Free AZ-305 Exam Braindumps (page: 17)


You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager (ARM) resource deployments in your Azure subscription.

What should you include in the recommendation?

  A. Azure Arc
  B. Azure Log Analytics
  C. Application Insights
  D. Azure Monitor action groups

Answer(s): B

Explanation:

The Activity log is a platform log in Azure that provides insight into subscription-level events. It includes information such as when a resource is modified or when a virtual machine is started.
Activity log events are retained in Azure for 90 days and then deleted.

For more functionality, create a diagnostic setting to send the Activity log to one or more of these locations:

- to Azure Monitor Logs for more complex querying and alerting, and longer retention (up to two years)
- to Azure Event Hubs to forward outside of Azure
- to Azure Storage for cheaper, long-term archiving

Note: Azure Monitor builds on top of Log Analytics, the platform service that gathers log and metrics data from all your resources. The easiest way to think about it is that Azure Monitor is the marketing name, whereas Log Analytics is the technology that powers it.


Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log



HOTSPOT (Drag and Drop is not supported)
You are designing an app that will be hosted on Azure virtual machines that run Ubuntu. The app will use a third-party email service to send email messages to users. The third-party email service requires that the app authenticate by using an API key.

You need to recommend an Azure Key Vault solution for storing and accessing the API key. The solution must minimize administrative effort.

What should you recommend using to store and access the key? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

  A. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Secret
Tutorial: Use Key Vault references in an ASP.NET Core app.

Add a secret to Key Vault
To add a secret to the vault, you need to take just a few additional steps. In this case, add a message that you can use to test Key Vault retrieval. The message is called Message, and you store the value "Hello from Key Vault" in it.

1. From the Key Vault properties pages, select Secrets.
2. Select Generate/Import.
3. In the Create a secret pane, enter the following values:
   - Upload options: Enter Manual.
   - Name: Enter Message.
   - Value: Enter Hello from Key Vault.
4. Leave the other Create secret properties with their default values.
5. Select Create.

Box 2: A managed service identity (MSI)
Grant your app access to Key Vault
Azure App Configuration won't access your key vault. Your app will read from Key Vault directly, so you need to grant your app read access to the secrets in your key vault. This way, the secret always stays with your app. The access can be granted using either a Key Vault access policy or Azure role-based access control.

The tutorial's code uses DefaultAzureCredential. It's an aggregated token credential that automatically tries a number of credential types, like EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential, and VisualStudioCredential.

Alternatively, you can set the AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET environment variables, and DefaultAzureCredential will use the client secret you have via the EnvironmentCredential to authenticate with your key vault. After your app is deployed to an Azure service with managed identity enabled, such as Azure App Service, Azure Kubernetes Service, or Azure Container Instance, you grant the managed identity of the Azure service permission to access your key vault. DefaultAzureCredential automatically uses ManagedIdentityCredential when your app is running in Azure. You can use the same managed identity to authenticate with both App Configuration and Key Vault.


Reference:

https://learn.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core



DRAG DROP (Drag and Drop is not supported)
You have two app registrations named App1 and App2 in Azure AD. App1 supports role-based access control (RBAC) and includes a role named Writer.

You need to ensure that when App2 authenticates to access App1, the tokens issued by Azure AD include the Writer role claim.

Which blade should you use to modify each app registration? To answer, drag the appropriate blades to the correct app registrations. Each blade may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.
Select and Place:

  A. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: App roles
App1 supports role-based access control (RBAC) and includes a role named Writer.

Implement role-based access control
Define app roles
The first step for implementing RBAC for an application is to define the app roles for it and assign users or groups to it. After defining the app roles and assigning users or groups to them, access the role assignments in the tokens coming into the application and act on them accordingly.

Box 2: Token configuration
You need to ensure that when App2 authenticates to access App1, the tokens issued by Azure AD include the Writer role claim.

Configure optional claims
You can configure optional claims for your application through the Azure portal or application manifest.

1. Go to the Azure portal.
2. Search for and select Azure Active Directory.
3. Under Manage, select App registrations.
4. Choose the application for which you want to configure optional claims based on your scenario and desired outcome.
5. Under Manage, select Token configuration.
6. Etc.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-implement-rbac-for-apps
https://learn.microsoft.com/en-us/azure/active-directory/develop/optional-claims



You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager (ARM) resource deployments in your Azure subscription.

What should you include in the recommendation?

  A. Application Insights
  B. Azure Arc
  C. Azure Log Analytics
  D. Azure Monitor metrics

Answer(s): C

Explanation:

The Activity log is a platform log in Azure that provides insight into subscription-level events. It includes information such as when a resource is modified or when a virtual machine is started.
Activity log events are retained in Azure for 90 days and then deleted.

For more functionality, create a diagnostic setting to send the Activity log to one or more of these locations:

- to Azure Monitor Logs for more complex querying and alerting, and longer retention (up to two years)
- to Azure Event Hubs to forward outside of Azure
- to Azure Storage for cheaper, long-term archiving

Note: Azure Monitor builds on top of Log Analytics, the platform service that gathers log and metrics data from all your resources. The easiest way to think about it is that Azure Monitor is the marketing name, whereas Log Analytics is the technology that powers it.


Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log





