The latest Microsoft AZ-900 Azure Fundamentals practice exam question and answer (Q&A) dumps are available free to help you pass the Microsoft AZ-900 Azure Fundamentals exam and earn the Microsoft AZ-900 Azure Fundamentals certification.
Question 741
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Statement 1: Adding resource groups in an Azure subscription generates additional costs: No
Statement 2: Copying 10 GB of data to Azure from an on-premises network over a VPN generates additional Azure data transfer costs: No
Statement 3: Copying 10 GB of data from Azure to an on-premises network over a VPN generates additional Azure data transfer costs: Yes
Explanation
Statement 1: Adding resource groups in an Azure subscription generates additional costs: No
Resource groups are logical containers for Azure resources. You do not pay for resource groups.
Statement 2: Copying 10 GB of data to Azure from an on-premises network over a VPN generates additional Azure data transfer costs: No
Data ingress over a VPN is data ‘coming in’ to Azure over the VPN. You are not charged data transfer costs for data ingress.
Statement 3: Copying 10 GB of data from Azure to an on-premises network over a VPN generates additional Azure data transfer costs: Yes
Data egress over a VPN is data ‘going out’ of Azure over the VPN. You are charged for data egress.
Question 742
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Statement 1: In Azure Active Directory Premium P2, at least 99.9 percent availability is guaranteed: Yes
Statement 2: The Service Level Agreement (SLA) for Azure Active Directory Premium P2 is the same as the SLA for Azure Active Directory Free: No
Statement 3: All paying Azure customers receive a credit if their monthly uptime percentage is below the guaranteed amount in the Service Level Agreement (SLA): Yes
Explanation
Statement 1: In Azure Active Directory Premium P2, at least 99.9 percent availability is guaranteed: Yes
Microsoft guarantees at least 99.9% availability of the Azure Active Directory Premium edition services. The services are considered available in the following scenarios:
- Users are able to log in to the service, log in to the Access Panel, access applications on the Access Panel and reset passwords.
- IT administrators are able to create, read, write and delete entries in the directory or provision or de-provision users to applications in the directory.
Statement 2: The Service Level Agreement (SLA) for Azure Active Directory Premium P2 is the same as the SLA for Azure Active Directory Free: No
No SLA is provided for the Free tier of Azure Active Directory.
Statement 3: All paying Azure customers receive a credit if their monthly uptime percentage is below the guaranteed amount in the Service Level Agreement (SLA): Yes
You can claim credit if the availability falls below the SLA. The amount of credit depends on the availability. For example: You can claim 25% credit if the availability is less than 99.9%, 50% credit for less than 99% and 100% for less than 95% availability.
Question 743
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Statement 1: Storing 1 TB of data in Azure Blob storage will always cost the same, regardless of the Azure region in which the data is located: No
Statement 2: When you use a general-purpose v2 Azure Storage account, you are only charged for the amount of data that is stored. All read and write operations are free: No
Statement 3: Transferring data between Azure Storage accounts in different Azure regions is free: No
Explanation
Statement 1: Storing 1 TB of data in Azure Blob storage will always cost the same, regardless of the Azure region in which the data is located: No
The price of Azure storage varies by region. If you use the Azure storage pricing page, you can select different regions and see how the price changes per region.
Statement 2: When you use a general-purpose v2 Azure Storage account, you are only charged for the amount of data that is stored. All read and write operations are free: No
You are charged for read and write operations in general-purpose v2 storage accounts.
Statement 3: Transferring data between Azure Storage accounts in different Azure regions is free: No
You would be charged for the read operations of the source storage account and write operations in the destination storage account.
Question 744
You have a resource group named RG1.
You need to prevent the creation of virtual machines only in RG1. The solution must ensure that other objects can be created in RG1.
What should you use?
A. a lock
B. an Azure role
C. a tag
*D. an Azure policy
Explanation
Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
In this question, we would create an Azure policy assigned to the resource group that denies the creation of virtual machines in the resource group.
You could place a read-only lock on the resource group. However, that would prevent the creation of any resources in the resource group, not virtual machines only. Therefore, an Azure Policy is a better solution.
Question 745
You create a resource group named RG1 in Azure Resource Manager.
You need to prevent the accidental deletion of the resources in RG1.
Which setting should you use?
Settings:
- Quickstart
- Resource costs
- Deployments
- Policies
- Properties
- Locks
- Automation script
Answer:
Locks
Explanation
You can configure a lock on a resource group to prevent accidental deletion.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
- CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
- ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Question 746
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Statement 1: You can configure the Azure Active Directory (Azure AD) activity logs to appear in Azure Monitor: Yes
Statement 2: From Azure Monitor, you can monitor resources across multiple Azure subscriptions: Yes
Statement 3: From Azure Monitor, you can create alerts: Yes
Explanation
Statement 1: You can configure the Azure Active Directory (Azure AD) activity logs to appear in Azure Monitor: Yes
You can send Azure AD activity logs to Azure Monitor logs to enable rich visualizations, monitoring and alerting on the connected data.
