- (Exam Topic 5)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription. Does this meet the goal?

Correct Answer:A
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
References: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

- (Exam Topic 6)
You have an Azure subscription named Subcription1 that contains the storage accounts shown in the following table.

You plan 10 use the Azure Import/Export service to export data from Subscription1.

Correct Answer:D
Azure Import/Export service supports the following of storage accounts:
Standard General Purpose v2 storage accounts (recommended for most scenarios)
Blob Storage accounts
General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments), Azure Import/Export service supports the following storage types
Import supports Azure Blob storage and Azure File storage
Export supports Azure Blob storage
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

- (Exam Topic 6)
You plan to create a new Azure Active Directory (Azure AD) role.
You need to ensure that the new role can view all the resources in the Azure subscription and issue support requests to Microsoft. The solution must use the principle of least privilege.
How should you complete the JSON definition? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Solution:
Box 1: "*/read",
*/read lets you view everything, but not make any changes. Box 2: " Microsoft.Support/*"
The action Microsoft.Support/* enables creating and management of support tickets. References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Does this meet the goal?

Correct Answer:A

- (Exam Topic 6)
You have an existing Azure subscription that contains 10 virtual machines.
You need to monitor the latency between your on-premises network and the virtual machines. What should you use?

Correct Answer:C
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.
You can monitor network connectivity across cloud deployments and on-premises locations, multiple data centers, and branch offices and mission-critical multitier applications or microservices. With Performance Monitor, you can detect network issues before users complain.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor

- (Exam Topic 6)
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

The status of VM1 is Running.
You assign an Azure policy as shown in the exhibit. (Click the Exhibit tab.)

You assign the policy by using the following parameters:

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Solution:
Not allowed resource types (Deny): Prevents a list of resource types from being deployed. This means this policy specifically prevents a list of resource types from being deployed. So that refers that except deployment all the other operations like start/stop or move etc. are not prevented. But to be noted if the resource already exists, it just marks it as non-compliant.
Replicated this scenario in LAB keeping VM running and below are the outcome :
· VM is not deallocated
· Able to stop and start VM successfully.
· Not able to create new virtual network or VM.
· Not able to modify VM size.
· Not able change the address space of the virtual network.
· Successfully moved virtual network and VM in another resource group.
Statement 1 : Yes
Based on above experiment the policy will mark the VNET1 as non-compliant but it can be moved to RG2 . Hence this statement is true.
Statement 2 : No
Based on above experiment the policy will mark the VM as non-compliant but it will still be running, not deallocated. Hence this statement is False.
Statement 3 : No
Based on above experiment the address space for VNET2 can not be modified. Hence this statement is False.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal

Does this meet the goal?

Correct Answer:A

- (Exam Topic 3)
You need to meet the user requirement for Admin1. What should you do?

Correct Answer:A
Change the Service administrator for an Azure subscription
Sign in to Account Center as the Account administrator.
Select a subscription.
On the right side, select Edit subscription details.
Scenario: Designate a new user named Admin1 as the service administrator of the Azure subscription. References:
https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator