AZ-303 Microsoft Azure Architect Technologies Exam Questions and Answers – Page 1

The latest Microsoft AZ-303 Microsoft Azure Architect Technologies practice exam question and answer (Q&A) dumps are available free to help you pass the Microsoft AZ-303 Microsoft Azure Architect Technologies exam and earn the Microsoft AZ-303 Microsoft Azure Architect Technologies certification.

Exam Question 51

You have an Azure subscription.
You create a custom role in Azure by using the following Azure Resource Manager template.

You assign the role to a user named User1.
Which action can User1 perform?

A. Create virtual machines.
B. Create resource groups.
C. Delete virtual machines.
D. Create support requests.

Correct Answer:
D. Create support requests.
Answer Description:
The “Microsoft.Support/*” operation will allow the user to create support tickets.

Exam Question 52

A company hosts virtual machines (VMs) in an on-premises datacenter and in Azure. The on-premises and Azure-based VMs communicate using ExpressRoute.
The company wants to be able to continue regular operations if the ExpressRoute connection fails. Failover connections must use the Internet and must not require Multiprotocol Label Switching (MPLS) support.
You need to recommend a solution that provides continued operations.
What should you recommend?

A. Increase the bandwidth of the existing ExpressRoute connection.
B. Increase the bandwidth for the on-premises internet connection.
C. Set up a VPN connection.
D. Set up a second ExpressRoute connection.

Correct Answer:
C. Set up a VPN connection.

Exam Question 53

You have an Azure subscription that contains the resources shown in the following table.

Subnet1 is on VNET1. VM1 connects to Subnet1.
You plan to create a virtual network gateway on VNET1.
You need to prepare the environment for the planned virtual network gateway.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Create a local network gateway.
B. Modify the address space used by Subnet1.
C. Create a subnet named GatewaySubnet on VNET1.
D. Modify the address space used by VNET1.
E. Delete Subnet1.

Correct Answer:
D. Modify the address space used by VNET1.
E. Delete Subnet1.

Exam Question 54

Your network contains an on-premises Active Directory and an Azure Active Directory (Azure AD) tenant.
You deploy Azure AD Connect and configure pass-through authentication.
Your Azure subscription contains several web apps that are accessed from the Internet.
You plan to use Azure Multi-Factor Authentication (MFA) with the Azure Active Directory tenant.
You need to recommend a solution to prevent users from being prompted for Azure MFA when they access the web apps from the on-premises network.
What should you include in the recommendation?

A. an Azure policy
B. trusted IPs
C. a site-to-site VPN between the on-premises network and Azure
D. an Azure ExpressRoute circuit

Correct Answer:
B. trusted IPs
Answer Description:
The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses two-step verification for users who sign in from the company intranet. The feature is available with the full version of Azure Multi-Factor Authentication, and not the free version for administrators.

Exam Question 55

You create a new Azure subscription. You create a resource group named RG1. In RG1, you create the resources shown in the following table.

You need to configure an encrypted tunnel between your on-premises network and VNET1.
Which two additional resources should you create in Azure? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. a VPN gateway
B. a site-to-site connection
C. a point-to-site configuration
D. a VNet-to-VNet connection
E. a local network gateway

Correct Answer:
A. a VPN gateway
E. a local network gateway
Answer Description:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device, a local network gateway, located on-premises that has an externally facing public IP address assigned to it.
Finally, create a Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

Exam Question 56

You plan to create an Azure Storage account named storage1 that will store blobs and be accessed by Azure Databricks.
You need to ensure that you can set permissions for individual blobs by using Azure Active Directory (Azure AD) authentication.
Which Advanced setting should you enable for storage1?

A. Large file shares
B. Hierarchical namespace
C. NFS v3
D. Blob soft delete

Correct Answer:
B. Hierarchical namespace
Answer Description:
Question: Do I have to enable support for ACLs?
No. Access control via ACLs is enabled for a storage account as long as the Hierarchical Namespace (HNS) feature is turned ON.
Note 1: We [Microsoft] are pleased to share the general availability of Azure Active Directory (AD) based access control for Azure Storage Blobs and Queues. Enterprises can now grant specific data access permissions to users and service identities from their Azure AD tenant using Azure’s Role-based access control (RBAC).
Note 2: Azure Data Lake Storage Gen2 implements an access control model that supports both Azure role-based access control (Azure RBAC) and POSIX-like access control lists (ACLs).
You can associate a security principal with an access level for files and directories. These associations are captured in an access control list (ACL). Each file and directory in your storage account has an access control list. When a security principal attempts an operation on a file or directory, an ACL check determines whether that security principal (user, group, service principal, or managed identity) has the correct permission level to perform the operation.

Exam Question 57

You have the following Azure Active Directory (Azure AD) tenants:

  • Contoso.onmicrosoft.com: Linked to a Microsoft Office 365 tenant and syncs to an Active Directory forest named contoso.com by using password hash synchronization
  • Contosoazure.onmicrosoft.com: Linked to an Azure subscription named Subscription1

You need to ensure that you can assign the users in contoso.com access to the resources in Subscription1.
What should you do?

A. Configure contoso.onmicrosoft.com to use pass-through authentication.
B. Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com.
C. Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.onmicrosoft.com.
D. Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com.

Correct Answer:
C. Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.onmicrosoft.com.
Answer Description:
Azure AD Connect allows you to quickly onboard to Azure AD and Office 365.
Note: The most common topology is a single on-premises forest, with one or multiple domains, and a single Azure AD tenant. For Azure AD authentication, password hash synchronization is used. The express installation of Azure AD Connect supports only this topology.

Exam Question 58

You have several Azure web apps that use access keys to access databases.
You plan to migrate the access keys to Azure Key Vault. Each app must authenticate by using Azure Active Directory (Azure AD) to gain access to the access keys.
What should you create in Azure to ensure that the apps can access the access keys?

A. managed identities
B. managed applications
C. Azure policies
D. an App Service plan

Correct Answer:
A. managed identities
Answer Description:
Azure Key Vault provides a way to securely store credentials and other secrets, but your code needs to authenticate to Key Vault to retrieve them. Managed identities for Azure resources help solve this problem by giving Azure services an automatically managed identity in Azure AD. You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.

Exam Question 59

You have an Azure key vault named KV1.
You need to implement a process that will digitally sign the blobs stored in Azure Storage.
What is required in KV1 to sign the blobs?

A. a key
B. a secret
C. a certificate

Correct Answer:
B. a secret
Answer Description:
Use an Azure key vault secret to key of your blob storage account container.

Exam Question 60

You set the multi-factor authentication status for a user named [email protected] to Enabled.
Admin1 accesses the Azure portal by using a web browser.
Which additional security verifications can Admin1 use when accessing the Azure portal?

A. a phone call, an email message that contains a verification code, and a text message that contains an app password.
B. an app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app.
C. an app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app.
D. a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app.

Correct Answer:
D. a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app.
Answer Description:
The Microsoft Authenticator app can help prevent unauthorized access to accounts and stop fraudulent transactions by pushing a notification to your smartphone or tablet. Users view the notification, and if it’s legitimate, select Verify. Otherwise, they can select Deny.

Testlet 2: Implement Management and Security Solutions

Case study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

  • File servers
  • Domain controllers
  • Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1. App1 is comprised of the following three tiers:

  • A SQL database
  • A web front end
  • A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

  • Move all the tiers of App1 to Azure.
  • Move the existing product blueprint files to Azure Blob storage.
  • Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

  • Move all the virtual machines for App1 to Azure.
  • Minimize the number of open ports between the App1 tiers.
  • Ensure that all the virtual machines for App1 are protected by backups.
  • Copy the blueprint files to Azure over the Internet.
  • Ensure that the blueprint files are stored in the archive storage tier.
  • Ensure that partner access to the blueprint files is secured and temporary.
  • Prevent user passwords or hashes of passwords from being stored in Azure.
  • Use unmanaged standard storage for the hard disks of the virtual machines.
  • Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
  • Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

  • Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
  • Designate a new user named Admin1 as the service admin for the Azure subscription.
  • Admin1 must receive email alerts regarding service outages.
  • Ensure that a new user named User3 can create network objects for the Azure subscription.