AZ-900 Microsoft Azure Fundamentals Exam Questions and Answers – Page 3

The latest Microsoft AZ-900 Azure Fundamentals certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-900 Azure Fundamentals exam and earn Microsoft AZ-900 Azure Fundamentals certification.

AZ-900 Microsoft Azure Fundamentals Exam Questions and Answers

Exam Question 221

Which Azure service should you use to correlate events from multiple resources into a centralized repository?

A. Azure Event Hubs
B. Azure Analysis Services
C. Azure Monitor
D. Azure Log Analytics

Correct Answer:
D. Azure Log Analytics.
Answer Description:
Log Analytics is a web tool used to write and execute Azure Monitor log queries. Open it by selecting Logs in the Azure Monitor menu. It starts with a new blank query.
References:
Azure Monitor

Exam Question 222

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that is configured for hybrid coexistence with the on-premises Active Directory Domain.
The tenant contains the users shown in the following users.
User1: User Type – Member, Source – AzureAD, Sign-in – [email protected]
User2: User Type – Member, Source – Windows Server Active Directory, Sign-in – [email protected]
User3: User Type – Guest, Source – Multiple, Sign-in – [email protected]
User4: User Type – Guest, Source – Multiple, Sign-in – [email protected]
Whenever possible, you need to enable Azure Multi-Factor Authentication (MFA) for the users in contoso.com.
Which users should you enable for Azure MFA?

A. User1 only.
B. User1, User2, and User3 only.
C. User1 and User2 only.
D. User1, User2, User3, and User4.
E. User2 only.
Correct Answer:
D. User1, User2, User3, and User4.
Answer Description:
The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user’s password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

Multi-Factor Authentication comes as part of the following offerings:

  • Azure Active Directory Premium or Microsoft 365 Business: Full featured use of Azure Multi-Factor Authentication using Conditional Access policies to require multi-factor authentication.
  • Azure AD Free or standalone Office 365 licenses: Use pre-created Conditional Access baseline protection policies to require multi-factor authentication for your users and administrators.
  • Azure Active Directory Global Administrators: A subset of Azure Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.

References:
Microsoft Docs > How it works: Azure Multi-Factor Authentication

Exam Question 223

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the [email protected] sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: ?Unable to invite user.
[email protected] ? Generic authorization exception.?.
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?

A. From the Roles and administrators blade, assign the Security administrator role to Admin1.
B. From the Organizational relationships blade, add an identity provider.
C. From the Custom domain names blade, add a custom domain.
D. From the Users blade, modify the External collaboration settings.
Correct Answer:
D. From the Users blade, modify the External collaboration settings.
Answer Description:
By default, all users and guests in your directory can invite guests even if they’re not assigned to an admin role. External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests.
With Azure AD B2B collaboration, a tenant admin can set the following invitation policies:

  • Turn off invitations
  • Only admins and users in the Guest Inviter role can invite
  • Admins, the Guest Inviter role, and members can invite
  • All users, including guests, can invite

References:
Microsoft Docs > Enable B2B external collaboration and manage who can invite guests

Exam Question 224

You have an Azure DNS zone named adatum.com.
You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.
What should you do?

A. Create an A record named *.research in the adatum.com zone.
B. Create a PTR record named research in the adatum.com zone.
C. Modify the SOA record of adatum.com.
D. Create an NS record named research in the adatum.com zone.
Correct Answer:
D. Create an NS record named research in the adatum.com zone.
Answer Description:
You need to create a name server (NS) record for the zone.
The A Record points your hostname to an IP address. The record A specifies IP address (IPv4) for given host. This is one of the most frequently used records in the DNS Zones.
PTR records are used for the Reverse DNS (Domain Name System) lookup. Using the IP address you can get the associated domain/hostname. An A record should exist for every PTR record. The usage of a reverse DNS setup for a mail server is a good solution.
The SOA means Start Of Authority. The SOA record defines the beginning of the authority DNS zone and specifies the global parameters for the zone. The SOA record has the following structure: “Serial number”, “Primary name server (NS)”, “DNS admin e-mail”, “Refresh Rate”, “Retry Rate”, “Expire time” and “Default TTL”.
The NS records identify the name servers, responsible for your DNS zone. In order to have a valid DNS configuration, the NS records configured in the DNS zone must be exactly the same as these configured as name servers at your domain name provider.
References:
Microsoft Docs > Overview of DNS zones and records

Exam Question 225

Your company has a main office in London that contains 100 client computers.
Three years ago, you migrated to Azure Active Directory (Azure AD).
The company’s security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.
A remote user named User1 is unable to join a personal device to Azure AD from a home network.
You verify that other users can join their devices to Azure AD.
You need to ensure that User1 can join the device to Azure AD.
What should you do?

