The latest Microsoft AZ-900 Azure Fundamentals certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-900 Azure Fundamentals exam and earn Microsoft AZ-900 Azure Fundamentals certification.
Question 511
Which of the following would most likely use a private cloud? (Choose two.)
A. Large manufacturer of engines
*B. Mid- to large-sized bank
*C. Local municipal government
D. Mid-sized beverage distributor
Explanation
Of the choices listed, a municipal government or mid- to large-sized bank would be the most likely candidates for using a private cloud. A private cloud has computing resources exclusively used by a single organization. A private cloud has the following advantages:
- Private clouds provide scalability and efficiency.
- Private clouds are more secure than a public cloud because cloud resources are not shared with others.
Since both a financial institution and a municipal government would need more control over resources than a manufacturer or a distributor, a private cloud would be a better choice than a public cloud.
Question 512
You need to ensure that applications running on servers in Azure stay up and running. You need to choose a technology that will ensure Azure can replicate resources such as VM storage across different locations to reduce the downtime from power outages or natural disasters and prevent outages from planned Azure updates.
What should you use?
A. Availability groups
*B. Region pairs
C. Secondary zones
D. Availability zones
Explanation
Region pairs consist of two Azure regions within the same geography. Region pairs reduce or eliminate downtime caused by power or network outages, natural disasters, or civil unrest. In a region pair, resources are replicated between the regions. Region pairs prioritize one region in a pair if there is a widespread Azure outage. This prioritization helps reduce the time for restoring applications. Azure updates are deployed to one region in a pair first to cut down on downtime and the risk of application outage.
You should not choose availability zones. Availability zones are physically separate locations within an Azure region, not in different regions. Each availability zone has one or more datacenters. Each datacenter is equipped with independent power, cooling, and networking. Availability zones protect your applications and data from datacenter failures, but not widespread outage.
You should not choose secondary zones. Secondary zones are read-only copies of a primary zone on a DNS server. Secondary zones are used to allow clients to resolve the FQDN of a resource. Secondary zones are used for DNS, not for the replication of Azure resources.
You should not choose an availability group. An availability group is used by SQL Server to group databases which are copied to other SQL Server instances for read-only queries. An availability group can have a set of primary databases and can have up to eight sets of secondary databases. An availability group does not replicate Azure resources.
Question 513
Dreamsuites Corporation wants to use Azure Blueprints for greater governance of their Azure subscriptions. An Azure Blueprint is made of several resources, known as “artifacts.”
What artifacts are currently available to Dreamsuites? (Choose four.)
*A. ARM templates
*B. Role assignment
C. Azure containers
*D. Policy assignment on Azure resources
*E. Resource groups
Explanation
Role assignment, or role-based access control (RBAC), is an available artifact that assigns the desired users to a group or built-in role.
ARM templates are an available artifact that can be part of an Azure Blueprint. There is some overlap between ARM templates and Azure Blueprints. Azure Blueprints are a more overarching concept that keeps their connection between the blueprint and the subscriptions it is deployed to.
Policy assignment on Azure resources is an available artifact that allows enforcement of rules and effects. Any policies or parameters are assigned when the blueprint is created or assigned to a subscription.
Resource groups are an artifact in Azure Blueprints. You can create resource groups for use by other artifacts to help limit the scope of those artifacts.
Microsoft includes Azure Blueprint templates for a variety of industries and regulatory requirements. You can also start with a blank template and the artifacts to be configured as part of the deployment.
An Azure container is not an Azure Blueprint artifact.
Question 514
You need to design a multi-factor authentication (MFA) solution for your Azure deployment. You need to secure the following with a second method of authentication:
- First-party Microsoft apps
- Web applications published through Azure AD App Proxy
You are using Azure Active Directory and on-premises Active Directory. You will use Azure AD Connect with password sync. You want to have a phone call as a second factor for MFA.
You use Multi-Factor Authentication (MFA) Server on-premises to provide multi-factor authentication (MFA) for your Azure deployment.
Does your solution meet the requirement?
*A. No
B. Yes
Explanation
You should not use Multi-Factor Authentication (MFA) Server on-premises to provide multi-factor authentication (MFA) for your Azure deployment. You should use Azure Multi-Factor Authentication in the cloud instead. You can determine which of these two choices would be best by determining which objects you want to secure, where your users are located, and which features of MFA you want.
The following table shows which objects can be secured with a second method of authentication using Multi-Factor Authentication (MFA) Server on-premises or Azure Multi-Factor Authentication in the cloud.
| Objects to secure | MFA Server | MFA in the cloud |
|---|---|---|
| SaaS apps in the app gallery | X | |
| Remote access such as VPN, RDG | X | X |
| Web applications published through Azure AD App Proxy | X | |
| IIS applications not published through Azure AD App Proxy | X | |
| First-party Microsoft apps | X | X |
The following table shows which MFA method Microsoft recommends for each user location.
| User location | MFA Server | MFA in the cloud |
|---|---|---|
| On-premises Active Directory | X | |
| Azure Active Directory | X | |
| Azure AD and on-premises AD using federation with AD FS | X | X |
| Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect – no password sync | X | X |
| Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect – with password sync | | X |
In this scenario, users will be in Azure Active Directory and on-premises Active Directory, and you will use Azure AD Connect with password sync.
Question 515
Thanks to Azure, developers of the Dreamsuites Corporation can easily deploy and manage their own cloud workloads. They want to get the most out of their investment by optimizing their Azure deployments. As an Azure consultant, where would you direct Dreamsuites to obtain some personalized, detailed recommendations for reliability, performance and operational excellence?
*A. Azure Advisor Score
B. Investigation Priority Score
C. Azure Secure Score
*D. Azure Advisor
E. Azure Monitor
Explanation
Azure Advisor Score is a sub-feature of Azure Advisor. Dreamsuites can use the Azure Advisor Score to assess how well they are following the best practices defined by the Azure Advisor. Any problem area can be selected to see individual recommendations.
Dreamsuites can meet their needs using Azure Advisor. Azure Advisor examines resource configuration and usage and provides recommended solutions. Recommendations for cost, security, reliability (formerly High Availability), operational excellence, and performance are combined in a single dashboard.
Azure Monitor collects telemetry data from applications and services to identify how applications are performing. While useful, it does not contain the workload recommendations that Dreamsuites needs.
An Investigation Priority Score does not meet the needs of the scenario. This score is given by Cloud App Security to help investigate “risky” users.
Azure Secure Score does not directly meet all of Dreamsuites’ needs. It is part of Azure Security Center and is an assessment of security issues at a glance. However, security recommendations are included as part of Azure Advisor.
Question 516
You are planning to implement an Azure AD hybrid identity solution. You need to understand the different authentication methods that can be used with an Azure AD hybrid identity solution that uses Azure AD Connect.
Match the need with the authentication method. (Each need can be used more than once.)
Authentication Need:
- You want sign-in disaster recovery or leaked credential reports
- You have a sign-in requirement that is not natively supported by Azure AD
- You want to enforce user-level Active Directory security policies during sign-in
- You want Azure AD to handle sign-in completely in the cloud
Authentication methods:
- Password Hash Sync and Seamless SSO
- Pass-through Authentication and Seamless SSO
- Federation
- Federation with Password Hash Sync
Answer:
Password Hash Sync and Seamless SSO:
- You want Azure AD to handle sign-in completely in the cloud
Pass-through Authentication and Seamless SSO:
- You want to enforce user-level Active Directory security policies during sign-in
- You want Azure AD to handle sign-in completely in the cloud
Federation:
- You have a sign-in requirement that is not natively supported by Azure AD
- You want to enforce user-level Active Directory security policies during sign-in
- You want Azure AD to handle sign-in completely in the cloud
Federation with Password Hash Sync:
- You want sign-in disaster recovery or leaked credential reports
- You have a sign-in requirement that is not natively supported by Azure AD
- You want to enforce user-level Active Directory security policies during sign-in
- You want Azure AD to handle sign-in completely in the cloud
Explanation
You should choose the following:
The Azure AD Password Hash Synchronization authentication method allows users to use the same username and password that they use on-premises without additional infrastructure. This method allows you to provide seamless single sign-on (SSO) so that users can use their cloud apps without providing their user ID or password.
The Azure AD Pass-through Authentication method uses a software agent that runs on one or more on-premises servers to provide password validation for Azure AD authentication services. The on-premises servers validate the users against your on-premises Active Directory. This method allows you to provide seamless single sign-on (SSO) so that users can use their cloud apps without providing their user ID or password. This authentication method can allow you to enforce user-level Active Directory security policies during sign-in.
Federation authentication takes care of the authentication process by using a separate trusted authentication system instead of Azure AD. This authentication method can allow you to enforce user-level Active Directory security policies during sign-in. This authentication method can also allow you to meet a sign-in requirement that is not natively supported by Azure AD.
If you use Federation authentication with Password Hash Synchronization, this combination additionally gives you sign-in disaster recovery and leaked credential reports.
Question 517
You would like to address security issues surrounding the use of administrative permissions. Which tool would you use?
