The latest Microsoft AZ-900 Azure Fundamentals certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-900 Azure Fundamentals exam and earn Microsoft AZ-900 Azure Fundamentals certification.
Question 521
Your company has a Microsoft 365 subscription. The company has over 100 users that will use Microsoft 365. This is an example of which of the following types of cloud services?
*A. SaaS
B. IaaS
C. FaaS
D. PaaS
Explanation
You would choose Software as a service (SaaS). SaaS is software that is hosted in the cloud and managed by the cloud provider for the customer. The customer can configure the software according to their needs. SaaS allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendars, and office tools. SaaS is typically licensed through a monthly or annual subscription. Microsoft Office 365 is an example of SaaS software.
You would not choose Infrastructure as a service (IaaS). IaaS is a category of cloud computing services that is used by many cloud providers. With IaaS, you pay for resources such as servers, virtual machines (VMs), storage, networks, and operating systems from a cloud provider on a pay-as-you-go basis. These resources are provisioned and managed over the Internet.
You would not choose Platform as a service (PaaS). PaaS provides a company with an environment for developing, running, debugging, testing, patching, and deploying software applications. PaaS allows you to quickly create an application without having to worry about managing the underlying infrastructure. PaaS eliminates the need to install an operating system, web server, server patches, or other infrastructure to create applications. PaaS creates a complete deployment environment in the cloud that has tools to deliver simple cloud-based apps or sophisticated cloud-enabled enterprise applications. The tools and resources are purchased from the service provider on a pay-as-you-go basis.
You would not choose Function as a service (FaaS). This type of service uses a service-hosted remote procedure call. It uses serverless computing in the cloud to enable deployment of functions that run in response to events that occur in the cloud.
Question 522
You are implementing Azure roles to be used in your new tenant.
System administrators who are new to Azure are not sure what the difference is between Azure RBAC roles and Azure AD administrator roles.
Which statements are true for Azure RBAC roles? (Choose three.)
*A. Scope can be specified at multiple levels (subscription, resource group, resource).
B. Role information can be accessed in Microsoft Graph.
C. Scope is at the tenant level.
*D. Role information can be accessed in Azure CLI.
E. Manage access to Azure Active Directory resources.
*F. Manage access to Azure resources.
Explanation
In Azure RBAC roles, information can be accessed in Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, and REST API. Scope in Azure RBAC can be specified at multiple levels (management group, subscription, resource group, resource). RBAC roles can manage access to Azure resources.
Role information cannot be accessed in Microsoft Graph because that is available only for Azure AD administrator roles.
The scope of a role is not at the tenant level for most roles. Only Azure AD administrator roles have a scope at the tenant level.
You cannot manage access to Azure Active Directory resources for most roles. You can control access to Azure Active Directory resources only for Azure AD administrator roles.
Question 523
The Nutex Corporation has deployed multiple subscriptions and multiple resources and resource groups on Azure. You are part of the Azure management team who must simplify policy management on Azure.
Which of the following statements about the Initiatives feature in Azure are TRUE? (Choose three.)
*A. Initiative parameters help simplify initiative management by reducing redundancy.
B. The maximum allowed initiative definitions for a tenant is 100.
*C. The scope for an initiative definition must either be a management group or a subscription.
*D. An initiative definition is a collection of policy definitions that can be used for a common overarching goal.
Explanation
An initiative definition is a collection of policy definitions that can be used for a common overarching goal. Initiative definitions group a set of policies as one single item that can be assigned to scopes.
The scope for an initiative definition must either be a management group or a subscription:
- Subscription – Resources within that subscription can be assigned the policy.
- Management group – Resources within child management groups and child subscriptions can be assigned the policy. The location must be a management group that contains those subscriptions if you plan to apply the policy definition to several subscriptions.
Initiative parameters help simplify initiative management by reducing redundancy. They are used within the initiative’s policy definition and include allowedLocations (type=array) and allowedSingleLocation (string).
It is not true that the maximum number of allowed initiative definitions for a tenant is 100. The following are the maximum counts of policy objects you can create per scope or tenant:
- Policy definitions per scope – 500
- Initiative definitions per scope – 100
- Initiative definitions per tenant – 1,000
- Policy or initiative assignments per scope – 100
- Parameters per policy definition – 20
- Policies per initiative definition – 100
- Parameters per initiative definition – 100
Question 524
Which of the following are characteristics of a public cloud? Choose three.
*A. Virtually unlimited storage
B. Only one tenant is supported
*C. Resource pooling
D. Services are always free
*E. Provider manages the network and virtualization software
Explanation
The following are characteristics of a public cloud:
- Virtually unlimited storage
- Resource pooling
- Provider manages the network and virtualization software
In a public cloud, you can pay for the storage level that you want. You can have almost unlimited storage.
In a public cloud, there is no dedicated hardware. The computing resources in the infrastructure provided by the provider are pooled together to serve multiple customers.
In a public cloud, the provider manages the network and virtualization software. The customer pays for the virtual machines and virtual networks that are provisioned, but the underlying structure is managed by the provider.
In a public cloud, services are sometimes free, but generally have metered pricing. You pay for the services that you want when you want.
A public cloud may support multiple tenants.
Question 525
You are the administrator of the Nutex Corporation. You build a Web API 2 HTTP API (hosted on-premises) for the NutexApp application, which is responsible for managing shipping orders. The identity management for the app has to be outsourced to Azure Active Directory B2C.
Service consumers will rely on Azure Active Directory B2C to add features to the app that will support sign up and sign-in for new accounts using identity providers like Facebook, Google, Amazon, LinkedIn, or using Microsoft accounts. Users should be able to sign in with their individual credentials. The consumer does not have to edit the profile attribute, but you want to allow the option to reset the password.
Which kind of policies should you create to meet the requirements with the least amount of effort? (Choose two.)
A. Sign-up policy
B. Sign-in policy
*C. Password reset policy
*D. Sign-up or sign-in policy
E. Profile editing policy
Explanation
You should create a sign-up or sign-in policy and a password reset policy. The sign-up or sign-in policy controls the consumer sign-up and sign-in experiences with a single policy. The sign-up or sign-in policy allows users to choose the right path for either sign-up or sign-in with identity provider credentials, depending on the context. This policy also describes the contents of tokens used for sign-ups or sign-ins from the application.
The password reset policy allows you to enable fine-grained password reset on your application. Note that the tenant-wide password reset option that has been specified is still applicable for sign-in policies.
After creating a sign-in policy (with local accounts) or a sign-up policy, the user should see a “Forgot Password” link on the first page of the experience. Clicking the link does not automatically trigger a password reset policy. Instead, it generates a specific error code, AADB2C90118, which is returned to your app. You must write logic into your app to handle this error and invoke a specific password reset policy.
You should not configure a separate sign-in policy and a separate sign-up policy. For the least administrative effort, you should configure a sign-in or sign-up policy.
You should not create a profile editing policy. In this scenario, you do not have to edit the profile attribute. The profile editing policy enables profile editing on your application. This policy describes the experiences that consumers will go through during profile editing, to edit profiles, and to view the contents of tokens that the application will receive on successful completion.
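The AADB2C90118 handling described in the Question 525 explanation, as an added example that is not part of the original page: the callback handler recognizes the "Forgot Password" error and answers it with a redirect to the password reset policy. The tenant name, client ID, redirect URI and policy name are placeholders, and the example assumes an authorization code flow whose responses arrive as query-string parameters on the standard b2clogin.com authorize endpoint.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values assumed for this example; none come from the page.
TENANT = "contoso"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/auth/callback"
RESET_POLICY = "B2C_1_password_reset"
FORGOT_PASSWORD = "AADB2C90118"  # error code named in the explanation

# Constructed sample of the redirect the app receives after "Forgot Password".
SAMPLE_CALLBACK = (REDIRECT_URI + "?error=access_denied&state=abc123"
    "&error_description=AADB2C90118%3A+The+user+has+forgotten+their+password.")


def reset_url(state):
    """Authorize URL that starts the password reset policy."""
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{RESET_POLICY}/oauth2/v2.0/authorize")
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "response_type": "code", "scope": "openid",
                       "state": state})
    return f"{base}?{query}"


def handle_callback(callback_url, expected_state):
    """Decide what to do with a redirect coming back from Azure AD B2C."""
    query = parse_qs(urlsplit(callback_url).query)
    params = {key: values[0] for key, values in query.items()}
    # Drop responses that do not match the state this session sent.
    got = params.get("state", "").encode()
    if not secrets.compare_digest(got, expected_state.encode()):
        return {"action": "reject", "detail": "state mismatch"}
    description = params.get("error_description", "")
    if "error" in params and description.startswith(FORGOT_PASSWORD):
        # Not a failure: start the password reset policy with a fresh state.
        state = secrets.token_urlsafe(16)
        return {"action": "redirect", "url": reset_url(state), "state": state}
    if "error" in params:
        return {"action": "error", "detail": params["error"]}
    return {"action": "continue", "detail": params.get("code")}


if __name__ == "__main__":
    print(handle_callback(SAMPLE_CALLBACK, "abc123"))
```

The caller stores the returned `state` in the session before redirecting, so the response from the password reset policy can be matched to the request.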
Question 526
You are the administrator of the Nutex Corporation. Your Sales department’s users report that they always have to use their smartcards and PIN to access their Azure AD applications, named App1, App2, and App3. Users are not allowed to use app passwords for Outlook, which is installed locally on their computers.
They can access the applications from inside the company from the internal subnet without problem. When they are traveling outside the office, they want to access these three apps without their smartcard and PIN if they are in the corporate intranet.
What setting should you configure?
A. Skip multi-factor authentication for requests from following range of IP address subnets.
B. Allow users to suspend MFA authentication by causing a device to be remembered.
*C. Skip multi-factor authentication for requests from federated users on my intranet.
D. Allow users to create app passwords to sign into non-browser apps.
Explanation
You have to set Skip multi-factor authentication for requests from federated users on my intranet under Multi-factor authentication in the Azure management portal. This setting allows the Sales department users to access the applications App1, App2, and App3 without using their smartcard and PIN if they are in the company intranet network.
You do not have to set Allow users to create app passwords to sign into non-browser apps under Multi-factor authentication in the Azure management portal. If a user has been enabled for multi-factor authentication and the user attempts to use a non-browser app, he will be unable to do so. An app password allows a user to sign into a non-browser app. In this scenario, the apps are browser-based apps, and you want the Sales department users to access the applications without MFA if they are in the intranet. App passwords will not achieve this objective.
You do not have to set Skip multi-factor authentication for requests from following range of IP address subnets because the sales department users want to access the application from the intranet, not from a specific subnet. This setting contains an IP whitelist you can use to define a subnet or range of subnets that grant access to the application without multi-factor authentication.
You do not have to set Allow users to suspend MFA authentication by causing a device to be remembered because when the admin enables this feature, end users can choose to have Azure AD remember the device and browser they are signing in from when completing a successful MFA. The MFA suspension lasts between 1 and 60 days based on administrator configuration. The feature is available for all flavors of Azure multi-factor authentication, including multi-factor authentication for Office 365 and multi-factor authentication for Azure admins.
Question 527
You want to have Azure monitor your VMs for CPU usage.
Which of the following actions can you configure when CPU usage rises above a designated threshold? (Choose all that apply.)
A. run a batch file
B. execute a PowerShell script
*C. send email notifications
D. call a performance monitor counter for a performance management object
*E. call a webhook
*F. start execution of an Azure runbook
Explanation
An alert triggers when the value of a specified metric crosses a threshold you designate. The actions that can be taken when metric alert triggers are:
- Send email/SMS/Push/Voice notifications
- Call a webhook
- Start execution of an Azure runbook
- Run a Logic App
- Use an IT Service Management Connector (ITSMC)
You can send email notifications to owners, contributors, or readers. You can also add additional email addresses of administrators.
Webhooks route a notification to another computer or system using HTTP or HTTPS endpoints.
You can start the execution of an Azure runbook when you use Azure Automation. You can have a runbook run when an alert is triggered.
You cannot have an Azure VM run a batch file, execute a PowerShell script, or launch a backup when CPU usage rises above a designated threshold. Only email notifications, webhooks, or runbooks can be triggered by an alert.
You can use the Azure CLI az monitor metrics alert command to create and monitor alerts. For example, you can create a simple metric alert rule that monitors whether the average Percentage CPU on a VM is greater than 80:
az monitor metrics alert create -n Alert1 -g ResourceGroup1 --scopes {VirtualMachineResourceID} --condition "avg Percentage CPU > 80" --description CPUpercentage
You can use PowerShell cmdlets to create a classic alert rule as shown in the following example, which triggers whenever it consistently receives any traffic for 10 minutes and again when it receives no traffic for 10 minutes:
Add-AzureRmMetricAlertRule -Name myMetricRuleWithWebhookAndEmail -Location "West US" -ResourceGroup myresourcegroup -TargetResourceId /subscriptions/dededede-7aa0-407d-a6fb-eb20c8bd1192/resourceGroups/myresourcegroupname/providers/Microsoft.Web/sites/mywebsitename -MetricName "BytesReceived" -Operator GreaterThan -Threshold 2 -WindowSize 00:10:00 -TimeAggregationOperator Total -Description "alert on any website activity"
You can send an email or create a webhook when an alert triggers. However, you have to create the email or the webhook before creating the alert rule. If an alert rule is already created, you cannot associate webhooks or emails with it. For this reason, you cannot associate a PowerShell script with an alert rule.
You cannot associate Performance Monitor counters with an alert rule. You are limited to the signal logic metrics provided:
These metrics are similar, but not the same as Performance Monitor.
Question 528
Which Azure Active Directory (Azure AD) feature is used to provide access to resources based on organizational policies?
A. multi-factor authentication (MFA)
B. single sign-on (SSO)
C. administrative units
*D. Conditional Access
Explanation
Conditional Access is the tool used by Azure Active Directory to allow (or deny) access to resources based on identity signals. Conditional access is a more refined MFA (multifactor authentication) method.
Question 529
Select the answer that correctly completes the sentence.
Single sign-on (SSO) is __________ method that enables users to sign in the first time and access various applications and resources by using the same password.
A. a validation
*B. an authentication
C. a configuration
D. an authorization
Explanation
Single sign-on is an authentication method that allows users to sign in using one set of credentials to log in across applications. Single sign-on makes it easier to manage passwords and increases security capabilities.
Question 530
Match the services on the left to the correct descriptions on the right.
Services:
- Pricing calculator
- TCO calculator
- Cost management
Descriptions:
- Estimates workload costs
- Estimates the cost savings by comparing datacenter costs to running the same workload on Azure
- Helps control, analyze, and optimize workload costs
Answer:
Pricing calculator: Estimates workload costs
TCO calculator: Estimates the cost savings by comparing datacenter costs to running the same workload on Azure
Cost management: Helps control, analyze, and optimize workload costs
Explanation
The pricing calculator helps you estimate workload costs.
The TCO calculator provides the approximate cost savings of operating a similar workload on Azure compared with an on-premises datacenter.
Azure Cost Management helps you understand your Azure bill and manage your account.