- (Exam Topic 3)
You need to encrypt storage1 to meet the technical requirements. Which key vaults can you use?
Correct Answer:
B
The storage account and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.
Storage1 is in the West US region. KeyVault1 is the only key vault in the same region.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
- (Exam Topic 4)
Lab Task
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Azure Username: Userl -28681041@ExamUsers.com
Azure Password: GpOAe4@lDg
If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.
The following information is for technical support purposes only: Lab Instance: 28681041
Task 3
The developers at your company plan to create a web app named App28681041 and to publish the app to https://www.contoso.com. You need to perform the following tasks:
• Ensure that App28681041 is registered to Azure AD.
• Generate a password for App28681041.
Solution:
To register App28681041 to Azure AD and generate a password for it, you can follow these steps:
In the Azure portal, search for and select Azure Active Directory.
In the left pane, select App registrations.
Select New registration.
In the Register an application pane, enter the following information:
Name: App28681041
Supported account types: Select the appropriate account types for your scenario.
Redirect URI: Leave this field blank.
Select Register.
In the App registrations pane, select the newly created App28681041 application.
In the left pane, select Certificates & secrets.
Select New client secret.
In the Add a client secret pane, enter the following information:
Description: Enter a description for the client secret.
Expires: Select an appropriate expiration date for the client secret.
Select Add.
In the Certificates & secrets pane, copy the value of the newly created client secret.
You can find more information on this topic in the following Microsoft documentation: Quickstart: Register an application with the Microsoft identity platform.
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 4)
You have an Azure subscription that contains a user named Admin1 and a virtual machine named VM1. VM1 runs Windows Server 2019 and was deployed by using an Azure Resource Manager template. VM1 is a member of the backend pool of a public Azure Basic Load Balancer.
Admin1 reports that VM1 is listed as Unsupported on the Just in time VM access blade of Azure Security Center.
You need to ensure that Admin1 can enable just in time (JIT) VM access for VM1. What should you do?
Correct Answer:
D
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-re
- (Exam Topic 4)
You need to recommend which virtual machines to use to host App1. The solution must meet the technical requirements for KeyVault1.
Which virtual machines should you use?
Correct Answer:
D
- (Exam Topic 2)
You are evaluating the effect of the application security groups on the network communication between the virtual machines in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Solution:
Box 1: No. VM4 is in Subnet13 which has NSG3 attached to it.
VM1 is in ASG1. NSG3 would only allow ICMP pings from ASG2 but not ASG1. Only TCP traffic is allowed from ASG1.
NSG3 has the inbound security rules shown in the following table.
Box 2: Yes.
VM2 is in ASG2. Any protocol is allowed from ASG2 so ICMP ping would be allowed.
Box 3: VM1 is in ASG1. TCP traffic is allowed from ASG1, so VM1 could connect to the web server, as connections to the web server would be on ports TCP 80 or TCP 443.
Does this meet the goal?
Correct Answer:
A