
Exam AZ-100 topic 15 question 1 discussion

Actual exam question from Microsoft's AZ-100
Question #: 1
Topic #: 15

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?

  • A. Assign User1 the Owner role for VNet1
  • B. Assign User1 the Network Contributor role for VNet1
  • C. Assign User1 the Network Contributor role for RG1
  • D. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
Suggested Answer: Correct
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Testlet 2 -

Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study -
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All
Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Contoso are hosted on-premises.
Contoso creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named contoso.onmicrosoft.com. The tenant uses the P1 pricing tier.

Existing Environment -
The network contains an Active Directory forest named contoso.com. All domain controllers are configured as DNS servers and host the contoso.com DNS zone.
Contoso has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Contoso.com contains a user named User1.
All the offices connect by using private links.
Contoso has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.

Contoso uses two web applications named App1 and App2. Each instance of each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.

The network security team implements several network security groups (NSGs).

Planned Changes -
Contoso plans to implement the following changes:
✑ Deploy Azure ExpressRoute to the Montreal office.
✑ Migrate the virtual machines hosted on Server1 and Server2 to Azure.
✑ Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
✑ Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

Technical requirements -
Contoso must meet the following technical requirements:
✑ Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
✑ Ensure that VM3 can establish outbound connections over TCP port 8080 to the application servers in the Montreal office.
✑ Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
✑ Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
✑ Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com.
✑ Connect the New York office to VNet1 over the Internet by using an encrypted connection.
✑ Create a workflow to send an email message when the settings of VM4 are modified.
✑ Create a custom Azure role named Role1 that is based on the Reader role.
✑ Minimize costs whenever possible.

QUESTION 1 -

HOTSPOT -
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Explanation -

Testlet 3 -

Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment -
Currently, Contoso uses multiple types of servers for business operations, including the following:
✑ File servers
✑ Domain controllers
✑ Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
✑ A SQL database
✑ A web front end
✑ A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements -

Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
✑ Move all the tiers of App1 to Azure.
✑ Move the existing product blueprint files to Azure Blob storage.
✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements -
Contoso must meet the following technical requirements:
✑ Move all the virtual machines for App1 to Azure.
✑ Minimize the number of open ports between the App1 tiers.
✑ Ensure that all the virtual machines for App1 are protected by backups.
✑ Copy the blueprint files to Azure over the Internet.
✑ Ensure that the blueprint files are stored in the archive storage tier.
✑ Ensure that partner access to the blueprint files is secured and temporary.
✑ Prevent user passwords or hashes of passwords from being stored in Azure.
✑ Use unmanaged standard storage for the hard disks of the virtual machines.
✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
✑ Minimize administrative effort whenever possible.

User Requirements -
Contoso identifies the following requirements for users:
✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.
✑ Admin1 must receive email alerts regarding service outages.
✑ Ensure that a new user named User3 can create network objects for the Azure subscription.

QUESTION 1 -

HOTSPOT -
You need to recommend a solution for App1. The solution must meet the technical requirements. What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:



Explanation -

This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
✑ A SQL database
✑ A web front end
✑ A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Technical requirements include:
✑ Move all the virtual machines for App1 to Azure.
✑ Minimize the number of open ports between the App1 tiers.
References:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server

QUESTION 2 -
You are planning the move of App1 to Azure.
You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1.
What should you recommend?
A. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.
B. Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.
C. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
D. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.

Explanation -

Because App1 is public-facing, an incoming (inbound) security rule is required so that users can reach the web servers.
Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
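The following Azure Resource Manager template is an added example, not code from the exam page or from Microsoft's reference architecture. It expresses the recommendation in the explanation above: one inbound rule that allows TCP port 443 from the Internet service tag, with the NSG associated only with the subnet that holds the web front end, so the middle and SQL tiers are not exposed. The resource names, address ranges and API version are assumptions; Resource Manager accepts // comments in template JSON.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "resources": [
    {
      // Assumed name: an NSG dedicated to the App1 web tier.
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-11-01",
      "name": "nsg-app1-web",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            // Users reach the web front end over HTTPS only, so 443 is the only
            // port opened from the Internet. The built-in DenyAllInBound rule
            // (priority 65500) still blocks everything else from outside the VNet.
            "name": "Allow-HTTPS-From-Internet",
            "properties": {
              "priority": 100,
              "direction": "Inbound",
              "access": "Allow",
              "protocol": "Tcp",
              "sourceAddressPrefix": "Internet",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "*",
              "destinationPortRange": "443"
            }
          }
        ]
      }
    },
    {
      // Assumed VNet and subnet names. Only snet-web references the NSG; the
      // middle-tier and SQL subnets keep their own, more restrictive, NSGs.
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-11-01",
      "name": "vnet-app1",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-app1-web')]"
      ],
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] },
        "subnets": [
          {
            "name": "snet-web",
            "properties": {
              "addressPrefix": "10.0.1.0/24",
              "networkSecurityGroup": {
                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-app1-web')]"
              }
            }
          },
          { "name": "snet-middle", "properties": { "addressPrefix": "10.0.2.0/24" } },
          { "name": "snet-sql", "properties": { "addressPrefix": "10.0.3.0/24" } }
        ]
      }
    }
  ]
}
```

Deploy it with az deployment group create --resource-group <rg> --template-file nsg-web.json. Associating the same NSG with all subnets (answers A and B) would open port 443 from the Internet to the middle and SQL tiers as well, which contradicts the requirement to minimize open ports between tiers; an outbound rule (A and D) does not admit user traffic at all.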

Testlet 4 -

Overview -
Humongous Insurance is an insurance company that has three offices in Miami, Tokyo and Bangkok. Each office has 5,000 users.

Existing Environment -

Active Directory Environment -
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com. The functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.

Network Infrastructure -
Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Each office has several link load balancers that provide access to the servers.

Active Directory Issue -
Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.

Licensing Issue -
You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user."
You verify that the Azure subscription has the available licenses.

Requirements -

Planned Changes -
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.

Planned Azure AD Infrastructure -
The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure -
You plan to create the following networking resources in a resource group named All_Resources:
✑ Default Azure system routes that will be the only routes used to route traffic
✑ A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
✑ A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
✑ A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

Planned Azure Compute Infrastructure -
Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.

Department Requirements -
Humongous Insurance identifies the following requirements for the company's departments:
✑ Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.
✑ During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

Authentication Requirements -
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.

QUESTION 1 -

HOTSPOT -
You are evaluating the connectivity between the virtual machines after the planned implementation of the Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:



Explanation -

Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore, VMs on Subnet1, which is on Paris-VNet, and VMs on Subnet3, which is on AllOffices-VNet, will be able to connect to each other.
All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore, VMs on ClientSubnet, which is on ClientResources-VNet, will have access to the Internet, and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet, will have access to the Internet.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
https://docs.microsoft.com/en-us/azure/networking/networking-overview#internet-connectivity

QUESTION 2 -

HOTSPOT -
You are evaluating the name resolution for the virtual machines after the planned implementation of the Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:



Explanation -


Box 1: Yes -
All client computers in the Paris office will be joined to an Azure AD domain.
A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2

Box 2: Yes -
A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

Box 3: No -
Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records.
References:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

Question Set 1 -

QUESTION 1 -
You have an Azure Active Directory (Azure AD) domain that contains 5,000 user accounts. You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
A. From the Directory role blade, modify the directory role.
B. From the Groups blade, invite the user account to a new group.
C. From the Licenses blade, assign a new license.

Explanation -


Assign a role to a user -
1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.
4. Press Select to save.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal

QUESTION 2 -

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.

You create two user accounts that are configured as shown in the following table.

To which groups do User1 and User2 belong? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:



Explanation -


Box 1: Group1 only -
Only the first membership rule applies.

Box 2: Group1 and Group2 only -
Both membership rules apply.
References:
https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections

QUESTION 3 -
You have an Active Directory forest named contoso.com.
You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled.
You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.
You need to ensure that the synchronization completes successfully.
What should you do?
A. From Synchronization Service Manager, run a full import.
B. Run Azure AD Connect and set the SSO method to Pass-through Authentication.
C. From Azure PowerShell, run Start-AdSyncSyncCycle -PolicyType Initial.
D. Run Azure AD Connect and disable staging mode.

Explanation -

Staging mode must be disabled. If the Azure AD Connect server is in staging mode, password hash synchronization is temporarily disabled.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-troubleshoot-password-hash-synchronization#no-passwords-are-synchronized-troubleshoot-by-using-the-troubleshooting-task

QUESTION 4 -
You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.
You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single sign-on (SSO) to access Azure resources.
What should you do first?
A. From the on-premises network, deploy Active Directory Federation Services (AD FS).
B. From Azure AD, add and verify a custom domain name.
C. From the on-premises network, request a new certificate that contains the Active Directory domain name.
D. From the server that runs Azure AD Connect, modify the filtering options.

Explanation -

Azure AD Connect lists the UPN suffixes that are defined for the domains and tries to match them with a custom domain in Azure AD. Then it helps you with the appropriate action that needs to be taken. The Azure AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and displays the corresponding status against each suffix. The status values can be one of the following:
✑ State: Verified
Azure AD Connect found a matching verified domain in Azure AD. All users for this domain can sign in by using their on-premises credentials.
✑ State: Not verified
Azure AD Connect found a matching custom domain in Azure AD, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified.
✑ Action Required: Verify the custom domain in Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-user-signin

QUESTION 5 -
You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com.
You have a Microsoft account that you use to sign in to both tenants.
You need to configure the default sign-in tenant for the Azure portal.
What should you do?
A. From the Azure portal, configure the portal settings.
B. From the Azure portal, change the directory.
C. From Azure Cloud Shell, run Set-AzureRmContext.
D. From Azure Cloud Shell, run Set-AzureRmSubscription.

Explanation -

Change the subscription directory in the Azure portal.
The classic portal feature Edit Directory, which allows you to associate an existing subscription to your Azure Active Directory (AAD), is now available in the Azure portal. It used to be available only to Service Admins with Microsoft accounts, but now it's available to users with AAD accounts as well.
To get started:
1. Go to Subscriptions.
2. Select a subscription.
3. Select Change directory.
Incorrect Answers:
C: The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current session. The context includes tenant, subscription, and environment information.
References:
https://azure.microsoft.com/en-us/updates/edit-directory-now-in-new-portal/

QUESTION 6 -
You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named [email protected] as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?
A. Device settings from the Devices blade.
B. General settings from the Groups blade.
C. User settings from the Users blade.
D. Providers from the MFA Server blade.

Explanation -

When you connect a Windows device to Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
✑ The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

QUESTION 7 -

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:



Explanation -
References:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa

QUESTION 8 -

HOTSPOT -
Your network contains an Active Directory domain named adatum.com and an Azure Active Directory (Azure AD) tenant named adatum.onmicrosoft.com.
Adatum.com contains the user accounts in the following table.

Adatum.onmicrosoft.com contains the user accounts in the following table.

You need to implement Azure AD Connect. The solution must follow the principle of least privilege.
Which user accounts should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:



Explanation -


Box 1: User5 -
In Express settings, the installation wizard asks for the following:
AD DS Enterprise Administrator credentials
Azure AD Global Administrator credentials
The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These credentials are only used during the installation and are not used after the installation has completed. An Enterprise Admin, not a Domain Admin, is required so that the permissions in Active Directory can be set in all domains.

Box 2: UserA -
Azure AD Global Admin credentials are only used during the installation and are not used after the installation has completed. They are used to create the Azure AD Connector account used for synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions

QUESTION 9 -
You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?
A. Azure Active Directory (AD) Identity Protection and an Azure policy
B. a Recovery Services vault and a backup policy
C. an Azure Key Vault and an access policy
D. an Azure Storage account and an access policy

Explanation -

You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore, the password is never put in plain text in the template parameter file.
References:
https://azure.microsoft.com/en-us/resources/templates/101-vm-secure-password/
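The parameter file below is an added example, not taken from the exam page or from the linked 101-vm-secure-password quickstart. It shows how a template parameter is supplied by reference to a Key Vault secret rather than as a literal: Resource Manager fetches the secret at deployment time, so the password appears neither in the parameter file, nor in the template, nor in the deployment history. The resource group, vault, secret and parameter names are assumptions, and the subscription id is a placeholder; Resource Manager accepts // comments in parameter files.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      // Ordinary value; the user name is not a secret.
      "value": "azureadmin"
    },
    "adminPassword": {
      // Assumed vault "kv-contoso-vmdeploy" in resource group "rg-secrets".
      // The template must declare adminPassword with "type": "securestring";
      // a plain "string" parameter cannot be satisfied by a Key Vault reference.
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/rg-secrets/providers/Microsoft.KeyVault/vaults/kv-contoso-vmdeploy"
        },
        "secretName": "vm-admin-password"
      }
    }
  }
}
```

Two access-policy conditions apply before this deploys, which is why answer C pairs the vault with an access policy: the vault must have enabledForTemplateDeployment set to true, and the identity running the deployment needs the Microsoft.KeyVault/vaults/deploy/action permission on the vault (the built-in Owner and Contributor roles grant it). Deploy with az deployment group create --resource-group <rg> --template-file vm.json --parameters @vm.parameters.json; the same parameter file can be reused for all 100 virtual machines without a password ever being written to disk.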

QUESTION 10 -
You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?

A. RRSIG
B. PTR
C. DNSKEY
D. TXT

Explanation -

Create the TXT record. App Service uses this record only at configuration time to verify that you own the custom domain. You can delete this TXT record after your custom domain is validated and configured in App Service.
References:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

QUESTION 11 -

DRAG DROP -
You have an Azure Active Directory (Azure AD) tenant that has the initial domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.
Select and Place:



Explanation -

The process is simple:
1. Add the custom domain name to your directory
2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD
References:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

QUESTION 12 -
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
You hire a temporary vendor. The vendor uses a Microsoft account that has a sign-in of [email protected].
You need to ensure that the vendor can authenticate to the tenant by using [email protected].
What should you do?
A. From Windows PowerShell, run the New-AzureADUser cmdlet and specify the UserPrincipalName [email protected] parameter.
B. From the Azure portal, add a custom domain name, create a new Azure AD user, and then specify [email protected] as the username.
C. From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the UserPrincipalName [email protected] parameter.
D. From the Azure portal, add a new guest user, and then specify [email protected] as the email address.

Explanation -

UserPrincipalName - contains the UserPrincipalName (UPN) of this user. The UPN is what the user will use when they sign in to Azure AD. The common structure is a user name followed by @ and the domain name, so for Abby Brown in Contoso.com, the UPN would be [email protected]
Example:
To create the user, call the New-AzureADUser cmdlet with the parameter values shown below. The password profile object is created first, as in the referenced Microsoft sample, so that the command runs as written:

    # Build the password profile object the cmdlet expects (AzureAD module)
    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $PasswordProfile.Password = "<initial password>"
    # Create the user with the UPN in the verified custom domain
    New-AzureADUser -AccountEnabled $True -DisplayName "Abby Brown" -PasswordProfile $PasswordProfile -MailNickName "AbbyB" -UserPrincipalName "[email protected]"
References:
https://docs.microsoft.com/bs-cyrl-ba/powershell/azure/active-directory/new-user-sample?view=azureadps-2.0

QUESTION 13 -

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.

You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.)

You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:


Section: [none]

Explanation -


Box 1: No -
Two methods are required.

Box 2: No -
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

Box 3: Yes -
As a User Administrator, User3 can add security questions to the reset process.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr
https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq

QUESTION 14 -
You have an Azure subscription.
You enable multi-factor authentication for all users.
Some users report that the email applications on their mobile device cannot connect to their Microsoft Exchange Online mailbox. The users can access Exchange Online by using a web browser and from Microsoft Outlook 2016 on their computer.
You need to ensure that the users can use the email applications on their mobile device.
What should you instruct the users to do?

A. Create an app password
B. Reset the Azure Active Directory (Azure AD) password
C. Enable self-service password reset
D. Reinstall the Microsoft Authenticator app
Section: [none]

Explanation -
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

QUESTION 15 -
You create an Azure subscription named Subscription1 and an associated Azure Active Directory (Azure AD) tenant named Tenant1.
Tenant1 contains the users in the following table.

You need to add an Azure AD Privileged Identity Management application to Tenant1.
Which account can you use?
A. [email protected]
B. [email protected]
C. [email protected]
D. [email protected]
Section: [none]

Explanation -
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started

QUESTION 16 -
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1. An external partner has a Microsoft account that uses the [email protected] sign-in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: "Unable to invite user [email protected] Generic authorization exception."
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?
A. From the Roles and administrators blade, assign the Security administrator role to Admin1.
B. From the Users blade, modify the External collaboration settings
C. From the Organizational relationship blade, add an identity provider
D. From the Custom domain names blade, add a custom domain
Section: [none]

Explanation -
References:
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Generic-authorization-exception-inviting-Azure-AD-gests/td-p/274742

QUESTION 17 -
You set the multi-factor authentication status for a user named [email protected] to 6.
Admin1 accesses the Azure portal by using a web browser.
Which additional security verifications can Admin1 use when accessing the Azure portal?
A. a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app
B. an app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app
C. an app message, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app
D. a phone call, an email message that contains a verification code, and a text message that contains an app password
Section: [none]

Explanation -

QUESTION 18 -
You have an Azure subscription named Subscription1 and two Azure Active Directory (Azure AD) tenants named Tenant1 and Tenant2.
Subscription1 is associated to Tenant1. Multi-factor authentication (MFA) is enabled for all the users in Tenant1.
You need to enable MFA for the users in Tenant2. The solution must maintain MFA for Tenant1.
What should you do first?
A. Create and link a subscription to Tenant2.
B. Configure the MFA Server setting in Tenant1
C. Transfer the administration of Subscription1 to a global administrator of Tenant2
D. Change the directory for Subscription1
Section: [none]

Explanation -

QUESTION 19 -
You have an Azure Active Directory (Azure AD) tenant.
You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of the Global Administrators group authenticate to Azure AD from untrusted locations.
You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating from untrusted locations.
What should you do?
A. From the Azure portal, modify session control of Policy1
B. From the multi-factor authentication page, modify the service settings
C. From the multi-factor authentication page, modify the user settings
D. From the Azure portal, modify grant control of Policy1
Section: [none]

Explanation -

There are two types of controls:
✑ Grant controls: to gate access
✑ Session controls: to restrict access to a session
Grant controls oversee whether a user can complete authentication and reach the resource that they're attempting to sign in to. If you have multiple controls selected, you can configure whether all of them are required when your policy is processed. The current implementation of Azure Active Directory enables you to set the following grant control requirements:

References:
https://blog.lumen21.com/2017/12/15/conditional-access-in-azure-active-directory/

QUESTION 20 -
From the MFA Server blade, you open the Block/unblock users blade as shown in the exhibit.

What caused AlexW to be blocked?
A. The user reported a fraud alert when prompted for additional authentication
B. The user account password expired
C. An administrator manually blocked the user
D. The user entered an incorrect PIN for time within 10 minutes
Section: [none]

Explanation -

QUESTION 21 -
You purchase an Azure subscription that is associated to a basic Azure Active Directory (Azure AD) tenant.
You need to receive an email notification when any user activates an administrative role.
What should you do?
A. Purchase Enterprise Mobility + Security E3 and configure conditional access policies
B. Purchase Azure AD Premium P2 and configure Azure AD Privileged Identity Management
C. Purchase Enterprise Mobility + Security E5 and create a custom alert rule in Azure Security Center
D. Purchase Azure AD Premium P1 and enable Azure AD Identity Protection
Section: [none]

Explanation -

When key events occur in Azure AD Privileged Identity Management (PIM), email notifications are sent. For example, PIM sends emails for the following events:
✑ When a privileged role activation is pending approval
✑ When a privileged role activation request is completed
✑ When a privileged role is activated
✑ When a privileged role is assigned
✑ When Azure AD PIM is enabled
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications

QUESTION 22 -

HOTSPOT -
You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
✑ Can be assigned only to the resource groups in Subscription1
✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resources within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: [none]

Explanation -
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources

QUESTION 23 -
You are the global administrator for an Azure Active Directory (Azure AD) tenant named adatum.com
You need to enable two-step verification for Azure users.
What should you do?
A. Configure a security policy in Azure Security Center
B. Configure a playbook in Azure Security Center
C. Create an Azure AD conditional access policy
D. Install an MFA Server
Section: [none]

Explanation -
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

QUESTION 24 -

HOTSPOT -
You plan to create a new Azure Active Directory (Azure AD) role.
You need to ensure that the new role can view all the resources in the Azure subscription and issue support requests to Microsoft. The solution must use the principle of least privilege.
How should you complete the JSON definition? To answer, select the appropriate options in the answer area.
Hot Area:
Section: [none]

Explanation -

Box 1: "*/read",
*/read lets you view everything, but not make any changes.
Box 2: "Microsoft.Support/*"
The action Microsoft.Support/* enables creating and managing support tickets.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
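The least-privilege reasoning behind Question 24 (and the "prevent management of access permissions" requirement of Question 22) comes down to how Azure RBAC matches an operation against a role definition's Actions and NotActions. The following is an added example, not code from the exam page or from Microsoft: a small offline evaluator that applies the documented matching rule (an operation is granted when it matches an Actions pattern and no NotActions pattern, with "*" matching any run of characters) and checks whether a role may be assigned at a given scope. The role names and the subscription ID are constructed placeholders; the second role is modelled on the built-in Contributor's NotActions list.

```python
"""Evaluate Azure RBAC custom role definitions offline.

Added example; not code from the exam page or from Microsoft. Role names
and the subscription ID below are constructed placeholders.
"""
import re

# The role from Question 24: view everything, create and manage support tickets.
READER_WITH_SUPPORT = {
    "Name": "Reader with Support Requests",  # hypothetical role name
    "IsCustom": True,
    "Actions": ["*/read", "Microsoft.Support/*"],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],  # placeholder
}

# A Contributor-style role: full resource management, but NotActions subtracts
# the Microsoft.Authorization write/delete operations, so the holder cannot
# grant or revoke access for others (the same pattern the built-in Contributor uses).
RESOURCE_MANAGER = {
    "Name": "Resource Manager without access management",  # hypothetical role name
    "IsCustom": True,
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],  # placeholder
}


def _pattern_to_regex(pattern):
    """Turn an RBAC action pattern into a regex: '*' matches any characters,
    everything else is literal. Operation names are case-insensitive."""
    escaped_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(escaped_parts) + "$", re.IGNORECASE)


def pattern_matches(pattern, operation):
    return _pattern_to_regex(pattern).match(operation) is not None


def is_permitted(role, operation):
    """True when this role grants the control-plane operation.

    NotActions is not a deny: it only subtracts from this role's own Actions.
    A second role assigned to the same principal may still grant the operation.
    """
    granted = any(pattern_matches(p, operation) for p in role.get("Actions", []))
    subtracted = any(pattern_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not subtracted


def can_be_assigned_at(role, scope):
    """A role can be assigned at any of its assignable scopes or at a scope below one."""
    wanted = scope.lower().rstrip("/")
    for assignable in role["AssignableScopes"]:
        base = assignable.lower().rstrip("/")
        if wanted == base or wanted.startswith(base + "/"):
            return True
    return False


def effective_operations(role, operations):
    """Split a list of operations into those the role permits and those it does not."""
    permitted = [op for op in operations if is_permitted(role, op)]
    denied = [op for op in operations if not is_permitted(role, op)]
    return permitted, denied


if __name__ == "__main__":
    sample_ops = [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Support/supportTickets/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
    ]
    for role in (READER_WITH_SUPPORT, RESOURCE_MANAGER):
        permitted, denied = effective_operations(role, sample_ops)
        print(role["Name"])
        print("  permits:        ", permitted)
        print("  does not permit:", denied)
```

Running the block shows why "*/read" plus "Microsoft.Support/*" is the least-privilege answer: virtual machine writes and role assignment writes fall outside both patterns, while the Contributor-style role keeps every resource operation and loses only the Microsoft.Authorization writes and deletes. The scope check mirrors the Question 22 requirement that a role whose only assignable scope is the subscription can still be assigned to that subscription's resource groups.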

QUESTION 25 -

HOTSPOT -
From Azure Active Directory (AD) Privileged Identity Management, you configure the Role settings for the Owner role of an Azure subscription as shown in the following exhibit.

From Azure AD Privileged Identity Management, you assign the Owner role for the subscription to a user named User1, and you set the Assignment type to Active and Permanently eligible.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:


Section: [none]

Explanation -

QUESTION 26 -
You have an Azure Active Directory (Azure AD) tenant.
All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal only from your on-premises network.
What should you configure?
A. the multi-factor authentication service settings
B. the default for all the roles in Azure AD Privileged Identity Management
C. an Azure AD Identity Protection sign-in risk policy
D. an Azure AD Identity Protection user risk policy
Section: [none]

Explanation -

QUESTION 27 -

HOTSPOT -
Your network contains an Active Directory domain named contoso.com that is synced to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The tenant contains only default domain names.
The domain contains the users shown in the following table.

The users have the values set for their user accounts as shown in the following table.

You plan to enable Azure Multi-Factor Authentication (MFA) by using the following bulk update file named File1.

Username, MFA Status
CN=User1, DC=Contoso, DC=onmicrosoft, DC=com, Enabled
[email protected], Enabled
[email protected], Enabled
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: [none]

Explanation -

QUESTION 28 -

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant has the users shown in the following table.

Azure AD Privileged Identity Management is enabled for contoso.com.
The User Access Administrator role is configured as shown in the Role Setting Details exhibit. (Click the Role Setting Details tab.)

Group1 is configured as the approver for the User Access Administrator role.
You configure User2 to be eligible for the User Access Administrator role.
You configure User1 to be eligible for the User Access Administrator role as shown in the New Assignment exhibit. (Click the New Assignment tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: [none]

Explanation -

Testlet 2 -

Overview -
Humongous Insurance is an insurance company that has three offices in Miami, Tokyo and Bangkok. Each office has 5,000 users.

Existing Environment -

Active Directory Environment -
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com. The functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.

Network Infrastructure -
Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Each office has several link load balancers that provide access to the servers.

Active Directory Issue -
Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.

Licensing Issue -
You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user."
You verify that the Azure subscription has the available licenses.

Requirements -

Planned Changes -
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.

Planned Azure AD Infrastructure -
The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure -
You plan to create the following networking resources in a resource group named All_Resources:
✑ Default Azure system routes that will be the only routes used to route traffic
✑ A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
✑ A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
✑ A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
Planned Azure Computer Infrastructure -
Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.

Department Requirements -
Humongous Insurance identifies the following requirements for the company's departments:
✑ Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.
✑ During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

Authentication Requirements -
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.

QUESTION 1 -
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Join the client computers in the Miami office to Azure AD.
B. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office.
C. Allow inbound TCP port 8080 to the domain controllers in the Miami office.
D. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication
E. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.
Section: [none]

Explanation -

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.
B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com
Incorrect Answers:
A: Seamless SSO needs the user's device to be domain-joined, but doesn't need the device to be Azure AD joined.
C: Azure AD Connect does not use port 8080. It uses port 443.
E: Seamless SSO is not applicable to Active Directory Federation Services (AD FS).
Scenario: Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
Planned Azure AD Infrastructure includes: The on-premises Active Directory domain will be synchronized to Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start

QUESTION 2 -
You need to define a custom domain name for Azure AD to support the planned infrastructure.
Which domain name should you use?
A. humongousinsurance.onmicrosoft.com
B. humongousinsurance.com
C. ad.humongousinsurance.com
D. humongousinsurance.local
Section: [none]

Explanation -

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as [email protected] instead of alice@domainname.onmicrosoft.com.
Scenario:
Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com.
Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

QUESTION 3 -
You need to resolve the Active Directory issue.
What should you do?
A. From Active Directory Users and Computers, select the user accounts, and then modify the UPN suffix value.
B. Run the IdFix tool then use the Update action.
C. From Active Directory Domains and Trusts, modify the list of UPN suffixes.
D. From Azure AD Connect, modify the outbound synchronization rule.
Section: [none]

Explanation -

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.
Scenario: Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
References:
https://www.microsoft.com/en-us/download/details.aspx?id=36832
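The discovery half of what IdFix does for the case study's "Active Directory issue" is a mechanical check of each userPrincipalName against the rules Azure AD sync enforces. The following is an added example, not the IdFix tool and not code from the exam page or from Microsoft: it applies the UPN rules documented in Microsoft's directory-synchronization preparation guidance (username portion limited to A-Z, a-z, 0-9 and ' . - _ ! # ^ ~, no leading or trailing period, exactly one @, at most 64 characters before it, 48 after it and 113 in total, and a domain suffix that is verified in the tenant). The sample directory and the verified-domain set are constructed for the example; only the humongousinsurance.com domain comes from the case study.

```python
"""Find on-premises UPNs that Azure AD synchronization will not accept.

Added example; not the IdFix tool and not code from Microsoft or the exam
page. The sample directory below is constructed for the example.
"""
import re

# Characters Azure AD accepts in the username portion of a UPN
# (per Microsoft's directory-synchronization preparation guidance).
USERNAME_ALLOWED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'.-_!#^~"
)
# Two or more DNS labels of letters, digits and inner hyphens, joined by dots.
DNS_NAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)

# Constructed: the custom domains verified in the tenant. A UPN whose suffix is
# not verified is not rejected outright by sync, but Azure AD replaces the suffix
# with the tenant's default .onmicrosoft.com domain, which breaks Seamless SSO sign-in.
VERIFIED_DOMAINS = {"humongousinsurance.com"}


def validate_upn(upn, verified_domains=None):
    """Return the list of problems with a UPN; an empty list means it is acceptable."""
    problems = []
    if upn.count("@") != 1:
        return ["must contain exactly one '@'"]
    username, domain = upn.split("@")
    if len(upn) > 113:
        problems.append("longer than 113 characters")
    if len(username) > 64:
        problems.append("username portion longer than 64 characters")
    if len(domain) > 48:
        problems.append("domain portion longer than 48 characters")
    if not username:
        problems.append("username portion is empty")
    else:
        bad = sorted({c for c in username if c not in USERNAME_ALLOWED})
        if bad:
            problems.append(
                "unsupported characters in username: " + " ".join(repr(c) for c in bad)
            )
        if username[0] == "." or username[-1] == ".":
            problems.append("username portion starts or ends with a period")
    if not DNS_NAME.match(domain):
        problems.append("domain portion is not a valid DNS name")
    elif verified_domains is not None and domain.lower() not in verified_domains:
        problems.append("domain suffix is not verified in the tenant")
    return problems


def find_invalid_upns(directory, verified_domains=None):
    """Scan (samAccountName, userPrincipalName) pairs; map each offender to its problems."""
    report = {}
    for sam_account_name, upn in directory:
        problems = validate_upn(upn, verified_domains)
        if problems:
            report[sam_account_name] = problems
    return report


# Constructed sample of on-premises accounts (not real users).
SAMPLE_DIRECTORY = [
    ("jdoe", "jdoe@humongousinsurance.com"),          # clean
    ("obrien", "o'brien@humongousinsurance.com"),     # apostrophe is allowed
    ("amueller", "anna.müller@humongousinsurance.com"),  # non-ASCII letter
    ("bsmith", "bob smith@humongousinsurance.com"),   # space
    ("lead", ".lead@humongousinsurance.com"),         # leading period
    ("svc", "svc-backup@humongousinsurance.local"),   # unverifiable suffix
]

if __name__ == "__main__":
    for sam, problems in find_invalid_upns(SAMPLE_DIRECTORY, VERIFIED_DOMAINS).items():
        print(f"{sam}: {'; '.join(problems)}")
```

Run against a real export (for example the output of Get-ADUser piped to a CSV), the report identifies the accounts whose UPNs need to be corrected before Azure AD Connect synchronizes them; the apostrophe case is included because it is a frequent false alarm.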

Testlet 3 -

Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment -
Currently, Contoso uses multiple types of servers for business operations, including the following:
✑ File servers
✑ Domain controllers
✑ Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
✑ A SQL database
✑ A web front end
✑ A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements -

Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
✑ Move all the tiers of App1 to Azure.
✑ Move the existing product blueprint files to Azure Blob storage.
✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements -
Contoso must meet the following technical requirements:
✑ Move all the virtual machines for App1 to Azure.
✑ Minimize the number of open ports between the App1 tiers.
✑ Ensure that all the virtual machines for App1 are protected by backups.
✑ Copy the blueprint files to Azure over the Internet.
✑ Ensure that the blueprint files are stored in the archive storage tier.
✑ Ensure that partner access to the blueprint files is secured and temporary.
✑ Prevent user passwords or hashes of passwords from being stored in Azure.
✑ Use unmanaged standard storage for the hard disks of the virtual machines.
✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
✑ Minimize administrative effort whenever possible.

User Requirements -
Contoso identifies the following requirements for users:
✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.
✑ Admin1 must receive email alerts regarding service outages.
✑ Ensure that a new user named User3 can create network objects for the Azure subscription.

Comments

Ragdoll
4 years, 7 months ago
Answer A. Owner has the right to assign permissions.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other