Azure Administrator Associate
Practice Questions

Your company has acquired another organization. You need to allow users from the acquired company's Azure AD tenant to access resources in your Azure subscription without creating new accounts in your tenant. Which Azure AD feature should you use?

You need to assign Azure AD roles using a group-based approach. The security group 'IT-Admins' should receive the User Administrator role. However, Azure AD requires a specific license for group-based role assignment. Which license feature is required?

An organization needs Azure Policy to automatically add missing tags to existing non-compliant resources AND prevent new resources from being created without required tags. Which two policy effects should you use together? (Choose two.)

You manage cost for multiple departments using Azure subscriptions. The Finance department must not exceed a monthly spend of $10000. You need an automated notification when spending reaches 80% of this budget. What should you configure?

A security audit reveals that several Azure AD accounts have not been used in over 90 days. You need to regularly identify and review inactive accounts. Which two Azure AD features should you use together? (Choose two.)

You create an Azure Blueprint that includes a policy assignment, a role assignment, and an ARM template. You assign the blueprint to a subscription. Later you need to prevent anyone from modifying the resources deployed by the blueprint. Which blueprint lock mode should you use?

Your organization has Azure AD Connect synchronizing identities from on-premises Active Directory. A user's on-premises account is disabled. What happens to the corresponding Azure AD account after the next sync cycle?

A developer needs to create and manage Azure App Services and deployment slots. They should NOT manage VNets or SQL databases. Which two configurations achieve least-privilege access? (Choose two.)

Your company uses Azure Cost Management and needs to allocate shared infrastructure costs (like a hub VNet) across multiple department subscriptions based on usage. Which Cost Management feature helps accomplish this?

You need to configure Azure AD Conditional Access so that users accessing Azure portal from personal unmanaged devices must use a web browser session that times out after 4 hours and cannot persist cookies. Which session control should you configure?

You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users. Solution: From Azure AD in the Azure portal, you use the Bulk invite users operation. Does this meet the goal?

You have an Azure subscription that contains the resources shown in the following table. You need to assign User1 the Storage File Data SMB Share Contributor role for share1. What should you do first?

You have a Microsoft Entra tenant configured as shown in the following exhibit. The tenant contains the identities shown in the following table. You purchase a Microsoft Fabric license. To which identities can you assign the license?

You have Azure subscription that includes data in following locations: You plan to export data by using Azure import/export job named Export1. You need to identify the data that can be exported by using Export1. Which data should you identify?

You have an Azure subscription that contains the storage accounts shown in the following table. You plan to manage the data stored in the accounts by using lifecycle management rules. To which storage accounts can you apply lifecycle management rules?

You have an Azure App Service app named App1 that contains two running instances. You have an autoscale rule configured as shown in the following exhibit. For the Instance limits scale condition setting, you set Maximum to 5. During a 30-minute period, App1 uses 80 percent of the available memory. What is the maximum number of instances for App1 during the 30-minute period?

You have an Azure subscription that contains a container group named Group1. Group1 contains two Azure container instances as shown in the following table. You need to ensure that container2 can use CPU resources without negatively affecting container1. What should you do?

You have the Azure virtual networks shown in the following table. To which virtual networks can you establish a peering connection from VNet1?

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production. The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet. You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements: ✑ The NVAs must run in an active-active configuration that uses automatic failover. ✑ The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses. Which three actions should you perform?

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1. On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1. You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2. You need to ensure that you can connect Client1 to VNet2. What should you do?

You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2. VM1 hosts a frontend application that connects to VM2 to retrieve data. Users report that the frontend application is slower than usual. You need to view the average round-trip time (RTT) of the packets from VM1 to VM2. Which Azure Network Watcher feature should you use?

You have an Azure subscription that contains 20 virtual machines, a network security group (NSG) named NSG1, and two virtual networks named VNET1 and VNET2 that are peered. You plan to deploy an Azure Bastion Basic SKU host named Bastion1 to VNET1. You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1. Which port should you configure for the inbound security rule?

You have an on-premises network. You have an Azure subscription that contains three virtual networks named VNET1. VNET2. and VNET3. The virtual networks are peered and connected to the on-premises network. The subscription contains the virtual machines shown in the following table. You need to monitor connectivity between the virtual machines and the on-premises network by using Connection Monitor. What is the minimum number of connection monitors you should deploy?

You are configuring an Azure Standard Load Balancer health probe. The backend pool contains VMs running a web application on port 8080. The application has a dedicated health endpoint at /health that returns HTTP 200 when healthy. Which health probe configuration is MOST appropriate?

You need to implement a solution that distributes traffic across Azure regions based on geographic location of the client. Users in Europe should be directed to the West Europe deployment, and users in Asia should be directed to the Southeast Asia deployment. Which Azure service should you use?

You deploy a NAT Gateway and associate it with Subnet-App (10.0.1.0/24). VMs in Subnet-App currently have public IPs assigned. After NAT Gateway deployment, which public IP is used for outbound internet traffic from these VMs?

You have an NSG rule that allows inbound HTTPS (port 443) from the internet (priority 100). You add another rule to deny all inbound traffic from the internet (priority 200). A third rule allows inbound SSH (port 22) from the internet (priority 150). Which ports are accessible from the internet?

You are configuring Azure Private Endpoint for an Azure SQL Database. After creating the private endpoint, users can still access the database via its public FQDN from the internet. What additional step must you take to block public access?

You deploy Azure Monitor and need to collect custom performance metrics from a Linux VM that are not captured by default. Which Azure Monitor component must be installed on the VM?

You need to create an Azure Monitor alert that fires when the total number of failed requests across all your App Services exceeds 50 within any 5-minute window. The alert should automatically resolve when failures drop below the threshold. Which alert type should you use?

Your company has an Azure AD tenant with 500 users. You need to allow a specific group of 20 users to manage password resets for non-admin users only. Which Azure AD role should you assign to these users?

You are managing multiple Azure subscriptions under a single Azure AD tenant. You need to apply a policy that prevents the creation of resources in regions outside of West Europe and North Europe across ALL subscriptions. At which scope should you assign the Azure Policy?

A company requires that all Azure resources must have a 'CostCenter' tag. If a resource is created without this tag, the deployment must be denied. Which Azure Policy effect should you use?

You have an Azure subscription with several resource groups. A new team member needs to deploy and manage virtual machines ONLY in the 'Development' resource group. Which two configurations should you apply? (Choose two.)

Your organization has three departments: Finance, HR, and Engineering. Each department has its own Azure subscription. You need to ensure that the Engineering subscription cannot create any public IP addresses. Which approach should you use?

You need to create a custom RBAC role that allows users to restart virtual machines but not delete or create them. Which three actions should you include in the role definition? (Choose three.)

Your company is implementing Azure AD Conditional Access. You need to require multi-factor authentication for all users accessing Azure portal from outside the corporate network. Which two conditions should you configure in the Conditional Access policy? (Choose two.)

You have an Azure Storage account with blob versioning enabled. A developer accidentally overwrites a critical blob. You need to restore the previous version. Which two actions should you perform? (Choose two.)

A storage account named stgfinance must allow access ONLY from a specific virtual network subnet and a trusted Azure service. All other public access must be blocked. Which two configurations should you apply? (Choose two.)

You need to synchronize files between an on-premises Windows file server and an Azure file share. The on-premises server must act as a local cache for frequently accessed files. Which Azure service should you use?

You are migrating an application from on-premises to Azure. The application uses a REST API to store and retrieve data using key-value pairs with partition keys and row keys. Which Azure Storage service should you use?

You deploy an Azure Virtual Machine running Windows Server 2022. After deployment you need to install IIS and additional software components automatically without logging into the VM. Which feature should you use?

Your company needs to deploy 100 identical VMs for a batch processing workload. The VMs should automatically scale based on CPU usage and distribute evenly across fault domains. Which Azure resource should you use?

You have a Virtual Machine Scale Set with 5 instances. You need to update the OS image on all instances without causing downtime. Which upgrade policy should the VMSS use?

You need to deploy a containerized web application to Azure without managing any underlying infrastructure. The application receives sporadic traffic with periods of zero requests. You want to minimize costs. Which service should you use?

You have an Azure VM that runs a critical production database. The VM uses a Standard SSD for the OS disk and Premium SSD for data. You need to ensure the VM can be restored to a specific point in time if data corruption occurs. What should you configure?

You develop the following Azure Resource Manager (ARM) template to create a resource group and deploy an Azure Storage account to the resource group. Which cmdlet should you run to deploy the template?

You have an Azure subscription that contains three virtual machines named VM1, VM2, and VM3. All the virtual machines are in an availability set named AVSet1. You need to scale up VM1 to a new virtual machine size, but the intended size is unavailable. What should you do first?

You have an Azure subscription that has the public IP addresses shown in the following table. You plan to deploy an Instance of Azure Firewall Premium named FW1. Which IP addresses can you use?

You have an Azure AD tenant named contoso.com. You have an Azure subscription that contains an Azure App Service web app named App1 and an Azure key vault named KV1. KV1 contains a wildcard certificate for contoso.com. You have a user named user1@contoso.com that is assigned the Owner role for App1 and KV1. You need to configure App1 to use the wildcard certificate of KV1. What should you do first?

You have an Azure subscription that contains an Azure container registry named ContReg1. You enable the Admin user for ContReg1. Which username can you use to sign in to ContReg1?

Case study - This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section. To start the case study - To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question. Overview - ADatum Corporation is consulting firm that has a main office in Montreal and branch offices in Seattle and New York. Existing Environment - Azure Environment - ADatum has an Azure subscription that contains three resource groups named RG1, RG2, and RG3. The subscription contains the storage accounts shown in the following table. The subscription contains the virtual machines shown in the following table. The subscription has an Azure container registry that contains the images shown in the following table. The subscription contains the resources shown in the following table. Azure Key Vault - The subscription contains an Azure key vault named Vault1. Vault1 contains the certificates shown in the following table. Vault1 contains the keys shown in the following table. Microsoft Entra Environment - ADatum has a Microsoft Entra tenant named adatum.com that is linked to the Azure subscription and contains the users shown in the following table. The tenant contains the groups shown in the following table. The adatum.com tenant has a custom security attribute named Attribute1. Planned Changes - ADatum plans to implement the following changes: • Configure a data collection rule (DCR) named DCR1 to collect only system events that have an event ID of 4648 from VM2 and VM4. • In storage1, create a new container named cont2 that has the following access policies: o Three stored access policies named Stored1, Stored2, and Stored3 o A legal hold for immutable blob storage • Whenever possible, use directories to organize storage account content. • Grant User1 the permissions required to link Zone1 to VNet1. • Assign Attribute1 to supported adatum.com resources. • In storage2, create an encryption scope named Scope1. • Deploy new containers by using Image1 or Image2. Technical Requirements - ADatum must meet the following technical requirements: • Use TLS for WebApp1. • Follow the principle of least privilege. • Grant permissions at the required scope only. • Ensure that Scope1 is used to encrypt storage services. • Use Azure Backup to back up cont1 and share1 as frequently as possible. • Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines. You need to configure WebApp1 to meet the technical requirements. Which certificate can you use from Vault1?

You have an Azure subscription that contains the resources shown in the following table. LB1 is configured as shown in the following table. You plan to create new inbound NAT rules that meet the following requirements: ✑ Provide Remote Desktop access to VM1 from the internet by using port 3389. ✑ Provide Remote Desktop access to VM2 from the internet by using port 3389. What should you create on LB1 before you can create the new inbound NAT rules?

You have an Azure subscription that contains the following resources: ✑ A virtual network that has a subnet named Subnet1 ✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1 ✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections NSG-Subnet1 has the default inbound security rules only. NSG-VM1 has the default inbound security rules and the following custom inbound security rule: ✑ Priority: 100 ✑ Source: Any ✑ Source port range: * ✑ Destination: * ✑ Destination port range: 3389 Protocol: UDP - ✑ Action: Allow VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1. You need to be able to establish Remote Desktop connections from the internet to VM1. Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol. Does this meet the goal?

You have an Azure subscription that contains the following resources: ✑ A virtual network that has a subnet named Subnet1 ✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1 ✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections NSG-Subnet1 has the default inbound security rules only. NSG-VM1 has the default inbound security rules and the following custom inbound security rule: ✑ Priority: 100 ✑ Source: Any ✑ Source port range: * ✑ Destination: * ✑ Destination port range: 3389 ✑ Protocol: UDP ✑ Action: Allow VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1. You need to be able to establish Remote Desktop connections from the internet to VM1. Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol. Does this meet the goal?

Your company has an Azure subscription named Subscription1. The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records. You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed: ✑ The DNS Manager console ✑ Azure PowerShell ✑ Azure CLI 2.0 You need to move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort. What should you use?

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute. You plan to prepare the environment for automatic failover in case of ExpressRoute failure. You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost. Which three actions should you perform?

You have an Azure subscription that contains two virtual machines named VM1 and VM2. You create an Azure load balancer. You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2. Which two additional load balancer resources should you create before you can create the load balancing rule?

You have two Azure subscriptions named Sub1 and Sub2 that are linked to separate Microsoft Entra tenants. You have the virtual networks shown in the following table. Which virtual networks can you peer with VNet1?

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1?