Microsoft Azure Architect Design v1.0 (AZ-301)

Page:    1 / 18   
Total 265 questions

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.
You discover several login attempts to the Azure portal from countries where administrative users do NOT work.
You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).
Solution: Create an Access Review for Group1.
Does this solution meet the goal?

  • A. Yes
  • B. No


Answer : B

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.
You discover several login attempts to the Azure portal from countries where administrative users do NOT work.
You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).
Solution: You implement an access package.
Does this solution meet the goal?

  • A. Yes
  • B. No


Answer : B

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.
You discover several login attempts to the Azure portal from countries where administrative users do NOT work.
You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).
Solution: Implement Azure AD Privileged Identity Management.
Does this solution meet the goal?

  • A. Yes
  • B. No


Answer : A

Your company has several Azure subscriptions that are part of a Microsoft Enterprise Agreement.
The company's compliance team creates automatic alerts by using Azure Monitor.
You need to recommend a solution that automatically recreates the alerts in new Azure subscriptions that are added to the Enterprise Agreement.
What should you include in the recommendation?

  • A. Azure Automation runbooks
  • B. Azure Log Analytics alerts
  • C. Azure Monitor action groups
  • D. Azure Resource Manager templates
  • E. Azure Policy


Answer : E

You store web access logs data in Azure Blob storage.
You plan to generate monthly reports from the access logs.
You need to recommend an automated process to upload the data to Azure SQL Database every month.
What should you include in the recommendation?

  • A. Microsoft SQL Server Migration Assistant (SSMA)
  • B. Azure Data Factory
  • C. Data Migration Assistant
  • D. AzCopy


Answer : B

Your company has the offices shown in the following table.


The network contains an Active Directory domain named contoso.com that is synced to Azure Active Directory (Azure AD).
All users connect to an application hosted in Microsoft 365.
You need to recommend a solution to ensure that all the users use Azure Multi-Factor Authentication (MFA) to connect to the application from one of the offices.
What should you include in the recommendation?

  • A. a named location and two Microsoft Cloud App Security policies
  • B. a conditional access policy and two virtual networks
  • C. a virtual network and two Microsoft Cloud App Security policies
  • D. a conditional access policy and two named locations


Answer : D

Explanation:
Conditional Access policies are, at their most basic, if-then statements that combine signals to make decisions and enforce organizational policies. One of the signals that can be incorporated into the decision-making process is network location.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#named-locations

HOTSPOT -
You have an Azure subscription that contains 300 Azure virtual machines that run Windows Server 2016.
You need to centrally monitor all warning events in the System logs of the virtual machines.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:




Answer :

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.
Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.
You need to enable single sign-on (SSO) for company users.
Solution: Install and configure an on-premises Active Directory Federation Services (AD FS) server with a trust established between the AD FS server and Azure AD.
Does the solution meet the goal?

  • A. Yes
  • B. No


Answer : B

Explanation:
Seamless SSO is not applicable to Active Directory Federation Services (ADFS).
Instead install and configure an Azure AD Connect server.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

You have an Azure subscription that contains several resource groups, including a resource group named RG1. RG1 contains several business-critical resources.
A user named admin1 is assigned the Owner role to the subscription.
You need to prevent admin1 from modifying the resources in RG1. The solution must ensure that admin1 can manage the resources in the other resource groups.
What should you use?

  • A. a management group
  • B. an Azure policy
  • C. a custom role
  • D. an Azure blueprint


Answer : C

Explanation:
Role-based access control (RBAC) focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to that resource group.
Incorrect Answers:
A: If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions.
B: There are a few key differences between Azure Policy and role-based access control (RBAC). Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.
D: Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

HOTSPOT -
You deploy Azure services by using Azure Resource Manager templates. The templates reference secrets that are stored in Azure Key Vault.
You need to recommend a solution for accessing the secrets during deployments.
The solution must prevent the users who are performing the deployments from accessing the secrets in the key vault directly.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:




Answer :

Explanation:
Box 1: An advanced access policy for the key vaults

Enable template deployment -
1. In the portal, select your Key Vault.
2. Select Access policies.
3. Select Click to show advanced access policies.
4. Select Enable access to Azure Resource Manager for template deployment. Then, select Save.
Box 2: Role-based access control (RBAC)
In large teams you may have multiple people deploying resources but don't want to give them access to the actual secrets inside the vault. You can achieve this by creating a custom role that only grants access to the Key Vault for deployment purposes. The deployment user cannot read the secrets within.
Reference:
https://docs.microsoft.com/bs-latn-ba/azure/managed-applications/key-vault-access
https://azurecto.com/azure-key-vault-custom-role-for-deployment/

DRAG DROP -
A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that uses the Basic license.
You plan to deploy two applications to Azure. The applications have the requirements shown in the following table.


Which authentication strategy should you recommend for each application? To answer, drag the appropriate authentication strategies to the correct applications.
Each authentication strategy may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:



Answer :

Explanation:

Box 1: Azure AD V2.0 endpoint -
Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) developer platform. It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft APIs, such as Microsoft Graph, or APIs that developers have built. The Microsoft identity platform consists of:
OAuth 2.0 and OpenID Connect standard-compliant authentication service that enables developers to authenticate any Microsoft identity, including:
Work or school accounts (provisioned through Azure AD)
Personal Microsoft accounts (such as Skype, Xbox, and Outlook.com)
Social or local accounts (via Azure AD B2C)

Box 2: Azure AD B2C tenant -
Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.
Azure Active Directory B2C (Azure AD B2C) integrates directly with Azure Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your applications.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-mfa
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview

HOTSPOT -
You configure OAuth2 authorization in API Management as shown in the exhibit.


Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Explanation:

Box 1: Web applications -
The Authorization Code Grant Type is used by both web apps and native apps to get an access token after a user authorizes an app.
Note: The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token.
After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.
Answers:
Not Headless device authentication:
A headless system is a computer that operates without a monitor, graphical user interface (GUI) or peripheral devices, such as keyboard and mouse.
Headless computers are usually embedded systems in various devices or servers in multi-server data center environments. Industrial machines, automobiles, medical equipment, cameras, household appliances, airplanes, vending machines and toys are among the myriad possible hosts of embedded systems.

Box 2: Client Credentials -
How to include additional client data
In case you need to store additional details about a client that don't fit into the standard parameter set, the custom data parameter comes to help:

POST /c2id/clients HTTP/1.1
Host: demo.c2id.com
Content-Type: application/json
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "redirect_uris" : [ "https://myapp.example.com/callback" ],
  "data" : { "reg_type" : "3rd-party",
             "approved" : true,
             "author_id" : 792440 }
}
The data parameter permits arbitrary content packaged in a JSON object. To set it you will need the master registration token or a one-time access token with a client-reg:data scope.
Incorrect Answers:
Authorization protocols provide a state parameter that allows you to restore the previous state of your application. The state parameter preserves some state object set by the client in the Authorization request and makes it available to the client in the response.
Reference:
https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type
https://connect2id.com/products/server/docs/guides/client-registration

A company has deployed several applications across Windows and Linux virtual machines in Azure. Log Analytics is being used to send the required data for alerting purposes for the virtual machines.
You need to recommend which tables need to be queried for security-related queries.
Which of the following would you query for events from Windows Event Logs?

  • A. Azure Activity
  • B. Azure Diagnostics
  • C. Event
  • D. Syslog


Answer : C

Explanation:
This is also given in the Microsoft documentation, which states that you would use the Event table for queries on events from Windows virtual machines.
Since this is clearly mentioned, all other options are incorrect.
For more information on collecting event data from Windows virtual machines, visit the URL below.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events

Note: This question is a part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.
You discover several login attempts to the Azure portal from countries where administrative users do NOT work.
You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).
Solution: Implement Azure AD Identity Protection for Group1.
Does this solution meet the goal?

  • A. Yes
  • B. No


Answer : B

Explanation:
Instead implement Azure AD Privileged Identity Management.
Note: Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

You are designing a solution that will host 20 different web applications.
You need to recommend a solution to secure the web applications with a firewall that protects against common web-based attacks including SQL injection, cross-site scripting attacks, and session hijacks. The solution must minimize costs.
Which three Azure features should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. VPN Gateway
  • B. URL-based content routing
  • C. Multi-site routing
  • D. Web Application Firewall (WAF)
  • E. Azure ExpressRoute
  • F. Azure Application Gateway


Answer : DEF

Explanation:
The web application firewall (WAF) in Azure Application Gateway helps protect web applications from common web-based attacks like SQL injection, cross-site scripting attacks, and session hijacks. It comes preconfigured with protection from threats identified by the Open Web Application Security Project (OWASP) as the top 10 common vulnerabilities.
ExpressRoute connections do not go over the public Internet and thus can be considered more secure than VPN-based solutions. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.
Reference:
https://azure.microsoft.com/en-us/updates/application-gateway-web-application-firewall-in-public-preview/
https://docs.microsoft.com/en-us/azure/security/fundamentals/overview
