Microsoft AZ-801 Exam Questions
Configuring Windows Server Hybrid Advanced Services (Page 10)

Updated On: 19-Feb-2026

You have an on-premises server named Server1 that runs Windows Server.

You have an Azure subscription.

You need to onboard Server1 to Microsoft Defender for Cloud.

What should you install on Server1?

  A. the Azure File Sync agent
  B. the Microsoft Entra provisioning agent
  C. the Device Health Attestation role
  D. the Azure Connected Machine agent

Answer(s): D

Explanation:

To onboard an on-premises server like Server1 to Microsoft Defender for Cloud, you need to install the Azure Connected Machine agent. This agent connects on-premises or other cloud servers to Azure services, enabling you to monitor and secure the server using Azure features like Microsoft Defender for Cloud.



You have a management group named MG1 that contains an Azure subscription named Sub1. Sub1 contains the resources shown in the following table.



You need to enable Microsoft Defender for Servers.

From the Azure portal, on which two resources can you enable Defender for Servers? Each correct answer presents a complete solution.

Note: Each correct selection is worth one point.

  A. RG1
  B. Workspace1
  C. Sub1
  D. MG1
  E. VNet1
  F. VM1

Answer(s): B,C



HOTSPOT (Drag and Drop is not supported)

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains an organizational unit (OU) named OU1 and a user named User1.

You plan to deploy a Hyper-V failover cluster named Cluster1.

You need to prestage the account for Cluster1 and ensure that User1 can deploy Cluster1. The solution must follow the principle of least privilege.

Which action should you perform, and which permissions should you grant to User1 for Cluster1? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:




Action: Create a new computer account named Cluster1.
When deploying a failover cluster, a computer account is needed for the cluster itself. Creating a new computer account named Cluster1 is the appropriate step.

Permissions: Full control.
User1 needs Full control over the computer account for Cluster1 to ensure they can create and manage the cluster.



HOTSPOT (Drag and Drop is not supported)

You have an Active Directory Domain Services (AD DS) domain that contains 1,000 users.

The domain has the following password requirements:

The minimum password length must be 12 characters.
Passwords must expire in 90 days.
Passwords must be complex.

You need to ensure that the members of a security team have passwords that meet the following requirements:

The minimum password length must be 16 characters.
Passwords must expire in 60 days.
Passwords must be complex.

The solution must minimize the impact on users who are NOT members of the security team.

What should you do? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1 (Implement): Fine Grained Password Policies

Configure fine grained password policies for Active Directory Domain Services

Fine Grained Password Policies provide you with a way to define different password and account lockout policies for different sets of users in a domain. You can use fine grained password policies to specify multiple password policies within a single domain. You can also apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users.

Fine-grained password policies apply only to global security groups and user objects. By default, only members of the Domain Admins group can set fine grained password policies. However, you can also delegate the ability to set these policies to other users.

Box 2 (By using): Active Directory Administrative Center

Create a fine grained password policy

Here's how to create a fine grained password policy using ADAC:

1. Open Active Directory Administrative Center, either from the Tools menu of the Server Manager console or by running an elevated PowerShell session and typing dsac.exe.

2. If the appropriate target domain isn't selected, choose Manage, choose Add Navigation Nodes, and select the appropriate target domain in the Add Navigation Nodes dialog box and then choose OK.

3. In the ADAC navigation pane, open the System container, and then choose Password Settings Container.

4. In the Tasks pane, choose New, and then choose Password Settings.

5. Fill in or edit fields inside the property page to create a new Password Settings object. The Name and Precedence fields are required.

6. Under Directly Applies To, choose Add, type the name of the group to which the fine grained password policy applies, and then choose OK.

7. Choose OK to submit the creation.


Reference:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/fine-grained-password-policies
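The ADAC steps above can also be scripted. The following PowerShell is an added example, not part of the original explanation; it assumes the ActiveDirectory module (RSAT) is installed, and the group name, Password Settings object name and precedence value are hypothetical.

```powershell
# Added example. Assumptions: ActiveDirectory module is available;
# 'SecurityTeam', 'PSO-SecurityTeam' and precedence 10 are hypothetical values.
Import-Module ActiveDirectory

$groupName = 'SecurityTeam'        # hypothetical security team group
$psoName   = 'PSO-SecurityTeam'    # hypothetical Password Settings object name

# Fine-grained password policies apply only to global security groups and users,
# so refuse to continue if the target group is of another scope or category.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a global security group."
}

# Requirements from the question: 16 characters, 60-day expiry, complexity on.
# Name and Precedence are required; settings not listed keep the cmdlet defaults.
$psoParams = @{
    Name                            = $psoName
    Precedence                      = 10    # assumed; the lowest value wins on conflict
    MinPasswordLength               = 16
    MaxPasswordAge                  = (New-TimeSpan -Days 60)
    ComplexityEnabled               = $true
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @psoParams

# Equivalent of "Directly Applies To": link the policy to the group only,
# which leaves the domain-wide policy for all other users unchanged.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Check: every user in the group should now resolve to the new policy.
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Policy    = $effective.Name
            MinLength = $effective.MinPasswordLength
            MaxAge    = $effective.MaxPasswordAge
        }
    }
```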



You have 500 on-premises servers that run Windows Server.

You have an Azure subscription that contains a Log Analytics workspace named Workspace1.

You plan to use VM insights in Azure Monitor to monitor the on-premises servers.

You need to onboard the servers to Azure Arc by using the template script. The solution must meet the following requirements:

Follow the principle of least privilege.
Minimize administrative effort.

What should you do first?

  A. Create a group managed service account (gMSA).
  B. Generate a Log Analytics key.
  C. Create a Microsoft Entra service principal.
  D. Download the Log Analytics workspace I

Answer(s): C

Explanation:

Connect hybrid machines to Azure at scale
You can enable Azure Arc-enabled servers for multiple Windows or Linux machines in your environment with several flexible options depending on your requirements. Using the template script we provide, you can automate every step of the installation, including establishing the connection to Azure Arc.
One method to connect the machines to Azure Arc-enabled servers is to use a Microsoft Entra service principal. This service principal method can be used instead of your privileged identity to interactively connect the machine. This service principal is a special limited management identity that has only the minimum permission necessary to connect machines to Azure using the azcmagent command. This method is safer than using a higher privileged account like a Tenant Administrator and follows our access control security best practices. The service principal is used only during onboarding; it is not used for any other purpose.


Reference:

https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal
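The service principal method described above, as an added PowerShell example that is not part of the original explanation. It assumes the Az.Resources module and an existing Connect-AzAccount session; the display name is hypothetical and every value in angle brackets is a placeholder.

```powershell
# Added example. Placeholders in angle brackets must be replaced; the display
# name 'Arc-server-onboarding' is hypothetical.
$tenantId       = '<tenant-id>'
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$location       = '<azure-region>'

# --- Run once, as an administrator, from a management workstation ---
# Scope the identity to the single resource group that will hold the Arc
# machines and give it only the onboarding role.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$sp = New-AzADServicePrincipal -DisplayName 'Arc-server-onboarding' `
        -Role 'Azure Connected Machine Onboarding' -Scope $scope

# The secret is only retrievable at creation time. Hand it to the deployment
# tooling through a secret store rather than leaving it in a script file.
$spSecret = $sp.PasswordCredentials.SecretText

# Least-privilege check: the principal should hold exactly one role assignment.
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id
if (@($assignments).Count -ne 1 -or
    $assignments.RoleDefinitionName -ne 'Azure Connected Machine Onboarding') {
    Write-Warning 'Service principal has role assignments beyond onboarding.'
}

# --- Run on each server, after the Connected Machine agent is installed ---
# This is the connection step that the template script automates.
& "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" connect `
    --service-principal-id $sp.AppId `
    --service-principal-secret $spSecret `
    --tenant-id $tenantId `
    --subscription-id $subscriptionId `
    --resource-group $resourceGroup `
    --location $location

# Confirm the machine reports as connected.
& "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" show
```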





