Free Microsoft AZ-305 Exam Questions (page: 16)

HOTSPOT (Drag and Drop is not supported)

You have a Microsoft Entra tenant that contains a management group named MG1.

You have the Azure subscriptions shown in the following table.



The subscriptions contain the resource groups shown in the following table.



The tenant contains the Azure AD security groups shown in the following table.



The tenant contains the user accounts shown in the following table.




You perform the following actions:

Assign User3 the Contributor role for Sub1.

Assign Group1 the Virtual Machine Contributor role for MG1.

Assign Group3 the Contributor role for the Tenant Root Group.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Yes
User1 is a member of Group1.
Group1 is assigned the Virtual Machine Contributor role for MG1.

Sub1 is in MG1, so the assignment is inherited by Sub1.
RG1 is in Sub1, so the assignment is inherited by RG1 as well.

Virtual Machine Contributor
Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls.

If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

Box 2: No
User2 is a member of Group2.
None of the actions assigns a role to Group2, so User2 gains no permissions through that membership.

Box 3: Yes
User3 is a member of Group3.
Group3 is assigned the Contributor role for the Tenant Root Group. Every subscription falls under the Tenant Root Group, so the assignment is inherited by RG2 and User3 can create storage accounts there.

Note: Each Microsoft Entra tenant is given a single top-level management group called the root management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This group allows global policies and Azure role assignments to be applied at the directory level.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://learn.microsoft.com/en-us/azure/governance/management-groups/manage
https://learn.microsoft.com/en-us/azure/defender-for-cloud/management-groups-roles



You have an Azure subscription that contains 1,000 resources.

You need to generate compliance reports for the subscription. The solution must ensure that the resources can be grouped by department.

What should you use to organize the resources?

  1. application groups and quotas
  2. Azure Policy and tags
  3. administrative units and Azure Lighthouse
  4. resource groups and role assignments

Answer(s): B

Explanation:

Compliance Report using Azure Policy
Azure Policy is a powerful tool for Azure governance. With Azure Policy, we can define rules for all the Azure subscriptions that we manage. These rules can express simple restrictions, such as permitting only specific VM series and sizes to be created, as well as more complex rule sets that help you standardize the whole Azure deployment.

Enforce tags for resource creation
So, why tags? Why do we need to add tags to all Azure resources? Azure environments keep growing and are managed by multiple people and teams, which makes it difficult to understand who created a resource and what its purpose is. Another critical reason for tags is cost management: in the Azure Cost Management portal, we can sort and group resource costs by tag. This way we can provide an expense dashboard showing the actual cost of resources per department, project, or whatever tags we have added to the resource.


Reference:



DRAG DROP (Drag and Drop is not supported)

You have a Microsoft Entra tenant that contains an administrative unit named MarketingAU. MarketingAU contains 100 users.

You create two users named User1 and User2.

You need to ensure that the users can perform the following actions in MarketingAU:

User1 must be able to create user accounts.

User2 must be able to reset user passwords.

The solution must use the principle of least privilege.

Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Note: Each correct selection is worth one point.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: User Administrator for the MarketingAU
User1 must be able to create user accounts.

User Administrator
Can manage all aspects of users and groups, including resetting passwords for limited admins.

Create users
Etc.

Roles that can be assigned with administrative unit scope
The following Microsoft Entra roles can be assigned with administrative unit scope.
* Helpdesk Administrator
* User Administrator
* Etc.

Box 2: Helpdesk Administrator for the MarketingAU
User2 must be able to reset user passwords.

Helpdesk Administrator
Can reset passwords for non-administrators and Helpdesk Administrators.

Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
https://learn.microsoft.com/en-us/azure/active-directory/roles/admin-units-assign-roles



HOTSPOT (Drag and Drop is not supported)

You are designing an app that will be hosted on Azure virtual machines that run Ubuntu. The app will use a third-party email service to send email messages to users. The third-party email service requires that the app authenticate by using an API key.

You need to recommend an Azure Key Vault solution for storing and accessing the API key. The solution must minimize administrative effort.

What should you recommend using to store and access the key? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Secret
Tutorial: Use Key Vault references in an ASP.NET Core app.

Add a secret to Key Vault
To add a secret to the vault, you need to take just a few additional steps. In this case, add a message that you can use to test Key Vault retrieval. The message is called Message, and you store the value “Hello from Key Vault” in it.

1. From the Key Vault properties pages, select Secrets.
2. Select Generate/Import.
3. In the Create a secret pane, enter the following values:
   - Upload options: Manual
   - Name: Message
   - Value: Hello from Key Vault
4. Leave the other Create secret properties with their default values.
5. Select Create.

Box 2: A managed service identity (MSI)
Grant your app access to Key Vault
Azure App Configuration won’t access your key vault. Your app will read from Key Vault directly, so you need to grant your app read access to the secrets in your key vault. This way, the secret always stays with your app. The access can be granted using either a Key Vault access policy or Azure role-based access control.

The tutorial code uses DefaultAzureCredential. It's an aggregated token credential that automatically tries a number of credential types, like EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential, and VisualStudioCredential.

Alternatively, you can set the AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET environment variables, and DefaultAzureCredential will use the client secret you have via the EnvironmentCredential to authenticate with your key vault. After your app is deployed to an Azure service with managed identity enabled, such as Azure App Service, Azure Kubernetes Service, or Azure Container Instance, you grant the managed identity of the Azure service permission to access your key vault. DefaultAzureCredential automatically uses ManagedIdentityCredential when your app is running in Azure. You can use the same managed identity to authenticate with both App Configuration and Key Vault.


Reference:

https://learn.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core



DRAG DROP (Drag and Drop is not supported)

You have two app registrations named App1 and App2 in Azure AD. App1 supports role-based access control (RBAC) and includes a role named Writer.

You need to ensure that when App2 authenticates to access App1, the tokens issued by Microsoft Entra ID include the Writer role claim.

Which blade should you use to modify each app registration? To answer, drag the appropriate blades to the correct app registrations. Each blade may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Note: Each correct selection is worth one point.

Select and Place:


  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: App roles
App1 supports role-based access control (RBAC) and includes a role named Writer.

Implement role-based access control
Define app roles
The first step for implementing RBAC for an application is to define the app roles for it and assign users or groups to them. After defining the app roles and assigning users or groups to them, read the role claims in the tokens coming into the application and act on them accordingly.

Box 2: Token configuration
You need to ensure that when App2 authenticates to access App1, the tokens issued by Microsoft Entra ID include the Writer role claim.

Configure optional claims
You can configure optional claims for your application through the Azure portal or application manifest.

1. Go to the Azure portal.
2. Search for and select Microsoft Entra ID.
3. Under Manage, select App registrations.
4. Choose the application for which you want to configure optional claims based on your scenario and desired outcome.
5. Under Manage, select Token configuration.
6. Etc.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-implement-rbac-for-apps
https://learn.microsoft.com/en-us/azure/active-directory/develop/optional-claims



You have an Azure subscription.

You plan to deploy a monitoring solution that will include the following:

Azure Monitor Network Insights

Application Insights

Microsoft Sentinel

VM insights

The monitoring solution will be managed by a single team.

What is the minimum number of Azure Monitor workspaces required?

  1. 1
  2. 2
  3. 3
  4. 4

Answer(s): C

Explanation:

1: A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration but might combine data from multiple services.
1: With workspace-based resources, Application Insights sends telemetry to a common Log Analytics workspace, providing full access to all the features of Log Analytics while keeping your application, infrastructure, and platform logs in a single consolidated location.
1: VM insights collects its data from one or more Log Analytics workspaces in Azure Monitor. Prior to onboarding agents, you must create and configure a workspace.
The only requirement of the workspace is that it must be located in a supported location and be configured with the VMInsights solution.


Reference:



You have an Azure subscription that contains 10 web apps. The apps are integrated with Microsoft Entra ID and are accessed by users on different project teams.

The users frequently move between projects.

You need to recommend an access management solution for the web apps. The solution must meet the following requirements:

The users must only have access to the app of the project to which they are assigned currently.

Project managers must verify which users have access to their project’s app and remove users that are no longer assigned to their project.
Once every 30 days, the project managers must be prompted automatically to verify which users are assigned to their projects.

What should you include in the recommendation?

  1. Microsoft Entra ID Protection
  2. Microsoft Defender for Identity
  3. Microsoft Entra Permissions Management
  4. Microsoft Entra ID Governance

Answer(s): D

Explanation:

Microsoft Entra ID Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right principals have the right access to the right resources and at the right time.
The principals (or identities) whose access you can govern include users, groups, and applications (or service principals). The users can be your employees, business partners, vendors, or contractors. The resources to which you can govern access include groups, access packages, and privileged roles.
Note: Microsoft Entra access reviews
Use Microsoft Entra access reviews to configure one-time or recurring access reviews for attestation of a principal’s right to access Microsoft Entra resources. The principals are users or applications (service principals). The Microsoft Entra resources include groups, applications (service principals), access packages, and privileged roles. Access reviews is a feature of Microsoft Entra ID Governance.
Typical customer scenarios for access reviews include:
* Customers can review and certify guest user access to groups through group memberships. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
* Customers can review and certify employee access to Microsoft Entra resources.
* Customers can review and audit assignments to Microsoft Entra privileged roles. This supports organizations in the management of privileged access.


Reference:



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains 50 Azure SQL databases.

You create an Azure Resource Manager (ARM) template named Template1 that enables Transparent Data Encryption (TDE).

You need to create an Azure Policy definition named Policy1 that will use Template1 to enable TDE for any noncompliant Azure SQL databases.

How should you configure Policy1? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:


  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: DeployIfNotExists
DeployIfNotExists
Similar to AuditIfNotExists, a DeployIfNotExists policy definition executes a template deployment when the condition is met.

DeployIfNotExists evaluation
DeployIfNotExists runs after a configurable delay when a Resource Provider handles a create or update subscription or resource request and has returned a success status code. A template deployment occurs if there are no related resources or if the resources defined by ExistenceCondition don’t evaluate to true. The duration of the deployment depends on the complexity of resources included in the template.

During an evaluation cycle, policy definitions with a DeployIfNotExists effect that match resources are marked as non-compliant, but no action is taken on that resource.

Incorrect:
* EnforceRegoPolicy
No such thing in this context.

* Modify
Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter.

Modify evaluation
Modify evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. The Modify operations are applied to the request content when the if condition of the policy rule is met. Each Modify operation can specify a condition that determines when it’s applied. Operations with false condition evaluations are skipped.

Box 2: The identity required to perform the remediation task
Policy assignments with effect set as DeployIfNotExists require a managed identity to do remediation.

Note: Each policy definition in Azure Policy has a single effect. That effect determines what happens when the policy rule is evaluated to match. The effects behave differently if they are for a new resource, an updated resource, or an existing resource.

These effects are currently supported in a policy definition:

Append
Audit
AuditIfNotExists
Deny
DenyAction (preview)
DeployIfNotExists
Disabled
Manual
Modify


Reference:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects


