az-305-quiz-readiness.txt
[{Question 1|Network Security Group rules are processed in which order?|Rules are processed based on source or destination first; less specific source or destination values are processed first.|Rules are processed based on source or destination first; more specific source or destination values are processed first.|Rules with lower priority numbers are processed first. For example, 100 is processed before 110.|Rules with higher priority numbers are processed first. For example, 110 is processed before 100.|Sorry! Explanation:Network security group rules are processed in priority order. Higher numbers are processed after lower numbers.|Correct Answer:Network security group rules are processed in priority order from 100 to 4096, with lower numbers processed before higher numbers.}{Question 2|You are planning to configure object replication for block blobs. Which of the following is not a valid requirement?||The source and destination accounts must be either general-purpose v2 or premium block blob accounts.||You must be assigned the Owner role on the storage account or higher in the scope.||Blob versioning is enabled for both the source and destination account.||The blob change feed must be enabled for the source account.|Sorry!|The blob change feed must be enabled for the source account, but it does not need to be enabled on the destination account.|Correct Answer|You must be assigned the Contributor Azure role.}{Question 3|Azure storage supports multiple storage tiers for Blob storage. 
Which of the following is NOT a valid storage tier?||Cold||Archive||Glacier||Cool|Good work!|Glacier is not a valid Azure storage tier.}{Question 4|Which of the following is required to deploy Azure Bastion?||A subnet named AzureBastionSubnet with a subnet mask of /26 or larger||A subnet named AzureBastion with a subnet mask of /26 or smaller||Azure Firewall with the Premium SKU||Azure Firewall with the Standard SKU|Good work!|A subnet named AzureBastionSubnet with a subnet mask of /26 or larger is required when you deploy Azure Bastion. Reference: Deploy Azure Bastion (https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal#prerequisites)}{Question 5|You plan to delegate access to a storage account using a shared access signature (SAS). You need to set an expiration time that you may need to extend. Which of the following do you configure?||A storage account access key||An expiration policy for shared access signatures||A stored access policy||A user delegation SAS|Sorry!|A SAS expiration policy can provide a recommended upper expiration limit; this is not enforced and doesn't allow you to extend expiration time of shared access signatures.|Correct Answer|A stored access policy provides additional server side control over shared access signatures (SAS), including the ability to change the start time, expiry time, or permissions. Reference: Create a stored access policy (https://learn.microsoft.com/azure/storage/common/storage-stored-access-policy-define-dotnet)}{Question 6|You have an Azure Web App running on a Standard Azure App Service Plan. You currently have five staging slots that are being used to test various new features. You need to create a new deployment slot. 
What should you do first?||Scale up your App Service plan.||Scale out your App Service plan.||Modify the App Service plan, and set the maximum deployment slots to at least 6.||Redeploy your App Service plan with a new pricing tier.|Sorry!|The Standard App Service plan provides 5 staging slots. You need to scale up your App Service plan for access to additional staging slots.|Correct Answer|The Standard App Service plan provides five staging slots. Your App Service plan can be scaled up and down at any time. When you scale up your App Service plan, you get access to the additional features of that plan.}{Question 7|You need to find underutilized virtual machines in your Azure subscription. Which tool can you use?||Azure Advisor||Azure Monitor||Activity logs||Cost Management|Sorry!|Azure Monitor is a monitoring solution for collecting, analyzing, and responding to monitoring data from your workloads.|Correct Answer|Azure Advisor offers actionable recommendations to help you optimize your Azure resources across the Well-architected pillars, one of which is cost optimization.}{Question 8|Which of the following is NOT a valid requirement to configure and test self-service password reset for cloud-only users?||An account with Global Administrator or Authentication Policy Administrator privileges||A Microsoft Entra tenant with at least a Microsoft Entra ID Free license||A Microsoft Entra tenant with at least a Microsoft Entra ID P1 license||A non-administrator user account.|Sorry!|Admins are always enabled for self-service password reset. To test self-service password reset, you need a non-administrator user account.|Correct Answer|Microsoft Entra ID P1 is required for self-service password reset/change/unlock and on-premises write-back. 
Reference: Enable users to unlock their account or reset passwords using Microsoft Entra self-service password reset (https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr)}{Question 9|You have an application that is accessing a storage account using storage account access keys. The application is configured to use key 1. You plan to rotate the storage account access keys. Which steps should you take and in which order?||Update the application to use key 2, regenerate key 1, update the application to use key 1, and then regenerate key 2.||Regenerate key 1, and update the application to use the new key.||Update the application to use key 2, regenerate key 1, and then update the application to use key 1.||Regenerate key 2, and update the application to use key 2.|Sorry!|Rotating storage account access keys is the process of regenerating both access keys. Key 2 should be regenerated as well.|Correct Answer|This series of steps would successfully rotate the storage account access keys. Reference: Manually rotate access keys (https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage#manually-rotate-access-keys)}{Question 10|Which of the following scopes can you assign Azure (RBAC) roles?||Entra Tenants, administrative units or individual Entra objects like applications.||Management groups, subscriptions, resource groups, and individual resources.||Management groups, subscriptions, and resource groups.||Entra Tenants, administrative units, individual Entra objects like applications, management groups, subscriptions, resource groups, and individual resources.|Sorry!|Role assignments in Azure cannot be scoped to Microsoft Entra Tenants, administrative units, or Entra objects like applications.|Correct Answer|Azure RBAC role assignments can be scoped to management groups, subscriptions, resource groups, and individual resources. 
Reference: Azure roles, Microsoft Entra roles, and classic subscription administrator roles (https://learn.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles)}{Question 11|You need to ensure that all public network access to an Azure storage account is disabled. What should you configure?||Private endpoint connections||Microsoft Defender for Cloud||Firewalls and virtual networks||Containers|Good work!|You can configure the firewalls and virtual networks networking settings on the storage account to ensure that public network access is disabled. Reference: Configure Azure Storage firewalls and virtual networks (https://learn.microsoft.com/azure/storage/common/storage-network-security?tabs=azure-portal)}{Question 12|When managing Microsoft Entra and Azure, there are two types of roles that can be used to grant privileges to manage those resources. What are the two role types?||Privileged roles, Standard roles||Azure AD roles, Microsoft Entra roles||User roles, machine roles||Microsoft Entra roles, Azure roles|Good work!|Microsoft Entra roles grant privileges within the Microsoft Entra tenant. Azure roles grant privileges within Azure subscriptions and management groups. Reference: Azure roles, Microsoft Entra roles, and classic subscription administrator roles (https://learn.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles)}{Question 13|What is the maximum number of regions an Azure virtual network can span?||One||Two||Three||None|Sorry!|Virtual Networks cannot be deployed to three regions; to connect virtual networks in more than two regions, consider VNET peering with a hub network.|Correct Answer|Virtual networks are deployed to a single region.}{Question 14|You have a Windows Azure VM, and you wish to directly back up only the following folders on the VM:|C:\FinanceApp|E:\Database|You are not using a backup server. 
Which agent should you deploy to the virtual machine?||None, use the Azure VM agent.||Install the System Center Data Protection Manager (DPM) protection agent.||Microsoft Azure Backup Server (MABS) protection agent.||The Microsoft Azure Recovery Services (MARS) agent.|Sorry!|The Microsoft Azure Backup Server (MABS) protection agent can be used to back up files and folders on a VM when using Microsoft Azure Backup Server.|Correct Answer|The Microsoft Azure Recovery Services (MARS) agent can be used to back up specific files, folders, or volumes on Windows Azure VMs. Reference: Support matrix for Azure VM backups (https://learn.microsoft.com/azure/backup/backup-support-matrix-iaas)}{Question 15|Azure storage supports multiple redundancy options. Which of the following is NOT a valid Azure storage redundancy option?||Read-only Geo-zone-redundant Storage (RA-GZRS)||Zone-redundant Storage (ZRS)||Locally-geo-redundant Storage (LGRS)||Locally-redundant Storage (LRS)|Sorry!|Zone-redundant Storage (ZRS) replicates data to three facilities in a single region.|Correct Answer|Locally-geo-redundant Storage (LGRS) is not a valid Azure storage redundancy option.}{Question 16|You need to provide secure delegated access to a blob in an Azure storage account. Which of the following should you use?||A stored access policy||A storage account access key||A shared access signature||An Azure file share|Sorry!|A storage account access key provides full access to a storage account and is not time-restricted.|Correct Answer|Shared access signatures can be used to provide secure delegated access to Azure storage accounts. 
Reference: Grant limited access to Azure Storage resources using shared access signatures (SAS) (https://learn.microsoft.com/azure/storage/common/storage-sas-overview)}{Question 17|Which of the following statements is NOT true about resource locks?||You can lock an Azure subscription, resource group, or individual resource.||When you apply a lock at a scope, all resources within that scope inherit the same lock.||Only the Owner, User Access Administrator, and Contributor roles can create and delete management locks.||Data plane operations like data transactions are not impacted by resource locks.|Sorry!|All resources within that scope of the lock inherit the same lock.|Correct Answer|Only the Owner and the User Access Administrator roles can create and delete management locks. Contributor cannot create and delete management locks. Reference: Lock your resources to protect your infrastructure (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json)}{Question 18|You create a custom Azure policy definition and save it to a subscription named Sub1. Which of the following scopes can you assign the policy?||Only Resource Groups in Sub1.||Anywhere in the management hierarchy.||Resource Groups in Sub1 and Sub1.||Only Sub1.|Sorry!|You can assign the policy to any resources within the scope of Sub1 and Sub1 itself.|Correct Answer|Resources must be within the resource hierarchy of the definition location to target for assignment. Both Resource Groups within Sub1 and Sub1 can be assigned the policy. 
Reference: Understand scope in Azure Policy (https://learn.microsoft.com/azure/governance/policy/concepts/scope)}{Question 19|For which of the following storage accounts can you configure lifecycle management policies?||Premium block blob, and Blob Storage accounts.||Premium file share only.||General-purpose v2, premium block blob, and Blob Storage accounts.||General-purpose v2 only.|Good work!|Lifecycle management policies are supported for block blobs and append blobs only. The account must be a general-purpose v2, premium block blob, or Blob Storage account. Reference: Optimize costs by automatically managing the data lifecycle (https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-overview)}{Question 20|Which of the following statements about resource groups is NOT true?||Resource groups can be nested.||Resource groups contain Azure resources.||A resource can only be a member of a single resource group.||Many resources can be moved between resource groups.|Good work!|Resource groups cannot be nested.}{Question 21|Which Microsoft-native tools can be used to deploy resources to Azure?||ARM templates, Bicep files, Azure PowerShell, and Azure CLI||ARM templates, Bicep files, Pulumi, Saltstack, Chef, Ansible, and Terraform.||ARM templates, Terraform files, Azure PowerShell, and AzCopy||ARM templates, YAML files, Azure PowerShell, and JSON files|Good work!|ARM templates, Bicep files, Azure PowerShell, and the Azure CLI can all be used to deploy resources to Azure.}{Question 22|A user named User1 has been assigned the Contributor role at the scope of a subscription named Sub1. User1 also has the Reader role assignment on a subscription named Sub2. User1 has also been assigned the Owner role at the scope of a resource group named RG1 within Sub1. No other role assignments exist for User1. 
Which of the following actions can the user perform?||Delete all resources within Sub2||Create resources within Sub2||Assign roles on RG1||Assign roles on Sub1|Good work!|User1 can assign roles on RG1 using their Owner role assignment at that scope. Reference: Azure roles, Microsoft Entra roles, and classic subscription administrator roles (https://learn.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles).}{Question 23|You have been asked to scale out a virtual machine deployment. What should you do?||Distribute the existing virtual machines to multiple regions||Increase the size of the virtual machine||Increase the number of virtual machine instances deployed||Increase the number of disks attached to the virtual machine|Good work!|Scaling out involves deploying instances of an existing resource.}{Question 24|You have four virtual networks deployed. The virtual networks are deployed in the following regions: Australia East, South Central US, Southeast Asia, and West US. All virtual networks are fully peered. You are deploying Azure Bastion. How many Bastion hosts must you deploy to manage virtual machines deployed in all virtual networks?||3||4||1||2|Sorry!|One Azure Bastion host can be used to manage VMs deployed in peered VNets without deploying an additional bastion host. This includes global VNet peering.|Correct Answer|Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. Reference: VNet peering and Azure Bastion (https://learn.microsoft.com/azure/bastion/vnet-peering)}{Question 25|You need to provide access to an Azure file share using Server Message Block (SMB). You have been asked which authentication methods are supported. 
Which of the following should you NOT recommend?||Shared access signatures for SMB||Microsoft Entra Kerberos for hybrid identities||Active Directory Domain Services (AD DS) authentication||Microsoft Entra Domain Services authentication|Good work!|Shared access signatures for SMB is not a valid authentication option.}{Question 26|Which of the following resources is used to route the flow of network traffic to specific network destinations?||Network security groups||Azure firewall||ExpressRoute||User-defined routes|Good work!|User-defined routes can be used to direct the flow of network traffic to specific network destinations.}{Question 27|Which of the following are valid membership types for Microsoft Entra groups?||Hybrid, guest, combined||Assigned, generated||Assigned, dynamic||Classic, Entra|Sorry!|Hybrid, guest, and combined are not valid membership types. Groups can be synchronized from Active Directory Domain Services (AD DS), which would be considered hybrid groups. Guests can be a member of security and Microsoft 365 groups.|Correct Answer|Membership to Microsoft Entra groups can be either assigned or dynamic.}{Question 28|Which of the following statements is true about Entra ID licenses?||Entra ID licenses can be assigned to individual users or groups, but not both.||Entra ID licenses can be assigned to both individual users or groups.||Entra ID licenses can be assigned to individual users only.||Entra ID licenses can be assigned to groups only.|Good work!|Entra ID licenses can be assigned to both users and groups as required. 
Reference: Assign or remove licenses (https://learn.microsoft.com/entra/fundamentals/license-users-groups)}{Question 29|Which of the following is NOT a valid Azure virtual machine disk type?||Operating System (OS)||Data||Log||Temporary|Sorry!|Some virtual machine sizes have a temporary disk for ephemeral data.|Correct Answer|Log is not a valid disk type.}{Question 30|Network Security Groups (NSGs) can be associated with which of the following Azure resources?||Network interfaces and subnets||Public and private IP addresses||Subnets and endpoints||Network interfaces and service endpoints|Sorry!|Network Security Groups (NSGs) cannot be associated with either service endpoints or private endpoints.|Correct Answer|Network Security Groups (NSGs) can be associated with both network interfaces and subnets.}{Question 31|You have been asked to ensure that all Azure resources associated with a Human Resources (HR) workload are marked as confidential. What should you use?||Microsoft Entra groups||Administrative Units||Tags||Resource locks|Sorry!|Resource locks are a feature available in Azure to prevent the deletion or modification of Azure resources.|Correct Answer|Tags are key-value pairs that help you identify resources based on data to your organization.}{Question 32|You have been asked to allow 100 external users to access resources secured by your Microsoft Entra Tenant, including Microsoft 365. You create a CSV file with a list of email addresses and redirection URLs. In the Microsoft Entra Portal, which step should you take next?||From the All users menu, select New guest and then select Import.||From the All users menu, select Bulk operations and then select Bulk invite.||From the All users menu, select Bulk operations and then select Bulk create.||From the All guests menu, select Import guests.|Good work!|You should select Bulk operations and then bulk invite guests from the All users menu. 
Reference: Bulk invite Microsoft Entra B2B collaboration users (https://learn.microsoft.com/en-us/entra/external-id/tutorial-bulk-invite)}{Question 33|When creating an Entra ID group, which group types can you create?||User, Device, Application||Security, Distribution||Security, Microsoft 365||User, Device|Sorry!|You cannot create a Device group, but devices can be a member of Security groups. Applications cannot be a member of a group, but the Security Principals that act as an Identity for the application can be a member.|Correct Answer|Microsoft Entra ID supports two group types, Security, and Microsoft 365. Reference: Learn about groups and access rights in Microsoft Entra ID (https://learn.microsoft.com/entra/fundamentals/concept-learn-about-groups)}{Question 34|Azure Storage provides four storage services. What are they?||Blobs, messages, databases, and files||Containers, tables, queues, and files||Blobs, tables, queues, and files||Disks, tables, queues, and files|Good work!|Azure storage provides unstructured blob storage, non-relational table storage, message storage with queues, and network share file storage with files.}{Question 35|You have an existing storage account. You configure customer-managed keys for the account. Which storage services are encrypted using the customer-managed keys?||Blob storage only||Blob, table, queue, and file storage||Blob, queue, and file storage||Blob, and file storage|Good work!|Data stored in queue and table storage isn't automatically protected by a customer-managed key when customer-managed keys are enabled for an existing storage account. You must configure these services to be included in this protection when you create the storage account. Reference: Enable customer-managed keys for a storage account (https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview#customer-managed-keys-for-queues-and-tables)}]