You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
-> Reader
-> Security Admin
-> Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Testlet 2 -
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study -
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All
Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Contoso are hosted on-premises.
Contoso creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named contoso.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment -
The network contains an Active Directory forest named contoso.com. All domain controllers are configured as DNS servers and host the contoso.com DNS zone.
Contoso has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Contoso.com contains a user named User1.
All the offices connect by using private links.
Contoso has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.
Contoso uses two web applications named App1 and App2. Each instance of each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs).
Planned Changes -
Contoso plans to implement the following changes:
-> Deploy Azure ExpressRoute to the Montreal office.
-> Migrate the virtual machines hosted on Server1 and Server2 to Azure.
-> Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
-> Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical requirements -
Contoso must meet the following technical requirements:
-> Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
-> Ensure that VM3 can establish outbound connections over TCP port 8080 to the application servers in the Montreal office.
-> Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
-> Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
-> Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com
-> Connect the New York office to VNet1 over the Internet by using an encrypted connection.
-> Create a workflow to send an email message when the settings of VM4 are modified.
-> Create a custom Azure role named Role1 that is based on the Reader role.
-> Minimize costs whenever possible.
QUESTION 1 -
HOTSPOT -
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: [none]
Explanation -
Testlet 3 -
Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment -
Currently, Contoso uses multiple types of servers for business operations, including the following:
-> File servers
-> Domain controllers
-> Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
-> A SQL database
-> A web front end
-> A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements -
Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
-> Move all the tiers of App1 to Azure.
-> Move the existing product blueprint files to Azure Blob storage.
-> Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements -
Contoso must meet the following technical requirements:
-> Move all the virtual machines for App1 to Azure.
-> Minimize the number of open ports between the App1 tiers.
-> Ensure that all the virtual machines for App1 are protected by backups.
-> Copy the blueprint files to Azure over the Internet.
-> Ensure that the blueprint files are stored in the archive storage tier.
-> Ensure that partner access to the blueprint files is secured and temporary.
-> Prevent user passwords or hashes of passwords from being stored in Azure.
-> Use unmanaged standard storage for the hard disks of the virtual machines.
-> Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
-> Minimize administrative effort whenever possible.
User Requirements -
Contoso identifies the following requirements for users:
-> Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
-> Designate a new user named Admin1 as the service administrator of the Azure subscription.
-> Admin1 must receive email alerts regarding service outages.
-> Ensure that a new user named User3 can create network objects for the Azure subscription.
QUESTION 1 -
HOTSPOT -
You need to recommend a solution for App1. The solution must meet the technical requirements. What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: [none]
Explanation -
This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.
Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
-> A SQL database
-> A web front end
-> A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Technical requirements include:
-> Move all the virtual machines for App1 to Azure.
-> Minimize the number of open ports between the App1 tiers.
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server
QUESTION 2 -
You are planning the move of App1 to Azure.
You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1.
What should you recommend?
A. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.
B. Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.
C. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
D. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
Section: [none]
Explanation -
Because App1 is public-facing, an inbound security rule is required, and it should be scoped to the web servers that users access.
Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: a SQL database, a web front end, and a processing middle tier.
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
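The NSG rule semantics behind this answer, as an added Python model rather than code from the exam or from Microsoft: rules are evaluated in ascending priority and the first match wins, the three default inbound rules sit at priorities 65000 and above, and an inbound allow for TCP 443 from the Internet service tag is only needed on the web subnet. The rule names, priorities and directions follow the Azure documentation; the `Rule` dataclass, `evaluate` and `internet_exposed_ports` are assumptions of this example, as is the simplification of matching sources by service tag only.

```python
"""Added model of Azure NSG inbound rule evaluation for the App1 tiers (constructed, not Microsoft code)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower value is evaluated first; the first matching rule wins
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # service tag: "Internet", "VirtualNetwork", "AzureLoadBalancer" or "*"
    dest_port: str   # single port as a string, or "*"


# Default inbound rules that Azure places in every NSG (names and priorities as documented).
DEFAULT_INBOUND: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Custom rule from answer C: HTTPS from the Internet, priority 100 so it is checked before the defaults.
ALLOW_HTTPS_FROM_INTERNET = Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "Internet", "443")


def web_tier_nsg() -> List[Rule]:
    """NSG associated only with the web front-end subnet."""
    return [ALLOW_HTTPS_FROM_INTERNET] + DEFAULT_INBOUND


def internal_tier_nsg() -> List[Rule]:
    """NSG for the middle and SQL tiers: defaults only, nothing opened from the Internet."""
    return list(DEFAULT_INBOUND)


def evaluate(rules: List[Rule], direction: str, protocol: str, source: str, dest_port: str) -> Tuple[str, str]:
    """Return (access, rule name) of the first rule, in ascending priority, that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if rule.source not in ("*", source):
            continue
        if rule.dest_port not in ("*", dest_port):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule matched>"  # unreachable while DenyAllInBound is present


def internet_exposed_ports(rules: List[Rule]) -> List[str]:
    """Ports that a custom Allow rule opens from the Internet: the audit for 'minimize open ports'."""
    return sorted(
        r.dest_port for r in rules
        if r.direction == "Inbound" and r.access == "Allow" and r.priority < 65000
        and r.source in ("Internet", "*")
    )


if __name__ == "__main__":
    print(evaluate(web_tier_nsg(), "Inbound", "Tcp", "Internet", "443"))             # ('Allow', 'AllowHttpsInBound')
    print(evaluate(web_tier_nsg(), "Inbound", "Tcp", "Internet", "80"))              # ('Deny', 'DenyAllInBound')
    print(evaluate(internal_tier_nsg(), "Inbound", "Tcp", "Internet", "443"))        # ('Deny', 'DenyAllInBound')
    print(evaluate(internal_tier_nsg(), "Inbound", "Tcp", "VirtualNetwork", "1433"))  # ('Allow', 'AllowVnetInBound')
    # Answer B would associate the web NSG with every subnet, exposing 443 on the SQL subnet as well:
    print(internet_exposed_ports(web_tier_nsg()), internet_exposed_ports(internal_tier_nsg()))  # ['443'] []
```

Running the block shows why answer C is preferred over B: associating the same NSG with every subnet reports port 443 as Internet-exposed on the SQL and middle-tier subnets too, which works against the requirement to minimize open ports between the App1 tiers.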
Testlet 4 -
Overview -
Humongous Insurance is an insurance company that has three offices in Miami, Tokyo and Bangkok. Each office has 5,000 users.
Existing Environment -
Active Directory Environment -
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com. The functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.
Network Infrastructure -
Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Each office has several link load balancers that provide access to the servers.
Active Directory Issue -
Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Licensing Issue -
You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user."
You verify that the Azure subscription has the available licenses.
Requirements -
Planned Changes -
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.
Planned Azure AD Infrastructure -
The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure -
You plan to create the following networking resources in a resource group named All_Resources:
-> Default Azure system routes that will be the only routes used to route traffic
-> A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
-> A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
-> A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
Planned Azure Compute Infrastructure -
Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.
Department Requirements -
Humongous Insurance identifies the following requirements for the company's departments:
-> Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.
-> During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
Authentication Requirements -
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
QUESTION 1 -
HOTSPOT -
You are evaluating the connectivity between the virtual machines after the planned implementation of the Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Section: [none]
Explanation -
Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore, VMs on Subnet1, which is on Paris-VNet, and VMs on Subnet3, which is on AllOffices-VNet, will be able to connect to each other.
All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore, VMs on ClientSubnet, which is on ClientResources-VNet, will have access to the Internet, and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet, will have access to the Internet.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
https://docs.microsoft.com/en-us/azure/networking/networking-overview#internet-connectivity
QUESTION 2 -
HOTSPOT -
You are evaluating the name resolution for the virtual machines after the planned implementation of the Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Section: [none]
Explanation -
Box 1: Yes -
All client computers in the Paris office will be joined to an Azure AD domain.
A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
Box 2: Yes -
A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
Box 3: No -
Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records.
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
Question Set 1 -
QUESTION 1 -
You have an Azure Active Directory (Azure AD) domain that contains 5,000 user accounts. You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
A. From the Directory role blade, modify the directory role.
B. From the Groups blade, invite the user account to a new group.
C. From the Licenses blade, assign a new license.
Section: [none]
Explanation -
Assign a role to a user -
1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.
4. Press Select to save.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-
QUESTION 2 -
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.
You create two user accounts that are configured as shown in the following table.
To which groups do User1 and User2 belong? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: [none]
Explanation -
Box 1: Group 1 only -
First rule applies -
Box 2: Group1 and Group2 only -
Both membership rules apply.
https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections
QUESTION 3 -
You have an Active Directory forest named contoso.com.
You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled.
You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.
You need to ensure that the synchronization completes successfully.
What should you do?
A. From Synchronization Service Manager, run a full import.
B. Run Azure AD Connect and set the SSO method to Pass-through Authentication.
C. From Azure PowerShell, run Start-AdSyncSyncCycle -PolicyType Initial.
D. Run Azure AD Connect and disable staging mode.
Section: [none]
Explanation -
Staging mode must be disabled. If the Azure AD Connect server is in staging mode, password hash synchronization is temporarily disabled.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-
QUESTION 4 -
You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.
You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single sign-on (SSO) to access Azure resources.
What should you do first?
A. From the on-premises network, deploy Active Directory Federation Services (AD FS).
B. From Azure AD, add and verify a custom domain name.
C. From the on-premises network, request a new certificate that contains the Active Directory domain name.
D. From the server that runs Azure AD Connect, modify the filtering options.
Section: [none]
Explanation -
Azure AD Connect lists the UPN suffixes that are defined for the domains and tries to match them with a custom domain in Azure AD. Then it helps you with the appropriate action that needs to be taken. The Azure AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and displays the corresponding status against each suffix. The status values can be one of the following:
-> State: Verified
Azure AD Connect found a matching verified domain in Azure AD. All users for this domain can sign in by using their on-premises credentials.
-> State: Not verified
Azure AD Connect found a matching custom domain in Azure AD, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified.
-> Action Required: Verify the custom domain in Azure AD.
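The suffix matching described above, as an added Python model (not Azure AD Connect's own code): each on-premises UPN suffix is looked up among the tenant's custom domains and given the state Verified, Not verified or Not added (the third state as documented for the wizard), and a user whose suffix is not verified ends up signing in with the tenant's default .onmicrosoft.com name, which is the symptom in Question 4. The tenant domains, the sample UPNs and the default domain name are constructed; the function names are this example's own.

```python
"""Added model of Azure AD Connect's UPN suffix check against tenant domains (constructed, not Microsoft code)."""
from typing import Dict, List, Optional, Tuple

# Tenant initial domain that users fall back to when their suffix is not verified (constructed value).
DEFAULT_DOMAIN = "contoso.onmicrosoft.com"

# Custom domains present in the tenant and whether each has been verified (constructed sample:
# contoso.com was added but never verified).
TENANT_DOMAINS: Dict[str, bool] = {"contoso.com": False}

# Constructed sample of on-premises UPNs.
ONPREM_UPNS: List[str] = ["user1@contoso.com", "user2@contoso.com", "user3@fabrikam.com"]


def suffix_state(suffix: str, domains: Dict[str, bool]) -> str:
    """State as shown on the Azure AD Connect sign-in page for one UPN suffix."""
    if suffix not in domains:
        return "Not added"
    return "Verified" if domains[suffix] else "Not verified"


def required_action(state: str) -> Optional[str]:
    """Action the wizard asks for; None when the suffix is already usable."""
    return {
        "Verified": None,
        "Not verified": "Verify the custom domain in Azure AD",
        "Not added": "Add and verify the custom domain in Azure AD",
    }[state]


def effective_upn(upn: str, domains: Dict[str, bool], default_domain: str = DEFAULT_DOMAIN) -> Tuple[str, str]:
    """UPN the user signs in with after sync: unchanged if the suffix is verified,
    otherwise rewritten to the tenant's default .onmicrosoft.com domain."""
    local_part, _, suffix = upn.rpartition("@")
    state = suffix_state(suffix, domains)
    if state == "Verified":
        return upn, state
    return f"{local_part}@{default_domain}", state


def suffix_report(upns: List[str], domains: Dict[str, bool]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Per distinct suffix: (state, action required), like the wizard's table."""
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for upn in upns:
        suffix = upn.rpartition("@")[2]
        state = suffix_state(suffix, domains)
        report[suffix] = (state, required_action(state))
    return report


if __name__ == "__main__":
    # Symptom from Question 4: the custom domain is not verified, so users end up on the .onmicrosoft.com suffix.
    print(effective_upn("user1@contoso.com", TENANT_DOMAINS))   # ('user1@contoso.onmicrosoft.com', 'Not verified')
    print(suffix_report(ONPREM_UPNS, TENANT_DOMAINS))
    # Answer B: add and verify the custom domain, after which the on-premises UPN is kept as-is.
    fixed = dict(TENANT_DOMAINS, **{"contoso.com": True})
    print(effective_upn("user1@contoso.com", fixed))            # ('user1@contoso.com', 'Verified')
```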
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-user-signin
QUESTION 5 -
You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com.
You have a Microsoft account that you use to sign in to both tenants.
You need to configure the default sign-in tenant for the Azure portal.
What should you do?
A. From the Azure portal, configure the portal settings.
B. From the Azure portal, change the directory.
C. From Azure Cloud Shell, run Set-AzureRmContext.
D. From Azure Cloud Shell, run Set-AzureRmSubscription.
Section: [none]
Explanation -
Change the subscription directory in the Azure portal.
The classic portal feature Edit Directory, which allows you to associate an existing subscription to your Azure Active Directory (AAD), is now available in the Azure portal. It used to be available only to Service Admins with Microsoft accounts, but now it's available to users with AAD accounts as well.
To get started:
1. Go to Subscriptions.
2. Select a subscription.
3. Select Change directory.
Incorrect Answers:
C: The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current session. The context includes tenant, subscription, and environment information.
https://azure.microsoft.com/en-us/updates/edit-directory-now-in-new-portal/
QUESTION 6 -
You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named
as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?
A. Device settings from the Devices blade.
B. General settings from the Groups blade.
C. User settings from the Users blade.
D. Providers from the MFA Server blade.
Section: [none]
Explanation -
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
-> The Azure AD global administrator role
-> The Azure AD device administrator role
-> The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
QUESTION 7 -
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: [none]
Explanation -
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
QUESTION 8 -
HOTSPOT -
Your network contains an Active Directory domain named adatum.com and an Azure Active Directory (Azure AD) tenant named adatum.onmicrosoft.com.
Adatum.com contains the user accounts in the following table.
Adatum.onmicrosoft.com contains the user accounts in the following table.
You need to implement Azure AD Connect. The solution must follow the principle of least privilege.
Which user accounts should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: [none]
Explanation -
Box 1: User5 -
In Express settings, the installation wizard asks for the following:
AD DS Enterprise Administrator credentials
Azure AD Global Administrator credentials
The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These credentials are only used during the installation and are not used after the installation has completed. The Enterprise Admin, not the Domain Admin, should make sure the permissions in Active Directory can be set in all domains.
Box 2: UserA -
Azure AD Global Admin credentials are only used during the installation and are not used after the installation has completed. They are used to create the Azure AD Connector account used for synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-
To allow User1 to assign the Reader role for VNet1 to other users, you need to grant User1 the appropriate permission on the specific resource or resource group.
Option A, assigning User1 the Owner role for VNet1 would give User1 full control over VNet1, which includes the ability to assign any role to any user. However, this level of access may be too much for what is required in this scenario.
Option B, assigning User1 the Network Contributor role for VNet1 would grant User1 permission to manage all aspects of the VNet, including its subnets, but would not give User1 permission to assign roles to other users.
Option C, assigning User1 the Network Contributor role for RG1 would grant User1 permission to manage all aspects of the VNet and any other resources within RG1, but would not give User1 permission to assign roles to other users.
Option D, removing User1 from the Security Reader role for Subscription1 and assigning User1 the Contributor role for RG1 would grant User1 permission to manage all resources within RG1, but would not give User1 permission to assign roles to other users specifically for VNet1.
Therefore, the correct answer is Option B: Assign User1 the Network Contributor role for VNet1. This will allow User1 to manage VNet1 and also assign the Reader role for VNet1 to other users.
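Scope inheritance and action matching from the explanation above, together with the Role1 custom role from the Contoso technical requirements, as an added Python model (not Microsoft's code): an assignment applies at its own scope and every child scope beneath it, a role grants an action when an Actions entry matches it with Azure's `*` wildcard and no NotActions entry subtracts it, and a custom role cloned from Reader keeps Reader's single `*/read` action. Reader's and Owner's action lists are as documented; the subscription ID is a placeholder, and Role1's definition, the evaluator and the function names are assumptions of this example.

```python
"""Added model of Azure RBAC evaluation: scope inheritance and Actions/NotActions wildcards (constructed, not Microsoft code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List


@dataclass
class RoleDefinition:
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)


@dataclass
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str   # ARM resource ID at which the role was assigned


# Built-in definitions as documented: Reader = "*/read", Owner = "*".
READER = RoleDefinition("Reader", ["*/read"])
OWNER = RoleDefinition("Owner", ["*"])

# Scopes from the question; the subscription ID is a placeholder.
SUBSCRIPTION1 = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG1 = SUBSCRIPTION1 + "/resourceGroups/RG1"
VNET1 = RG1 + "/providers/Microsoft.Network/virtualNetworks/VNet1"

ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"
READ_VNET = "Microsoft.Network/virtualNetworks/read"


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies at its own scope and at every child scope below it, never upward."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def action_matches(pattern: str, action: str) -> bool:
    """Azure action wildcards: '*' matches any run of characters, including '/'; names are case-insensitive."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: RoleDefinition, action: str) -> bool:
    """Granted when some Actions entry matches and no NotActions entry subtracts it (NotActions is not a deny)."""
    granted = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return granted and not excluded


def is_allowed(assignments: List[RoleAssignment], principal: str, action: str, resource_scope: str) -> bool:
    """Effective permission is the union of every assignment whose scope reaches the resource."""
    return any(
        a.principal == principal and scope_covers(a.scope, resource_scope) and role_permits(a.role, action)
        for a in assignments
    )


def custom_role_based_on_reader(name: str, assignable_scope: str) -> Dict:
    """Role definition document for a custom role cloned from Reader, in the JSON shape Azure accepts."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": f"{name}: custom role based on Reader (constructed example)",
        "Actions": list(READER.actions),
        "NotActions": [],
        "AssignableScopes": [assignable_scope],
    }


if __name__ == "__main__":
    assignments = [
        RoleAssignment("User1", READER, SUBSCRIPTION1),   # Reader at the subscription, inherited by VNet1
        RoleAssignment("User1", OWNER, VNET1),            # Owner on VNet1 only
    ]
    print(is_allowed(assignments, "User1", READ_VNET, VNET1))     # True, via the subscription-level Reader
    print(is_allowed(assignments, "User1", ASSIGN_ROLE, VNET1))   # True, Owner's "*" covers it at VNet1
    print(is_allowed(assignments, "User1", ASSIGN_ROLE, RG1))     # False, a VNet1-scoped Owner does not reach RG1
    print(custom_role_based_on_reader("Role1", RG1)["Actions"])   # ['*/read']
```

The `custom_role_based_on_reader` document is what you would feed to a role definition create call, with `AssignableScopes` limiting where Role1 can be assigned; the evaluator shows that the Reader assignment at subscription scope already reaches VNet1, while a role granted on VNet1 alone does not extend up to RG1.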