az-104 practice-001

Question 1 of 50

You have a Microsoft Entra tenant named contoso.com. Microsoft Entra Connect is configured to sync users to the tenant.

You need to assign licenses to the users based on Microsoft Entra ID attributes. The attribute values will be set by the HR department.

Which two actions should you perform? Each correct answer presents part of the solution.

To assign licenses to users based on Microsoft Entra ID attributes, you must create a dynamic security group and configure rules based on custom attributes. The dynamic group must be added to a license group for automatic synchronization. All users in the groups will get the license automatically. Microsoft Entra evaluates the users in the organization that are in scope for an assignment policy rule and creates assignments for the users who don't have assignments to an access package; automatic assignment policies are not used for licensing.

Assign licenses to a group - Azure Active Directory - Microsoft Entra | Microsoft Learn

Configure user and group accounts - Training | Microsoft Learn

 

Question 2 of 50

UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com

For guest users, the user principal name (UPN) will contain the email of the guest user (bsmith_contoso.com) followed by #EXT# followed by the domain name of the tenant (@fabrikam.com). Regular Microsoft Entra users appear in the format username@domain.

B2B collaboration overview - Azure AD - Microsoft Entra | Microsoft Learn

Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn

 

Question 4 of 50

You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine named VM1 connected to a virtual network named Network1.

A user named Admin1 must be able to change the settings of Network1.

You need to use PowerShell to assign Admin1 the appropriate role and permissions.

Which two PowerShell statements should you use to complete the task? Each correct answer presents part of the solution.

Before assigning an RBAC role to a user, you must use the Get-AzADUser cmdlet to obtain the ID of the user. The New-AzRoleAssignment cmdlet can be used to assign an RBAC role to any resource. If you assign the Virtual Machine Contributor role to RG1, it will only allow changes to the virtual machine; it will not allow Admin1 to manage the virtual network. To modify network settings, you must assign the Network Contributor role.

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

Assign Azure roles using Azure PowerShell - Azure RBAC | Microsoft Learn

For a service principal, the ObjectId identifies the application or service that the service principal represents.

For an Azure AD user, the ObjectId identifies the person who the user represents.
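The two statements from Question 4 in sequence, as an added example that is not part of the original question or its answer key. The UPN admin1@contoso.com is a constructed placeholder, and scoping the role to Network1 itself rather than to all of RG1 is an assumption made here to keep the grant as narrow as the task requires.

```powershell
# Added example; requires the Az.Resources and Az.Network modules and a signed-in context.
# Constructed placeholder UPN for Admin1 (not given on the page).
$upn = 'admin1@contoso.com'

# Statement 1: resolve the user to an object ID.
$user = Get-AzADUser -UserPrincipalName $upn
if (-not $user) { throw "User $upn was not found in the tenant." }

# Assumed scope: the virtual network resource, not the whole resource group.
$vnet = Get-AzVirtualNetwork -Name 'Network1' -ResourceGroupName 'RG1'

# Get-AzRoleAssignment also returns assignments inherited from parent scopes,
# so filter to the exact scope before deciding whether to create a new one.
$existing = Get-AzRoleAssignment -ObjectId $user.Id -Scope $vnet.Id `
                -RoleDefinitionName 'Network Contributor' |
            Where-Object { $_.Scope -eq $vnet.Id }

# Statement 2: assign Network Contributor only if it is not already present.
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $user.Id `
        -RoleDefinitionName 'Network Contributor' `
        -Scope $vnet.Id
}

# Review everything Admin1 holds at this scope, including inherited roles.
Get-AzRoleAssignment -ObjectId $user.Id -Scope $vnet.Id |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The final listing is worth reading before closing the change: an inherited Contributor or Owner assignment from RG1 or the subscription would already grant more than Network Contributor does.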

 

Question 7 of 50

You have several management groups and Azure subscriptions.

You want to prevent the accidental deletion of resources.

To which three resource types can you apply delete locks? Each correct answer presents a complete solution.

You can use delete locks to block the deletion of virtual machines, subscriptions, and resource groups. You cannot use delete locks on management groups or storage account data.

Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn

Use Azure Resource Manager - Training | Microsoft Learn

As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.

Virtual machines count as a resource.
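Delete locks at the three scopes named in Question 7, as an added example that is not part of the original question. RG1 and VM1 are assumed names, the lock names are hypothetical, and the subscription is taken from the current Az context.

```powershell
# Added example; requires the Az.Resources module and a signed-in context.
$subId = (Get-AzContext).Subscription.Id

# 1. Subscription scope: inherited by every resource group and resource below it.
New-AzResourceLock -LockName 'no-delete-sub' -LockLevel CanNotDelete `
    -Scope "/subscriptions/$subId" `
    -LockNotes 'Prevent accidental deletion' -Force

# 2. Resource group scope (assumed name RG1).
New-AzResourceLock -LockName 'no-delete-rg' -LockLevel CanNotDelete `
    -ResourceGroupName 'RG1' -Force

# 3. Single resource: a virtual machine (assumed name VM1).
New-AzResourceLock -LockName 'no-delete-vm' -LockLevel CanNotDelete `
    -ResourceGroupName 'RG1' -ResourceName 'VM1' `
    -ResourceType 'Microsoft.Compute/virtualMachines' -Force

# List every lock in the subscription to confirm what is in place.
Get-AzResourceLock | Select-Object Name, ResourceId
```

The three calls are shown together for comparison; because locks are inherited by child scopes, the subscription-level lock alone already covers RG1 and VM1.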

 

Question 8 of 50

You have an Azure subscription that contains 25 virtual machines.

You need to ensure that each virtual machine is associated to a specific department for reporting purposes.

What should you use?

Tags are metadata elements that can be applied to Azure resources. Tags can be used for tracking resources such as virtual machines and associating each resource to a department for billing and reporting purposes.

Administrative units are containers used for delegating administrative roles to manage a specific portion of Microsoft Entra. Administrative units cannot contain Azure virtual machines.

Management groups are containers that can be used to manage access, policy, and compliance across multiple Azure subscriptions.

Azure Storage accounts contain Azure Storage data objects, including blobs, file shares, queues, tables, and disks. A storage account cannot contain virtual machines.

Tag resources, resource groups, and subscriptions for logical organization - Azure Resource Manager | Microsoft Learn

Configure virtual machines - Training | Microsoft Learn

 

Question 9 of 50

You have an Azure subscription that contains 200 virtual machines.

You plan to use Azure Advisor to provide cost recommendations when underutilized virtual machines are detected.

You need to ensure that all Azure admins are notified whenever an Advisor alert is generated. The solution must minimize administrative effort.

What should you configure?

Whenever Azure Advisor detects a new recommendation for resources, an event is stored in the Azure Activity log. You can set up alerts for these events from Azure Advisor. You can select a subscription and optionally a resource group to specify the resources for which you want to receive alerts. You also need to create an action group that will contain all the users to be notified.

Create action groups - Training | Microsoft Learn

Create Azure Advisor alerts for new recommendations using Azure portal - Azure Advisor | Microsoft Learn

 

Question 10 of 50

You have an Azure subscription that contains a tenant named contoso.com.

All users in contoso.com are currently able to invite external users to B2B collaboration.

You need to ensure that only members of the Guest Inviter, User Administrator, and Global Administrator roles can invite guest users.

What should you configure?

 

External collaboration settings let you specify which roles in your organization can invite external users for B2B collaboration. These settings also include options for allowing or blocking specific domains and options for restricting what external guest users can see in your Microsoft Entra directory.

Conditional Access allows you to apply rules to strengthen authentication and block access to resources from unknown locations.

Cross-tenant access settings are used to configure collaboration with a specific Microsoft Entra organization.

Access reviews are not used to control who can invite guest users.

Create Azure users and groups in Azure Active Directory - Training | Microsoft Learn

Enable B2B external collaboration settings - Microsoft Entra | Microsoft Learn

 

Question 11 of 50

Your company has a main office in Seattle and a branch office in New York.

You have an Azure subscription that contains an application named App1 and a user named User1 located in the Seattle office.

User1 travels to the New York office and receives the following error message when attempting to sign in to App1: “Your sign-in was blocked.”

When located in the Seattle office, the access of User1 functions properly, and no other users report issues with accessing App1.

You need to ensure that User1 can sign in to App1.

What should you do from the Microsoft Azure portal?

Identity Protection provides organizations with three reports that they can use to investigate identity risks in their environment. These reports are Risky users, Risky sign-ins, and Risk detections. Investigation of events is key to better understanding and identifying any weak points in your security strategy. When users sign in to Azure from a remote location, Identity Protection may identify these users as risky users. Unless the user risk is remediated, they will not be able to sign in. You can dismiss a user risk from the Risky users report in Identity Protection.

Remediate risks and unblock users in Azure AD Identity Protection - Microsoft Entra | Microsoft Learn

 

Question 13 of 50

You have an Azure subscription that contains a resource group named RG1. RG1 contains an Azure virtual machine named VM1.

You need to use VM1 as a template to create a new Azure virtual machine.

Which three methods can you use to complete the task? Each correct answer presents a complete solution.

From RG1, selecting the Download option from the Export template page exports the Azure Resource Manager (ARM) template from the resource group properties. You can then deploy the ARM template by running the New-AzResourceGroupDeployment cmdlet.

By using the Save-AzDeploymentTemplate cmdlet, you can save the resource ARM template. You can then deploy the ARM template by running the New-AzResourceGroupDeployment cmdlet.

From VM1, selecting the Deploy option from the Export template page allows you to deploy a new Azure virtual machine and use the configuration of VM1 as the template.

The Save-AzDeploymentScriptLog cmdlet is used to save the log of a deployment script execution.

The Get-AzVM cmdlet generates a list of virtual machines that are created in the Azure subscription.

Export template in Azure portal - Azure Resource Manager | Microsoft Learn

Export template in Azure PowerShell - Azure Resource Manager | Microsoft Learn

Automate Azure tasks using scripts with PowerShell - Training | Microsoft Learn

 

 

 

 

 

 

 

 
