Download Designing Microsoft Azure Infrastructure Solutions.PremiumDumps.AZ-305.2022-11-16.1e.166q.vcex


File Info

Exam Designing Microsoft Azure Infrastructure Solutions
Number AZ-305
File Name Designing Microsoft Azure Infrastructure Solutions.PremiumDumps.AZ-305.2022-11-16.1e.166q.vcex
Size 7.13 Mb
Posted November 16, 2022
Downloads 41

How to open VCEX & EXAM Files?

Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.




 
 



Demo Questions

Question 1

You need to recommend a solution that meets the file storage requirements for App2.
What should you deploy to the Azure subscription and the on-premises network? To answer, drag the appropriate services to the correct locations. Each service may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct Answer: Exam simulator is required

Box 1: Azure Files
Scenario: App2 has the following file storage requirements:
Save files to an Azure Storage account.
Replicate files to an on-premises location.
Ensure that on-premises clients can read the files over the LAN by using the SMB protocol.
Box 2: Azure File Sync
Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You can use any protocol that's available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.
Reference:
https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide




Question 2

You need to recommend a solution that meets the data requirements for App1.
What should you recommend deploying to each availability zone that contains an instance of App1?

  • A: an Azure Cosmos DB that uses multi-region writes
  • B: an Azure Data Lake store that uses geo-zone-redundant storage (GZRS)
  • C: an Azure SQL database that uses active geo-replication
  • D: an Azure Storage account that uses geo-zone-redundant storage (GZRS)

Correct Answer: A

Scenario: App1 has the following data requirements:
Each instance will write data to a data store in the same availability zone as the instance.
Data written by any App1 instance must be visible to all App1 instances.
Azure Cosmos DB: Each partition across all the regions is replicated. Each region contains all the data partitions of an Azure Cosmos container and can serve reads as well as serve writes when multi-region writes is enabled.
Incorrect Answers:
B, D: GZRS protects against failures. Geo-redundant storage (with GRS or GZRS) replicates your data to another physical location in the secondary region to protect against regional outages. However, that data is available to be read only if the customer or Microsoft initiates a failover from the primary to secondary region.
C: Active geo-replication is designed as a business continuity solution that lets you perform quick disaster recovery of individual databases in case of a regional disaster or a large scale outage. Once geo-replication is set up, you can initiate a geo-failover to a geo-secondary in a different Azure region. The geo-failover is initiated programmatically by the application or manually by the user.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/high-availability




Question 3

You need to recommend a solution to ensure that App1 can access the third-party credentials and access strings. The solution must meet the security requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
  

Correct Answer: Exam simulator is required

Scenario: Security Requirement
All secrets used by Azure services must be stored in Azure Key Vault.
Services that require credentials must have the credentials tied to the service instance. The credentials must NOT be shared between services.
Box 1: A service principal
A service principal is a type of security principal that identifies an application or service, which is to say, a piece of code rather than a user or group. A service principal's object ID is known as its client ID and acts like its username. The service principal's client secret acts like its password.
Note: Authentication with Key Vault works in conjunction with Azure Active Directory (Azure AD), which is responsible for authenticating the identity of any given security principal.
A security principal is an object that represents a user, group, service, or application that's requesting access to Azure resources. Azure assigns a unique object ID to every security principal.
Box 2: A role assignment
You can provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/authentication




Question 4

You need to recommend an App Service architecture that meets the requirements for App1. The solution must minimize costs.
What should you recommend?

  • A: one App Service Environment (ASE) per availability zone
  • B: one App Service plan per availability zone
  • C: one App Service plan per region
  • D: one App Service Environment (ASE) per region

Correct Answer: A




Question 5

You need to recommend a solution that meets the data requirements for App1.
What should you recommend deploying to each availability zone that contains an instance of App1?

  • A: an Azure Cosmos DB that uses multi-region writes
  • B: an Azure Storage account that uses geo-zone-redundant storage (GZRS)
  • C: an Azure Data Lake store that uses geo-zone-redundant storage (GZRS)
  • D: an Azure SQL database that uses active geo-replication

Correct Answer: A




Question 6

You are evaluating whether to use Azure Traffic Manager and Azure Application Gateway to meet the connection requirements for App1.
What is the minimum number of instances required for each service? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer: Exam simulator is required

  




Question 7

You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam, Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to the Application1 components. All users are licensed for the Microsoft 365 E5 plan.
You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1. The solution must meet the following requirements:
To the manager of the developers, send a monthly email message that lists the access permissions to Application1.
If the manager does not verify access permission, automatically revoke that permission.
Minimize development effort.
What should you recommend?

  • A: In Azure Active Directory (AD) Privileged Identity Management, create a custom role assignment for the Application1 resources
  • B: Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet
  • C: Create an Azure Automation runbook that runs the Get-AzureRmRoleAssignment cmdlet
  • D: In Azure Active Directory (Azure AD), create an access review of Application1

Correct Answer: D

https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-user-access-with-access-reviews
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access. Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly, monthly, quarterly or annually, and the reviewers will be notified at the start of each review.
Reviewers can approve or deny access with a friendly interface and with the help of smart recommendations.
Why are access reviews important?
"Azure AD enables you to collaborate with users from inside your organization and with external users. Users can join groups, invite guests, connect to cloud apps, and work remotely from their work or personal devices. The convenience of using self-service has led to a need for better access management capabilities."




Question 8

You have an Azure subscription. The subscription has a blob container that contains multiple blobs.
Ten users in the finance department of your company plan to access the blobs during the month of April. You need to recommend a solution to enable access to the blobs during the month of April only. Which security solution should you include in the recommendation?

  • A: shared access signatures (SAS)
  • B: access keys
  • C: conditional access policies
  • D: certificates

Correct Answer: A

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
This allows for limited-time, fine-grained access control to resources. You can generate a URL, specify the duration (the month of April) and disseminate the URL to the 10 team members. On May 1, the SAS token is automatically invalidated, denying team members continued access.




Question 9

You have an Azure Active Directory (Azure AD) tenant that syncs with an on-premises Active Directory domain.
You have an internal web app named WebApp1 that is hosted on-premises. WebApp1 uses Integrated Windows authentication.
Some users work remotely and do NOT have VPN access to the on-premises network.
You need to provide the remote users with single sign-on (SSO) access to WebApp1.
Which two features should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A: Azure AD Application Proxy
  • B: Azure AD Privileged Identity Management (PIM)
  • C: Conditional Access policies
  • D: Azure Arc
  • E: Azure AD enterprise applications
  • F: Azure Application Gateway

Correct Answer: AC

A: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service which runs in the cloud, and the Application Proxy connector which runs on an on-premises server.
You can configure single sign-on to an Application Proxy application.
C: Microsoft recommends using Application Proxy with pre-authentication and Conditional Access policies for remote access from the internet. An approach to provide Conditional Access for intranet use is to modernize applications so they can directly authenticate with AAD.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-config-sso-how-to
https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-deployment-plan




Question 10

You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a security group named Group1. Group1 is configured for assigned membership. Group1 has 50 members, including 20 guest users.
You need to recommend a solution for evaluating the membership of Group1. The solution must meet the following requirements:
The evaluation must be repeated automatically every three months.
Every member must be able to report whether they need to be in Group1.
Users who report that they do not need to be in Group1 must be removed from Group1 automatically.
Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.
What should you include in the recommendation?

  • A: Implement Azure AD Identity Protection.
  • B: Change the Membership type of Group1 to Dynamic User.
  • C: Implement Azure AD Privileged Identity Management.
  • D: Create an access review.

Correct Answer: D

https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#learn-about-access-reviews
Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly, monthly, quarterly or annually, and the reviewers will be notified at the start of each review. Reviewers can approve or deny access with a friendly interface and with the help of smart recommendations.
An administrator creates an access review of Group C with 50 member users and 25 guest users and makes it a self-review: 50 licenses for each user as self-reviewers.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#example-license-scenarios
There are 4 requirements and every single one is only met by access reviews.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#when-should-you-use-access-reviews
Dynamic User is needed if a user must be automatically granted access based on their attributes.
https://techcommunity.microsoft.com/t5/itops-talk-blog/dynamic-groups-in-azure-ad-and-microsoft-365/ba-p/2267494
Implementing Azure AD PIM is not a solution and is absolutely not necessary for access reviews.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#where-do-you-create-reviews









