I am starting a blog to learn Implementing Microsoft Azure Infrastructure Solutions (70-533). For this purpose I am posting practice questions with answers from different dumps. The objective is to discuss whether the answers are correct or incorrect. I need input (comments) from you people, and it will also be helpful for those who intend to take this exam. The first question with its topic is as follows:
QUESTION-1: Your company network includes two branch offices. Users at the company access internal virtual machines (VMs).
You want to ensure secure communications between the branch offices and the internal VMs and network.
You need to create a site-to-site VPN connection.
What are two possible ways to achieve this goal? Each correct answer presents a complete solution.
A. a private IPv4 IP address and a compatible VPN device
B. a private IPv4 IP address and a RRAS running on Windows Server 2012
C. a public-facing IPv4 IP address and a compatible VPN device
D. a public-facing IPv4 IP address and a RRAS running on Windows Server 2012
Answer: CD
Explanation:
C (not A): VPN Device IP Address - This is the public-facing IPv4 address of your on-premises VPN device that you'll use to connect to Azure. The VPN device cannot be located behind a NAT.
D (not B): At least one or preferably two publicly visible IP addresses: One of the IP addresses is used on the Windows Server 2012 machine that acts as the VPN device by using RRAS. The other optional IP address is to be used as the default gateway for outbound traffic from the on-premises network. If the second IP address is not available, it is possible to configure network address translation (NAT) on the RRAS machine itself, to be discussed in the following sections. It is important to note that the IP addresses must be public. They cannot be behind NAT and/or a firewall.
QUESTION-2: You manage a large datacenter that has limited physical space.
You plan to extend your datacenter to Azure.
You need to create a connection that supports a multiprotocol label switching (MPLS) virtual private network.
Which connection type should you use?
A. Site-to-site
B. VNet-VNet
C. ExpressRoute.
D. Site-to-peer
Answer: C
Explanation:
ExpressRoute provides even richer capabilities by allowing a dedicated MPLS connection to Azure.
http://azure.microsoft.com/en-us/services/expressroute/
QUESTION-3: You manage a cloud service on two instances.
The service name is Service1 and the role name is ServiceRole1.
Service1 has performance issues during heavy traffic periods.
You need to increase the existing deployment of Service1 to three instances.
Which PowerShell cmdlet should you use?
A. PS C:\>Set-AzureService -ServiceName "Service1" -Label "ServiceRole1" -Description "Instance count=3"
B. PS C:\>Set-AzureRole -ServiceName "Service1" -Slot "Production" -RoleName "ServiceRole1" -Count 3
C. PS C:\>Add-AzureWebRole -Name "ServiceRole1" -Instances 3
D. PS C:\> $instancecount = New-Object Hashtable$settings['INSTANCECOUNT=3] PS C:\> Set-AzureWebsite -AppSettings $instancecount ServiceRole1
Answer: B
Explanation:
The Set-AzureRole cmdlet sets the number of instances of a specified role to run in an Azure deployment.
Example
This command sets the "MyTestRole3" role running in production on the "MySvc1" service to three instances.
Windows PowerShell
C:\PS>Set-AzureRole -ServiceName "MySvc1" -Slot "Production" -RoleName "MyTestRole3" -Count 3
QUESTION-4: You manage a cloud service that hosts a customer-facing application. The application allows users to upload images and create collages. The cloud service is running in two medium instances and utilizes Azure Queue storage for image processing. The storage account is configured to be locally redundant.
The sales department plans to send a newsletter to potential clients. As a result, you expect a significant increase in global traffic.
You need to recommend a solution that meets the following requirements:
- Configure the cloud service to ensure the application is responsive to the traffic increase.
- Minimize hosting and administration costs.
What are two possible ways to achieve this goal? Each correct answer presents a complete solution.
A. Configure the cloud service to run in two Large instances.
B. Configure the cloud service to auto-scale to three instances when processor utilization is above 80%.
C. Configure the storage account to be geo-redundant
D. Deploy a new cloud service in a separate data center. Use Azure Traffic Manager to load balance traffic between the cloud services.
E. Configure the cloud service to auto-scale when the queue exceeds 1000 entries per machine.
Answer: BE
Explanation:
An autoscaling solution reduces the amount of manual work involved in dynamically scaling an application. It can do this in two different ways: either preemptively by setting constraints on the number of role instances based on a timetable, or reactively by adjusting the number of role instances in response to some counter(s) or measurement(s) that you can collect from your application or from the Azure environment.
QUESTION-5: You manage a web application published to Azure Cloud Services.
Your service level agreement (SLA) requires that you are notified in the event of poor performance from customer locations in the US, Asia, and Europe.
You need to configure the Azure Management Portal to notify you when the SLA performance targets are not met.
What should you do?
A. Create an alert rule to monitor web endpoints.
B. Create a Notification Hub alert with response time metrics.
C. Add an endpoint monitor and alert rule to the Notification Hub.
D. Configure the performance counter on the cloud service.
Answer: A
Explanation:
* An alert rule enables you to monitor an available metric within a supported Azure service. When the value of a specified metric violates the threshold assigned for a rule, the alert rule becomes active and registers an alert. When you create an alert rule, you can select options to send an email notification to the service administrator and co-administrators, or another administrator, when the rule becomes active, and when an alert condition is resolved.
* You can configure cloud service alert rules on:
- Web endpoint status metrics
- Monitoring metrics from the cloud service host operating system
- Performance counters collected from the cloud service guest virtual machine
http://msdn.microsoft.com/en-us/library/azure/dn306639.aspx
QUESTION-6: You manage a cloud service that utilizes an Azure Service Bus queue.
You need to ensure that messages that are never consumed are retained.
What should you do?
A. Check the MOVE TO THE DEAD-LETTER SUBQUEUE option for Expired Messages in the Azure Portal.
B. From the Azure Management Portal, create a new queue and name it Dead-Letter.
C. Execute the Set-AzureServiceBus PowerShell cmdlet.
D. Execute the New-AzureSchedulerStorageQueueJob PowerShell cmdlet.
Answer: A
Explanation:
The EnableDeadLetteringOnMessageExpiration property lets you enable or disable dead-lettering on message expiration.
QUESTION-7: You migrate a Windows Server .NET web application to Azure Cloud Services.
You need to enable trace logging for the application.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Update the service definition file.
B. Update the Azure diagnostics configuration.
C. Update the service configuration file.
D. Enable verbose monitoring.
E. Update the application web.config file.
Answer: AB
Explanation:
You can use Azure logging right out of the box; it's part of the Azure SDK.
A: Azure Service Definition Schema (.csdef File)
The service definition file defines the service model for an application. The file contains the definitions for the roles that are available to a cloud service, specifies the service endpoints, and establishes configuration settings for the service.
B: Take Control of Logging and Tracing in Microsoft Azure
The Microsoft.WindowsAzure.Diagnostics namespace, which inherits from and extends standard System.Diagnostics classes, enables the use of System.Diagnostics as a logging framework in the Azure environment.
http://msdn.microsoft.com/en-us/library/azure/ee758711.aspx
http://msdn.microsoft.com/en-us/magazine/ff714589.aspx
QUESTION-8: Your network includes a legacy application named LegacyApp1.
The application only runs in the Microsoft .NET 3.5 Framework on Windows Server 2008.
You plan to deploy to Azure Cloud Services.
You need to ensure that LegacyApp1 will run correctly in the new environment.
What are two possible ways to achieve this goal? Each correct answer presents a complete solution.
A. Upload a VHD with Windows Server 2008 installed.
B. Deploy LegacyApp1 to a cloud service instance configured with Guest OS Family 2.
C. Deploy LegacyApp1 to a cloud service instance configured with Guest OS Family 1.
D. Deploy LegacyApp1 to a cloud service instance configured with Guest OS Family 3.
Answer: AB
Explanation:
Mo
December 10, 2017 at 10:39 pm
A&B – The application only runs in the Microsoft .NET 3.5 Framework on Windows Server 2008. To run Windows Server 2008 in Azure you must upload the vhd from on-prem
QUESTION-9: Your company has a subscription to Azure.
You configure your contoso.com domain to use a private Certificate Authority.
You deploy a web site named MyApp by using the Shared (Preview) web hosting plan.
You need to ensure that clients are able to access the MyApp website by using https.
What should you do?
A. Back up the Site and import into a new website.
B. Use the internal Certificate Authority and ensure that clients download the certificate chain.
C. Add custom domain SSL support to your current web hosting plan.
D. Change the web hosting plan to Standard.
Answer: D
Explanation:
Enabling HTTPS for a custom domain is only available for the Standard web hosting plan mode of Azure websites.
http://azure.microsoft.com/en-us/pricing/details/websites/
QUESTION-10: You administer an Azure Web Site named contosoweb that is used to sell various products.
Contosoweb experiences heavy traffic during weekends.
You need to analyze the response time of the product catalog page during peak times, from different locations.
What should you do?
A. Configure endpoint monitoring.
B. Add the Requests metric.
C. Turn on Failed Request Tracing.
D. Turn on Detailed Error Messages.
Answer: A
Explanation:
Endpoint monitoring configures web tests from geo-distributed locations that test response time and uptime of web URLs. The test performs an HTTP GET operation on the web URL to determine the response time and uptime from each location. Each configured location runs a test every five minutes. After you configure endpoint monitoring, you can drill down into the individual endpoints
QUESTION-11: You administer a DirSync server configured with Azure Active Directory (Azure AD).
You need to provision a user in Azure AD without waiting for the default DirSync synchronization interval.
What are two possible ways to achieve this goal? Each correct answer presents a complete solution.
A. Restart the DirSync server.
B. Run the Start-OnlineCoexistenceSync PowerShell cmdlet.
C. Run the Enable-SyncShare PowerShell cmdlet.
D. Run the Azure AD Sync tool Configuration Wizard.
E. Replicate the Directory in Active Directory Sites and Services.
Answer: BD
Explanation:
If you don't want to wait for the recurring synchronizations that occur every three hours, you can force directory synchronization at any time.
B: Force directory synchronization using Windows PowerShell
You can use the directory synchronization Windows PowerShell cmdlet to force synchronization. The cmdlet is installed when you install the Directory Sync tool. On the computer that is running the Directory Sync tool, start PowerShell, type Import-Module DirSync, and then press ENTER. Type Start-OnlineCoexistenceSync, and then press ENTER.
D: Azure Active Directory Sync Services (AAD Sync)
In September 2014 the Microsoft Azure AD Sync tool was released. This changed how manual sync requests are issued.
To perform a manual update we now use the DirectorySyncClientCmd.exe tool. The Delta and Initial parameters are added to the command to specify the relevant task.
This tool is located in:
C:\Program Files\Microsoft Azure AD Sync\Bin
QUESTION-13: You administer an Azure Active Directory (Azure AD) tenant that has a SharePoint web application named TeamSite1. TeamSite1 accesses your Azure AD tenant for user information. The application access key for TeamSite1 has been compromised.
You need to ensure that users can continue to use TeamSite1 and that the compromised key does not allow access to the data in your Azure AD tenant.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Remove the compromised key from the application definition for TeamSite1.
B. Delete the application definition for TeamSite1.
C. Generate a new application key for TeamSite1.
D. Generate a new application definition for TeamSite1.
E. Update the existing application key.
Answer: AC
QUESTION-14: You manage a cloud service that supports features hosted by two instances of an Azure virtual machine (VM).
You discover that occasional outages cause your service to fail.
You need to minimize the impact of outages to your cloud service.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Deploy a third instance of the VM.
B. Configure Load Balancing on the VMs.
C. Redeploy the VMs to belong to an Affinity Group.
D. Configure the VMs to belong to an Availability Set.
Answer: BD
Explanation:
Adding your virtual machine to an availability set helps your application stay available during network failures, local disk hardware failures, and any planned downtime.
Combine the Azure Load Balancer with an Availability Set to get the most application resiliency. The Azure Load Balancer distributes traffic between multiple virtual machines.
http://azure.microsoft.com/en-gb/documentation/articles/virtual-machines-manage-availability/
QUESTION 15: You administer an Azure subscription with an existing cloud service named contosocloudservice. Contosocloudservice contains a set of related virtual machines (VMs) named ContosoDC, ContosoSQL and ContosoWeb1.
You want to provision a new VM within contosocloudservice.
You need to use the latest gallery image to create a new Windows Server 2012 R2 VM that has a target IOPS of 500 for any provisioned disks.
Which PowerShell command should you use?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: D
http://msdn.microsoft.com/library/azure/dn197896.aspx
QUESTION 16: Drag and Drop Question
You administer an Azure Virtual Machine (VM) named server1. The VM is in a cloud service named ContosoService1.
You discover that the VM is experiencing storage issues due to increased application logging on the server.
You need to create a new 256-GB disk and attach it to the server.
Which PowerShell cmdlets should you use? To answer, drag the appropriate cmdlet to the correct location in the PowerShell command. Each cmdlet may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Answer:
Explanation:
This example gets a virtual machine object for the virtual machine named "MyVM" in the "myservice" cloud service, updates the virtual machine object by attaching an existing data disk from the repository using the disk name, and then updates the Azure virtual machine.
Windows PowerShell
C:\PS>Get-AzureVM "myservice" -Name "MyVM" | Add-AzureDataDisk -Import -DiskName "MyExistingDisk" -LUN 0 | Update-AzureVM
QUESTION 17: Your company has two cloud services named CS01 and CS02.
You create a virtual machine (VM) in CS02 named Accounts.
You need to ensure that users in CS01 can access the Accounts VM by using port 8080. What should you do?
A. Create a firewall rule.
B. Configure load balancing.
C. Configure port redirection.
D. Configure port forwarding.
E. Create an end point.
Answer: E
Explanation:
All virtual machines that you create in Azure can automatically communicate using a private network channel with other virtual machines in the same cloud service or virtual network. However, other resources on the Internet or other virtual networks require endpoints to handle the inbound network traffic to the virtual machine.
http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/
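The endpoint from answer E, as an added example that is not part of the original question or of Microsoft's documentation. It uses the classic Azure Service Management cmdlets and attaches an ACL so the public port accepts one known source only; the endpoint name and the 203.0.113.10 address, standing in for the public address that CS01 traffic arrives from, are assumptions.

```powershell
# Added example, classic (Service Management) Azure PowerShell module.
# Assumed values: the endpoint name and the source address below, which is a
# documentation-range placeholder for the public address CS01 connects from.
$endpointName = 'Accounts8080'
$sourceCidr   = '203.0.113.10/32'

# An endpoint without an ACL accepts traffic from any Internet source.
# Once an ACL holds a permit rule, every other source range is denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Order 100 -Action Permit `
    -RemoteSubnet $sourceCidr -Description 'Allow CS01 only'

# Publish TCP 8080 on the Accounts VM in CS02 with the ACL attached.
Get-AzureVM -ServiceName 'CS02' -Name 'Accounts' |
    Add-AzureEndpoint -Name $endpointName -Protocol tcp `
        -LocalPort 8080 -PublicPort 8080 -ACL $acl |
    Update-AzureVM

# Check what is now exposed and which source ranges are permitted.
$vm = Get-AzureVM -ServiceName 'CS02' -Name 'Accounts'
$vm | Get-AzureEndpoint
$vm | Get-AzureAclConfig -EndpointName $endpointName
```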
QUESTION 18: Your company network includes an On-Premises Windows Active Directory (AD) that has a DNS domain named contoso.local and an email domain named contoso.com. You plan to migrate from On-Premises Exchange to Office 365.
You configure DirSync and set all Azure Active Directory (Azure AD) usernames as %username%@contoso.onmicrosoft.com.
You need to ensure that each user is able to log on by using the email domain as the username.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Verify the email domain in Azure AD domains.
B. Run the Set-MsolUserPrincipalName -UserPrincipalName %username%@contoso.onmicrosoft.com -NewUserPrincipalName %username%@contoso.com PowerShell cmdlet.
C. Edit the ProxyAddress attribute on the On-Premises Windows AD user account.
D. Verify the Windows AD DNS domain in Azure AD domains.
E. Update the On-Premises Windows AD user account UPN to match the email address.
Answer: AB
Explanation:
If you have already set up Active Directory synchronization, the user’s UPN may not match the user’s on-premises UPN defined in Active Directory. To fix this, rename the user’s UPN using the Set-MsolUserPrincipalName cmdlet in the Microsoft Azure Active Directory Module for Windows PowerShell.
https://msdn.microsoft.com/en-us/library/azure/jj151786.aspx
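Answers A and B combined into one script, as an added example that is not from the original post or from Microsoft's documentation. It checks that contoso.com is verified before touching any account, skips renames that would collide with an existing UPN, and only reports what it would do until the `$apply` variable (an assumption of this example) is set to `$true`.

```powershell
# Added example. Requires the MSOnline module (Microsoft Azure Active Directory
# Module for Windows PowerShell). The suffixes are the ones from the question;
# $apply is a dry-run switch introduced for this example.
Import-Module MSOnline
Connect-MsolService                 # prompts for tenant administrator credentials

$oldSuffix = '@contoso.onmicrosoft.com'
$newDomain = 'contoso.com'
$apply     = $false                 # $true performs the renames

# Answer A: the target domain has to be verified in the tenant first.
$domain = Get-MsolDomain -DomainName $newDomain -ErrorAction Stop
if ($domain.Status -ne 'Verified') {
    throw "Domain $newDomain is '$($domain.Status)'; verify it before renaming UPNs."
}

# Index every existing UPN so a rename never lands on a name already in use.
$allUsers = Get-MsolUser -All
$taken = @{}
foreach ($u in $allUsers) { $taken[$u.UserPrincipalName.ToLower()] = $true }

$candidates = $allUsers | Where-Object { $_.UserPrincipalName -like "*$oldSuffix" }
foreach ($u in $candidates) {
    $old   = $u.UserPrincipalName
    $local = $old.Substring(0, $old.Length - $oldSuffix.Length)
    $new   = "$local@$newDomain"

    if ($taken.ContainsKey($new.ToLower())) {
        Write-Warning "Skipping ${old}: $new already exists"
        continue
    }
    if ($apply) {
        # Answer B: rename the cloud UPN.
        Set-MsolUserPrincipalName -UserPrincipalName $old -NewUserPrincipalName $new
        $taken[$new.ToLower()] = $true
    } else {
        "Would rename $old -> $new"
    }
}
```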
QUESTION 19: You develop a Windows Store application that has a web service backend.
You plan to use the Azure Active Directory Authentication Library to authenticate users to Azure Active Directory (Azure AD) and access directory data on behalf of the user.
You need to ensure that users can log in to the application by using their Azure AD credentials.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Create a native client application in Azure AD.
B. Configure directory integration.
C. Create a web application in Azure AD.
D. Enable workspace join.
E. Configure an Access Control namespace.
Answer: AB
Explanation:
B: An application that wants to outsource authentication to Azure AD must be registered in Azure AD, which registers and uniquely identifies the app in the directory.
C (not A): NativeClient-WindowsStore
A Windows Store application that calls a web API that is secured with Azure AD.
Authentication Scenarios for Azure AD, Basics of Authentication in Azure AD
http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx#BKMK_Auth
https://github.com/AzureADSamples/NativeClient-WindowsStore
QUESTION-20: Your company plans to migrate from On-Premises Exchange to Office 365.
The existing directory has numerous service accounts in your On-Premises Windows Active Directory (AD), stored in separate AD Organizational Units (OU) for user accounts.
You need to prevent the service accounts in Windows AD from syncing with Azure AD. What should you do?
A. Create an OU filter in the Azure AD Module for Windows PowerShell.
B. Configure directory partitions in miisclient.exe.
C. Set Active Directory ACLs to deny the DirSync Windows AD service account MSOL_AD_SYNC access to the service account OUs.
D. Create an OU filter in the Azure Management Portal.
Answer: B
Explanation:
One customer, who was looking for OU level filtering to import selected users from On-Premises active directory to Office365.
Configure OU level filtering for Office365 directory synchronization.
1. Logged in to your Domain controller
2. Created an OU (Organisational Unit) from your AD (Active Directory)
a. In my case I named it "DirSync"
3. Move all those users you want to sync, to that DirSync OU.
4. From your DirSync Server navigate to <Drive>\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
5. Double click on miisclient.exe
6. This opens a console something similar to the below screen capture
Identity Manager, click Management Agents, and then double-click SourceAD.
8. Click Configure Directory Partitions, and then click Containers, as shown in the below screen capture.
12. Perform a full sync: on the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync, and then click OK.
Etc.
http://blogs.msdn.com/b/denotation/archive/2012/11/21/installing-and-configure-dirsync-with-ou-level-filtering-for-office365.aspx
QUESTION-21: You manage an Azure Active Directory (AD) tenant.
You plan to allow users to log in to a third-party application by using their Azure AD credentials. To access the application, users will be prompted for their existing third-party user names and passwords.
You need to add the application to Azure AD.
Which type of application should you add?
A. Existing Single Sign-On with identity provisioning
B. Password Single Sign-On with identity provisioning
C. Existing Single Sign-On without identity provisioning
D. Password Single Sign-On without identity provisioning
Answer: D
Explanation:
Simon E.S.
September 26, 2016 at 2:34 am
I believe it’s D.
Identity provisioning is not needed because the question mentions “their existing third-party user names and passwords” — in other words, accounts do not need to be created. Furthermore, the question doesn’t suggest that some kind of third-party account–AD account synchronisation is needed. That makes it C or D.
Next, the question says that users will “log in to [the] application by using their Azure AD credentials”. Here I assume that “log in” is talking about every time you use the application, like logging in to Windows. So AAD authentication is needed when they want to use the app.
But the question also says “to access the application, users will be prompted for their existing third-party user names and passwords”.
For the nuance of the word “access”, see this text (taken from https://azure.microsoft.com/en-us/documentation/articles/active-directory-appssoaccess-whatis/):
“Administrators can assign applications to end users or groups, and allow the end users to enter their own credentials directly upon accessing the application for the first time in their access panel.”
So when users want to use the application for the first time, they have to tell AAD what their application username and password are. From then on, users will log in by using their AAD credentials.
So that makes the answer D, because you’ll enter your username and password once, and AAD will store it for you. After that, you can log in by using your AAD credentials.
QUESTION-22: You plan to use Password Sync on your DirSync Server with Azure Active Directory (Azure AD) on your company network.
You configure the DirSync server and complete an initial synchronization of the users.
Several remote users are unable to log in to Office 365.
You discover multiple event log entries for "Event ID 611 Password synchronization failed for domain."
You need to resolve the password synchronization issue.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Restart Azure AD Sync Service.
B. Run the Set-FullPasswordSync PowerShell cmdlet.
C. Force a manual synchronization on the DirSync server.
D. Add the DirSync service account to the Schema Admins domain group.
Answer: BC
Explanation:
Changed AB to BC
http://jermsmit.com/office-365-initiate-a-full-password-sync-using-dirsync-jermsmit/
https://jaapwesselius.com/2014/07/28/force-dirsync-to-synchronize-with-office-365/
A. Not correct, Azure AD Sync or AADSync is the new version of DirSync.
QUESTION-23: You administer an Access Control Service namespace named contosoACS that is used by a web application. ContosoACS currently utilizes Microsoft and Yahoo accounts.
Several users in your organization have Google accounts and would like to access the web application through ContosoACS.
You need to allow users to access the application by using their Google accounts.
What should you do?
A. Register the application directly with Google.
B. Edit the existing Microsoft Account identity provider and update the realm to include Google.
C. Add a new Google identity provider.
D. Add a new WS-Federation identity provider and configure the WS-Federation metadata to point to the Google sign-in URL.
Answer: C
Explanation:
Configuring Google as an identity provider eliminates the need to create and manage authentication and identity management mechanism. It helps the end user experience if there are familiar authentication procedures.
http://msdn.microsoft.com/en-us/library/azure/gg185976.aspx
QUESTION-24: You publish an application named MyApp to Azure Active Directory (Azure AD). You grant access to the web APIs through OAuth 2.0.
MyApp is generating numerous user consent prompts.
You need to reduce the amount of user consent prompts.
What should you do?
A. Enable Multi-resource refresh tokens.
B. Enable WS-federation access tokens.
C. Configure the Open Web Interface for .NET.
D. Configure SAML 2.0.
Answer: A
Explanation:
When using the Authorization Code Grant Flow, you can configure the client to call multiple resources. Typically, this would require a call to the authorization endpoint for each target service. To avoid multiple calls and multiple user consent prompts, and reduce the number of refresh tokens the client needs to cache, Azure Active Directory (Azure AD) has implemented multi-resource refresh tokens. This feature allows you to use a single refresh token to request access tokens for multiple resources.
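The exchange described above, as an added example that is not Microsoft's sample code: one refresh token is redeemed at the Azure AD token endpoint for access tokens to two different resources, with no second trip to the authorization endpoint. The function name is hypothetical, the tenant, client ID and refresh token are placeholders, and the two resource URIs are assumed targets for a native (public) client.

```powershell
# Added example. Azure AD v1 token endpoint, native/public client (no secret).
function Get-AccessTokenFromRefreshToken {     # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $RefreshToken,
        [Parameter(Mandatory)] [string] $Resource
    )
    # A hashtable body is sent as application/x-www-form-urlencoded.
    $body = @{
        grant_type    = 'refresh_token'
        refresh_token = $RefreshToken
        client_id     = $ClientId
        resource      = $Resource      # the API this access token is for
    }
    Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token"
}

# Placeholders: fill in from your own app registration and sign-in.
$tenant   = '<tenant-id>'
$clientId = '<client-id>'
$refresh  = '<refresh token from the initial authorization code exchange>'

# Assumed resources the app was granted access to.
$resources = 'https://graph.windows.net',
             'https://management.core.windows.net/'

$accessTokens = @{}
foreach ($resource in $resources) {
    $resp = Get-AccessTokenFromRefreshToken -TenantId $tenant -ClientId $clientId `
                -RefreshToken $refresh -Resource $resource
    $accessTokens[$resource] = $resp.access_token

    # The response may carry a replacement refresh token; keep the newest one.
    if ($resp.refresh_token) { $refresh = $resp.refresh_token }

    # Report metadata only. Token values stay out of logs: the refresh token
    # is good for every resource the user consented to.
    'Got token for {0}, expires in {1} s' -f $resp.resource, $resp.expires_in
}
```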
QUESTION-25: Your company network includes users in multiple directories.
You plan to publish a software-as-a-service application named SaasApp1 to Azure Active Directory.
You need to ensure that all users can access SaasApp1.
What should you do?
A. Configure the Federation Metadata URL
B. Register the application as a web application.
C. Configure the application as a multi-tenant.
D. Register the application as a native client application.
Answer: C
Explanation:
* When you get deeper into using Windows Azure Active Directory, you'll run into new terminology. For instance, what is called "directory" is also referred to as a Windows Azure AD Tenant or simply as "tenant." This stems from the fact that WAAD (Windows Azure Active Directory) is a shared service for many clients. In this service, every client gets its own separate space for which the client is the tenant. In the case of WAAD this space is a directory. This might be a little confusing, because you can create multiple directories, in WAAD terminology multiple tenants, even though you are a single client.
* Multitenant Applications in Azure
A multitenant application is a shared resource that allows separate users, or "tenants," to view the application as though it was their own. A typical scenario that lends itself to a multitenant application is one in which all users of the application may wish to customize the user experience but otherwise have the same basic business requirements. Examples of large multitenant applications are Office 365, Outlook.com, and visualstudio.com.
http://msdn.microsoft.com/en-us/library/azure/dn151789.aspx
QUESTION-26: Drag and Drop Question
You administer an Azure SQL database named contosodb that is running in Standard/S1 tier.
You also administer a database server named server2 that is a test environment. Both database servers are in the same subscription and the same region but are on different physical clusters. You need to copy contosodb to the test environment.
Which three steps should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
QUESTION-27: You are migrating a local virtual machine (VM) to an Azure VM.
You upload the virtual hard disk (VHD) file to Azure Blob storage as a Block Blob.
You need to change the Block Blob to a page blob.
What should you do?
A. Delete the Block Blob and re-upload the VHD as a page blob.
B. Update the type of the blob programmatically by using the Azure Storage .NET SDK.
C. Update the metadata of the current blob and set the Blob-Type key to Page.
D. Create a new empty page blob and use the Azure Blob Copy PowerShell cmdlet to copy the current data to the new blob.
Answer: A
Explanation:
* Copy the data files to Windows Azure Storage by using one of the following methods: AzCopy Tool, Put Blob (REST API) and Put Page (REST API), or Windows Azure Storage Client Library for .NET or a third-party storage explorer tool.
Important: When using this new enhancement, always make sure that you create a page blob, not a block blob.
* Azure has two main file storage formats:
Page blob: mainly used for VHDs (CloudPageBlob)
Block blob: for other files (CloudBlockBlob)
http://msdn.microsoft.com/en-us/library/dn466429.aspx
QUESTION-28: You administer a Microsoft
Azure SQL Database data base in the US Central region named contosodb.
Contosodb runs on a Standard tier within the SI performance level. You have
multiple business-critical applications that use contosodb.
You need to ensure that you can bring contosodb
back online in the event of a natural disaster in the US Central region.
You want to achieve this goal
with the least amount of downtime.
Which two actions should you
perform? Each correct answer presents part of the solution.
A.
Upgrade to S2 performance level.
B.
Use active geo-replication.
C.
Use automated Export.
D.
Upgrade to Premium tier.
E.
Use point in time restore.
F.
Downgrade to Basic tier.
Answer: BD
Explanation:
B: The Active Geo-Replication
feature implements a mechanism to provide database redundancy within the same
Microsoft Azure region or in different regions (geo-redundancy).
One of the primary benefits of Active
Geo-Replication is that it provides a database-level disaster recovery solution.
Using Active Geo-Replication, you can configure a user database in the Premium
service tier to replicate transactions to databases on different Microsoft
Azure SQL Database servers within the same or different regions. Cross-region
redundancy enables applications to recover from a permanent loss of a
datacenter caused by natural disasters, catastrophic human errors, or malicious
acts.
D: Active Geo-Replication is
available for databases in the Premium service tier only.
http://msdn.microsoft.com/en-us/library/azure/dn741339.aspx
QUESTION-29: Drag and Drop Question
You manage an application
deployed to a cloud service that utilizes an Azure Storage account.
The cloud service currently
uses the primary access key.
Security policy requires that all shared access
keys are changed without causing application downtime.
Which three steps should you perform in
sequence? To answer, move the appropriate actions from the list of actions to
the answer area and arrange them in the correct order.
2- Update the cloud service with the secondary access key
3- Regenerate primary access key
QUESTION-30: You
manage an Azure web app in standard service tier at the following address:
contoso.azurewebsites.net
Your company has a new domain
for the site named www.contoso.com that must be accessible by secure socket
layer (SSL) encryption.
You need to add a custom domain to the Azure
web app and assign an SSL certificate.
Which three actions should you perform? Each
correct answer presents part of the solution.
A.
Add SSL binding for the www.contoso.com domain
with the IP-based SSL option selected.
B.
Create a CNAME record from www.contoso.com to
contoso.azurewebsites.net.
C. Create a new file that will redirect the site
to the new URL and upload it to the Azure Web site.
D.
Add SSL binding for the www.contoso.com domain
with the Server Name Indication (SNI) SSL option selected.
E.
Add www.contoso.com to the list of domain names
as a custom domain.
Answer: BDE
Explanation:
* Step 1: When adding a CNAME record, you must
set the Host Name field to the sub-domain you wish to use.
For example, www. You must set the Address
field to the .azurewebsites.net domain name of your Azure
Website. For example, contoso.azurewebsites.net.
* Step 2: Modify the service definition and
configuration files
Your application must be configured to use the
certificate, and an HTTPS endpoint must be added. As a result,
the service definition and service
configuration files need to be updated.
* Step 3:
IP based SSL associates a certificate with a
domain name by mapping the dedicated public IP address of the
server to the domain name. This requires each
domain name (contoso.com,
fabricam.com, etc.) associated with your
service to have a dedicated IP address. This is the traditional method
of associating SSL certificates with a web
server.
QUESTION-31: You
manage two datacenters in different geographic regions and one branch office.
You plan to implement a
geo-redundant backup solution.
You need to ensure that each
datacenter is a cold site for the other.
A.
Install the provider.
B.
Upload a certificate to the vault.
C.
Generate a vault key.
D.
Set all virtual machines to DHCP.
E.
Prepare System Center Virtual Machine Manager
(SCVMM) servers.
F.
Create mappings between the virtual machine
(VM) networks.
Answer: C
Explanation:
Within the Azure Portal screen, scroll down to
Recovery Services (on the left menu), and click on "Create a New
Vault" (this is where your VMs will be replicated to) which will bring up
a Data Services / Recovery Services / Site Recovery Vault option, select Quick
Create
For the name of the Vault, give it something
you'd remember, in my case, I'll call it RandsVault, and I'll choose the Region
West US since I'm in the Western United States, then click Create Vault
Once the Vault has been created, click on the
Right Arrow next to the name of your vault. Under Setup Recovery, choose
"Between an on-premise site and Microsoft Azure" so that you are
telling the configuration settings that you are going to be replicating between
your on-premise datacenter and Azure in the cloud.
You will now see a list of things you need to
do which the first thing is to create a key exchange of certificates between
Microsoft Azure and your VMM server.
QUESTION-32: You manage a collection of large video files
that is stored in an Azure Storage account.
A user wants access to one of
your video files within the next seven days.
You need to allow the user
access only to the video file, and then revoke access once the user no
longer needs it.
What should you do?
A.
Give the user the secondary key for the storage
account.
Once the user is done with
the file, regenerate the secondary key.
B. Create an Ad-Hoc Shared Access Signature for
the Blob resource. Set the Shared Access Signature to expire in seven days.
C.
Create an access policy on the container.
Give the external user a Shared Access
Signature for the blob by using the policy. Once the user is done with the
file, delete the policy.
D.
Create an access policy on the blob.
Give the external user access by using the
policy. Once the user is done with the file, delete the policy.
Answer: C
Explanation:
C is the correct answer because you should be able to revoke
the access which you can not do with Ad-hoc key.
Ad-HOC SAS will expire and cannot be revoked
SAS with stored access policy can be revoked.
see https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/ the part of “Controlling a SAS with a stored access policy”
Shared Access Policy cannot be applied on Blob. It can only
be applied on Container. (Probably a known fact here)
Adhoc SAS key should not be applied to container. To revoke, the storage account key will need to be changed. (not needed here)
Between B & C:
B seems right because it is only needed for 7 days so it is safe to generate adhoc on blob and share SAS key. This poses one limitation. To manually revoke, you need to change the Storage Account Key. There is no other way to “revoke access once user no longer needs it”.
C sounds better because B has the revoke constraint. By generating Shared Access Policy, you can define constraints (read-only for Blob) and time limit. To revoke access, simply delete the policy.
Therefore, my vote is for C
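The revocation difference argued over in the comments above, as a self-contained model of service-side SAS checking (an added example, not code from the original post or from Azure). The account name, keys, container, blob and policy names are constructed, and the string-to-sign field order is an assumption modelled on the 2012-02-12 service SAS layout.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta

ACCOUNT = "contosostorage"        # constructed account name
SAS_VERSION = "2012-02-12"        # assumed version; fixes the field order below
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def new_key(seed):
    """Constructed base64 account key derived from a seed (not a real secret)."""
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()


def sign(key_b64, perms, start, expiry, resource, policy_id):
    """HMAC-SHA256 over the newline-joined SAS fields, keyed with the account key."""
    to_sign = "\n".join([perms, start, expiry, resource, policy_id, SAS_VERSION])
    mac = hmac.new(base64.b64decode(key_b64), to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def resource_path(container, blob):
    return f"/{ACCOUNT}/{container}/{blob}"


def adhoc_sas(key_b64, container, blob, perms, expiry):
    """Ad hoc SAS: permissions and expiry are carried in the signed token itself."""
    se = expiry.strftime(TIME_FMT)
    sig = sign(key_b64, perms, "", se, resource_path(container, blob), "")
    return {"sr": "b", "sp": perms, "se": se, "sv": SAS_VERSION, "sig": sig}


def policy_sas(key_b64, container, blob, policy_id):
    """Policy SAS: the token names a stored access policy (si) and nothing else."""
    sig = sign(key_b64, "", "", "", resource_path(container, blob), policy_id)
    return {"sr": "b", "si": policy_id, "sv": SAS_VERSION, "sig": sig}


class StorageModel:
    """Service side: the account key plus stored access policies per container."""

    def __init__(self, key_b64):
        self.key_b64 = key_b64
        self.policies = {}        # container -> {policy_id: (perms, expiry)}

    def set_policy(self, container, policy_id, perms, expiry):
        self.policies.setdefault(container, {})[policy_id] = (perms, expiry)

    def delete_policy(self, container, policy_id):
        self.policies.get(container, {}).pop(policy_id, None)

    def authorize(self, sas, container, blob, op, now):
        expected = sign(self.key_b64, sas.get("sp", ""), sas.get("st", ""),
                        sas.get("se", ""), resource_path(container, blob),
                        sas.get("si", ""))
        if not hmac.compare_digest(expected, sas["sig"]):
            return "bad-signature"
        if "si" in sas:           # constraints are looked up at request time
            policy = self.policies.get(container, {}).get(sas["si"])
            if policy is None:
                return "policy-not-found"
            perms, expiry = policy
        else:                     # constraints come from the token
            perms = sas.get("sp", "")
            expiry = datetime.strptime(sas["se"], TIME_FMT)
        if now > expiry:
            return "expired"
        return "ok" if op in perms else "permission-denied"


def demo():
    now = datetime(2015, 6, 1, 12, 0, 0)          # constructed clock
    week = now + timedelta(days=7)
    svc = StorageModel(new_key(b"key-v1"))
    svc.set_policy("videos", "seven-day-read", "r", week)
    adhoc = adhoc_sas(svc.key_b64, "videos", "launch.mp4", "r", week)
    stored = policy_sas(svc.key_b64, "videos", "launch.mp4", "seven-day-read")
    check = lambda sas, blob="launch.mp4", at=now: svc.authorize(sas, "videos", blob, "r", at)

    out = {"before": (check(adhoc), check(stored)),
           "other_blob": check(stored, blob="other.mp4")}
    svc.delete_policy("videos", "seven-day-read")  # option C's revocation step
    out["after_policy_delete"] = (check(adhoc), check(stored))
    out["adhoc_on_day_8"] = check(adhoc, at=week + timedelta(days=1))
    svc.key_b64 = new_key(b"key-v2")               # regenerate the account key
    out["adhoc_after_key_regen"] = check(adhoc)
    return out
```

In this model, deleting the policy invalidates only the tokens that reference it, while the ad hoc token stays valid until it expires or the account key is regenerated, which also breaks every other token signed with that key.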
QUESTION-33: You administer an Azure
Storage account named contosostorage.
The account has queue
containers with logging enabled.
You need to view all log
files generated during the month of July 2014.
Which URL should you use to
access the list?
A.
http://contosostorage.queue.core.windows.net/$logs?restype=container&comp=list&prefix=queue/2014/07
B.
http://contosostorage.queue.core.windows.net/$files?restype=container&comp=list&prefix=queue/2014/07
C.
http://contosostorage.blob.core.windows.net/$files?restype=container&comp=list&prefix=blob/2014/07
D.
http://contosostorage.blob.core.windows.net/$logs?restype=container&comp=list&prefix=blob/2014/07
Answer: D
Explanation:
All logs are stored in block blobs in a
container named $logs, which is automatically created when Storage Analytics is
enabled for a storage account. The $logs container is located in the blob
namespace of the storage account, for example:
http://.blob.core.windows.net/$logs.
This container cannot be
deleted once Storage Analytics has been enabled, though its contents
can be deleted.
http://msdn.microsoft.com/library/azure/hh343262.aspx
QUESTION-34: You manage an Azure subscription with virtual
machines (VMs) that are running in Standard mode.
You need to reduce the
storage costs associated with the VMs.
What should you do?
A.
Locate and remove orphaned disks.
B.
Add the VMs to an affinity group.
C.
Change VMs to the Basic tier.
D.
Delete the VHD container.
Answer: C
Explanation:
Standard offers 50 GB of storage space, while Basic only gives 10 GB but it will save costs.
http://azure.microsoft.com/en-us/pricing/details/websites/
QUESTION-35: You manage several Azure virtual machines
(VMs).
You create a custom image to
be used by employees on the development team.
You need to ensure that the custom image is
available when you deploy new servers. Which Azure PowerShell cmdlet should
you use?
A. Update-AzureVMImage
B.
Add-AzureVhd
C.
Add-AzureVMImage
D.
Update-AzureDisk
E.
Add-AzureDataDisk
Answer: C
Explanation:
The Add-AzureVMImage cmdlet
adds an operating system image to the image repository.
The image should be a generalized operating
system image, using either Sysprep for Windows or, for Linux, using the
appropriate tool for the distribution.
Example
This example adds an
operating system image to the repository.
Windows PowerShell
C:\PS>Add-AzureVMImage -ImageName imageName -MediaLocation http://yourstorageaccount.blob.core.azure.com/container/sampleImage.vhd -Label
QUESTION-36: You manage an Azure virtual network that hosts
15 virtual machines (VMs) on a single subnet which is used for testing a line
of business (LOB) application. The application is deployed to a VM named
TestWebServiceVM.
You need to ensure that
TestWebServiceVM always starts by using the same IP address.
You need to achieve this goal
by using the least amount of administrative effort.
What should you do?
A.
Use the Management Portal to configure
TestWebServiceVM.
B.
Use RDP to configure TestWebServiceVM.
C.
Run the Set-AzureStaticVNetIP PowerShell
cmdlet.
D.
Run the Get-AzureReservedIP PowerShell cmdlet.
Answer: C
Explanation:
Specify a static internal IP
for a previously created VM
If you want to set a static IP address for a VM
that you previously created, you can do so by using the following cmdlets. If
you already set an IP address for the VM and you want to change it to a
different IP address, you'll need to remove the existing static IP address
before running these cmdlets. See the instructions below to remove a static IP.
For this procedure, you'll use the Update-AzureVM cmdlet. The Update-AzureVM
cmdlet restarts the VM as part of the update process. The DIP that you specify
will be assigned after the VM restarts. In this example, we set the IP address
for VM2, which is located in cloud service StaticDemo.
Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM
http://msdn.microsoft.com/en-us/library/azure/dn630228.aspx
QUESTION-37: Drag and Drop Question
You administer two virtual
machines (VMs) that are deployed to a cloud service.
The VMs are part of a virtual
network.
The cloud service monitor and virtual network
configuration are configured as shown in the exhibits. (Click the Exhibits
button.)
You need to create an internal load balancer
named fabLoadBalancer that has a static IP address of 172.16.0.100.
Which value should you use in each parameter of
the PowerShell command? To answer, drag the appropriate value to the correct
location in the PowerShell command. Each value may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll
to view content.
QUESTION-38: Your
network environment includes remote employees.
You need to create a secure connection for the
remote employees who require access to your
Azure virtual network.
What should you do?
A.
Deploy Windows Server 2012 RRAS.
B.
Configure a point-to-site VPN.
C.
Configure an ExpressRoute.
D.
Configure a site-to-site VPN.
Answer: B
Explanation:
New Point-To-Site
Connectivity
With today's release we've added an awesome new
feature that allows you to setup VPN connections between individual computers
and a Windows Azure virtual network without the need for a VPN device. We call
this feature Point-to-Site Virtual Private Networking. This feature greatly simplifies setting up secure connections between
Windows Azure and client machines, whether from your office environment or from
remote locations.
It is especially useful for developers who want
to connect to a Windows Azure Virtual Network (and to the individual virtual
machines within it) from either behind their corporate firewall or a remote
location. Because it is point-to-site they do not need their IT staff to
perform any activities to enable it, and no VPN hardware needs to be installed
or configured. Instead you can just use the built-in Windows VPN client to
tunnel to your Virtual Network in Windows Azure.
http://azure.microsoft.com/blog/2013/04/26/virtual-network-adds-new-capabilities-for-cross-premises-connectivity/
QUESTION-39: Drag and Drop Question
Your development team has created a new
solution that is deployed in a virtual network named fabDevVNet.
Your testing team wants to
begin testing the solution in a second Azure subscription.
You need to create a virtual
network named fabTestVNet that is identical to fabDevVNet.
You want to achieve this goal
by using the least amount of administrative effort.
Which three steps should you perform in
sequence? To answer, move the appropriate actions from the list of actions to
the answer area and arrange them in the correct order.
Answer:
QUESTION-40: Drag and Drop Question
You have a solution deployed
into a virtual network in Azure named fabVNet.
The fabVNet virtual network has three subnets
named Apps, Web, and DB that are configured as shown in the exhibit. (Click the
Exhibits button.)
You want to deploy two new
VMs to the DB subnet.
You need to modify the virtual network to
expand the size of the DB subnet to allow more IP addresses.
Which three steps should you perform in
sequence? To answer, move the appropriate actions from the list of actions to
the answer area and arrange them in the correct order.
QUESTION-41:
You manage a cloud service that has a web role
named fabWeb.
You create a virtual network
named fabVNet that has two subnets defined as Web and Apps.
You need to be able to deploy
fabWeb into the Web subnet.
What should you do?
A.
Modify the service definition (csdef) for the
cloud service.
B.
Run the Set-AzureSubnet PowerShell cmdlet.
C.
Run the Set-AzureVNetConfig PowerShell cmdlet.
D.
Modify the network configuration file.
E.
Modify the service configuration (cscfg) for
the fabWeb web role.
Answer: E
Explanation:
To deploy a cloud service into the Apps subnet
in the virtual network, you need to add a element to the cloud service
configuration file with settings identifying the Apps subnet in the virtual
network.
When the cloud service with this configuration
is deployed, Azure will identify the network configuration and provision the
virtual machine instances in the Apps subnet.
https://outhereinthefield.wordpress.com/2014/05/23/adding-a-windows-azure-cloud-service-to-virtual-network/
QUESTION-42: Drag and Drop Question
You manage two solutions in
separate Azure subscriptions.
You need to ensure that the
two solutions can communicate on a private network.
Which three actions should
you perform in sequence? To answer, move the appropriate actions
Explanation:
Note: In this procedure, we'll walk you through
connecting two virtual networks, VNet1 and VNet2. You'll need to be comfortable
with networking in order to substitute the IP address ranges that are
compatible with your network design requirements. From an Azure virtual network,
connecting to another Azure virtual network is the same as connecting to an on
premises network via Site-to-site (S2S) VPN.
This procedure primarily uses the Management
Portal, however, you must use Microsoft Azure PowerShell cmdlets to connect the
VPN gateways.
QUESTION-43: Your company has recently signed up for Azure.
You plan to register a Data Protection Manager
(DPM) server with the Azure Backup service. You need to recommend a method for
registering the DPM server with the Azure Backup vault. What are two possible
ways to achieve this goal? Each correct answer presents a complete solution.
A.
Import a self-signed certificate created using
the makecert tool.
B.
Import a self-signed certificate created using
the createcert tool.
C.
Import an X.509 v3 certificate with valid
clientauthentication EKU.
D.
Import an X.509 v3 certificate with valid
serverauthentication EKU.
Answer: AC
Explanation:
A: You can create a self-signed
certificate using the makecert tool, or use any valid SSL certificate issued by
a Certification Authority (CA) trusted by Microsoft, whose root certificates
are distributed via the Microsoft Root Certificate Program.
C: The certificate must have a valid
ClientAuthentication EKU. http://technet.microsoft.com/en-us/library/dn296608.aspx
QUESTION-44: Hotspot Question
You manage an Azure
subscription.
You develop a storage plan
with the following requirements:
- Database
backup files that are generated once per year are retained for ten years.
- High
performance system telemetry logs are created constantly and processed for
analysis every month.
In the table below, identify the storage
redundancy type that must be used. Make only one selection in each column.
QUESTION-45: You
administer an Azure Storage account with a blob container.
You enable Storage account
logging for read, write and delete requests.
You need to reduce the costs
associated with storing the logs.
What should you do?
A.
Execute Delete Blob requests over https.
B.
Create an export job for your container.
C.
Set up a retention policy.
D.
Execute Delete Blob requests over http.
Answer: C
Explanation:
To ease the management of your logs, we have
provided the functionality of retention policy which will automatically clean up
'old' logs without you being charged for the cleanup. It is recommended that
you set a retention policy for logs such that your analytics data will be
within the 20TB limit allowed for analytics data (logs and metrics combined).
http://blogs.msdn.com/b/windowsazurestorage/archive/2011/08/03/windows-azure-storage-logging-using-logs-to-track-storage-requests.aspx
QUESTION-46: You administer an Azure
Storage account named contosostorage.
The account has a blob
container to store image files.
A user reports being unable
to access an image file.
You need to ensure that anonymous users can
successfully read image files from the container. Which log entry should you
use to verify access?
A.
Option A
B.
Option B
C.
Option C
D.
Option D
Answer: A
Explanation:
http://blogs.msdn.com/b/windowsazurestorage/archive/2011/08/03/windows-azure-storage-logging-using-logs-to-track-storage-requests.aspx
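One way to verify anonymous read access from the $logs entries, as an added example (not part of the original post): a parser for version 1.0 Storage Analytics log lines that reports which blobs in a container were read successfully without credentials. The field order is assumed from the Storage Analytics log format, and every log line is constructed sample data.

```python
import csv
import html
import io
from collections import Counter

# First 13 fields of a version 1.0 entry, in order (assumed from the Storage
# Analytics log format); the user agent is the 28th field.
FIELDS = ["version", "request_start_time", "operation_type", "request_status",
          "http_status_code", "end_to_end_latency_ms", "server_latency_ms",
          "authentication_type", "requester_account", "owner_account",
          "service_type", "request_url", "requested_object_key"]
USER_AGENT_INDEX = 27

# Constructed sample entries: account, blobs, IP, ids and timings are made up.
_BASE = "https://contosostorage.blob.core.windows.net"
_TAIL = ('00000000-0000-0000-0000-000000000000;0;203.0.113.10:51000;2014-02-14;'
         '283;0;354;23;0;;;"&quot;0x8D15A2913C934DE&quot;";'
         'Wednesday, 02-Jul-14 10:15:01 GMT;;'
         '"ExampleClient/1.0 (Windows NT 6.3; Win64)";;"constructed-client-id"')


def _head(time, op, status, code, auth, requester, path, query=""):
    return (f'1.0;2014-07-02T{time}.0000000Z;{op};{status};{code};18;17;{auth};'
            f'{requester};contosostorage;blob;"{_BASE}{path}{query}";'
            f'"/contosostorage{path}"')


SAMPLE_LOG = "\n".join(h + ";" + _TAIL for h in [
    _head("10:15:01", "GetBlob", "AnonymousSuccess", 200, "anonymous", "", "/images/logo.png"),
    _head("10:16:40", "GetBlob", "Success", 200, "authenticated", "contosostorage", "/images/banner.png"),
    _head("10:17:05", "GetBlob", "SASSuccess", 200, "sas", "", "/images/team.png",
          "?sv=2014-02-14&amp;sr=b&amp;sig=XXXXX&amp;sp=r"),
    _head("10:18:22", "PutBlob", "Success", 201, "authenticated", "contosostorage", "/images/new.png"),
    _head("10:19:47", "GetBlob", "AnonymousSuccess", 200, "anonymous", "", "/thumbnails/logo.png"),
])


def parse_log(text):
    """Parse log text into dicts. Quoted, HTML-encoded fields can contain ';',
    so the lines go through csv rather than str.split(';')."""
    entries = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) < len(FIELDS) or row[0] != "1.0":
            continue              # skip blank, truncated or unknown-version lines
        entry = dict(zip(FIELDS, (html.unescape(v) for v in row)))
        entry["user_agent"] = (html.unescape(row[USER_AGENT_INDEX])
                               if len(row) > USER_AGENT_INDEX else "")
        entries.append(entry)
    return entries


def container_of(entry):
    """requested-object-key has the form /<account>/<container>/<blob path>."""
    parts = entry["requested_object_key"].split("/")
    return parts[2] if len(parts) > 3 else ""


def anonymous_reads(entries, container):
    """Object keys of blobs in the container that were read without credentials."""
    return [e["requested_object_key"] for e in entries
            if e["operation_type"] == "GetBlob"
            and e["authentication_type"] == "anonymous"
            and e["request_status"] == "AnonymousSuccess"
            and e["http_status_code"] == "200"
            and container_of(e) == container]


def read_auth_breakdown(entries, container):
    """Count GetBlob requests against the container by authentication type."""
    return Counter(e["authentication_type"] for e in entries
                   if e["operation_type"] == "GetBlob" and container_of(e) == container)
```

The same breakdown is useful in the other direction: an `anonymous` count on a container that is meant to be private is a sign that its access level is wider than intended.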
QUESTION-47: Hotspot Question
You have an Azure SQL
Database named Contosodb.
Contosodb is running in the Standard/S2 tier
and has a service level objective of 99 percent. You review the service tiers
in Microsoft Azure SQL Database as well as the results of running performance
queries for the usage of the database for the past week as shown in the
exhibits. (Click the Exhibits button.)
For each of the following statements, select
Yes if the statement is true. Otherwise, select No.
Explanation:
* The P1 performance level has
100 DTUs compared to the 200 DTUs of the P2 performance level. That means that
the P1 performance level provides half the performance of the P2 performance
level. So 50% of CPU utilization in P2 equals 100% CPU utilization in P1. As
long as the application does not have timeouts, it may not matter if a big job
takes 2 hours or 2.5 hours to complete as long as it gets done today. An
application in this category can probably just use a P1 performance level. You
can take advantage of the fact that there are periods of time during the day
where resource usage is lower, meaning that any "big peak" might
spill over into one of the
QUESTION-48: Your
company is launching a public website that allows users to stream videos.
You upload multiple video
files to an Azure storage container.
You need to give anonymous users read access to
all of the video files in the storage container. What should you do?
A.
Edit each blob's metadata and set the access
policy to Public Blob.
B.
Edit the container metadata and set the access
policy to Public Container.
C.
Move the files into a container sub-directory
and set the directory access level to Public Blob.
D.
Edit the container metadata and set the access
policy to Public Blob.
Answer: D
Explanation:
By default, the container is
private and can be accessed only by the account owner. To allow
public read access to the
blobs in the container, but not the container properties and metadata,
use the "Public
Blob" option. To allow full public read access for the container and
blobs, use the
"Public Container"
option.
https://azure.microsoft.com/en-gb/documentation/articles/storage-manage-access-to-resources/
QUESTION-49: Hotspot Question
You manage a public-facing web application
which allows authenticated users to upload and download large files. On the
initial public page there is a promotional video. You plan to give users access
to the site content and promotional video.
In the table below, identify the access method
that should be used for the anonymous and authenticated parts of the
application. Make only one selection in each column.
Explanation:
https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1
https://docs.microsoft.com/en-us/azure/storage/storage-manage-access-to-resources
QUESTION-50: Drag and Drop Question
Your company network includes
a single forest with multiple domains.
You plan to migrate from
On-Premises Exchange to Exchange Online.
You want to provision the On-Premises Windows
Active Directory (AD) and Azure Active Directory (Azure AD) service accounts.
You need to set the required
permissions for the Azure AD service account.
Which settings should you use? To answer, drag
the appropriate permission to the service account. Each permission may be used
once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.
Explanation:
When you run the Directory Sync tool
Configuration Wizard, you must provide the following information:
Enterprise admin credentials
for the on-premises Active Directory schema Global admin
credentials for the Microsoft
cloud service
https://support.microsoft.com/kb/2684395?wa=wsignin1.0
QUESTION-51: Hotspot Question
You administer an Azure
Active Directory (Azure AD) tenant.
You add a custom application
to the tenant.
The application must be able
to:
- Read
data from the tenant directly.
In the table below, identify the permission
that must be granted to the application. Make only one selection in each
column.
Explanation:
http://msdn.microsoft.com/en-us/library/azure/dn132599.aspx
QUESTION-52: Your company plans to migrate from On-Premises
Exchange to Exchange Online in Office 365. You plan to integrate your existing
Active Directory Domain Services (AD DS) infrastructure with Azure AD.
You need to ensure that users
can log in by using their existing AD DS accounts and passwords.
You need to achieve this goal
by using minimal additional systems.
Which two actions should you
perform? Each answer presents part of the solution.
A.
Configure Password Sync.
B.
Set up a DirSync Server.
C.
Set up an Active Directory Federation Services
Server.
D.
Set up an Active Directory Federation Services
Proxy Server.
Answer: AB
Explanation:
Directory Sync with Password Sync Scenario
Applies To: Azure, Office 365, Windows Intune
Password sync is an extension to
the Directory Sync Scenario. With directory sync, you can manage the entire
lifecycle of your cloud user and group accounts using your on-premise Active
Directory management tools.
When password sync is enabled on your directory
sync computer, your users will be able to sign into Microsoft cloud services,
such as Office 365, Dynamics CRM, and Windows InTune, using the same password
as they use when logging into your on-premises network. When your users change
their passwords in your corporate network, those changes are synchronized to
the cloud. http://technet.microsoft.com/en-us/library/dn441214.aspx
You publish a multi-tenant application named
MyApp to Azure Active Directory (Azure AD). You need to ensure that only
directory administrators from the other organizations can access MyApp's web
API.
How should you configure MyApp's manifest JSON
file? To answer, drag the appropriate PowerShell command to the correct location
in the application's manifest JSON file. Each value may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll
to view content.
Answer:
QUESTION-44: You
manage a software-as-a-service application named SaasApp1 that provides user
management features in a multi-directory environment.
You need to ensure that
SaasApp1 can access directory objects.
What should you do?
A.
Configure the Federation Metadata URL
B.
Register SaasApp1 as a native client
application.
C.
Register SaasApp1 as a web application.
D.
Configure the Graph API.
Answer: D
Explanation:
The Azure Active Directory Graph API provides
programmatic access to Azure AD through REST API endpoints. Applications can
use the Graph API to perform create, read, update, and delete (CRUD) operations
on directory data and objects. For example, the Graph API supports the
following common operations for a user object:
- Create a new user in a directory
- Get a user's detailed properties, such as their groups
- Update a user's properties, such as their location and phone number, or change their password
- Check a user's group membership for role-based access
- Disable a user's account or delete it entirely
http://msdn.microsoft.com/en-us/library/azure/hh974476.aspx
QUESTION-45: You administer an Azure Active Directory (Azure
AD) tenant where Box is configured for:
- Application
Access
- Password
Single Sign-on
An employee moves to an organizational unit
that does not require access to Box through the Access Panel.
You need to remove only Box
from the list of applications only for this user.
What should you do?
A.
Delete the user from the Azure AD tenant.
B.
Delete the Box Application definition from the
Azure AD tenant.
C.
From the Management Portal, remove the user's
assignment to the application.
D.
Disable the user's account in Windows AD.
Answer: C
Explanation:
Note: Use Azure AD to manage user access,
provision user accounts, and enable single sign-on with Box. Requires an
existing Box subscription
very nice blog.