Tag: Shared access signatures

Elevate Your Career with AI & Machine Learning For Dummies PRO and Start mastering the technologies shaping the future—download now and take the next step in your professional journey!

Azure Solutions Architect Expert Certification Questions And Answers Dumps

This exam measures your ability to accomplish the following technical tasks: design identity, governance, and monitoring solutions; design data storage solutions; design business continuity solutions; and design infrastructure solutions.

This blog covers the Designing Microsoft Azure Infrastructure Solutions.

A candidate for this certification should have advanced experience and knowledge of IT operations, including networking, virtualization, identity, security, business continuity, disaster recovery, data platforms, and governance. A professional in this role should manage how decisions in each area affect an overall solution. In addition, they should have experience in Azure administration, Azure development, and DevOps processes.

Skills measured

• Design identity, governance, and monitoring solutions (25-30%)
• Design data storage solutions (25-30%)
• Design business continuity solutions (10-15%)
• Design infrastructure solutions (25-30%)

Below are the top 50 Questions and Answers for AZ303, AZ304 and AZ305 Certification Exam:

What is one reason to regularly review Azure role assignments?

A. ensure naming conventions are properly applied.

B. To reduce the risk associated with stale role assignments.

C. To eliminate extra distribution groups that are no longer used.

How can Discovery and insights for privileged identity management help an organization?

A. Discovery and insights can find privileged role assignments across Azure AD, and then provide recommendations on how to secure them using Azure AD governance features like Privileged Identity Management (PIM).

B. Discovery and insights can find when guest’s access resources across Azure AD.

C. Discovery and insights can find security group assignments across Azure AD, and then provide recommendations on how to secure them using Azure AD governance features like Privileged Identity Management (PIM).

D. N/A

Whether to assign a role to a group instead of to individual users is a strategic decision. When planning, consider assigning a role to a group to manage role assignments when the desired outcome is to delegate assigning the role and what else?

A. You want to use Conditional Access policies.

B. Many Azure resources need to be managed.

C. Many users are assigned to a role.

D. N/A

Which roles can only be assigned using Privileged Identity Management?

A. Permanently active roles.

B. Eligible roles.

C. Transient roles.

D. N/A

What is the purpose of the audit logs?

A. Azure AD audit logs provide a comparison of budgeted Azure usage compared to actual.

B. Azure AD audit logs provide records of system activities for compliance reporting.

C. Azure AD audit logs allow customer to monitor activity when provisioning new services within Azure.

D. N/A

Can Azure export logging data to third-party SIEM tools?

A. Yes, Azure supports exporting log data to several common third-party SIEM tools.

B. No, Azure only supports the export to Azure Sentinel.

C. Yes, Splunk is the 3rd Party SIEM Azure can export to.

D. N/A

A Solutions Architect wants to configure email notifications to be sent from Azure AD Domain Services when issues are detected. In Azure, where this would be configured?

A. Azure Microsoft Portal > Azure Active Directory > Monitoring > Notifications > Add email recipient.

B. Azure Microsoft Portal > Azure AD Domain Services > Notification settings > Add email recipient.

C. Azure Microsoft Portal > Notification Hubs > Azure Active Directory > Add email recipient.

D. N/A

You are architecting a web application that constantly reads and writes important medical imaging data in blob storage.

To ensure the web application is resilient, you have been asked to configure Azure Storage as follows:

• Protect against a regional disaster.
• Leverage synchronous replication of storage data across multiple data centers.

How would you configure Azure Storage to meet these requirements?

GZRS provides asynchronous replication to a single physical location in the secondary region. Additionally, this includes synchronous replication across three availability zones within the primary region (ZRS).

Video for reference: Storage Account Replication

You need to ensure your virtual machine boot and data volumes are encrypted. Your virtual machine is already deployed using an Azure marketplace Windows OS image and managed disks. Which  tasks should you complete to enable the required encryption?

New-AzStorageAccount -name "tpcstore01" -ResourceGroupName "rg1" -location "auseast" -SkuName "standard_lrs"

Which two arguments could you use to complete the PowerShell command to meet the above requirements?

-Kind "Storage"

General Purpose v1 supports blob, file, queue, table, and disk.

-Kind "StorageV2"

General Purpose v2 supports blob, file, queue, table, disk, and data lake.

You need to ensure your virtual machine boot and data volumes are encrypted. Your virtual machine is already deployed using an Azure marketplace Linux OS image and managed disks.
Which  two commands would you use to enable the required encryption?

Azure Disk Encryption leverages a Key Vault for the secure storage of cryptographic information.

Set-AzVMDiskEncryptionExtension

Azure Disk Encryption leverages a VM extension to enable BitLocker (Windows) or DM-Crypt (Linux) to encrypt boot/OS/data volumes.

CompanyA is planning on making some significant changes to their governance solution. They have asked for your assistance with recommendations and questions. Here are the specific requirements.

– Consistency across subscriptions. It appears each subscription has different policies for the creation of virtual machines. The IT department would like to standardize the policies across the Azure subscriptions.