A. Azure Functions
B. Azure Key Vault
C. Azure AD Identity protection
*D. Azure AD Privileged Identity Management
E. Credential Manager
Explanation
Among the options available with Azure AD Privileged Identity Management is the ability to assign privileged access to a resource, or a privileged right, on a temporary basis. It reduces the chance of:
- a malicious actor getting access
- an authorized user inadvertently impacting a sensitive resource
All other answers are incorrect.
Azure AD Identity protection can alert you to issues that can lead to identity compromise.
Among the issues it can detect and then alert to are:
- Anonymous IP address use
- Atypical travel
- Malware linked IP address
- Unfamiliar sign-in properties
- Leaked credentials
- Password spraying
Azure Key Vault is an encrypted solution for storing organizational secrets such as passwords and encryption keys.
Azure Functions allows you to write serverless code in your language of preference to handle events at scale, with minimal overhead and cost.
Credential Manager is an applet in Control Panel on a Windows device that allows you to view and delete logon information for websites, connected applications, and networks.
Question 518
After a recent breach, you have decided to increase the security of the Azure login process.
Which Azure tool should you use?
*A. Azure Multi-Factor Authentication (MFA)
B. Azure Key Vault
C. Azure Functions
D. Credential Manager
E. Azure Information Protection (AIP)
Explanation
Azure Multi-Factor Authentication (MFA) allows you to require multiple factors when authenticating. It works by requiring two or more of the following authentication methods:
- A password, which is “something you know”.
- A device like a phone or hardware key, which is “something you have”.
- Biometrics such as face scan or fingerprint, which is “something you are”.
Azure Information Protection (AIP) is a cloud-based solution that is part of the Microsoft Information Protection (MIP) solution. It uses labels to classify assets and apply tags.
All other choices are incorrect.
Azure Key Vault is an encrypted solution for storing organizational secrets such as passwords and encryption keys.
Azure Functions allows you to write serverless code in your language of preference to handle events at scale, with minimal overhead and cost.
Credential Manager is an applet in Control Panel on a Windows device that allows you to view and delete logon information for websites, connected applications, and networks.
Question 519
When using Azure AD Identity protection, which of the following is NOT a risk that it can mitigate?
A. Connections from an unknown address
B. Atypical travel
C. Malware-linked IP address
*D. Physical social engineering attacks
Explanation
While Azure AD Identity protection can alert you to issues that can lead to identity compromise, it cannot address physical security issues.
Among the issues it can detect and then alert to are:
- Anonymous IP address use
- Atypical travel
- Malware linked IP address
- Unfamiliar sign-in properties
- Leaked credentials
- Password spraying
Question 520
The Nutex Corporation needs to create, assign, and manage policies.
Which of the following statements about Azure Policy are TRUE? (Choose two.)
A. A Policy Definition is a collection of Initiative Definitions that achieve a common goal.
*B. A virtual machine that does not log into a specified Log Analytics workspace is deemed non-compliant.
*C. Guest Configuration uses Desired State Configuration v2 to audit the settings of a Windows virtual machine.
D. A new Policy Definition can be added from the PowerShell by using the New-PolicyDefinition cmdlet.
E. Remediation tasks created to remediate non-compliant resources use the Audit policy effect.
Explanation
The following statements are true:
- Guest Configuration uses Desired State Configuration v2 to audit the settings of a Windows virtual machine.
- A virtual machine that does not log into a specified Log Analytics workspace is deemed non-compliant.
Azure Policy can audit settings inside a machine. The validation is performed by the Guest Configuration extension and client. The extension, through the client, validates settings such as the configuration of the operating system, the configuration of the application, and the environment settings. To audit settings inside a machine, a virtual machine extension is enabled. The extension downloads applicable policy assignment and the corresponding configuration definition. You can use the Microsoft Desired State Configuration v2 utility to audit the settings of a Windows virtual machine.
Virtual machines are deemed noncompliant if they are not logging to the Log Analytics workspace specified in the policy or initiative assignment. The Azure Monitor feature reports this.
A Policy Definition is not a collection of Initiative Definitions that achieve a common goal. A Policy Definition contains the conditions under which it is enforced and a defined effect that takes place if the conditions are met. An Initiative Definition is a collection of policy definitions that are tailored towards achieving a singular overarching goal.
The cmdlet used to add a new Policy Definition is New-AzPolicyDefinition, not the New-PolicyDefinition cmdlet. The New-PolicyDefinition cmdlet is a legacy cmdlet that is no longer used to create policy definitions.
Remediation tasks created to remediate non-compliant resources do not use the Audit policy effect. Resources that are non-compliant to a deployIfNotExists policy can be put into a compliant state through Remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the tag operations of the assigned policy on your existing resources. The Audit policy effect generates a warning event in the activity log but doesn’t fail the request.