Question 21
Your company has an Azure subscription that includes two virtual machines, named VirMac1 and VirMac2, which both have a status of Stopped (Deallocated). The virtual machines belong to different resource groups, named ResGroup1 and ResGroup2. You have also created two Azure policies that are both configured with the virtualMachines resource type. The policy configured for ResGroup1 has a policy definition of Not allowed resource types, while the policy configured for ResGroup2 has a policy definition of Allowed resource types. You then create a Read-only resource lock on VirMac1, as well as a Read-only resource lock on ResGroup2. Which of the following is TRUE with regard to the scenario? (Choose all that apply.)
A. You will be able to start VirMac1.
B. You will NOT be able to start VirMac1.
C. You will be able to create a virtual machine in ResGroup2.
D. You will NOT be able to create a virtual machine in ResGroup2.
Answer:
BD
Explanation:
When you try to create a virtual machine in ResGroup2, it returns the error “The selected resource group is read only”.
Question 22
You have been tasked with delegating administrative access to your company’s Azure key vault. You have to make sure that a specific user can set advanced access policies for the key vault. You also have to make sure that access is assigned based on the principle of least privilege. Which of the following options should you use to achieve your goal?
A. Azure Information Protection
B. RBAC
C. Azure AD Privileged Identity Management (PIM)
D. Azure DevOps
Correct Answer: B
Explanation:
The answer is B, because PIM is where you can manage, control, and monitor the access.
The management plane uses RBAC. This is where you manage Key Vault itself, which includes creating and deleting key vaults, retrieving Key Vault properties, and updating access policies.
https://docs.microsoft.com/en-us/azure/key-vault/general/security-features#access-model-overview
Question 23
You have been tasked with delegating administrative access to your company’s Azure key vault. You have to make sure that a specific user is able to add and delete certificates in the key vault. You also have to make sure that access is assigned based on the principle of least privilege. Which of the following options should you use to achieve your goal?
A. A key vault access policy
B. Azure policy
C. Azure AD Privileged Identity Management (PIM)
D. Azure DevOps
Answer:
A
Explanation:
These operations are done on the key vault’s data plane. The suitable built-in role would be a Key Vault Certificates Officer – able to perform any action on the certificates of a key vault, except manage permissions.
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault
Question 24
You have an Azure virtual machine that runs Windows Server R2. You plan to deploy and configure an Azure Key Vault, and enable Azure Disk Encryption for the virtual machine. Which of the following is TRUE with regard to Azure Disk Encryption for a Windows VM?
A. It is supported for basic tier VMs.
B. It is supported for standard tier VMs.
C. It is supported for VMs configured with software-based RAID systems.
D. It is supported for VMs configured with Storage Spaces Direct (S2D).
Answer:
B
Explanation:
Windows VMs are available in a range of sizes. Azure Disk Encryption is supported on Generation 1 and Generation 2 VMs. Azure Disk Encryption is also available for VMs with premium storage.
Azure Disk Encryption is not available on Basic, A-series VMs, or on virtual machines with less than 2 GB of memory. For more exceptions, see Azure Disk Encryption: Unsupported scenarios.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows
Question 25
You have an Azure virtual machine that runs Ubuntu 16.04-DAILY-LTS. You plan to deploy and configure an Azure Key Vault, and enable Azure Disk Encryption for the virtual machine. Which of the following is TRUE with regard to Azure Disk Encryption for a Linux VM?
A. It is NOT supported for basic tier VMs.
B. It is NOT supported for standard tier VMs.
C. OS drive encryption for Linux virtual machine scale sets is supported.
D. Custom image encryption is supported.
Answer:
A
Explanation:
“Azure Disk Encryption does not work for the following Linux scenarios, features, and technology:
Encrypting basic tier VM or VMs created through the classic VM creation method.”
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-linux