– Ensure critical storage is highly available. There are several critical applications that use storage. The IT department wants to ensure the storage is made highly available across regions.

– Identify R&D costs. The CTO wants to know how much a new project is costing. The costs are spread out across multiple departments.

– ISO compliance. CompanyA wants to certify that it complies with the ISO 27001 standard. The standard will require resources groups, policy assignments, and templates.

How can CompanyA to ensure policies are implemented across multiple subscriptions?

Create a management group and place all the relevant subscriptions in the new management group.
A management group could include all the subscriptions. Then a policy could be scoped to the management group and applied to all the subscriptions.

How can CompanyA ensure applications use geo-redundancy to create highly available storage applications?

Add an Azure policy that requires geo-redundant storage.
An Azure policy can enforce different rules over your resource configurations.

How can CompanyA report all the costs associated with a new product?

Add a resource tag to identify which resources are used for the new product.
Resource tagging provides extra information, or metadata, about your resources. You could then run a cost report on all resources with that tag.

Which governance tool should CompanyA use for the ISO 27001 requirements?

Azure blueprints.
Azure blueprints will deploy all the artifacts for ISO 27001 compliance.

You are configuring an Azure Automation runbook using the Azure sandbox.
For your runbook to work, you need to install a PowerShell module. You would like to minimize the administrative overhead for maintaining and operating your runbook.
Which option should you choose to install an additional PowerShell module?

Navigate to Shared Resources > Modules, and configure the additional module.
Additional PowerShell modules can be added to the sandbox environment for use by your runbooks.

CompanyA is planning on making some significant changes to their identity and access management solution. They have asked for your assistance on some recommendations and questions. Here are the specific requirements.

– Device access to company applications. The CTO has agreed to allow some level of device access. Employees at the company’s retail stores will now be able to access certain company applications. This access, however, should be restricted to only approved devices.

– Company reorganization. A company-wide reorganization has affected many employees. These employees are now in new roles. The IT team needs to ensure users have the correct access based on their new jobs.

– External developer accounts. A new development project requires external software developers to access company data files. The IT team needs to create user accounts for approximately five developers.

– User sign-in attempts. A recent audit of user sign-ins attempts revealed anonymous IP addresses and unusual locations. The IT team wants to require multifactor authentication for these attempted sign-ins.

How can CompanyA ensure that employees at the company’s retail stores can access company applications only from approved tablet devices?

Conditional access: Conditional Access enables you to require users to access your applications only from approved, or managed, devices.

What should CompanyA do to ensure employees have the correct permissions for their job role?

Require an access review: An access review would give managers an opportunity to validate the employees access.

What should CompanyA do to give access to the partner developers?

Invite the developers as guest users to their directory: In Business-to-Business scenarios guest user accounts are created. You can then apply the appropriate permissions

What solution would be best for the user sign-in attempts requirement?

Create a sign-in risk policy: That’s correct. A sign-in risk policy can identify anonymous IP and atypical locations. Secondary multifactor authentication can then be required.

You are working as a network administrator, managing the following virtual networks:

VNET1

• Location: Australia East

• Resource group: RG1

• Address space: 10.1.0.0/16

  VNET2

• Location: Australia Southeast

• Resource group: RG2

• Address space: 10.1.0.0/16

You have been asked to connect VNET1 and VNET2, to allow private communication between resources in each virtual network. Do you need to modify either of the two virtual networks before virtual network peering is supported?

Yes: IP address ranges cannot overlap. One of the virtual networks must have their address space changed before VNet peering would be able to be configured.

You are architecting identity management for a hybrid environment, and you plan to use Azure AD Connect with password hash sync (PHS).
It is important that you design the solution to be highly available. How would you implement high availability for the synchronization service?

Configure an additional server with Azure AD Connect in staging mode.

Azure AD Connect can be configured in staging mode, which helps with high availability.

You are responsible for monitoring a major web application for your company. The application is implemented using Azure App Service Web Apps and Application Insights.
The chief marketing officer has asked you to provide information to help analyze user behavior based on a group of characteristics. To start with, it will be a simple query looking at all active users from Australia.
Which of the following would you use to provide this information?

Cohorts leverage analytics queries to analyze users, sessions, events, or operations that have something in common (e.g., location, event, etc.). Reference: App insights

You work for a company with multiple Active Directory domains: exampledomain1.com and test.lab.com. Your company would like to use Azure AD Connect to synchronize your on-premises Active Directory domain, exampledomain1.com, with Azure AD. You do not wish to synchronize test.lab.com.

Which tasks should you complete, requiring minimal administrative effort and causing the least disruption to the existing environment?

Run the Azure AD Connect wizard, and configure Domain and OU filtering.

You are architecting a mission-critical processing solution for your company. The solution will leverage virtual machines for the processing tier, and it is critical that high performance levels are maintained at all times.
You need to leverage a managed disk that guarantees up to 900 MB/s throughput and 2,000 IOPS — but also minimizes costs.
Which of the following would you use within your solution?

