Question #250 Topic 1
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
What are two possible solutions? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
- A. Modify an Azure Traffic Manager profile
- B. Modify a network security group (NSG)
- C. Modify a DDoS protection plan
- D. Modify an Azure firewall
Correct Answer: B
A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the virtual network.
You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
In this question, we need to add a rule to the network security group to allow the connection to the virtual machine on port 80 (HTTP).
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Community vote distribution
B (67%)
D (33%)
Question #251 Topic 1
HOTSPOT –
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
The just-in-time (JIT) virtual machine (VM) access feature in Azure Security Center allows you to lock down inbound traffic to your Azure Virtual Machines. This reduces exposure to attacks while providing easy access when you need to connect to a VM.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-asc
Question #252 Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Question #253 Topic 1
You have an Azure environment that contains 10 virtual networks and 100 virtual machines.
You need to limit the amount of inbound traffic to all the Azure virtual networks.
What should you create?
- A. one application security group (ASG)
- B. 10 virtual network gateways
- C. 10 Azure ExpressRoute circuits
- D. one Azure firewall
Correct Answer: D
You can restrict traffic to multiple virtual networks with a single Azure firewall.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network.
References:
https://docs.microsoft.com/en-us/azure/firewall/overview
Community vote distribution
D (100%)
Question #254 Topic 1
This question requires that you evaluate the underlined text to determine if it is correct.
Azure Key Vault is used to store secrets for Azure Active Directory (Azure AD) user accounts.
Instructions: Review the underlined text. If it makes the statement correct, select `No change is needed`. If the statement is incorrect, select the answer choice that makes the statement correct.
- A. No change is needed
- B. Azure Active Directory (Azure AD) administrative accounts
- C. Personally Identifiable Information (PII)
- D. server applications
Correct Answer: D
Key Vault is designed to store configuration secrets for server apps. It’s not intended for storing data belonging to your app’s users, and it shouldn’t be used in the client-side part of an app.
Reference:
https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/2-what-is-key-vault
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/
Community vote distribution
D (60%)
A (37%)
2%
Question #255 Topic 1
Your company plans to automate the deployment of servers to Azure.
Your manager is concerned that you may expose administrative credentials during the deployment.
You need to recommend an Azure solution that encrypts the administrative credentials during the deployment.
What should you include in the recommendation?
- A. Azure Key Vault
- B. Azure Information Protection
- C. Azure Security Center
- D. Azure Multi-Factor Authentication (MFA)
Correct Answer: A
Azure Key Vault is a secure store for various types of sensitive information. In this question, we would store the administrative credentials in the Key Vault.
With this solution, there is no need to store the administrative credentials as plain text in the deployment scripts.
All information stored in the Key Vault is encrypted.
Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated.
Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication establishes the identity of the caller, while authorization determines the operations that they are allowed to perform.
References:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
Community vote distribution
A (100%)
Question #256 Topic 1
You plan to deploy several Azure virtual machines.
You need to control the ports that devices on the Internet can use to access the virtual machines.
What should you use?
- A. a network security group (NSG)
- B. an Azure Active Directory (Azure AD) role
- C. an Azure Active Directory group
- D. an Azure key vault
Correct Answer: A
A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the virtual network.
You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Community vote distribution
A (100%)
Question #257 Topic 1
HOTSPOT –
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
When you create a virtual machine, the default setting is to create a Network Security Group attached to the network interface assigned to a virtual machine.
A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the virtual network.
You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
In this question, we need to add a rule to the network security group to allow the connection to the virtual machine on port 8080.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Question #258 Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner
Question #259 Topic 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify a network security group (NSG).
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: A
A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the virtual network.
You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
In this question, we need to add a rule to the network security group to allow the connection to the virtual machine on port 80 (HTTP).
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Community vote distribution
A (86%)
14%
Question #260 Topic 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify a DDoS protection plan.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
DDoS is a form of attack on a network resource. A DDoS protection plan is used to protect against DDoS attacks; it does not provide connectivity to a virtual machine.
To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP, you need to modify a network security group or Azure Firewall.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview
Community vote distribution
B (100%)
Question #261 Topic 1
You need to collect and automatically analyze security events from Azure Active Directory (Azure AD).
What should you use?
- A. Azure Sentinel
- B. Azure Synapse Analytics
- C. Azure AD Connect
- D. Azure Key Vault
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview
Community vote distribution
A (100%)
Question #262 Topic 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify an Azure firewall.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: A
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
In this question, we need to add a rule to Azure Firewall to allow the connection to the virtual machine on port 80 (HTTP).
References:
https://docs.microsoft.com/en-us/azure/firewall/overview
Community vote distribution
A (100%)
Question #263 Topic 1
This question requires that you evaluate the underlined text to determine if it is correct.
Azure Germany can be used by legal residents of Germany only.
Instructions: Review the underlined text. If it makes the statement correct, select `No change is needed`. If the statement is incorrect, select the answer choice that makes the statement correct.
- A. no change is needed
- B. only enterprises that are registered in Germany
- C. only enterprises that purchase their Azure licenses from a partner based in Germany
- D. any user or enterprise that requires its data to reside in Germany
Correct Answer: D
Azure Germany is available to eligible customers and partners globally who intend to do business in the EU/EFTA, including the United Kingdom.
Azure Germany offers a separate instance of Microsoft Azure services from within German datacenters. The datacenters are in two locations, Frankfurt/Main and Magdeburg. This placement ensures that customer data remains in Germany and that the datacenters connect to each other through a private network. All customer data is exclusively stored in those datacenters. A designated German company–the German data trustee–controls access to customer data and the systems and infrastructure that hold customer data.
References:
https://docs.microsoft.com/en-us/azure/germany/germany-welcome?toc=%2fazure%2fgermany%2ftoc.json
https://docs.microsoft.com/en-us/azure/germany/germany-overview-data-trustee
Community vote distribution
D (100%)
Question #264 Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes –
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronizing identity data between your on-premises environment and Azure AD.
Box 2: Yes –
As described above, third-party cloud services and on-premises Active Directory can be used to access Azure resources. This is known as ‘federation’.
Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.
Box 3: Yes –
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in authentication and authorization service to provide secure access to Azure resources.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
Question #265 Topic 1
HOTSPOT –
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
The advanced monitoring capabilities in Security Center let you track and manage compliance and governance over time. The overall compliance provides you with a measure of how much your subscriptions are compliant with policies associated with your workload.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
Question #266 Topic 1
What should you use to evaluate whether your company’s Azure environment meets regulatory requirements?
- A. Azure Service Health
- B. Azure Knowledge Center
- C. Azure Security Center
- D. Azure Advisor
Correct Answer: C
The advanced monitoring capabilities in Security Center let you track and manage compliance and governance over time. The overall compliance provides you with a measure of how much your subscriptions are compliant with policies associated with your workload.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
Community vote distribution
C (100%)
Question #267 Topic 1
HOTSPOT –
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Azure Information Protection is used to automatically add a watermark to Microsoft Word documents that contain credit card information.
You use Azure Information Protection labels to apply classification to documents and emails. When you do this, the classification is identifiable regardless of where the data is stored or with whom it’s shared. The labels can include visual markings such as a header, footer, or watermark.
Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations. In this question, we would configure a label to be automatically applied to Microsoft Word documents that contain credit card information. The label would then add the watermark to the documents.
Reference:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
https://docs.microsoft.com/en-us/azure/information-protection/infoprotect-quick-start-tutorial
Question #268 Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: No –
Azure Active Directory (Azure AD) is a cloud-based service. It does not require domain controllers on virtual machines.
Box 2: Yes –
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in authentication and authorization service to provide secure access to Azure resources and Microsoft 365.
Box 3: No –
User accounts in Azure Active Directory can be assigned multiple licenses for different Azure or Microsoft 365 services.
Question #269 Topic 1
Which two types of customers are eligible to use Azure Government to develop a cloud solution? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
- A. a Canadian government contractor
- B. a European government contractor
- C. a United States government entity
- D. a United States government contractor
- E. a European government entity
Correct Answer: CD
Azure Government is a cloud environment specifically built to meet compliance and security requirements for US government. This mission-critical cloud delivers breakthrough innovation to U.S. government customers and their partners. Azure Government applies to government at any level, from state and local governments to federal agencies including Department of Defense agencies.
The key difference between Microsoft Azure and Microsoft Azure Government is that Azure Government is a sovereign cloud. It’s a physically separated instance of Azure, dedicated to U.S. government workloads only. It’s built exclusively for government agencies and their solution providers.
References:
https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-government/2-what-is-azure-government
Community vote distribution
CD (100%)
Question #270 Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: No –
It is not true that you must deploy a federation solution or sync on-premises identities to the cloud. You can have a cloud-only environment and use MFA.
Box 2: No –
Picture identification and passport numbers are not valid MFA authentication methods. Valid methods include: Password, Microsoft Authenticator App, SMS and Voice call.
Box 3:
You can configure MFA to be required for administrator accounts only or you can configure MFA for any user account.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
Question #271 Topic 1
You need to ensure that when Azure Active Directory (Azure AD) users connect to Azure AD from the Internet by using an anonymous IP address, the users are prompted automatically to change their password.
Which Azure service should you use?
- A. Azure AD Connect Health
- B. Azure AD Privileged Identity Management
- C. Azure Advanced Threat Protection (ATP)
- D. Azure AD Identity Protection
Correct Answer: D
Azure AD Identity Protection includes two risk policies: sign-in risk policy and user risk policy. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner.
There are several types of risk detection. One of them is Anonymous IP Address. This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their login telemetry (IP address, location, device, etc.) for potentially malicious intent.
You can configure the sign-in risk policy to require that users change their password.
References:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
Community vote distribution
D (100%)
Question #272 Topic 1
DRAG DROP –
Match the term to the correct definition.
Instructions: To answer, drag the appropriate term from the column on the left to its description on the right. Each term may be used once, more than once, or not at all.
NOTE: Each correct match is worth one point.
Select and Place:
Correct Answer:
Box 1: ISO –
ISO is the International Organization for Standardization. Companies can be certified to ISO standards, for example ISO 9001 or 27001 are commonly used in IT companies.
Box 2: NIST –
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory, and a non-regulatory agency of the United States Department of Commerce.
Box 3: GDPR –
GDPR is the General Data Protection Regulation. This standard was adopted across Europe in May 2018 and replaces the now deprecated Data Protection Directive.
The General Data Protection Regulation (EU) (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Box 4: Azure Government –
US government agencies or their partners interested in cloud services that meet government security and compliance requirements can be confident that Microsoft Azure Government provides world-class security, protection, and compliance services. Azure Government delivers a dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. Azure Government services handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. In order to provide you with the highest level of security and compliance, Azure Government uses physically isolated datacenters and networks (located in U.S. only).
References:
https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-welcome
Question #273 Topic 1
To what should an application connect to retrieve security tokens?
- A. an Azure Storage account
- B. Azure Active Directory (Azure AD)
- C. a certificate store
- D. an Azure key vault
Correct Answer: D
Key Vault is designed to store configuration secrets for server apps.
Incorrect Answers:
A: An Azure Storage account is used to store data. It is not used to store secrets for applications.
B: Azure Active Directory (Azure AD) is a centralized identity provider in the cloud that authenticates users and provides access tokens to them. It is not used for applications.
Reference:
https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/2-what-is-key-vault
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
Community vote distribution
D (55%)
B (45%)
Question #274 Topic 1
Your network contains an Active Directory forest. The forest contains 5,000 user accounts.
Your company plans to migrate all network resources to Azure and to decommission the on-premises data center.
You need to recommend a solution to minimize the impact on users after the planned migration.
What should you recommend?
- A. Implement Azure Multi-Factor Authentication (MFA)
- B. Sync all the Active Directory user accounts to Azure Active Directory (Azure AD)
- C. Instruct all users to change their password
- D. Create a guest user account in Azure Active Directory (Azure AD) for each user
Correct Answer: B
To migrate to Azure and decommission the on-premises data center, you would need to create the 5,000 user accounts in Azure Active Directory. The easy way to do this is to sync all the Active Directory user accounts to Azure Active Directory (Azure AD). You can even sync their passwords to further minimize the impact on users.
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronizing identity data between your on-premises environment and Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
Community vote distribution
B (100%)
Question #275 Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes –
You can send Azure AD activity logs to Azure Monitor logs to enable rich visualizations, monitoring and alerting on the connected data.
All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs (including Azure AD activity logs). Activity logs record when resources are created or modified. Metrics tell you how the resource is performing and the resources that it’s consuming.
Box 2: Yes –
Azure Monitor can consolidate log entries from multiple Azure resources, subscriptions, and tenants into one location for analysis together.
Box 3: Yes –
You can create alerts in Azure Monitor.
Alerts in Azure Monitor proactively notify you of critical conditions and potentially attempt to take corrective action. Alert rules based on metrics provide near real time alerting based on numeric values, while rules based on logs allow for complex logic across data from multiple sources.
References:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor
https://docs.microsoft.com/en-us/azure/azure-monitor/overview
Question #276 Topic 1
HOTSPOT –
You create a resource group named RG1 in Azure Resource Manager.
You need to prevent the accidental deletion of the resources in RG1.
Which setting should you use? To answer, select the appropriate setting in the answer area.
Hot Area:
Correct Answer:
You can configure a lock on a resource group to prevent the accidental deletion.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
- CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
- ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
Question #277 Topic 1
You have a resource group named RG1.
You need to prevent the creation of virtual machines in RG1. The solution must ensure that other objects can be created in RG1.
What should you use?
- A. a lock
- B. an Azure role
- C. a tag
- D. an Azure policy
Correct Answer: D
Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
In this question, we would create an Azure policy assigned to the resource group that denies the creation of virtual machines in the resource group.
You could place a read-only lock on the resource group. However, that would prevent the creation of any resources in the resource group, not virtual machines only. Therefore, an Azure Policy is a better solution.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
Community vote distribution
D (100%)
Question #278 Topic 1
You have an Azure subscription and 100 Windows 10 devices.
You need to ensure that only users whose devices have the latest security patches installed can access Azure Active Directory (Azure AD)-integrated applications.
What should you implement?
- A. a conditional access policy
- B. Azure Bastion
- C. Azure Firewall
- D. Azure Policy
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies
Community vote distribution
A (100%)
Question #279 Topic 1
What can Azure Information Protection encrypt?
- A. network traffic
- B. documents and email messages
- C. an Azure Storage account
- D. an Azure SQL database
Correct Answer: B
Azure Information Protection can encrypt documents and emails.
Azure Information Protection is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails by applying labels.
Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.
The protection technology uses Azure Rights Management (often abbreviated to Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory.
This protection technology uses encryption, identity, and authorization policies. Similarly to the labels that are applied, protection that is applied by using Rights Management stays with the documents and emails, independently of the location, inside or outside your organization, networks, file servers, and applications.
References:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
https://docs.microsoft.com/en-us/azure/information-protection/quickstart-label-dnf-protectedemail
Community vote distribution
B (100%)
Question #280Topic 1
What should you use to evaluate whether your company’s Azure environment meets regulatory requirements?
- A. the Knowledge Center website
- B. the Advisor blade from the Azure portal
- C. Compliance Manager from the Service Trust Portal
- D. the Solutions blade from the Azure portal
Correct Answer: C
Compliance Manager in the Service Trust Portal is a workflow-based risk assessment tool that helps you track, assign, and verify your organization’s regulatory compliance activities related to Microsoft Cloud services, such as Microsoft 365, Dynamics 365, and Azure.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide
Question #281Topic 1
HOTSPOT –
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Question #282Topic 1
You have an Azure subscription.
Where will you find details on the personal data collected by Microsoft, how Microsoft uses the data, and what the data is used for?
- A. the Data Protection Addendum
- B. the Microsoft Online Services Terms
- C. the Microsoft Privacy Statement
- D. Azure Security Center
Correct Answer: C
The Microsoft Privacy Statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes. Your applicable Services Agreement or the Preview Supplemental Terms may specify lesser or different privacy measures for some Preview services.
Reference:
https://azure.microsoft.com/en-us/support/legal/
Community vote distribution
C (100%)
Question #283Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register
Question #284Topic 1
HOTSPOT –
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
The VNet will be marked as ‘Non-compliant’ when the policy is assigned. However, it will not be deleted and will continue to function normally.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
If there are any existing resources that aren’t compliant with a new policy assignment, they appear under Non-compliant resources.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal
Question #285Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://www.microsoft.com/en-us/trust-center
Question #286Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes –
You use Azure Policy to enforce tagging rules and conventions.
Box 2: Yes –
Each resource or resource group can have a maximum of 50 tags.
Box 3: No –
Tags applied to the resource group or subscription aren’t inherited by the resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/govern-tags
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
Question #287Topic 1
DRAG DROP –
Match the resources to the appropriate descriptions.
To answer, drag the appropriate resource from the column on the left to its description on the right. Each resource may be used once, more than once, or not at all.
NOTE: Each correct match is worth one point.
Select and Place:
Correct Answer:
Reference:
https://azure.microsoft.com/en-us/support/legal/
Question #288Topic 1
HOTSPOT –
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
Question #289Topic 1
HOTSPOT –
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Reference:
https://support.azure.cn/en-us/support/faq/
Question #290Topic 1
What should you use to evaluate whether your company’s Azure environment meets regulatory requirements?
