
Microsoft Certified: Azure Solutions Architect Expert Certification Questions and Answer (Dumps and Practice Questions)



Question : You work for a company named ABC.com. Your role as Cloud Administrator includes the management of the company's public and private cloud infrastructure. The company has
an Azure tenant.
The company has a development department. Developers are creating a new application that will be used by company employees and customers to manage users in Azure Active Directories.
The application must be able to perform the following actions on Azure Active Directory objects:
- Create new users.
- Delete users.
- Update user account properties.
- Change user account password.
You need to ensure that the application can perform the required operations. Which of the following actions should you perform?

1. You should configure Active Directory Federation Services 2.0 (AD FS).
2. You should configure the application to run on Azure as a software-as-a-service (SaaS).
3. You should configure the Graph API.
4. You should configure the application as an Identity Provider.



Correct Answer : 3
Explanation: The Graph API is used by applications to create, read, update, or delete directory objects in Azure Active Directory. An application must be configured for
either the Read Directory Data or Read And Write Directory Data permissions to use the Graph API.
The Azure Active Directory Graph API provides programmatic access to Azure AD through REST API endpoints. Applications can use the Graph API to perform create, read, update, and
delete (CRUD) operations on directory data and objects. For example, the Graph API supports the following common operations for a user object:
Create a new user in a directory
Get a user's detailed properties, such as their groups
Update a user's properties, such as their location and phone number, or change their password
Check a user's group membership for role-based access
Disable a user's account or delete it entirely
In addition to user objects, you can perform similar operations on other objects such as groups and applications. To call the Graph API on a directory, the application must be
registered with Azure AD and be configured to allow access to the directory. This is normally achieved through a user or admin consent flow.

The Graph API enables many application scenarios. The following scenarios are the most common:
Line of Business (Single Tenant) Application: In this scenario, an enterprise developer works for an organization that has an Office 365 subscription. The developer is building a web
application that interacts with Azure AD to perform tasks such as assigning a license to a user. This task requires access to the Graph API, so the developer registers the single tenant
application in Azure AD and configures read and write permissions for the Graph API. Then the application is configured to use either its own credentials or those of the currently
signed-in user to acquire a token to call the Graph API.
Software as a Service Application (Multi-Tenant): In this scenario, an independent software vendor (ISV) is developing a hosted multi-tenant web application that provides user
management features for other organizations that use Azure AD. These features require access to directory objects, and so the application needs to call the Graph API. The developer
registers the application in Azure AD, configures it to require read and write permissions for the Graph API, and then enables external access so that other organizations can consent
to use the application in their directory. When a user in another organization authenticates to the application for the first time, they are shown a consent dialog with the
permissions the application is requesting. Granting consent will then give the application those requested permissions to the Graph API in the user's directory. For more information
on the consent framework, see Overview of the Consent Framework.





Question : You work as a Messaging Administrator at ABC.com. The company has a single Active Directory Domain Services (AD DS) domain and has , employees.
The company currently has a Microsoft Exchange Server on-premises environment. The company plans to implement an Office 365 Exchange online environment in a hybrid configuration.
Some mailboxes will be hosted on Exchange online and some mailboxes will be hosted on Exchange on-premises for a period of time. Eventually, all mailboxes will be migrated to
Exchange online.
You want users to be able to log on to Azure Active Directory (AD) by using their current Active Directory Domain Services (AD DS) user names and passwords.
Which of the following services are the minimum system requirements to achieve this goal?


1. Active Directory Federation Services 2.0 (AD FS) and Directory Sync with Password Sync enabled.
2. Active Directory Domain Services (AD DS) domain controllers hosted on-premise and on Azure.
3. Directory Sync with Password Sync enabled.
4. Active Directory Federation Services Server 2.0 (AD FS), Active Directory Federation Services (AD FS) Proxy and Directory Sync with Password Sync enabled.
5. Active Directory Federation Services 2.0 (AD FS) and Directory Sync.


Correct Answer : 3
Explanation: Active Directory Federation Services (AD FS) simplifies access to systems and applications using a claims-based access (CBA) authorization mechanism to
maintain application security. AD FS supports Web single-sign-on (SSO) technologies that help information technology (IT) organizations collaborate across organizational boundaries.
AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, which was first delivered in Windows Server 2003 R2, and AD FS 1.1, which was made
available as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred to collectively as AD FS 1.x.

