- (Exam Topic 6)
You need to configure Azure Backup to back up the file shares and virtual machines.
What is the minimum number of Recovery Services vaults and backup policies you should create? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Solution:
See the answer as below.


Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Exam Topic 2)
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

1. A. Allow inbound TCP port 8080 to the domain controllers in the Miami office.
2. B. Add http://autogon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office.
3. C. Join the client computers in the Miami office to Azure AD.
4. D. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.
5. E. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.

Correct Answer: BE
B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com
E: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

- (Exam Topic 5)
You have an Azure subscription that contains a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group. What should you do?

1. A. Create a new management group and delegate User1 as the owner of the new management group.
2. B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
3. C. Assign the Owner role for the Azure subscription to User1, and then modify the default conditional access policies.
4. D. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.

Correct Answer: B
The following chart shows the list of roles and the supported actions on management groups.

Note:
Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

- (Exam Topic 4)
You need to add VM1 and VM2 to the backend poo! of LB1. What should you do first?

1. A. Create a new NSG and associate the NSG to VNET1/Subnet1.
2. B. Connect VM2 to VNET1/Subnet1.
3. C. Redeploy VM1 and VM2 to the same availability zone.
4. D. Redeploy VM1 and VM2 to the same availability set.

Correct Answer: C

- (Exam Topic 6)
You have an Azure Active Directory (Azure AD) tenant that has Azure AD Privileged Identity Management configured.
You have 10 users who are assigned the Security Administrator role for the tenant. You need the users to verify whether they still require the Security Administrator role. What should you do?

1. A. From Azure AD Identity Protection, configure a user risk policy.
2. B. From Azure AD Privileged Identity Management, create an access review.
3. C. From Azure AD Identity Protection, configure the Weekly Digest.
4. D. From Azure AD Privileged Identity Management, create a conditional access policy.

Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-securi
To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure AD Privileged Identity Management (PIM) to create access reviews for privileged Azure AD roles. You can also configure recurring access reviews that occur automatically.
Steps:
* 1. Sign in to Azure portal with a user that is a member of the Privileged role administrator role.
* 2. Open Azure AD Privileged Identity Management.
* 3. Select Azure AD roles.
* 4. Under Manage, select Access reviews, and then select New.

References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-securi