- (Exam Topic 4)
You plan to deploy a custom policy initiative for Microsoft Defender for Cloud. You need to identify all the resource groups that have a Delete lock.
How should you complete the policy definition? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Solution:


Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Exam Topic 4)
You have the hierarchy of Azure resources shown in the following exhibit.

RG1, RG2, and RG3 are resource groups. RG2 contains a virtual machine named VM1.
You assign role-based access control (RBAC) roles to the users shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Solution:


Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Exam Topic 4)
You have an Azure subscription that contains a virtual network. The virtual network contains the subnets shown in the following table.

The subscription contains the virtual machines shown in the following table.

You enable just in time (JIT) VM access for all the virtual machines. You need to identify which virtual machines are protected by JIT. Which virtual machines should you identify?

1. A. VM4 only
2. B. VM1 and VM3 only
3. C. VM1, VM3 and VM4 only
4. D. VM1, VM2, VM3, and VM4

Correct Answer: C
An NSG needs to be enabled, either at the VM level or the subnet level. Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

- (Exam Topic 4)
You have an Azure resource group that contains 100 virtual machines.
You have an initiative named Initiative1 that contains multiple policy definitions. Initiative1 is assigned to the resource group.
You need to identify which resources do NOT match the policy definitions.
What should you do?

1. A. From Azure Security Center, view the Regulatory compliance assessment.
2. B. From the Policy blade of the Azure Active Directory admin center, select Compliance.
3. C. From Azure Security Center, view the Secure Score.
4. D. From the Policy blade of the Azure Active Directory admin center, select Assignments.

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#portal

- (Exam Topic 4)
Lab Task
Task 1
You need to ensure that connections from the Internet to VNET1subnet0 are allowed only over TCP port 7777. The solution must use only currently deployed resources.
Solution:
You need to configure the Network Security Group that is associated with subnet0.
* 1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET1. Alternatively, browse to
Virtual Networks in the left navigation pane.
* 2. In the properties of VNET1, click on Subnets. This will display the subnets in VNET1 and the Network Security Group associated to each subnet. Note the name of the Network Security Group associated to Subnet0.
* 3. Type Network Security Groups into the search box and select the Network Security Group associated with Subnet0.
* 4. In the properties of the Network Security Group, click on Inbound Security Rules.
* 5. Click the Add button to add a new rule.
* 6. In the Source field, select Service Tag.
* 7. In the Source Service Tag field, select Internet.
* 8. Leave the Source port ranges and Destination field as the default values (* and All).
* 9. In the Destination port ranges field, enter 7777.
* 10.Change the Protocol to TCP.
* 11.Leave the Action option as Allow.
* 12.Change the Priority to 100.
* 13. Change the Name from the default Port_8080 to something more descriptive such as Allow_TCP_7777_from_Internet. The name cannot contain spaces.
* 14. Click the Add button to save the new rule.

Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A