Active Directory Federation Services (AD FS) 2.0 helps simplify access to applications and other systems with an open and interoperable claims-based model. The AD FS 2.0 platform
provides a fully redesigned Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.

Active Directory Federation Services (AD FS) makes it possible for local users and federated users to use claims-based single sign-on (SSO) to Web sites and services. You can use AD
FS to enable your organization to collaborate securely across Active Directory domains with other external organizations by using identity federation. This reduces the need for
duplicate accounts, management of multiple logons, and other credential management issues that can occur when you establish cross-organizational trusts.






Question : You work for a company named ABC.com. Your role as Cloud Administrator includes the management of the company's public and private cloud infrastructure.
The company has an Azure Active Directory (Azure AD) tenant. All users have user accounts in Azure Active Directory (AD).
The company has an Intranet web application hosted in Azure. The web application can read and modify user account information in Azure AD.
You suspect that the application key has been compromised. You need to prevent access to the Azure AD by using the key. Users must continue to be able to use the web application.
Which of the following actions should you perform?


1. Modify the existing key in the application definition.
2. Remove the old key and generate a new key for the application.
3. Delete the web application and configure a new application.
4. Disable the graph API.




Correct Answer : 2
Explanation: If the app secret key is compromised, we can create a new one for 1 or 2 years. When saving the settings, a new key is generated. We can use this key to
replace the old one in our app. So all keys we need in our app can be managed here in the Azure portal. They are stored directly in the WAAD.

We also can manage users and groups here. Change to the Users or Groups menu and add new objects into the AD.



Related Questions


Question : You work for a company named ABC.com. Your role as Cloud Administrator includes the management of the company's public and private cloud infrastructure.
You have applications and virtual machines hosted on Windows Azure.
An application hosted in Azure Cloud Services provides a web-based portal that is used by all company employees and selected customers.
Two instances of a virtual machine (VM) running in Windows Azure perform back-end functionality for the portal application.
The portal application sometimes fails due to cloud services outages.
You want to ensure that the virtual machines (VMs) are deployed to separate fault domains to ensure that the portal application remains available during network failures, local disk
hardware failures, or any planned downtime.
Which of the following actions will ensure that the VMs are in separate fault domains?

1. Adding the VMs to an Availability Set.
2. Adding the VMs to separate Availability Sets.
3. Adding the VMs to an Affinity Group.
4. Adding the VMs to separate Affinity Groups.


You should ALWAYS specify an availability set when creating more than one virtual machine for the same purpose.

Examples:

Two or more web servers
Two or more SQL servers
Two or more AD servers
you get the idea
Specifying an availability set in these situations gives you multiple advantages.

Highly Available Hardware

Putting two or more VMs in availability sets guarantees that your VMs are spread across multiple racks in the Windows Azure Data Centers. This means redundant power supply, switches
and servers.

Rolling Host Updates

Grouping VMs in availability sets also gives the Windows Azure Fabric Controller the information it needs to intelligently update the host OSs that your guest VMs are running on.
Without availability sets, the FC would have no idea that two machines were serving the same purpose and could reasonably take them both down for host OS updates.

99.95% SLA

If you wish to have the 99.95% SLA guaranteed by Windows Azure for uptime, using availability sets is the way to achieve it.



Question : You work for a company named ABC.com. Your role as Cloud Administrator includes the management of the company's public and private cloud infrastructure.
You have applications and virtual machines hosted on Windows Azure.
All company employees use an application named CorpApp. The CorpApp application runs as a Windows Azure Cloud Service. Two instances of a virtual machine (VM) running in Windows
Azure perform back-end functionality for the CorpApp application. The VMs access large amounts of data that is stored in a Windows Azure Storage Account.
You want to optimize the performance of the CorpApp application by locating the cloud service and VMs in a data center as close to the storage services as possible.
Which of the following actions should you perform?

1. You should add the services to the same availability group.
2. You should add the services to the same affinity group.
3. You should add the services to the same IP address subnet.
4. You should add the services to the same virtual network.


Question : You work for a company named ABC.com. Your role as Cloud Administrator includes the management of the company's public and private cloud infrastructure.
You have applications and virtual machines hosted on Windows Azure. An application named CorpApp runs in a virtual machine named CorpAppVM1 which is part of a
Windows Azure cloud service named TK-AppService1. You need to increase the disk storage capacity of CorpAppVM1 by creating a new virtual hard disk
(VHD) and adding it to the VM. The new VHD must be 256GB in size and be named AppDataDisk2.

Which of the following PowerShell scripts should you run?


1. Update-AzureVM -Name "CorpAppVM1" | Add-AzureDisk -DiskName "AppDataDisk2" -DiskSize 256 -LUN 1
2. Get-AzureVM -ServiceName "TK-AppService1" -Name "CorpAppVM1" | Add-AzureDataDisk -CreateNew ` -DiskSizeInGB 256 -DiskLabel "AppDataDisk2" -LUN 1 | Update-AzureVM
3. Add-AzureVHD -CreateNew ` -DiskSizeInGB 256 -DiskLabel "AppDataDisk2" -LUN 1 | Get-AzureVM -ServiceName "TK-AppService1" -Name "CorpAppVM1" | Update-AzureVM
4. Set-AzureVM -Name "CorpAppVM1" | Add-AzureDisk -Size 256 -DiskName "AppDataDisk2"



Question : You work for a company named ABC.com. Your role as Cloud Administrator includes the management of the company's public and private cloud infrastructure.
You have a Windows Azure cloud service named TK-CLSrv1. You are configuring a virtual machine (VM) named AppVM1 in the TK-CLSrv1 cloud service. AppVM1 will host a custom application.
An on-premises server named TK-HV01 runs Windows Server Hyper-V. TK-HV01 hosts a virtual machine (VM) named AppVMData. An application running on AppVMData needs to send data to
AppVM1 using TCP port 8080. Which of the following actions should you perform?

1. You should configure port forwarding on the corporate firewall.
2. You should add an endpoint to AppVM1.
3. You should add a static route to AppVM1.
4. You should configure Network Address Translation (NAT) on the corporate firewall.




Question : You work for a company named ABC.com. The company has a main office in New York and branch offices in several countries including UK, Spain, Germany, India and Japan.
Your role as Cloud Administrator includes the management of the company's public and private cloud infrastructure.
Company employees in every office use mobile devices. The mobile devices run a custom application that sends and retrieves data to and from a web service hosted in a virtual machine
(VM) named TK-VM1. TK-VM1 is hosted on Windows Azure. Users in India and Japan report poor performance when accessing the web service from their mobile devices.
You need to monitor the performance of the web service from multiple locations around the world.
How should you configure the monitoring?


1. You should configure Network Out monitoring.
2. You should configure Network In monitoring.
3. You should configure Disk Write Bytes/sec monitoring.
4. You should configure Endpoint monitoring.






Question : You work for a company named ABC.com. Your role as Cloud Administrator includes the management of the company's public and private cloud infrastructure.
The company has a Windows Azure subscription for each of its three offices. The Windows Azure subscriptions are named NewYork, Boston and Atlanta.
You are based in the Atlanta office. Your default subscription for PowerShell sessions is the Atlanta subscription.
You need to configure virtual machines in the Boston subscription. You need to configure the Boston subscription to be used by default for the current PowerShell session without
changing the default subscription for all other sessions.
Which of the following PowerShell cmdlets should you run?

1. Select-AzureSubscription -SubscriptionName "Atlanta" -NoDefault
2. Select-AzureSubscription -SubscriptionName "Boston" -Default
3. Select-AzureSubscription -SubscriptionName "Boston" -Current
4. Get-AzureSubscription -SubscriptionName "Boston"
5. Set-AzureSubscription -SubscriptionName "Boston"




Question : You work for a company named ABC.com. The company has a main office in New York and branch offices in Atlanta, Dallas and Seattle. Your role as Cloud Administrator
includes the management of the company's public and private cloud infrastructure.
The company has virtual machines running in a Windows Azure subscription. Multiple virtual networks are included in the Windows Azure environment. Sales users often work away from
the office. You have been asked by the Sales Manager to provide a solution to enable the sales users to access the Azure virtual networks when they are working remotely. The solution
must enable the sales users to access the virtual networks from public networks such as coffee shops.
Which secure cross-premise connectivity method should you recommend for the Sales users?

1. Site-to-Site (S2S)
2. Point-to-Site (P2S)
3. ExpressRoute
4. VNet-to-VNet