Azure 104 Exam question

You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2.VM1 hosts a frontend application that connects to VM2 to retrieve data.Users report that the frontend application is slower than usual.You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.Which Azure Network Watcher feature should you use?

The connection monitor:-  A (Correct Answer)

The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint

The IP flow:- B

The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.

Network Security:-C

The Network Security Groups flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an Network Security Groups.

connection troubleshoot:- D

The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather than monitoring it over time, as connection monitor does.

From the MFA Server blade, you open the Block/unblock users blade as shown in the exhibit. What caused AlexW to be blocked?

Answer 3

Blob storage supports three types of blobs (block, page and append blobs), and three access tiers (hot, cool, and archive).

https://docs.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs

Azure Monitor is a single-pane of glass for accessing Azure metrics, tenant and resource diagnostic logs, Log Analytics, service health, and alerts.

Azure Monitor is a single-pane of glass for accessing Azure metrics, tenant and resource diagnostic logs, Log Analytics, service health, and alerts.

You can configure alerts based on metric alerts (captured from Azure Metrics) to Activity Log alerts that can notify only with an Azure Automation Runbook (and not by email).

Explanation

You can configure alerts based on metric alerts (captured from Azure Metrics) to Activity Log alerts that can notify by email, web hook, SMS, Logic Apps, or even an Azure Automation Runbook.

You have an Azure Active Directory (Azure AD) tenant. You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of the GlobalAdministrators group authenticate to Azure AD from untrusted locations.You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating from untrusted locations.What should you do?

Explanation

There are two types of controls:  Grant controls " To gate access  Session controls " To restrict access to a sessionGrant controls oversee whether a user can complete authentication and reach the resource that they're attempting to sign-in to.

If you have multiple controls selected, you can configure whether all of them are required when your policy is processed.

The current implementation of Azure Active Directory enables you to set the following grant control requirements:

Reference: https://blog.lumen21.com/2017/12/15/conditional-access-in-azure-active-directory/

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.

From Azure, you download and install the VPN client configuration package on a computer named Computer2.You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.

Solution: You export the client certificate from Computer1 and install the certificate on Computer2. Does this meet the goal?

Explanation

Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails. References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

The Standard performance tier uses

Explanation

The Standard performance tier uses magnetic disks and supports all services. The Premium tier uses solid-state disks and is only used for unmanaged VM disks.

https://www.danielstocker.net/what-is-the-difference-between-azure-standard-storage-and-azure-premium-storage/

Role-based access control allows you to grant users, groups, and service principals access to Azure resources at the subscription, resource group, or resource scopes with RBAC inheritance. The three core roles are Owner, Administrator, and Guest.

Explanation

Role-based access control allows you to grant users, groups, and service principals access to Azure resources at the subscription, resource group, or resource scopes with RBAC inheritance. The three core roles are Owner, Contributor, and Reader.

You have an Active Directory forest named contoso.com.
You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled.
You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.
You need to ensure that the synchronization completes successfully.
What should you do?

Staging mode must be disabled. If the Azure AD Connect server is in staging mode, password hash synchronization is temporarily disabled.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-troubleshoot-password-hash-synchronization#no-passwords- are-synchronized-troubleshoot-by-using-the-troubleshooting-task

You have an Active Directory forest named contoso.com.You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled.You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.You need to ensure that the synchronization completes successfully.

What should you do?

Answers

·      Run Azure AD Connect and set the SSO method to Pass-through Authentication.

·      From Synchronization Service Manager, run a full import.

·      From Azure PowerShell, run Start-AdSyncSyncCycle ?PolicyType Initial.

·      Run Azure AD Connect and disable staging mode.

 

Advertisement

Explanation (click to expand)

Staging mode must be disabled. If the Azure AD Connect server is in staging mode, password hash synchronization is temporarily disabled.

Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It provides the following features:

Password hash synchronization - A sign-in method that synchronizes a hash of a users on-premises AD password with Azure AD.

Pass-through authentication - A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment.

Federation integration - Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.

Synchronization - Responsible for creating users, groups, and other objects. As well as, making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes.

Health Monitoring - Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.

 You have an Azure Active Directory (Azure AD) tenant.

All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal only from your on-premises network.
What should you configure?

• A. the default for all the roles in Azure AD Privileged Identity Management
• B. an Azure AD Identity Protection user risk policy
• C. an Azure AD Identity Protection sign-in risk policy
• D. the multi-factor authentication service settings

References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

Top of Form

You have an Azure subscription that contains the resources in the following table.

VM1 and VM2 are deployed from the same template and host line-of-business applications accessed by using Remote Desktop.You configure the network security group (Network Security Groups) shown in the picture.

You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80. What should you do?

·         ​

Change the Port_80 inbound security rule.

·         ​

Change the DenyWebSites outbound security rule.

·         ​

Disassociate the Network Security Groups from a network interface.

·         ​

Associate the Network Security Groups to Subnet1.

Bottom of Form

Explanation

You can associate or dissociate a network security group from a network interface or subnet.The Network Security Groups has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.

References: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group