AZ-303 Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the AZ-303 certification exam? Kickstart your success with our AZ-303 Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with AZ-303 practice questions free gives you a powerful edge by allowing you to:
Understand the exam structure and question formats
Discover your strong and weak areas
Build the confidence you need for test day success
Below, you will find 50 free AZ-303 practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review. You can click on each Question to explore the details.
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
HOTSPOT -
You have an Azure subscription named Subscription1.
Subscription1 contains the virtual machines in the following table.
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.
VM3 has a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.
You create a route table named RT1 that contains the routes in the following table.
You apply RT1 to Subnet1 and Subnet2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
IP forwarding enables the virtual machine a network interface is attached to:
✑ Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
✑ Send network traffic with a different source IP address than the one assigned to one of a network interface’s IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.
Box 1: Yes –
The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.
Box 2: No –
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.
Box 3: Yes –
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview https://www.quora.com/What-is-IP-forwarding
HOTSPOT -
You have an Azure subscription that contains the resource groups shown in the following table.
RG1 contains the virtual machines shown in the following table.
RG2 contains the virtual machines shown in the following table.
All the virtual machines are configured to use premium disks and are accessible from the Internet.
VM1 and VM2 are in an availability set named AVSET1. VM3 and VM4 are in the same availability zone and are in an availability set named AVSET2. VM5 and
VM6 are in different availability zones.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Yes –
VM1 and VM2 are in an available set named AVSET1.
For all Virtual Machines that have two or more instances deployed in the same Availability Set, we [Microsoft] guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time.
Box 2: No –
VM3 and VM4 are in the same availability zone and are in an availability set named AVSET2.
Box 3: Yes –
VM5 and VM6 are in different availability zones.
For all Virtual Machines that have two or more instances deployed across two or more Availability Zones in the same Azure region, we [Microsoft] guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.99% of the time.
References: https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_8/
HOTSPOT -
You plan to create an Azure Storage account in the Azure region of East US 2.
You need to create a storage account that meets the following requirements:
✑ Replicates synchronously
✑ Remains available if a single data center in the region fails
How should you configure the storage account? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
HOTSPOT -
A company runs multiple Windows virtual machines (VMs) in Azure.
The IT operations department wants to apply the same policies as they have for on-premises VMs to the VMs running in Azure, including domain administrator permissions and schema extensions.
You need to recommend a solution for the hybrid scenario that minimizes the amount of maintenance required.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Join the VMs to a new domain controller VM in Azure
Azure provides two solutions for implementing directory and identity services in Azure:
✑ (Used in this scenario) Extend your existing on-premises Active Directory infrastructure to Azure, by deploying a VM in Azure that runs AD DS as a Domain
Controller. This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
✑ Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.
Box 2: Set up VPN connectivity.
This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
References: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/
You have an Azure Active Directory (Azure AD) tenant.
All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal only from your on-premises network.
What should you configure?
A. the default for all the roles in Azure AD Privileged Identity Management
B. an Azure AD Identity Protection user risk policy
C. an Azure AD Identity Protection sign-in risk policy
D. the multi-factor authentication service settings
SIMULATION -
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.
When you are finished performing all the tasks, click the `ËœNext' button.
Note that you cannot return to the lab once you click the `ËœNext' button. Scoring occur in the background while you complete the rest of the exam.
Overview -
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab -
You may start the lab by clicking the Next button.
Your on-premises network uses an IP address range of 131.107.2.0 to 131.107.2.255.
You need to ensure that only devices from the on-premises network can connect to the rg1lod8322490n1 storage account.
What should you do from the Azure portal?
Suggested Answer: See solution below.
Step 1: Navigate to the rg1lod8322490n1 storage account.
Step 2: Click on the settings menu called Firewalls and virtual networks.
Step 3: Ensure that you have elected to allow access from ‘Selected networks’.
Step 4: To grant access to an internet IP range, enter the address range of 131.107.2.0 to 131.107.2.255 (in CIDR format) under Firewall, Address Ranges.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
Your company has an Azure subscription.
You enable multi-factor authentication (MFA) for all users.
The company's help desk reports an increase in calls from users who receive MFA requests while they work from the company's main office.
You need to prevent the users from receiving MFA requests when they sign in from the main office.
What should you do?
