Exam AZ-300: Microsoft Azure Architect Technologies


Question 1

You need to recommend a solution that will monitor Azure subscription activity and send alerts to a non-Azure system for processing.

Notification of alerts sent to the external system must be automated.

Which mechanism should you recommend?


Explanation

You should recommend using a webhook. Azure alerts use HTTP POST to send the alert contents in JSON format to a webhook URI that you provide when you create the alert. Azure posts one entry per request when an alert is activated.

You should not recommend Power BI. This service is used to present and analyze both historical and live data. The external system would need to retrieve the data from Power BI.

You should not recommend Azure Event Hubs. Although this service is used to ingest data, you would need an additional component to send data to an external system.

You should not recommend Azure Stream Analytics. This service is used to process large amounts of data on the fly and to perform complex data analytics and aggregations.


Question 2

You are taking over as the IT administrator for an Azure subscription. You want a simple, efficient, and free way to view and manage all the blobs in the subscription.

You need to download the most appropriate tool.

Which tool should you use?


Explanation

You should use Storage Explorer. This tool is free and simple to use. It allows you to manage different types of Azure storage accounts, including blobs, tables, and queues.

You should not use Visual Studio Ultimate. This is a fully-featured integrated development environment (IDE) that allows you to write code for applications and websites. Although you can use the built-in Azure Cloud Explorer tool to view blobs, Storage Explorer is easier to use.

You should not use Visual Studio Code. This is a lightweight IDE that allows you to write code for applications and websites. It does not provide a built-in user interface for managing blobs.

You should not use Storage Emulator. This tool allows you to emulate Azure storage accounts. It does not connect to real Azure storage accounts.


Question 3

A blob associated with an Azure Blob storage account contains data that is accessed several times per day.

You plan to add a new blob to the Blob storage account. The data in the new blob will be viewed infrequently but must be available immediately when accessed.

You must configure the storage tier for the new blob. The solution must minimize storage costs.

What should you do?


Explanation

You should set the storage tier for the new blob to Cool. Cool storage is intended for data that is accessed infrequently and stored for 30 days or more. Cool storage has a similar time-to-access as Hot data. Although it has a slightly lower availability compared to Hot data, storage costs are lower.

You should not set the storage tier for the new blob to Archive. Although Archive storage is the least expensive, it also has several hours of retrieval latency.

You should not set the default storage tier for the account to Hot. Only the original blob in the storage account is accessed frequently. If the tier for the account is set to Hot, this applies to the new blob as well.

You should not set the default storage tier for the account to Cool. This is appropriate only for the new blob. If the tier for the account is set to Cool, this applies to the original blob as well.


Question 4

You are planning to deploy 15 identical virtual machines (VMs) to Azure. All 15 VMs must be based on the settings of a local on-premises computer.

You need to choose the best strategy for deploying the VMs.

What should you do?


Explanation

You should create a JSON file that describes a single VM. This file is referred to as an Azure Resource Manager (ARM) template in Azure. You should then use deployment commands to deploy the template to Azure. One tool that you can use is PowerShell. Once the template is deployed, you can use it to create actual VMs.

You should not create an XML file to describe a single VM. ARM templates must be written in JSON syntax.

You should not create the VM in Azure and then use PowerShell or Azure CLI to copy it. ARM templates provide a way to describe a VM before you create it.


Question 5

You need to deploy a virtual machine (VM) to Azure from a third-party online template.

Which PowerShell cmdlet should you use?


Explanation

You should use New-AzureRmResourceGroupDeployment. This cmdlet allows you to use Azure Resource Manager (ARM) templates to create Azure resources. In this scenario, it allows you to create a VM from an ARM template.

You should not use New-AzureQuickVM or New-AzureVM. Both cmdlets allow you to create a VM from an Azure template, not from a third-party online template.

You should not use New-AzureRmVMConfig. This cmdlet creates a VM configuration, not an actual VM.


Question 6

You manage two on-premises networks, each located in a separate branch office. You must connect both networks to Azure while controlling costs.

Which type of connection should you choose?


Explanation

You should choose a multi-site VPN. This accomplishes the goal of connecting the branch offices to Azure while controlling costs.

You should not choose an ExpressRoute connection. ExpressRoute connects an on-premises network to a virtual network via a wide area network (WAN). Although this solution provides a fast, secure connection, it is not a low-cost option.

You should not choose an MPLS network. This is also not a low-cost option.

You should not choose a point-to-site connection. This option connects one or more machines and a site via the Internet and is not an appropriate solution for connecting branch offices.


Question 7

You are the Azure administrator for a web API that uses the Free plan.

You need to monitor the web API to determine whether or not you should change the plan to Basic.

Which metric should you monitor?


Explanation

You should monitor CPU time. This represents the number of CPU minutes used by the web API. For the Free plan, a web app or web API is allowed 60 CPU minutes per day. By monitoring this metric, you can decide whether or not to scale up the web API.

You should not monitor Average Response Time. This represents the average number of milliseconds used to serve a single request. An App Service Plan can affect the response time, but it is not feasible to use the response time to determine whether or not to scale up an app due to other factors. For example, the average response time can increase due to the number of simultaneous requests made, such as during peak times.

You should not monitor Requests. This represents the total number of HTTP requests made to the web API. An App Service Plan does not limit the number of requests made to a web API.

You should not monitor Thread Count. This represents the total number of working threads used to service requests. An App Service Plan does not limit the number of threads used by a web API.


Question 8

Your company has on-premises Domain Name System (DNS) servers that are authoritative for its domain. You create a directory in Azure Active Directory (Azure AD). You want to create a custom domain for this directory that matches your company's domain.

You need to configure the environment so that you can have Azure verify the custom domain.

What should you do?


Explanation

You should add a TXT record to your company's DNS servers. When you ask Azure to verify a custom domain, it issues DNS queries for TXT records. Because your company has on-premises DNS servers that are authoritative for its domain, Azure sends the DNS queries to your company's DNS servers. If the TXT entry in Azure matches the TXT entry in your company's DNS servers, verification succeeds.

You should not add a TXT record to your company's domain registrar. You should do this only if the registrar is authoritative for the domain.

You should not add CNAME records. CNAME records are alias records that allow you to forward requests from a domain name to another domain name or server.


Question 9

You plan to use Azure AD join in a federated environment. You need to ensure that the identity provider supports WS-* protocols to ensure that Azure AD join works natively.

Which two protocols must be supported? Each correct answer presents part of the solution.


Explanation

You should make sure that the identity provider supports the WS-Fed protocol. This protocol is required to join a device to Azure AD.

You should also make sure that the identity provider supports the WS-Trust protocol. This protocol is required to sign in to an Azure AD joined device. Both of these protocols are needed if Azure AD join is intended to work natively.

You should not make sure that the identity provider supports the WS-Reliability protocol. This protocol guarantees reliable messaging in Web Services applications. WS-Reliability was superseded by WS-ReliableMessaging.

You should not make sure that the identity provider supports the WS-Policy protocol. This protocol describes the capabilities and constraints of the security policies on communication endpoints.


Question 10

Your company uses Azure Active Directory (AD). You find that the service account defined on the Azure AD Connector cannot contact Azure AD because the password has expired.

You need to provide Azure AD Global admin credentials.

Which cmdlet should you use?


Explanation

You should use the Add-ADSyncAADServiceAccount cmdlet to provide Azure AD Global admin credentials. You need to pass the connector name and the credentials of the administrator.

You should not use the Set-ADSyncAADPasswordResetConfiguration cmdlet to provide Azure AD Global admin credentials. This cmdlet is used to disable and enable password writeback.

You should not use the Set-FullPasswordSync cmdlet to provide Azure AD Global admin credentials. This cmdlet resets the password sync state information, which forces a full sync the next time the service is started.

You should not use the Get-PasswordSyncLogStatus cmdlet to provide Azure AD Global admin credentials. This cmdlet is used to retrieve the current logging level for the Password Sync feature of the Azure Active Directory Sync tool.


Question 11

You are the IT administrator for your company. Your company hosts Active Directory (AD). You want to also use Azure AD.

You need to configure your environment so that password hash synchronization can be used for authentication.

What should you do?


Explanation

You should install Azure AD Connect on an on-premises server. This tool allows you to synchronize password hashes from a domain controller to Azure AD.

You should not install AD Domain Services on an Azure VM. This does not allow synchronization from an on-premises AD infrastructure. It simply places a domain controller in the cloud instead of on-premises.

You should not create a site link on an Azure VM. A site link is an AD object that allows replication across on-premises domain controllers.

You should not create a site link bridge on an on-premises server. A site link bridge is an AD object that represents a collection of site links, which allow replication across on-premises domain controllers.


Question 12

You implement Azure Active Directory (Azure AD) Connect so you can synchronize accounts in your on-premises AD with those in Azure AD. You decide to synchronize only a specific organizational unit.

You receive the following error during the first synchronization:

"Number of deletions exceeds the default threshold of 500 objects".

You need to successfully synchronize the accounts.

Which cmdlet should you use?


Explanation

You should run the Disable-ADSyncExportDeletionThreshold cmdlet. This cmdlet disables the deletion protection and allows the synchronization to complete without errors. When you install Azure AD Connect, it prevents accidental deletes by default. The default configuration does not allow an export with more than 500 deletes. This feature is designed to protect from accidental configuration changes and changes to the on-premises directory that would affect many users and other objects.

You should not run the Enable-ADSyncExportDeletionThreshold -DeletionThreshold 1000 cmdlet. It changes the threshold from the default value (500) to 1000 elements. When the number of elements is reached, an error occurs.

You should not run the Enable-ADSyncExportDeletionThreshold -ThresholdPercentage 10 cmdlet. It changes the threshold from the default value (500 elements) to percentage values. When the number of elements is reached, an error occurs.

You should not run the Get-ADSyncExportDeletionThreshold cmdlet. It is used to display the current threshold value.


Question 13

You need to enable encryption for a running Windows Infrastructure-as-a-Service (IaaS) virtual machine (VM).

Which PowerShell cmdlet should you use?


Explanation

You should use the Set-AzVMDiskEncryptionExtension cmdlet. This cmdlet enables encryption on a running Windows or supported Linux VM by installing the disk encryption extension. You should create a snapshot of the VM before enabling encryption.

You should not use the Set-AzVMDataDisk cmdlet. This cmdlet is used to modify properties for a VM data disk but does not include properties related to encryption.

You should not use the Set-AzDiskDiskEncryptionKey cmdlet. This cmdlet sets the disk encryption key properties on a disk but does not enable encryption.

You should not use the ConvertTo-AzVMManagedDisk cmdlet. This cmdlet is used to convert a VM with blob-based disks to a VM with managed disks.


Question 14

An Azure resource group was initially deployed from an Azure Resource Manager (ARM) template. Resources have since been added and modified manually through the Azure portal.

You need to create a new template based on the current state of the resource group.

Which PowerShell cmdlet should you use?


Explanation

You should use the Export-AzureRmResourceGroup cmdlet. This cmdlet captures a specified resource group and saves it as a template to a JSON file. This gives you a way to create a template based on the current resources in a resource group. You also have the option of exporting a running resource group as a template from the Azure portal.

You should not use the Save-AzureRmResourceGroupDeploymentTemplate cmdlet. This saves a resource group deployment, not the current resource group, to a file. You must specify both the deployment name and resource group name.

You should not use the Save-AzureRmDeploymentTemplate cmdlet. This saves an existing deployment template to a new template file.

You should not use the New-AzureRmResourceGroupDeployment cmdlet. This cmdlet is used to apply a template to an existing resource group, not create a new template file.


Question 15

You are the IT administrator for an automobile dealership on the west coast of the United States. The dealership wants to take advantage of Microsoft Azure by first moving its website to the cloud. The dealership wants to use the lowest cost solution possible.

Business Requirements

One of the problems the dealership has been facing is website downtime. The dealership typically provides maintenance every Sunday and Wednesday at 2:00 A.M. Eastern Time. However, because the dealership wants to attract customers all over the world, it wants to ensure that the website is always available. During peak seasons, the dealership notices that the website responds slower. The dealership wants this bottleneck eliminated.

Technical Requirements

The website is currently hosted at the dealership's domain registrar. The dealership wants to move the site to Azure on Windows Server virtual machines (VMs). Users must be able to use the same domain name to reach the website. The website must be hosted in only one Azure region. The VMs must use a four-gigabyte (GB) solid state drive (SSD). The dealership expects there to be less hands-on maintenance and administration once the infrastructure is moved to Azure.

You need to create the VM and assign it to the availability set named WebSiteAvailabilitySet.

Which commands should you use? Select correct placeholder values.

$set = Get-AzureRmAvailabilitySet -ResourceGroupName WebSiteResourceGroup -Name WebSiteAvailabilitySet

$vm = PLACEHOLDER 1 -VMName "DealershipWebServer" -VMSize "PLACEHOLDER 2" -AvailabilitySetId "PLACEHOLDER 3"

"PLACEHOLDER 4" -ResourceGroupName WebSiteResourceGroup "PLACEHOLDER 5"


Explanation

You should use the following commands:

$set = Get-AzureRmAvailabilitySet -ResourceGroupName WebSiteResourceGroup -Name WebSiteAvailabilitySet

$vm = New-AzureRmVMConfig -VMName "DealershipWebServer" -VMSize "Standard_B1s" -AvailabilitySetId $set.Id

New-AzureRmVM -ResourceGroupName WebSiteResourceGroup -Location "westus" -VM $vm

The first command uses Get-AzureRmAvailabilitySet to retrieve the availability set named WebSiteAvailabilitySet and store it in a variable named $set.

The second command uses New-AzureRmVMConfig to create a VM configuration that sets the VM name to DealershipWebServer and the size to a B-series size named Standard_B1s. This is a Standard offering with a 4-GB SSD. This command also places the VM in the availability set retrieved by the first command. It stores the result in a variable named $vm.

The third command uses New-AzureRmVM to actually create the VM. It uses the configuration stored in the $vm variable to create the VM, and it places the VM in the West United States region.

You should not call New-AzureRmVM before New-AzureRmVMConfig. New-AzureRmVMConfig allows you to create the VM configuration, while New-AzureRmVM uses that configuration to create the VM.

You should not specify 4 GiB as the value for the -VMSize parameter. The value must be in the form <Offering>_<VM Size>.

You should not specify $set or WebSiteAvailabilitySet as the value of the -AvailabilitySetId parameter. The value must be the ID of an availability set.

You should not call New-AzureRmVM without specifying a value for the -VM parameter. Otherwise an empty VM is created.

You should not call New-AzureRmVMConfig last. This command is used to create a VM configuration, not to create the actual VM.


Question 16

You are the IT administrator for an automobile dealership on the west coast of the United States. The dealership wants to take advantage of Microsoft Azure by first moving its website to the cloud. The dealership wants to use the lowest cost solution possible.

Business Requirements

One of the problems the dealership has been facing is website downtime. The dealership typically provides maintenance every Sunday and Wednesday at 2:00 A.M. Eastern Time. However, because the dealership wants to attract customers all over the world, it wants to ensure that the website is always available. During peak seasons, the dealership notices that the website responds slower. The dealership wants this bottleneck eliminated.

Technical Requirements

The website is currently hosted at the dealership's domain registrar. The dealership wants to move the site to Azure on Windows Server virtual machines (VMs). Users must be able to use the same domain name to reach the website. The website must be hosted in only one Azure region. The VMs must use a four-gigabyte (GB) solid state drive (SSD). The dealership expects there to be less hands-on maintenance and administration once the infrastructure is moved to Azure.

You need to eliminate the bottleneck during peak seasons.

Which two Azure resources should you create? Each correct answer presents part of the solution.


Explanation

You should create a scale set. A scale set contains one or more identical VMs. It can be configured to automatically scale out more VMs as the CPU threshold increases.

You should also create a load balancer. A load balancer distributes traffic evenly across a set of VMs.

You should not create a Service Fabric cluster. Service Fabric allows you to scale out micro-services. In this scenario, you need to scale out VMs.

You should not create a Traffic Manager profile. Traffic Manager distributes traffic across Azure regions. It uses DNS to determine the nearest Azure datacenter to which external traffic should be routed.

You should not create an API Management gateway. API Management allows API developers to publish and secure web APIs.


Question 17

You are the IT administrator for an automobile dealership on the west coast of the United States. The dealership wants to take advantage of Microsoft Azure by first moving its website to the cloud. The dealership wants to use the lowest cost solution possible.

Business Requirements

One of the problems the dealership has been facing is website downtime. The dealership typically provides maintenance every Sunday and Wednesday at 2:00 A.M. Eastern Time. However, because the dealership wants to attract customers all over the world, it wants to ensure that the website is always available. During peak seasons, the dealership notices that the website responds slower. The dealership wants this bottleneck eliminated.

Technical Requirements

The website is currently hosted at the dealership's domain registrar. The dealership wants to move the site to Azure on Windows Server virtual machines (VMs). Users must be able to use the same domain name to reach the website. The website must be hosted in only one Azure region. The VMs must use a four-gigabyte (GB) solid state drive (SSD). The dealership expects there to be less hands-on maintenance and administration once the infrastructure is moved to Azure.

You need to configure Azure to automatically notify the owner of the dealership when peak season appears to have started. The solution must minimize expense and difficulty to implement.

What should you do?


Explanation

You should use Monitor to create an alert when a CPU threshold is exceeded. With Monitor, you first choose a resource to monitor. In this scenario, the resource is a VM. You then choose a condition to monitor. In this scenario, when peak season starts, the website's response time is slower. This means that the CPU is doing more work than usual. Therefore, you should create a condition that monitors CPU percentage. You then choose an action. You can configure an action to e-mail the owner of the dealership when the CPU percentage exceeds a specific threshold.

You should not use Machine Learning. With Machine Learning, you import historical data into a model to predict future outcomes. You cannot monitor VM metrics like CPU usage and memory consumption.

You should not create a Function. This requires you to create an App Service resource. Also, you would need to manually write code to monitor CPU usage on the VM and send the text message.

You should not create a WebJob. This requires you to create an App Service resource. Also, you would need to manually write code to monitor memory consumption on the VM and invoke the WebHook. You would also need to code the WebHook to send the message to the owner.


Question 18

You are the IT administrator for an automobile dealership on the west coast of the United States. The dealership wants to take advantage of Microsoft Azure by first moving its website to the cloud. The dealership wants to use the lowest cost solution possible.

Business Requirements

One of the problems the dealership has been facing is website downtime. The dealership typically provides maintenance every Sunday and Wednesday at 2:00 A.M. Eastern Time. However, because the dealership wants to attract customers all over the world, it wants to ensure that the website is always available. During peak seasons, the dealership notices that the website responds slower. The dealership wants this bottleneck eliminated.

Technical Requirements

The website is currently hosted at the dealership's domain registrar. The dealership wants to move the site to Azure on Windows Server virtual machines (VMs). Users must be able to use the same domain name to reach the website. The website must be hosted in only one Azure region. The VMs must use a four-gigabyte (GB) solid state drive (SSD). The dealership expects there to be less hands-on maintenance and administration once the infrastructure is moved to Azure.


Explanation

You should add an inbound port rule to the VM. This rule should allow traffic over an HTTP port, which by default is port 80. (For HTTPS, the port is 443.)

You should also add a DNS name label to the VM. This is a host (A) record that resolves to the public IP address assigned to the VM. The public IP address is dynamic by default, and this does not cost any more money. At the domain registrar, you can create a CNAME record that points your website domain name to Azure at [dnsnamelabel].[region].cloudapp.azure.net.

You should not add a VM extension. A VM extension is a small application that provides post-deployment tasks. For example, an extension can automatically install anti-virus software whenever a VM is deployed through a script.

You should not add an outbound port rule to the VM. The VM should allow all outbound traffic by default.

You should not assign a public static IP address to the VM. This causes the IP address assigned to it to always remain the same. However, this is not necessary and it costs more money. You can use a CNAME record at the domain registrar and a DNS name label in Azure.


Question 19

You are the IT administrator for a small law firm. The company has one lawyer and one legal assistant. The company has two Windows 10 Professional desktop computers and a Linux server that hosts a web-based case management system.

Existing Infrastructure

The two desktop computers and the Linux server are connected by a network hub. The hub itself is connected to a router, which connects directly to the Internet via cable. No inbound ports are open on the router. The desktop computers host client applications that connect to the case management system at IP address 10.10.10.10 over TCP port 24000.

Business Requirements

The owner of the firm wants it to transition to a virtual firm. The lawyer and the assistant must be able to work from home by connecting to the Windows 10 desktop computers from any device. The owner wants you to move the existing infrastructure to Azure and make the system work as if it were in the physical office. However, the owner wants to use the minimum amount of resources and the least expensive options.

Technical Requirements

The two computers and server should be imported into Azure as virtual machines (VMs). The VMs for the lawyer and assistant should be always available, even during periods of upgrades or maintenance. As more cases are imported into the case management system, the disk attached to the Linux VM should automatically resize to ensure that it always has 20 percent of free space.

You create two Windows 10 virtual machines for the lawyer and legal assistant. You must ensure that the lawyer and legal assistant can connect to their desktop computers from any location and from any device.

What should you do?


Explanation

You should add an inbound port rule to each VM. An inbound port rule specifies the port that must be open for the VM. In this scenario, you can open a Remote Desktop Protocol (RDP) port to allow the lawyer and legal assistant to remotely connect to the VMs.

You should not place the two VMs in the same availability set. An availability set allows one VM to be responsive when another VM is down for maintenance or some unexpected event. It does not allow users to connect to a VM remotely.

You should not move each VM into its own subnet. This increases resource management. Both VMs can be part of the same subnet.

You should not assign a static public IP address to each VM. This is not necessary, and it will add to the monthly cost. You can continue to use the dynamic public IP address that is assigned to each VM by default.


Question 20

You are the IT administrator for a small law firm. The company has one lawyer and one legal assistant. The company has two Windows 10 Professional desktop computers and a Linux server that hosts a web-based case management system.

Existing Infrastructure

The two desktop computers and the Linux server are connected by a network hub. The hub itself is connected to a router, which connects directly to the Internet via cable. No inbound ports are open on the router. The desktop computers host client applications that connect to the case management system at IP address 10.10.10.10 over TCP port 24000.

Business Requirements

The owner of the firm wants it to transition to a virtual firm. The lawyer and the assistant must be able to work from home by connecting to the Windows 10 desktop computers from any device. The owner wants you to move the existing infrastructure to Azure and make the system work as if it were in the physical office. However, the owner wants to use the minimum amount of resources and the least expensive options.

Technical Requirements

The two computers and server should be imported into Azure as virtual machines (VMs). The VMs for the lawyer and assistant should be always available, even during periods of upgrades or maintenance. As more cases are imported into the case management system, the disk attached to the Linux VM should automatically resize to ensure that it always has 20 percent of free space.

You need to meet the availability demands for Windows computers.

What should you do?


Explanation

You should create one availability set for each VM. An availability set allows you to group VMs for availability. For example, the first availability set can contain the Windows 10 computer for the assistant, with additional VM instances for failover support. The second availability set can contain the Windows 10 computer for the lawyer, with additional VM instances for failover support.

You should not create one availability set for both VMs. This would cause the lawyer's VM to be used when the assistant's VM is being upgraded, and vice versa.

You should not implement horizontal auto-scaling. Horizontal auto-scaling allows more VMs to be created as load on a particular VM increases. It does not provide failover support.

You should not implement vertical auto-scaling. Vertical auto-scaling allows more resources to be added to a VM as load on a particular VM increases. It does not provide failover support.


Question 21

You are the IT administrator for a small law firm. The company has one lawyer and one legal assistant. The company has two Windows 10 Professional desktop computers and a Linux server that hosts a web-based case management system.

Existing Infrastructure

The two desktop computers and the Linux server are connected by a network hub. The hub itself is connected to a router, which connects directly to the Internet via cable. No inbound ports are open on the router. The desktop computers host client applications that connect to the case management system at IP address 10.10.10.10 over TCP port 24000.

Business Requirements

The owner of the firm wants it to transition to a virtual firm. The lawyer and the assistant must be able to work from home by connecting to the Windows 10 desktop computers from any device. The owner wants you to move the existing infrastructure to Azure and make the system work as if it were in the physical office. However, the owner wants to use the minimum amount of resources and the least expensive options.

Technical Requirements

The two computers and server should be imported into Azure as virtual machines (VMs). The VMs for the lawyer and assistant should be always available, even during periods of upgrades or maintenance. As more cases are imported into the case management system, the disk attached to the Linux VM should automatically resize to ensure that it always has 20 percent of free space.

You need to ensure that the Linux virtual machine (VM) automatically expands its disk size when it is running low on space.

What two actions should you perform? Each correct answer presents part of the solution.


Explanation

You should install a script on the VM that monitors the disk space and sends a notification to Azure. This script can be written in the language of your choice. The type of notification should be an HTTP request.

You should also create an Azure Function that uses an HTTP trigger. When this trigger is invoked, it should stop the VM, expand the disk, and then restart the VM.

You should not configure Azure Monitor with an alert rule. Azure Monitor can monitor a VM for free disk space and an alert rule can trigger an alert. However, the alert is only shown in the Azure portal, so no action is triggered based on the alert. If you do this, the Linux VM disk will not be expanded.

You should not run an Azure PowerShell or Azure CLI command from the VM. Although both types of commands can be used to expand a disk, they should be run from a separate computer or VM instance.


Question 22

You need to create an alert for a virtual machine named VM1 that will be fired when the VM's CPU utilization is greater than 95 percent for at least 10 minutes. You also need to add an action group named AG1 to this alert.

What should you do? Select correct placeholder values.

az monitor metrics alert PLACEHOLDER 1 -n A1 -g RG1 --PLACEHOLDER 2 "avg Percentage CPU > 95" --PLACEHOLDER 3 10m --PLACEHOLDER 4 AG1


Explanation

You should use the following command:

az monitor metrics alert create -n A1 -g RG1 --condition "avg Percentage CPU > 95" --window-size 10m --action AG1

You should use the az monitor metrics alert create command to create a metric-based alert rule. The list and show commands list alert rules and show a specific alert rule.

You should use the condition parameter to specify the condition that triggers the rule. The scopes option defines an action group associated with an alert, and the description option provides a free-text description of the rule.

You should use the window-size option to define a time window in which the value of the condition is aggregated. You should not use the evaluation-frequency option to define a time window in which the value of the condition is aggregated. This option is used to define the frequency at which measured values are calculated. The action option defines an action group associated with an alert.

You should use the action option to define an action group associated with the alert. The name option assigns a name to the rule. The condition parameter specifies the condition that triggers the rule.


Question 23

You need to provide information from Azure Log Analytics for the following sources:

* Windows event log and Syslog

* Application insights about traces, requests, and page views

* Performance metrics

You need to deliver all data from the event log and Syslog. You must deliver only matched data for application insights and performance metrics.

Which operators are required in the Log Analytics query for the data that you need to deliver?

Select correct placeholder values.

Windows event log PLACEHOLDER 1

Syslog PLACEHOLDER 2

Application insights PLACEHOLDER 3

Performance metrics PLACEHOLDER 4


Explanation

You should use the union operator to deliver all data from the Windows event log and Syslog. The operator takes all rows from the first source and appends all data from the second source. The structure of the sources must be identical.

You should use the inner join operator to deliver only matched data from application insights and performance metrics. The inner join operator returns matching records from both sources.

You should not use the inner join operator to deliver all data from the event log and Syslog. The inner join operator requires that sources have columns that can be used as keys to perform matching.

You should not use the inner unique join operator to deliver all data from the event log and Syslog. The inner unique join operator requires that sources have columns that can be used as keys to perform matching. The inner unique join operator removes duplicates.

You should not use the union operator to deliver only matched data from application insights and performance metrics. The union operator takes all rows from the first source and appends all data from the second source. The structure of the sources must be identical.

You should not use the inner unique join operator to deliver only matched data from application insights and performance metrics. The inner unique join operator removes duplicates.


Question 24

You need to retrieve data from Log Analytics on virtual machines (VMs) hosted on Azure. You must write a Log Analytics query that meets the following requirements:

* Find VMs that have failed to send a heartbeat signal within the previous hour

* Summarize the data by operating system type

How should you complete the query? Select correct placeholder values.

Heartbeat
| where PLACEHOLDER 1
| summarize distinct_computers = PLACEHOLDER 2 (Computer) by OSType


Explanation

You should use the following command:

Heartbeat
| where TimeGenerated > ago(1h)
| summarize distinct_computers = dcount(Computer) by OSType

You should use the TimeGenerated > ago(1h) condition to find all heartbeats that have been generated within the last hour. The ago(1h) function is a shortcut of the now(-1h) function and has the same meaning.

You should not use the TimeGenerated > now(1h) condition to find all heartbeats that have been generated within the last hour. The now(1h) function would find events older than one hour.

You should not use the now()-TimeGenerated > 1h condition to find all heartbeats that have been generated within the last hour. The now()-TimeGenerated > 1h condition would find events older than one hour.

You should use the dcount function to calculate the distinct number of computers that have sent a heartbeat signal within the last hour.

You should not use the count function to calculate the distinct number of computers that have sent a heartbeat signal within the last hour. The count function would sum all the heartbeat signals.

You should not use the dcountif function to calculate the distinct number of computers that have sent a heartbeat signal within the last hour. This function is used to add a filter to the counting process. For example, you could count only computers running Linux.


Question 25

You monitor security events collected from virtual machines (VMs) hosted on Azure.

You prepare a static table that consists of the security event codes. You need to show the description of the event and how many times it occurred on the VM. If an event code is not present, zero should be displayed.

Select correct placeholder values.

Requirement: Join to use to match data from the events with the static table. Query option: PLACEHOLDER 1

Requirement: Function to use to count the number of events. Query option: PLACEHOLDER 2


Explanation

You should use a Leftouter join to match data from the events with the static table. For this type of join, all records in the left table and matching records in the right table are included in the results. Unmatched output properties contain nulls.

You should not use the Innerunique join type to match data from the events with the static table. This is the default join mode. The values of the matched column on the left table are found, and duplicate values are removed. Then, the set of unique values is matched against the right table.

You should not use the Leftanti join type to match data from the events with the static table. Records from the left side that do not have matches on the right side are included in the results. The results table has only columns from the left table.

You should use the Count aggregation function. This function returns a count of the security events.

You should not use the DCount aggregation function to count the number of security events. The DCount function is used to calculate the distinct count values and remove duplicates from the dataset. In this case, you would observe only one event per VM.

You should not use the DCountIf aggregation function to count the number of security events. The DCountIf function is used to calculate the distinct count values and remove duplicates from the dataset. In this case, you would observe only one event per VM.


Question 26

You are the IT administrator for an Azure subscription. You create a Log Analytics workspace that you want to use to monitor all the virtual machines (VMs) in the subscription that have not been responsive today.

You need to create the query.

How should you create the query? To answer, select the appropriate code segments from the drop down menus.

PLACEHOLDER 1
| where TimeGenerated > ago(7d)
| summarize PLACEHOLDER 2 by Computer
| where PLACEHOLDER 3 < ago(1d)


Explanation

You should use the following query:

Heartbeat
| where TimeGenerated > ago(7d)
| summarize max(TimeGenerated) by Computer
| where max_TimeGenerated < ago(1d)

This query searches the Heartbeat table for all events, TimeGenerated, that were generated more than seven days ago. It summarizes those events by the maximum time, max(TimeGenerated). It then filters those events where the maximum time generated, max_TimeGenerated, is less than one day.


Question 27

You are the Azure administrator for an online personal training company. You create a blob storage account to store training videos. Only you should be able to manage the storage account.

The storage account has a container that personal trainers use to upload their videos. Only personal trainers that your company approves should be able to upload video files.

Choose all that apply:


Explanation

You should create a shared access signature. This is a URI that contains access rights to an Azure resource.

You should not set the access level of the blob container to Public. This allows anyone to access the container, including anonymous users. You should instead set the access level to Private. By doing this and giving out the shared access signature, you can control who has access to the blob container.

You should not share the storage account key with the personal trainers. This allows the personal trainers to manage the storage account, including the ability to delete other trainers' videos.


Question 28

You are a Cloud Solutions Architect for a mobile application development company. The company has worldwide users that require consistently high performance.

You now want to drop the dependency on physical datacenter storage. You plan to create a new storage solution for the enterprise that uses Azure Storage for disaster recovery, high availability, and performance.

Choose all that apply:


Explanation

You should not use Premium Storage for global replication. Premium Storage is available only for locally redundant storage (LRS) replication. Also, Premium Storage is not available for all regions.

Recovery time objective (RTO) is the maximum acceptable time that an application can be unavailable after an incident. For example, if your RTO is 50 minutes, you can restore the application to a running state within 50 minutes after the start of an incident. However, if you have a very low RTO, you might keep a second regional deployment continually running an active/passive configuration on standby to protect against a regional outage.

You cannot authorize the Azure Storage from HTTP. To authorize blob and queue operations with an OAuth token, you must use HTTPS.


Question 29

You are determining which type of Azure storage replication is appropriate for your storage account.

You must consider the features of each replication option and choose the most appropriate one: locally-redundant storage (LRS), zone-redundant storage (ZRS), geo-redundant storage (GRS), or read-access geo-redundant storage (RA-GRS).

Which replication options should you use to provide the features listed in the answer area? Choose all that apply:


Explanation

LRS maintains three copies of your data within a single datacenter in a single region. This type of replication does not protect your data from failure of a single data center or region, but it protects you from hardware failures.

Premium storage supports only locally redundant storage (LRS).

RA-GRS replicates your data to another datacenter in a secondary region and provides read-only access to the data in the secondary location. This replication option is the default option for new storage accounts.


Question 30

You create an Azure storage account that is used to store financial records. These records are accessed frequently. In the event of a data center outage, you want to ensure that the records can still be retrieved, even if they cannot be modified. All applications use REST APIs to access the financial records.

You need to choose the most appropriate, least expensive configuration.

How should you configure the storage account? Choose all that apply:


Explanation

You should use the Hot access tier. This tier is feasible for storage accounts that are accessed frequently.

You should use the RA-GRS replication strategy. With this strategy, if a failure occurs at a datacenter, data is replicated to another datacenter in another region, and it is available for read-only access.

You should use the Standard performance tier. This tier uses magnetic drives to store data at low cost.

You should not use the Cool access tier. This tier is feasible for storage accounts that are not accessed frequently.

You should not use LRS. This replication strategy only copies data within a datacenter. It is feasible for scenarios such as power supply failure or disk failure.

You should not use GRS. This replication strategy copies data to other regions. However, the data is not available to be read unless Microsoft initiates a failover to that region.

You should not use the Premium performance tier. This tier uses solid state drives at a higher cost. These storage accounts can only be used with virtual machine (VM) disks.


Question 31

You are the IT administrator for an Azure subscription that contains 20 virtual machines (VMs).

You need to write a Log Analytics query to determine which VMs have not been responsive within the past hour.

How should you complete the query?


Explanation

You should use the following query:

Heartbeat | where TimeGenerated > ago(1h)

This query finds all computers that have had a heartbeat within the past hour. Computers send a heartbeat to let Azure know that they are responsive. The ago(1h) means the timestamp is one hour ago. If TimeGenerated is greater than that timestamp, the heartbeat occurred within the past hour.

You should not use Perf as a source. This source looks at performance counters. In this scenario, you need to search the Heartbeat source, not performance counters.

You should not use the following query:

Heartbeat | where TimeGenerated < ago(1h)

This query finds all computers that have sent a heartbeat before one hour ago.


Question 32

You are the IT administrator for your company. Your company has a main office in California and a branch office in Amsterdam. Only employees work at the main and branch offices. Contractors can work remotely from anywhere in the world.

An Azure subscription contains a virtual network (VNet) that contains resources that all employees and contractors must access. Only the main office has a VPN server.

You need to choose a connection type to ensure that each group of workers can access the full network.

Which connection types should you use? Choose all that apply:


Explanation

You should not use site-to-site for contractors. This connection type allows you to connect to on-premises datacenters by using VPN. It requires that each datacenter host a VPN server. You should instead use site-to-site for the employees in California.

You should not use point-to-site for employees in California. This connection type allows workers to connect to an Azure VNet over the public network. You should use point-to-site for contractors who work remotely.

You should use ExpressRoute for employees in Amsterdam. This connection type allows you to create a private connection between Azure and an on-premises network. It does not require the on-premises location to host a VPN server.


Question 33

You create a VPN gateway using the Resource Manager deployment model and want to verify the connection.

How can you verify the connection?


Explanation

You can use the az network vpn-connection show Azure CLI command to show connection status for a gateway created using the Resource Manager deployment model. When the connection is established, its status shows Connected.

You cannot use the Get-AzureVNetConnection PowerShell cmdlet to verify connectivity. The Get-AzureVNetConnection cmdlet is used to show the connection status for a classic VPN gateway. To show the status of a gateway created using the Resource Manager deployment model, you must use the Get-AzureRmVirtualNetworkGatewayConnection PowerShell cmdlet.

In the Azure portal, you can navigate to the gateway and click Connection to verify connectivity for a Resource Manager VPN gateway. You can also click the connection to open Essentials, which shows more information about the connection.


Question 34

You have three virtual networks (VNets) named VNET1, VNET2 and VNET3. The VNets have the following subnets:

* VNET1: Subnet11, Subnet12

* VNET2: Subnet21

* VNET3: Subnet31, Subnet32

You perform the following actions:

* Add peering from VNET1 to VNET2

* Add peering from VNET2 to VNET3

* Add peering from VNET3 to VNET2

You need to identify network connectivity between subnets.

Which network connectivity should you identify for each subnet? Choose all that apply:


Explanation

Virtual network (VNet) peering enables you to connect VNets. Peered VNets appear as one for connectivity purposes. You must add peering to both VNets that you want to connect. If you add peering to only one VNet, peering is in the Initiated state, and VNets will not have connectivity.

Subnet11 has network connectivity with Subnet12 only. Those two subnets are on the same VNet. Subnets on the same VNet always have full network connectivity.

Subnet11 does not have network connectivity with Subnet21. Subnet11 is on VNET1, and Subnet21 is on VNET2. You have only added peering between VNET1 and VNET2 in one direction. For this reason, peering is in the Initiated state and the two VNets do not have connectivity. Because the VNets are not connected, Subnet11 does not have connectivity with Subnet21.

Subnet21 has network connectivity with Subnet31 and Subnet32 only. Subnet21 is on a different VNet than Subnet31 and Subnet32. You add peering from VNET2 to VNET3 and from VNET3 to VNET2. Because the VNets are connected, the subnets on VNET2 have full connectivity to subnets on VNET3.

You added peering from VNET1 to VNET2, but you did not add peering from VNET2 to VNET1. Because the peering was only added to one of the VNets, there is no network connectivity between VNET1 and VNET2 and Subnet21 does not have connectivity with Subnet11 and Subnet12.


Question 35

You create two Azure virtual machines (VMs) named vm1 and vm2, and then you add them to a virtual network. The private IP addresses for vm1 and vm2 are 10.1.0.10 and 10.1.0.11, respectively. You connect to vm1 by using Remote Desktop from your laptop computer.

You run the following PowerShell cmdlet on vm1:

ping 10.1.0.11

You receive an error message that the request timed out.

You must ensure that the ping command is successful.

You need to run a PowerShell cmdlet on vm2.

How should you complete the cmdlet?


Explanation

You should run the following cmdlet on vm2:

New-NetFirewallRule -DisplayName "Ping" -Protocol ICMPv4

This cmdlet creates a firewall rule that allows inbound Internet Control Message Protocol (ICMP) traffic to reach vm2. This is necessary because the ping command uses ICMP to communicate.

You should not run the following cmdlet on vm2:

New-NetFirewallRule -DisplayName "Ping" -Protocol TCP -LocalPort 3389

This cmdlet opens TCP port 3389 on vm2. This is the default port for Remote Desktop. The problem is that the ping command is not successful. Also, all of the parts for that cmdlet are not available.

You should not run the following cmdlet on vm2:

New-NetIPsecRule -InboundSecurity Require -RemoteAddress 10.1.0.10

The New-NetIPsecRule cmdlet allows you to configure an IPsec rule. IPsec is a collection of protocols that allow secure communication across IP networks. The problem in this scenario is related to ping, not IPsec.


Question 36

You need to change the public IP address for an Azure virtual machine (VM) named sn2-prod-091 to 13.65.243.111.

How should you complete the command? Choose all that apply:


Explanation

You should call the Get-AzureVM cmdlet to retrieve an instance of the Azure VM. Next, you should call the Set-AzureStaticVNetIP cmdlet to set the public static IP address of the virtual adapter assigned to that VM. Finally, you should call Update-AzureVM to apply the changes.

You should not call Add-AzureRmVMNetworkInterface. This cmdlet adds a new virtual network interface to a VM.

You should not call New-AzureRmVMConfig. This cmdlet creates a configuration that can be used to update a VM. However, it does not actually update the VM.


Question 37

You plan to perform an Azure Active Directory (Azure AD) Access Review because you have found a higher number of users than you expected in certain groups and roles.

You need to review the security group members, Azure AD roles, and Azure resource roles.

Where will you create reviews for the different groups? Choose all that apply:


Explanation

The review for security group members should be created in Azure AD Access reviews. This can be done from the access panel in Azure. To use the access reviews, you need to have an Azure AD Premium P2 license and an Enterprise Mobility + Security E5 license.

The review for Azure AD roles and Azure resource roles should be created in Azure AD Privileged Identity Management (PIM). This can be done from the Azure portal. Azure PIM is a service that enables you to manage, control, and monitor access to important resources in your organization.

Azure AD enterprise apps is used for reviews of users assigned to connected apps.


Question 38

You have an Azure Active Directory (Azure AD) tenant named Adatum.com that includes the following users:

* User1, who is a member of a group named Group1.

* User2, who is a member of a group named Group2.

The following Windows 10 computers are joined to Adatum.com:

* Computer1, which is a member of a group named GroupA.

* Computer2, which is a member of a group named GroupA.

* Computer3, which is a member of a group named GroupB.

Enterprise State Roaming in Adatum.com is enabled for Group1 and GroupA only. Choose all that apply:


Explanation

Enterprise State Roaming (ESR) can be enabled only for users. If device accounts are in a group for which you enable ESR, device accounts are ignored.

If User1 modifies the desktop background on Computer1, User1 will have the modified background when he is signed in to Computer2. ESR is enabled for Group1, which User1 is a member of. Desktop background is one of the settings that is roamed by ESR. Because ESR is enabled for User1, the modified desktop background will be visible on all Windows 10 computers on which User1 signs in. That means that the modified desktop will also be used when User1 signs in to Computer3.

If User2 modifies the desktop background on Computer1, User2 will not have the modified background when he is signed in to Computer2. ESR is not enabled for User2 (or for Group2, which User2 is a member of). This means that if User2 performs customization at one computer, those customizations will not roam and will not be used when User2 signs in to a different computer.


Question 39

You plan to enable Azure Active Directory (AD) Identity Protection for your company. The configuration must include the following:

* A role that allows full access to Identity Protection but without resetting passwords for users

* A policy that will analyze user sign-in and learn typical user behavior

Which role and policy will meet these requirements? Choose all that apply:


Explanation

You should recommend the Security administrator role. This role provides full access to Identity Protection but cannot reset user passwords.

You should not recommend the Global administrator role. This role has full access to Identity Protection but can reset user passwords.

You should not recommend the Security reader role. This role has read-only access to Identity Protection and cannot configure policies or reset passwords.

You should recommend a user risk policy. With this type of policy, Azure AD analyzes each user's sign-in so it can detect suspicious actions (risk events) related to the sign-in. After a particular learning period, the system can learn typical user behavior.

You should not recommend an MFA registration policy. This type of policy provides a second layer of security to user sign-ins and transactions, but it does not analyze user sign-ins and learn typical user behavior.

You should not recommend a sign-in policy. This type of policy is used to define a response for a specific sign-in risk level. It does not analyze user sign-in or learn typical user behavior.


Question 40

Your company has a hybrid solution that uses an on-premises Active Directory (AD) infrastructure and Azure AD. You want to enable password writeback so that whenever users change their passwords in Azure, the change is reflected on-premises.

You need to perform the required tasks to support password writeback.

Which tasks do you need to perform? For each of the following tasks, select Yes if the task should be performed. Choose all that apply:


Explanation

You should assign the Azure AD Premium 1 license to your AD tenant. This is the minimum license required to install Azure AD Connect. Azure AD Connect allows you to synchronize password hashes from a domain controller to Azure AD.

You should install Azure AD Connect on an on-premises server. This tool allows you to synchronize password hashes from a domain controller to Azure AD. You must install this tool to enable password writeback.

You should not deploy Azure AD Passthrough Authentication. This allows users to sign in to Azure AD with the same password as they use with an on-premises directory. This is not required to enable password writeback.


Question 41

You plan to use Azure Active Directory (AD) Connect as a solution that spans from your on-premises directory to cloud servers.

The on-premises Active Directory contains approximately 200,000 objects. The solution must meet the following requirements:

* Use Azure Multi-Factor Authentication (MFA)

* Ensure that no password hashes are stored in the cloud

* Support smartcard authentication

You need to choose the installation type, version, and hybrid identity option. Choose all that apply:


Explanation

You should not use password hash synchronization from on-premises to Azure AD for single sign-on. This would be appropriate for Office 365 hybrid scenarios. You also should not recommend pass-through authentication. Although it ensures that no passwords will be stored in the cloud, it does not support smartcard authentication. You should, instead, use federation from on-premises to Azure AD for single sign-on because it allows cloud multi-factor authentication, ensures that no password hashes are stored in the cloud, and supports smartcard authentication.

You should choose the custom installation type because you need to enable cloud multi-factor authentication solutions and you have more than 100,000 objects in the on-premises AD. In-place upgrade performs the upgrade from DirSync or Azure AD Sync. Express installation should be used only when you have less than 100,000 objects in the on-premises AD. You also must have an enterprise administrator account that you can use for the installation.

You should install the full version of SQL Server for the Azure AD Connect database because you have more than 100,000 objects in the on-premises AD. For a smaller number of objects, you can use the default database installation, which is LocalDb. You cannot install SQL Server Express for the Azure AD Connect database because you have more than 100,000 objects in the on-premises AD. The SQL Server Express version has a data size limitation and can use only 1 GB RAM.


Question 42

Your company plans to use a custom image based on an existing Azure Windows virtual machine (VM) to provision new VMs in multiple regions.

You need to prepare the VM so it can be used to create a custom image.

Which three commands should you run first in sequence?

Answers



A B C D

Explanation

You need to start by running the following commands in order:

1. Sysprep

2. Stop-AzVm

3. Set-AzVm

A custom image is similar to an Azure marketplace image. The primary difference is that you create the image yourself from an existing VM. The result is a reusable image that can be used to create as many VMs as you want.

You start by running the Sysprep command to remove personal information and generalize the image. You then use the Stop-AzVm cmdlet to deallocate the VM. Finally, you need to identify the VM as generalized to Azure using the Set-AzVm command.

Once you have prepared the image, you run Get-AzVM to retrieve the image and load it into a variable, New-AzImageConfig to create the image configuration by specifying the image location, and finally New-AzImage to create the image, specifying the image name and location.

At this point, you can use the New-AzVm cmdlet to create new VMs from the image.


Question 43

A company is using a template to provision a new virtual machine (VM) in the RG03 resource group using PowerShell.

You need to ensure the following:

* The new VM is deployed.

* Resources already in the resource group are not affected.

How should you complete the PowerShell script? Select correct placeholder values.

    PLACEHOLDER 1 -Mode PLACEHOLDER 2 `
        -Name NewVMDeployment -ResourceGroupName RG03 `
        -TemplateFile c:\MyTemplates\newvm.json

Answers



A B C D E

Explanation

You should complete the PowerShell script as follows:

    New-AzResourceGroupDeployment -Mode Incremental `
        -Name NewVMDeployment -ResourceGroupName RG03 `
        -TemplateFile c:\MyTemplates\newvm.json

The New-AzResourceGroupDeployment cmdlet is used to add a deployment to an existing resource group. You need to specify the incremental mode to add the new VM without changing the existing resources. You can use incremental mode to apply changes to existing resources, but you need to include all of that resource's parameters in the template.

You should not run the New-AzResourceGroup cmdlet. This is used to create a new resource group, not deploy resources to an existing group.

You should not run the Set-AzResourceGroup cmdlet. The cmdlet lets you modify resource group properties by adding, changing, or deleting Azure tags applied to the resource group. It does not let you manage resources in the resource group.

You should not choose the Complete mode. This would cause any resources not included in the template to be deleted.


Question 44

Your company is researching ways to improve data security for Windows and Linux Infrastructure-as-a-Service (IaaS) virtual machines (VMs). You need to determine if Azure Disk Encryption (ADE) can meet the company's requirements. Choose all that apply:

Answers



A B C

Explanation

ADE is not supported for Basic tier VMs. It is supported for Standard and Premium tier VMs. ADE supports Windows Server 2008 and later and a subset of Azure Linux images. Custom Linux images are not supported.

You must encrypt the boot volume before you can encrypt any data volumes on a Windows VM. ADE does not let you encrypt a data volume unless you first encrypt the OS volume. This is different for Linux VMs, which let you encrypt data without first encrypting the OS volume.

You cannot use an on-premises key management service to safeguard encryption keys. You are required to use Azure Key Management service. Azure Key Management service is a prerequisite for implementing ADE.


Question 45

Your company is deploying new virtual machines (VMs) and associated resources using Azure Resource Manager templates. The company wants to use PowerShell cmdlets to provision the resources from a template deployed to your local computer.

You need to complete the PowerShell script to accomplish this.

How should you complete the PowerShell script? Select correct placeholder values.

    PLACEHOLDER 1 PLACEHOLDER 2 RG02 -Location "North Central US"

    PLACEHOLDER 3 PLACEHOLDER 4 RG02 `
        -TemplateFile c:\MyTemplates\newazure.json

Answers



A B C D E F G H

Explanation

You should complete the PowerShell script as follows:

    New-AzResourceGroup -Name RG02 -Location "North Central US"

    New-AzResourceGroupDeployment -ResourceGroupName RG02 `
        -TemplateFile c:\MyTemplates\newazure.json

You need to first create the resource group and then deploy the resources from the template to the resource group.

You should use the New-AzResourceGroup cmdlet to create the resource group. You should use the -Name parameter to specify the resource group name and -Location to specify the regional location. The cmdlet does not support the -ResourceGroupName parameter.

After you create the resource group, you should use the New-AzResourceGroupDeployment cmdlet to deploy the resources. The -ResourceGroupName parameter is used to identify the resource group, and the -TemplateFile parameter is used to locate the template file to use. The -Name and -Location parameters are not supported by the cmdlet.


Question 46

You have two storage account keys: key1 and key2. Your apps and services use key1, and you maintain key2 as a backup key.

You are concerned that both keys may have been compromised. You want to use the Azure portal to regenerate them without interrupting access to the storage account.

Which four actions should you perform in sequence?

Answers



A B C D

Explanation

You need to perform the following steps in order:

1. Regenerate key2 using the Azure portal.

2. Update connection strings in all relevant apps and services to use key2.

3. Verify that all apps and services are running correctly using the new key.

4. Regenerate key1 using the Azure portal.

You first regenerate key2 because the apps and services are currently using key1 to gain access to stored data, and you do not want to interrupt their access. Next, you change the storage key to key2 in those apps and services and then verify that they can gain access to storage. This is important because the apps and services will not be able to use the previous primary key after it is regenerated.

Finally, you regenerate key1.
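The same rotation order scripted with the Az PowerShell module rather than the portal, as an added example that is not part of the original explanation. The resource group and account names are supplied by the caller, and `$UpdateConsumers` and `$VerifyConsumers` are hypothetical callbacks standing in for however your apps receive and confirm the new connection string.

```powershell
#Requires -Modules Az.Accounts, Az.Storage
# Added example. Assumes an authenticated session (Connect-AzAccount) and
# rights to regenerate keys on the storage account.

function Invoke-StorageKeyRotation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AccountName,
        # Hypothetical: pushes the new connection string to every app and service.
        [Parameter(Mandatory)] [scriptblock] $UpdateConsumers,
        # Hypothetical: returns $true only when those apps work with the new key.
        [Parameter(Mandatory)] [scriptblock] $VerifyConsumers
    )

    # Step 1: regenerate key2. Clients are still on key1, so nothing breaks.
    New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName `
        -Name $AccountName -KeyName key2 | Out-Null

    $key2 = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName `
                 -Name $AccountName |
             Where-Object KeyName -eq 'key2').Value

    # Step 2: move every consumer to key2.
    $conn = "DefaultEndpointsProtocol=https;AccountName=$AccountName;" +
            "AccountKey=$key2;EndpointSuffix=core.windows.net"
    & $UpdateConsumers $conn

    # Step 3a: confirm the new key authenticates against the account.
    $ctx = New-AzStorageContext -ConnectionString $conn
    try {
        Get-AzStorageContainer -Context $ctx -MaxCount 1 -ErrorAction Stop | Out-Null
    }
    catch {
        throw "key2 did not authenticate; key1 left untouched. $($_.Exception.Message)"
    }

    # Step 3b: confirm the apps themselves are healthy on key2.
    if (-not (& $VerifyConsumers)) {
        throw 'Consumers are not healthy on key2; key1 left untouched.'
    }

    # Step 4: only now invalidate the key that may have been compromised.
    New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName `
        -Name $AccountName -KeyName key1 | Out-Null
}
```

Until step 4 completes, the old key1 value still grants access, so the verification in step 3 should not be left open longer than it needs to be.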


Question 47

You need to give a user temporary read and write permissions to a blob by using an ad hoc shared access signature (SAS).

Which six actions should you perform in sequence?

Answers



A B C D

Explanation

You need to perform the following steps in order:

1. Open Azure Storage Explorer.

2. Connect to your Azure Storage account.

3. Create a blob container.

4. Upload the blob to the blob container.

5. Get an SAS for the blob and specify start/expiry time and permissions.

6. Use HTTPS to distribute the URL to the user.

You use Azure Storage Explorer to manage your storage account as well as upload and download blobs, files, and other resources. After you open Azure Storage Explorer, you connect to your storage account. Next, you create a blob container for the blob you will grant access to, and then you upload the blob. Blobs are always uploaded into a container so they can be more easily organized.

You generate an SAS for the blob simply by right-clicking, selecting Get Shared Access Signature, and then specifying start/expiry time and permissions. Finally, you use HTTPS to distribute the SAS to the user. Using HTTP can leave your resources vulnerable to attack.

You should not create a resource group. This is a necessary step when creating VMs in Azure, but it is not part of the procedure to create an SAS by using Azure Storage Explorer.

You should not create a stored access policy for the container. In this scenario, you are creating an ad hoc SAS, and the start time, expiry time, and permissions are specified in the SAS URI. With a stored access policy, the start time, expiry time, and permissions are defined in the policy. An SAS associated with the policy inherits those constraints.
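An equivalent of step 5 in PowerShell, followed by a check you can run on any SAS URI before step 6. This is an added example, not part of the original explanation; the resource group, account, container and blob names are placeholders, and `Test-AdHocSasUri` is a helper written for this example.

```powershell
#Requires -Modules Az.Accounts, Az.Storage
# Added example. Assumes an authenticated session (Connect-AzAccount).

function Test-AdHocSasUri {
    # Returns a list of problems; an empty list means the URI passed every check.
    param(
        [Parameter(Mandatory)] [string]   $Uri,
        [string]   $AllowedPermissions = 'rw',
        [timespan] $MaxLifetime = [timespan]::FromHours(24)
    )
    $problems = @()
    $parsed = [uri]$Uri

    # Split the query string into name/value pairs without extra assemblies.
    $q = @{}
    foreach ($pair in $parsed.Query.TrimStart('?') -split '&') {
        $name, $value = $pair -split '=', 2
        if ($null -eq $value) { $value = '' }
        $q[$name] = [uri]::UnescapeDataString($value)
    }

    if ($parsed.Scheme -ne 'https') { $problems += 'URI scheme is not https' }
    if ($q['spr'] -ne 'https')      { $problems += 'token does not restrict the protocol to https (spr)' }
    if ($q.ContainsKey('si'))       { $problems += 'token references a stored access policy (si), so it is not ad hoc' }

    foreach ($p in ([string]$q['sp']).ToCharArray()) {
        if ($AllowedPermissions.IndexOf($p) -lt 0) { $problems += "unexpected permission '$p' in sp" }
    }

    if (-not $q['se']) {
        $problems += 'no expiry time (se)'
    }
    else {
        $expiry = [datetimeoffset]::Parse($q['se'], [cultureinfo]::InvariantCulture)
        if ($expiry - [datetimeoffset]::UtcNow -gt $MaxLifetime) {
            $problems += "expiry is more than $MaxLifetime from now"
        }
    }
    return ,$problems
}

# Placeholder names; replace with your own.
$account = Get-AzStorageAccount -ResourceGroupName 'rg-example' -Name 'stexample001'

$start  = (Get-Date).ToUniversalTime().AddMinutes(-5)   # allow for clock skew
$expiry = $start.AddHours(8)

# Ad hoc SAS: start, expiry and permissions live in the URI itself (no -Policy).
$sasUri = New-AzStorageBlobSASToken -Context $account.Context `
    -Container 'shared' -Blob 'report.docx' `
    -Permission rw `
    -StartTime $start -ExpiryTime $expiry `
    -Protocol HttpsOnly `
    -FullUri

$issues = Test-AdHocSasUri -Uri $sasUri
if ($issues.Count -gt 0) { throw "Do not distribute this SAS: $($issues -join '; ')" }
$sasUri
```

With `-Protocol HttpsOnly` the token itself carries the HTTPS restriction, so it does not depend on the recipient remembering to use an https URL.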


Question 48

You have three application virtual machines (VMs) hosted in one region in Azure. You plan to prepare a strategy that will create backups for all data from the VMs. The backup will occur every day at 1 A.M. on each VM. You must ensure that the data is protected upon configuring the solution. In addition, the solution must minimize administrative effort.

Which three actions should you perform in sequence?

Answers



A B C D

Explanation

You need to perform the following steps in order:

1. Create a Recovery Services vault.

2. Define a backup policy to protect the VMs.

3. Perform the initial backup.

You first create a Recovery Services vault to contain the backup data and the backup policy. You then define the backup policy, which defines when and how often recovery points are taken, to protect the VMs.

You should not define a separate backup policy for each VM. To minimize administrative effort, you should create only one policy to apply to all VMs. You then perform an initial backup. This is a disaster recovery best practice to trigger the first backup so that your data is protected.

Unless you plan to perform backups manually, you should not create a storage account for files. Recovery Services manages the files internally.


Question 49

You plan to migrate a virtual machine (VM) running Windows Server 2012 from Amazon Web Services (AWS) to Azure.

You decide to perform the migration by using Azure Site Recovery (ASR).

You need to prepare the migration.

Which three steps should you perform first? Each correct answer presents part of the solution.

Answers



A B C D E

Explanation

You should create an Azure storage account. Images of replicated machines are held in Azure Storage. Azure VMs are created from storage when you failover from on-premises to Azure.

You should prepare a vault to store all recovery points in Azure Recovery Services. This allows you to configure recovery points to meet the recovery time objective (RTO).

You should set up an Azure network. When Azure VMs are created after the migration (failover), they are joined to this Azure network.

You should not set the recovery point to last processed during preparation steps. The recovery point configuration is done during testing of the failover. The last-processed option means that the VM fails over to the latest recovery point that was processed by Site Recovery.

You should not turn on replication during the preparation steps. This can be done after the configuration is prepared and sources and targets are configured.


Question 50

Your office has an on-premises Hyper-V host computer. It contains a virtual machine (VM) named VM1 that is used as a file server.

You need to replicate VM1 to Azure.

What should you do?

Answers



A B C D

Explanation

You should install the Site Recovery Provider on the Hyper-V host computer. Site Recovery Provider is used by Azure Site Recovery. You must install Site Recovery Provider on the Hyper-V host on which the VM is running to be able to replicate VM1 to Azure (actual configuration of the replication is performed in the Azure portal).

You should not install the Recovery Services agent on the Hyper-V host computer. Recovery Services agent is used by Azure Backup to back up files and folders to Azure. You cannot use it to replicate VMs to Azure.

You should not install the Recovery Services agent on VM1. Recovery Services agent is used for backing up files and folders to Azure. You cannot use it to replicate a VM to Azure.

You should not install the Site Recovery Provider on VM1. Site Recovery Provider is used for replicating VMs to Azure, but you must install it on the Hyper-V host computer, not the VM.


Question 51

You are the cloud administrator for an Azure subscription. Your on-premises network includes a Hyper-V virtual machine (VM) that hosts a SQL Server.

You need to configure Azure Site Recovery to migrate the VM to Azure.

Which five actions should you perform in sequence?

Answers



A B C D

Explanation

You should perform the following actions in order:

1. Create a Recovery Services vault.

2. Set the Protection goal to migrate from on-premises to Azure.

3. Create a Hyper-V site.

4. Install the Site Recovery Provider on the Hyper-V host.

5. Register the Hyper-V host in the vault.

You should first create a Recovery Services vault. This is simply a storage instance that stores backups and VMs that are replicated to Azure by using Azure Site Recovery. You should next set the Protection goal to migrate from on-premises to Azure. You should then create a Hyper-V site, install the Site Recovery Provider on the Hyper-V host, and finally register the Hyper-V host in the vault.

You should not create an Azure VM. When you set up Azure Site Recovery, VMs that you replicate to Azure will be created automatically. You should not create them manually.

You should not install Site Recovery Provider on an Azure VM. This component should be installed on a Hyper-V host, from which VMs will be replicated to Azure.


Question 52

You plan to move an Azure virtual machine (VM) to another region by using Azure Site Recovery (ASR). You are not a subscription administrator.

You need permissions to do the following:

* Create a VM in an Azure resource group.

* Perform ASR operations.

Which roles provide the required permissions? Select two.

Answers



A B C D

Explanation

You should have the Virtual Machine Contributor role to create a VM in an Azure resource group. This role allows you to manage VMs. It does not allow access to the VM.

You should not use the Virtual Administrator Login role to create a VM in an Azure resource group. This role allows you to view virtual machines in the portal and log in as administrator.

You should not use the Virtual Machine User Login role to create a VM in an Azure resource group. This role allows you to view VMs in the portal and log in as a regular user.

You should have the Site Recovery Contributor role to perform ASR operations. This role has all permissions required to manage ASR operations in a Recovery Services vault. This role is intended for disaster recovery administrators who can enable and manage disaster recovery for applications or entire organizations.

You should not use the Site Recovery Operator role to perform ASR operations. This role has permissions to execute and manage Failover and Failback operations. This role is intended for disaster recovery operators who can failover VMs or applications when instructed by application owners and IT administrators.

You should not use the Site Recovery Reader role to perform ASR operations. This role has permissions to view all Site Recovery management operations. It is intended for IT monitoring executives who can monitor the current state of protection and raise support tickets if required.


Question 53

An Azure Logic app accesses data from an on-premises SQL Server database. The database administrator recently changed the password that is used to connect to the database.

You need to update your Logic app so that it can connect to the database with the new password.

Which Azure option should you modify?

Answers



A B C D

Explanation

You should modify API connections. This option allows you to update the connection to an on-premises data gateway, which is a component that allows you to connect an Azure Logic app to an on-premises database.

You should not modify Workflow settings. This option allows you to configure access control to the Logic app, such as which IP addresses are allowed to access the app. It does not allow you to change connections to on-premises databases.

You should not modify the Properties setting. This option specifies the endpoint information that you can use to manage the Logic app from PowerShell or Azure CLI. It does not allow you to change connections to on-premises databases.

You should not modify the Access keys setting. This option allows you to generate access keys that you can use to access Logic apps from code. It does not allow you to change connections to on-premises databases.


Question 54

An Azure function responds to GET requests at the URL http://shipping.azurewebsites.net/api/HttpTriggerJS1.

You need to modify the setting so that the function responds to requests at http://shipping.azurewebsites.net/Rate.

Choose all that apply:

Answers



A B C

Explanation

You should change the routePrefix value to a slash (/) in the host.json file. By default, this value is /api. This means that all functions in this function app have a URL that begins with http://shipping.azurewebsites.net/api. By changing the routePrefix value to /, you allow all functions to have a URL that begins with http://shipping.azurewebsites.net.

You should change the route template to /Rate. This is the path for the actual function. This means that the function in this scenario will be reachable at http://shipping.azurewebsites.net/Rate.

You should not change the Request parameter name to Rate. This Request parameter name represents the parameter to the method that represents the function. By default, this parameter is named req.


Question 55

You are the cloud administrator for your organization. The development department wants to use Azure Service Bus to send messages whenever an order is placed. Two client applications are responsible for receiving those messages after they are sent.

You need to create the minimum number of Azure resources required to meet the development department's needs.

How should you allocate resources? Choose three:

Answers



A B C D E F G H I

Explanation

You should create one namespace. A Service Bus namespace serves as the container for queues and topics. At least one namespace is required to use Service Bus messaging.

You should create one topic. A Service Bus topic allows multiple subscribers to receive messages that are sent to it. In this scenario, the two client applications act as subscribers to the same topic.

You should not create any queues. Messages in a Service Bus queue can be accessed with only one application. Once the message is retrieved, it disappears.


Question 56

You plan to deploy an application that will be analyzing financial transactions.

You need to recommend a messaging service that will allow you to find duplicate transactions while processing the data.

Which messaging service should you create?

Answers



A B C D

Explanation

You should use Service Bus to find duplicate transactions in the incoming data. Service Bus is a brokered messaging system. It stores data in a queue until the subscriber is ready to receive the message.

You should not use Event Hub to find duplicate transactions in the incoming data. Azure Event Hub is a big data streaming platform that enables capturing, retaining, and replaying telemetry and event stream data. The data may come from a variety of sources.

You should not use Event Grid to find duplicate transactions in the incoming data. Event Grid is a fully managed event service that enables event-driven, reactive programming following a publish-subscribe model. Publishers post events without expectations about which events are being handled. Subscribers can choose which events they want to handle.

You should not use Azure Queue to find duplicate transactions in the incoming data. Azure Queue storage is a service for storing large numbers of messages that can be accessed from anywhere in the world via authenticated calls using HTTP or HTTPS.


Question 57

You have an Azure service bus named ServiceBus1 in a resource group named RG1.

You create a queue named queue1 in ServiceBus1.

You find that a client application is reading and removing messages from queue1, but is failing to process them.

You need to prevent messages from being removed from queue1. Queue1 should still be able to receive messages.

What should you do? Select correct placeholder values.

    $q = Get-AzureRmServiceBusQueue -ResourceGroup RG1 `
        -NamespaceName ServiceBus1 -QueueName queue1

    $q.Status = PLACEHOLDER 1

    PLACEHOLDER 2 -ResourceGroup RG1 `
        -NamespaceName ServiceBus1 -QueueName queue1 -QueueObj $q

Answers



A B C D E F G H

Explanation

You should use the following code:

    $q = Get-AzureRmServiceBusQueue -ResourceGroup RG1 `
        -NamespaceName ServiceBus1 -QueueName queue1

    $q.Status = "SendDisabled"

    Set-AzureRmServiceBusQueue -ResourceGroup RG1 `
        -NamespaceName ServiceBus1 -QueueName queue1 -QueueObj $q

You should set the state of the queue to SendDisabled. The SendDisabled state means that the messages cannot be removed from the queue, while it can still receive the messages.

You should not set the state of the queue to Active. This means that the queue is active and all operations, including adding and removing messages, are permitted.

You should not set the state of the queue to Disabled. This means that the queue is suspended and none of the operations on the queue are permitted.

You should not set the state of the queue to ReceiveDisabled. This means that the queue is partially suspended. You can still remove the messages from the queue, but the queue is not allowed to receive new messages.

You should use the Set-AzureRmServiceBusQueue cmdlet to set a new status for the existing queue. First, you must set the status to the proper value and then you can modify the queue.

You should not use the Set-AzureRmServiceBusSubscription cmdlet to set a new status for the existing queue. This cmdlet is used to update the description of a Service Bus subscription in the specified namespace.

You should not use the Set-AzureRmServiceBusTopic cmdlet to set a new status for the existing queue. This cmdlet is used to update the description of a Service Bus topic in the specified namespace.

You should not use the Stop-AzureRmServiceBusMigration cmdlet to set a new status for the existing queue. This cmdlet is used to terminate the migration from a standard to a premium namespace.


Question 58

You are running SQL Server on a virtual machine (VM) in Azure.

You need to create an outbound load balancing rule.

Which command should you use?

Answers



A B C D

Explanation

You should use the az network lb command to create an outbound rule. You can specify various parameters, such as protocol, ports, or a list of frontend IP configuration names.

You should not use the az network nic command to create an outbound rule. This command is used to create, update, or delete a network interface. A network interface allows an Azure VM to communicate with the Internet, Azure, and on-premises resources.

You should not use the az network local-gateway command to create an outbound rule. This command is used to create, update, or delete a local VPN gateway. The local network gateway typically refers to your on-premises location.

You should not use the az network private-endpoint command to create an outbound rule. This command is used to manage interface endpoints.


Question 59

The DevOps team deploys five virtual machines (VMs) to Azure that host a web application in Internet Information Services (IIS). The team wants you to create a load balancer that routes traffic to the VMs that are available.

The development team creates a web page named HealthCheck.aspx that, when it responds with an HTTP 200 status, indicates that the VM is available for servicing web requests. If a VM fails to respond after four consecutive checks, the VM should be considered unavailable.

You need to use PowerShell to create a Load Balancer configuration that checks the health of the VMs.

How should you complete the cmdlet?

    PLACEHOLDER 1 `
        -Name "checkVmHealth" `
        -PLACEHOLDER 2 healthcheck.aspx `
        -Protocol http `
        -Port 80 `
        -IntervalInSeconds 15 `
        -PLACEHOLDER 3 4

Answers



A B C D E F

Explanation

You should use the following PowerShell cmdlet:

    New-AzureRmLoadBalancerProbeConfig `
        -Name "checkVmHealth" `
        -RequestPath healthcheck.aspx `
        -Protocol http `
        -Port 80 `
        -IntervalInSeconds 15 `
        -ProbeCount 4

The New-AzureRmLoadBalancerProbeConfig cmdlet creates a health probe. A health probe is a configuration that specifies how Azure Load Balancer determines whether or not a VM is available. The -RequestPath parameter specifies the path to an HTTP resource that determines availability, which is HealthCheck.aspx in this scenario. The -ProbeCount parameter specifies the number of consecutive failures that must occur before the VM is considered unavailable, which is four in this scenario.

You should not use the New-AzureRmLoadBalancerFrontendIpConfig cmdlet. This cmdlet creates a front-end IP configuration, which simply specifies the public IP address of the Load Balancer. It does not perform a health check.

You should not specify the WhatIf parameter. This parameter is part of the New-AzureRmLoadBalancer cmdlet. It simply displays what would happen if the cmdlet is run successfully.

You should not specify the Confirm parameter. This parameter is part of the New-AzureRmLoadBalancer cmdlet. It simply prompts for confirmation before creating a Load Balancer.


Question 60

You are starting a new job as an Azure cloud administrator. The previous administrator leaves you a note with the following PowerShell cmdlets:

    $publicIP = New-AzureRmPublicIpAddress `
        -ResourceGroupName "resourceGroup11" `
        -Location "EastUS" `
        -AllocationMethod "Static" `
        -Name "myPublicIP"

    New-AzureRmLoadBalancerFrontendIpConfig `
        -Name "nat" `
        -PublicIpAddress $publicIP

You need to determine what these cmdlets do.

What should you conclude?

Answers



A B C D

Explanation

The cmdlets create a load balancer configuration that uses NAT to send inbound traffic to a set of virtual machines (VMs). The New-AzureRmPublicIpAddress cmdlet creates a public IP address. The New-AzureRmLoadBalancerFrontendIpConfig cmdlet creates a Load Balancer configuration that specifies the front-end public IP address.

You should not conclude that the cmdlets create an outbound traffic configuration. New-AzureRmLoadBalancerFrontendIpConfig creates an inbound configuration.

You should not conclude that the cmdlets send inbound traffic to a Load Balancer. New-AzureRmLoadBalancerFrontendIpConfig creates an inbound configuration from a Load Balancer to a backend pool.


Question 61

You create an Azure Application Gateway that represents the front-end for a pool of two Azure backend virtual machines (VMs). One VM hosts images for a web application, while the other VM hosts videos. You create a path map and a backend listener.

You need to associate the path map with the backend listener.

How should you create the PowerShell cmdlet? Select correct placeholder values.

    $gateway = Get-AzureRmApplicationGateway `
        -ResourceGroupName myResourceGroupAG `
        -Name myAppGateway

    $backendlistener = Get-AzureRmApplicationGatewayHttpListener `
        -ApplicationGateway $gateway `
        -Name backendlistener

    $config = Get-AzureRmApplicationGatewayUrlPathMapConfig `
        -PLACEHOLDER 1 `
        -Name urlpathmap

    PLACEHOLDER 2 `
        -ApplicationGateway $gateway `
        -Name rule2 `
        -RuleType PathBasedRouting `
        PLACEHOLDER 3 `
        -UrlPathMap $config

Answers



A B C D E F

Explanation

You should use the following cmdlet to get a reference to the path map:

    $config = Get-AzureRmApplicationGatewayUrlPathMapConfig `
        -ApplicationGateway $gateway `
        -Name urlpathmap

This cmdlet stores the path map into a variable named $config.

You should use the following cmdlet to associate the path map with the backend listener of the application gateway:

    Add-AzureRmApplicationGatewayRequestRoutingRule `
        -ApplicationGateway $gateway `
        -Name rule2 `
        -RuleType PathBasedRouting `
        -HttpListener $backendlistener `
        -UrlPathMap $config

The RuleType parameter specifies that the rule should use path-based routing. The HttpListener parameter specifies a reference to the backend HTTP listener. The UrlPathMap parameter specifies a reference to the path map that you stored in the $config variable.

You should use Set-AzureRmApplicationGateway to update the Application Gateway with the changes.

You should not use the following cmdlet to get a reference to the path map:

    $config = Get-AzureRmApplicationGatewayUrlPathMapConfig `
        -HttpListener $backendListener `
        -Name urlpathmap

You must specify a reference to the Application Gateway, not a reference to the backend listener.

You should not use New-AzureRmApplicationGateway. This cmdlet creates a new Application Gateway. In this scenario, the Application Gateway already exists.


Question 62

You need to configure an application gateway for your company websites.

Two web applications must be hosted on the same application gateway instance. Each website has the following requirements:

* Must be directed to its own backend pool.

* Must have its own domain.

* Must be hosted on its own virtual machine (VM).

Choose all that apply:

Answers



A B C

Explanation

You do not need to create a virtual network for each application. You should create only one virtual network for the applications. The virtual network acts as a container for all objects that you need to create.

You should create two request routing rules. Because each application has its own VM, traffic must be redirected to each of them.

You should include an HTTP listener for each web application that specifies a host name, protocol, frontend IP configuration, and frontend port. The HTTP listeners


Question 63

You are an Azure architect at an oil and gas company. The company's field engineers must often work at remote locations.

You must design a solution that allows the engineers to connect securely to a virtual network without using a VPN device.

Which type of connectivity should you recommend?

Answers



A B C D

Explanation

You should recommend Point-to-Site connectivity to ensure a secure connection from a client machine to a virtual network without using an external device.

You should not recommend VNet-to-VNet connectivity because a client would need a VPN device to connect to a virtual network.

You should not recommend a Site-to-Site connection. This type of connection requires a VPN device that is located onsite. The device must have a public IP address that does not use NAT.

You should not recommend a multisite connection. Multiple connections must use a route-based VPN.


Question 64

Your company has an Azure virtual network (VNet) and an on-premises network. Your Internet Service Provider offers Multiprotocol Label Switching (MPLS). You create an ExpressRoute circuit.

You need to determine the next step you should perform to connect the Azure VNet to your on-premises network.

What should you do next?

Answers



A B C D

Explanation

You should next create a VNet gateway. A VNet gateway allows you to send traffic between an Azure VNet and the on-premises VNet.

You should not create a link between the circuit and the VNet next. You must first create a VNet gateway. After the VNet gateway is created, you should create the link.

You should not create a peering. When you use an ISP that offers MPLS, the ISP configures peering for you.

You should not create a static public IP address in Azure. The purpose of ExpressRoute is to offer secure private networking. Therefore, a static public IP address is not required.


Question 65

Your company has an Azure virtual network (VNet) and an on-premises network. Your Internet Service Provider (ISP) only offers Layer 2 connectivity services.

You need to connect the Azure VNet to your on-premises network by using a private connection.

Which four actions should you perform in sequence?

Answers



A B C D

Explanation

You should perform the following actions in order:

1. Create an ExpressRoute circuit.

2. Create a peering.

3. Create an ExpressRoute VNet gateway.

4. Create a link between the circuit and the VNet.

You should first create an ExpressRoute circuit. This represents a connection between Azure and your ISP.

You should next create a peering. This is the required next step when your ISP only offers Layer 2 connectivity services. You should next create an ExpressRoute VNet gateway, and finally create a link between the circuit and the VNet.

You should not create a static public IP address in Azure. The purpose of ExpressRoute is to offer secure private networking. Therefore, a static public IP address is not required.

You should not create an Application Gateway. An Application Gateway allows you to create a firewall for a pool of backend servers.


Question 66

You are an Azure Solution Architect at a large energy company. You are configuring a point-to-site VPN.

You create an Azure VpnGw2 gateway and need to configure it to support specific cryptographic algorithms for a mixed environment consisting of Windows and Mac devices.

Choose all that apply:

Answers



A B C D E

Explanation

You can enable RADIUS or IKEv2 on already deployed gateways by using either PowerShell or the Azure portal. The gateway SKU VpnGw2 supports both RADIUS and IKEv2.

Your IPSec/IKE policy must specify all algorithms and parameters for both IKE (Main Mode) and IPSec (Quick Mode). Partial policy specifications are not supported.

You can define a custom policy to use a key strength other than that used in the default policy.

You cannot apply both a custom and a default policy to a connection. To use algorithms that are not included in the default policy, you must define and apply a custom policy that includes all IKE and IPSec algorithms in addition to specific algorithms to be added. When you apply a custom policy to a connection, it replaces the default policy.

When you configure both SSTP and IKEv2 in a mixed environment consisting of Windows and Mac devices, the Windows VPN attempts an IKEv2 tunnel first and falls back to SSTP if the IKEv2 connection is not successful. MacOSX connects only via IKEv2.

Only self-signed root certificates can be used. You can upload 20 root certificates for point-to-site connectivity.

You can use your enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, or OpenSSL to create certificates.


Question 67

Your company has only one location, but it will soon open a second facility.

You need to create a site-to-site VPN to establish a secure connection with the new facility.

Which five actions should you perform in sequence?

Answers



A B C D

Explanation

You should perform the following actions in order:

1. Create the virtual network.

2. Create the gateway subnet.

3. Create the virtual network gateway.

4. Configure the on-premises VPN device.

5. Connect the virtual network gateway and on-premises VPN device.

You should create a virtual network and make sure there is an IP address range specifically for this virtual network.

You should then create a gateway subnet, which is part of the IP address range to be used by your virtual network.

Next, you should create a virtual network gateway, which establishes a public IP address.

Next, you should configure a VPN device for your on-premises network.

Finally, you should create the connection between your virtual network gateway and your VPN device.

You should not generate certificates when creating a site-to-site VPN. This is necessary only when creating a point-to-site VPN connection.

You should not specify the tunnel type when creating a site-to-site VPN. This is necessary only when creating a point-to-site VPN connection. Site-to-site VPN connections use the IPsec and IKE protocols instead of SSTP and IKEv2.


Question 68

Your company has an Azure virtual network (VNet) and an on-premises network. You want to connect the Azure VNet to the on-premises network by using a private connection through your company's Internet Service Provider (ISP). All the servers and virtual machines (VMs) on both networks are used as application servers.

You need to create the most appropriate gateway in Azure.

Which type of gateway should you create?

Answers



A B C D

Explanation

You should create an ExpressRoute gateway. This allows you to create a private connection between Azure and your on-premises network through your ISP.

You should not use a route-based VPN gateway. This is a dynamic routing gateway that connects directly to your company over the public Internet.

You should not use a policy-based VPN gateway. This is a static routing gateway that connects directly to your company over the public Internet.

You should not create an Application gateway. This type of gateway allows you to create a firewall for a pool of backend servers.


Question 69

Your team is using role-based access control (RBAC) to manage access to Azure resources.

You need to programmatically retrieve the team's most recent 100 events.

Which cmdlet should you use?

Answers



A B C D

Explanation

You should use the Get-AzureRmLog cmdlet to retrieve the last 100 events. You should use the MaxRecord parameter with this command. You can also filter the events by start and end time and display detailed information.

You should not use the Get-AzureRmLogProfile cmdlet to retrieve the last 100 events. This cmdlet is used for retrieving information about the log profile.

You should not use the Get-AzureRmMetric cmdlet to retrieve the last 100 events. This cmdlet is used for retrieving information about all metrics values connected to a specified resource.

You should not use the Get-AzureRmDiagnosticSetting cmdlet to retrieve the last 100 events. This cmdlet gets the categories and time grains that are logged for a resource. (A time grain is the aggregation interval of a metric.)


Question 70

You must create a custom role that allows these operations:

* Read data from a blob but not write data to the blob

* Display a list of containers

To define the role, you must assign permissions to these operations.

What permissions should you use?

PLACEHOLDER 1: Read data from a blob

PLACEHOLDER 2: Exclude write data to a blob

PLACEHOLDER 3: Display a list of containers

Select correct placeholder values.

Answers



A B C D E F G H I J K L

Explanation

You should use the DataActions permission element to allow reading data from a blob because this is a data-related operation. The DataActions permission specifies the data operations that the role allows to be performed on the data within that object.

You should use the NotDataActions permission element to exclude writing data to the blob. The NotDataActions permission specifies the data operations that are excluded from the allowed DataActions. The access granted by the role is computed by subtracting the NotDataActions operations from the DataActions operations.

The NotActions permission element is used for management operations. The NotActions permission specifies the management operations that are excluded from the allowed Actions. You should use the NotActions permission if the set of operations that you want to allow is more easily defined by excluding restricted operations. The access granted by a role is computed by subtracting the NotActions operations from the Actions operations.

You should use the Actions permission element to allow displaying a list of containers because this operation is related to management instead of data. The Actions permission specifies the management operations that the role allows to be performed. It is a collection of operation strings that identify securable operations of Azure resource providers.


Question 71

A member of the development team needs to have the ability to create Azure resources. However, the developer should not be allowed to grant resource access to other users.

You need to assign the appropriate role to the developer.

Which role should you assign?

Answers



A B C D

Explanation

You should assign the Contributor role to the developer. This role allows the developer to create all types of Azure resources, without the ability to grant resource access to other users.

You should not assign the Owner role to the developer. This role allows the developer to have full access to Azure, including granting resource access to other users.

You should not assign the Reader role to the developer. This role only allows the developer to view resources, not create them.

You should not assign the User Access Administrator role to the developer. This role allows the developer to grant resource access to other users.


Question 72

You have a custom role in a file named CustomRole.json.

You need to add this role to Azure by using Azure CLI.

Which command should you use?

Answers



A B C D

Explanation

You should use the following command:

az role definition create --role-definition CustomRole.json

The az role definition create command creates the role. The --role-definition parameter specifies the name of the role definition JSON file.

You should not use the following command:

az role create --role-definition CustomRole.json

This command is missing the definition token.

You should not use the following command:

az role definition create CustomRole.json

This command is missing the --role-definition parameter.

You should not use the following command:

az role create CustomRole.json

This command is missing the definition token and --role-definition parameter.


Question 73

You want to add a security group named Development to the Website Contributor built-in role.

You need to use Azure CLI.

Which command should you use?

Answers



A B C D

Explanation

You should use the following command:

az role assignment create --assignee "Development" --role "Website Contributor"

This command adds the Development group to the Website Contributor role. The --assignee parameter specifies the user name or group. The --role parameter specifies the role.

You should not use the following command:

az role definition create --resource-group "Development" --role "Website Contributor"

This command creates a role, not a role assignment.

You should not use the following command:

az role definition create --assignee "Development" --role "Website Contributor"

This command creates a role, not a role assignment.

You should not use the following command:

az role assignment create --resource-group "Development" --role "Website Contributor"

The --resource-group parameter specifies the name of a resource group, not a security group.


Question 74

Your company requires only single sign-on when employees access resources from the corporate network. Approximately 12 third-party contractors work remotely in various groups throughout the company and access the corporate network by using a virtual private network (VPN).

You want to require multi-factor authentication (MFA) policies for those users by defining a conditional access policy.

What three actions should you perform? Each correct answer presents part of the solution.

Answers



A B C D E

Explanation

For Users and Groups, you should include each individual user. Because this policy applies to only a limited number of users and because they work in different groups throughout the company, it is practical to designate individual users.

For Access Controls, you should click Grant and select Require multi-factor authentication. This allows access to users who successfully authenticate by using multi-factor authentication.

For Cloud Apps, you should include All Cloud Apps. Even though the policy does not designate specific apps, the cloud apps condition is required in conditional access policies.

For Access Controls, you should not click Block and select Require multi-factor authentication. The purpose of the policy is to grant access to users who successfully authenticate.

For Locations, you should not include All trusted locations. The conditional access policy applies to individual users and is not based on location.


Question 75

Your company uses Azure Multi-Factor Authentication (MFA) in the cloud to safeguard its assets.

A member of your development team at a remote location normally uses her cell phone to authenticate. She calls you from her land line to inform you that her mobile phone has been lost or stolen, and she cannot log in to her corporate account. She does not have an alternate verification method set up for her account.

Because the developer is working on a critical assignment, you must enable her to gain access to corporate resources as soon as possible.

Choose all that apply:

Answers



A B C

Explanation

You cannot create a one-time bypass that temporarily grants a user access without two-step authentication. This feature is available only with MFA Server, not MFA in the cloud.

You can clear the user's MFA settings and have her specify her land line as a new contact method. Both mobile and non-mobile phones can be used for MFA authentication. When authenticating via land line, the user completes sign-in by answering the call and pressing the pound key (#) on the phone keypad.

You cannot tell the user to click Use a different verification option and use that method. This option is available only if the user has previously set up an alternate verification method for her account.


Question 76

Your company has an Azure Active Directory (AD) tenant.

You need to ensure that users receive a verification text message on their phones before they can log in to Azure.

What should you do?

Answers



A B C D

Explanation

You should enable MFA. This allows you to configure settings so that users receive text messages, phone calls, or app notifications for verification during sign-in attempts.

You should not install AD FS. AD FS is a single sign-on solution. It does not ensure that users receive text messages before logging on to Azure AD.

You should not enable SSPR. SSPR allows users to reset their passwords without IT involvement.

You should not install Microsoft Authenticator on an Azure VM. Microsoft Authenticator is an app that runs on mobile devices to provide MFA.


Question 77

You are configuring Multi-Factor Authentication (MFA) for your company's Azure Active Directory (AD) tenant.

You need to allow users to receive a verification notification on their phones when they attempt to log in to Azure.

What should you do?

Answers



A B C D

Explanation

You should have the users download Microsoft Authenticator. This app allows users to receive notifications on their phones when they log in to Azure.

You should not have the users download Azure. This app allows IT administrators to manage resources from their mobile devices.

You should not create a Notification Hub. This resource allows you to send custom notifications from applications to mobile devices. Azure allows you to send login notifications by using MFA and Microsoft Authenticator.

You should not create a Service Bus Relay. This resource allows you to send messages from Azure to on-premises web services.


Question 78

You are configuring Multi-Factor Authentication (MFA) for your company's Azure Active Directory (AD) tenant.

You need to restrict the devices from which users can log in to Azure.

What should you do?

Answers



A B C D

Explanation

You should configure Trusted IP settings. This feature allows you to control the IP addresses from which users can log in to Azure.

You should not install the Microsoft Authenticator app on each user's device. This allows users to receive notification of login attempts, but it does not control which devices are allowed to authenticate.

You should not create a VNet with all private IP addresses. Private addresses are used to communicate within the network, not over the Internet. This option is not relevant to restricting devices from Azure.

You should not create a VNet with all public IP addresses. Public addresses are used to communicate over the Internet. This option is not relevant to restricting devices from Azure.


Question 79

You create a custom role named App Service Contributor in your Azure subscription.

All company developers are members of the Developers Azure Active Directory (AD) group, which is shown in the answer area.

You need to use Azure CLI to assign the App Service Contributor role to the developers.

Which command should you run?

az PLACEHOLDER 1 assignment create \
--role "App Service Contributor" \
--PLACEHOLDER 2 "5da75e7e-8d19-4f68-8ff1-c9f14298cb5d"

Select correct placeholder values.

Answers



A B C D E F G H

Explanation

You should use the following command:

az role assignment create \
--role "App Service Contributor" \
--assignee-object-id "5da75e7e-8d19-4f68-8ff1-c9f14298cb5d"

The az role assignment create command assigns a role to a user, service principal, or group. The --role parameter specifies the name of the role. The --assignee-object-id parameter specifies the object ID associated with a security group.

You should not use the --assignee parameter. You should use this parameter when you specify the email alias for a user.

You should not specify Developers as the value of the --assignee-object-id parameter. You must specify the object ID associated with the Developers security group.


Question 80

You are developing a web application that will serve as a search engine for the science department at your school. You plan to host the application in Azure. A console application acts as a web crawler. It crawls the web servers on the school's network every 12 hours to build a local table of keywords and links. This table is used by the web application. You plan to host the web application in an Azure App Service.

You need to ensure that the web crawler continues to work while the web application is in Azure without increasing costs.

What should you do?

Answers



A B C D

Explanation

You should deploy it as a WebJob. A WebJob allows you to run a program in the context of a web application. The program can be written in Java, JavaScript, Python, PHP, Bash, PowerShell, or any .NET language. You can configure the WebJob to use a schedule as a trigger, allowing the console application to run every 12 hours. WebJobs are free.

You should not convert it to an Azure Function. Although an Azure Function can use a schedule as a trigger, the cost increases compared to a WebJob.

You should not convert it to a web application. There is no easy way to cause a web application to run on a scheduled basis.

You should not deploy it as a Docker Container instance. Although you can run a Docker Container instance on a schedule, the cost increases compared to a WebJob.


Question 81

You are developing a web application that will serve as a search engine for the science department at a school. You plan to host the application in Azure.

A console application acts as a web crawler. It browses the web servers on the school's network every 12 hours to build a local table of keywords and links. This table is used by the web application. You plan to host the web application in Azure App Service.

You need to make sure that the web crawler continues to work while the web application is in Azure without increasing costs.

What should you do?

Answers



A B C D

Explanation

You should deploy the web crawler as a WebJob. A WebJob allows you to run a program in the context of a web application. The program can be written in Java, JavaScript, Python, PHP, Bash, PowerShell, or any .NET language. You can configure the WebJob to use a schedule as a trigger, which allows the console application to run every 12 hours. Also, WebJobs involve no additional cost.

You should not convert it to an Azure Function. Although an Azure Function can use a schedule as a trigger, it increases the cost, unlike a WebJob.

You should not convert it to a web application. There is no easy way to cause a web application to run on a scheduled basis.

You should not deploy it as a Docker container instance. Although you can run a Docker container instance on a schedule, it increases the cost, unlike a WebJob.


Question 82

You are using the WebJobs SDK to create an Azure WebJob. You write the following code (line numbers are included for reference only):

01 static void Main(string[] args)
02 {
03     var config = new JobHostConfiguration();
04     var host = new JobHost(config);
05
06 }

You need to complete the code at line 05 so that the WebJob can be manually triggered.

Which code should you add at line 05?

Answers



A B C D

Explanation

You should call host.RunAndBlock. This method starts the WebJob and blocks the current thread so that it can keep running.

You should not call host.Start. This method starts the WebJob, but it does not block the current thread. This causes it to stop as soon as the Main method returns.

You should not call host.Call. This method allows you to have the WebJob call an external method.


Question 83

You create an Azure web app.

You need to view HTML documents that provide information about HTTP errors associated with the app.

Which logs should you view?

Answers



A B C D

Explanation

You should view detailed error logs. This is an HTML document that provides information about HTTP errors.

You should not view application diagnostics logs. This is either a space-separated value or comma-separated value file that lists the date, process identifier, event level, and message.

You should not view web server logs. These logs are formatted using the W3C extended log format.

You should not view failed trace requests. These are XML files that show trace information.


Question 84

You are creating an ASP.NET Core web API that you want to host in Azure.

You need to have the API automatically generate JavaScript Object Notation (JSON) and user-friendly documentation.

Which technology should you use?

Answers



A B C D

Explanation

You should use Swagger. This technology automatically generates JSON and user-friendly documentation for web APIs.

You should not use Gulp. Gulp is a JavaScript build toolkit that allows you to stream client-side code.

You should not use AngularJS. AngularJS is a JavaScript framework that allows you to bind application data to HTML elements.

You should not use Docker. Docker allows you to automate deployment of containers.


Question 85

You use Visual Studio to create an ASP.NET web app named billing and enable Docker Compose support. You publish the app to Docker Hub. You then sign into Azure and create a Windows container app for the web app.

You need to view the progress of the app as it is starting up.

What should you do?