104 - Key Points

The document provides an overview of managing Azure DNS, including apex domains, DNS records, and network security groups. It explains the functionality of Azure services like Azure Monitor, Network Watcher, and Recovery Services vault for monitoring, troubleshooting, and data protection. Additionally, it covers Azure Role-Based Access Control (RBAC) and methods for restricting access to Azure Storage accounts.

Verify your global Azure DNS

In a real-world scenario, after you create the public DNS zone, you update the NS records of the domain-
name registrar to delegate the domain to Azure.

Even though we don't have a registered domain, it's still possible to verify that the DNS zone works as
expected by using the nslookup tool.

============================================================
What is an apex domain?
The apex domain is your domain's highest level. In our case, that's wideworldimports.com. The apex
domain is also sometimes referred to as the zone apex or root apex. The @ symbol often represents the
apex domain in your DNS zone records.

If you check the DNS zone for wideworldimports.com, you see that there are two apex domain records:
NS and SOA. The NS and SOA records are automatically created when you created the DNS zone.

CNAME records that you might need for an Azure Traffic Manager profile or Azure Content Delivery
Network endpoints aren't supported at the zone apex level. However, other alias records are supported
at the zone apex level.

============================================================

With network security groups, the connections are stateful. Return traffic is automatically allowed for
the same TCP/UDP session. For example, an inbound rule allowing traffic on port 80 also allows the VM
to respond to the request (typically on an ephemeral port). You don't need a corresponding outbound
rule.
============================================================
Default security rules
The default rules for inbound traffic are:

Priority | Rule name                     | Description
65000    | AllowVnetInbound              | Allow inbound coming from any VM to any VM within the virtual network
65001    | AllowAzureLoadBalancerInbound | Allow traffic from the default load balancer to any VM within the subnet
65500    | DenyAllInBound                | Deny traffic from any external source to any of the VMs

The default rules for outbound traffic are:

Priority | Rule name             | Description
65000    | AllowVnetOutbound     | Allow outbound going from any VM to any VM within the virtual network
65001    | AllowInternetOutbound | Allow outbound traffic going to the internet from any VM
65500    | DenyAllOutBound       | Deny traffic from any internal VM to a system outside the virtual network

============================================================
What is DNS?
DNS, or the Domain Name System, is a protocol within the TCP/IP standard. DNS serves an essential role
of translating the human-readable domain names—for example: www.wideworldimports.com—into a
known IP address. IP addresses enable computers and network devices to identify and route requests
among themselves.
DNS uses a global directory hosted on servers around the world. Microsoft is part of the network that
provides a DNS service through Azure DNS.
A DNS server is also known as a DNS name server, or just a name server.
How does DNS work?
A DNS server carries out one of two primary functions:
- Maintains a local cache of recently accessed or used domain names and their IP addresses. This cache provides a faster response to a local domain lookup request. If the DNS server can't find the requested domain, it passes the request to another DNS server. This process repeats at each DNS server until either a match is made or the search times out.
- Maintains the key-value pair database of IP addresses and any host or subdomain over which the DNS server has authority. This function is often associated with mail, web, and other internet domain services.
============================================================
You can restrict access to many services. Microsoft manages the service tags, meaning you can't create
your own. Some examples of the tags are:
- VirtualNetwork: Represents all virtual network addresses anywhere in Azure, and in your on-premises network if you're using hybrid connectivity.
- AzureLoadBalancer: Denotes Azure's infrastructure load balancer. The tag translates to the virtual IP address of the host (168.63.129.16) where Azure health probes originate.
- Internet: Represents anything outside the virtual network address that's publicly reachable, including resources that have public IP addresses. One such resource is the Web Apps feature of Azure App Service.
- AzureTrafficManager: Represents the IP address for Azure Traffic Manager.
- Storage: Represents the IP address space for Azure Storage. You can specify whether traffic is allowed or denied. You can also specify if access is allowed only to a specific region, but you can't select individual storage accounts.
- SQL: Represents the address for Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure Synapse Analytics services. You can specify whether traffic is allowed or denied, and you can limit to a specific region.
- AppService: Represents address prefixes for Azure App Service.
==============================================================
Remember that the default rules deny all inbound traffic into a virtual network, unless this traffic is
coming from the same virtual network. The Deny All Inbound rule blocked the inbound SSH connections
you just attempted.
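To make the default-rule behaviour and the stateful return-traffic point concrete, here is an added Python model of NSG evaluation (not Azure code and not part of the original notes). It uses the six default rules listed earlier, evaluates rules in ascending priority order, and keeps a session table so that the reply to an allowed inbound port-80 request is permitted without an outbound rule. The VNet address space (10.0.0.0/8), the custom AllowWebInBound rule and all addresses are constructed sample values; the service tags are reduced to simple address sets.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of NSG evaluation (not Azure code). Service tags are
# represented as address sets; the VirtualNetwork range is an assumption.
VNET_ADDRESS_SPACE = [ipaddress.ip_network("10.0.0.0/8")]
SERVICE_TAGS = {
    "VirtualNetwork": VNET_ADDRESS_SPACE,
    # Host virtual IP from which Azure health probes originate (stated in the notes).
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
}


@dataclass
class Rule:
    priority: int
    name: str
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, service tag or "*"
    destination: str  # CIDR, service tag or "*"
    dest_port: str    # single port, "lo-hi" range or "*"


# The six default rules from the notes; the lowest priority number wins.
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInbound", "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInbound", "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule(65500, "DenyAllInBound", "Inbound", "Deny", "*", "*", "*", "*"),
    Rule(65000, "AllowVnetOutbound", "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "AllowInternetOutbound", "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule(65500, "DenyAllOutBound", "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if spec == "Internet":  # everything outside the virtual network address space
        return not any(ip in net for net in VNET_ADDRESS_SPACE)
    if spec in SERVICE_TAGS:
        return any(ip in net for net in SERVICE_TAGS[spec])
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def evaluate(rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule name) of the first matching rule in priority order."""
    candidates = sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority)
    for rule in candidates:
        if rule.protocol not in ("*", protocol):
            continue
        if not (_addr_matches(rule.source, src) and _addr_matches(rule.destination, dst)):
            continue
        if not _port_matches(rule.dest_port, dst_port):
            continue
        return rule.access, rule.name
    return "Deny", "implicit"  # not reached while the default rules are present


class StatefulNsg:
    """Applies custom rules ahead of the defaults and tracks allowed sessions."""

    def __init__(self, custom_rules=()):
        self.rules = list(custom_rules) + DEFAULT_RULES
        self.sessions = set()  # (protocol, src, sport, dst, dport) of allowed flows

    def packet(self, direction, protocol, src, sport, dst, dport):
        # Return traffic of an allowed session never consults the rule list,
        # which is why an inbound port-80 rule needs no outbound counterpart.
        if (protocol, dst, dport, src, sport) in self.sessions:
            return "Allow", "stateful-return"
        access, name = evaluate(self.rules, direction, protocol, src, dst, dport)
        if access == "Allow":
            self.sessions.add((protocol, src, sport, dst, dport))
        return access, name


if __name__ == "__main__":
    # Constructed scenario: one custom rule admitting web traffic from the Internet tag.
    nsg = StatefulNsg([Rule(100, "AllowWebInBound", "Inbound", "Allow", "Tcp", "Internet", "*", "80")])
    print(nsg.packet("Inbound", "Tcp", "203.0.113.7", 51515, "10.0.1.4", 80))   # allowed by AllowWebInBound
    print(nsg.packet("Outbound", "Tcp", "10.0.1.4", 80, "203.0.113.7", 51515))  # reply: stateful-return
    print(nsg.packet("Inbound", "Tcp", "203.0.113.7", 51516, "10.0.1.4", 22))   # SSH: DenyAllInBound
```

The third packet reproduces the situation described above: with no custom rule for port 22, an SSH attempt from outside the virtual network falls through to DenyAllInBound at priority 65500, while the same attempt from a VNet address is admitted by AllowVnetInbound.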
==============================================================
Summary
Your company recently bought the custom domain name wideworldimporters.com from a third-party
domain-name registrar. The domain name is for a new website your organization plans to launch. You
need a hosting service for DNS domains. This hosting service would resolve the wideworldimporters.com
domain to your Azure-based web server's IP address.
Your company wanted to manage all their infrastructure and related domain name information in one
place. You saw how easy it was to manage Domain Name System (DNS) information by using an Azure
DNS zone. First, you created an Azure DNS zone, and then you updated the NS records at your domain
registrar to point at it.
You learned the uses of the different record sets, A, AAAA, CNAME, NS, and SOA. You also learned how
you can use Azure aliases to override the static A/AAAA/CNAME record to provide a dynamic reference
to your resources. Using an Azure DNS zone improved your company's administration of resources,
because your staff only needed one place to manage DNS-related tasks.
The Azure DNS zone allows better control and integration with your Azure resources. It's possible to
achieve some of the more basic record set functions by using the domain registrar's management
console. However, linking to any of your Azure resources becomes difficult or impossible without a high
degree of complex redirection.
By using an Azure DNS zone to host your domain, your organization benefits by having all the resources
managed through a single, common interface. This solution provides better integration with existing
Azure resources, improved security, and monitoring tools.
Azure service endpoints are available for many services, such as:
- Azure Storage.
- Azure SQL Database.
- Azure Cosmos DB.
- Azure Key Vault.
- Azure Service Bus.
- Azure Data Lake.

The backend pool instances can be Azure virtual machines (VMs) or virtual machine scale sets.
==============================================================
To analyze system updates across multiple virtual machines, which feature of Azure Monitor should you
utilize?
Your answer is incorrect
Metrics
Explanation
Metrics in Azure Monitor provide numerical data about the performance of resources, such as CPU
usage, memory usage, and disk I/O. While metrics are useful for monitoring the performance of
individual virtual machines, they may not be the best choice for analyzing system updates across
multiple virtual machines.
Insights
Explanation
Insights in Azure Monitor provide a high-level overview of the health and performance of applications
and resources. While insights can give valuable information about the overall state of your environment,
they may not be the most suitable feature for analyzing system updates across multiple virtual
machines.
Correct answer
Log Analytics
Explanation
Log Analytics in Azure Monitor allows you to collect, analyze, and visualize log and performance data
from multiple sources, including virtual machines. By utilizing Log Analytics, you can track system
updates, identify trends, and troubleshoot issues across multiple virtual machines effectively.
Alerts
Explanation
Alerts in Azure Monitor allow you to set up notifications based on predefined conditions or thresholds.
While alerts are essential for proactively monitoring the health of your resources, they are not
specifically designed for analyzing system updates across multiple virtual machines.
==============================================================
How does Azure Network Watcher support graphical visualizations for networks?
Next hop
Explanation
The Next hop feature in Azure Network Watcher is a diagnostic tool that provides insights into the
routing paths within a network. While it is instrumental in network troubleshooting, it does not offer
graphical visualizations of the network's structure.
Views
Explanation
Views isn't a valid feature of Azure Network Watcher.
Your answer is correct
Topology tool
Explanation
The Topology tool in Azure Network Watcher is a dedicated feature for creating graphical visualizations
of network structures. It displays the network resources and their interconnections, thereby providing a
visual understanding of the network's layout and facilitating efficient network management.
==============================================================

Network Watcher consists of three major sets of tools and capabilities:

- Monitoring
- Network diagnostic tools
- Traffic

Monitoring
Network Watcher offers two monitoring tools that help you view and monitor resources:

- Topology
- Connection monitor

Network diagnostic tools
Network Watcher offers seven network diagnostic tools that help troubleshoot and diagnose network issues:

- IP flow verify
- NSG diagnostics
- Next hop
- Effective security rules
- Connection troubleshoot
- Packet capture
- VPN troubleshoot

Traffic
Network Watcher offers two traffic tools that help you log and visualize network traffic:

- Flow logs
- Traffic analytics
==============================================================
You're planning to safeguard your data against data loss in Azure.
Which of the following would you utilize to store backup data, such as files, folders, and system state?
Azure Storage Account
Explanation
Azure Storage Account is primarily used for storing data objects like blobs, files, queues, tables, and
disks. While it can be used to store backup data, such as files and folders, it is not specifically designed
for data protection and disaster recovery purposes.
Your answer is correct
Recovery Services vault
Explanation
Recovery Services vault is specifically designed for storing backup data, including files, folders, and
system state, to protect against data loss in Azure. It provides features like backup policies, retention
settings, and recovery options to ensure data resilience and availability.
Azure Backup vault
Explanation
A Backup Vault is a specialized storage service in Azure designed to provide backup storage for newer
workloads that Azure Backup now supports. These include Azure Managed Disks, Azure Blob Storage,
and Azure Database for PostgreSQL Servers. It is important to note that a Backup Vault is not a
replacement for the Recovery Services Vault but rather complements it by expanding the range of
supported workloads and providing additional flexibility.
Azure Blob Storage
Explanation
Azure Blob Storage is designed for storing large amounts of unstructured data, such as text or binary
data. While it can be used to store backup data, it lacks the built-in backup and recovery features
provided by the Recovery Services vault for safeguarding data against loss in Azure.
==============================================================

Which of the following statements are true regarding managing licenses in Microsoft Entra ID?
Your selection is correct
Licenses can be assigned to individual users.
Explanation
Licenses can indeed be assigned to individual users in Microsoft Entra ID, allowing organizations to
control access to specific features and services based on user roles and responsibilities.
Your selection is incorrect
Licenses are automatically provisioned when a new user is created.
Explanation
Licenses are not automatically provisioned when a new user is created in Microsoft Entra ID. They
need to be manually assigned by administrators to ensure proper access and compliance.
Your selection is correct
Licenses can be assigned to groups.
Explanation
In Microsoft Entra ID, licenses can be assigned to groups as well, enabling organizations to manage
licenses more efficiently by assigning them to groups of users with similar needs or roles.
Each user can have only one license.
Explanation
Each user in Microsoft Entra ID can have multiple licenses assigned to them, depending on the
services and features they require access to. This flexibility allows organizations to tailor license
assignments to individual user needs.
Resources
Assign or remove licenses
==============================================================
Which of the following is a built-in Azure role that grants full access to manage all resources, but does
not allow you to assign roles in Azure RBAC?
Owner
Explanation
Owner is a built-in Azure role that grants full access to manage all resources in Azure, including the
ability to assign roles in Azure RBAC. This role has the highest level of access and control over Azure
resources.
Your answer is correct
Contributor
Explanation
Contributor is a built-in Azure role that grants full access to manage all resources, but it does not allow
the user to assign roles in Azure RBAC. Users with the Contributor role can create and manage all types
of Azure resources, but they cannot manage access to those resources.
Reader
Explanation
Reader is a built-in Azure role that grants read-only access to view resources in Azure. Users with the
Reader role can view Azure resources but cannot make any changes or modifications to them.
User Access Administrator
Explanation
User Access Administrator is a built-in Azure role that grants the user permissions to manage user access
to Azure resources. This role allows the user to manage access control for resources, but it does not
grant full access to manage all resources like the Contributor role does.
Resources
Azure built-in roles - Azure RBAC
===========================================================
In Azure, Role-Based Access Control (RBAC) can be assigned at various levels.
Which of the following scopes are valid levels for assigning roles in Azure?
Your selection is correct
Resource Group
Explanation
Assigning roles at the Resource Group level in Azure allows for granular control over permissions for a
specific set of resources that are grouped together. This level of scope is beneficial for managing access
to resources that are related to a particular project or team, ensuring that only authorized users have
the necessary permissions.
Correct selection
Management Group
Explanation
Management Groups in Azure serve as containers for organizing and managing resources, subscriptions,
and policies. By assigning roles at the Management Group level, you can establish consistent access
controls and governance practices across multiple subscriptions within the same hierarchy, making it a
valid level for role assignment in Azure.
Your selection is correct
Subscription
Explanation
At the Subscription level in Azure, Role-Based Access Control (RBAC) enables administrators to define
who has access to resources and what actions they can perform within a specific subscription. Assigning
roles at this level ensures that permissions are managed effectively across all resources and services
within the subscription.
Correct selection
Virtual Network
Explanation
While Virtual Networks in Azure play a crucial role in network connectivity and isolation, they are also
valid levels for assigning roles in Role-Based Access Control (RBAC). The resource level is the most
granular scope, referring to an individual resource like a virtual machine, storage account, or database.
Assigning a role at the resource level means the role assignment applies only to that specific resource.
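The two RBAC questions above (which built-in role can manage resources but not assign roles, and which scopes role assignments can be made at) can be checked with a small evaluator. The following Python is an added example, not Azure code or part of the original notes. The role definitions are abbreviated from the built-in Owner, Contributor, Reader and User Access Administrator roles (Actions and NotActions only); the management group, subscription, resource group, resource ids and the principals alice, bob and carol are constructed sample values.

```python
import fnmatch

# Constructed model of Azure RBAC evaluation (not Azure code). Role
# definitions are abbreviated from the built-in roles; scope ids follow the
# Azure resource id layout but are sample values.
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # Authorization writes and deletes are excluded, so Contributor cannot assign roles.
        "NotActions": [
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
}

# Assumed hierarchy: management group mg-prod contains subscription sub1.
MG_OF_SUBSCRIPTION = {
    "/subscriptions/sub1": "/providers/Microsoft.Management/managementGroups/mg-prod",
}
PARENT_MG = {}  # child management group -> parent management group (none assumed)


def _matches(patterns, action):
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role, action):
    """A role grants an action when it matches Actions and none of NotActions."""
    definition = ROLE_DEFINITIONS[role]
    return _matches(definition["Actions"], action) and not _matches(definition["NotActions"], action)


def scope_chain(scope):
    """Scope plus its ancestors: resource -> resource group -> subscription -> management groups."""
    chain = [scope]
    if scope.startswith("/subscriptions/") and "/providers/" in scope:
        scope = scope.split("/providers/")[0]        # resource -> resource group
        chain.append(scope)
    if "/resourceGroups/" in scope:
        scope = scope.split("/resourceGroups/")[0]   # resource group -> subscription
        chain.append(scope)
    mg = MG_OF_SUBSCRIPTION.get(scope)
    while mg:
        chain.append(mg)
        mg = PARENT_MG.get(mg)
    return chain


def effective_role(assignments, principal, action, scope):
    """Return the role of an assignment that grants `action` at `scope`, else None.

    Assignments are inherited downward, so any assignment on an ancestor scope
    counts; a narrower assignment never cancels a broader one.
    """
    ancestors = scope_chain(scope)
    for who, role, assigned_scope in assignments:
        if who == principal and assigned_scope in ancestors and role_permits(role, action):
            return role
    return None


# Constructed assignments for the demonstration.
ASSIGNMENTS = [
    ("alice", "Contributor", "/subscriptions/sub1/resourceGroups/rg1"),
    ("bob", "Reader", "/providers/Microsoft.Management/managementGroups/mg-prod"),
    ("carol", "User Access Administrator", "/subscriptions/sub1"),
]
VM = "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
RG2 = "/subscriptions/sub1/resourceGroups/rg2"

if __name__ == "__main__":
    print(effective_role(ASSIGNMENTS, "alice", "Microsoft.Compute/virtualMachines/write", VM))
    print(effective_role(ASSIGNMENTS, "alice", "Microsoft.Authorization/roleAssignments/write", VM))
    print(effective_role(ASSIGNMENTS, "bob", "Microsoft.Compute/virtualMachines/read", VM))
```

Running the three checks shows Contributor creating a VM in rg1 but being refused Microsoft.Authorization/roleAssignments/write, and Reader on the management group reaching the VM through inheritance via the subscription and resource group.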
==============================================================
Which of the following are valid methods to restrict access to Azure Storage accounts?
Your selection is correct
Configuring a firewall to allow requests from specific IP ranges.
Explanation
Configuring a firewall to allow requests from specific IP ranges is a valid method to restrict access to
Azure Storage accounts. By specifying the IP ranges that are allowed to access the storage account,
unauthorized users or systems outside of the specified ranges will be blocked from accessing the data.
Correct selection
Setting up a virtual network to allow only traffic from within the VNet to access the storage.
Explanation
Setting up a virtual network to allow only traffic from within the VNet to access the storage is an
effective way to restrict access to Azure Storage accounts. By confining access to the storage account to
resources within the virtual network, external entities will be prevented from accessing the data.
Your selection is incorrect
Utilizing Entra ID-based authentication for Azure Files.
Explanation
Utilizing Entra ID-based authentication for Azure Files is NOT a valid method to restrict access to Azure
Storage accounts. While Entra ID-based authentication provides secure access control, it is not
specifically designed to restrict access to storage accounts. Other methods like firewall rules and virtual
network restrictions are more suitable for this purpose.
Creating a new Azure subscription.
Explanation
Creating a new Azure subscription is not a valid method to restrict access to Azure Storage accounts.
Subscriptions are used for organizing and managing resources within Azure, but they do not directly
control access to specific storage accounts. Other methods like firewall rules and virtual network
restrictions should be used for access control.
Resources
Configure Azure Storage firewalls and virtual networks
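The two network-level controls the question treats as valid, IP firewall rules and virtual network rules, are evaluated together with the account's default action and its bypass setting. The Python below is an added example (not Azure code and not from the original notes) that models that decision. Field names follow the storage account networkRuleSet layout (defaultAction, bypass, ipRules, virtualNetworkRules); the subscription, resource group, VNet and subnet ids and all addresses are constructed sample values, and bypass is modelled as a list.

```python
import ipaddress

# Constructed model of a storage account network rule set (not Azure code).
# Ids and addresses are assumed sample values.
NETWORK_RULE_SET = {
    "defaultAction": "Deny",           # block everything the rules below do not allow
    "bypass": ["AzureServices"],        # trusted Microsoft services may still connect
    "ipRules": [{"value": "203.0.113.0/24"}, {"value": "198.51.100.7"}],
    "virtualNetworkRules": [
        {"id": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Network"
               "/virtualNetworks/vnet1/subnets/app"}
    ],
}

# IP rules are for public addresses only; RFC 1918 ranges are not accepted.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_rule_set(rule_set):
    """Reject ipRules that overlap private address space."""
    for rule in rule_set["ipRules"]:
        net = ipaddress.ip_network(rule["value"], strict=False)
        if any(net.overlaps(private) for private in RFC1918):
            raise ValueError(f"ipRules may not contain private ranges: {rule['value']}")
    return True


def decide(rule_set, source_ip=None, subnet_id=None, trusted_service=False):
    """Return (decision, reason) for a request to the storage account.

    source_ip       - public IP the request arrives from (None over a service endpoint)
    subnet_id       - resource id of the VNet subnet when a service endpoint is used
    trusted_service - request comes from a Microsoft service eligible for bypass
    """
    if trusted_service and "AzureServices" in rule_set["bypass"]:
        return "Allow", "bypass:AzureServices"
    if subnet_id is not None:
        for rule in rule_set["virtualNetworkRules"]:
            if rule["id"].lower() == subnet_id.lower():
                return "Allow", f"virtualNetworkRule:{subnet_id.rsplit('/', 1)[-1]}"
    if source_ip is not None:
        ip = ipaddress.ip_address(source_ip)
        for rule in rule_set["ipRules"]:
            if ip in ipaddress.ip_network(rule["value"], strict=False):
                return "Allow", f"ipRule:{rule['value']}"
    return rule_set["defaultAction"], "defaultAction"


if __name__ == "__main__":
    validate_rule_set(NETWORK_RULE_SET)
    print(decide(NETWORK_RULE_SET, source_ip="203.0.113.42"))   # Allow via ipRule
    print(decide(NETWORK_RULE_SET, source_ip="192.0.2.9"))       # Deny via defaultAction
    print(decide(NETWORK_RULE_SET, subnet_id=NETWORK_RULE_SET["virtualNetworkRules"][0]["id"]))
```

The network decision is made before any authentication is considered, which is the distinction the question draws: Entra ID authentication, shared keys and SAS tokens decide who may act on the data, while the rule set decides from where the account can be reached at all.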
=========================================================
When creating and managing Azure file shares, which of the following features are available?
Your selection is correct
Soft delete to recover a deleted share.
Explanation
Soft delete allows you to recover a deleted share within a specified retention period, providing an added
layer of protection against accidental deletions.
Conversion of a file share into a blob container.
Explanation
Conversion of a file share into a blob container is not a feature available when creating and managing
Azure file shares. This functionality is not supported in this context.
Your selection is correct
Creation of snapshots for a point-in-time copy of the file share.
Explanation
Creation of snapshots for a point-in-time copy of the file share enables you to capture the state of the
file share at a specific moment, allowing you to revert back to that state if needed.
Auto-expansion of file shares.
Explanation
Auto-expansion of file shares is not a feature available when creating and managing Azure file shares.
File shares have a fixed size limit that needs to be manually adjusted if more storage space is required.
==========================================================
Which feature in Azure Blob Storage is used to automate the transition of blobs to cooler storage tiers,
archive blobs or delete blobs at the end of their lifecycles?
Azure Blob Storage Soft Delete
Explanation
Azure Blob Storage Soft Delete is a feature that allows you to recover blobs that have been accidentally
deleted within a specified retention period. It is not used to automate the transition of blobs to cooler
storage tiers, archive blobs, or delete blobs at the end of their lifecycles.
Immutable Blob Storage
Explanation
Immutable Blob Storage is a feature that prevents blobs from being modified or deleted for a specified
retention period. It does not automate the transition of blobs to cooler storage tiers, archive blobs, or
delete blobs at the end of their lifecycles.
Azure Blob Versioning
Explanation
Azure Blob Versioning is a feature that allows you to maintain different versions of a blob over time. It
does not automate the transition of blobs to cooler storage tiers, archive blobs, or delete blobs at the
end of their lifecycles.
Your answer is correct
Azure Blob Lifecycle Management
Explanation
Azure Blob Lifecycle Management is the feature in Azure Blob Storage that is used to automate the
transition of blobs to cooler storage tiers, archive blobs, or delete blobs at the end of their lifecycles
based on rules defined by the user. This feature helps optimize storage costs and manage data lifecycle
efficiently.
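As an added illustration of how a lifecycle management rule is applied (this is example code, not Azure code and not part of the original notes), the Python below carries one policy in the lifecycle management rule format (rules, definition, filters, actions, baseBlob, daysAfterModificationGreaterThan) and decides which action a blob is due for. The rule thresholds (30, 90 and 365 days), the logs/ prefix, the blob records and the fixed reference date are constructed; when several actions of one rule apply at once, the evaluator follows the documented precedence of delete over tierToArchive over tierToCool.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy in the lifecycle management rule format (sample values).
POLICY = {
    "rules": [
        {
            "enabled": True,
            "name": "age-out-logs",
            "type": "Lifecycle",
            "definition": {
                "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["logs/"]},
                "actions": {
                    "baseBlob": {
                        "tierToCool": {"daysAfterModificationGreaterThan": 30},
                        "tierToArchive": {"daysAfterModificationGreaterThan": 90},
                        "delete": {"daysAfterModificationGreaterThan": 365},
                    }
                },
            },
        }
    ]
}

# When several actions of one rule apply, the cheapest wins: delete, then archive, then cool.
ACTION_PRECEDENCE = ["delete", "tierToArchive", "tierToCool"]
TIER_OF_ACTION = {"tierToCool": "Cool", "tierToArchive": "Archive"}
TIER_RANK = {"Hot": 0, "Cool": 1, "Archive": 2}

# Fixed reference time so the demonstration is reproducible (constructed).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _rule_applies(rule, blob):
    filters = rule["definition"]["filters"]
    if blob["type"] not in filters["blobTypes"]:
        return False
    prefixes = filters.get("prefixMatch", [])
    return not prefixes or any(blob["name"].startswith(p) for p in prefixes)


def lifecycle_action(policy, blob, now=NOW):
    """Return the action the policy would take on `blob` at time `now`, or None."""
    age_days = (now - blob["last_modified"]).total_seconds() / 86400
    for rule in policy["rules"]:
        if not rule["enabled"] or not _rule_applies(rule, blob):
            continue
        actions = rule["definition"]["actions"].get("baseBlob", {})
        for action in ACTION_PRECEDENCE:
            condition = actions.get(action)
            if condition is None or age_days <= condition["daysAfterModificationGreaterThan"]:
                continue
            if action == "delete":
                return "delete"
            # Tiering only moves a blob to a colder tier; it never re-tiers or warms it up.
            if TIER_RANK[TIER_OF_ACTION[action]] > TIER_RANK[blob["tier"]]:
                return action
    return None


def make_blob(name, days_old, tier="Hot", blob_type="blockBlob", now=NOW):
    """Build a constructed blob record last modified `days_old` days before `now`."""
    return {"name": name, "type": blob_type, "tier": tier,
            "last_modified": now - timedelta(days=days_old)}


if __name__ == "__main__":
    for days in (10, 45, 100, 400):
        print(days, lifecycle_action(POLICY, make_blob("logs/app.log", days)))
    print("already cool:", lifecycle_action(POLICY, make_blob("logs/app.log", 45, tier="Cool")))
    print("other prefix:", lifecycle_action(POLICY, make_blob("images/a.png", 400)))
```

The last two cases show the filter and tier checks doing their work: a blob that is already in the Cool tier is not re-tiered at 45 days, and a blob outside the logs/ prefix is untouched even at 400 days.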
===========================================================
When examining an Azure Resource Manager (ARM) template, which of the following elements can be
commonly found?
Your selection is correct
Resources
Explanation
Resources are a common element found in an Azure Resource Manager (ARM) template. They define
the Azure resources that will be deployed as part of the template, such as virtual machines, storage
accounts, or databases.
Correct selection
Outputs
Explanation
Outputs are another common element found in an ARM template. They define the values that will be
returned after the deployment of the Azure resources specified in the template, such as IP addresses,
connection strings, or resource IDs.
Your selection is incorrect
Dependencies
Explanation
Dependencies are not commonly found as a separate element in an ARM template. Dependencies are
typically defined within the resource definitions to specify the order in which resources should be
deployed or to establish relationships between resources.
Extensions
Explanation
Extensions are not commonly found as a separate element in an ARM template. Extensions are used to
customize the behavior or configuration of specific Azure resources, such as virtual machines or virtual
networks, but they are typically specified within the resource definitions themselves.
Your selection is correct
Variables
Explanation
Variables are a common element found in an ARM template. They allow you to define and reference
values that can be used throughout the template, such as connection strings, passwords, or resource
names. Variables help make the template more dynamic and reusable.
==========================================================
You have successfully deployed resources using an ARM template. Now, you want to use the Bicep
language to manage these resources in the future.
What command do you use to transition from ARM to Bicep?
bicep build
Explanation
The bicep build command is used when you want to see the ARM template JSON that is created from
your Bicep file.
Your answer is incorrect
bicep compile
Explanation
The bicep compile command is used to compile a Bicep file into an ARM template. It is not the correct
command to transition from ARM to Bicep.
bicep version
Explanation
The bicep version command is used to check the version of the Bicep CLI tool installed on your machine.
It is not the correct command to transition from ARM to Bicep.
Correct answer
bicep decompile
Explanation
The bicep decompile command is used to decompile an ARM template into a Bicep file. This is the
correct command to transition from ARM to Bicep as it converts existing ARM templates into Bicep files
for future management.
===========================================================
Important
Azure Resource Manager will only support Transport Layer Security (TLS) 1.2 or later by Fall 2023. For
more information, see Migrating to TLS 1.2 for Azure Resource Manager.
=============================================================
Types of shared access signatures
Azure Storage supports three types of shared access signatures:
- User delegation SAS
- Service SAS
- Account SAS

Type of SAS                                                   | Type of authorization
User delegation SAS (Blob Storage and Data Lake Storage only) | Microsoft Entra ID
Service SAS                                                   | Shared Key
Account SAS                                                   | Shared Key
=============================================================
Standard storage accounts
ZRS is supported for all Azure Storage services through standard general-purpose v2 storage accounts,
including:
- Azure Blob storage (hot and cool block blobs and append blobs, nondisk page blobs)
- Azure Files (all standard tiers: transaction optimized, hot, and cool)
- Azure Table storage
- Azure Queue storage
Premium block blob accounts
ZRS is supported for premium block blobs accounts
Premium file share accounts
ZRS is supported for premium file shares (Azure Files) through the FileStorage storage account kind.
Managed disks
ZRS is supported for managed disks with the following limitations.
Only standard general-purpose v2 storage accounts support GZRS. All Azure Storage services support
GZRS, including:
- Azure Blob storage (hot and cool block blobs, nondisk page blobs)
- Azure Files (all standard tiers: transaction optimized, hot, and cool)
- Azure Table storage
- Azure Queue storage

Note
- Azure Files does not support read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).
=============================================================
Parameter | LRS | ZRS | GRS/RA-GRS | GZRS/RA-GZRS
Percent durability of objects over a given year | at least 99.999999999% (11 9s) | at least 99.9999999999% (12 9s) | at least 99.99999999999999% (16 9s) | at least 99.99999999999999% (16 9s)
Availability for read requests | At least 99.9% (99% for cool/cold/archive access tiers) | At least 99.9% (99% for cool/cold access tier) | At least 99.9% (99% for cool/cold/archive access tiers) for GRS; at least 99.99% (99.9% for cool/cold/archive access tiers) for RA-GRS | At least 99.9% (99% for cool/cold access tier) for GZRS; at least 99.99% (99.9% for cool/cold access tier) for RA-GZRS
Availability for write requests | At least 99.9% (99% for cool/cold/archive access tiers) | At least 99.9% (99% for cool/cold access tier) | At least 99.9% (99% for cool/cold/archive access tiers) | At least 99.9% (99% for cool/cold access tier)
Number of copies of data maintained on separate nodes | Three copies within a single region | Three copies across separate availability zones within a single region | Six copies total, including three in the primary region and three in the secondary region | Six copies total, including three across separate availability zones in the primary region and three locally redundant copies in the secondary region
The following table indicates whether your data is durable and available in a given scenario, depending
on which type of redundancy is in effect for your storage account:
Outage scenario | LRS | ZRS | GRS/RA-GRS | GZRS/RA-GZRS
A node within a data center becomes unavailable | Yes | Yes | Yes | Yes
An entire data center (zonal or nonzonal) becomes unavailable | No | Yes | Yes | Yes
A region-wide outage occurs in the primary region | No | No | Yes | Yes1
Read access to the secondary region is available if the primary region becomes unavailable | No | No | Yes (with RA-GRS) | Yes (with RA-GZRS)

===========================================================
Service | LRS | ZRS | GRS | RA-GRS | GZRS
Blob storage (including Data Lake Storage) | ✅ | ✅ | ✅ | ✅ | ✅
Queue storage | ✅ | ✅ | ✅ | ✅ | ✅
Table storage | ✅ | ✅ | ✅ | ✅ | ✅
Azure Files | ✅1,2 | ✅1,2 | ✅1 | | ✅1
Azure managed disks | ✅ | ✅3 | | |
Azure Elastic SAN | ✅ | ✅ | | |

1 Standard file shares are supported on LRS and ZRS. Standard file shares are supported on GRS and GZRS as long as they're less than or equal to 5 TiB in size.
2 Premium file shares are supported on LRS and ZRS.
3 ZRS managed disks have certain limitations. See the Limitations section of the redundancy options for managed disks article for details.
========================================================
Supported storage account types
The following table shows which redundancy options are supported for each type of storage account.
For information for storage account types, see Storage account overview.
Storage account types | LRS | ZRS | GRS/RA-GRS | GZRS/RA-GZRS
Recommended | Standard general-purpose v2 (StorageV2)1; Premium block blobs (BlockBlobStorage)1; Premium file shares (FileStorage); Premium page blobs (StorageV2) | Standard general-purpose v2 (StorageV2)1; Premium block blobs (BlockBlobStorage)1; Premium file shares (FileStorage) | Standard general-purpose v2 (StorageV2)1 | Standard general-purpose v2 (StorageV2)1
Legacy | Standard general-purpose v1 (Storage); Legacy blob (BlobStorage) | N/A | Standard general-purpose v1 (Storage); Legacy blob (BlobStorage) | N/A

1 Accounts of this type with a hierarchical namespace enabled also support the specified redundancy option.
All data for all storage accounts is copied from the primary to the secondary according to the
redundancy option for the storage account. Objects including block blobs, append blobs, page blobs,
queues, tables, and files are copied.
Data in all tiers, including the archive tier, is always copied from the primary to the secondary during
geo-replication. The archive tier for Blob Storage is currently supported for LRS, GRS, and RA-GRS
accounts, but not for ZRS, GZRS, or RA-GZRS accounts. For more information about blob tiers, see Access
tiers for blob data.
Unmanaged disks don't support ZRS or GZRS.
For pricing information for each redundancy option, see Azure Storage pricing.
Note
Block blob storage accounts support locally redundant storage (LRS) and zone redundant storage (ZRS)
in certain regions.
==============================================================
Important
You can use blob soft delete only to restore an individual blob, snapshot, directory (in a hierarchical
namespace) or version. To restore a container and its contents, container soft delete must also be
enabled for the storage account. Microsoft recommends enabling container soft delete and blob
versioning together with blob soft delete to ensure complete protection for blob data. For more
information, see Data protection overview.
Blob soft delete does not protect against the deletion of a storage account. To protect a storage account
from deletion, configure a lock on the storage account resource. For more information about locking a
storage account, see Apply an Azure Resource Manager lock to a storage account.
==============================================================
File share type                               SMB   NFS
Standard file shares (GPv2), LRS/ZRS          Yes   No
Standard file shares (GPv2), GRS/GZRS         Yes   No
Premium file shares (FileStorage), LRS/ZRS    Yes   Yes
=============================================================
Term or concept: Description
Identity: A thing that can get authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates.
Account: An identity that has data associated with it. You can't have an account without an identity.
Microsoft Entra account: An identity created through Microsoft Entra ID or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Microsoft Entra ID and accessible to your organization's cloud service subscriptions. This account is also sometimes called a Work or school account.
Account Administrator: This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles.
Service Administrator: This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles.
Owner: This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles.
Microsoft Entra Global Administrator: This administrator role is automatically assigned to whomever created the Microsoft Entra tenant. You can have multiple accounts with this role; administrator roles can be assigned to users by anyone holding at least the Privileged Role Administrator role. For more information about the various administrator roles, see Administrator role permissions in Microsoft Entra ID.
Azure subscription: Used to pay for Azure cloud services. You can have many subscriptions, and they're linked to a credit card.
Tenant: A dedicated and trusted instance of Microsoft Entra ID. The tenant is automatically created when your organization signs up for a Microsoft cloud service subscription. These subscriptions include Microsoft Azure, Microsoft Intune, or Microsoft 365. This tenant represents a single organization and is intended for managing your employees, business apps, and other internal resources. For this reason, it's considered a workforce tenant configuration. By contrast, you can create a tenant in an external configuration, which is used in customer identity and access management (CIAM) solutions for your consumer-facing apps (learn more about Microsoft Entra External ID).
Single tenant: Azure tenants that access other services in a dedicated environment are considered single tenant.
Multitenant: Azure tenants that access other services in a shared environment, across multiple organizations, are considered multitenant.
Microsoft Entra directory: Each Azure tenant has a dedicated and trusted Microsoft Entra directory. The Microsoft Entra directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.
Custom domain name: Every new Microsoft Entra directory comes with an initial domain name, for example domainname.onmicrosoft.com. In addition to that initial name, you can also add your organization's domain names to the list: the names you use to do business and that your users use to access your organization's resources. Adding custom domain names helps you create user names that are familiar to your users, such as an address at your own domain.
Microsoft account (also called MSA): Personal accounts that provide access to your consumer-oriented Microsoft products and cloud services. These products and services include Outlook, OneDrive, Xbox LIVE, or Microsoft 365. Your Microsoft account is created and stored in the Microsoft consumer identity account system that's run by Microsoft.
============================================================
Which features work in Microsoft Entra ID?
After you choose your Microsoft Entra ID license, you'll get access to some or all of the following features:
Category: Description
Application management: Manage your cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal, and Software as a Service (SaaS) apps. For more information, see How to provide secure remote access to on-premises applications and Application Management documentation.
Authentication: Manage Microsoft Entra self-service password reset, Multifactor Authentication, custom banned password list, and smart lockout. For more information, see Microsoft Entra authentication documentation.
Microsoft Entra ID for developers: Build apps that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs. For more information, see Microsoft identity platform (Microsoft Entra ID for developers).
Business-to-Business (B2B): Manage your guest users and external partners, while maintaining control over your own corporate data. For more information, see Microsoft Entra B2B documentation.
Business-to-Customer (B2C): Customize and control how users sign up, sign in, and manage their profiles when using your apps. For more information, see Azure Active Directory B2C documentation.
Conditional Access: Manage access to your cloud apps. For more information, see Microsoft Entra Conditional Access documentation.
Device Management: Manage how your cloud or on-premises devices access your corporate data. For more information, see Microsoft Entra Device Management documentation.
Domain services: Join Azure virtual machines to a domain without using domain controllers. For more information, see Microsoft Entra Domain Services documentation.
Enterprise users: Manage license assignments, access to apps, and set up delegates using groups and administrator roles. For more information, see Microsoft Entra user management documentation.
Hybrid identity: Use Microsoft Entra Connect and Connect Health to provide a single user identity for authentication and authorization to all resources, regardless of location (cloud or on-premises). For more information, see Hybrid identity documentation.
Identity governance: Microsoft Entra ID P2 includes basic capabilities for privileged identity management (PIM), access reviews and entitlement management. Microsoft Entra ID Governance customers can manage their organization's identities and access through comprehensive employee, business partner, vendor, service, and app controls. For more information, see Microsoft Entra ID Governance documentation and features by license.
Microsoft Entra ID Protection: Detect potential vulnerabilities affecting your organization's identities, configure policies to respond to suspicious actions, and then take appropriate action to resolve them. For more information, see Microsoft Entra ID Protection.
Managed identities for Azure resources: Provide your Azure services with an automatically managed identity in Microsoft Entra ID that can authenticate to any service that supports Microsoft Entra authentication, including Key Vault. For more information, see What is managed identities for Azure resources?.
Privileged identity management (PIM): Manage, control, and monitor access within your organization. This feature includes access to resources in Microsoft Entra ID and Azure, and other Microsoft Online Services, like Microsoft 365 or Intune. For more information, see Microsoft Entra Privileged Identity Management.
Monitoring and health: Gain insights into the security and usage patterns in your environment. For more information, see Microsoft Entra monitoring and health.
Workload identities: Give an identity to your software workload (such as an application, service, script, or container) to authenticate and access other services and resources. For more information, see the workload identities FAQ.
========================================================
Azure Blob Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle.
With the lifecycle management policy, you can:
- Transition current versions of a blob, previous versions of a blob, or blob snapshots to a cooler storage tier if these objects haven't been accessed or modified for a period of time, to optimize for cost.
- Transition blobs back from cool to hot immediately when they're accessed.
- Delete current versions of a blob, previous versions of a blob, or blob snapshots at the end of their lifecycles.
- Apply rules to an entire storage account, to select containers, or to a subset of blobs using name prefixes or blob index tags as filters.
Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts. Lifecycle management doesn't affect system containers such as the $logs or $web containers.
==============================================================
A template has the following elements:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "languageVersion": "",
  "contentVersion": "",
  "apiProfile": "",
  "definitions": { },
  "parameters": { },
  "variables": { },
  "functions": [ ],
  "resources": [ ], /* or "resources": { } with languageVersion 2.0 */
  "outputs": { }
}
============================================================
You're tasked with setting up a storage account firewall to restrict access to the storage services.
Which of the following options can be implemented to grant specific access?
Your selection is correct
By allowing access from specific public IP addresses or IP ranges.
Explanation
Allowing access from specific public IP addresses or IP ranges is a valid method to restrict access to the
storage services by only allowing connections from designated sources. This helps enhance security by
limiting access to authorized entities.
By enabling all networks to have access.
Explanation
Enabling all networks to have access would defeat the purpose of setting up a storage account firewall
to restrict access. It would open up the storage services to potentially unauthorized users or entities,
compromising security.
Your selection is correct
By allowing access from specific Azure virtual networks (VNets).
Explanation
Allowing access from specific Azure virtual networks (VNets) is a secure way to restrict access to the
storage services to only those within the specified virtual networks. This helps ensure that only
approved networks can connect to the storage account.
By providing a list of resource group names.
Explanation
Providing a list of resource group names is not a valid method for setting up a storage account firewall to
restrict access. Resource groups are logical containers for resources in Azure and do not directly control
access to storage services.
=========================================================
You are managing data between two storage accounts and have just set up object replication between them. You notice that some blobs that existed before replication was enabled haven't been replicated.
What steps should you consider next? (Choose two)
Disabling and Re-enabling Replication
Explanation
Disabling and re-enabling replication may not necessarily resolve the issue of missing blobs that existed
before enabling replication. It is not a recommended step as it may disrupt the replication process and
potentially cause further issues.
Your selection is correct
Use Azure Storage Explorer to manually copy the missing blobs.
Explanation
Using Azure Storage Explorer to manually copy the missing blobs is a valid step to consider. This allows
you to ensure that all necessary blobs are replicated between the source and destination storage
accounts, filling in any gaps that may have occurred during the initial replication setup.
Your selection is correct
Use AzCopy to copy the pre-existing blobs between the source and destination.
Explanation
Using AzCopy to copy the pre-existing blobs between the source and destination storage accounts is a
recommended step to ensure that all blobs are replicated correctly. This allows you to manually transfer
any missing blobs and synchronize the data between the two accounts.
Changing Blob Types
Explanation
Changing blob types is not directly related to resolving the issue of missing blobs during replication. It is
more focused on the configuration and management of blob storage properties rather than addressing
replication discrepancies.
=========================================================
You are responsible for ensuring data resilience for a set of files hosted on an Azure file share. A user
accidentally deleted a critical file, and you need to recover it.
Which of the following would best facilitate file recovery?
Your answer is correct
Soft delete on Azure Files
Explanation
Soft delete on Azure Files enables you to recover files that have been accidentally deleted within a
specified retention period. It acts as a recycle bin for the file share, allowing you to easily restore deleted
files without the need for a separate backup or snapshot.
Azure File share backup
Explanation
Azure File share backup is a valid option for file recovery, but it is not the best choice in this scenario.
While backups can help recover files, soft delete on Azure Files provides a more immediate and efficient
way to restore accidentally deleted files without the need to restore from a backup.
Azure File Sync
Explanation
Azure File Sync is a service that synchronizes files between on-premises servers and Azure file shares.
While it can help with data synchronization and replication, it is not specifically designed for file
recovery purposes. Soft delete on Azure Files is a more suitable option for facilitating file recovery in this
scenario.
Azure Blob Storage versioning
Explanation
Azure Blob Storage versioning is not directly related to file recovery on Azure Files. While versioning can
help maintain different versions of files in Blob Storage, it is not the most suitable option for facilitating
file recovery on an Azure file share. Soft delete on Azure Files is a more appropriate choice for this
scenario.
=======================================================
A company wishes to optimize its costs related to Blob Storage. They have a mix of frequently accessed
data, data that's accessed occasionally, and archives. They also want data that hasn't been accessed for
180 days to be deleted automatically.
Which actions should the company take? (Choose three)
Your selection is correct
Set infrequently accessed blobs to the "Cool" access tier.
Explanation
Setting infrequently accessed blobs to the "Cool" access tier is a cost-effective option as it offers lower
storage costs compared to the "Hot" access tier while still allowing relatively fast access to the data
when needed.
Set archives to "Premium" access tier.
Explanation
Setting archives to a "Premium" tier is not a recommended action, and "Premium" is not an access tier at all: it is the performance tier of premium block blob storage accounts, which are built for high-throughput, low-latency workloads where cost optimization is not the primary concern and which do not support Hot/Cool/Archive tiering. Archives belong in the "Archive" access tier, which offers the lowest storage cost for data that is rarely accessed and can tolerate a rehydration delay of hours before it can be read.
Your selection is correct
Configure a lifecycle management policy to delete blobs that haven't been accessed in 180 days.
Explanation
Configuring a lifecycle management policy to delete blobs that haven't been accessed in 180 days is a proactive cost-saving measure. By automatically deleting unused data, the company avoids unnecessary storage costs and keeps its Blob Storage organized. Note that a rule based on last access time (daysAfterLastAccessTimeGreaterThan) only works once last access time tracking is enabled on the storage account; without it, rules can only key on the last modification time.
Your selection is correct
Use the "Hot" access tier for frequently accessed data.
Explanation
Using the "Hot" access tier for frequently accessed data ensures that the data is readily available for
immediate access without any retrieval delays. This tier is suitable for data that requires frequent access
and is a good choice for optimizing performance for frequently accessed data.
Only use the Hot Access tier.
Explanation
Only using the Hot Access tier may not be the most cost-effective approach for the company's storage
needs. By utilizing different access tiers based on the data's access patterns, the company can optimize
costs while still ensuring efficient access to their data.
=====================================================
The reference [parameters('location')] in an Azure Resource Manager (ARM) template reads the value of the template parameter named location, which identifies the region where the resources will be deployed. Parameter values are resolved before any deployment operation starts, so the same template can be reused across environments simply by supplying a different value for location. Like every parameter in an ARM template, location must declare one of the supported data types (string, securestring, int, bool, object, secureobject or array); for a location it is a string. Its default value is commonly set to [resourceGroup().location], the location of the resource group the template is deployed into, so that resources land alongside the group unless the caller overrides them.
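The following Python is an added example (not Microsoft's deployment engine and not code from the page) that ties the template element list above to the parameter discussion: it checks a template's top-level elements against that list, validates each parameter's declared type and allowedValues, resolves [parameters('...')] and the [resourceGroup().location] default the way Resource Manager does before deployment, and shows the resources as they would be submitted. The template, resource group and parameter values are constructed for the walk-through; real templates contain many more expression types than the two handled here.

```python
"""Added example: a minimal model of ARM parameter resolution. Handles only
[parameters('name')] and a [resourceGroup().location] default; everything
else about template expressions is out of scope.
"""
import json
import re

KNOWN_ELEMENTS = {"$schema", "languageVersion", "contentVersion", "apiProfile",
                  "definitions", "parameters", "variables", "functions",
                  "resources", "outputs"}
PY_TYPES = {"string": str, "securestring": str, "int": int, "bool": bool,
            "object": dict, "secureobject": dict, "array": list}

_PARAM = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_RG_LOC = "[resourceGroup().location]"


def check_template(template: dict) -> None:
    """Reject unknown top-level elements and missing required ones."""
    unknown = set(template) - KNOWN_ELEMENTS
    if unknown:
        raise ValueError(f"unknown top-level elements: {sorted(unknown)}")
    for required in ("$schema", "contentVersion", "resources"):
        if required not in template:
            raise ValueError(f"missing required element {required}")


def resolve_parameters(template: dict, supplied: dict, resource_group: dict) -> dict:
    """Final parameter values: supplied value, else defaultValue, else an error."""
    check_template(template)
    values = {}
    for name, decl in template.get("parameters", {}).items():
        ptype = decl["type"].lower()
        if ptype not in PY_TYPES:
            raise ValueError(f"parameter {name}: unsupported type {decl['type']}")
        if name in supplied:
            value = supplied[name]
        elif "defaultValue" in decl:
            value = decl["defaultValue"]
            if value == _RG_LOC:                  # resolved from the target resource group
                value = resource_group["location"]
        else:
            raise ValueError(f"parameter {name} has no value and no defaultValue")
        if not isinstance(value, PY_TYPES[ptype]) or (ptype == "int" and isinstance(value, bool)):
            raise TypeError(f"parameter {name}: expected {decl['type']}, got {type(value).__name__}")
        if "allowedValues" in decl and value not in decl["allowedValues"]:
            raise ValueError(f"parameter {name}: {value!r} not in allowedValues")
        values[name] = value
    return values


def expand(value, params: dict):
    """Replace [parameters('x')] references inside resource definitions."""
    if isinstance(value, str):
        m = _PARAM.match(value)
        return params[m.group(1)] if m else value
    if isinstance(value, dict):
        return {k: expand(v, params) for k, v in value.items()}
    if isinstance(value, list):
        return [expand(v, params) for v in value]
    return value


# Constructed template: a storage account whose location defaults to the resource group's.
TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
    "storageAccountName": {"type": "string"},
    "skuName": {"type": "string", "defaultValue": "Standard_LRS",
                "allowedValues": ["Standard_LRS", "Standard_ZRS", "Standard_GRS"]}
  },
  "resources": [{
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2023-01-01",
    "name": "[parameters('storageAccountName')]",
    "location": "[parameters('location')]",
    "sku": {"name": "[parameters('skuName')]"},
    "kind": "StorageV2"
  }]
}
""")
RESOURCE_GROUP = {"name": "rg-demo", "location": "westeurope"}   # constructed target group


def deploy_preview(supplied: dict) -> list:
    """Resources as they would be submitted, with every parameter resolved."""
    params = resolve_parameters(TEMPLATE, supplied, RESOURCE_GROUP)
    return expand(TEMPLATE["resources"], params)


def rejection(supplied: dict) -> str:
    """Name of the error a bad parameter set produces, or '' if accepted."""
    try:
        deploy_preview(supplied)
    except (ValueError, TypeError) as exc:
        return type(exc).__name__
    return ""


if __name__ == "__main__":
    print(json.dumps(deploy_preview({"storageAccountName": "stdemo001"}), indent=2))
    print(json.dumps(deploy_preview({"storageAccountName": "stdemo001", "location": "eastus"}), indent=2))
```

Running it without a location yields westeurope (inherited from the resource group), while passing location explicitly overrides the default; a missing required parameter, a wrongly typed value, or a SKU outside allowedValues is rejected before any resource is touched, which is exactly the property the text relies on when it says values are resolved before deployment starts.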
==============================================================
Storage accounts have a public endpoint that's accessible through the internet. You can also
create private endpoints for your storage account. Creating private endpoints assigns a private IP
address from your virtual network to the storage account. It helps secure traffic between your virtual
network and the storage account over a private link.
==========================================================
The Azure Storage firewall provides access control for the public endpoint of your storage account. You
can also use the firewall to block all access through the public endpoint when you're using private
endpoints. Your firewall configuration also enables trusted Azure platform services to access the storage
account.
An application that accesses a storage account when network rules are in effect still requires proper
authorization for the request. Authorization is supported with Microsoft Entra credentials for blobs,
tables, file shares and queues, with a valid account access key, or with a shared access signature (SAS)
token. When you configure a blob container for anonymous access, requests to read data in that
container don't need to be authorized. The firewall rules remain in effect and will block anonymous
traffic.
Turning on firewall rules for your storage account blocks incoming requests for data by default, unless
the requests originate from a service that operates within an Azure virtual network or from allowed
public IP addresses. Requests that are blocked include those from other Azure services, from the Azure
portal, and from logging and metrics services.
You can grant access to Azure services that operate from within a virtual network by allowing traffic from the subnet that hosts the service instance. You can also enable a limited number of scenarios through the firewall's exceptions, such as the bypass for trusted Azure services. To access data from the storage account through the Azure portal, you need to be on a machine within the trusted boundary (either IP or virtual network) that you set up.
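To make the decision order in this section and in the storage firewall question above concrete, here is an added Python model (not Microsoft's implementation and not code from the page) of a storage account's network rules followed by the authorization check. It builds the networkAcls block with the real property names (publicNetworkAccess, defaultAction, bypass, ipRules, virtualNetworkRules), rejects private IP ranges in IP rules as the service does, and then evaluates constructed requests: traffic over a private endpoint bypasses the public-endpoint firewall entirely, disabling public network access blocks even trusted services, an allowed subnet or public IP gets through but still needs authorization, and anonymous container access does not waive the firewall. The subscription ID, subnet ID and addresses are constructed.

```python
"""Added example: model the Azure Storage firewall decision for a request,
then the separate authorization step. Not Azure code; property names mirror
the storage account networkAcls settings, values are constructed.
"""
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def network_acls(default_action: str = "Deny", ip_rules=(), subnet_ids=(),
                 bypass=("AzureServices",), public_network_access: str = "Enabled") -> dict:
    """Build the firewall settings. IP rules take public IPv4 ranges only."""
    rules = []
    for cidr in ip_rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4 or any(net.subnet_of(p) for p in PRIVATE_RANGES):
            raise ValueError(f"{cidr}: IP rules accept public IPv4 addresses or ranges only")
        rules.append({"value": str(net), "action": "Allow"})
    return {
        "publicNetworkAccess": public_network_access,
        "networkAcls": {
            "defaultAction": default_action,
            "bypass": ",".join(bypass) if bypass else "None",
            "ipRules": rules,
            "virtualNetworkRules": [{"id": s, "action": "Allow"} for s in subnet_ids],
        },
    }


def network_decision(acl: dict, request: dict) -> str:
    """'allow' or 'deny' for the network stage only.

    request keys: via ('public' or 'private-endpoint'), source_ip, subnet_id,
    trusted_service (bool). Resource group membership is not a dimension here,
    which is why it is not a valid firewall rule.
    """
    if request.get("via") == "private-endpoint":
        return "allow"      # private link traffic never reaches the public-endpoint firewall
    if acl["publicNetworkAccess"] != "Enabled":
        return "deny"       # public endpoint switched off: nothing gets through, trusted or not
    rules = acl["networkAcls"]
    if rules["defaultAction"] == "Allow":
        return "allow"      # "all networks": the firewall is effectively off
    if request.get("trusted_service") and "AzureServices" in rules["bypass"]:
        return "allow"
    if request.get("subnet_id") in {r["id"] for r in rules["virtualNetworkRules"]}:
        return "allow"
    if "source_ip" in request:
        ip = ipaddress.ip_address(request["source_ip"])
        if any(ip in ipaddress.ip_network(r["value"]) for r in rules["ipRules"]):
            return "allow"
    return "deny"


def decide(acl: dict, request: dict, anonymous_container: bool = False) -> str:
    """Network rules first, then authorization (Entra, account key or SAS).

    Anonymous container access waives authorization only; it never waives
    the firewall.
    """
    if network_decision(acl, request) == "deny":
        return "blocked-by-firewall"
    if request.get("auth") in ("entra", "account-key", "sas") or anonymous_container:
        return "allowed"
    return "unauthorized"


# Constructed configuration: one public range and one subnet allowed, default deny.
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/"
          "providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-web")
ACL = network_acls(ip_rules=["203.0.113.0/24"], subnet_ids=[SUBNET])

if __name__ == "__main__":
    for req in ({"via": "public", "source_ip": "203.0.113.7", "auth": "entra"},
                {"via": "public", "source_ip": "198.51.100.9", "auth": "entra"},
                {"via": "public", "subnet_id": SUBNET},
                {"via": "private-endpoint", "source_ip": "10.0.1.4", "auth": "sas"}):
        print(req, "->", decide(ACL, req))
```

The "unauthorized" outcome for the allowed subnet with no credential is the point of the second paragraph above: passing the firewall gets a request to the endpoint, and only a valid Entra token, account key or SAS gets it any data.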