A. From the Device settings blade, modify the Users may join devices to Azure AD setting.
B. From the Device settings blade, modify the Maximum number of devices per user setting.
C. Create a point-to-site VPN from the home network of User1 to Azure.
D. Assign the User administrator role to User1.
Correct Answer:
B. From the Device settings blade, modify the Maximum number of devices per user setting.
Answer Description:
Maximum number of devices – This setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches this quota, they are not be able to add additional devices until one or more of the existing devices are removed. The device quota is counted for all devices that are either Azure AD joined or Azure AD registered today. The default value is 20. Maximum number of devices setting does not apply to hybrid Azure AD joined devices.
References:
Microsoft Docs > Manage device identities using the Azure portal
Microsoft Docs > “The maximum number of devices that can be joined to the workplace by the user has been reached” error during a Workplace Join

Exam Question 226

You set the multi-factor authentication status for a user named [email protected] to Enabled.
Admin1 accesses the Azure portal by using a web browser.
Which additional security verifications can Admin1 use when accessing the Azure portal?

A. A phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app.
B. An app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app.
C. An app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app.
D. A phone call, an email message that contains a verification code, and a text message that contains an app password.
Correct Answer:
A. A phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app.
Answer Description:
Verification methods: Call to phon, Text message to phone, Notification through mobile app, and Verification code from mobile app or hardware token.
Verification methods:
You can choose the verification methods that are available for your users.
When your users enroll their accounts for Azure Multi-Factor Authentication, they choose their preferred verification method from the options that you have enabled. Guidance for the user enrollment process is provided in Set up my account for two-step verification.

  • Call to phone: Places an automated voice call. The user answers the call and presses # in the phone keypad to authenticate. The phone number is not synchronized to on-premises Active Directory.
  • Text message to phone: Sends a text message that contains a verification code. The user is prompted to enter the verification code into the sign-in interface. This process is called one-way SMS. Two-way SMS means that the user must text back a particular code. Two-way SMS is deprecated and not supported after November 14, 2018. Users who are configured for two-way SMS are automatically switched to call to phone verification at that time.
  • Notification through mobile app: Sends a push notification to your phone or registered device. The user views the notification and selects Verify to complete verification. The Microsoft Authenticator app is available for Windows Phone, Android, and iOS.
  • Verification code from mobile app or hardware token: The Microsoft Authenticator app generates a new OATH verification code every 30 seconds. The user enters the verification code into the sign-in interface. The Microsoft Authenticator app is available for Windows Phone, Android, and iOS.

References:
Microsoft Docs > Configure Azure Multi-Factor Authentication settings

Exam Question 227

You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1.
Adatum contains a group named Developers.
Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.
Does this meet the goal?

A. Yes
B. No
Correct Answer:
A. Yes
Answer Description:
You can permit only specific users or groups to run specific operations, such as managing, editing, and viewing logic apps. To control their permissions, use Azure Role-Based Access Control (RBAC) to assign customized or built-in roles to members in your Azure subscription:

  • Logic App Contributor: Lets you manage logic apps, but you can’t change access to them.
  • Logic App Operator: Lets you read, enable, and disable logic apps, but you can’t edit or update them.

To prevent others from changing or deleting your logic app, you can use Azure Resource Lock, which prevents others from changing or deleting production resources.
References:
Microsoft Docs > Built-in roles for Azure resources
Microsoft Docs > Secure access and data in Azure Logic Apps

Exam Question 228

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?

A. Get-Event Event | where ($_.EventType ?eq “error”).
B. Get-Event Event | where ($_.EventType == “error”).
C. Search in (Event) * | where EventType ?eq “error”.
D. Search in (Event) “error”.
E. Select *from Event where EventType == “error”.
F. Event | where EventType is “error”.
Correct Answer:
D. Search in (Event) “error”.
Answer Description:
Table scoping: To search a term in a specific table, add in (table-name) just after the search operator:
Search in table Event: search in (Event) “error”| take 100
Search in multiple tables: search in (Event, SecurityEvent) “error”| take 100
References:
Microsoft Docs > Search queries in Azure Monitor logs
Microsoft Docs > Get started with Log Analytics in Azure Monitor

Exam Question 229

You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.
***
Name: RG1,????????????????????Azure region: West Europe,????Policy: Policy1
Name: RG2,????????????????????Azure region: North Europe,???Policy: Policy2
Name: RG3,????????????????????Azure region: France Central,?Policy: Policy3
***
RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?

A. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
B. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
C. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.
D. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
Correct Answer:
B. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
Answer Description:
You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region. The region in which your app runs is the region of the App Service plan it’s in. However, you cannot change an App Service plan’s region.
References:
Microsoft Docs > Manage an App Service plan in Azure

Exam Question 230

You have an Azure subscription that contains a resource group named RG1. RG1 contains 100 virtual machines.
Your company has three cost centers named Manufacturing, Sales, and Finance.
You need to associate each virtual machine to a specific cost center.
What should you do?

A. Configure locks for the virtual machine.
B. Add an extension to the virtual machines.
C. Assign tags to the virtual machines.
D. Modify the inventory settings of the virtual machine.
Correct Answer:
C. Assign tags to the virtual machines.
Answer Description:
Billing Tags Policy Initiative: Requires specified tag values for cost center and product name. Uses built-in policies to apply and enforce required tags. You specify the required values for the tags.
References:
Microsoft Docs > Prevent unexpected charges with Azure billing and cost management
Microsoft Docs > Use tags to organize your Azure resources
Microsoft Docs > Sample – Billing tags policy initiative