Question.76 HOTSPOT
You need to design an Azure policy that will implement the following functionality:
* For new resources, assign tags and values that match the tags and values of the resource group to which the resources are deployed.
* For existing resources, identify whether the tags and values match the tags and values of the resource group that contains the resources.
* For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values.
The solution must use the principle of least privilege. What should you include in the design? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:

Box 1: Modify
Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations. Policy assignments with effect set as Modify require a managed identity to do remediation.
Incorrect:
* The following effects are deprecated: EnforceOPAConstraint, EnforceRegoPolicy
* Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.
Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it’s recommended to use the Modify effect for tags instead.
Box 2: A managed identity with the Contributor role
The managed identity needs to be granted the appropriate roles required for remediating resources.
Contributor – Can create and manage all types of Azure resources but can’t grant access to others.
Incorrect:
User Access Administrator: lets you manage user access to Azure resources.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Question.77 DRAG DROP
You plan to deploy an infrastructure solution that will contain the following configurations:
* External users will access the infrastructure by using Azure Front Door.
* External user access to the backend APIs hosted in Azure Kubernetes Service (AKS) will be controlled by using Azure API Management.
* External users will be authenticated by an Azure AD B2C tenant that uses OpenID Connect-based federation with a third-party identity provider.
Which function does each service provide? To answer, drag the appropriate functions to the correct services. Each function may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Answer:

Question.78 HOTSPOT
You are designing an app that will be hosted on Azure virtual machines that run Ubuntu. The app will use a third-party email service to send email messages to users. The third-party email service requires that the app authenticate by using an API key. You need to recommend an Azure Key Vault solution for storing and accessing the API key. The solution must minimize administrative effort. What should you recommend using to store and access the key? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:

Question.79
You have 100 servers that run Windows Server 2012 R2 and host Microsoft SQL Server 2014 instances. The instances host databases that have the following characteristics:
* Stored procedures are implemented by using CLR.
* The largest database is currently 3 TB. None of the databases will ever exceed 4 TB.
You plan to move all the data from SQL Server to Azure. You need to recommend a service to host the databases. The solution must meet the following requirements:
* Whenever possible, minimize management overhead for the migrated databases.
* Ensure that users can authenticate by using Azure Active Directory (Azure AD) credentials.
* Minimize the number of database changes required to facilitate the migration.
What should you include in the recommendation?
(A) Azure SQL Database elastic pools
(B) Azure SQL Managed Instance
(C) Azure SQL Database single databases
(D) SQL Server 2016 on Azure virtual machines
Answer: B
SQL Managed Instance allows existing SQL Server customers to lift and shift their on-premises applications to the cloud with minimal application and database changes. At the same time, SQL Managed Instance preserves all PaaS capabilities (automatic patching and version updates, automated backups, high availability) that drastically reduce management overhead and TCO.
Reference:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance
Question.80
You are developing an app that will read activity logs for an Azure subscription by using Azure Functions. You need to recommend an authentication solution for Azure Functions. The solution must minimize administrative effort. What should you include in the recommendation?
(A) an enterprise application in Azure AD
(B) system-assigned managed identities
(C) shared access signatures (SAS)
(D) application registration in Azure AD
Answer: B