- (Exam Topic 3)
You need to design a solution to provide administrators with secure remote access to the virtual machines. The solution must meet the following requirements:
• Prevent the need to enable ports 3389 and 22 from the internet.
• Only provide permission to connect the virtual machines when required.
• Ensure that administrators use the Azure portal to connect to the virtual machines.
Which two actions should you include in the solution? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

1. A. Enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM) roles as virtual machine contributors.
2. B. Configure Azure VPN Gateway.
3. C. Enable Just Enough Administration (JEA).
4. D. Enable just-in-time (JIT) VM access.
5. E. Configure Azure Bastion.

Correct Answer: DE
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/overview?view=powershell-7.2 https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

- (Exam Topic 3)
A customer has a hybrid cloud infrastructure that contains a Microsoft 365 E5 subscription and an Azure subscription.
All the on-premises servers in the perimeter network are prevented from connecting directly to the internet. The customer recently recovered from a ransomware attack.
The customer plans to deploy Microsoft Sentinel.
You need to recommend configurations to meet the following requirements:
• Ensure that the security operations team can access the security logs and the operation logs.
• Ensure that the IT operations team can access only the operations logs, including the event logs of the servers in the perimeter network.
Which two configurations can you include in the recommendation? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

1. A. Configure Azure Active Directory (Azure AD) Conditional Access policies.
2. B. Use the Azure Monitor agent with the multi-homing configuration.
3. C. Implement resource-based role-based access control (RBAC) in Microsoft Sentinel.
4. D. Create a custom collector that uses the Log Analytics agent.

Correct Answer: BC

- (Exam Topic 3)
Your company plans to deploy several Azure App Service web apps. The web apps will be deployed to the West Europe Azure region. The web apps will be accessed only by customers in Europe and the United States.
You need to recommend a solution to prevent malicious bots from scanning the web apps for vulnerabilities. The solution must minimize the attach surface.
What should you include in the recommendation?

1. A. Azure Firewall Premium
2. B. Azure Application Gateway Web Application Firewall (WAF)
3. C. network security groups (NSGs)
4. D. Azure Traffic Manager and application security groups

Correct Answer: D
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/bot-protection

- (Exam Topic 3)
You need to recommend a strategy for routing internet-bound traffic from the landing zones. The solution must meet the landing zone requirements.
What should you recommend as part of the landing zone deployment?

1. A. service chaining
2. B. local network gateways
3. C. forced tunneling
4. D. a VNet-to-VNet connection

Correct Answer: A
https://docs.microsoft.com/en-us/learn/modules/configure-vnet-peering/5-determine-service-chaining-uses

- (Exam Topic 3)
Your company has a hybrid cloud infrastructure.
Data and applications are moved regularly between cloud environments.
The company's on-premises network is managed as shown in the following exhibit.

You are designing security operations to support the hybrid cloud infrastructure. The solution must meet the following requirements:
Govern virtual machines and servers across multiple environments.
Enforce standards for all the resources across all the environment across the Azure policy.
Which two components should you recommend for the on-premises network? Each correct answer presents part of the solution.
NOTE Each correct selection is worth one point.

1. A. Azure VPN Gateway
2. B. guest configuration in Azure Policy
3. C. on-premises data gateway
4. D. Azure Bastion
5. E. Azure Arc

Correct Answer: BE
https://docs.microsoft.com/en-us/azure/governance/machine-configuration/overview