What is the best way to provide the developer access to the ecommerce HTML files?

Which access tier should be used for the older versions of the product catalog?

What tool would you use to identify underutilized and idle Azure resources in order to help reduce overall spend?

You work as a network administrator for a company. You manage several virtual machines within the following virtual network:

• Name: VNET1
• Address space: 10.1.0.0/16
• Subnet: SUBNET1 (10.1.1.0/24)

You need to configure DNS for a VM called VM1, that is located in SUBNET1. DNS should be set to 8.8.8.8. All other VMs must keep their existing settings.

What should you do?

There may be data loss, and the extent of data loss can be estimated using the Last Sync Time.

The Last Sync Time property provides an indication of how far the secondary is behind from the primary. This can be used to estimate the extent of data loss that may occur. 

What storage service should you implement for an application that needs to access data using SMB?

Azure Files: Azure files allow you to create and maintain highly available file shares that are accessible anywhere. They can be considered as a replacement to traditional file servers. They provide SMB access.

You are architecting a mission-critical solution for your company using virtual machines.
The solution must qualify for a Microsoft service level agreement (SLA) of 99.95%.
You deploy your solution to a single virtual machine in an availability set. The virtual machine uses premium storage. Does this meet the required SLA?

No: The virtual machine does use premium storage; however, this only provides a 99.9% SLA.

You are implementing Azure Backup using the Microsoft Azure Backup Server.
Which of the following would you use to allow the server to register with your recovery services vault?

Vault Credentials: Vault Credentials are used by the Microsoft Azure Backup Server software to register with the vault.

You are developing a solution on a server hosted on-premises. The solution needs to access data within Azure Key Vault.
Which two options would you use to ensure the application has access to Azure Key Vault?

Register the application in Azure AD and use a client secret.
To allow an on-premises application to authenticate with Azure AD, it can be registered in Azure AD and given a client secret (or client certificate). If this application was hosted on a supported Azure service, it could have been possible to use a managed identity instead.

Configure an access policy in Azure Key Vault.
To allow access to Key Vault, any identity (application, user, etc.) must be provided permissions using an Access Policy.

You have a Windows virtual machine within Azure, which must be backed up.
You have the following requirements:
– Back up the virtual machine three times per day
– Include system state backups
You configure a backup to a recovery services vault using the Microsoft Azure Recovery Services (MARS) agent.
Does this fulfill the requirements above?

Yes: The Microsoft Azure Recovery Services (MARS) agent can perform backups of files, folders, and system states up to three times a day.

You are planning a migration of machines to Azure from your on-premises Hyper-V host.
You would like to estimate how much it will cost to migrate your operating machines to Azure. Which of the following two items would you include in your migration solution?
The effort required to estimate pricing, and then ultimately go on to perform a migration, should be minimized.

Azure Migrate Project: All migrations (both assessment and migration) require an Azure Migrate Project for the storage of related metadata.

You are implementing Azure Blueprints to help improve standards and compliance for your Azure environment.
You would like to ensure that when an Azure Blueprint is used, a user is assigned ‘owner’ permissions to a specific resource group defined in the blueprint.
Does Azure Blueprints provide this functionality?

Yes: Azure Blueprints includes several different artifacts, one of which is ‘Role Assignment’. This allows a user to be assigned permissions as part of the blueprint definition.

You are planning a migration from on-premises to Azure.
Your on-premises environment is made up of the following:
– VMware hosted virtual machines
– Hyper-V hosted virtual machines
– Physical servers
Will the Azure Migrate: Server Migration tool provided by Microsoft support your environment for migrations to Azure?

Yes, for VMware, Hyper-V, and physical machines. The Azure Migrate: Server Migration tool support migrating VMware VMs, Hyper-V VMs, and physical servers.

For a new container image you are developing, you need to ensure a local HTML file, index.html, is included in the image. Which command would you include in the Dockerfile?

You are responsible for improving the availability of a web application. The web application has the following characteristics:
– Hosted using Azure App Service.
– Leverages an Azure SQL back-end.
You need to configure Azure SQL Database to meet the following needs:
Must be able to continue operations in the event of a region failure.
Must support automatic failover in the event of failure.
You must recommend a solution that requires the least amount of effort to implement, and can manage in the event of a failover. Which configuration do you recommend?

You need to configure high availability for Azure SQL Databases.
You would like the service to include the following:
– Automatic failover policy.
– Ability to manually failover.
– DNS management for primary read/write access.
You configure Azure SQL Active Geo-Replication. Does this meet the requirements?

No: Active Geo-Replication does not include DNS automatically managed for primary read/write access. This is a feature of auto-failover groups. The inclusion of DNS for both the primary read/write endpoint, and the secondary read endpoint, reduces the management overhead for ensuring applications are pointing to the correct resources in the event of a disaster.

https://awscertifiedsolutionarchitectexamprep.com/

Top 60 AWS Solution Architect Associate Exam Tips

A Twitter List by enoumen