- (Exam Topic 4)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources: 
A virtual network that has a subnet named Subnet1 Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1 A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule: 
Priority: 100 Source: Any Source port range: * Destination: * Destination port range: 3389 Protocol: UDP Action: Allow
VM1 connects to Subnet1. NSG1-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.
Does this meet the goal?
Correct Answer:A
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default. References:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection
- (Exam Topic 4)
You have an Azure subscription named Subcription1 that contains a resource group named RG1. In RG1. you create an internal load balancer named LB1 and a public load balancer named 162.
You need to ensure that an administrator named Admin 1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Caen correct selection is worth one point.
Solution:
Box 1: Network Contributor on RG1
To add to the backend pool, write permission is required on the Resource Group because it writes deployment information. To add a backend pool, you need network contributor role on the LB and on the VMs that will be part of the backend pool.
For this reason the network contributor role must be assigned to the RG where the LB and the VM resides. So the correct answer is Network Contributor on RG1 .
Box 2: Network Contributor on RG1
For Health Probe also, without having access to RG1, no health probe can be added. If only Network Contributor role is assigned to LB then the user would not be able to access the IP addresses of the member pools.
Owner/Contributor can give the user access for everything. So it will not fit into the the principle of least privilege. Hence Owner and contributor role is incorrect choices for the question.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Does this meet the goal?
Correct Answer:A
- (Exam Topic 4)
You have peering configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Solution:
Box 1: vNET6 only
Peering status to both VNet1 and Vnet2 are disconnected. Box 2: delete peering1
Peering to Vnet1 is Enabled but disconnected. We need to update or re-create the remote peering to get it back to Initiated state.
Reference:
https://blog.kloud.com.au/2018/10/19/address-space-maintenance-with-vnet-peering/ https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-andconst
Does this meet the goal?
Correct Answer:A
- (Exam Topic 4)
You have an Azure subscription that contains an Azure Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.
You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
Number of methods required to reset: 2 Methods available to users: Mobile phone, Security questions Number of questions required to register: 3 Number of questions required to reset: 3 You select the following security questions: What is your favorite food? In what city was your first job?
What was the name of your first pet?
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Solution:
Box 1: No
Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing passwords of administrators:
On-premises enterprise administrators or domain administrators cannot reset their password through
Self-service password reset (SSPR). They can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin accounts to Azure AD.
An administrator cannot use secret Questions & Answers as a method to reset password. Box 2: Yes
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT staff.
Box 3: Yes References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
Does this meet the goal?
Correct Answer:A
- (Exam Topic 5)
You have the Azure management groups shown in the following table.
You add Azure subscriptions to the management groups as shown in the following table.
You create the Azure policies shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Solution:
Box 1: No
Virtual networks are not allowed at the root and is inherited. Deny overrides allowed. Box 2: Yes
Virtual Machines can be created on a Management Group provided the user has the required RBAC permissions.
Box 3: Yes
Subscriptions can be moved between Management Groups provided the user has the required RBAC permissions.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
https://docs.microsoft.com/en-us/azure/governance/management-groups/manage#moving-management-groups-a
Does this meet the goal?
Correct Answer:A