- (Exam Topic 4)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy initiative and assignments that are scoped to resource groups. Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: B
Instead use a management group.
Management groups in Microsoft Azure solve the problem of needing to impose governance policy on more than one Azure subscription simultaneously.
Reference:
https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-managementgroups

- (Exam Topic 4)
You have an Azure subscription that contains the resources shown in the following table.

You need to ensure that ServerAdmins can perform the following tasks:
Create virtual machines in RG1 only.
Connect the virtual machines to the existing virtual networks in RG2 only.
The solution must use the principle of least privilege.
Which two role-based access control (RBAC) roles should you assign to ServerAdmins? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

1. A. a custom RBAC role for RG2
2. B. the Network Contributor role for RG2
3. C. the Contributor role for the subscription
4. D. a custom RBAC role for the subscription
5. E. the Network Contributor role for RG1
6. F. the Virtual Machine Contributor role for RG1

Correct Answer: AF
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

- (Exam Topic 4)
You have an Azure subscription that contains 100 virtual machines and has Azure Security Center Standard tier enabled.
You plan to perform a vulnerability scan of each virtual machine.
You need to deploy the vulnerability scanner extension to the virtual machines by using an Azure Resource Manager template.
Which two values should you specify in the code to automate the deployment of the extension to the virtual
machines? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

1. A. the user-assigned managed identity
2. B. the workspace ID
3. C. the Azure Active Directory (Azure AD) ID
4. D. the Key Vault managed storage account key
5. E. the system-assigned managed identity
6. F. the primary shared key

Correct Answer: AC

- (Exam Topic 4)
You have an Azure Active Directory (Azure AD) tenant. The tenant contains users that are assigned Azure AD Premium Plan 2 licenses.
You have an partner company that has a domain named The fabrikam.com domain contains a user named user'. User' has an email address of userl@tabrikam.com.
You to provide User1 with to the resources in the tenant The solution must meet the following requirements: user1 must be able to sign in by using the userl@fabrikam.com credentials
You must be able to grant User1 access to the resources in the tenant
Administrative effort must be minimized.
What should you do?

1. A. Create a user account for user1.
2. B. Create an invite for User1.
3. C. To the tenant add fabrikamcom as a custom domain
4. D. Set Enable guest self-service sign up via user flows to Yes for the tenant.

Correct Answer: B

- (Exam Topic 4)
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD)
tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant. You need to recommend an integration solution that meets the following requirements:
Ensures that password policies and user logon restrictions apply to user accounts that are synced to the Tenant Minimizes the number of servers required for the solution.
Which authentication method should you include in the recommendation?

1. A. federated identity with Active Directory Federation Services (AD FS)
2. B. password hash synchronization with seamless single sign-on (SSO)
3. C. pass-through authentication with seamless single sign-on (SSO)

Correct Answer: C
* 1. Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
>> Pass-Through Authentication enforce on-premises user account states, password policies, and sign-in hours.
* 2. Minimizes the number of servers required for the solution.
>> Pass-through needs a lightweight agent to be installed one (or more) on-premises servers.
>> PW Hash also require installing Azure AD Connect on your existing DC.