A. From Conditional access in Azure Active Directory (Azure AD), create a named location.
B. From the MFA service settings, create a trusted IP range.
C. From Conditional access in Azure Active Directory (Azure AD), create a custom control.
D. From Azure Active Directory (Azure AD), configure organizational relationships.
Suggested Answer: B
The first thing you may want to do, before enabling Multi-Factor Authentication for any users, is to consider configuring some of the available settings. One of the most important features is a trusted IPs list. This will allow you to whitelist a range of IPs for your network. This way, when users are in the office, they will not get prompted with MFA, and when they take their devices elsewhere, they will. Here’s how to do it:
Log in to your Azure Portal.
Navigate to Azure AD > Conditional Access > Named locations.
From the top toolbar select Configure MFA trusted IPs.
Reference: https://www.kraftkennedy.com/implementing-azure-multi-factor-authentication/
Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.
You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You assign the Service administrator role to Admin1.
Does this meet the goal?
An administrator plans to create a function app in Azure that will have the following settings:
✑ Runtime stack: .NET Core
✑ Operating System: Linux
✑ Plan type: Consumption
✑ Enable Application Insights: Yes
You need to ensure that you can back up the function app.
Which settings should you recommend changing before creating the function app?
Your company has the groups shown in the following table.
The company has an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com.
An administrator named Admin1 attempts to enable Enterprise State Roaming for all the users in the Managers group.
Admin1 reports that the options for Enterprise State Roaming are unavailable from Azure AD.
You verify that Admin1 is assigned the Global administrator role.
You need to ensure that Admin1 can enable Enterprise State Roaming.
What should you do?
A. Enforce Azure Multi-Factor Authentication (MFA) for Admin1.
B. Purchase an Azure AD Premium P1 license for each user in the Managers group.
C. Assign an Azure AD Privileged Identity Management (PIM) role to Admin1.
D. Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group.
HOTSPOT -
You have an Azure subscription named Subscription1.
In Subscription1, you create an alert rule named Alert1. The Alert1 action group is configured as shown in the following exhibit.
Alert1 alert criteria is triggered every minute.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: 60 –
One alert per minute will trigger one email per minute.
Box 2: 12 –
No more than 1 SMS every 5 minutes can be send, which equals 12 per hour.
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device. Rate limiting ensures that alerts are manageable and actionable.
The rate limit thresholds are:
✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.
✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.
References: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/azure-monitor/overview.md
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage an Active Directory domain named contoso.local.
You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.
You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.
Solution: You use the Synchronization Service Manager to modify the Active Directory Domain Services (AD DS) Connector.
Does this meet the goal?
A. Yes
B. No
Suggested Answer: B
Instead use Synchronization Rules Editor to create a synchronization rule.
Note: Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn’t cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g.,
john.doe@acme.com
would be synced while
jane.doe@internal.acme.com
would not).
Filtering can be configured using either the GUI (Synchronization Rules Editor) or PowerShell.
Reference: https://www.sidekicktech.com/blog/field-notes/2019/upn-suffix-filtering-ad-connect/
You have an Azure subscription that contains the storage accounts shown in the following table.
You enable Storage Advanced Threat Protection (ATP) for all the storage accounts.
You need to identify which storage accounts will generate Storage ATP alerts.
Which two storage accounts should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
You have an Azure web app that runs in a Premium App Service plan.
Developers plan to update the app weekly.
You need to ensure that the app can be switched from the current version to the new version. The solution must meet the following requirements:
✑ Provide the developers with the ability to test the app in Azure prior to switching versions. Testing must use the same app instance.
✑ Ensure that the app version can be rolled back.
✑ Minimize downtime.
What should you do?
A. Create a deployment slot.
B. Copy the App Service plan.
C. Add an instance of the app to the scale set.
D. Create an Azure Active Directory (Azure AD) enterprise application.
Suggested Answer: A
Azure Functions deployment slots allow your function app to run different instances called “slots”. Slots are different environments exposed via a publicly available endpoint. One app instance is always mapped to the production slot, and you can swap instances assigned to a slot on demand.
There are a number of advantages to using deployment slots. The following scenarios describe common uses for slots:
✑ Different environments for different purposes: Using different slots gives you the opportunity to differentiate app instances before swapping to production or a staging slot.
✑ Easy fallbacks: After a swap with production, the slot with a previously staged app now has the previous production app. If the changes swapped into the production slot aren’t as you expect, you can immediately reverse the swap to get your “last known good instance” back.
Prewarming –
Reference: alt=”Reference Image” />
Reference: https://docs.microsoft.com/en-us/azure/azure-functions/functions-deployment-slots
You need to move the blueprint files to Azure.
What should you do?
A. Use the Azure Import/Export service.
B. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
C. Use Azure Storage Explorer to copy the files.
D. Generate an access key. Map a drive, and then copy the files by using File Explorer.
Suggested Answer: C
Scenario:
✑ Copy the blueprint files to Azure over the Internet.
✑ Ensure that the blueprint files are stored in the archive storage tier.
✑ Ensure that partner access to the blueprint files is secured and temporary.
Copy the blueprint files to Azure over the Internet.
To mount an Azure file share, you will need the primary (or secondary) storage key. SAS keys are not currently supported for mounting.
Incorrect Answers:
A: Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.
B: You cannot map a drive with a SAS signature.
Reference: https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-explorer-files
You create a new Azure subscription. You create a resource group named RG1. In RG1, you create the resources shown in the following table.
You need to configure an encrypted tunnel between your on-premises network and VNET1.
Which two additional resources should you create in Azure? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a site-to-site connection
B. a VPN gateway
C. a VNet-to- VNet connection
D. a local network gateway
E. a point-to-site configuration
Suggested Answer: BD
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
This type of connection requires a VPN device, a local network gateway, located on-premises that has an externally facing public IP address assigned to it.
Finally, create a Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.
References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
HOTSPOT -
You need to design an authentication solution that will integrate on-premises Active Directory and Azure Active Directory (Azure AD). The solution must meet the following requirements:
✑ Active Directory users must not be able to sign in to Azure AD-integrated apps outside of the sign-in hours configured in the Active Directory user accounts.
✑ Active Directory users must authenticate by using multi-factor authentication (MFA) when they sign in to Azure AD-integrated apps.
✑ Administrators must be able to obtain Azure AD-generated reports that list the Active Directory users who have leaked credentials.
✑ The infrastructure required to implement and maintain the solution must be minimized.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Pass-through Authentication with Azure AD Seamless SSO
Azure AD Seamless SSO versus Active Directory Federation Services
Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use Azure AD Pass-through Authentication.
You can combine Pass-through Authentication with the Seamless Single Sign-On feature.
Note: Azure AD supports the following authentication methods for hybrid identity solutions.
✑ Azure AD password hash synchronization
✑ Azure AD Pass-through Authentication
Box 2: Azure MFA –
One key benefit with Azure AD Pass-through Authentication is that it works seamlessly with Azure MFA.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
The tenant contains computers that run Windows 10. The computers are configured as shown in the following table.
You enable Enterprise State Roaming in contoso.com for Group1 and GroupA.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Cosmos DB database that contains a container named Container1. The partition key for Container1 is set to /day. Container1 contains the items shown in the following table.
You need to programmatically query Azure Cosmos DB and retrieve Item1 and Item2 only.
Solution: You run the following query.
SELECT id FROM c -
WHERE c.day = "Mon" OR c.day = "Tue"
You set the EnableCrossPartitionQuery property to False.
Does this meet the goal?
You have a resource group named RG1 that contains the following:
✑ A virtual network that contains two subnets named Subnet1 and AzureFirewallSubnet
✑ An Azure Storage account named contososa1
✑ An Azure firewall deployed to AzureFirewallSubnet
You need to ensure that contososa1 is accessible from Subnet1 over the Azure backbone network.
What should you do?
A. Modify the Firewalls and virtual networks settings for contososa1.
B. Create a stored access policy for contososa1.
C. Implement a virtual network service endpoint.
D. Remove the Azure firewall.
Suggested Answer: C
Storage firewall rules apply to the public endpoint of a storage account. You don’t need any firewall access rules to allow traffic for private endpoints of a storage account. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint.
Note: Storage accounts have a public endpoint that is accessible through the internet. ou can also create Private Endpoints for your storage account, which assigns a private IP address from your VNet to the storage account, and secures all traffic between your VNet and the storage account over a private link. The
Azure storage firewall provides access control access for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when using private endpoints. Your storage firewall configuration also enables select trusted Azure platform services to access the storage account securely.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases named DB1 and DB2.
You plan to move DB1 and DB2 to Azure.
You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and DB2.
Solution: You deploy DB1 and DB2 as Azure SQL databases each on a different Azure SQL Database server.
Does this meet the goal?
A. Yes
B. No
Suggested Answer: B
Instead deploy DB1 and DB2 to SQL Server on an Azure virtual machine.
Note: Understanding distributed transactions.
When both the database management system and client are under the same ownership (e.g. when SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be controlled.
Reference: https://docs.particular.net/nservicebus/azure/understanding-transactionality-in-azure
HOTSPOT -
You have the Azure SQL Database servers shown in the following table.
You have the Azure SQL databases shown in the following table.
You create a failover group named failover1 that has the following settings:
✑ Primary server: sqlserver1
✑ Secondary server: sqlserver2
✑ Read/Write failover policy: Automatic
✑ Read/Write grace period (hours): 1 hour
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Yes –
DB1 is on the primary server –
Box 2: No –
DB3 is on the secondary server.
You can put all or several databases within an elastic pool into the same failover group.
Box 3: No –
A failover group is a named group of databases managed by a single server or within a managed instance that can fail over as a unit to another region in case all or some primary databases become unavailable due to an outage in the primary region.
The secondary cannot be in the same region as the primary.
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/auto-failover-group-overview
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company is deploying an on-premises application named App1. Users will access App1 by using a URL of https://app1.contoso.com.
You register App1 in Azure Active Directory (Azure AD) and publish App1 by using the Azure AD Application Proxy.
You need to ensure that App1 appears in the My Apps portal for all the users.
Solution: You modify User and Groups for App1.
Does this meet the goal?
A. Yes
B. No
Suggested Answer: A
Assigning users and groups to individual applications in Azure AD controls the visibility of the link.
If you want only a subset of your users to see the link in the Azure AD My Apps portal, configure user assignment as follows:
1. In the menu on the left, select Properties.
2. Set User assignment required to Yes.
3. Click Save.
4. In the menu on the left, click Manage > Users and groups.
5. Click Add user.
6. Select Users.
7. Select the users or groups that you want to provision. If you select a group, all members of the group are provisioned.
8. Click Select.
9. Click Assign.
10.It might take several minutes for a link to show up in the My Apps portal.
Reference: https://cloud.google.com/architecture/identity/integrating-google-services-and-apps-with-azure-ad-portal#adding_links
HOTSPOT -
You have an Azure subscription that contains a resource group named RG1.
You have a group named Group1 that is assigned the Contributor role for RG1.
You need to enhance security for the virtual machines in RG1 to meet the following requirements:
✑ Prevent Group1 from assigning external IP addresses to the virtual machines.
✑ Ensure that Group1 can establish a Remote Desktop connection to the virtual machines through a shared external IP address.
What should you use to meet each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Azure Policy –
There is a built-in policy in the Azure Policy service that allows you to block public IPs on all NICs of a VM.
Note: Azure Policy is a powerful tool in your Azure toolbox. It allows you to enforce specific governance principals you want to see implemented in your environment. Some key examples of what Azure Policy allows you to do is:
Automatically tag resources –
✑ Block VMs from having a public IP
✑ Enforce specific regions
✑ Enforce VM size
Box 2: Azure Bastion –
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure
Portal.
Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your Virtual Network (VNet) using SSL without any exposure through public IP addresses.
Incorrect Answers:
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network.
Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Reference: alt=”Reference Image” />
✑ Block VMs from having a public IP
✑ Enforce specific regions
✑ Enforce VM size
Box 2: Azure Bastion –
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure
Portal.
Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your Virtual Network (VNet) using SSL without any exposure through public IP addresses.
Incorrect Answers:
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network.
Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Reference: https://blog.nillsf.com/index.php/2019/11/02/using-azure-policy-to-deny-public-ips-on-specific-vnets/ https://azure.microsoft.com/en-us/services/azure-bastion/
SIMULATION -
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.
When you are finished performing all the tasks, click the `ËœNext' button.
Note that you cannot return to the lab once you click the `ËœNext' button. Scoring occur in the background while you complete the rest of the exam.
Overview -
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab -
You may start the lab by clicking the Next button.
Your company plans to store several documents on a public website.
You need to create a container named bios that will host the documents in the corpdata7523690n1 storage account. The solution must ensure anonymous access and must ensure that users can browse folders in the container.
What should you do from the Azure portal?
Suggested Answer: See explanation below.
Azure portal create public container
To create a container in the Azure portal, follow these steps:
Step 1: Navigate to your new storage account in the Azure portal.
Step 2: In the left menu for the storage account, scroll to the lob service section, then select Blobs.
Select the + Container button.
Type a name for your new container: bios
Set the level of public access to the container: Select anonymous access.
Step 3: Select OK to create the container.
References: alt=”Reference Image” />
Step 3: Select OK to create the container.
References: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-portal
A company hosts virtual machines (VMs) in an on-premises datacenter and in Azure. The on-premises and Azure-based VMs communicate using ExpressRoute.
The company wants to be able to continue regular operations if the ExpressRoute connection fails. Failover connections must use the Internet and must not require Multiprotocol Label Switching (MPLS) support.
You need to recommend a solution that provides continued operations.
What should you recommend?
A. Increase the bandwidth of the existing ExpressRoute connection.
B. Increase the bandwidth for the on-premises internet connection.
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains the user groups shown in the following table.
You enable self-service password reset (SSPR) for Group1.
You configure the Notifications settings as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Yes –
Notify all admins when other admins reset their passwords: Yes.
Box 2: No –
Notify users on password resets: No.
Box 3: No –
✑ Notify users on password resets
If this option is set to Yes, then users resetting their password receive an email notifying them that their password has been changed. The email is sent via the
SSPR portal to their primary and alternate email addresses that are on file in Azure AD. No one else is notified of the reset event.
✑ Notify all admins when other admins reset their passwords
If this option is set to Yes, then all administrators receive an email to their primary email address on file in Azure AD. The email notifies them that another administrator has changed their password by using SSPR.
Example: There are four administrators in an environment. Administrator A resets their password by using SSPR. Administrators B, C, and D receive an email alerting them of the password reset.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
HOTSPOT -
You have an Azure subscription that contains the storage account shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: No –
Azure Files supports two storage tiers: premium and standard. Standard file shares are created in general purpose (GPv1 or GPv2) storage accounts and premium file shares are created in FileStorage storage accounts.
You cannot create Azure file shares from Blob storage accounts or premium general purpose (GPv1 or GPv2) storage accounts. Standard Azure file shares must created in standard general purpose accounts only and premium Azure file shares must be created in FileStorage storage accounts only. Premium general purpose (GPv1 and GPv2) storage accounts are for premium page blobs only.
Box 2: Yes –
Geo-redundant storage (GRS) brings additional redundancy to the data storage over both LRS or ZRS. Along with the three copies of your data stored within a single region, a further three copies are stored in the twinned Azure region. So using GRS means you get all the features of the LRS storage within your primary zone, but you also get a second LRS data storage in a neighbouring Azure region. This data is updated asynchronously, so there is a small lag between the 2 data sets, but for most cases this is acceptable.
Box 3: Yes –
Blob Storage Standard can be used both LRS and GRS.
References: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-faq https://www.skylinesacademy.com/blog/2019/7/31/azure-storage-replication https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)
No devices are connected to VNet1.
You plan to peer VNet1 to another virtual network named VNet2 in the same region. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering.
What should you do first?
You are developing an application that will enable users to download content from an Azure Storage account.
The users must only be able to download the content for a period of seven days.
You need to recommend an authentication solution to access the storage account.
What should you include in the recommendation?
A. shared access signature (SAS) tokens
B. identity-based authentication that uses Active Directory Domain Services (AD DS)
C. storage access key
D. identity-based authentication that uses Azure Active Directory (Azure AD)
HOTSPOT -
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Yes –
Scenario: Move the existing product blueprint files to Azure Blob storage.
Scenario: Use unmanaged standard storage for the hard disks of the virtual machines.
Page blobs are optimized for writes at random locations within a blob. They also support Unmanaged Disks.
Scenario:
SQL Server Data Files in Microsoft Azure enables native support for SQL Server database files stored as blobs. It allows you to create a database in SQL Server running in on-premises or in a virtual machine in Microsoft Azure with a dedicated storage location for your data in Microsoft Azure Blob storage.
Box 2: No –
Box 3: No –
Reference: https://docs.microsoft.com/en-us/sql/relational-databases/databases/sql-server-data-files-in-microsoft-azure
HOTSPOT -
You have an Azure subscription named Subscription1.
Subscription1 contains the virtual machines in the following table:
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.
VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.
You create a route table named RT1 that contains the routers in the following table.
You apply RT1 to Subnet1 and Subnet2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
IP forwarding enables the virtual machine a network interface is attached to:
✑ Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
✑ Send network traffic with a different source IP address than the one assigned to one of a network interface’s IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.
Box 1: Yes –
The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.
Box 2: No –
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.
Box 3: Yes –
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview https://www.quora.com/What-is-IP-forwarding
HOTSPOT -
You have an Azure subscription that contains the Azure SQL servers shown in the following table.
The subscription contains the elastic pools shown in the following table.
The subscription contains the Azure SQL databases shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Note: You cannot add databases from different servers into the same pool
Box 1: Yes –
Pool2 contains DB2 but DB1 and DB2 are on Sql1. DB1 can thus be added to Pool2.
Box 2: Yes –
Pool3 is empty.
Box 3: Yes –
Pool1 contains DB1 but DB3 and DB1 are on Sql1. DB3 can thus be added to Pool1.
Reference: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-pool
SIMULATION -
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.
When you are finished performing all the tasks, click the `ËœNext' button.
Note that you cannot return to the lab once you click the `ËœNext' button. Scoring occur in the background while you complete the rest of the exam.
Overview -
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab -
You may start the lab by clicking the Next button.
You need to deploy an Azure virtual machine named VM1004a based on an Ubuntu Server image, and then to configure VM1004a to meet the following requirements:
- The virtual machines must contain data disks that can store at least 15 TB of data
- The data disk must be able to provide at least 2,000 IOPS
- Storage costs must be minimized
What should you do from the Azure portal?
Suggested Answer: See solution below.
Step 1: Open the Azure portal.
Step 2: On the left menu, select All resources. You can sort the resources by Type to easily find your images.
Step 3: Select the image you want to use from the list. The image Overview page opens.
Step 4: Select Create VM from the menu.
Step 5: Enter the virtual machine information. Select VM1004a as the name for the first Virtual machine.The user name and password entered here will be used to log in to the virtual machine. When complete, select OK. You can create the new VM in an existing resource group, or choose Create new to create a new resource group to store the VM.
Step 6: Select a size for the VM. To see more sizes, select View all or change the Supported disk type filter.To support 15 TB of data you would need a Premium disk.
Step 7: Under Settings, make changes as necessary and select OK.
Step 8: On the summary page, you should see your image name listed as a Private image. Select Ok to start the virtual machine deployment.
References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-vm-generalized-managed
SIMULATION -
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.
When you are finished performing all the tasks, click the `ËœNext' button.
Note that you cannot return to the lab once you click the `ËœNext' button. Scoring occur in the background while you complete the rest of the exam.
Overview -
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab -
You may start the lab by clicking the Next button.
Another administrator reports that she is unable to configure a web app named corplod10217507n3 to prevent all connections from an IP address of 11.0.0.11.
You need to modify corplod10217507n3 to successfully prevent the connections from the IP address. The solution must minimize Azure-related costs.
What should you do from the Azure portal?
Suggested Answer: See explanation below.
Step 1:
Find and select application corplod10217507n3:
1. In the Azure portal, on the left navigation panel, click Azure Active Directory.
2. In the Azure Active Directory blade, click Enterprise applications.
Step 2:
To add an IP restriction rule to your app, use the menu to open Network>IP Restrictions and click on Configure IP Restrictions
Step 3:
Click Add rule –
You can click on [+] Add to add a new IP restriction rule. Once you add a rule, it will become effective immediately.
Step 4:
Add name, IP address of 11.0.0.11, select Deny, and click Add Rule
References: alt=”Reference Image” />
Step 3:
Click Add rule –
You can click on [+] Add to add a new IP restriction rule. Once you add a rule, it will become effective immediately.
Step 4:
Add name, IP address of 11.0.0.11, select Deny, and click Add Rule
<img src=”https://www.examtopics.com/assets/media/exam-media/03862/0048300001.png” alt=”Reference Image” />
References: https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
You have an Azure Service Bus and two clients named Client1 and Client2.
You create a Service Bus queue named Queue1 as shown in the exhibit. (Click the Exhibit tab.)
Client1 send messages to Queue1 as shown in the following table.
Client2 reads the messages from Queue1 at 12:01:05.
How will the messages be presented to Client2?
A. Client2 will read three messages in the following order: M1, M2, and then M3.
B. Client2 will read three messages in the following order: M3, M1, and then M2.
C. Client2 will read four messages in the following order: M3, M1, M2 and then M3.
D. Client2 will read four messages in the following order: M3, M2, M1 and then M3.
Suggested Answer: D
It should be M3, M2, M1 as duplicate detection is enabled, and the duplication detection window is set to 10 minutes. The second M3 message in the queue would be discarded.
Note 1: Duplicate detection enables the sender resend the same message, and the queue or topic discards any duplicate copies.
Note 2: Queues offer First In, First Out (FIFO) message delivery to one or more competing consumers. That is, receivers typically receive and process messages in the order in which they were added to the queue, and only one message consumer receives and processes each message.
Reference: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-queues-topics-subscriptions https://docs.microsoft.com/en-us/azure/service-bus-messaging/duplicate-detection
HOTSPOT -
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Yes –
Scenario: Move the existing product blueprint files to Azure Blob storage.
Scenario: Use unmanaged standard storage for the hard disks of the virtual machines.
Page blobs are optimized for writes at random locations within a blob. They also support Unmanaged Disks.
Scenario:
SQL Server Data Files in Microsoft Azure enables native support for SQL Server database files stored as blobs. It allows you to create a database in SQL Server running in on-premises or in a virtual machine in Microsoft Azure with a dedicated storage location for your data in Microsoft Azure Blob storage.
Box 2: No –
Box 3: No –
References: https://docs.microsoft.com/en-us/sql/relational-databases/databases/sql-server-data-files-in-microsoft-azure
You have an Azure subscription that contains 10 virtual machines.
You need to ensure that you receive an email message when any virtual machines are powered off, restarted, or deallocated.
What is the minimum number of rules and action groups that you require?
HOTSPOT -
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1.
You add the users in the following table.
Which user can perform each configuration? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: User1 only.
User1: The Owner Role lets you manage everything, including access to resources.
Not User3: The Network Contributor role lets you manage networks, but not access to them.
Box 2: User1 and User2 only –
The Security Admin role: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
You have an Azure subscription.
You create a custom role in Azure by using the following Azure Resource Manager template.
You assign the role to a user named User1.
Which action can User1 perform?
DRAG DROP -
You have an Azure Active Directory (Azure AD) tenant that has the initial domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.
Select and Place:
You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor authentication
(MFA) in Azure Active Directory (Azure AD).
You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Authenticator app
B. Email addresses
C. App passwords
D. Short Message Service (SMS) messages
E. Security questions
Suggested Answer: AD
The following authentication mechanisms can be used for both MFA and SSPR:
✑ Short Message Service (SMS) messages
✑ Azure AD passwords
✑ Microsoft Authenticator app
✑ Voice call
Incorrect Answers:
B, E: The following authentication mechanisms are used for SSPR only:
✑ Email addresses
✑ Security questions
E: App passwords authentication mechanisms can be used for MFA only, but only in certain cases.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
HOTSPOT -
A company runs multiple Windows virtual machines (VMs) in Azure.
The IT operations department wants to apply the same policies as they have for on-premises VMs to the VMs running in Azure, including domain administrator permissions and schema extensions.
You need to recommend a solution for the hybrid scenario that minimizes the amount of maintenance required.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: Join the VMs to a new domain controller VM in Azure
Azure provides two solutions for implementing directory and identity services in Azure:
(Used in this scenario) Extend your existing on-premises Active Directory infrastructure to Azure, by deploying a VM in Azure that runs AD DS as a Domain
Controller. This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
✑ Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.
Box 2: Set up VPN connectivity.
This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
Reference: alt=”Reference Image” />
Controller. This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
✑ Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.
Box 2: Set up VPN connectivity.
This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/
HOTSPOT -
You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscription blade, you select the subscription, and then click Resource providers.
Does this meet the goal?
DRAG DROP -
You have an on-premises file server named Server1 that runs Windows Server 2016.
You have an Azure subscription that contains an Azure file share.
You deploy an Azure File Sync Storage Sync Service, and you create a sync group.
You need to synchronize files from Server1 to Azure.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggested Answer:
Step 1: Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2: Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.
Step 3: Add a server endpoint –
Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server.
References: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.
You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You create an access package.
Does this meet the goal?
HOTSPOT -
You have Azure Storage accounts as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts.
✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
✑ Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options
You create a new Azure subscription. You create a resource group named RG1. In RG1, you create the resources shown in the following table.
You need to configure an encrypted tunnel between your on-premises network and VNET1.
Which two additional resources should you create in Azure? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a VPN gateway
B. a site-to-site connection
C. a point-to-site configuration
D. a VNet-to-VNet connection
E. a local network gateway
Suggested Answer: AE
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
This type of connection requires a VPN device, a local network gateway, located on-premises that has an externally facing public IP address assigned to it.
Finally, create a Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
Free Access Full AZ-303 Practice Questions Free
Want more hands-on practice? Click here to access the full bank of AZ-303 practice questions free and reinforce your understanding of all exam objectives.
We update our question sets regularly, so check back often for new and relevant content.
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.
VM3 has a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routes in the following table.
You apply RT1 to Subnet1 and Subnet2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
RG1 contains the virtual machines shown in the following table.
RG2 contains the virtual machines shown in the following table.
