Microsoft AZ-102 Study Guides 2021

NEW QUESTION 1
You plan to grant the member of a new Azure AD group named crop 75099086 the right to delegate administrative access to any resource in the resource group named 7509086.
You need to create the Azure AD group and then to assign the correct to e to the group. The solution must use the principle of least privilege and minimize the number of role assignments.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Click Resource groups from the menu of services to access the Resource Groups blade

Step 2:
Click Add (+) to create a new resource group. The Create Resource Group blade appears. Enter corp7509086 as the Resource group name, and click the Create button.

Step 3: Select Create.
Your group is created and ready for you to add members. Now we need to assign a role to this resource group scope. Step 4:
Choose the newly created Resource group, and Access control (IAM) to see the current list of role assignments at the resource group scope. Click +Add to open the Add permissions pane.

Step 5:
In the Role drop-down list, select a role Delegate administration, and select Assign access to: resource group corp7509086

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal https://www.juniper.net/documentation/en_US/vsrx/topics/task/multi-task/security-vsrx-azuremarketplace- resource-group.html

Case Study: 11
Mix Questions Set E (Security Identities)

NEW QUESTION 2
DRAG DROP
You have an on-premises network that includes a Microsoft SQL Server instance named SQL1. You create an Azure Logic App named App1.
You need to ensure that App1 can query a database on SQL1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation: To access data sources on premises from your logic apps, you can create a data gateway resource in Azure so that your logic apps can use the on-premises connectors.
Box 1: From an on-premises computer, install an on-premises data gateway.
Before you can connect to on-premises data sources from Azure Logic Apps, download and install the on-premises data gateway on a local computer.
Box 2: From the Azure portal, create an on-premises data gateway Create Azure resource for gateway
After you install the gateway on a local computer, you can then create an Azure resource for your gateway. This step also associates your gateway resource with your Azure subscription.
Sign in to the Azure portal. Make sure you use the same Azure work or school email address used to install the gateway.
On the main Azure menu, select Create a resource > Integration > On-premises data gateway.

On the Create connection gateway page, provide this information for your gateway resource.
To add the gateway resource to your Azure dashboard, select Pin to dashboard. When you're done, choose Create.
Box 3: From the Logic Apps Designer in the Azure portal, add a connector
After you create your gateway resource and associate your Azure subscription with this resource, you can now create a connection between your logic app and your on-premises data source by using the gateway.
In the Azure portal, create or open your logic app in the Logic App Designer. Add a connector that supports on-premises connections, for example, SQL Server. Set up your connection.
References:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-connection

NEW QUESTION 3
You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. an XML manifest file
• B. a driveset CSV file
• C. a dataset CSV file
• D. a PowerShell PS1 file
• E. a JSON configuration file

Answer: BC

Explanation: B: Modify the driveset.csv file in the root folder where the tool resides.
C: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries in the dataset.csv file
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-datato- files

NEW QUESTION 4
HOT SPOT
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table.

In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: No
Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration virtual network. VM5 does not belong to the registration virtual network though.
Box 2: No
Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong to a resolution virtual network.
Box 3: Yes
VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone. By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from any of the virtual machines within the registration virtual network.
References: https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

NEW QUESTION 5
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD You need to ensure that Azure can verify the domain name. Which type of DNS record should you create?

• A. PTR
• B. MX
• C. NSEC3
• D. RRSIG

Answer: B

Explanation: To verify your custom domain name (example)
Sign in to the Azure portal using a Global administrator account for the directory. Select Azure Active Directory, and then select Custom domain names.
On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.

References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

NEW QUESTION 6
You have an on-premises network that contains a Hyper-V host named Host1. Host1 runs Windows Server 2021 and hosts 10 virtual machines that run Windows Server 2021.
You plan to replicate the virtual machines to Azure by using Azure Site Recovery. You create a Recovery Services vault named ASR1 and a Hyper-V site named Site1. You need to add Host1 to ASR1.
What should you do?

