πGet Full PDF
| Question.16 Your company, named Contoso, Ltd., implements several Azure logic apps that have HTTP triggers. The logic apps provide access to an on-premises web service. Contoso establishes a partnership with another company named Fabrikam, Inc. Fabrikam does not have an existing Azure Active Directory (Azure AD) tenant and uses third-party OAuth 2.0 identity management to authenticate its users. Developers at Fabrikam plan to use a subset of the logic apps to build applications that will integrate with the on-premises web service of Contoso. You need to design a solution to provide the Fabrikam developers with access to the logic apps. The solution must meet the following requirements: β Requests to the logic apps from the developers must be limited to lower rates than the requests from the users at Contoso. β The developers must be able to rely on their existing OAuth 2.0 provider to gain access to the logic apps. β The solution must NOT require changes to the logic apps. β The solution must NOT use Azure AD guest accounts. What should you include in the solution? (A) Azure Front Door (B) Azure AD Application Proxy (C) Azure AD business-to-business (B2B) (D) Azure API Management |
16. Click here to View Answer
Answer: D
Explanation:
Many APIs support OAuth 2.0 to secure the API and ensure that only valid users have access, and they can only access resources to which they’re entitled. To use Azure API Management’s interactive developer console with such APIs, the service allows you to configure your service instance to work with your OAuth 2.0 enabled API.
Incorrect:
Azure AD business-to-business (B2B) uses guest accounts.
Azure AD Application Proxy is for on-premises scenarios.
Reference:
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2
| Question.17 HOTSPOT – You have an Azure subscription that contains 300 virtual machines that run Windows Server 2019. You need to centrally monitor all warning events in the System logs of the virtual machines. What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:  |
17. Click here to View Answer
Answer:
Explanation:
Box 1: A Log Analytics workspace
Send resource logs to a Log Analytics workspace to enable the features of Azure Monitor Logs.
You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs.
Box 2: Install the Azure Monitor agent
Use the Azure Monitor agent if you need to:
Collect guest logs and metrics from any machine in Azure, in other clouds, or on-premises.
Manage data collection configuration centrally
| Question.18 HOTSPOT – You have several Azure App Service web apps that use Azure Key Vault to store data encryption keys. Several departments have the following requests to support the web app:  Which service should you recommend for each department’s request? To answer, configure the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:  |
18. Click here to View Answer
Answer:
Explanation:
Box 1: Azure AD Privileged Identity Management
Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
Provide just-in-time privileged access to Azure AD and Azure resources
Assign time-bound access to resources using start and end dates
Require approval to activate privileged roles
Enforce multi-factor authentication to activate any role
Use justification to understand why users activate
Get notifications when privileged roles are activated
Conduct access reviews to ensure users still need roles
Download audit history for internal or external audit
Prevents removal of the last active Global Administrator role assignment
Box 2: Azure Managed Identity –
Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication.
Applications may use the managed identity to obtain Azure AD tokens. With Azure Key Vault, developers can use managed identities to access resources. Key
Vault stores credentials in a secure manner and gives access to storage accounts.
Box 3: Azure AD Privileged Identity Management
Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
Provide just-in-time privileged access to Azure AD and Azure resources
Assign time-bound access to resources using start and end dates
| Question.19 HOTSPOT – Your company has the divisions shown in the following table.  You plan to deploy a custom application to each subscription. The application will contain the following: β A resource group β An Azure web app β Custom role assignments β An Azure Cosmos DB account You need to use Azure Blueprints to deploy the application to each subscription. What is the minimum number of objects required to deploy the application? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:  |
19. Click here to View Answer
Answer:
Explanation:
Management Groups (2):
One management group per tenant to organize the subscriptions within each tenant.
Blueprint Definitions (2):
Since Blueprints are tenant-scoped, you need one Blueprint definition per tenant (East and West).
Blueprint Assignments (4):
Assign the Blueprint to each subscription individually (Sub1, Sub2, Sub3, Sub4) because resource deployments (resource groups, web apps, Cosmos DB accounts) require subscription-level assignments.
Even though you might use the same Blueprint definition within a tenant, you need separate assignments for each subscription to deploy the resources into them.
| Question.20 HOTSPOT – You need to design an Azure policy that will implement the following functionality: β For new resources, assign tags and values that match the tags and values of the resource group to which the resources are deployed. β For existing resources, identify whether the tags and values match the tags and values of the resource group that contains the resources. β For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values. The solution must use the principle of least privilege. What should you include in the design? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:  |
20. Click here to View Answer
Answer:
Explanation:
Box 1: Modify –
Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations. Policy assignments with effect set as Modify require a managed identity to do remediation.
Incorrect:
* The following effects are deprecated: EnforceOPAConstraint EnforceRegoPolicy
* Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.
Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it’s recommended to use the
Modify effect for tags instead.
Box 2: A managed identity with the Contributor role
The managed identity needs to be granted the appropriate roles required for remediating resources to grant the managed identity.
Contributor – Can create and manage all types of Azure resources but can’t grant access to others.
Incorrect:
User Access Administrator: lets you manage user access to Azure resources.