- (Exam Topic 5)
A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft Office 365 and an Azure subscription.
Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), and Azure AD Connect
Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.
A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.
You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.
What should you recommend?

1. A. Configure a forest trust between the on-premises Active Directory forests of Contoso and Fabrikam.
2. B. Configure an organization relationship between the Office 365 tenants of Fabrikam and Contoso.
3. C. In the Azure AD tenant of Contoso, use MIM to create guest accounts for the Fabrikam developers.
4. D. Configure an AD FS relying party trust between the fabrikam and Contoso AD FS infrastructures.

Correct Answer: A
Trust configurations - Configure trust from managed forests(s) or domain(s) to the administrative forest
A one-way trust is required from production environment to the admin forest.
Selective authentication should be used to restrict accounts in the admin forest to only logging on to the appropriate production hosts.
References:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access

- (Exam Topic 5)
You are designing an application that will use Azure Linux virtual machines to analyze video files. The files will be uploaded from corporate offices that connect to Azure by using ExpressRoute.
You plan to provision an Azure Storage account to host the files.
You need to ensure that the storage account meets the following requirements:
• Supports video files of up to 7 TB
• Provides the highest availability possible
• Ensures that storage is optimized for the large video files
• Ensures that files from the on-premises network are uploaded by using ExpressRoute
How should you configure the storage account? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Solution:


Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Exam Topic 1)
How should the migrated databases DB1 and DB2 be implemented in Azure?

Solution:
Table Description automatically generated
Box 1: SQL Managed Instance
Scenario: Once migrated to Azure, DB1 and DB2 must meet the following requirements:
Maintain availability if two availability zones in the local Azure region fail.
Fail over automatically.
Minimize I/O latency.
The auto-failover groups feature allows you to manage the replication and failover of a group of databases on a server or all databases in a managed instance to another region. It is a declarative abstraction on top of the existing active geo-replication feature, designed to simplify deployment and management of geo-replicated databases at scale. You can initiate a geo-failover manually or you can delegate it to the Azure service based on a user-defined policy. The latter option allows you to automatically recover multiple related databases in a secondary region after a catastrophic failure or other unplanned event that results in full or partial loss of the SQL Database or SQL Managed Instance availability in the primary region.
Box 2: Business critical
SQL Managed Instance is available in two service tiers:
General purpose: Designed for applications with typical performance and I/O latency requirements. Business critical: Designed for applications with low I/O latency requirements and minimal impact of
underlying maintenance operations on the workload.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/auto-failover-group-overview https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview

Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Exam Topic 5)
Your company has an Azure Web App that runs via the Premium App Service Plan. A development team will be using the Azure Web App. You have to configure the Azure Web app so that it can fulfil the below requirements.
Provide the ability to switch the web app from the current version to a newer version
Provide developers with the ability to test newer versions of the application before the switch to the newer version occurs
Ensure that the application version can be rolled back Minimize downtime
Which of the following can be used for this requirement?

1. A. Create a new App Service Plan
2. B. Make use of deployment slots
3. C. Map a custom domain
4. D. Backup the Azure Web App

Correct Answer: B

- (Exam Topic 5)
You have to deploy an Azure SQL database named db1 for your company. The databases must meet the following security requirements
When IT help desk supervisors query a database table named customers, they must be able to see the full number of each credit card
When IT help desk operators query a database table named customers, they must only see the last four digits of each credit card number
A column named Credit Card rating in the customers table must never appear in plain text in the database system. Only client applications must be able to decrypt the information that is stored in this column
Which of the following can be implemented for the Credit Card rating column security requirement?

1. A. Always Encrypted
2. B. Azure Advanced Threat Protection
3. C. Transparent Data Encryption
4. D. Dynamic Data Masking

Correct Answer: A
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine