Copyright © 2026 Nxt Exam


Microsoft Certification

Microsoft Practice Questions, Discussions & Exam Topics by our Authors

You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam, Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to the Application1 components. All users are licensed for the Microsoft 365 E5 plan. You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1. The solution must meet the following requirements: * To the manager of the developers, send ...

To address the requirements and the goals outlined in the question, let's evaluate each option: A) In Azure Active Directory (Azure AD), create an access review of Application1. - Explanation: Azure AD Access Reviews allow you to periodically review user access to resources (like Application1) and request managers to approve or revoke access. This feature directly supports the goal of sending monthly email reminders to the manager about the access permissions and allowing automatic revocation if the manager doesn't respond. - Why selected: Azure AD Access Reviews are designed to meet the requirement of verifying permissions periodically, notifying managers, and automatically revoking access if no action is taken. It's built for such scenarios and provides an out-of-the-box solution with minimal development effort. - Scenario fit: This solution works best in this scenario as it requires minimal custom development and directly addresses the problem of access review, verification, and automatic revocation. B) Create an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet. - Explanation: The Get-AzRoleAssignment cmdlet retrieves role assignments in Azure, but this solution would require custom automation scripts to check role assignments, send emails, and implement automatic revocation based on user actions (or lack thereof). - Why rejected: While this could work, it would require significant development effort to create a fully functional solution that automates the entire process (e.g., sending emails, handling user responses, and revoking permissions). Additionally, it doesn’t natively support access reviews, which is a core requirement in this scenario. C) In Azure Active D...

Author: Noah · Last updated May 22, 2026

You have an Azure subscription. The subscription has a blob container that contains multiple blobs. Ten users in the finance department of your company plan to access the blobs during the month of April. You need to recommend a solution to enable access ...

To meet the requirement of granting access to the blobs only during the month of April, let's evaluate each option: A) Shared Access Signatures (SAS) - Explanation: A Shared Access Signature (SAS) allows you to grant limited access to Azure resources (such as blobs) for a specific time period, such as one month in this case. You can specify the start and expiry time of the SAS, making it an ideal solution to restrict access only to the month of April. - Why selected: SAS is the most suitable solution because it allows you to grant access for a limited period (e.g., April), and it can be configured with specific permissions such as read, write, or delete. Additionally, it is easy to implement and doesn’t require any changes to the user authentication or management systems. - Scenario fit: This is a perfect fit for scenarios where access needs to be restricted to a specific time window. The SAS token can be easily configured with an expiration date at the end of April, effectively limiting the access as required. B) Conditional Access policies - Explanation: Conditional Access policies in Azure AD are typically used to enforce specific access requirements based on conditions like user location, device compliance, or sign-in risk. While they can be used to control when and how users access applications, they are generally not used for controlling access to resources based on specific dates. - Why rejected: While Conditional Access could be part of a broader security strategy, it is not designed to directly manage time-limited access to specific resources like ...

Author: Emily · Last updated May 22, 2026

You have an Azure Active Directory (Azure AD) tenant that syncs with an on-premises Active Directory domain. You have an internal web app named WebApp1 that is hosted on-premises. WebApp1 uses Integrated Windows authentication. Some users work remotely and do NOT have VPN access to the on-premises network. You need to provide the remote users with single sign-on (SSO) access to ...

To provide remote users with single sign-on (SSO) access to WebApp1, which uses Integrated Windows Authentication (IWA), we need to enable remote access to the on-premises web application in a secure way while allowing seamless SSO functionality. Let's evaluate the options: A) Azure AD Application Proxy - Explanation: Azure AD Application Proxy is a service that allows remote users to securely access on-premises applications (like WebApp1) without needing a VPN. It supports Integrated Windows Authentication (IWA), which is necessary for WebApp1, and enables SSO for users who are authenticated through Azure AD. The proxy acts as a bridge, forwarding user requests to the on-premises web application while maintaining the authentication context. - Why selected: This solution is the best fit because Azure AD Application Proxy allows remote users to securely access on-premises resources and integrates with Azure AD to provide SSO. It specifically supports IWA, which is required for WebApp1, and doesn't require VPN access. - Scenario fit: This is the ideal choice for providing remote users access to an on-premises app with IWA, especially when VPN access is not available. B) Azure AD Privileged Identity Management (PIM) - Explanation: Azure AD PIM is primarily used for managing privileged accounts and roles, such as Azure AD administrator roles. It is focused on managing just-in-time access and auditing for elevated roles. - Why rejected: PIM does not address the need for remote access or providing SSO to an on-premises application. It is irrelevant for the specific use case of enabling access to WebApp1 remotely. - Scenario fit: Not applicable here because PIM is about managing roles and privileges, not providing access to on-premises applications. C) Conditional Access policies - Explanation: Conditional Access policies allow you to enforce specific access controls based on conditions such as user location, device compliance, or authentication strength. 
While Conditional Access can be used to control when and where users can access resources, it doesn't directly provide access to on-premises applications or integrate with IWA. - Why rejected: Conditional Access can complement a solution like Azure AD Application Proxy, but by itself, it doesn't enable remote access to on-premises resources or handle Integrated Windows Authentication. - ...

Author: Ishaan · Last updated May 22, 2026

You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a security group named Group1. Group1 is configured for assigned membership. Group1 has 50 members, including 20 guest users. You need to recommend a solution for evaluating the membership of Group1. The solution must meet the following requirements: * The evaluation must be repeated automatically every three months. * Every member must be able to report whether they need to be in Group1. * Users who report that they do ...

To meet the requirements of evaluating membership for Group1, let's assess each option: A) Implement Azure AD Identity Protection - Explanation: Azure AD Identity Protection is designed to manage and protect against risky sign-ins and user accounts, by detecting suspicious activities and enforcing policies such as multi-factor authentication (MFA) and conditional access. While it focuses on security and risk management, it does not address evaluating or managing group membership. - Why rejected: Azure AD Identity Protection is not designed to automate group membership evaluations, nor does it meet the requirement of automatically removing users based on their responses. It's focused on security incidents, not user access reviews. - Scenario fit: Not relevant, as it does not address group membership evaluation or automatic removal based on user responses. B) Change the Membership type of Group1 to Dynamic User - Explanation: Dynamic groups in Azure AD are used to automatically add or remove members based on user attributes, such as department or location. This would be useful if you want to automate group membership based on specific user attributes. However, it does not meet the requirement to allow users to report whether they should remain in the group, nor does it support an automatic evaluation every three months. - Why rejected: Dynamic groups are based on attributes but do not support manual user reporting or recurring evaluations. It doesn't allow users to report their membership status or provide automatic removals based on user input. - Scenario fit: Only relevant for attribute-based membership management, not for manual reporting and evaluations. C) Create an access review - Explanation: Access reviews in Azure AD allow you to periodically review access to resources and group...

Author: Ming · Last updated May 22, 2026

HOTSPOT - You plan to deploy Azure Databricks to support a machine learning application. Data engineers will mount an Azure Data Lake Storage account to the Databricks file system. Permissions to folders are granted directly to the data engineers. You need to recommend a design for the planned Databricks deployment. The solution must meet the following requirements: * Ensure that the data engineers can only access folders to which they have permissions. * Minimize deve...

Author: Samuel · Last updated May 22, 2026

HOTSPOT - You plan to deploy an Azure web app named App1 that will use Azure Active Directory (Azure AD) authentication. App1 will be accessed from the internet by the users at your company. All the users have computers that run Windows 10 and are joined to Azure AD. You need to recommend a solution to ensure that the users can connect to App1 without being prompted for authentication and can access App1 only from company-ow...

Author: Amira · Last updated May 22, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity. Several virtual machines exhibit netw...

Let's evaluate whether using Azure Traffic Analytics in Azure Network Watcher would meet the goal of analyzing the network traffic and identifying whether packets are being allowed or denied to virtual machines. Azure Traffic Analytics in Azure Network Watcher: Azure Traffic Analytics provides insights into the traffic patterns and flow in a virtual network. It can help with understanding where traffic is coming from and going to, and whether it's flowing according to expected routes. Traffic Analytics analyzes traffic flows using Network Security Groups (NSG) flow logs, providing detailed information about the source, destination, and type of traffic. However, Traffic Analytics by itself does not directly allow for the identification of whether specific packets are being "allowed" or "denied" in real-time or at a granular packet level. It is more suited for analyzing network flow trends over time, detecting anomalies, and providing insights based on the flow data, but it does not provide explicit insights into real-time access control decisions or whether specific traffic is actively being b...

Author: Emily · Last updated May 22, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity. Several virt...

Azure Advisor provides best practices and recommendations for optimizing the configuration of your Azure resources, but it is not designed to analyze network traffic or to directly identify whether specific packets are being allowed or denied. Key Points About Azure Advisor: - Azure Advisor focuses on providing recommendations to improve the overall efficiency, performance, and security of your Azure environment, including guidance on cost management, high availability, and security. - Azure Advisor does not analyze network traffic or perform packet-level analysis to identify whether traffic is being blocked or allowed. Why it ...

Author: Ava · Last updated May 22, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity. Several virtual machines exhibit ...

Azure Network Watcher provides several tools for monitoring and diagnosing network connectivity issues in Azure environments. One of the key tools available within Azure Network Watcher is IP Flow Verify, which allows you to analyze whether network traffic (packets) is being allowed or denied based on security group (NSG) rules or any other access controls. IP Flow Verify: - IP Flow Verify is specifically designed to check if a packet is allowed or denied based on the current network security group (NSG) rules, user-defined routes (UDRs), and the connectivity status between a source and destination. - It helps identify network connectivity issues by providing a clear response on whether traffic is being allowed or denied and helps in troubleshooting issues with network security or routing. Why this solution meets the goal: - IP Flow Veri...

Author: Joseph · Last updated May 22, 2026

DRAG DROP - You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server 2016 and Linux. You need to use Azure Monitor to design an alerting strategy for security-related events. Which Azure Monitor Logs tables should you query? To answer, drag the appropriate tables to the correct log types. Each table may be used once, more than o...

Author: William · Last updated May 22, 2026

You are designing a large Azure environment that will contain many subscriptions. You plan to use Azure Policy as part of a governance solution. To which three scopes can you assign Azure Policy definitions? Each c...

To assign Azure Policy definitions effectively, it's important to understand the different scopes where policies can be applied within an Azure environment. Let’s analyze each of the options provided. A) Azure Active Directory (Azure AD) administrative units - Not applicable: Azure AD administrative units are primarily used for delegating administrative permissions within Azure AD (like managing users and groups). Azure Policy works at the resource level within Azure subscriptions or management groups, and it is not designed to be assigned directly to Azure AD administrative units. - Rejected: Policies cannot be assigned to Azure AD administrative units because Azure Policy governs Azure resources, not Azure AD objects. B) Azure Active Directory (Azure AD) tenants - Not applicable: An Azure AD tenant is a dedicated instance of Azure Active Directory, and Azure Policy does not apply directly at the tenant level. Policies are meant to be assigned to resource scopes, like subscriptions or management groups, but not to Azure AD tenants. - Rejected: Policies cannot be assigned to Azure AD tenants since Azure Policy works with resources in Azure subscriptions or management groups. C) Subscriptions - Applicable: Azure Policy can be assigned to a subscription to enforce governance rules on the resources within that subscription. This is one of the core use cases for Azure Policy because it allows you to manage resource compliance at the subscription level. - Selected: This option is correct because policies are often applied at the subscription level to enforce compliance within all resource groups or resources inside that subscription. D) Compute resources - Not applicable: Azure Policy is not directly assigned to s...

Author: Nathan · Last updated May 22, 2026

DRAG DROP - Your on-premises network contains a server named Server1 that runs an ASP.NET application named App1. You have a hybrid deployment of Azure Active Directory (Azure AD). You need to recommend a solution to ensure that users sign in by using their Azure AD account and Azure Multi-Factor Authentication (MFA) when they connect to App1 from the internet. Which three features should you recommend be de...

Author: Rahul · Last updated May 22, 2026

You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager (ARM) resource deployments in your Azure ...

To generate a monthly report of all new Azure Resource Manager (ARM) resource deployments in your Azure subscription, it's important to choose a solution that tracks resource creation events effectively. Let's analyze each option: A) Azure Activity Log - Why selected: The Azure Activity Log captures detailed information about operations on resources, including deployments, updates, and deletions of resources within an Azure subscription. This is the most suitable option for tracking all new deployments in your subscription, as it logs every management operation that occurs, including the creation of new resources. - Use case: The Activity Log can be filtered to show "Create" operations specifically and can be used to generate reports or exported data. It also integrates with Azure Monitor and Log Analytics for further querying, reporting, and analysis. - Selected option: This is the correct choice for generating a report of new resource deployments. B) Azure Advisor - Not applicable: Azure Advisor provides best practice recommendations based on your environment's configuration. It doesn't focus on tracking specific operations like new resource deployments. Instead, it's more about improving performance, security, and cost efficiency. - Rejected: Azure Advisor is not designed to track deployment events, so it won't help you generate a ...

Author: SilverBear · Last updated May 22, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity. Several virtual machines exhibit network connectivity issues. You need to analyze the network ...

The proposed solution involves installing the Azure Monitoring Agent and the Dependency Agent on all virtual machines and using VM Insights in Azure Monitor to analyze network traffic. Let's break this down to determine if it meets the goal of analyzing network traffic to identify whether packets are being allowed or denied. Solution Review: - Azure Monitoring Agent: This agent collects monitoring data and sends it to Azure Monitor, but its primary focus is on performance metrics, logs, and diagnostics data. It helps provide insights into the health and performance of your virtual machines. - Dependency Agent: The Dependency Agent is used for application dependency mapping, helping to track communication between applications and services. It does not directly help analyze network traffic for identifying allowed or denied packets. - VM Insights in Azure Monitor: VM Insights is a powerful tool within Azure Monitor that can provide performance metrics and telemetry data about virtual machines. It helps monitor the health and performance of VMs, includ...

Author: Ahmed · Last updated May 22, 2026

DRAG DROP - You need to design an architecture to capture the creation of users and the assignment of roles. The captured data must be stored in Azure Cosmos DB. Which services should you include in the design? To answer, drag the appropriate services to the correct targets. Each service may be used once, more than once, or not at all...

Author: Kunal · Last updated May 22, 2026

Your company, named Contoso, Ltd., implements several Azure logic apps that have HTTP triggers. The logic apps provide access to an on-premises web service. Contoso establishes a partnership with another company named Fabrikam, Inc. Fabrikam does not have an existing Azure Active Directory (Azure AD) tenant and uses third-party OAuth 2.0 identity management to authenticate its users. Developers at Fabrikam plan to use a subset of the logic apps to build applications that will integrate with the on-premises web service of Contoso. You need to design a solution to provide the Fabrikam developers with access to the logic apps. The solution must meet the following requirements: * Requests to the logic apps from the developers must be limited to lo...

Let's break down the requirements and constraints for the solution: 1. Requests from the developers must be limited to lower rates than requests from users at Contoso: - This suggests that we need some form of traffic management or rate limiting that can differentiate between requests originating from Contoso users and those from Fabrikam developers. 2. The developers must be able to rely on their existing OAuth 2.0 provider: - Fabrikam uses a third-party OAuth 2.0 provider for authentication, which means we cannot leverage Azure Active Directory (Azure AD) for authentication directly. The solution must integrate with OAuth 2.0. 3. The solution must NOT require changes to the logic apps: - This means that the logic apps cannot be modified in any way. The solution must work with the existing configuration and functionality of the logic apps. 4. The solution must NOT use Azure AD guest accounts: - Since the solution should not involve Azure AD guest accounts, we must look for alternatives to grant external access to the logic apps without using Azure AD directly. Analysis of the options: A) Azure Front Door: - Azure Front Door provides global load balancing and application acceleration. While it can offer traffic management, it does not directly integrate with OAuth 2.0 identity providers. It is primarily focused on routing and performance but does not address authentication or rate-limiting on its own. - It cannot easily handle the OAuth 2.0 authentication requirement for Fabrikam and doesn't provide a robust way to control access from external developers without changing the logic apps. - Rejected because it does not meet the authentication requirements for Fabrikam and lacks OAuth 2.0 integration. B) Azure AD Application Proxy: - Azure AD Application Proxy is used for securing access to on-premises applications, typically by leveraging Azure AD for authentication. 
However, since the requirement specifically states that the solution cannot involve Azure AD guest accounts, this option is not su...

Author: Ella · Last updated May 22, 2026

HOTSPOT - You have an Azure subscription that contains 300 virtual machines that run Windows Server 2019. You need to centrally monitor all warning events in the System logs of the virtual machines. What should you include in the solution? To answer, s...

Author: Leo · Last updated May 22, 2026

HOTSPOT - You have several Azure App Service web apps that use Azure Key Vault to store data encryption keys. Several departments have the following requests to support the web app: Which service should you recommend for each department's request? To answer, ...

Author: Daniel · Last updated May 22, 2026

HOTSPOT - Your company has the divisions shown in the following table. You plan to deploy a custom application to each subscription. The application will contain the following: * A resource group * An Azure web app * Custom role assignments * An Azure Cosmos DB account You need to use Azure Blueprints to deploy the application to each subscription. What is the minimum number...

Author: Daniel · Last updated May 22, 2026

HOTSPOT - You need to design an Azure policy that will implement the following functionality: * For new resources, assign tags and values that match the tags and values of the resource group to which the resources are deployed. * For existing resources, identify whether the tags and values match the tags and values of the resource group that contains the resources. * For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values. The s...

Author: Ravi Patel · Last updated May 22, 2026

HOTSPOT - You have an Azure subscription that contains the resources shown in the following table. You create an Azure SQL database named DB1 that is hosted in the East US Azure region. To DB1, you add a diagnostic setting named Settings1. Settings1 archives SQLInsights to storage1 and sends SQLIn...

Author: Mia · Last updated May 22, 2026

You plan to deploy an Azure SQL database that will store Personally Identifiable Information (PII). You need to ensure that only privileged use...

In this scenario, the requirement is to ensure that only privileged users can view Personally Identifiable Information (PII) stored in an Azure SQL database. Let's evaluate each of the options and their suitability for this use case. Key Factors for Reasoning: 1. Dynamic Data Masking: Dynamic Data Masking (DDM) is a feature that limits sensitive data exposure by masking it in the result set. It provides a way to obfuscate sensitive data like PII but doesn't prevent users with higher privileges (such as database administrators) from accessing the original unmasked data. DDM works by masking sensitive data based on user roles and can help limit exposure but doesn't restrict privileged users from accessing the data. 2. Role-based Access Control (RBAC): Role-based Access Control (RBAC) is a powerful tool for controlling who can access and manage Azure resources. However, RBAC controls access to Azure resources at the subscription, resource group, and resource levels (such as the Azure SQL Database resource), but it doesn't control access to the data inside the SQL database itself. It doesn't provide direct control over specific database columns or PII data stored in the database. 3. Data Discovery & Classification: Data Discovery & Classification is a feature in Azure SQL that helps identify and classify sensitive data (such as PII) within the database. While it helps identify which data needs protection and classify it appropriately, it doesn't provide direct access control to ensure that only privileged users can view PII. It’s a good step for discovering and classifying sensitive data, but it doesn't enforce user access restrictions. 4. Transparent Data Encryption (TDE): Transpare...

Author: Maya · Last updated May 22, 2026

You plan to deploy an app that will use an Azure Storage account. You need to deploy the storage account. The storage account must meet the following requirements: * Store the data for multiple users. * Encrypt each user's data by using a separate ...

In this scenario, you need to deploy an Azure Storage account that will meet the following requirements:
1. Store data for multiple users.
2. Encrypt each user's data with a separate key.
3. Encrypt all data using customer-managed keys.
Let's evaluate the options and analyze their suitability for these requirements.
Key Factors for Reasoning:
1. Storing data for multiple users: This requirement implies that the storage account should be able to handle and segregate data for different users. This typically involves capabilities to manage multiple containers, files, or blobs for different user data.
2. Encrypting each user's data with a separate key: This means you need encryption at a granular level, likely per file or blob. Azure supports customer-managed keys (CMK) for encryption, and it allows you to manage the keys through Azure Key Vault.
3. Encrypting all data using customer-managed keys: This specifies that the encryption for all data must be controlled by the customer and not managed by Microsoft. Azure Storage offers the option to use customer-managed keys with encryption, but not all storage types or configurations support this feature.
Analysis of Options:
A) Files in a Premium File Share Storage Account
- Files in a premium file share: Premium file shares are designed for high-performance file storage, often used for enterprise workloads. However, premium file shares do not support granular encryption per user. While they support customer-managed keys for data encryption at the account level, they do not offer per-user encryption or the flexibility needed to manage encryption keys separately for each user.
- Rejected: Does not meet the requirement of encrypting each user's data with a separate key.
B) Blobs in a General Purpose v2 Storage Account
- General Purpose v2 storage accounts: This type of storage account supports multiple storage types (blobs, files, queues, tables) and can use customer-managed keys for encryption.
- Granular encryption: With blob storage, you can use Azure Storage Service Encryption (SSE) with customer-managed keys (CMK). In addition, you can configure separate keys for individual blobs or containers...

Author: Matthew · Last updated May 22, 2026

HOTSPOT - You have an Azure App Service web app that uses a system-assigned managed identity. You need to recommend a solution to store the settings of the web app as secrets in an Azure key vault. The solution must meet the following requirements: * Minimize changes to the app code. * Use the principle of least privilege. What should you in...

Author: Leah · Last updated May 22, 2026

You plan to deploy an application named App1 that will run on five Azure virtual machines. Additional virtual machines will be deployed later to run App1. You need to recommend a solution to meet the following requirements for the virtual machines that will run App1: * Ensure that the virtual machines can authenticate to Azure Active Directory (Azure AD) to gain access to an Azure key vault, Azure Logic Apps instances, and an Azure SQL database. * Avoid assigning new roles and permissions for Azure services when you dep...

To meet the requirements for App1 running on Azure virtual machines (VMs), let's break down the key requirements and evaluate each option based on how well they satisfy those needs:
Key Requirements:
1. Authenticate to Azure Active Directory (Azure AD): The VMs should authenticate to Azure AD to access Azure services like Azure Key Vault, Azure Logic Apps, and Azure SQL Database.
2. Avoid assigning new roles and permissions for Azure services when adding more VMs: The solution should be scalable, so we shouldn't have to manually assign new roles or permissions every time we add more virtual machines.
3. Avoid storing secrets and certificates on the virtual machines: The solution should allow the VMs to authenticate without requiring secrets or certificates stored directly on them.
4. Minimize administrative effort for managing identities: The solution should require minimal ongoing management of identities.
Evaluation of Each Option:
A) System-assigned managed identity
- System-assigned managed identity is automatically created for an Azure resource (in this case, a VM) and is tied to the lifecycle of the resource.
- Benefits:
  - It avoids storing secrets and certificates on the VM because Azure automatically manages the authentication credentials.
  - No new roles/permissions need to be assigned when deploying additional VMs. The identity is tied to the VM and can be granted access to Azure services like Azure Key Vault, Azure Logic Apps, and Azure SQL Database via Azure AD.
  - It minimizes administrative effort because Azure automatically handles identity management and authentication.
  - The identity is unique to each VM and can be granted access to specific resources with role-based access control (RBAC).
- Scenario: This is the best choice because it satisfies all requirements, especially the need for scalable, automatic management of identities for VMs. Each VM has its own identity, and access is granted through RBAC without needing to store credentials locally on the VM.
B) A service principal t...

Author: Aarav · Last updated May 22, 2026

You have the resources shown in the following table: CDB1 hosts a container that stores continuously updated operational data. You are designing a solution that will use AS1 to analyze the operational data daily. You need to recommend a solution to analyze the da...

To design a solution that analyzes operational data without affecting the performance of the operational data store (CDB1 in this case), it's crucial to select an option that efficiently handles real-time or near-real-time data analysis without causing performance degradation in the operational store. Let's evaluate the options provided:
A) Azure Cosmos DB Change Feed
- Description: The Cosmos DB change feed captures changes made to the data in real-time, allowing other systems to listen and react to these changes.
- Suitability: This is ideal for scenarios where you need to track or process changes in the data without affecting the operational database. The change feed is often used in event-driven architectures and can be used to stream data into analytics systems or processing pipelines asynchronously.
- Reason for Rejection: While the change feed can help in tracking and capturing data changes, it doesn't provide a direct analytics capability. You would still need to integrate it with another service for analysis, which may increase complexity. Also, it's best for real-time data processing rather than daily batch processing.
B) Azure Data Factory with Azure Cosmos DB and Azure Synapse Analytics connectors
- Description: Azure Data Factory (ADF) is an ETL service that can integrate with Cosmos DB and Synapse Analytics to orchestrate and automate the movement of data.
- Suitability: This option would help extract operational data from Cosmos DB and load it into Azure Synapse Analytics, where it could be analyzed. ADF can schedule the data pipelines to run at a specific frequency (e.g., daily), ensuring that the operational database's performance remains unaffected.
- Reason for Rejection: ADF could be a valid option, but it is more of an ETL tool for extracting, transforming, and loading data. It doesn't inherently provide real-time analysis capabilities like some of the other options. ADF is more suited for batch processing and is less efficient for continuously updated data or real-time analytics compared to other options, such as Azure Synapse Link.
C) Azure Synapse Link for Azure Cosmos DB
- Description: Azure Synapse Link is specifically designed to bridge Azure Cosmos DB with Azure Synapse Analytics. It allows for near real-time analytics on Cosmos DB data without impacting the...

Author: Rohan · Last updated May 22, 2026

HOTSPOT - You deploy several Azure SQL Database instances. You plan to configure the Diagnostics settings on the databases as shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement base...

Author: Suresh · Last updated May 22, 2026

You have an application that is used by 6,000 users to validate their vacation requests. The application manages its own credential store. Users must enter a username and password to access the application. The application does NOT support identity providers. You plan to upgrade the application to use single ...

When upgrading your application to use single sign-on (SSO) authentication with Azure Active Directory (Azure AD), the goal is to integrate with Azure AD while maintaining security and a smooth user experience. Let's evaluate the options provided for SSO:
A) Header-based SSO
- Description: This method uses HTTP headers to pass user authentication data between the application and identity provider (Azure AD in this case). Typically, header-based authentication is used when your application is hosted on-premises or in a hybrid setup where you control the headers.
- Suitability: While it can be a viable option, header-based SSO is not the most common or straightforward method for integrating with Azure AD. It's typically used for specific scenarios involving custom solutions and would require additional configuration to securely pass authentication data in headers.
- Reason for Rejection: Header-based SSO is not the most commonly used or standard method for applications looking to integrate with Azure AD for SSO. It's also not as simple as other methods like OpenID Connect or SAML, making it a less favorable option for most users.
B) SAML (Security Assertion Markup Language)
- Description: SAML is a widely used protocol for SSO that facilitates the exchange of authentication and authorization data between the identity provider (Azure AD) and the service provider (your application). It's often used in enterprise environments where legacy systems are involved.
- Suitability: SAML is a robust option for SSO and works well in many enterprise scenarios, especially when dealing with legacy applications. However, for newer, cloud-native applications, other protocols such as OpenID Connect tend to be simpler and more modern.
- Reason for Rejection: While SAML is effective for SSO, it is typically more complex to configure than newer protocols like OpenID Connect. Since your application doesn't support identity providers and is looking to modernize, SAML might require additional configuration and is not as seamless as other options.
C) Password-based SSO
- Description: Password-based SSO allows users to sign in using their existing credentials from a third-party identity pr...

Author: Scarlett · Last updated May 22, 2026

HOTSPOT - You have an Azure subscription that contains a virtual network named VNET1 and 10 virtual machines. The virtual machines are connected to VNET1. You need to design a solution to manage the virtual machines from the internet. The solution must meet the following requirements: * Incoming connections to the virtual machines must be authenticated by using Azure Multi-Factor Authentication (MFA) before network connectivity is allowed. * Incoming connections must use TLS and connect to TCP ...

Author: Aria · Last updated May 22, 2026

You are designing an Azure governance solution. All Azure resources must be easily identifiable based on the following operational information: environment, owner, department and cost center. You need to ensure that you can use the operationa...

To design an Azure governance solution where all Azure resources must be easily identifiable based on operational information like environment, owner, department, and cost center, and to ensure that this information is usable in reports for Azure resources, let's evaluate the provided options.
Option A: Azure Data Catalog that uses the Azure REST API as a data source
- Description: Azure Data Catalog is a service used to register, enrich, and search for data assets across your environment. It is primarily focused on managing data assets and metadata, not on managing resources or enforcing governance rules directly.
- Suitability: While Azure Data Catalog can help you organize and track data assets, it does not directly apply to the identification and management of Azure resources (like virtual machines, storage accounts, etc.). It does not provide a way to tag resources or generate reports based on operational data such as environment, owner, department, and cost center.
- Reason for Rejection: This option is not relevant to managing Azure resource governance in the way that you require. It is focused more on data asset management, which does not meet the need for resource identification or tagging based on operational information.
Option B: An Azure management group that uses parent groups to create a hierarchy
- Description: Azure management groups are used to organize subscriptions in a hierarchical structure. This helps with applying policies, role-based access control (RBAC), and organizing resources across multiple subscriptions. However, they are typically used for structuring access control and policy application, not specifically for resource tagging or generating operational reports based on specific attributes (like environment, owner, department, etc.).
- Suitability: While management groups can help in organizing resources at a higher level across subscriptions, they do not directly address the need for tagging resources with operational information like environment, owner, and cost center. This would not be sufficient for generating reports based on such tags.
- Reason for Rejection: Management groups are good for organizing subscriptions, but they don't enforce tagging, and thus wouldn't provide a reliable method for generating the reports you're looking for.
Option C: An Azure policy that enforces tagging rules
- Description: Azure Policy allows you to creat...

Author: Grace · Last updated May 22, 2026

A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft 365 and an Azure subscription. Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS) and Azure AD Connect. Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and a Microsoft 365 tenant. Fabrikam has the same on-premises identity infrastructure components as Contoso. A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributo...

To meet the requirement of allowing Fabrikam's developers to access the Contoso Azure resources using their existing credentials and to assign them the Contributor role, let's analyze each option:
A) In the Azure AD tenant of Contoso, create cloud-only user accounts for the Fabrikam developers.
- Explanation: This option would involve creating new Azure AD accounts specifically for the Fabrikam developers in the Contoso Azure AD tenant. While this would give the developers access to the resources in Contoso, it is not ideal because it would require them to maintain separate credentials for Contoso and Fabrikam. Additionally, it doesn't meet the requirement of the developers using their existing credentials to access the resources.
- Why it's rejected: It violates the requirement to use existing credentials. Also, it adds administrative overhead for maintaining these cloud-only accounts, which is inefficient.
B) Configure a forest trust between the on-premises Active Directory forests of Contoso and Fabrikam.
- Explanation: A forest trust allows two Active Directory forests to share authentication and authorization data, enabling users from one forest to access resources in another. While this approach would let Fabrikam's developers use their on-premises AD credentials, it's not the most appropriate solution for Azure-based resources and roles.
- Why it's rejected: A forest trust is typically used for on-premises resource sharing, not for Azure AD roles and cloud access. Azure AD role assignments, including Contributor access, are done in the cloud and ...

Author: ThunderBear · Last updated May 22, 2026

Your company has the divisions shown in the following table. Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend...

Let's analyze each of the options provided and see which one would best enable users from the fabrikam.com tenant to authenticate to the Azure App Service (App1) in the contoso.com tenant.
A) Configure the Azure AD provisioning service.
- Explanation: Azure AD provisioning is typically used to automate the creation, update, and deletion of user accounts in Azure AD or other connected systems. It's primarily used for synchronizing users and groups from external directories or third-party systems into Azure AD.
- Why it's rejected: The Azure AD provisioning service doesn't address the specific need for external user authentication to an application (App1) within Contoso's Azure AD tenant. It's more about identity lifecycle management, not enabling cross-tenant authentication for a web app.
B) Enable Azure AD pass-through authentication and update the sign-in endpoint.
- Explanation: Azure AD pass-through authentication allows users to sign in to cloud-based resources using their on-premises Active Directory credentials. It essentially passes the authentication request to the on-premises domain controllers to validate the user's identity.
- Why it's rejected: While pass-through authentication is helpful for on-premises users, it doesn't address cross-tenant authentication or allowing fabrikam.com users to authenticate to an app in the contoso.com tenant. This method is not suited for enabling external users to authenticate to a web app.
C) Use Azure AD entitlement management to govern external users.
- Explanation: Azure AD entitlement management allows you to manage external users (also called B2B users) by defining access pa...

Author: Zara1234 · Last updated May 22, 2026

HOTSPOT - Your company has 20 web APIs that were developed in-house. The company is developing 10 web apps that will use the web APIs. The web apps and the APIs are registered in the company's Azure Active Directory (Azure AD) tenant. The web APIs are published by using Azure API Management. You need to recommend a solution to block unauthorized requests originating from the web apps from reaching the web APIs. The solution must meet the following requirements: * Use Azure AD-generated claims. ...

Author: Krishna · Last updated May 22, 2026

You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager (ARM) resource deployments in your Azure ...

To recommend a solution for generating a monthly report of all the new Azure Resource Manager (ARM) resource deployments in an Azure subscription, let's evaluate each of the available options based on the requirements.
A) Azure Log Analytics
- Explanation: Azure Log Analytics is a service that is part of Azure Monitor and can be used to collect and analyze log data from various Azure resources. It allows you to run queries on the logs and generate reports based on the data collected. Specifically, Azure Activity Logs can track all ARM resource deployment activities, including resource creation, modification, and deletion.
- Why it's selected: Azure Log Analytics can be configured to collect and query Activity Logs from Azure subscriptions, which record all ARM resource deployments. By setting up a scheduled query in Log Analytics, you can generate a report on a monthly basis showing all new deployments, including details such as resource names, types, and the time of deployment. This is a native solution to monitor and report on resource activities, which is exactly what is needed in this case.
- Why ...

Author: CrystalWolfX · Last updated May 22, 2026

Your company has the divisions shown in the following table. Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend...

To enable users from the fabrikam.com tenant to authenticate to App1 (which is part of contoso.com's Azure Active Directory), let's evaluate each of the provided options in terms of their effectiveness and alignment with the requirements.
Option A: Configure the Azure AD provisioning service.
- Explanation: Azure AD provisioning is used to automate the creation, management, and deletion of users and groups across different identity systems. It's primarily used for synchronizing user identities across directories (like moving users from one Active Directory to another or syncing with a third-party system).
- Why it's rejected: This option is focused on provisioning users, not authentication. Azure AD provisioning is typically used to create and manage user accounts in Azure AD or connected systems, but it doesn't enable cross-tenant authentication for users. This option wouldn't directly help fabrikam.com users authenticate to App1 in contoso.com's Azure AD.
Option B: Configure assignments for the fabrikam.com users by using Azure AD Privileged Identity Management (PIM).
- Explanation: Azure AD Privileged Identity Management (PIM) is used to manage and control privileged identities and roles in Azure AD, including just-in-time access to sensitive resources. PIM helps ensure that users who need elevated access to resources do so securely and with proper oversight.
- Why it's rejected: While PIM is excellent for managing privileged roles, it's not the correct tool for cross-tenant authentication. PIM manages roles and access for users already in your Azure AD tenant and doesn't facilitate cross-tenant authentication between fabrikam.com and contoso.com for App1. Therefore, PIM doesn't address the requirement of enabling users in fabrikam.com to authenticate to App1 in contoso.com.
Option C: Use Azure AD entitlement management to govern external users.
- Explanation: Azure AD entitlement management allows you to create access packages to assign resources to...

Author: Emily · Last updated May 22, 2026

You are developing an app that will read activity logs for an Azure subscription by using Azure Functions. You need to recommend an authentication solution for Azure Functions. The solution mu...

To recommend an authentication solution for Azure Functions in this scenario, we need to consider the following factors:
1. Security: The solution must ensure secure access to resources in Azure without exposing sensitive credentials.
2. Ease of management: The solution should minimize administrative overhead, such as managing credentials, access keys, or tokens.
3. Scalability: The solution should scale with the growth of the application, without requiring constant reconfiguration.
4. Flexibility: The solution must work well with Azure services and allow fine-grained access control.
Option Analysis:
1. A) An enterprise application in Azure AD:
- Use Case: This option typically applies to scenarios where an external application (outside Azure) needs to authenticate with Azure resources using Azure Active Directory (AAD) as the identity provider.
- Rejected: In this scenario, you are developing an app within Azure Functions, which directly integrates with Azure services. An enterprise application would not be the most fitting solution because it adds unnecessary complexity and external management. It's more suited for scenarios where external third-party apps are involved.
2. B) System-assigned managed identities:
- Use Case: This option enables the Azure Functions app to authenticate to Azure resources without managing any credentials. A system-assigned managed identity is automatically created by Azure and can be used for Azure resource access, such as Azure Key Vault, Azure Storage, etc.
- Advantage: It simplifies management and eliminates the need to handle credentials, as Azure manages the identity lifecycle automatically. This red...

Author: Emily · Last updated May 22, 2026

Your company has the divisions shown in the following table. Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend...

To enable users in the fabrikam.com tenant to authenticate to App1 (which is using Azure AD for single sign-on authentication with users from contoso.com), we need to focus on cross-tenant authentication while minimizing administrative overhead and maintaining security.
Option Analysis:
1. A) Configure Azure AD join:
- Use Case: This option is meant for devices that need to join Azure AD, allowing users to authenticate with their corporate credentials from Azure AD-joined devices. It's typically used for scenarios where you need to enable device management and allow users to sign into Windows devices or manage access for corporate resources.
- Rejected: Azure AD join is primarily for managing devices, not for cross-tenant authentication for users. This does not address the core requirement of enabling users from fabrikam.com to authenticate to App1.
2. B) Use Azure AD entitlement management to govern external users:
- Use Case: Azure AD entitlement management allows administrators to manage access to resources for external users. It can be used to set up policies for inviting users from other organizations, granting them access to resources in the tenant.
- Rejected: While this approach could allow you to invite external users to access resources in your tenant, it adds complexity. The process would require you to manage entitlements and user lifecycle, which may not be necessary if you're just looking to enable fabrikam.com users to authenticate to App1. It's more useful for managing large numbers of external users in a systematic way rather than simply enabling cross-tenant authentication for a specific app.
3. C) Enable Azure AD pass-through authentication and update the sign-in endpoint:
- Use Case: Azure AD pass-through authentication allows users to authenticate against their on-premises Active Directory without requiring them to syn...

Author: RadiantJaguar56 · Last updated May 22, 2026

Your company has the divisions shown in the following table. Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend...

To enable users in the fabrikam.com tenant to authenticate to App1 (which is hosted in the contoso.com tenant and uses Azure AD for authentication), we need to allow cross-tenant authentication without adding excessive complexity. Let's analyze each option and see which one best fits the scenario:
Option Analysis:
1. A) Configure Azure AD join:
- Use Case: Azure AD Join is used primarily for registering devices with Azure AD. It allows users to sign in to their devices using Azure AD credentials. It's designed for managing devices and providing access to enterprise resources.
- Rejected: This option is not relevant for enabling cross-tenant user authentication. It is focused on device management and doesn't address the need for allowing users from fabrikam.com to authenticate to an app hosted in contoso.com.
2. B) Configure Azure AD Identity Protection:
- Use Case: Azure AD Identity Protection helps protect against identity-based risks. It can detect and mitigate risk events related to user sign-ins (e.g., multi-factor authentication challenges based on risk levels).
- Rejected: This option is focused on securing user identities and preventing fraudulent access but does not directly solve the problem of enabling users from fabrikam.com to authenticate to App1. While it helps with securing access, it doesn't facilitate cross-tenant authentication.
3. C) Use Azure AD entitlement management to govern external users:
- Use Case: Azure AD Entitlement Management is a feature that enables organizations to govern external access by managing who can access which ...

Author: Ahmed97 · Last updated May 22, 2026

You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager (ARM) resource deployments in your Azure s...

To generate a monthly report of all the new Azure Resource Manager (ARM) resource deployments in your Azure subscription, the solution needs to track and report on activities related to resource provisioning and management. Let's analyze each option:
Option Analysis:
1. A) Azure Activity Log:
- Use Case: The Azure Activity Log provides detailed information on operations within your Azure subscription, including resource creation, deletion, modification, and other management activities. It specifically tracks management plane operations such as ARM deployments, and you can query the log to get details on new resource deployments.
- Selected: This is the most suitable option. The Azure Activity Log will allow you to filter and report on resource creation events within your Azure subscription. By querying the activity log, you can retrieve data on all new ARM resource deployments, and even automate the generation of reports for monthly analysis. You can also use Log Analytics or Azure Monitor to query and format the data as required.
2. B) Azure Arc:
- Use Case: Azure Arc extends Azure services to on-premises, multi-cloud, and edge environments, allowing you to manage resources outside of Azure as if they were part of your Azure environment.
- Rejected: While Azure Arc is useful for managing resources outside of Azure, it does not provide detailed logs or reporting specifically for Azure Resource Manager (ARM) deployments. It is not suitable for tracking resource ...

Author: Ella · Last updated May 22, 2026

HOTSPOT - You have an Azure subscription that contains an Azure key vault named KV1 and a virtual machine named VM1. VM1 runs Windows Server 2022: Azure Edition. You plan to deploy an ASP.NET Core-based application named App1 to VM1. You need to configure App1 to use a system-assigned managed identity to retrieve secrets from KV1. The solution must minimiz...

Author: Isabella1 · Last updated May 22, 2026

Your company has the divisions shown in the following table. Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend...

To enable users in the fabrikam.com tenant to authenticate to App1, we need to address the issue of cross-tenant authentication. Since App1 is already using Azure AD for authentication, and users from contoso.com can authenticate, the solution must extend this capability to users from fabrikam.com. Let's analyze each option:
A) Configure Azure AD join: Azure AD join is typically used for devices, allowing them to be registered with Azure Active Directory for management and security purposes. This option is relevant for enabling device management but does not directly impact cross-tenant user authentication. Thus, it would not address the requirement of enabling fabrikam.com users to authenticate to App1.
Rejection Reason: This option is not suitable because Azure AD join focuses on device registration, not user authentication between tenants.
B) Configure Azure AD Identity Protection: Azure AD Identity Protection is designed to manage and protect user identities by detecting risky sign-ins and enforcing conditional access policies based on the risk levels. While it provides robust security mechanisms, it is not designed to handle cross-tenant authentication directly. It primarily works to protect existing identities in the tenant.
Rejection Reason: While important for securing user identities, Azure AD Identity Protection does not provide a solution for cross-tenant user authentication.
C) Configure a Conditional Access policy: Conditional Access policies in Azure AD can help define rules for user access based on certain conditions ...

Author: Rohan · Last updated May 22, 2026

You have an Azure AD tenant named contoso.com that has a security group named Group1. Group1 is configured for assigned memberships. Group1 has 50 members, including 20 guest users. You need to recommend a solution for evaluating the membership of Group1. The solution must meet the following requirements: * The evaluation must be repeated automatically every three months. * Every member must be able to report whether they need to be in Group1. * Users who report that they do not need...

To evaluate the membership of Group1 and automatically manage users based on their responses, let's analyze each option based on the requirements:
A) Implement Azure AD Identity Protection: Azure AD Identity Protection is used to detect and respond to identity-related risks, such as suspicious sign-ins or risky users. It helps manage security risks related to user accounts, such as enforcing conditional access policies for risky sign-ins. However, it is not designed to evaluate group membership or automate the removal of users from groups based on their responses.
Rejection Reason: Azure AD Identity Protection is focused on securing identities and does not address the task of evaluating group membership or automating user removals based on feedback.
B) Change the Membership type of Group1 to Dynamic User: Dynamic groups in Azure AD automatically add and remove members based on specific rules set for attributes of the users (such as department, job title, location, etc.). However, dynamic groups don't fulfill the requirement for self-reporting, and they cannot automate the removal of users who don't provide feedback about their need to be in the group. The membership is automatically adjusted based on user attributes, but not based on whether users self-report their need to stay in the group.
Rejection Reason: While dynamic groups are great for automatically adding/removing members based on attributes, they do not support automatic self-reporting or the removal of users who do not respond. This does not meet the scenario requirements.
C) Create an access review: An Access Review in Azure AD is specifically designed to evaluate group memberships on a regular basis. It enab...

Author: Isabella · Last updated May 22, 2026

HOTSPOT - You have an Azure subscription named Sub1 that is linked to an Azure AD tenant named contoso.com. You plan to implement two ASP.NET Core apps named App1 and App2 that will be deployed to 100 virtual machines in Sub1. Users will sign in to App1 and App2 by using their contoso.com credentials. App1 requires read permissions to access the calendar of the signed-in user. App2 requires write permissions to access the calendar of the signed-in user. You need to recommend an authentication and authorization solution for the apps. The solution must meet the following r...

Author: Samuel · Last updated May 22, 2026

Your company has the divisions shown in the following table. Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend...

To enable users from fabrikam.com to authenticate to App1 (an Azure App Service web app) that already uses Azure AD for authentication and currently supports users from contoso.com, we need to configure a solution that allows users from the fabrikam.com tenant to authenticate in a secure and controlled manner. Let's evaluate the options:

A) Enable Azure AD pass-through authentication and update the sign-in endpoint: Azure AD pass-through authentication is used to allow users to authenticate to Azure AD using on-premises Active Directory credentials, with no need for synchronization. However, pass-through authentication is meant for scenarios where user authentication is handled by an on-premises AD rather than Azure AD. It doesn't solve the problem of enabling authentication for external users (like fabrikam.com) across different tenants.
Rejection Reason: This option is not suitable because Azure AD pass-through authentication is designed for on-premises authentication scenarios and doesn’t address cross-tenant authentication.

B) Use Azure AD entitlement management to govern external users: Azure AD entitlement management is a solution that helps manage access to resources for external users (also known as B2B collaboration). It allows you to create access packages and define policies to grant access to external users. With entitlement management, you can allow users from the fabrikam.com tenant to authenticate and access resources (like App1) in your tenant by granting them access through an access package. This solution would allow fabrikam.com users to be invited to your tenant and granted access to App1, making it the ideal option for enabling cross-tenant authentication.
Reasoning: This solution is specifically designed for managing externa...

Author: Isabella · Last updated May 22, 2026

Your company has the divisions shown in the following table. Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend...

In this scenario, the goal is to enable users from the fabrikam.com tenant to authenticate to App1, which currently allows authentication only for users from the contoso.com tenant. Since App1 uses Azure AD for single-tenant authentication, we need to extend this authentication capability to users from another tenant (fabrikam.com). Let's evaluate each of the proposed options:

A) Configure the Azure AD provisioning service: The Azure AD provisioning service is used for automatically creating, updating, and deleting users and groups in an Azure AD tenant based on a source (such as another directory or an external system). However, provisioning does not directly address enabling cross-tenant authentication. It’s more focused on identity lifecycle management, not authentication.
Rejection Reason: This option is not relevant for enabling users from an external tenant (fabrikam.com) to authenticate to App1.

B) Enable Azure AD pass-through authentication and update the sign-in endpoint: Azure AD pass-through authentication allows users to authenticate using their on-premises Active Directory credentials without requiring password synchronization to Azure AD. This solution is specifically designed for scenarios where organizations want to use on-premises Active Directory for user authentication in Azure AD. However, pass-through authentication does not solve the problem of enabling external (B2B) users from fabrikam.com to authenticate to App1, since it is focused on on-premises users.
Rejection Reason: This is not suitable because pass-through authentication is for on-premises AD users, not for enabling cross-tenant authentication for external users.

C) Configure ...

Author: Sofia · Last updated May 22, 2026

HOTSPOT - You have an Azure AD tenant that contains a management group named MG1. You have the Azure subscriptions shown in the following table. The subscriptions contain the resource groups shown in the following table. The subscription contains the Azure AD security groups shown in the following table. The subscription contains the user accounts shown in the following table. You perform the following actions: Assign User3 the Contributor role for Sub1. Assign Group1 the Virtual Machine Contribu...

Author: Liam · Last updated May 22, 2026

Your company has the divisions shown in the following table. Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend...

To enable users from the fabrikam.com tenant to authenticate to App1 (which uses Azure AD for authentication), the main focus should be on enabling cross-tenant authentication. Let’s review the given options:

Option A: Configure Azure AD Identity Protection.
- Azure AD Identity Protection is designed to detect and respond to risky user sign-ins or risky behaviors. While this tool helps manage security-related issues like sign-in risk, it doesn't directly address cross-tenant authentication or how to allow users from another tenant (fabrikam.com) to authenticate to the application.
- Rejected: This option doesn’t solve the issue of enabling users from fabrikam.com to authenticate to App1.

Option B: Configure assignments for the fabrikam.com users by using Azure AD Privileged Identity Management (PIM).
- Azure AD Privileged Identity Management (PIM) is used to manage, control, and monitor access within Azure AD, but it is focused on managing privileged roles like Global Admin or other elevated roles. It does not solve the issue of enabling users from another tenant to authenticate to a web application.
- Rejected: PIM is not relevant to allowing users from fabrikam.com to authenticate to App1.

Option C: Configure Supported account types in the application registration and update the sign-in endpoint.
- In this case, the Supported account types setting in the application registration determines which types of users can authenticate to the application. By default, an Azure AD a...

Author: Oscar · Last updated May 22, 2026

Your company has the divisions shown in the following table. Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend...

The goal here is to enable users from fabrikam.com to authenticate to App1, which is currently configured for authentication with users from the contoso.com tenant. Let's break down the options:

Option A: Use Azure AD entitlement management to govern external users.
- Azure AD entitlement management is a feature that helps organizations manage access to resources for external users (e.g., partners, contractors). While it allows external users to request access to applications or resources, it doesn’t directly enable cross-tenant authentication. It is more focused on managing access lifecycle (e.g., requesting and granting access to resources).
- Rejected: While entitlement management helps with governance and access control for external users, it does not directly enable users from fabrikam.com to authenticate to App1. Authentication requires configuration in the App Registration and related settings, not just entitlement management.

Option B: Enable Azure AD pass-through authentication and update the sign-in endpoint.
- Azure AD pass-through authentication is typically used when you want to authenticate users in an on-premises Active Directory (AD) through Azure AD. It allows users to authenticate against on-prem AD rather than Azure AD directly. However, this is mainly for hybrid scenarios where you are using Azure AD to extend your on-prem AD for authentication.
- Rejected: Pass-through authentication is not necessary for enabling external users from a different Azure AD tenant to authenticate to your app. This is more suited for hybrid cloud setups with on-prem AD, not for multi-tenant Azure AD authentication.

Option C: Configure a Conditional Access policy.
- Conditional Access policies are used to enforc...

Author: Noah · Last updated May 22, 2026

You have an Azure subscription that contains 1,000 resources. You need to generate compliance reports for the subscription. The solution must ensure that the resources can ...

To generate compliance reports for your Azure subscription and ensure that resources can be grouped by department, it is important to choose a solution that provides the ability to organize and categorize resources effectively. Let’s review each of the options:

Option A: Application groups and quotas
- Application groups are used in Azure for managing shared resources in scenarios like Virtual Desktop Infrastructure (VDI) but are not designed to organize resources based on departments.
- Quotas are used for limiting resource usage in terms of capacity or number, but they do not help in grouping or organizing resources.
- Rejected: This option does not address the need to group resources by department or generate compliance reports.

Option B: Azure Policy and tags
- Azure Policy allows you to enforce governance across your Azure environment by applying rules that define which resources are compliant with organizational standards, such as ensuring that resources follow specific configurations, locations, or types.
- Tags are metadata labels that can be applied to Azure resources to help organize and categorize them. You can use tags to group resources by department (e.g., `Department: HR`, `Department: IT`).
- Correct choice: Combining Azure Policy and tags will help enforce compliance rules across your resources and enable you to categorize and generate reports for resources grouped by department (using tags like `Department: <name>`). Policies can be applied to ensure resources adhere to compliance standards, and tags can be used to categorize and filter them in reports.

Option C: Administrative units and Azure Lighthouse
- Administrative uni...

Author: Noah Williams · Last updated May 22, 2026

You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager (ARM) resource deployments in your Azure s...

To generate a monthly report of all new Azure Resource Manager (ARM) resource deployments in your Azure subscription, the focus is on monitoring and auditing the creation of resources over time. Let's analyze each of the provided options:

Option A: Azure Arc
- Azure Arc is used to extend Azure management to on-premises, multi-cloud, and edge environments. It allows you to manage resources that are outside of the Azure environment but does not specifically cater to monitoring or generating reports on ARM resource deployments within Azure.
- Rejected: Azure Arc is not designed for reporting on ARM resource deployments within an Azure subscription.

Option B: Azure Monitor metrics
- Azure Monitor metrics provide detailed performance and health data for Azure resources. It’s primarily used for real-time monitoring and alerting on the performance and operational health of resources. However, it does not specifically track the deployment of new resources.
- Rejected: While Azure Monitor is useful for operational monitoring, it is not specifically intended for tracking and reporting on resource creation or deployments.

Option C: Azure Advisor
- Azure Advisor provides personalized best practice recommendations for optimizing Azure resources in terms of cost, security, reliability, pe...

Author: Elijah · Last updated May 22, 2026