All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs (including Azure AD activity logs). Activity logs record when resources are created or modified. Metrics tell you how the resource is performing and the resources that it’s consuming.
Statement 2: From Azure Monitor, you can monitor resources across multiple Azure subscriptions: Yes
Azure Monitor can consolidate log entries from multiple Azure resources, subscriptions, and tenants into one location for analysis together.
Statement 3: From Azure Monitor, you can create alerts: Yes
You can create alerts in Azure Monitor.
Alerts in Azure Monitor proactively notify you of critical conditions and potentially attempt to take corrective action. Alert rules based on metrics provide near real time alerting based on numeric values, while rules based on logs allow for complex logic across data from multiple sources.
Question 747
Your network contains an Active Directory forest. The forest contains 5,000 user accounts.
Your company plans to migrate all network resources to Azure and to decommission the on-premises data center.
You need to recommend a solution to minimize the impact on users after the planned migration.
What should you recommend?
A. Implement Azure Multi-Factor Authentication (MFA)
*B. Sync all the Active Directory user accounts to Azure Active Directory (Azure AD)
C. Instruct all users to change their password
D. Create a guest user account in Azure Active Directory (Azure AD) for each user
Explanation
To migrate to Azure and decommission the on-premises data center, you would need to create the 5,000 user accounts in Azure Active Directory. The easiest way to do this is to sync all the Active Directory user accounts to Azure Active Directory (Azure AD). You can even sync their passwords to further minimize the impact on users.
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations related to synchronizing identity data between your on-premises environment and Azure AD.
Question 748
To what should an application connect to retrieve security tokens?
A. an Azure Storage account
*B. Azure Active Directory (Azure AD)
C. a certificate store
D. an Azure key vault
Explanation
Azure AD authenticates users and provides access tokens. An access token is a security token that is issued by an authorization server. It contains information about the user and the app for which the token is intended, which can be used to access Web APIs and other protected resources.
Instead of creating apps that each maintain their own username and password information, which incurs a high administrative burden when you need to add or remove users across multiple apps, apps can delegate that responsibility to a centralized identity provider.
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. Delegating authentication and authorization to it enables scenarios such as Conditional Access policies that require a user to be in a specific location, the use of multi-factor authentication, as well as enabling a user to sign in once and then be automatically signed in to all of the web apps that share the same centralized directory. This capability is referred to as Single Sign On (SSO).
Question 749
Match the term to the correct definition. Each term may be used once, more than once, or not at all.
Terms:
- Azure Government
- GDPR
- ISO
- NIST
Definitions:
- An organization that defines international standards across all industries
- An organization that defines standards used by the United States government.
- A European policy that regulates data privacy and data protection.
- A dedicated public cloud for federal and state agencies in the United States.
Answer:
- ISO: An organization that defines international standards across all industries
- NIST: An organization that defines standards used by the United States government.
- GDPR: A European policy that regulates data privacy and data protection.
- Azure Government: A dedicated public cloud for federal and state agencies in the United States.
Explanation
ISO: An organization that defines international standards across all industries. ISO is the International Organization for Standardization. Companies can be certified to ISO standards, for example ISO 9001 or 27001 are commonly used in IT companies.
NIST: An organization that defines standards used by the United States government. The National Institute of Standards and Technology (NIST) is a physical sciences laboratory, and a non-regulatory agency of the United States Department of Commerce.
GDPR: A European policy that regulates data privacy and data protection. GDPR is the General Data Protection Regulation. This standard was adopted across Europe in May 2018 and replaces the now deprecated Data Protection Directive.
The General Data Protection Regulation (EU) (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Azure Government: A dedicated public cloud for federal and state agencies in the United States. US government agencies or their partners interested in cloud services that meet government security and compliance requirements can be confident that Microsoft Azure Government provides world-class security, protection, and compliance services. Azure Government delivers a dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. Azure Government services handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. In order to provide you with the highest level of security and compliance, Azure Government uses physically isolated datacenters and networks (located in the U.S. only).
Question 750
You need to ensure that when Azure Active Directory (Azure AD) users connect to Azure AD from the Internet by using an anonymous IP address, the users are prompted automatically to change their password.
Which Azure service should you use?
A. Azure AD Connect Health
B. Azure AD Privileged Identity Management
C. Azure Advanced Threat Protection (ATP)
*D. Azure AD Identity Protection
Explanation
Azure AD Identity Protection includes two risk policies: sign-in risk policy and user risk policy. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner.
There are several types of risk detection. One of them is Anonymous IP Address. This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their login telemetry (IP address, location, device, etc.) for potentially malicious intent.
You can configure the sign-in risk policy to require that users change their password.