- A. Azure Service Health
- B. Azure Knowledge Center
- C. Microsoft Defender for Cloud
- D. Azure Advisor
Correct Answer: C
Microsoft Defender for Cloud helps streamline the process for meeting regulatory compliance requirements, using the regulatory compliance dashboard.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/regulatory-compliance-dashboard
Community vote distribution
C (100%)
Question #291Topic 1
HOTSPOT –
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Microsoft Service Trust Portal.
The Microsoft Service Trust Portal provides a variety of content, tools, and other resources about Microsoft security, privacy, and compliance practices.
Trust Documents –
Provides a wealth of security implementation and design information with the goal of making it easier for you to meet regulatory compliance objectives by understanding how Microsoft Cloud services keep your data secure. To review content, select one of the following options on the Trust Documents pull-down menu.
* Audit Reports: A list of independent audit and assessment reports on Microsoft’s Cloud services is displayed. These reports provide information about Microsoft Cloud services compliance with data protection standards and regulatory requirements.
* Data Protection: Contains a wealth of resources such as audited controls, white papers, FAQs, penetration tests, risk assessment tools, and compliance guides.
* Azure Security and Compliance Blueprints: Resources that help you build secure and compliant cloud-based applications. This area contains blueprint-guidance for government, finance, healthcare, and retail verticals.
Incorrect:
Not: Microsoft Defender for Cloud.
Defender for Cloud is a tool for security posture management and threat protection. It strengthens the security posture of your cloud resources, and with its integrated Microsoft Defender plans, Defender for Cloud protects workloads running in Azure, hybrid, and other cloud platforms.
Defender for Cloud provides the tools needed to harden your resources, track your security posture, protect against cyber attacks, and streamline security management.
Not: the Microsoft 365 Compliance center
The Security & Compliance Center lets you grant permissions to people who perform compliance tasks like device management, data loss prevention, eDiscovery, retention, and so on. These people can perform only the tasks that you explicitly grant them access to.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal
Question #292Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide
Question #293Topic 1
Your company has an Azure subscription that contains resources in several regions.
You need to create the Azure resource that must be used to meet the policy requirement.
What should you create?
- A. a read-only lock
- B. an Azure policy
- C. a management group
- D. a reservation
Correct Answer: B
Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. All data stored by Azure Policy is encrypted at rest.
Azure Policy offers several built-in policies that are available by default. In this question, we would use the ‘Allowed Locations’ policy to define the locations where resources can be deployed.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
Community vote distribution
B (100%)
Question #294Topic 1
This question requires that you evaluate the underlined text to determine if it is correct.
From Azure Cloud Shell, you can track your company’s regulatory standards and regulations, such as ISO 27001.
Instructions: Review the underlined text. If it makes the statement correct, select `No change is needed.` If the statement is incorrect, select the answer choice that makes the statement correct.
- A. No change is needed.
- B. the Microsoft Cloud Partner Portal
- C. Compliance Manager
- D. the Trust Center
Correct Answer: C
Microsoft Compliance Manager (Preview) is a free workflow-based risk assessment tool that lets you track, assign, and verify regulatory compliance activities related to Microsoft cloud services. Azure Cloud Shell, on the other hand, is an interactive, authenticated, browser-accessible shell for managing Azure resources.
References:
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-overview
https://docs.microsoft.com/en-us/azure/cloud-shell/overview
Community vote distribution
C (63%)
D (38%)
Question #295Topic 1
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Azure AD join only applies to Windows 10 devices.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy
https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan
Question #296Topic 1
HOTSPOT –
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
The Microsoft Privacy Statement explains what personal data Microsoft processes, how Microsoft processes the data, and the purpose of processing the data.
Reference:
https://privacy.microsoft.com/en-us/privacystatement
Question #297Topic 1
HOTSPOT –
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Authentication, not authorization, is the process of verifying a user’s credentials.
The difference between authentication and authorization is:
- Authentication is proving your identity, proving that you are who you say you are. The most common example of this is logging in to a system by providing credentials such as a username and password.
- Authorization is what you’re allowed to do once you’ve been authenticated. For example, what resources you’re allowed to access and what you can do with those resources.
Question #298Topic 1
HOTSPOT –
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
Question #299Topic 1
HOTSPOT –
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview