the connected data.
All data collected by Azure Monitor fits into one of two fundamental types, metrics and
logs (including Azure AD activity logs). Activity logs record when resources are created
or modified. Metrics tell you how the resource is performing and the resources that it’s
consuming.
Box 2: Yes
Azure Monitor can consolidate log entries from multiple Azure resources, subscriptions,
and tenants into one location for analysis together.
Box 3: Yes
You can create alerts in Azure Monitor.
Alerts in Azure Monitor proactively notify you of critical conditions and potentially
attempt to take corrective action. Alert rules based on metrics provide near real time
alerting based on numeric values, while rules based on logs allow for complex logic
across data from multiple sources.

55. HOTSPOT

You create a resource group named RG1 in Azure Resource Manager. You need to prevent the
accidental deletion of the resources in RG1. Which setting should you use? To answer, select
the appropriate setting in the answer area.

Explanation:
You can configure a lock on a resource group to prevent the accidental deletion.

As an administrator, you may need to lock a subscription, resource group, or resource to
prevent other users in your organization from accidentally deleting or modifying critical
resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the
locks are called Delete and Read-only respectively.
– CanNotDelete means authorized users can still read and modify a resource, but they
can’t delete the resource.
– ReadOnly means authorized users can read a resource, but they can’t delete or update
the resource. Applying this lock is similar to restricting all authorized users to the
permissions granted by the Reader role.

56. You have a resource group named RG1.

You need to prevent the creation of virtual machines in RG1. The
solution must ensure that other objects can be created in RG1.
What should you use?

o a lock
o an Azure role
o a tag
o an Azure policy

Explanation:
Azure policies can be used to define requirements for resource properties during
deployment and for already existing resources. Azure Policy controls properties such as
the types or locations of resources.

Azure Policy is a service in Azure that you use to create, assign, and manage policies.
These policies enforce different rules and effects over your resources, so those resources
stay compliant with your corporate standards and service level agreements.

In this question, we would create an Azure policy assigned to the resource group that
denies the creation of virtual machines in the resource group.

You could place a read-only lock on the resource group. However, that would prevent the
creation of any resources in the resource group, not virtual machines only. Therefore, an
Azure Policy is a better solution.

57. You have an Azure subscription and 100 Windows 10 devices.

You need to ensure that only users whose devices have the latest
security patches installed can access Azure Active Directory (Azure AD)-
integrated applications.

What should you implement?

o a conditional access policy
o Azure Bastion
o Azure Firewall
o Azure Policy

58. What can Azure Information Protection encrypt?

o network traffic
o documents and email messages
o an Azure Storage account
o an Azure SQL database

Explanation:
Azure Information Protection can encrypt documents and emails.
Azure Information Protection is a cloud-based solution that helps an organization to
classify and optionally, protect its documents and emails by applying labels. Labels can
be applied automatically by administrators who define rules and conditions, manually by
users, or a combination where users are given recommendations.

The protection technology uses Azure Rights Management (often abbreviated to Azure
RMS). This technology is integrated with other Microsoft cloud services and applications,
such as Office 365 and Azure Active Directory.
This protection technology uses encryption, identity, and authorization policies. Similarly
to the labels that are applied, protection that is applied by using Rights Management
stays with the documents and emails, independently of the location – inside or outside
your organization, networks, file servers, and applications.

59. What should you use to evaluate whether your company’s Azure
environment meets regulatory requirements?

o the Knowledge Center website
o the Advisor blade from the Azure portal
o Compliance Manager from the Service Trust Portal
o the Solutions blade from the Azure portal

Explanation:
Compliance Manager in the Service Trust Portal is a workflow-based risk assessment tool
that helps you track, assign, and verify your organization’s regulatory compliance
activities related to Microsoft Cloud services, such as Microsoft 365, Dynamics 365, and
Azure.

60. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.