All the virtual machines are configured to use premium disks and are accessible from the Internet. VM1 and VM2 are in an availability set named AVSET1. VM3 and VM4 are in the same availability zone and are in an availability set named AVSET2. VM5 and VM6 are in different availability zones. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
When you are finished performing all the tasks, click the `ËœNext' button. Note that you cannot return to the lab once you click the `ËœNext' button. Scoring occur in the background while you complete the rest of the exam. Overview - The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design. Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task. Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided. Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab. To start the lab - You may start the lab by clicking the Next button. Your on-premises network uses an IP address range of 131.107.2.0 to 131.107.2.255. You need to ensure that only devices from the on-premises network can connect to the rg1lod8322490n1 storage account. What should you do from the Azure portal?
The company has an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. An administrator named Admin1 attempts to enable Enterprise State Roaming for all the users in the Managers group. Admin1 reports that the options for Enterprise State Roaming are unavailable from Azure AD. You verify that Admin1 is assigned the Global administrator role. You need to ensure that Admin1 can enable Enterprise State Roaming. What should you do?
Alert1 alert criteria is triggered every minute. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:
You enable Storage Advanced Threat Protection (ATP) for all the storage accounts. You need to identify which storage accounts will generate Storage ATP alerts. Which two storage accounts should you identify? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
You need to configure an encrypted tunnel between your on-premises network and VNET1. Which two additional resources should you create in Azure? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
The tenant contains computers that run Windows 10. The computers are configured as shown in the following table.
You enable Enterprise State Roaming in contoso.com for Group1 and GroupA. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
You need to programmatically query Azure Cosmos DB and retrieve Item1 and Item2 only. Solution: You run the following query. SELECT id FROM c - WHERE c.day = "Mon" OR c.day = "Tue" You set the EnableCrossPartitionQuery property to False. Does this meet the goal?
You have the Azure SQL databases shown in the following table.
You create a failover group named failover1 that has the following settings: ✑ Primary server: sqlserver1 ✑ Secondary server: sqlserver2 ✑ Read/Write failover policy: Automatic ✑ Read/Write grace period (hours): 1 hour For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
When you are finished performing all the tasks, click the `ËœNext' button. Note that you cannot return to the lab once you click the `ËœNext' button. Scoring occur in the background while you complete the rest of the exam. Overview - The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design. Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task. Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided. Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab. To start the lab - You may start the lab by clicking the Next button. Your company plans to store several documents on a public website. You need to create a container named bios that will host the documents in the corpdata7523690n1 storage account. The solution must ensure anonymous access and must ensure that users can browse folders in the container. What should you do from the Azure portal?
You enable self-service password reset (SSPR) for Group1. You configure the Notifications settings as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
No devices are connected to VNet1. You plan to peer VNet1 to another virtual network named VNet2 in the same region. VNet2 has an address space of 10.2.0.0/16. You need to create the peering. What should you do first?
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.
VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routers in the following table.
You apply RT1 to Subnet1 and Subnet2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
The subscription contains the elastic pools shown in the following table.
The subscription contains the Azure SQL databases shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
When you are finished performing all the tasks, click the `ËœNext' button. Note that you cannot return to the lab once you click the `ËœNext' button. Scoring occur in the background while you complete the rest of the exam. Overview - The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design. Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task. Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided. Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab. To start the lab - You may start the lab by clicking the Next button. You need to deploy an Azure virtual machine named VM1004a based on an Ubuntu Server image, and then to configure VM1004a to meet the following requirements: - The virtual machines must contain data disks that can store at least 15 TB of data - The data disk must be able to provide at least 2,000 IOPS - Storage costs must be minimized What should you do from the Azure portal?
When you are finished performing all the tasks, click the `ËœNext' button. Note that you cannot return to the lab once you click the `ËœNext' button. Scoring occur in the background while you complete the rest of the exam. Overview - The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design. Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task. Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided. Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab. To start the lab - You may start the lab by clicking the Next button. Another administrator reports that she is unable to configure a web app named corplod10217507n3 to prevent all connections from an IP address of 11.0.0.11. You need to modify corplod10217507n3 to successfully prevent the connections from the IP address. The solution must minimize Azure-related costs. What should you do from the Azure portal?
Client1 send messages to Queue1 as shown in the following table.
Client2 reads the messages from Queue1 at 12:01:05. How will the messages be presented to Client2?
Which user can perform each configuration? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
You assign the role to a user named User1. Which action can User1 perform?
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:
You need to configure an encrypted tunnel between your on-premises network and VNET1. Which two additional resources should you create in Azure? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.