- (Exam Topic 5)
You plan to create an Azure environment that will contain a root management group and 10 child management groups. Each child management group will contain five Azure subscriptions. You plan to have between 10 and 30 resource groups in each subscription.
You need to design an Azure governance solution. The solution must meet the following requirements:
• Use Azure Blueprints to control governance across all the subscriptions and resource groups.
• Ensure that Blueprints-based configurations are consistent across all the subscriptions and resource groups.
• Minimize the number of blueprint definitions and assignments.
What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Solution:
* 1. Root management group
* 2. The subscriptions
Reference: https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal
Assign a blueprint
After a blueprint has been published, it can be assigned to a subscription. Assign the blueprint that you created to one of the subscriptions under your management group hierarchy. If the blueprint is saved to a subscription, it can only be assigned to that subscription.
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 5)
You have a multi-tier app named App1 and an Azure SQL database named SQL1. The backend service of App1 writes data to SQL1. Users use the App1 client to read the data from SQL1.
During periods of high utilization the users experience delays retrieving the data. You need to minimize how long it takes for data requests.
What should you include in the solution?
Correct Answer:
D
- (Exam Topic 3)
What should you implement to meet the identity requirements? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Solution:
Requirements: Identity Requirements
Contoso identifies the following requirements for managing Fabrikam access to resources:
Every month, an account manager at Fabrikam must review which Fabrikam users have access permissions to App1. Accounts that no longer need permissions must be removed as guests.
The solution must minimize development effort.
Box 1: The Azure AD Privileged Identity Management (PIM)
When should you use access reviews?
Too many users in privileged roles: It's a good idea to check how many users have administrative access, how many of them are Global Administrators, and if there are any invited guests or partners that have not been removed after being assigned to do an administrative task. You can recertify the role assignment users in Azure AD roles such as Global Administrators, or Azure resources roles such as User Access Administrator in the Azure AD Privileged Identity Management (PIM) experience.
Box 2: Access reviews
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 5)
You plan to migrate data to Azure.
The IT department at your company identifies the following requirements:
The storage must support 1 PB of data.
The data must be stored in blob storage.
The storage must support three levels of subfolders.
The storage must support access control lists (ACLs).
You need to meet the requirements. What should you use?
Correct Answer:
B
Microsoft recommends that you use a GPv2 storage account for most scenarios. It supports up to 5 PB, and blob storage including Data Lake storage.
Note: A key mechanism that allows Azure Data Lake Storage Gen2 to provide file system performance at object storage scale and prices is the addition of a hierarchical namespace. This allows the collection of objects/files within an account to be organized into a hierarchy of directories and nested subdirectories in the same way that the file system on your computer is organized. With a hierarchical namespace enabled, a storage account becomes capable of providing the scalability and cost-effectiveness of object storage, with file system semantics that are familiar to analytics engines and frameworks.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-namespace
- (Exam Topic 1)
You need to configure an Azure policy to ensure that the Azure SQL databases have TDE enabled. The solution must meet the security and compliance requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Solution:
Scenario: All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.
Step 1: Create an Azure policy definition that uses the deployIfNotExists identity.
The first step is to define the roles that deployIfNotExists and modify need in the policy definition to successfully deploy the content of your included template.
Step 2: Create an Azure policy assignment
When creating an assignment using the portal, Azure Policy both generates the managed identity and grants it the roles defined in roleDefinitionIds.
Step 3: Invoke a remediation task
Resources that are non-compliant to a deployIfNotExists or modify policy can be put into a compliant state through Remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the modify operations of the assigned policy on your existing resources and subscriptions, whether that assignment is to a management group, a subscription, a resource group, or an individual resource.
During evaluation, the policy assignment with deployIfNotExists or modify effects determines if there are non-compliant resources or subscriptions. When non-compliant resources or subscriptions are found, the details are provided on the Remediation page.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Does this meet the goal?
Correct Answer:
A