61. You have an Azure subscription.

Where will you find details on the personal data collected by Microsoft,
how Microsoft uses the data, and what the data is used for?

o the Data Protection Addendum
o the Microsoft Online Services Terms
o the Microsoft Privacy Statement
o Azure Security Center

62. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

63. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
If the SLA for an Azure service is not met, you receive credits for that service and that
service only. The credits are deducted from your monthly bill for that service. If you
stopped using the service where the SLA was not met, your account would remain in
credit for that service. The credits would not be applied to any other services that you
may be using.
Service Credits apply only to fees paid for the particular Service, Service Resource, or
Service tier for which a Service Level has not been met. In cases where Service Levels
apply to individual Service Resources or to separate Service tiers, Service Credits apply
only to fees paid for the affected Service Resource or Service tier, as applicable. The
Service Credits awarded in any billing month for a particular Service or Service Resource
will not, under any circumstance, exceed your monthly service fees for that Service or
Service Resource, as applicable, in the billing month.

64. Which task can you perform by using Azure Advisor?

o Integrate Active Directory and Azure Active Directory (Azure AD).
o Estimate the costs of an Azure solution.
o Confirm that Azure subscription security follows best practices.
o Evaluate which on-premises resources can be migrated to Azure.

65. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: No
Azure Free Account gives you 12 months access to the most popular free services. It also
gives you a credit (150 GBP or 200 USD) to use on any Azure service for up to 30 days.
Box 2: Yes
All free accounts expire after 12 months.
Box 3: No
You can only create one free Azure account per Microsoft account.

66. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Public Preview means that the service is in public beta and can be tried out by anyone
with an Azure subscription. Services in public preview are often offered at a discount
price.

Box 1: No
Services in private preview can be viewed in the regular Azure portal. However, you need
to be signed up for the feature in private preview before you can view it. Access to
private preview features is usually by invitation only.
Box 2: Yes
You can use services in public preview in production environments. However, you should
be aware that the service may have faults, is not subject to an SLA and may be withdrawn
without notice.
Box 3: No
Public previews are excluded from SLAs and in some cases, no support is offered.

67. Your company has 10 offices. You plan to generate several billing
reports from the Azure portal. Each report will contain the Azure
resource utilization of each office.

Which Azure Resource Manager feature should you use before you
generate the reports?

o tags
o templates
o locks
o policies

Explanation:
You can use resource tags to ‘label’ Azure resources. Tags are metadata elements
attached to resources. Tags consist of pairs of key/value strings. In this question, we
would tag each resource with a tag to identify each office. For example: Location =
Office1. When all Azure resources are tagged, you can generate reports to list all
resources based on the value of the tag. For example: All resources used by Office1.

68. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: No
An Azure free account comes with a ‘basic’ support plan, not a ‘standard’ support plan.
Box 2: Yes
You can purchase the Professional Direct, Standard, and Developer support plans with
the Microsoft Customer Agreement. You can also purchase the Professional and Standard
support plans with the Enterprise Agreement.
Box 3: No
Users with any type of Azure subscription (pay-as-you-go, Enterprise Agreement,
Microsoft Customer Agreement etc.) can get support from the MSDN forums.

69. This question requires that you evaluate the underlined text to
determine if it is correct.

If Microsoft plans to end support for an Azure service that does NOT
have a successor service, Microsoft will provide notification at least 12
months before.

Instructions: Review the underlined text. If it makes the statement
correct, select “No change is needed”. If the statement is incorrect, select
the answer choice that makes the statement correct.

o No change is needed.
o 6 months
o 90 days
o 30 days

Explanation:
The Modern Lifecycle Policy covers products and services that are serviced and
supported continuously. For products governed by the Modern Lifecycle Policy, Microsoft
will provide a minimum of 12 months’ notification prior to ending support if no
successor product or service is offered—excluding free services or preview releases.

70. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: No
You need to be an administrator of the billing account that has the subscription to be able
to transfer the subscription. This could be a Billing Administrator or Global
Administrator. A subscription owner can manage all resources and permissions within
the subscription but cannot transfer ownership of the subscription.
Box 2: Yes
You can convert a free trial subscription to Pay-As-You-Go. This is common practice for
people who wish to continue using the Azure services when the free trial period expires.
Box 3: Yes
You can remove the spending limit, but you can’t increase or decrease it.
The spending limit in Azure prevents spending over your credit amount. All new
customers who sign up for an Azure free account or subscription types that include
credits over multiple months have the spending limit turned on by default. The spending
limit is equal to the amount of credit and it can’t be changed. For example, if you signed
up for Azure free account, your spending limit is $200 and you can’t change it to $500.
However, you can remove the spending limit. So, you either have no limit, or you have a
limit equal to the amount of credit.

71. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: Yes
A reservation is where you commit to pay for a resource (for example a virtual machine)
for one or three years. This gives you a discounted price on the resource for the
reservation period.
Box 2: No
There are other factors that influence the cost of a virtual machine such as the virtual
hard disks attached to the virtual machine. You could have multiple virtual machines
with the same ‘size’ (B2S in this case) but with different virtual hard disk configurations.
Box 3: Yes
When a virtual machine is stopped (deallocated), the virtual machine is
unloaded/dismounted from the physical server in Azure. In this state, you are not
charged for the virtual machine itself. However, you are still charged for the storage costs
of the virtual hard disks attached to the virtual machine.
If the virtual machine is stopped but not deallocated (this happens if you shut down the
virtual machine from the operating system of the virtual machine), the virtual machine is
still mounted on the physical server in Azure and you are charged for the virtual machine
itself as well as the storage costs. To ensure that a virtual machine is ‘stopped
(deallocated)’, you need to stop the virtual machine in the Azure portal.

72. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your company has an Azure subscription that contains the following
unused resources:
– 20 user accounts in Azure Active Directory (Azure AD)
– Five groups in Azure AD
– 10 public IP addresses
– 10 network interfaces

You need to reduce the Azure costs for the company.

Solution: You remove the unused network interfaces.

Does this meet the goal?

o Yes
o No

Explanation:
You are not charged for unused network interfaces. Therefore, deleting unused network
interfaces will not reduce the Azure costs for the company.

73. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your company has an Azure subscription that contains the following
unused resources:

– 20 user accounts in Azure Active Directory (Azure AD)
– Five groups in Azure AD
– 10 public IP addresses
– 10 network interfaces

You need to reduce the Azure costs for the company.

Solution: You remove the unused public IP addresses.

Does this meet the goal?

o Yes
o No

Explanation:
You are charged for public IP addresses. Therefore, deleting unused public IP addresses
will reduce the Azure costs.

74. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your company has an Azure subscription that contains the following
unused resources:

– 20 user accounts in Azure Active Directory (Azure AD)
– Five groups in Azure AD
– 10 public IP addresses
– 10 network interfaces

You need to reduce the Azure costs for the company.

Solution: You remove the unused user accounts.

Does this meet the goal?

o Yes
o No

Explanation:
You are not charged for user accounts. Therefore, deleting unused user accounts will not
reduce the Azure costs for the company.

75. HOTSPOT

How should you calculate the monthly uptime percentage? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Explanation:
“Maximum Available Minutes” is the total accumulated minutes during a billing month.

“Downtime” is the total accumulated minutes that are part of Maximum Available
Minutes where a system is unavailable.

“Monthly Uptime Percentage” for a service is calculated as Maximum Available Minutes
less Downtime, divided by Maximum Available Minutes, multiplied by 100.

Monthly Uptime Percentage is represented by the following formula:
Monthly Uptime % = (Maximum Available Minutes − Downtime) / Maximum Available Minutes × 100

76. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: No
Resource groups are logical containers for Azure resources. You do not pay for resource
groups.
Box 2: No
Data ingress over a VPN is data ‘coming in’ to Azure over the VPN. You are not charged
data transfer costs for data ingress.
Box 3: Yes
Data egress over a VPN is data ‘going out’ of Azure over the VPN. You are charged for data
egress.

77. This question requires that you evaluate the underlined text to
determine if it is correct.

A support plan solution that gives you best practice information, health
status and notifications, and 24/7 access to billing information at the
lowest possible cost is a Standard support plan.

Instructions: Review the underlined text. If it makes the statement
correct, select “No change is needed”. If the statement is incorrect, select
the answer choice that makes the statement correct.

o No change is needed
o Developer
o Basic
o Premier

Explanation:
A Basic support plan provides:
– 24×7 access to billing and subscription support, online self-help, documentation,
whitepapers, and support forums
– Best practices: Access to full set of Azure Advisor recommendations
– Health Status and Notifications: Access to personalized Service Health Dashboard &
Health API

78. In which Azure support plans can you open a new support request?

o Premier and Professional Direct only
o Premier, Professional Direct, and Standard only
o Premier, Professional Direct, Standard, and Developer only
o Premier, Professional Direct, Standard, Developer, and Basic

Explanation:
You can submit support request tickets in the following plans: Premier, Professional
Direct, Standard, Developer, and Basic.

79. This question requires that you evaluate the underlined text to
determine if it is correct.

You can create an Azure support request from support.microsoft.com.

Instructions: Review the underlined text. If it makes the statement
correct, select “No change is needed.” If the statement is incorrect, select
the answer choice that makes the statement correct.

o No change is needed.
o the Azure portal
o the Knowledge Center
o the Security & Compliance admin center

Explanation:
You can create an Azure support request from the Help and Support blade in the Azure
portal or from the context menu of an Azure resource in the Support + Troubleshooting
section.

80. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your company has an Azure subscription that contains the following
unused resources:

– 20 user accounts in Azure Active Directory (Azure AD)
– Five groups in Azure AD
– 10 public IP addresses
– 10 network interfaces

You need to reduce the Azure costs for the company.

Solution: You remove the unused groups.

Does this meet the goal?


o Yes
o No

Explanation:
You are not charged for Azure Active Directory Groups. Therefore, deleting unused
groups will not reduce your Azure costs.

81. This question requires that you evaluate the underlined text to
determine if it is correct.

The Azure Standard support plan is the lowest cost option to receive
24×7 access to support engineers by phone.

Instructions: Review the underlined text. If it makes the statement
correct, select “No change is needed”. If the statement is incorrect, select
the answer choice that makes the statement correct.

o No change is needed
o Developer
o Basic
o Professional Direct

Explanation:
The Basic support plan is free and is therefore the cheapest. The Developer support plan is
the cheapest paid-for support plan. The order of support plans in terms of cost, ranging
from the cheapest to the most expensive, is: Basic, Developer, Standard, Professional Direct,
Premier.

However, 24/7 access to technical support by email and phone is only available for
the Standard, Professional Direct, and Premier plans.

82. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
Preview features are made available to you on the condition that you accept additional
terms which supplement the regular Azure terms. The supplemental terms state:

PREVIEWS ARE PROVIDED “AS-IS,” “WITH ALL FAULTS,” AND “AS AVAILABLE,” AND
ARE EXCLUDED FROM THE SERVICE LEVEL AGREEMENTS AND LIMITED WARRANTY.

83. What is guaranteed in an Azure Service Level Agreement (SLA) for
virtual machines?

o uptime
o feature availability
o bandwidth
o performance

Explanation:
The SLA for virtual machines guarantees ‘uptime’. The amount of uptime guaranteed
depends on factors such as whether the VMs are in an availability set or availability zone
(if there is more than one VM), the distribution of the VMs (if there is more than one), or
the disk type (if it is a single VM).

The SLA for Virtual Machines states:

– For all Virtual Machines that have two or more instances deployed across two or more
Availability Zones in the same Azure region, we guarantee you will have Virtual Machine
Connectivity to at least one instance at least 99.99% of the time.
– For all Virtual Machines that have two or more instances deployed in the same
Availability Set or in the same Dedicated Host Group, we guarantee you will have Virtual
Machine Connectivity to at least one instance at least 99.95% of the time.
– For any Single Instance Virtual Machine using Premium SSD or Ultra Disk for all
Operating System Disks and Data Disks, we guarantee you will have Virtual Machine
Connectivity of at least 99.9%.

84. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
Public Preview means that the service is in public beta and can be tried out by anyone
with an Azure subscription. Services in public preview are often offered at a discount
price.
Public previews are excluded from SLAs and in some cases, no support is offered.

Incorrect Answers:
– Services in private preview are available only to selected people who have signed up to
the private preview program.
– Services in development are not available to the public.
– Services provided under an Enterprise Agreement (EA) subscription are available only
to the subscription owner.

85. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your company plans to purchase an Azure subscription.

The company’s support policy states that the Azure environment must
provide an option to access support engineers by phone or email.

You need to recommend which support plan meets the support policy
requirement.

Solution: Recommend a Basic support plan.

Does this meet the goal?

o Yes
o No

Explanation:
The Basic support plan does not include any technical support from engineers.

Access to Support Engineers via email or phone is available in the following support
plans: Premier, Professional Direct and Standard.

86. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your company plans to purchase an Azure subscription.

The company’s support policy states that the Azure environment must
provide an option to access support engineers by phone or email.

You need to recommend which support plan meets the support policy
requirement.

Solution: Recommend a Standard support plan.

Does this meet the goal?

o Yes
o No

Explanation:
The Standard, Professional Direct, and Premier support plans include technical support
from engineers via email and phone.

87. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your company plans to purchase an Azure subscription.

The company’s support policy states that the Azure environment must
provide an option to access support engineers by phone or email.

You need to recommend which support plan meets the support policy
requirement.

Solution: Recommend a Premier support plan.

Does this meet the goal?

o Yes
o No

Explanation:
The Standard, Professional Direct, and Premier support plans include technical support
from engineers via email and phone.

88. Your company plans to request an architectural review of an Azure
environment from Microsoft. The company currently has a Basic support
plan. You need to recommend a new support plan for the company. The
solution must minimize costs.

Which support plan should you recommend?

o Premier
o Developer
o Professional Direct
o Standard

Explanation:
The Premier support plan provides customer-specific architectural support such as
design reviews, performance tuning, configuration and implementation assistance
delivered by Microsoft Azure technical specialists.

89. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


Explanation:
Box 1: Yes
Most services go to private preview then public preview before being released to general
availability.
The private preview is only available to certain Azure customers for evaluation purposes.
The public preview is available to all Azure customers.
Box 2: No
Azure services in public preview can be managed using the regular management tools:
Azure Portal, Azure CLI and PowerShell.
Box 3: No
Services in private or public preview are usually offered at reduced costs. However, the
costs increase, not decrease, when the services are released to general availability.

90. What is required to use Azure Cost Management?

o a Dev/Test subscription
o Software Assurance
o an Enterprise Agreement (EA)
o a pay-as-you-go subscription

Explanation:
Azure customers with an Azure Enterprise Agreement (EA), Microsoft Customer
Agreement (MCA), or Microsoft Partner Agreement (MPA) can use Azure Cost
Management.

Cost management is the process of effectively planning and controlling costs involved in
your business. Cost management tasks are normally performed by finance, management,
and app teams. Azure Cost Management + Billing helps organizations plan with cost in
mind. It also helps to analyze costs effectively and take action to optimize cloud spending.

91. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
A stopped (deallocated) VM is offline and not mounted on an Azure host server. Starting
a VM mounts the VM on a host server before the VM starts. As soon as the VM is mounted,
it becomes chargeable. For this reason, you are unable to start a VM after a trial has
expired.

Incorrect Answers:
– You are not charged for Azure Active Directory user accounts so you can continue to
create accounts.
– You can access data that is already stored in Azure.
– You can access the Azure Portal. You can also reactivate and upgrade the expired
subscription in the portal.

92. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than
one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review
screen.

Your company plans to purchase an Azure subscription.

The company’s support policy states that the Azure environment must
provide an option to access support engineers by phone or email.

You need to recommend which support plan meets the support policy
requirement.

Solution: Recommend a Professional Direct support plan.

Does this meet the goal?

o Yes
o No

Explanation:
The Basic support plan does not include any technical support from engineers.
The Developer support plan includes technical support from engineers via email only.
The Standard, Professional Direct, and Premier support plans include technical support
from engineers via email and phone.

93. Your company has a Software Assurance agreement that includes
Microsoft SQL Server licenses.

You plan to deploy SQL Server on Azure virtual machines.

What should you do to minimize licensing costs for the deployment?

o Deallocate the virtual machines during off hours.
o Use Azure Hybrid Benefit.
o Configure Azure Cost Management budgets.
o Use Azure reservations.

Explanation:
Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs
of running your workloads in the cloud. It works by letting you use your on-premises
Software Assurance-enabled Windows Server and SQL Server licenses on Azure.

94. Your company has 10 departments.

The company plans to implement an Azure environment.

You need to ensure that each department can use a different payment
option for the Azure services it consumes.

What should you create for each department?

o a reservation
o a subscription
o a resource group
o a container instance

Explanation:
There are different payment options in Azure including pay-as-you-go (PAYG),
Enterprise Agreement (EA), and Microsoft Customer Agreement (MCA) accounts.

Your Azure costs are ‘per subscription’. You are charged monthly for all resources in a
subscription. Therefore, to use different payment options per department, you will need
to create a separate subscription per department. You can create multiple subscriptions
in a single Azure Active Directory tenant.

Incorrect Answers:
A: A reservation is where you commit to a resource (for example a virtual machine) for
one or three years. This gives you a discounted price on the resource for the reservation
period. Reservations do not provide a way to use different payment options per
department.
C: A resource group is a logical container for Azure resources. You can view the total cost
of all the resources in a resource group. However, resource groups do not provide a way
to use different payment options per department.
D: A container instance is an Azure resource used to run an application. Container
instances do not provide a way to use different payment options per department.

95. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: Yes
An Azure free account has a spending limit. This is currently 200 USD or 150 GBP.
Box 2: No
Azure free account has a 5 GB blob storage limit and a 5 GB file storage limit.
Box 3: No
Azure free account has a limit of 10 web, mobile or API apps.

96. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


Explanation:
Box 1: No
Most services go to private preview then public preview before being released to general
availability. The private preview is only available to certain Azure customers for
evaluation purposes.
Box 2: Yes
Public Preview means that the service is in public beta and can be tried out by anyone
with an Azure subscription. Services in public preview are often offered at a discount
price.
Public previews are excluded from SLAs and in some cases, no support is offered.
Box 3: No
An Azure service in general availability is available to all Azure customers, not just a
subset of the customers.

97. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

98. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


99. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
Composite SLAs involve multiple services supporting an application, each with differing
levels of availability. For example, consider an App Service web app that writes to Azure
SQL Database. At the time of this writing, these Azure services have the following SLAs:

App Service web apps = 99.95%
SQL Database = 99.99%

What is the maximum downtime you would expect for this application? If either service
fails, the whole application fails. The probability of each service failing is independent, so
the composite SLA for this application is 99.95% × 99.99% = 99.94%. That’s lower than
the individual SLAs, which isn’t surprising because an application that relies on multiple
services has more potential failure points.

100. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


Explanation:
Box 1: Yes
SLAs vary based on the resource type and the location distribution of the resource.
However, the minimum uptime for all Azure services is 99.9 percent.
Box 2: Yes
The SLA guaranteed uptime is increased (usually to 99.95 percent) when resources are
deployed across multiple regions.
Box 3: No
The number of subscriptions is unrelated to uptime SLAs. You can deploy resources to
multiple regions under a single subscription or you can have multiple subscriptions with
resources deployed to the same region.

101. Which statement accurately describes the Modern Lifecycle Policy
for Azure services?

o Microsoft provides mainstream support for a service for five years.
o Microsoft provides a minimum of 12 months’ notice before ending support
for a service.
o After a service is made generally available, Microsoft provides support for
the service for a minimum of four years.
o When a service is retired, you can purchase extended support for the service
for up to five years.

Explanation:
For products governed by the Modern Lifecycle Policy, Microsoft will provide a minimum
of 12 months’ notification prior to ending support if no successor product or service is
offered – excluding free services or preview releases.

102. HOTSPOT

You need to request that Microsoft increase a subscription quota limit for your company.

Which blade should you use from the Azure portal? To answer, select the appropriate
blade in the answer area.

Explanation:
Request a standard quota increase from Help + support

103. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
Budget alerts notify you when spending, based on usage or cost, reaches or exceeds the
amount defined in the alert condition of the budget. Cost Management budgets are
created using the Azure portal or the Azure Consumption API.

104. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

105. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: Yes
With Azure ExpressRoute, all inbound data transfer is free of charge.
Box 2: No
Inbound data traffic is free but outbound data traffic is not.
Box 3: Yes

106. Your company has an Azure subscription that contains the following
unused resources:

– 20 user accounts in Azure Active Directory (Azure AD)
– Five groups in Azure AD
– 10 public IP addresses
– 10 network interfaces

You need to reduce the Azure costs for the company.

Which unused resources should you remove?

o the network interfaces
o the public IP addresses
o the groups
o the user accounts

Explanation:
You are charged for public IP addresses. Therefore, deleting unused public IP addresses
will reduce the Azure costs.

107. HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Explanation:
When a virtual machine is stopped (deallocated), the virtual machine is
unloaded/dismounted from the physical server in Azure. In this state, you are not
charged for the virtual machine itself. However, you are still charged for the storage costs
of the virtual hard disks attached to the virtual machine.

If the virtual machine is stopped but not deallocated (this happens if you shut down the
virtual machine from the operating system of the virtual machine), the virtual machine is
still mounted on the physical server in Azure and you are charged for the virtual machine
itself as well as the storage costs. To ensure that a virtual machine is ‘stopped
(deallocated)’, you need to stop the virtual machine in the Azure portal.

108. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.

Explanation:
Box 1: No
The price of Azure storage varies by region. If you use the Azure storage pricing page, you
can select different regions and see how the price changes per region.
Box 2: No
You are charged for read and write operations in general-purpose v2 storage accounts.
Box 3: No
You would be charged for the read operations of the source storage account and write
operations in the destination storage account.

109. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


Explanation:
Box 1: Yes
Microsoft guarantees at least 99.9% availability of the Azure Active Directory Premium
edition services. The services are considered available in the following scenarios:
– Users are able to log in to the service, log in to the Access Panel, access applications on
the Access Panel and reset passwords.
– IT administrators are able to create, read, write and delete entries in the directory or
provision or de-provision users to applications in the directory.
Box 2: No
No SLA is provided for the Free tier of Azure Active Directory.
Box 3: Yes
You can claim credit if the availability falls below the SLA. The amount of credit depends
on the availability. For example: You can claim 25% credit if the availability is less than
99.9%, 50% credit for less than 99% and 100% for less than 95% availability.

110. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

NOTE: Each correct selection is worth one point.


Explanation:
Box 1: No
Resource groups are logical containers for Azure resources. You do not pay for resource
groups.
Box 2: No
Data ingress over a VPN is data ‘coming in’ to Azure over the VPN. You are not charged
data transfer costs for data ingress.
Box 3: Yes
Data egress over a VPN is data ‘going out’ of Azure over the VPN. You are charged for data
egress.

111. Who can use the Azure Total Cost of Ownership (TCO) calculator?

o billing readers for an Azure subscription only
o owners for an Azure subscription only
o anyone
o all users who have an account in Azure Active Directory (Azure AD) that is
linked to an Azure subscription only

Explanation:
You don’t need an Azure subscription to work with the TCO Calculator.