• A. Download the installation file for the Azure Site Recovery Provide
• B. Download the vault registration key.Install the Azure Site Recovery Provider on Host1 and register the server.
• C. Download the installation file for the Azure Site Recovery Provide
• D. Download the storage account key.Install the Azure Site Recovery Provider on Host1 and register the server.
• E. Download the installation file for the Azure Site Recovery Provide
• F. Download the vault registration key.Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
• G. Download the installation file for the Azure Site Recovery Provide
• H. Download the storage account key.Install the Azure Site Recovery Provider on each virtual machine and register the virtual machine

Answer: A

Explanation: Download the Vault registration key. You need this when you install the Provider. The key is valid for five days after you generate it.
Install the Provider on each VMM server. You don't need to explicitly install anything on Hyper-V hosts.
Incorrect Answers:
B, D: Use the Vault Registration Key, not the storage account key. References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

NEW QUESTION 7
You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?

• A. Azure Active Directory (AD) Identity Protection and an Azure policy
• B. a Recovery Services vault and a backup policy
• C. an Azure Key Vault and an access policy
• D. an Azure Storage account and an access policy

Answer: C

Explanation: You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore the password is never put in plain text in the template parameter file.
References: https://azure.microsoft.com/en-us/resources/templates/101-vm-secure-password/

NEW QUESTION 8
You need to resolve the Active Directory issue. What should you do?

• A. From Active Directory Users and Computers, select the user accounts, and then modify the User PrincipalName value.
• B. Run idfix.exe, and then use the Edit action.
• C. From Active Directory Domains and Trusts, modify the list of UPN suffixes.
• D. From Azure AD Connect, modify the outbound synchronization rul

Answer: B

Explanation: IdFix is used to perform discovery and remediation of identity objects and their attributes in an onpremises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is
intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.
Scenario: Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters. You suspect that some of the characters are unsupported in Azure AD.
References: https://www.microsoft.com/en-us/download/details.aspx?id=36832

NEW QUESTION 9
You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-ofbusiness application that is available 24 hours a day. VM1 has one network interface and one
managed disk. VM1 uses the D4s v3 size.
You plan to make the following changes to VM1: Change the size to D8s v3.
Add a 500-GB managed disk. Add the Puppet Agent extension.
Attach an additional network interface. Which change will cause downtime for VM1?

• A. Add a 500-GB managed disk.
• B. Attach an additional network interface.
• C. Add the Puppet Agent extension.
• D. Change the size to D8s v3.

Answer: D

Explanation: While resizing the VM it must be in a stopped state.
References: https://azure.microsoft.com/en-us/blog/resize-virtual-machines/

NEW QUESTION 10
You have 100 Azure subscriptions. All the subscriptions are associated to the same Azure Active Directory (Azure AD) tenant named contoso.com.
You are a global administrator.
You plan to create a report that lists all the resources across all the subscriptions. You need to ensure that you can view all the resources in all the subscriptions. What should you do?

• A. From the Azure portal, modify the profile settings of your account.
• B. From Windows PowerShell, run the Add-AzureADAdministrativeUnitMember cmdlet.
• C. From Windows PowerShell, run the New-AzureADUserAppRoleAssignment cmdlet.
• D. From the Azure portal, modify the properties of the Azure AD tenan

Answer: C

Explanation: The New-AzureADUserAppRoleAssignment cmdlet assigns a user to an application role in Azure Active Directory (AD). Use it for the application report.
References: https://docs.microsoft.com/en-us/powershell/module/azuread/newazureaduserapproleassignment? view=azureadps-2.0

NEW QUESTION 11
You have an Azure subscription that contains the resources in the following table.

Store1 contains a file share named Data. Data contains 5,000 files.
You need to synchronize the files in Data to an on-premises server named Server1.
Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

• A. Download an automation script.
• B. Create a container instance.
• C. Create a sync group.
• D. Register Server1.
• E. Install the Azure File Sync agent on Server1.

Answer: CDE

Explanation: Step 1 (E): Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2 (D): Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.
Step 3 (C): Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server. References: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deploymentguide

NEW QUESTION 12
HOT SPOT
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table.

VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and Vnet2.
An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.
You need to move the custom application to Vnet2. The solution must minimize administrative effort.
Which two actions should you perform? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: You can move a VM and its associated resources to another resource group using the portal. References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm

NEW QUESTION 13
You have an Azure App Service plan that hosts an Azure App Service named App1.
You configure one production slot and four staging slots for App1.
You need to allocate 10 percent of the traffic to each staging slot and 60 percent of the traffic to the production slot.
What should you add to Appl1?

• A. slots to the Testing in production blade
• B. a performance test
• C. a WebJob
• D. templates to the Automation script blade

Answer: A

Explanation: Besides swapping, deployment slots offer another killer feature: testing in production. Just like the name suggests, using this, you can actually test in production. This means that you can route a specific percentage of user traffic to one or more of your deployment slots.
Example:

References:
https://stackify.com/azure-deployment-slots/

NEW QUESTION 14
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these Questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Resource providers.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 15
You have a public load balancer that balancer ports 80 and 443 across three virtual machines. You need to direct all the Remote Desktop protocol (RDP) to VM3 only.
What should you configure?

• A. an inbound NAT rule
• B. a load public balancing rule
• C. a new public load balancer for VM3
• D. a new IP configuration

Answer: A

Explanation: To port forward traffic to a specific port on specific VMs use an inbound network address translation (NAT) rule.
Incorrect Answers:
B: Load-balancing rule to distribute traffic that arrives at frontend to backend pool instances. References:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

NEW QUESTION 16
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE Each correct selection is worth one point.

• A. Azure Active Directory (AD) Identity Protection and an Azure policy
• B. a Recovery Services vault and a backup policy
• C. an Azure Key Vault and an access policy
• D. an Azure Storage account and an access policy

Answer: BD

Explanation: D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.
B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com
Incorrect Answers:
A: Seamless SSO needs the user's device to be domain-joined, but doesn't need for the device to be Azure AD Joined.
C: Azure AD connect does not port 8080. It uses port 443.
E: Seamless SSO is not applicable to Active Directory Federation Services (ADFS).
Scenario: Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
Planned Azure AD Infrastructure include: The on-premises Active Directory domain will be synchronized to Azure AD.
References: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directoryaadconnect-sso-quick-start

NEW QUESTION 17
Your company has an Azure subscription named Subscription1.
The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2021. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.
You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed: The DNS Manager console
Azure PowerShell Azure CLI 2.0
You need to move the adatum.com zone to Subscription1. The solution must minimize administrative effort.
What should you use?

• A. Azure PowerShell
• B. Azure CLI
• C. the Azure portal
• D. the DNS Manager console

Answer: B

Explanation: Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently supported via Azure PowerShell or the Azure portal. References: https://docs.microsoft.com/en-us/azure/dns/dns-import-export

NEW QUESTION 18
You have an Azure subscription that contains the resources in the following table.

To which subnets can you apply NSG1?

• A. the subnets on VNet2 only
• B. the subnets on VNet1 only
• C. the subnets on VNet2 and VNet3 only
• D. the subnets on VNet1, VNet2, and VNet3
• E. the subnets on VNet3 only

Answer: E

Explanation: All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plandesign- arm

NEW QUESTION 19
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it As a result these questions will not appear in the review screen.
You have an Azure wet) app named Appl. App1 runs in an Azure App Service plan named Plan1. Plan1 is associated to the Free pricing tier.
You discover that App1 stops each day after running continuously for 60 minutes. You need to ensure that App1 can run continuously for the entire day.
Solution: You change the pricing tier of Plan1 to Shared. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: You should switch to the Basic Tier.
The Free Tier provides 60 CPU minutes / day. This explains why App1 is stops. The Shared Tier provides 240 CPU minutes / day. The Basic tier has no such cap.
References:
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/

NEW QUESTION 20
HOT SPOT
You have an Azure subscription named Subscription1.
In Subscription1, you create an Azure file share named share1.
You create a shared access signature (SAS) named SAS1 as shown in the following exhibit.

To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: Will be prompted for credentials
Azure Storage Explorer is a standalone app that enables you to easily work with Azure Storage data on Windows, macOS, and Linux. It is used for connecting to and managing your Azure storage accounts.
Box 2: Will have read, write, and list access
The net use command is used to connect to file shares. References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signaturepart- https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storageexplorer? tabs=windows