AZ-303 Microsoft Azure Architect Technologies Exam Questions and Answers – Page 1

Free practice questions and answers (Q&A) for the Microsoft AZ-303 Microsoft Azure Architect Technologies certification exam, intended to help you prepare for and pass the exam.

Exam Question 41

You have SQL Server on an Azure virtual machine named SQL1.
You need to automate the backup of the databases on SQL1 by using Automated Backup v2 for the virtual machines. The backups must meet the following requirements:

  • Meet a recovery point objective (RPO) of 15 minutes.
  • Retain the backups for 30 days.
  • Encrypt the backups at rest.

What should you provision as part of the backup solution?

A. Elastic Database jobs
B. Azure Key Vault
C. an Azure Storage account
D. a Recovery Services vault

Correct Answer:
C. an Azure Storage account
Answer Description:
An Azure storage account is used for storing Automated Backup files in blob storage. A container is created at this location to store all backup files. The backup file naming convention includes the date, time, and database GUID.

Exam Question 42

You have an Azure subscription that contains an Azure key vault named KeyVault1 and the virtual machines shown in the following table.

KeyVault1 has an access policy that provides several users with Create Key permissions.
You need to ensure that the users can only register secrets in KeyVault1 from VM1.
What should you do?

A. Create a network security group (NSG) that is linked to Subnet1.
B. Configure the Firewall and virtual networks settings for KeyVault1.
C. Modify the access policy for KeyVault1.
D. Configure KeyVault1 to use a hardware security module (HSM).

Correct Answer:
C. Modify the access policy for KeyVault1.
Answer Description:
You grant data plane access by setting Key Vault access policies for a key vault.
Note 1: Grant our VM’s system-assigned managed identity access to the Key Vault.
1. Select Access policies and click Add new.
2. In Configure from template, select Secret Management.
3. Choose Select Principal, and in the search field enter the name of the VM you created earlier. Select the VM in the result list and click Select.
4. Click OK to finish adding the new access policy, and OK to finish access policy selection.
Note 2: Access to a key vault is controlled through two interfaces: the management plane and the data plane. The management plane is where you manage Key Vault itself. Operations in this plane include creating and deleting key vaults, retrieving Key Vault properties, and updating access policies. The data plane is where you work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.

Exam Question 43

You have resources in three Azure regions. Each region contains two virtual machines. Each virtual machine has a public IP address assigned to its network interface and a locally installed application named App1.
You plan to implement Azure Front Door-based load balancing across all the virtual machines.
You need to ensure that App1 on the virtual machines will only accept traffic routed from Azure Front Door.
What should you implement?

A. Azure Private Link
B. service endpoints
C. network security groups (NSGs) with service tags
D. network security groups (NSGs) with application security groups

Correct Answer:
C. network security groups (NSGs) with service tags
Answer Description:
Configure IP ACLing for your backends to accept traffic from Azure Front Door’s backend IP address space and Azure’s infrastructure services only. Refer to the IP details below for ACLing your backend:
Refer to the AzureFrontDoor.Backend section in Azure IP Ranges and Service Tags for Front Door’s IPv4 backend IP address range, or use the service tag AzureFrontDoor.Backend in your network security groups.

Exam Question 44

You have an Azure key vault named KV1.
You need to ensure that applications can use KV1 to provision certificates automatically from an external certification authority (CA).
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. From KV1, create a certificate issuer resource.
B. Obtain the CA account credentials.
C. Obtain the root CA certificate.
D. From KV1, create a certificate signing request (CSR).
E. From KV1, create a private key.

Correct Answer:
C. Obtain the root CA certificate.
D. From KV1, create a certificate signing request (CSR).
Answer Description:
C: Obtain the root CA certificate (step 4 in the picture below)
D: From KV1, create a certificate signing request (CSR) (step 2 in the picture below)
Note: Creating a certificate with a CA not partnered with Key Vault
This method allows working with other CAs than Key Vault’s partnered providers, meaning your organization can work with a CA of its choice.

The following step descriptions correspond to the green lettered steps in the preceding diagram.
1. In the diagram above, your application is creating a certificate, which internally begins by creating a key in your key vault.
2. Key Vault returns to your application a Certificate Signing Request (CSR).
3. Your application passes the CSR to your chosen CA.
4. Your chosen CA responds with an X509 Certificate.
5. Your application completes the new certificate creation with a merger of the X509 Certificate from your CA.

Exam Question 45

You create the following Azure role definition.

You need to create Role1 by using the role definition.
Which two values should you modify before you create Role1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. AssignableScopes
B. Description
C. DataActions
D. IsCustom
E. Id

Correct Answer:
A. AssignableScopes
D. IsCustom
Answer Description:
Part of example:
  "IsCustom": true,
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]

The following shows what a custom role looks like as displayed in JSON format. This custom role can be used for monitoring and restarting virtual machines.
{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}
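
A pre-flight check for a custom role definition like the one above, as an added example that is not part of the original page: it verifies the two fields this answer names (IsCustom and AssignableScopes) and flags a bare wildcard action. The function name, the accepted scope shapes and both sample documents are assumptions constructed for illustration.

```python
import json
import re

# Assumed scope shapes: a subscription, optionally narrowed to a resource group.
SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
    r"(/resourceGroups/[^/]+)?$"
)

def check_role_definition(text):
    """Return a list of findings for a custom role definition JSON string."""
    role = json.loads(text)
    findings = []
    # A string such as "true" is not the boolean the role definition expects.
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be the JSON boolean true")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        findings.append("AssignableScopes is empty")
    for scope in scopes:
        # Template placeholders like {subscriptionId1} must be replaced first.
        if "{" in scope or "}" in scope:
            findings.append(f"placeholder left in scope: {scope}")
        elif not SCOPE_RE.match(scope):
            findings.append(f"unrecognised scope: {scope}")
    # Least privilege: a bare "*" grants every operation in that plane.
    for key in ("Actions", "DataActions"):
        for action in role.get(key, []):
            if action == "*":
                findings.append(f"{key} grants every operation ('*')")
    return findings

# Constructed sample: a cut-down copy of the page's template, placeholder untouched.
TEMPLATE = json.dumps({
    "Name": "Virtual Machine Operator",
    "IsCustom": True,
    "Actions": ["Microsoft.Compute/*/read",
                "Microsoft.Compute/virtualMachines/restart/action"],
    "AssignableScopes": ["/subscriptions/{subscriptionId1}"],
})
# Constructed sample: the same role with a made-up subscription GUID filled in.
READY = TEMPLATE.replace("{subscriptionId1}",
                         "11111111-2222-3333-4444-555555555555")

if __name__ == "__main__":
    for label, doc in (("template", TEMPLATE), ("ready", READY)):
        print(label, check_role_definition(doc) or "ok")
```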

Exam Question 46

You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD).
You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Authenticator app
B. Email addresses
C. App passwords
D. Short Message Service (SMS) messages
E. Security questions

Correct Answer:
A. Authenticator app
D. Short Message Service (SMS) messages
Answer Description:
The following authentication mechanisms can be used for both MFA and SSPR:
– Short Message Service (SMS) messages
– Azure AD passwords
– Microsoft Authenticator app
– Voice call

Exam Question 47

Your company has the groups shown in the following table.

The company has an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com.
An administrator named Admin1 attempts to enable Enterprise State Roaming for all the users in the Managers groups.
Admin1 reports that the options for Enterprise State Roaming are unavailable from Azure AD.
You verify that Admin1 is assigned the Global administrator role.
You need to ensure that Admin1 can enable Enterprise State Roaming.
What should you do?

A. Assign an Azure AD Privileged Identity Management (PIM) role to Admin1.
B. Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group.
C. Enforce Azure Multi-Factor Authentication (MFA) for Admin1.
D. Purchase an Azure AD Premium P1 license for each user in the Managers group.

Correct Answer:
D. Purchase an Azure AD Premium P1 license for each user in the Managers group.
Answer Description:
Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license.

Exam Question 48

You create the Azure resources shown in the following table.

You attempt to add a role assignment to a resource group as shown in the following exhibit.

What should you do to ensure that you can assign VM2 the Reader role for the resource group?

A. Configure just in time (JIT) VM access on VM2.
B. Configure Access control (IAM) on VM2.
C. Assign a managed identity to VM2.
D. Modify the Reader role at the subscription level.

Correct Answer:
B. Configure Access control (IAM) on VM2.
Answer Description:
After you’ve configured an Azure resource with a managed identity, you can give the managed identity access to another resource, just like any security principal.
Use Azure RBAC to assign a managed identity access to another resource
After you’ve enabled managed identity on an Azure resource, such as an Azure VM or Azure virtual machine scale set:
1. Sign in to the Azure portal using an account associated with the Azure subscription under which you have configured the managed identity.
2. Navigate to the desired resource on which you want to modify access control. In this example, we are giving an Azure virtual machine access to a storage account, so we navigate to the storage account.
3. Select the Access control (IAM) page of the resource, and select + Add role assignment. Then specify the Role, Assign access to, and specify the corresponding Subscription. Under the search criteria area, you should see the resource. Select the resource, and select Save.

Exam Question 49

You have Azure virtual machines deployed to three Azure regions. Each region contains a single virtual network that has four virtual machines on the same subnet. Each virtual machine runs an application named App1. App1 is accessible by using HTTPS. Currently, the virtual machines are inaccessible from the internet.
You need to use Azure Front Door to load balance requests for App1 across all the virtual machines.
Which additional Azure service should you provision?

A. Azure Traffic Manager
B. an internal Azure Load Balancer
C. a public Azure Load Balancer
D. Azure Private Link

Correct Answer:
B. an internal Azure Load Balancer
Answer Description:
Can we deploy Azure Load Balancer behind Front Door?
Azure Front Door needs a public VIP or a publicly available DNS name to route the traffic to. Deploying an Azure Load Balancer behind Front Door is a common use case.

Exam Question 50

You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table.

You need to ensure that all critical and security updates are applied to each virtual machine every month.
What is the minimum number of update deployments you should create?

A. 4
B. 6
C. 2
D. 1

Correct Answer:
A. 4
Answer Description:
One for the Windows VMs, and one for each type of Linux VM.