The latest Microsoft AZ-900 Azure Fundamentals certification practice exam question and answer (Q&A) dumps are available free to help you pass the Microsoft AZ-900 Azure Fundamentals exam and earn the Microsoft AZ-900 Azure Fundamentals certification.
Question 451
The Nutex Corporation wants to enhance the security for its Azure Active Directory by utilizing the Azure AD Smart Lockout feature.
Which of the following statements about the Azure AD Smart Lockout feature is TRUE? (Select One)
A. Azure AD Smart Lockout must be enabled explicitly for a new Azure AD deployment.
*B. Azure AD Smart Lockout is tracked at the level of a data center.
C. An Azure AD account locks out for shorter durations for subsequent occurrences of account lockouts due to failed attempts.
D. An Azure AD administrator can unlock an Azure AD cloud account if the account is locked out by Azure AD Smart Lockout.
Explanation
Azure AD Smart Lockout locks out bad actors who are trying to guess the AD users’ passwords or use brute-force methods to log in. This feature recognizes sign-ins coming from valid users and treats them differently from those coming from attackers and other unknown sources. Smart Lockout locks out the attackers while letting your valid users continue to access their accounts and be productive.
Azure AD Smart Lockout is tracked at the level of a data center. Each Azure AD data center tracks Smart Lockout independently. A user will have the (threshold_limit * datacenter_count) number of attempts when the user hits each data center.
An Azure AD administrator CANNOT unlock a cloud account if it has been locked out by the Smart Lockout capability. The administrator must wait for the lockout duration to expire.
By default, Smart Lockout locks the account from sign-in attempts for one minute after ten failed attempts. The account locks again after each subsequent failed sign-in attempt, for one minute at first and LONGER in subsequent attempts.
Azure AD Smart Lockout does not have to be enabled explicitly for a new Azure AD deployment because Smart Lockout is always ON for all Azure AD deployments by default. With these default settings, Microsoft offers a good mix of security and usability.
Question 452
Which of the following are true regarding an Azure resource? (Choose two.)
A. Resources in a resource group must be located in the same region as the resource group.
*B. Some Azure resources can exist outside a resource group.
*C. If you apply tags to a resource group, the resources in that resource group do NOT inherit those tags.
D. A resource can connect to only a resource in that resource group.
Explanation
Resources in a resource group do not inherit tags that are applied to the resource group.
Resources in a resource group could be located in the same region as the resource group or another region.
A resource can be connected to multiple resources, and those resources could be in different resource groups. You could have a web app in one resource group that connects to a database in another resource group. A resource can exist in only one resource group, but it can communicate with resources in other resource groups, subscriptions, or management groups.
Resources such as subscriptions and management groups exist outside of resource groups. Management groups and subscriptions contain resource groups.
Question 453
The Nutex Corporation wants to use the capabilities of Azure Security to secure their Azure infrastructure, customer data, and applications. You are asked to implement Azure Security. It is important that you understand its capabilities before you implement it.
Match each capability of Azure Security with its appropriate description.
Description:
- Pre-determined limits that govern compute resources and concurrency for query execution.
- Orchestrates replication, failover, and recovery of workloads and apps so that they are always available.
- A dedicated WAN link that extends the on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider.
- A mechanism that ensures that services are not allowed to initiate a connection to devices on the Internet.
- Offers various layer 7 load balancing capabilities for applications.
Capabilities:
- Azure Site Recovery
- Express Route
- Application Gateway
- Forced tunnelling
- Resource class
Answer:
- Azure Site Recovery: Orchestrates replication, failover, and recovery of workloads and apps so that they are always available.
- Express Route: A dedicated WAN link that extends the on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider.
- Application Gateway: Offers various layer 7 load balancing capabilities for applications.
- Forced tunnelling: A mechanism that ensures that services are not allowed to initiate a connection to devices on the Internet.
- Resource class: Pre-determined limits that govern compute resources and concurrency for query execution.
Explanation
You would map the capabilities of Azure Security with their descriptions as follows:
Azure Site Recovery keeps corporate workloads and apps up and running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are available from a secondary location if the primary location goes down.
ExpressRoute establishes connections to Microsoft cloud services, such as Azure, Office 365, and CRM Online. Connectivity can be from a point-to-point Ethernet network, an any-to-any (IP VPN) network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not travel over the public Internet and are more secure than VPN-based solutions. This allows the connections to offer lower latencies, faster speeds, better reliability, and higher security than typical connections over the Internet.
Application Gateway optimizes the web farm productivity by offloading CPU intensive SSL termination to the application gateway (also known as “SSL offload” or “SSL bridging”). It also provides other Layer 7 routing capabilities, including round-robin distribution of incoming traffic, cookie-based session affinity, URL path-based routing, and the ability to host multiple websites behind a single application gateway. Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between servers, whether they are on the cloud or on-premises.
Forced tunneling is commonly used to force outbound traffic to the Internet to go through on-premises security proxies and firewalls.
VPN Gateway sends network traffic between an Azure Virtual Network and the on-premises site. A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection.
Question 454
You are part of the IT team at the Nutex Corporation. Your management has triggered an initiative to reduce the costs with Azure resources.
You need to reduce storage costs for blob data. You propose using Azure Storage reserved capacity.
Which of the following is true regarding Azure Storage reserved capacity? Choose two.
A. Not supported for Archive access tiers
B. Available for Azure Data Lake Storage Gen1
*C. You must commit to a reservation of 1 year or more.
D. Available for Azure Table storage
*E. Available for Azure Data Lake Storage Gen2
F. Operations, bandwidth, and data transfer charges are included in the reservation
G. You must commit to a reservation of 3 months or more.
H. Not supported for Cool access tiers
I. You must commit to a reservation of 6 months or more.
Explanation
The following are true regarding Azure Storage reserved capacity:
- You must commit to a reservation of 1 year or more.
- Available for Azure Data Lake Storage Gen2
Azure Storage reserved capacity can give you a discount when you commit to a reservation for at least one year or more for Azure Data Lake Storage Gen2 data and for block blobs in standard storage accounts.
The reservation applies to data storage and not for bandwidth, operation, or data transfer charges.
Hot, Cool, and Archive access tiers support Azure Storage reserved capacity.
Azure Storage reserved capacity is not supported for Azure Table storage, Azure Data Lake Storage Gen1, general-purpose v1 (GPv1) storage accounts, premium storage accounts, page blobs, or Azure Queue storage.
Question 455
Jocelyn has been asked to configure one of the Nutex web servers in the East US 2 region with a public IP address for external FTP access. She executes the following command in the Azure CLI:
az network public-ip create -g NutexResourceGroup -n IPNutexFTP --dns-name NutexFTP --allocation-method Static
What would be the fully qualified domain name (FQDN) assigned to the resulting public IP address resource?
A. eastus2.NutexFTP.azure.com
*B. NutexFTP.eastus2.cloudapp.azure.com
C. eastus2.NutexFTP.cloudapp.azure.com
D. NutexFTP.eastus2.azure.com
Explanation
The default FQDN would be NutexFTP.eastus2.cloudapp.azure.com using the format domainnamelabel.location.cloudapp.azure.com.
When creating a public IP address resource using the command specified, the --dns-name option will fill the domainnamelabel portion, and the location will be the datacenter region the resource group resides in.
An Azure DNS Service can be used with a custom domain name instead of the default, if customization is desired.
All other domain names are incorrect:
The option eastus2.NutexFTP.cloudapp.azure.com has the location and label in the wrong order.
The option NutexFTP.eastus2.azure.com is missing the CloudApp section.
The option eastus2.NutexFTP.azure.com is missing the CloudApp section and has the location and label in the wrong order.
Question 456
In your latest meeting with management, you discussed data encryption. You currently have Windows and Linux VMs in Azure. To meet the organization’s security and compliance commitments, you decide to take advantage of Azure disk encryption.
Which statement is NOT true regarding Azure Disk Encryption?
A. Azure Disk Encryption allows the full encryption of operating system and data volumes on VMs running in Azure.
*B. The disk encryption keys are stored in Azure Storage.
C. The Azure Disk Encryption solution leverages Windows BitLocker feature.
D. The Azure Disk Encryption solution leverages Linux’s dm-crypt feature.
Explanation
The data in the virtual machine disks are encrypted at rest in Azure storage. However, the Azure Key Vault is used to safeguard and manage the disk encryption keys, not Azure Storage.
Azure Disk Encryption is a new feature that helps you encrypt Windows and Linux IaaS virtual machine disks. With this new technology you can leverage industry standards for encryption, such as the BitLocker feature of Windows and the dm-crypt feature of Linux.
There are many encryption scenarios supported, such as enabling encryption on new IaaS VMs created from the Azure gallery or existing IaaS VMs already running in Azure. You can also disable encryption on Windows IaaS VMs. Azure Disk Encryption allows full encryption of operating system and data volumes on VMs running in Azure.
Question 457
Which of the following is the proper use of an Azure ARM template?
*A. The automatic creation of Azure resources
B. To deploy predictive analytics
C. To act as a broker with message queues and publish-subscribe topics (in a namespace).
D. To organize resources and subscriptions
Explanation
Azure Resource Manager templates are JavaScript Object Notation (JSON) files that specify the infrastructure and configuration for your project. They can be used to automate the creation of resources. An ARM template can create identical resources in multiple locations.
Organizing resources and subscriptions is better done through the use of management groups. Azure Management Groups can be used to create an effective and efficient hierarchy to manage Azure subscriptions and resources.
Azure Service Bus, not an ARM template, is a broker with message queues and publish-subscribe topics (in a namespace).
Deploying predictive analytics is better done with the Azure Machine Learning Studio. This is a drag and drop tool that allows you to build, test, and deploy predictive analytics using AI.
Question 458
Your company has several virtual machines that run on both a Hyper-V server and a VMware vCenter Server. The on-premises servers in the Finance department and Marketing department will be migrated to Azure using Azure Migrate. An on-premises VM called the collector appliance will discover information about the on-premises VMs to help the migration process along. The collector appliance will be a VM on the vCenter Server.
A setup file will be downloaded and imported to create the VM that will act as the collector appliance for the on-premises servers in the Finance department and Marketing department. A console connection in vCenter Server will be used to connect to this VM, and then the collector application will run in the VM to initiate discovery.
Which is the correct setup file format for your collector appliance?
*A. Open Virtualization Appliance
B. Microsoft Excel
C. Extensible Markup Language
D. JavaScript Object Notation
Explanation
You should use Open Virtualization Appliance (OVA) file format as the setup file format that you can import on your on-premises vCenter server. You have to have permissions to create a VM by importing a file in .OVA format. You also have to check that the .ova file is secure before you deploy it. For that reason, you have to run the following command on the vCenter server:
CertUtil -HashFile C:\AzureMigrate\AzureMigrate.ova SHA256
You also need one ESXi host running version 5.5 or higher to deploy the collector VM. After securing the file, you can import the downloaded file to the vCenter Server.
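The CertUtil command above only prints a hash; the check is complete when that value is compared with the SHA256 published for the appliance version you downloaded. The following is an added example, not part of the original Q&A, that parses CertUtil output (including the older space-separated byte format) and compares digests; the file content and "published" value are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import hmac
import pathlib
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def normalize_hash(text):
    """Lower-case a hex digest and drop whitespace ('AB CD ..' -> 'abcd..')."""
    return re.sub(r"\s+", "", text).lower()


def parse_certutil_output(output):
    """Extract the digest from 'CertUtil -HashFile <file> SHA256' output."""
    for line in output.splitlines():
        candidate = normalize_hash(line)
        if HEX64.match(candidate):
            return candidate
    raise ValueError("no SHA256 digest found in CertUtil output")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks; an .ova image is too large to read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify(actual, published):
    """Return True only when the computed digest equals the published one."""
    published = normalize_hash(published)
    if not HEX64.match(published):
        raise ValueError("published value is not a SHA256 hex digest")
    return hmac.compare_digest(normalize_hash(actual), published)


if __name__ == "__main__":
    # Constructed "published" value: the well-known SHA256 of b"abc".
    published = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
    # Constructed stand-in for the download: a temp file containing b"abc".
    with tempfile.TemporaryDirectory() as tmp:
        ova = pathlib.Path(tmp, "AzureMigrate.ova")
        ova.write_bytes(b"abc")
        local = sha256_file(ova)
    # Constructed CertUtil output in the older space-separated byte format.
    spaced = " ".join(local[i:i + 2] for i in range(0, 64, 2))
    sample = ("SHA256 hash of C:\\AzureMigrate\\AzureMigrate.ova:\n"
              + spaced + "\nCertUtil: -hashfile command completed successfully.\n")
    print("file matches published value:", verify(local, published))
    print("CertUtil output matches:", verify(parse_certutil_output(sample), published))
```

Import the file into vCenter Server only when the comparison returns True; a mismatch means the download is corrupted or is not the file that was published.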
You should not use JavaScript Object Notation (JSON) as the setup file format for your collector appliance because it is not supported for this purpose. This file type is used with JavaScript programming.
You should not use Extensible Markup Language (XML) as the setup file format for your collector appliance because it is not supported for this purpose. XML is a human and machine readable format for encoding documents.
You should not use Microsoft Excel as the setup file format for your collector appliance because it is not supported for this purpose. After the assessment is finished, you can view it in the portal or download it in Microsoft Excel format. However, you cannot use Microsoft Excel format for the setup file.
Question 459
You would like to take advantage of an Azure service that can meet the following requirements:
- Reduce boot times for virtual machines
- Increase battery life on devices
- Reduce device crashes
What tool do you need?
A. Azure DevTest Labs
B. Microsoft Windows for Workgroups
C. Azure Reserved Virtual Machines (VM) Instances
*D. Microsoft Managed Desktop
E. Azure PowerShell
F. Microsoft Windows PE
Explanation
Microsoft Managed Desktop is a tool that can make managing systems easier. Benefits provided to systems managed by MMD are:
- Reduces boot times on devices.
- Almost doubles a device’s battery life
- Reduces crashes on devices
- When using Enterprise State Roaming, users have the same experience when they sign in with different devices.
All other options are incorrect.
Windows Preinstallation Environment (PE) is a lightweight operating system that can be used to troubleshoot Windows devices. It can be used for deployment of workstations and servers.
Windows for Workgroups is a legacy operating environment that had support for SMB file sharing.
Azure DevTest Labs is used to deploy a system to developers. Large numbers of systems running different operating systems can be deployed quickly and then deleted as soon as they are no longer needed.
Azure PowerShell is a set of command line commands called cmdlets that manage resources. It can be a powerful automation tool when using scripts.
Azure Reserved Virtual Machines (VM) Instances are virtual machines (VMs) on the Microsoft Azure public cloud that have been reserved for dedicated use on a one- or three-year basis.
Question 460
You want a user’s attempts to sign into Active Directory to be monitored by Microsoft.
Which of the following makes this possible?
A. SSO
*B. Azure AD Connect
C. Conditional access
D. AD Multi-Factor Authentication
Explanation
When you use on-premises Active Directory only, Microsoft does not monitor sign-in attempts. When you use Azure AD Connect, Microsoft can help protect you by detecting suspicious sign-in attempts. Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD, thereby making monitoring by Microsoft possible.
AD Multi-Factor Authentication is when a user is prompted during the sign-in process for multiple identification factors, such as a token and a PIN. It does not cause login attempts to be monitored by Microsoft.
Conditional access is a feature of Azure AD that allows or denies access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user requests access from. It does not cause login attempts to be monitored by Microsoft.
Single sign-on (SSO) is a capability of a directory service not unique to Azure that allows a single password to authenticate a user to all resources. It does not cause login attempts to be monitored by Microsoft.