Microsoft Azure Administrator Certification Transition v1.0 (AZ-102)

Page:    1 / 6   
Total 81 questions

HOTSPOT -
You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one subnet named Subnet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool.
You need to collect data about the IP addresses that connect to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer :

Explanation:
Box 1: A Log Analytics workspace
Log Analytics workspace: An instance of Log Analytics where the data pertaining to an Azure account is stored.
Log Analytics: An Azure service that collects monitoring data and stores the data in a central repository. This data can include events, performance data, or custom data provided through the Azure API. Once collected, the data is available for alerting, analysis, and export. Monitoring applications such as network performance monitor and traffic analytics are built using Log Analytics as a foundation.

Box 2: NSG1 -
Network security group (NSG): Contains a list of security rules that allow or deny network traffic to resources connected to an Azure Virtual Network. NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
References:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

You have an Azure subscription named Subscription1 that has the following providers registered:
-> Authorization
-> Automation
-> Resources
-> Compute
-> KeyVault
-> Network
-> Storage
-> Billing
-> Web
Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
-> Private IP address: 10.0.0.4 (dynamic)
-> Network security group (NSG): NSG1
-> Public IP address: None
-> Availability set: AVSet
-> Subnet: 10.0.0.0/24
-> Managed disks: No
-> Location: East US
You need to record all the successful and failed connection attempts to VM1.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Register the Microsoft.Insights resource provider
  • B. Add an Azure Network Watcher connection monitor
  • C. Register the Microsoft.LogAnalytics provider
  • D. Enable Azure Network Watcher in the East US Azure region
  • E. Create an Azure Storage account
  • F. Enable Azure Network Watcher flow logs


Answer : ADF

Explanation:
Step 1: (D)
We must have a Network Watcher enabled in the East US region.
Step 2: (A+F)
A: NSG flow logging requires the Microsoft.Insights provider, which must be registered.
F: Network security groups (NSG) allow or deny inbound or outbound traffic to a network interface in a VM. The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an NSG.
References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
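Both of the questions above end up at the same data source: NSG flow logs written by Network Watcher, which record each flow's source and destination IP, ports, protocol, direction and the allow/deny decision. The parser below is an added example, not from the original page or from Microsoft; it reads a small flow log in the documented version 2 JSON shape (the sample itself is constructed, with a placeholder subscription id) and tallies allowed and denied inbound connection attempts per source IP for VM1's address 10.0.0.4, which is the same summary Traffic Analytics or a Log Analytics query would give you over the real logs.

```python
import json
from collections import defaultdict

# Constructed sample in the NSG flow log version 2 layout (not a real capture).
# Tuple fields: ts,srcIP,dstIP,srcPort,dstPort,proto(T/U),dir(I/O),decision(A/D),
#               state(B/C/E),pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2019-01-01T00:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<SUBSCRIPTION-ID>/RESOURCEGROUPS/RG1/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1546300800,203.0.113.10,10.0.0.4,51000,443,T,I,A,B,,,,",
            "1546300801,203.0.113.10,10.0.0.4,51000,443,T,I,A,E,10,1200,8,900"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1546300802,198.51.100.7,10.0.0.4,40000,3389,T,I,D,B,,,,",
            "1546300803,198.51.100.7,10.0.0.4,40001,22,T,I,D,B,,,,"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1546300804,10.0.0.4,203.0.113.50,52000,443,T,O,A,B,,,,"]}]},
    ]},
}]})


def summarize_inbound(flow_log_text, dest_ip):
    """Count allowed/denied inbound flow starts per source IP for one destination.

    Version 2 tuples carry a flow state: 'B' marks a new flow, 'C' and 'E' are
    continuation/end records for a flow already counted, so only 'B' is tallied.
    Version 1 tuples have 8 fields and no state, so each one is counted once.
    """
    counts = defaultdict(lambda: {"allowed": 0, "denied": 0, "rules": set()})
    for record in json.loads(flow_log_text)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tuple_str in nic["flowTuples"]:
                    f = tuple_str.split(",")
                    src, dst, direction, decision = f[1], f[2], f[6], f[7]
                    state = f[8] if len(f) > 8 else "B"
                    if direction != "I" or dst != dest_ip or state != "B":
                        continue  # outbound, other destination, or not a new flow
                    counts[src]["allowed" if decision == "A" else "denied"] += 1
                    counts[src]["rules"].add(rule_block["rule"])  # which NSG rule decided
    return dict(counts)
```

Running `summarize_inbound(SAMPLE_FLOW_LOG, "10.0.0.4")` gives one allowed HTTPS connection from 203.0.113.10 and two denied attempts (RDP and SSH) from 198.51.100.7, with the outbound flow excluded.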

HOTSPOT -
You configure the multi-factor authentication status for three users as shown in the following table.

You create a group named Group1 and add Admin1, Admin2, and Admin3 to the group.
For all cloud apps, you create a conditional access policy that includes Group1. The policy requires multi-factor authentication.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer :

Explanation:

Box 1: No -
Disabled is the default state for a new user not enrolled in Azure MFA.

Box 2: Yes -
Enforced: The user has been enrolled and has completed the registration process for Azure MFA.
Web browser apps require login in this case.

Box 3: Yes -
Enabled: The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in.
Web browser apps require login in this case.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

You have an Azure subscription named Subscription1 and two Azure Active Directory (Azure AD) tenants named Tenant1 and Tenant2.
Subscription1 is associated to Tenant1. Multi-factor authentication (MFA) is enabled for all the users in Tenant1.
You need to enable MFA for the users in tenant2. The solution must maintain MFA for Tenant1.
What should you do first?

  • A. Configure the MFA Server setting in Tenant1.
  • B. Transfer the administration of Subscription1 to a global administrator of Tenant2.
  • C. Create and link a subscription to Tenant2.
  • D. Change the directory for Subscription1.


Answer : C

You are the global administrator for an Azure Active Directory (Azure AD) tenant named adatum.com.
You need to enable two-step verification for Azure users.
What should you do?

  • A. Configure a playbook in Azure AD conditional access policy.
  • B. Create an Azure AD conditional access policy.
  • C. Create and configure the Identity Hub.
  • D. Install and configure Azure AD Connect.


Answer : B

References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

From the MFA Server blade, you open the Block/unblock users blade as shown in the exhibit.

Block/unblock users -
A blocked user will not receive Multi-Factor Authentication requests. Authentication attempts for that user will be automatically denied. A user will remain blocked for 90 days from the time they are blocked. To manually unblock a user, click the "Unblock" action.

What caused AlexW to be blocked?

  • A. The user entered an incorrect PIN four times within 10 minutes.
  • B. The user account password expired.
  • C. An administrator manually blocked the user.
  • D. The user reported a fraud alert when prompted for additional authentication.


Answer : D

You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network.
Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.
You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory.
You need to ensure that the users can use single-sign on (SSO) to access Azure resources.
What should you do first?

  • A. From the on-premises network, deploy Active Directory Federation Services (AD FS).
  • B. From the server that runs Azure AD Connect, modify the filtering options.
  • C. From the on-premises network, request a new certificate that contains the Active Directory domain name.
  • D. From Azure AD, add and verify a custom domain name.


Answer : D

Explanation:
Azure AD Connect lists the UPN suffixes that are defined for the domains and tries to match them with a custom domain in Azure AD. Then it helps you with the appropriate action that needs to be taken. The Azure AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and displays the corresponding status against each suffix. The status values can be one of the following:
-> State: Verified
Azure AD Connect found a matching verified domain in Azure AD. All users for this domain can sign in by using their on-premises credentials.
-> State: Not verified
Azure AD Connect found a matching custom domain in Azure AD, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified.
Action Required: Verify the custom domain in Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-user-signin

HOTSPOT -
Your network contains an Active Directory domain named adatum.com and an Azure Active Directory (Azure AD) tenant named adatum.onmicrosoft.com.
Adatum.com contains the user accounts in the following table.

Adatum.onmicrosoft.com contains the user accounts in the following table.

You need to implement Azure AD Connect. The solution must follow the principle of least privilege.
Which user accounts should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer :

Explanation:

Box 1: User5 -
In Express settings, the installation wizard asks for the following:
AD DS Enterprise Administrator credentials
Azure AD Global Administrator credentials
The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These credentials are only used during the installation and are not used after the installation has completed. The Enterprise Admin, not the Domain Admin, should make sure the permissions in Active Directory can be set in all domains.

Box 2: UserA -
Azure AD Global Admin credentials are only used during the installation and are not used after the installation has completed. They are used to create the Azure AD Connector account used for synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.
Hot Area:

Answer :

Explanation:
Box 1: Assignments, Users and Groups
When you configure the sign-in risk policy, you need to set:
The users and groups the policy applies to: Select Individuals and Groups

Box 2:
When you configure the sign-in risk policy, you need to set the type of access you want to be enforced.

Box 3:
When you configure the sign-in risk policy, you need to set:
The type of access you want to be enforced when your sign-in risk level has been met:

References:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-user-risk-policy

You have an Azure Active Directory (Azure AD) tenant.
You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of AD-joined devices when members of the Global Administrators group authenticate to Azure AD from untrusted locations.
You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating from untrusted locations.
What should you do?

  • A. From the Azure portal, modify session control of Policy1.
  • B. From the Azure portal, modify grant control of Policy1.
  • C. From the multi-factor authentication page, modify the user settings.
  • D. From the multi-factor authentication page, modify the service settings.


Answer : B

Explanation:
With grant controls, you can either block access altogether or allow access with additional requirements by selecting the desired controls. For multiple controls, you can require:
-> All selected controls to be fulfilled (AND)
-> One selected control to be fulfilled (OR)

Incorrect Answers:
A: Session controls enable limited experience within a cloud app.
References:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/controls

You have an Azure Active Directory (Azure AD) tenant.
All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal only from your on-premises network.
What should you configure?

  • A. the multi-factor authentication service settings
  • B. an Azure AD Identity Protection user risk policy
  • C. the default for all the roles in Azure AD Privileged Identity Management
  • D. an Azure AD Identity Protection sign-in risk policy


Answer : A

You set the multi-factor authentication status for a user named [email protected] to Enabled.
Admin1 accesses the Azure portal by using a web browser.
Which additional security verifications can Admin1 use when accessing the Azure portal?

  • A. a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app.
  • B. an app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app.
  • C. a phone call, an email message that contains a verification code, and a text message that contains an app password.
  • D. an app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app.


Answer : A

Explanation:
The user portal is an IIS web site that allows users to enroll in Azure Multi-Factor Authentication (MFA) and maintain their accounts. A user may change their phone number, change their PIN, or choose to bypass two-step verification during their next sign-on.
Mobile App verification method is an option. If the user selects the Mobile App verification method, the page prompts the user to install the Microsoft Authenticator app on their device and generate an activation code. After installing the app, the user clicks the Generate Activation Code button.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy-userportal

You have an Azure subscription.
You enable multi-factor authentication for all users.
Some users report that the email applications on their mobile device cannot connect to their Microsoft Exchange Online mailbox. The users can access Exchange Online by using a web browser and from Microsoft Outlook 2016 on their computer.
You need to ensure that the users can use the email applications on their mobile device.
What should you instruct the users to do?

  • A. Create an app password.
  • B. Enable self-service password reset.
  • C. Reset the Azure Active Directory (Azure AD) password.
  • D. Reinstall the Microsoft Authenticator app.


Answer : B

References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com.
You have a Microsoft account that you use to sign in to both tenants.
You need to configure the default sign-in tenant for the Azure portal.
What should you do?

  • A. From Azure Cloud Shell, run Set-AzureRmContext.
  • B. From the Azure portal, change the directory.
  • C. From the Azure portal, configure the portal settings.
  • D. From Azure Cloud Shell, run Set-AzureRmSubscription.


Answer : A

Explanation:
The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current session. The context includes tenant, subscription, and environment information.
References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.profile/set-azurermcontext

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?

  • A. NSEC3
  • B. DNSKEY
  • C. RRSIG
  • D. TXT


Answer : D

Explanation:
After you add your custom domain name to Azure AD, you must return to your domain registrar and add the Azure AD DNS information from your copied TXT file.
Creating this TXT record for your domain "verifies" ownership of your domain name.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
