
Vendor: Microsoft

Exam Code: AZ-303

Exam Name: Microsoft Azure Architect Technologies

Version: 21

AZ-303
Case Study - Contoso, Ltd. (Question 1 - Question 5)
Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner
organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and
maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client
computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS
only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements
Contoso must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile
phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.

QUESTION 1
You need to recommend an identity solution that meets the technical requirements.
What should you recommend?

A. password hash synchronization and single sign-on (SSO)
B. federated single sign-on (SSO) and Active Directory Federation Services (AD FS)

C. Pass-through Authentication and single sign-on (SSO)
D. cloud-only user accounts

Answer: C
Explanation:
With Pass-through Authentication, sign-ins are validated against on-premises Active Directory by the
PTA agents, so neither passwords nor password hashes are ever stored in the cloud in any form.
Password hash synchronization (A) is ruled out because it stores a hash of each user's password hash
in Azure AD. AD FS (B) would also keep credentials on-premises, but it requires more infrastructure
to deploy and maintain, which conflicts with minimizing administrative effort.
Scenario:
Prevent user passwords or hashes of passwords from being stored in Azure.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile
phone to verify their identity.
Minimize administrative effort whenever possible.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

QUESTION 2
Hotspot Question
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Yes
Scenario: Move the existing product blueprint files to Azure Blob storage.
Scenario: Use unmanaged standard storage for the hard disks of the virtual machines. Unmanaged
disks are stored as page blobs, which are optimized for random reads and writes within the blob.
Note: SQL Server Data Files in Microsoft Azure enables native support for SQL Server database files
stored as blobs. It allows you to create a database in SQL Server running on-premises or in a
virtual machine in Microsoft Azure with a dedicated storage location for your data in Microsoft Azure
Blob storage.
Box 2: No
Box 3: No
Reference:
https://docs.microsoft.com/en-us/sql/relational-databases/databases/sql-server-data-files-in-microsoft-azure

QUESTION 3
Hotspot Question
You need to recommend a solution for App1. The solution must meet the technical requirements.
What should you include in the recommendation? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: 3
Box 2: 1
Place the three tiers in a single virtual network and give each tier its own subnet (three subnets).
With one subnet per tier, network security groups on the subnets can restrict traffic to the few ports
each tier needs from its neighbour (for example, HTTPS only into the web front end, SQL only from
the middle tier to the database subnet), which meets the requirement to minimize the number of
open ports between tiers.
Scenario: You have a public-facing application named App1. App1 is comprised of the following
three tiers:
A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS
only.
Technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.

QUESTION 4
You need to implement a backup solution for App1 after the application is moved.
What should you create first?

A. an Azure Backup Server
B. a Recovery Services vault
C. a backup policy
D. a recovery plan

Answer: B
Explanation:
Scenario: Ensure that all the virtual machines for App1 are protected by backups.
You can back up Azure VMs using a couple of methods:
Single Azure VM: You can back up an Azure VM directly from the VM settings.
Multiple Azure VMs: You can set up a Recovery Services vault and configure backup for multiple
Azure VMs.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm

QUESTION 5
You need to move the blueprint files to Azure.
What should you do?

A. Use the Azure Import/Export service.
B. Use Azure Storage Explorer to copy the files.
C. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File
Explorer.
D. Generate an access key. Map a drive, and then copy the files by using File Explorer.

Answer: D
Explanation:
Scenario: Copy the blueprint files to Azure over the Internet.
To mount an Azure file share (map a drive), you need the primary or secondary storage account key;
SAS tokens are not supported for mounting.
Treat the account key as a credential that grants full control of the whole storage account: do not
leave it in scripts or on workstations, and rotate it after the one-off copy.
Incorrect Answers:
A: Azure Import/Export service is used to securely import large amounts of data to Azure Blob
storage and Azure Files by shipping disk drives to an Azure datacenter, which does not meet the
requirement to copy the files over the Internet.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

Mixed Questions
QUESTION 6
You have an Azure subscription that contains 10 virtual machines on a virtual network.
You need to create a graph visualization to display the traffic flow between the virtual machines.
What should you do from Azure Monitor?

A. From Activity log, use quick insights.
B. From Metrics, create a chart.

C. From Logs, create a new query.
D. From Workbooks, create a workbook.

Answer: C
Explanation:
Navigate to Azure Monitor and select Logs to begin querying the data.
Reference:
https://azure.microsoft.com/en-us/blog/analysis-of-network-connection-data-with-azure-monitor-for-virtual-machines/

QUESTION 7
You have an Azure subscription that contains 100 virtual machines.
You have a set of Pester tests in PowerShell that validate the virtual machine environment.
You need to run the tests whenever there is an operating system update on the virtual machines.
The solution must minimize implementation time and recurring costs.
Which three resources should you use to implement the tests? Each correct answer presents part
of the solution.
NOTE: Each correct selection is worth one point.

A. Azure Automation runbook
B. an alert rule
C. an Azure Monitor query
D. a virtual machine that has network access to the 100 virtual machines
E. an alert action group

Answer: ABE
Explanation:
AE: You can call Azure Automation runbooks by using action groups or by using classic alerts to
automate tasks based on alerts.
B: Alerts are one of the key features of Azure Monitor. They allow us to alert on actions within an
Azure subscription
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-create-alert-triggered-runbook
https://techsnips.io/snips/how-to-create-and-test-azure-monitor-alerts/?page=13

QUESTION 8
You have an Azure subscription that contains an Azure Log Analytics workspace.
You have a resource group that contains 100 virtual machines. The virtual machines run Linux.
You need to collect events from the virtual machines to the Log Analytics workspace.
Which type of data source should you configure in the workspace?

A. Syslog
B. Linux performance counters
C. custom fields

Answer: A
Explanation:
Syslog is an event logging protocol that is common to Linux. Applications will send messages that
may be stored on the local machine or delivered to a Syslog collector. When the Log Analytics
agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent.
The agent then sends the message to Azure Monitor where a corresponding record is created.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs

QUESTION 9
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)

No devices are connected to VNet1.


You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of
10.2.0.0/16.
You need to create the peering.
What should you do first?

A. Configure a service endpoint on VNet2.
B. Add a gateway subnet to VNet1.
C. Create a subnet on VNet1 and VNet2.
D. Modify the address space of VNet1.

Answer: D
Explanation:
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates
that VNet1 has an address space of 10.2.0.0/16, which is the same as VNet2, and thus overlaps.
We need to change the address space for VNet1.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

QUESTION 10
You have an Azure subscription.
You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed
to a less expensive offering.
Which blade should you use?

A. Metrics
B. Customer insights
C. Monitor
D. Advisor

Answer: D
Explanation:
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and
underutilized resources. You can get cost recommendations from the Cost tab on the Advisor
dashboard.
Reference:
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

QUESTION 11
You have an Azure App Service app.
You need to implement tracing for the app. The tracing information must include the following:
- Usage trends
- AJAX call responses
- Page load speed by browser
- Server and browser exceptions
What should you do?

A. Configure IIS logging in Azure Log Analytics.
B. Configure a connection monitor in Azure Network Watcher.
C. Configure custom logs in Azure Log Analytics.
D. Enable the Azure Application Insights site extension.

Answer: D
Explanation:
For web pages, Application Insights JavaScript SDK automatically collects AJAX calls as
dependencies.
Note: Some of the things you can track or collect are:
What are the most popular webpages in your application, at what time of day and where is that
traffic coming from?
Dependency rates or response times and failure rates to find out if there's an external service that's
causing performance issues on your app, maybe a user is using a portal to get through to your
application and there are response time issues going through there for instance.
Exceptions for both server and browser information, as well as page views and load performance
from the end users' side.
Reference:
https://azure.microsoft.com/en-us/blog/ajax-collection-in-application-insights/
https://blog.pragmaticworks.com/what-is-application-insights

QUESTION 12
You have an Azure subscription that contains the storage accounts shown in the following table.

You enable Storage Advanced Threat Protection (ATP) for all the storage accounts.
You need to identify which storage accounts will generate Storage ATP alerts.
Which two storage accounts should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. storagecontoso1
B. storagecontoso2
C. storagecontoso3
D. storagecontoso4
E. storagecontoso5

Answer: AB
Explanation:
Storage Threat Detection is available for the Blob Service.

Reference:
https://azure.microsoft.com/en-us/blog/advanced-threat-protection-for-azure-storage-now-in-public-preview/

QUESTION 13
You have an Azure virtual machine named VM1 and an Azure Active Directory (Azure AD) tenant
named adatum.com.
VM1 has the following settings:
- IP address: 10.10.0.10
- System-assigned managed identity: On
You need to create a script that will run from within VM1 to retrieve the authentication token of VM1.
Which address should you use in the script?

A. vm1.adatum.com.onmicrosoft.com
B. 169.254.169.254
C. 10.10.0.10
D. vm1.adatum.com

Answer: B
Explanation:
Your code that's running on the VM can request a token from the Azure Instance Metadata Service
identity endpoint, accessible only from within the VM:
http://169.254.169.254/metadata/identity/oauth2/token
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
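As an added example (not code from the exam page or from Microsoft's SDKs), the following Python builds the IMDS token request the explanation describes and parses the reply. The IMDS response embedded in it is a constructed sample, and the Key Vault audience (https://vault.azure.net) is only one choice of resource; the live call in get_managed_identity_token works only from inside an Azure VM that has a managed identity.

```python
import json
import urllib.parse
import urllib.request

# Link-local IMDS endpoint: reachable only from inside the VM, never routed.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_token_request(resource, client_id=None, api_version=IMDS_API_VERSION):
    """Build the GET request that asks IMDS for a managed-identity token.

    The 'Metadata: true' header is mandatory: IMDS refuses requests without it,
    which blocks naive SSRF relays that cannot set custom headers. client_id is
    only needed when the VM carries several user-assigned identities.
    """
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


def parse_token_response(body):
    """Pull the bearer token and its expiry out of the IMDS JSON reply."""
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "resource": data["resource"],
        "expires_on": int(data["expires_on"]),
    }


def get_managed_identity_token(resource, client_id=None):
    """Run inside VM1: fetch a token for the given resource (e.g. Key Vault)."""
    request = build_imds_token_request(resource, client_id)
    with urllib.request.urlopen(request, timeout=5) as response:
        return parse_token_response(response.read().decode("utf-8"))


# Constructed sample of what IMDS returns; the token value is a placeholder,
# not a real JWT.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.SAMPLE.SIGNATURE",
    "expires_in": "3599",
    "expires_on": "1700003599",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})


if __name__ == "__main__":
    # Offline demonstration of the request shape and of parsing the reply.
    req = build_imds_token_request("https://vault.azure.net")
    print(req.full_url)
    print("Metadata header:", req.get_header("Metadata"))
    print("expires_on:", parse_token_response(SAMPLE_IMDS_RESPONSE)["expires_on"])
```

Any process on the VM can reach 169.254.169.254, so the identity should carry only the permissions VM1's workload needs; on hosts that run untrusted code, restrict which local users may reach the endpoint.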

QUESTION 14
You are designing an Azure solution.
The solution must meet the following requirements:
- Distribute traffic to different pools of dedicated virtual machines
(VMs) based on rules.
- Provide SSL offloading capabilities.
You need to recommend a solution to distribute network traffic.
Which technology should you recommend?

A. Azure Application Gateway
B. Azure Load Balancer
C. Azure Traffic Manager
D. server-level firewall rules

Answer: A
Explanation:
If you require SSL offloading, application-layer (layer 7) treatment, or wish to delegate certificate
management to Azure, use Azure's layer 7 load balancer, Application Gateway, instead of Azure
Load Balancer.
Incorrect Answers:
B: Azure Load Balancer is a layer 4 service that is agnostic to the TCP payload and does not
provide TLS ("SSL") offload.
Reference:
https://docs.microsoft.com/en-us/azure/application-gateway/overview

QUESTION 15
You are implementing authentication for applications in your company. You plan to implement self-
service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory
(Azure AD).
You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Authenticator app
B. Email addresses
C. App passwords
D. Short Message Service (SMS) messages
E. Security questions

Answer: AD
Explanation:
The following authentication mechanisms can be used for both MFA and SSPR:
Short Message Service (SMS) messages
Azure AD passwords
Microsoft Authenticator app
Voice call
Incorrect Answers:
B, E: Email addresses and security questions can be used for SSPR only.
C: App passwords can be used for MFA only, and only in certain cases.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

QUESTION 16
Your company has the groups shown in the following table.

The company has an Azure subscription that contains an Azure Active Directory (Azure AD) tenant
named contoso.com.
An administrator named Admin1 attempts to enable Enterprise State Roaming for all the users in
the Managers groups.
Admin1 reports that the options for Enterprise State Roaming are unavailable from Azure AD.
You verify that Admin1 is assigned the Global administrator role.
You need to ensure that Admin1 can enable Enterprise State Roaming.
What should you do?

A. Assign an Azure AD Privileged Identity Management (PIM) role to Admin1.
B. Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group.
C. Enforce Azure Multi-Factor Authentication (MFA) for Admin1.
D. Purchase an Azure AD Premium P1 license for each user in the Managers group.

Answer: D
Explanation:
Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise
Mobility + Security (EMS) license.
Reference:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/devices/enterprise-state-roaming-enable

QUESTION 17
Your company has an Azure subscription.
You enable multi-factor authentication (MFA) for all users.
The company's help desk reports an increase in calls from users who receive MFA requests while
they work from the company's main office.
You need to prevent the users from receiving MFA requests when they sign in from the main office.
What should you do?

A. From Conditional access in Azure Active Directory (Azure AD), create a named location.
B. From the MFA service settings, create a trusted IP range.
C. From Conditional access in Azure Active Directory (Azure AD), create a custom control.
D. From Azure Active Directory (Azure AD), configure organizational relationships.

Answer: B
Explanation:
Before enabling Multi-Factor Authentication for users, consider the available service settings. One of
the most important is the trusted IPs list, which lets you allow a range of public IP addresses for your
network: users signing in from the office are not prompted for MFA, and they are prompted again
when they take their devices elsewhere. To configure it:
Log in to the Azure portal.
Navigate to Azure AD > Conditional Access > Named locations.
From the top toolbar select Configure MFA trusted IPs.
Trusted IPs only exempts sign-ins whose source address falls within the listed public ranges, so keep
the list to egress addresses you control.
Reference:
https://www.kraftkennedy.com/implementing-azure-multi-factor-authentication/

QUESTION 18
You have an application named App1 that does not support Azure Active Directory (Azure AD)
authentication.
You need to ensure that App1 can send messages to an Azure Service Bus queue. The solution
must prevent App1 from listening to the queue.
What should you do?

A. Configure Access control (IAM) for the Service Bus.
B. Add a shared access policy to the queue.
C. Modify the locks of the queue.
D. Configure Access control (IAM) for the queue.

Answer: B
Explanation:
There are two ways to authenticate and authorize access to Azure Service Bus resources: Azure
Active Directory (Azure AD) and Shared Access Signatures (SAS). Since App1 cannot use Azure AD,
it must use SAS.
Each Service Bus namespace and each Service Bus entity has a Shared Access Authorization
policy made up of rules, and each rule grants some combination of the Manage, Send and Listen
rights. Adding a policy to the queue that grants only Send, and giving App1 the key for that policy
(or a SAS token minted from it), lets App1 send but not listen. Access control (IAM) on the
namespace or the queue (A, D) configures Azure RBAC, which applies only to Azure AD identities.
Reference:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-authentication-and-authorization
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas
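Added example, not code from the exam page or from the Service Bus SDK: a Python model of the SAS mechanism the explanation refers to. It mints a token under a hypothetical Send-only policy and then replays the verification Service Bus performs on receipt, which makes the point concrete: the rights come from the named policy, not from the token, so a token minted under a Send-only policy can never be used to Listen. The policy names, keys and queue URI are constructed sample values.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed sample values, not real credentials. A hypothetical shared access
# policy "SendOnly" on queue1 carrying only the Send right, alongside the
# namespace-level root policy that carries Manage, Send and Listen.
SAMPLE_QUEUE_URI = "https://contoso-sb.servicebus.windows.net/queue1"
SAMPLE_POLICIES = {
    "SendOnly": {"key": "c2FtcGxlLXNlbmQtb25seS1rZXk=", "rights": frozenset({"Send"})},
    "RootManageSharedAccessKey": {
        "key": "c2FtcGxlLXJvb3Qta2V5",
        "rights": frozenset({"Manage", "Send", "Listen"}),
    },
}


def _sign(policy_key, encoded_uri, expiry_epoch):
    """Service Bus SAS signature: base64(HMAC-SHA256(key, '<encoded uri>\\n<expiry>'))."""
    string_to_sign = f"{encoded_uri}\n{expiry_epoch}"
    digest = hmac.new(policy_key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("utf-8")


def generate_sas_token(resource_uri, policy_name, policy_key, expiry_epoch):
    """Mint the token a client such as App1 presents, given a policy key."""
    encoded_uri = urllib.parse.quote_plus(resource_uri)
    signature = _sign(policy_key, encoded_uri, expiry_epoch)
    return (
        "SharedAccessSignature "
        f"sr={encoded_uri}&sig={urllib.parse.quote_plus(signature)}"
        f"&se={expiry_epoch}&skn={policy_name}"
    )


def parse_sas_token(token):
    """Split the token back into its sr/sig/se/skn fields (URL-decoded)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    return dict(urllib.parse.parse_qsl(token[len(prefix):], keep_blank_values=True))


def verify_sas_token(token, policies, now_epoch=None):
    """Model of the check Service Bus performs on receipt.

    Looks up the policy named in skn, recomputes the signature with that policy's
    key, compares in constant time and rejects expired tokens. Returns the rights
    the policy grants, or None when the token is invalid.
    """
    now_epoch = int(time.time()) if now_epoch is None else now_epoch
    fields = parse_sas_token(token)
    try:
        policy = policies[fields["skn"]]
        expiry = int(fields["se"])
        presented_sig = fields["sig"]
        resource = fields["sr"]
    except (KeyError, ValueError):
        return None
    if expiry <= now_epoch:
        return None
    expected_sig = _sign(policy["key"], urllib.parse.quote_plus(resource), expiry)
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    return policy["rights"]


def token_allows(token, policies, right, now_epoch=None):
    """True only if the token verifies and its policy grants the requested right."""
    rights = verify_sas_token(token, policies, now_epoch)
    return rights is not None and right in rights


if __name__ == "__main__":
    expiry = int(time.time()) + 3600
    token = generate_sas_token(SAMPLE_QUEUE_URI, "SendOnly", SAMPLE_POLICIES["SendOnly"]["key"], expiry)
    print(token)
    print("Send allowed:", token_allows(token, SAMPLE_POLICIES, "Send"))
    print("Listen allowed:", token_allows(token, SAMPLE_POLICIES, "Listen"))
```

Renaming the skn field to the root policy does not escalate, because the signature was made with the Send-only key and no longer verifies; scope the policy to the queue rather than the namespace so a leaked key cannot be used against other entities.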

QUESTION 19
An administrator plans to create a function app in Azure that will have the following settings:
- Runtime stack: .NET Core
- Operating System: Linux
- Plan type: Consumption
- Enable Application Insights: Yes
You need to ensure that you can back up the function app.
Which settings should you recommend changing before creating the function app?

A. Runtime stack
B. Enable Application Insights
C. Operating System
D. Plan type

Answer: D
Explanation:
The Backup and Restore feature requires the App Service plan to be in the Standard, Premium or
Isolated tier.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/manage-backup#requirements-and-restrictions

QUESTION 20
You have 10 Azure virtual machines on a subnet named Subnet1. Subnet1 is on a virtual network
named VNet1.
You plan to deploy a public Azure Standard Load Balancer named LB1 to the same Azure region
as the 10 virtual machines.
You need to ensure that traffic from all the virtual machines to the internet flows through LB1. The
solution must prevent the virtual machines from being accessible on the internet.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Add health probes to LB1.
B. Add the network interfaces of the virtual machines to the backend pool of LB1.
C. Add an inbound rule to LB1.
D. Add an outbound rule to LB1.
E. Associate a network security group (NSG) to Subnet1.
F. Associate a user-defined route to Subnet1.

Answer: ABD
Explanation:
A: A health probe lets LB1 monitor the VMs and dynamically add or remove them from rotation
based on their responses to health checks.
B: The backend pool holds the network interfaces (NICs) of the VMs whose traffic LB1 carries.
D: An outbound rule makes the Standard Load Balancer provide SNAT through its public IP for the
backend pool, so all internet-bound traffic from the VMs leaves through LB1. A Standard Load
Balancer is secure by default: without an inbound load-balancing or NAT rule, nothing on the
internet can reach the VMs through LB1, which is why no inbound rule (C) is created.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-manage-portal2

QUESTION 21
You have SQL Server on an Azure virtual machine named SQL1.
You need to automate the backup of the databases on SQL1 by using Automated Backup v2 for
the virtual machines. The backups must meet the following requirements:
- Meet a recovery point objective (RPO) of 15 minutes.
- Retain the backups for 30 days.
- Encrypt the backups at rest.
What should you provision as part of the backup solution?

A. Elastic Database jobs
B. Azure Key Vault
C. an Azure Storage account
D. a Recovery Services vault

Answer: C
Explanation:
An Azure storage account is used for storing Automated Backup files in blob storage. A container
is created at this location to store all backup files. The backup file naming convention includes the
date, time, and database GUID.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/automated-backup

QUESTION 22
You have an Azure subscription that contains an Azure key vault named KeyVault1 and the virtual
machines shown in the following table.

KeyVault1 has an access policy that provides several users with Create Key permissions.
You need to ensure that the users can only register secrets in KeyVault1 from VM1.
What should you do?

A. Create a network security group (NSG) that is linked to Subnet1.
B. Configure the Firewall and virtual networks settings for KeyVault1.
C. Modify the access policy for KeyVault1.
D. Configure KeyVault1 to use a hardware security module (HSM).

Answer: C
Explanation:
You grant data plane access by setting Key Vault access policies for a key vault.
Note 1: Grant our VM's system-assigned managed identity access to the Key Vault.
1. Select Access policies and click Add new.
2. In Configure from template, select Secret Management.
3. Choose Select Principal, and in the search field enter the name of the VM you created earlier.
Select the VM in the result list and click Select.
4. Click OK to finish adding the new access policy, and OK to finish access policy selection.
Note 2: Access to a key vault is controlled through two interfaces: the management plane and the
data plane. The management plane is where you manage Key Vault itself. Operations in this plane
include creating and deleting key vaults, retrieving Key Vault properties, and updating access
policies. The data plane is where you work with the data stored in a key vault. You can add, delete,
and modify keys, secrets, and certificates.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault2

QUESTION 23
You have resources in three Azure regions. Each region contains two virtual machines. Each virtual
machine has a public IP address assigned to its network interface and a locally installed application
named App1.
You plan to implement Azure Front Door-based load balancing across all the virtual machines.
You need to ensure that App1 on the virtual machines will only accept traffic routed from Azure
Front Door.
What should you implement?

A. Azure Private Link
B. service endpoints
C. network security groups (NSGs) with service tags
D. network security groups (NSGs) with application security groups

Answer: C
Explanation:
Configure IP ACLing for your backends to accept traffic from Azure Front Door's backend IP
address space and Azure's infrastructure services only. Refer the IP details below for ACLing your
backend:
Refer AzureFrontDoor.Backend section in Azure IP Ranges and Service Tags for Front Door's IPv4
backend IP address range or you can also use the service tag AzureFrontDoor.Backend in your
network security groups.
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq

QUESTION 24
You have an Azure key vault named KV1.
You need to ensure that applications can use KV1 to provision certificates automatically from an
external certification authority (CA).
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. From KV1, create a certificate issuer resource.
B. Obtain the CA account credentials.
C. Obtain the root CA certificate.
D. From KV1, create a certificate signing request (CSR).
E. From KV1, create a private key,

Answer: CD
Explanation:
C: Obtain the root CA certificate (step 4 below).
D: From KV1, create a certificate signing request (CSR) (step 2 below).
Note: Creating a certificate with a CA not partnered with Key Vault. This method works with CAs
other than Key Vault's partnered providers, so your organization can work with a CA of its choice.

The steps of the process are:
1. Your application creates a certificate, which internally begins by creating a key in your key vault.
2. Key Vault returns to your application a Certificate Signing Request (CSR).
3. Your application passes the CSR to your chosen CA.
4. Your chosen CA responds with an X.509 certificate.
5. Your application completes the new certificate creation by merging the X.509 certificate from
your CA into the pending certificate in Key Vault.
The private key is generated in, and never leaves, the key vault; only the CSR and the signed
certificate travel to and from the CA.
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios

QUESTION 25
You create the following Azure role definition.

You need to create Role1 by using the role definition.
Which two values should you modify before you create Role1? Each correct answer presents part
of the solution.
NOTE: Each correct selection is worth one point.

A. AssignableScopes
B. Description
C. DataActions
D. IsCustom
E. Id

Answer: AD
Explanation:
Part of example:
"IsCustom": true,
"AssignableScopes": [
  "/subscriptions/{subscriptionId1}",
  "/subscriptions/{subscriptionId2}",
  "/subscriptions/{subscriptionId3}"
]
The following shows what a custom role looks like as displayed in JSON format. This custom role
can be used for monitoring and restarting virtual machines.
{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
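Added example (not from the exam page or from the Azure SDK): a Python lint over the role definition above. It reports the two values the question asks about (the Id, which must be omitted so Azure can assign it, and the AssignableScopes placeholders) alongside two over-privilege checks a reviewer would add, then produces a copy ready for creation. The subscription id used for the fixed scope is a constructed placeholder.

```python
import json
import re

# The role definition shown in the question, reproduced as the starting point.
ROLE_DEFINITION_JSON = """
{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}
"""

PLACEHOLDER = re.compile(r"\{[^}]*\}")
# Subscription and resource-group scopes start with /subscriptions/;
# management-group scopes use the providers path.
SCOPE_PREFIXES = ("/subscriptions/", "/providers/Microsoft.Management/managementGroups/")


def load_role(text):
    return json.loads(text)


def lint_custom_role(role):
    """Return a list of problems that would make the definition unusable or unsafe."""
    issues = []
    if role.get("IsCustom") is not True:
        issues.append("IsCustom must be true for a custom role")
    if role.get("Id"):
        issues.append("Id must be omitted; Azure assigns the role GUID on creation")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        issues.append("AssignableScopes must contain at least one scope")
    for scope in scopes:
        if PLACEHOLDER.search(scope):
            issues.append(f"AssignableScopes still contains a placeholder: {scope}")
        elif not scope.startswith(SCOPE_PREFIXES):
            issues.append(f"AssignableScopes entry is not a subscription, resource group or management group: {scope}")
    for action in role.get("Actions", []):
        # A bare wildcard is Owner; non-read Microsoft.Authorization actions let
        # the holder grant themselves more than the role intends.
        if action == "*":
            issues.append("Actions grants '*', which is equivalent to Owner")
        elif action.startswith("Microsoft.Authorization/") and not action.endswith("/read"):
            issues.append(f"Actions allows role assignment or policy changes: {action}")
    return issues


def prepare_custom_role(role, assignable_scopes):
    """Return a copy ready for creation: IsCustom set, Id removed, real scopes in."""
    prepared = {key: value for key, value in role.items() if key != "Id"}
    prepared["IsCustom"] = True
    prepared["AssignableScopes"] = list(assignable_scopes)
    return prepared


PAGE_ROLE = load_role(ROLE_DEFINITION_JSON)
# Constructed subscription id for the example, not a real one.
SAMPLE_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    for issue in lint_custom_role(PAGE_ROLE):
        print("-", issue)
    ready = prepare_custom_role(PAGE_ROLE, [SAMPLE_SCOPE])
    print(json.dumps(ready, indent=2))
    print("issues after fix:", lint_custom_role(ready))
```

Run the lint in the pipeline that feeds the definition to New-AzRoleDefinition or az role definition create, so a definition with placeholders, a hard-coded Id, or a bare wildcard never reaches the tenant.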

QUESTION 26
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.
You are creating a Dockerfile to build a container image.
You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container
image.
Solution: You add the following line to the Dockerfile.
COPY File1.txt /Folder1/
You then build the container image.
Does this meet the goal?

A. Yes
B. No

Answer: A
Explanation:
COPY is the correct Dockerfile instruction to copy a file from the build context into the container image.
Reference:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy
https://docs.docker.com/engine/reference/builder/

QUESTION 27
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.
You are creating a Dockerfile to build a container image.
You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container
image.
Solution: You add the following line to the Dockerfile.
XCOPY File1.txt C:\Folder1\
You then build the container image.
Does this meet the goal?

A. Yes
B. No

Answer: B
Explanation:
COPY is the Dockerfile instruction for copying a file into the image; XCOPY is a Windows command,
not a Dockerfile instruction, so the build fails. Furthermore, the destination root is written as '/'
rather than 'C:\', and backslash-terminated Windows paths are not accepted as a COPY destination.
Reference:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy
https://docs.docker.com/engine/reference/builder/

QUESTION 28
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.
You are creating a Dockerfile to build a container image.
You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container
image.
Solution: You add the following line to the Dockerfile.
ADD File1.txt C:/Folder1/
You then build the container image.
Does this meet the goal?

A. Yes
B. No

Answer: B
Explanation:
COPY is the correct instruction to copy a file into the image; ADD can also be used.
However, the root directory is specified as '/' and not as 'C:/'.
Reference:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy
https://docs.docker.com/engine/reference/builder/

QUESTION 29
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin
center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all
the other identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator
roles.
You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You create an access package.
Does this meet the goal?

A. Yes
B. No

Answer: B
Explanation:
You do not use access packages for Identity Governance. Instead use Azure AD Privileged Identity
Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that
you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview

QUESTION 30
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin
center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all
the other identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator
roles.
You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You purchase an Azure Directory Premium P2 license for contoso.com.
Does this meet the goal?

A. Yes
B. No

Answer: B
Explanation:
Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that
you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

QUESTION 31
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin
center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all
the other identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator
roles.
You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You assign the Global administrator role to Admin1.
Does this meet the goal?

A. Yes
B. No

Answer: B
Explanation:
Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that
you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

QUESTION 32
Your network contains an on-premises Active Directory domain named contoso.com that contains
a member server named Server1.
You have the accounts shown in the following table.

You are installing Azure AD Connect on Server1.
You need to specify the account for Azure AD Connect synchronization. The solution must use the
principle of least privilege.
Which account should you specify?

A. CONTOSO\User2
B. SERVER1\User4
C. CONTOSO\User1
D. CONTOSO\User3

Answer: A
Explanation:
The default Domain User permissions are sufficient.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

QUESTION 33
You have an Azure subscription that contains the web apps shown in the following table.

For which web app can you configure a WebJob?

A. WebApp1
B. WebApp4
C. WebApp2
D. WebApp3

Answer: B
Explanation:
Publishing a .NET Core WebJob to App Service from Visual Studio uses the same tooling as
publishing an ASP.NET Core app.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/webjobs-dotnet-deploy-vs

QUESTION 34
The developers at your company request that you create databases in Azure Cosmos DB as shown
in the following table.

You need to create the Azure Cosmos DB databases to meet the developer request. The solution
must minimize costs.
What are two possible ways to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Create three Azure Cosmos DB accounts, one for the databases that use the Core (SQL) API, one
for CosmosDB2, and one for CosmosDB4.
B. Create two Azure Cosmos DB accounts, one for CosmosDB2 and CosmosDB4 and one for
CosmosDB1 and CosmosDB3.
C. Create one Azure Cosmos DB account for each database.
D. Create three Azure Cosmos DB accounts, one for the databases that use the MongoDB API, one
for CosmosDB1, and one for CosmosDB3.

Answer: BD
Explanation:
Note:
Microsoft recommends using the same API for all access to the data in a given account.
One throughput provisioned container per subscription for SQL, Gremlin API, and Table accounts.
Up to three throughput provisioned collections per subscription for MongoDB accounts.
The throughput provisioned on an Azure Cosmos container is exclusively reserved for that
container. The container receives the provisioned throughput all the time.
Incorrect Answers:
A: DB2 and DB4 can use the same account.
C: The most costly alternative.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/set-throughput#set-throughput-on-a-container

QUESTION 35
You have three Azure SQL Database servers shown in the following table.

You plan to specify sqlserver1 as the primary server in a failover group.
Which servers can be used as a secondary server?

A. sqlserver4 and sqlserver5 only
B. sqlserver2 and sqlserver3 only
C. sqlserver1 and sqlserver3 only
D. sqlserver2 and sqlserver4 only

Answer: D
Explanation:
The Resource Group must be the same.
The secondary server can have another location.
The secondary server cannot be the same as the primary server.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/auto-failover-group-configure

QUESTION 36
You have two Azure SQL Database managed instances in different Azure regions.
You plan to configure the managed instances in an instance failover group.
What should you configure before you can add the managed instances to the instance failover
group?

A. an internal Azure Load Balancer instance that has managed instance endpoints in a backend pool
B. Azure Private Link that has endpoints on two virtual networks
C. an Azure Application Gateway that has managed instance endpoints in a backend pool
D. a Site-to-Site VPN between the virtual networks that contain the instances

Answer: D
Explanation:
For two managed instances to participate in a failover group, there must be either ExpressRoute
or a gateway configured between the virtual networks of the two managed instances to allow
network communication.
You create the two VPN gateways and connect them.
1. Create the gateway for the virtual network of your primary managed instance using the Azure
portal.
2. Create the gateway for the virtual network of your secondary managed instance using the Azure
portal.
3. Create a bidirectional connection between the two gateways of the two virtual networks.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/failover-group-add-instance-tutorial?tabs=azure-portal#4---create-a-primary-gateway

QUESTION 37
Hotspot Question
You plan to create an Azure Storage account in the Azure region of East US 2.
You need to create a storage account that meets the following requirements:
- Replicates synchronously
- Remains available if a single data center in the region fails
How should you configure the storage account? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in
a single region.
LRS would not remain available if a data center in the region fails. GRS and RA-GRS use
asynchronous replication.
Box 2: StorageV2 (general purpose V2)
ZRS only supports GPv2.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs

QUESTION 38
Hotspot Question
You plan to deploy an Azure virtual machine named VM1 by using an Azure Resource Manager
template.
You need to complete the template.
What should you include in the template? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Within your template, the dependsOn element enables you to define one resource as a dependent
on one or more resources. Its value can be a comma-separated list of resource names.
Box 1: 'Microsoft.Network/networkInterfaces'
This resource is a virtual machine. It depends on two other resources:
Microsoft.Storage/storageAccounts
Microsoft.Network/networkInterfaces
Box 2: 'Microsoft.Network/virtualNetworks/'
The dependsOn element enables you to define one resource as a dependent on one or more
resources.
The resource depends on two other resources:
Microsoft.Network/publicIPAddresses
Microsoft.Network/virtualNetworks

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-create-templates-with-dependent-resources

QUESTION 39
Hotspot Question
Your network contains an Active Directory domain named adatum.com and an Azure Active
Directory (Azure AD) tenant named adatum.onmicrosoft.com.
Adatum.com contains the user accounts in the following table.

Adatum.onmicrosoft.com contains the user accounts in the following table.

You need to implement Azure AD Connect. The solution must follow the principle of least privilege.
Which user accounts should you use in Adatum.com and Adatum.onmicrosoft.com to implement
Azure AD Connect? To answer select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: User5
In Express settings, the installation wizard asks for the following:
AD DS Enterprise Administrator credentials
Azure AD Global Administrator credentials
The AD DS Enterprise Admin account is used to configure your on-premises Active Directory.
These credentials are only used during the installation and are not used after the installation has
completed. The Enterprise Admin, not the Domain Admin, should make sure the permissions in
Active Directory can be set in all domains.
Box 2: UserA
Azure AD Global Admin credentials are only used during the installation and are not used after the
installation has completed. It is used to create the Azure AD Connector account used for
synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions

QUESTION 40
Hotspot Question
You have an Azure subscription that contains the resource groups shown in the following table.

You create an Azure Resource Manager template named Template1 as shown in the following
exhibit.

From the Azure portal, you deploy Template1 four times by using the settings shown in the following
table.

What is the result of the deployment? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

QUESTION 41
Hotspot Question
You have an Azure subscription that contains multiple resource groups.
You create an availability set as shown in the following exhibit.

You deploy 10 virtual machines to AS1.
Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: 6
Two out of three update domains would be available, each with at least 3 VMs. An update domain
is a group of VMs and underlying physical hardware that can be rebooted at the same time.
As you create VMs within an availability set, the Azure platform automatically distributes your VMs
across these update domains. This approach ensures that at least one instance of your application
always remains running as the Azure platform undergoes periodic maintenance.
Box 2: the West Europe region and the RG1 resource group
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/regions

QUESTION 42
Hotspot Question
You have an Azure Resource Manager template for a virtual machine named Template1.
Template1 has the following parameters section.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Yes
The Resource group is not specified.
Box 2: No
The default value for the operating system is Windows 2016 Datacenter.
Box 3: Yes
Location has no default value.
Reference:
https://docs.microsoft.com/bs-latn-ba/azure/virtual-machines/windows/ps-template

QUESTION 43
Hotspot Question
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains
the users shown in the following table.

The tenant contains computers that run Windows 10. The computers are configured as shown in
the following table.

You enable Enterprise State Roaming in contoso.com for Group1 and GroupA.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Enterprise State Roaming provides users with a unified experience across their Windows devices
and reduces the time needed for configuring a new device.
Box 1: Yes
Box 2: No
Box 3: Yes
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-overview

QUESTION 44
Hotspot Question
You have an Azure Resource Manager template named Template1 in the library as shown in the
following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax

QUESTION 45
Hotspot Question
Your company hosts multiple websites by using Azure virtual machine scale sets (VMSS) that run
Internet Information Server (IIS).
All network communications must be secured by using end to end Secure Socket Layer (SSL)
encryption. User sessions must be routed to the same server by using cookie-based session affinity.
The image shown depicts the network traffic flow for the websites to the VMSS.

Use the drop-down menus to select the answer choice that answers each question.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Azure Application Gateway
You can create an application gateway with URL path-based redirection using Azure PowerShell.
Box 2: Path-based redirection and Websockets
Reference:
https://docs.microsoft.com/bs-latn-ba/azure/application-gateway/tutorial-url-redirect-powershell

QUESTION 46
Drag and Drop Question
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual
machines connect to the virtual networks.
The virtual networks have the address spaces and the subnets configured as shown in the following
table.

You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the
hosts on VNet1 and VNet2 can communicate.
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:
Step 1: Remove peering between Vnet1 and VNet2.
You can't add address ranges to, or delete address ranges from a virtual network's address space
once a virtual network is peered with another virtual network. To add or remove address ranges,
delete the peering, add or remove the address ranges, then re-create the peering.
Step 2: Add the 10.44.0.0/16 address space to VNet1.
Step 3: Recreate peering between VNet1 and VNet2
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

QUESTION 47
Hotspot Question
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the
following table.

VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2.
An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1. VM1 uses
a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.
You need to move the custom application to VNet2. The solution must minimize administrative
effort.
Which two actions should you perform? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
We cannot just move a virtual machine between networks. What we need to do is identify the disk
used by the VM, delete the VM itself while retaining the disk, and recreate the VM in the target
virtual network and then attach the original disk to it.
Reference:
https://blogs.technet.microsoft.com/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-vnet-on-azure/
https://4sysops.com/archives/move-an-azure-vm-to-another-virtual-network-vnet/#migrate-an-azure-vm-between-vnets

QUESTION 48
Hotspot Question
Your company has an Azure Container Registry named Registry1.
You have an Azure virtual machine named Server1 that runs Windows Server 2019.
From Server1, you create a container image named image1.
You need to add image1 to Registry1.
Which command should you run on Server1? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
An Azure container registry stores and manages private Docker container images, similar to the
way Docker Hub stores public Docker images. You can use the Docker command-line interface
(Docker CLI) for login, push, pull, and other operations on your container registry.
Reference:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli
https://docs.docker.com/engine/reference/commandline/push/

QUESTION 49
Hotspot Question
You are developing an Azure Web App. You configure TLS mutual authentication for the web app.
You need to validate the client certificate in the web app. To answer, select the appropriate options
in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

QUESTION 50
Drag and Drop Question
You are designing a solution to secure a company's Azure resources. The environment hosts 10
teams. Each team manages a project and has a project manager, a virtual machine (VM) operator,
developers, and contractors.

Project managers must be able to manage everything except access and authentication for users.
VM operators must be able to manage VMs, but not the virtual network or storage account to which
they are connected. Developers and contractors must be able to manage storage accounts.
You need to recommend roles for each member.
What should you recommend? To answer, drag the appropriate roles to the correct employee types.
Each role may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Answer:

QUESTION 51
Hotspot Question
Your company has a virtualization environment that contains the virtualization hosts shown in the
following table.

The virtual machines are configured as shown in the following table.

All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption
(BitLocker).
You plan to migrate the virtual machines to Azure by using Azure Site Recovery.
You need to identify which virtual machines can be migrated.
Which virtual machines should you identify for each server? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Incorrect Answers:
VM1 cannot be migrated because it has BitLocker enabled.
VM2 cannot be migrated because the OS disk on VM2 is larger than 2 TB. VMC cannot be migrated
because the data disk on VMC is larger than 4 TB.
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix#azure-vm-requirements

QUESTION 52
Hotspot Question
You have an Azure Active Directory (Azure AD) tenant.
You need to create a conditional access policy that requires all users to use multi-factor
authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings in the
answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa

QUESTION 53
Hotspot Question
You have an Azure Active Directory (Azure AD) tenant that contains the user groups shown in the
following table.

You enable self-service password reset (SSPR) for Group1.

You configure the Notifications settings as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Yes
Notify all admins when other admins reset their passwords: Yes.
Box 2: No
Notify users on password resets: No.
Box 3: No
Notify users on password resets
If this option is set to Yes, then users resetting their password receive an email notifying them that
their password has been changed. The email is sent via the SSPR portal to their primary and
alternate email addresses that are on file in Azure AD. No one else is notified of the reset event.
Notify all admins when other admins reset their passwords
If this option is set to Yes, then all administrators receive an email to their primary email address
on file in Azure AD. The email notifies them that another administrator has changed their password
by using SSPR.
Example: There are four administrators in an environment. Administrator A resets their password
by using SSPR. Administrators B, C, and D receive an email alerting them of the password reset.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr

QUESTION 54
Hotspot Question
You have an Azure logic app named App1 and an Azure Service Bus queue named Queue1.
You need to ensure that App1 can read messages from Queue1. App1 must authenticate by using
Azure Active Directory (Azure AD).
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
On App1: Turn on the managed identity
To use Service Bus with managed identities, you need to assign the identity the role and the
appropriate scope. The procedure in this section uses a simple application that runs under a
managed identity and accesses Service Bus resources.
Once the application is created, follow these steps:
1. Go to Settings and select Identity.
2. Select the Status to be On.
3. Select Save to save the setting.
On Queue1: Configure Access Control (IAM)
Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-
based access control (RBAC). Azure Service Bus defines a set of built-in RBAC roles that
encompass common sets of permissions used to access Service Bus entities and you can also
define custom roles for accessing the data.
Assign RBAC roles using the Azure portal
In the Azure portal, navigate to your Service Bus namespace. Select Access Control (IAM) on the
left menu to display access control settings for the namespace.
Select the Role assignments tab to see the list of role assignments. Select the Add button on the
toolbar and then select Add role assignment.
Reference:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/authenticate-application
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-managed-service-identity

QUESTION 55
Hotspot Question
You have an Azure subscription.
You plan to deploy an app that has a web front end and an application tier.
You need to recommend a load balancing solution that meets the following requirements:
Internet to web tier:
- Provides URL-based routing
- Supports connection draining
- Prevents SQL injection attacks
Web tier to application tier:
- Provides port forwarding
- Supports HTTPS health probes
- Supports an availability set as a backend pool
Which load balancing solution should you recommend for each tier? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: An Azure Application Gateway that has a web application firewall (WAF)
Azure Application Gateway offers a web application firewall (WAF) that provides centralized
protection of your web applications from common exploits and vulnerabilities. Web applications are
increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection
and cross-site scripting are among the most common attacks.
Application Gateway operates as an application delivery controller (ADC). It offers Secure Sockets
Layer (SSL) termination, cookie-based session affinity, round-robin load distribution, content-based
routing, ability to host multiple websites, and security enhancements.
Box 2: An internal Azure Standard Load Balancer
The internet to web tier is the public interface, while the web tier to application tier should be internal.
Note: When using load-balancing rules with Azure Load Balancer, you need to specify a health
probe to allow Load Balancer to detect the backend endpoint status.
Health probes support the TCP, HTTP, and HTTPS protocols.
Reference:
https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview

QUESTION 56
Hotspot Question
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1.
You add the users in the following table.

Which user can perform each configuration? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: User1 only.
User1: The Owner Role lets you manage everything, including access to resources. Not User3:
The Network Contributor role lets you manage networks, but not access to them.
Box 2: User1 and User2 only
The Security Admin role: In Security Center only: Can view security policies, view security states,
edit security policies, view alerts and recommendations, dismiss alerts and recommendations.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

QUESTION 57
Hotspot Question
A company runs multiple Windows virtual machines (VMs) in Azure.
The IT operations department wants to apply the same policies as they have for on-premises VMs
to the VMs running in Azure, including domain administrator permissions and schema extensions.
You need to recommend a solution for the hybrid scenario that minimizes the amount of
maintenance required.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Join the VMs to a new domain controller VM in Azure
Azure provides two solutions for implementing directory and identity services in Azure:
(Used in this scenario) Extend your existing on-premises Active Directory infrastructure to Azure,
by deploying a VM in Azure that runs AD DS as a Domain Controller. This architecture is more
common when the on-premises network and the Azure virtual network (VNet) are connected by a
VPN or ExpressRoute connection.
Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises
Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.
Box 2: Set up VPN connectivity.
This architecture is more common when the on-premises network and the Azure virtual network
(VNet) are connected by a VPN or ExpressRoute connection.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/

QUESTION 79
You have an Azure subscription that contains the Azure virtual machines shown in the following
table.

You create an Azure key vault named Vault1 in the East US location.

You need to identify which virtual machines can enable Azure Disk Encryption by using Vault1.
Which virtual machines should you identify?

A. VM2 and VM3 only
B. VM1, VM2, and VM4 only
C. VM1, VM2, and VM3 only
D. VM3 only

Answer: B
Explanation:
Your key vault and VMs must reside in the same Azure region and subscription.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview

QUESTION 80
A company is migrating an existing on-premises third-party website to Azure. The website is
stateless.
The company does not have access to the source code for the website. They have the original
installer.
The number of visitors at the website varies throughout the year. The on-premises infrastructure
was resized to accommodate peaks but the extra capacity was not used.
You need to implement a virtual machine scale set instance.
What should you do?

A. Use a webhook to log autoscale failures.
B. Use an autoscale setting to scale instances vertically.
C. Use only default diagnostics metrics to trigger autoscaling.
D. Use an autoscale setting to define more profiles that have one or more autoscale rules.

Answer: C
Explanation:
In-guest VM metrics with the Azure diagnostics extension
The Azure diagnostics extension is an agent that runs inside a VM instance. The agent monitors and saves performance metrics to Azure
storage. These performance metrics contain more detailed information about the status of the VM,
such as AverageReadTime for disks or PercentIdleTime for CPU. You can create autoscale rules
based on a more detailed awareness of the VM performance, not just the percentage of CPU usage
or memory consumption.
References:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-
autoscale-overview

QUESTION 81
Note: This question is part of series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have an Azure Cosmos DB database that contains a container named Container1. The
partition key for Container1 is set to /day. Container1 contains the items shown in the following
table.

You need to programmatically query Azure Cosmos DB and retrieve item1 and item2 only.
Solution: You run the following query.

You set the EnableCrossPartitionQuery property to False.


Does this meet the goal?

A. Yes
B. No

Answer: B

QUESTION 82
Note: This question is part of series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have an Azure Cosmos DB database that contains a container named Container1. The
partition key for Container1 is set to /day. Container1 contains the items shown in the following
table.

You need to programmatically query Azure Cosmos DB and retrieve item1 and item2 only.
Solution: You run the following query.

You set the EnableCrossPartitionQuery property to True.


Does this meet the goal?

A. Yes
B. No

Answer: B

QUESTION 83
Note: This question is part of series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have an Azure Cosmos DB database that contains a container named Container1. The
partition key for Container1 is set to /day. Container1 contains the items shown in the following
table.

You need to programmatically query Azure Cosmos DB and retrieve item1 and item2 only.
Solution: You run the following query.

You set the EnableCrossPartitionQuery property to True.


Does this meet the goal?

A. Yes
B. No

Answer: A

QUESTION 84
Your company is developing an e-commerce Azure App Service Web App to support hundreds of
restaurant locations around the world.
You are designing the messaging solution architecture to support the e-commerce transactions
and messages. The e-commerce application has the following features and requirements:

You need to choose the Azure messaging solution to support the Shopping Cart feature.
Which Azure service should you use?

A. Azure Service Bus
B. Azure Relay
C. Azure Event Grid
D. Azure Event Hub

Answer: A
Explanation:
Microsoft Azure Service Bus is a fully managed enterprise integration message broker. Service
Bus is most commonly used to decouple applications and services from each other, and is a reliable
and secure platform for asynchronous data and state transfer.
One common scenario is messaging: transferring business data, such as sales or purchase orders,
journals, or inventory movements.
Incorrect Answers:
B: The Azure Relay service enables you to securely expose services that run in your corporate
network to the public cloud.
References:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview

QUESTION 85
Your company is developing an e-commerce Azure App Service Web App to support hundreds of
restaurant locations around the world.
You are designing the messaging solution architecture to support the e-commerce transactions
and messages. The e-commerce application has the following features and requirements:

You need to choose the Azure messaging solution to support the Restaurant Telemetry feature.
Which Azure service should you use?

A. Azure Relay
B. Azure Event Grid
C. Azure Event Hub
D. Azure Service Bus

Answer: C
Explanation:
Azure Event Hubs is a big data pipeline. It facilitates the capture, retention, and replay of telemetry
and event stream data. The data can come from many concurrent sources. Event Hubs allows
telemetry and event data to be made available to a variety of stream-processing infrastructures and
analytics services. It is available either as data streams or bundled event batches. This service
provides a single solution that enables rapid data retrieval for real-time processing as well as
repeated replay of stored raw data. It can capture the streaming data into a file for processing and
analysis.
It has the following characteristics:
low latency
capable of receiving and processing millions of events per second
at least once delivery
Note: Comparison of services

References:
https://docs.microsoft.com/en-us/azure/event-grid/compare-messaging-services

QUESTION 86
Hotspot Question
You have an Azure subscription.
You plan to deploy two Azure web apps that have the requirements shown in the following table.

You need to select the App Service plans for the web apps. The solution must minimize costs.
Which App Service plan should you select for each web app? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Reference:
https://azure.microsoft.com/en-us/pricing/details/app-service/plans/

QUESTION 87
Hotspot Question
You have an Azure subscription that contains the storage account shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: No
Azure Files supports two storage tiers: premium and standard. Standard file shares are created in
general purpose (GPv1 or GPv2) storage accounts and premium file shares are created in
FileStorage storage accounts.
You cannot create Azure file shares from Blob storage accounts or premium general purpose
(GPv1 or GPv2) storage accounts. Standard Azure file shares must be created in standard general
purpose accounts only, and premium Azure file shares must be created in FileStorage storage
accounts only. Premium general purpose (GPv1 and GPv2) storage accounts are for premium page
blobs only.
Box 2: Yes
Geo-redundant storage (GRS) brings additional redundancy to the data storage over both LRS or
ZRS. Along with the three copies of your data stored within a single region, a further three copies
are stored in the twinned Azure region. So using GRS means you get all the features of the LRS
storage within your primary zone, but you also get a second LRS data storage in a neighbouring
Azure region. This data is updated asynchronously, so there is a small lag between the 2 data sets,
but for most cases this is acceptable.
Box 3: Yes
Standard Blob Storage can use either LRS or GRS.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-faq
https://www.skylinesacademy.com/blog/2019/7/31/azure-storage-replication
https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction

QUESTION 88
Hotspot Question
You create and save an Azure Resource Manager template named Template1 that includes the
following four sections.
Section1.

Section2.

Section3.

Section4.

You deploy Template1.


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

QUESTION 89
Hotspot Question
You have an Azure subscription that contains the resource groups shown in the following table.

RG1 contains the virtual machines shown in the following table.

RG2 contains the virtual machines shown in the following table.

All the virtual machines are configured to use premium disks and are accessible from the Internet.
VM1 and VM2 are in an availability set named AVSET1. VM3 and VM4 are in the same availability
zone and are in an availability set named AVSET2. VM5 and VM6 are in different availability zones.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Yes
VM1 and VM2 are in an availability set named AVSET1.
For all Virtual Machines that have two or more instances deployed in the same Availability Set, we
[Microsoft] guarantee you will have Virtual Machine Connectivity to at least one instance at least
99.95% of the time.
Box 2: No
VM3 and VM4 are in the same availability zone and are in an availability set named AVSET2.
Box 3: Yes
VM5 and VM6 are in different availability zones.
For all Virtual Machines that have two or more instances deployed across two or more Availability
Zones in the same Azure region, we [Microsoft] guarantee you will have Virtual Machine
Connectivity to at least one instance at least 99.99% of the time.
References:
https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_8/

QUESTION 90
Drag and Drop Question
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You install a line-of-business application on VM1.
You need to create an Azure virtual machine by using VM1 as a custom image.
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:
Step 1: Run sysprep.exe on VM1.
If a template, or system image is used, System administrators must run the Sysprep tool to clear
the SID information. The Sysprep tool is usually one of the last tasks performed by a system
administrator when building a server image/template, that way each clone of the template will
generalize a new unique SID for every server image copied from the template and will prepare the
server for a first time boot.
The end result is a System template that functions as a new unique build every time it is deployed.
Step 2: From Azure CLI, deallocate VM1 and mark VM1 as generalized.
To create an image, the VM needs to be deallocated. Deallocate the VM with Stop-AzVm. Then, set
the state of the VM as generalized with Set-AzVm so that the Azure platform knows the VM is ready
for use as a custom image.
Step 3: Create a virtual machine scale set.
Now create a scale set with New-AzVmss that uses the -ImageName parameter to define the
custom VM image created in the previous step.

References:
https://thesolving.com/server-room/when-and-how-to-use-sysprep/
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-use-custom-image-
powershell

QUESTION 91
Hotspot Question
You plan to deploy an Azure virtual machine named VM1 by using an Azure Resource Manager
template.
You need to complete the template.
What should you include in the template? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Within your template, the dependsOn element enables you to define one resource as a dependent
on one or more resources. Its value can be a comma-separated list of resource names.
Box 1: 'Microsoft.Network/networkInterfaces'
This resource is a virtual machine. It depends on two other resources:
Microsoft.Storage/storageAccounts
Microsoft.Network/networkInterfaces
Box 2: 'Microsoft.Network/virtualNetworks/'
The dependsOn element enables you to define one resource as a dependent on one or more
resources.
The resource depends on two other resources:
Microsoft.Network/publicIPAddresses
Microsoft.Network/virtualNetworks

References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-
create-templates-with-dependent-resources
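The dependsOn mechanism described above is a dependency graph: Resource Manager must deploy every resource after the resources it names. The following added example (not the exam's template and not Microsoft's code) parses a constructed template whose resource graph follows the explanation, reports dependsOn entries that point at resources the template never declares, and derives a deployment order with a topological sort. The resource names stor1, pip1, vnet1 and nic1 are assumptions; the "type/name" form of dependsOn entries is one of the forms Resource Manager accepts.

```python
"""Check ARM template dependsOn references and derive a deployment order.

Added example: the template below is constructed to match the explanation
(a VM depending on a storage account and a NIC; the NIC depending on a public
IP and a virtual network). It is not the template from the exam question.
"""
import json
from graphlib import TopologicalSorter

# Constructed template; the resource names are assumptions for illustration.
TEMPLATE_JSON = """
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stor1", "apiVersion": "2019-06-01"},
    {"type": "Microsoft.Network/publicIPAddresses", "name": "pip1", "apiVersion": "2019-11-01"},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet1", "apiVersion": "2019-11-01"},
    {"type": "Microsoft.Network/networkInterfaces", "name": "nic1", "apiVersion": "2019-11-01",
     "dependsOn": ["Microsoft.Network/publicIPAddresses/pip1",
                   "Microsoft.Network/virtualNetworks/vnet1"]},
    {"type": "Microsoft.Compute/virtualMachines", "name": "VM1", "apiVersion": "2019-07-01",
     "dependsOn": ["Microsoft.Storage/storageAccounts/stor1",
                   "Microsoft.Network/networkInterfaces/nic1"]}
  ]
}
"""

# Same template, but VM1 now depends on a storage account that is never declared.
BAD_TEMPLATE_JSON = TEMPLATE_JSON.replace(
    '"Microsoft.Storage/storageAccounts/stor1"',
    '"Microsoft.Storage/storageAccounts/missing"',
)


def resource_id(res):
    """The 'type/name' form that a dependsOn entry may use to reference a resource."""
    return f"{res['type']}/{res['name']}"


def dependency_graph(template_text):
    """Map each declared resource id to the set of resource ids it depends on."""
    template = json.loads(template_text)
    return {resource_id(r): set(r.get("dependsOn", [])) for r in template["resources"]}


def unresolved_dependencies(template_text):
    """Return (resource, dependency) pairs whose dependency is not declared in the template."""
    graph = dependency_graph(template_text)
    return [(rid, dep)
            for rid, deps in graph.items()
            for dep in sorted(deps)
            if dep not in graph]


def deployment_order(template_text):
    """Topological order: every resource appears after everything it depends on.

    Raises ValueError when a dependsOn entry cannot be resolved, which is what a
    deployment would also fail on, only later and after partial deployment.
    """
    missing = unresolved_dependencies(template_text)
    if missing:
        raise ValueError(f"unresolved dependsOn references: {missing}")
    return list(TopologicalSorter(dependency_graph(template_text)).static_order())


if __name__ == "__main__":
    for rid in deployment_order(TEMPLATE_JSON):
        print(rid)
    print("unresolved in bad template:", unresolved_dependencies(BAD_TEMPLATE_JSON))
```

Running the check before deployment catches a mistyped dependsOn entry, which otherwise only surfaces as a failed deployment after the independent resources have already been created.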

QUESTION 92
Hotspot Question
You plan to create a virtual machine as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: is guaranteed to remain the same
OS disk type: Premium SSD
Premium SSD Managed Disks are high performance Solid State Drive (SSD) based Storage
designed to support I/O intensive workloads with significantly high throughput and low latency. With
Premium SSD Managed Disks, you can provision a persistent disk and configure its size and
performance characteristics.
Box 2: secure enclaves
Virtual machine size: Standard_DC2s
DC-series virtual machines are a new family of VMs to protect the confidentiality and integrity of
your data and code while it's processed in Azure through the use of secure enclaves.
Incorrect:
Not dm-crypt: Azure Disk Encryption helps protect and safeguard your data to meet your
organizational security and compliance commitments. It uses the BitLocker feature of Windows and
the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure
virtual machines (VMs).
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-types
https://azure.microsoft.com/en-us/pricing/details/virtual-machines/series/

QUESTION 93
Hotspot Question
You have an Azure Resource Manager template for a virtual machine named Template1.
Template1 has the following parameters section.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Yes
The Resource group is not specified.
Box 2: No
The default value for the operating system is Windows 2016 Datacenter.
Box 3: Yes
Location has no default value.
References:
https://docs.microsoft.com/bs-latn-ba/azure/virtual-machines/windows/ps-template

QUESTION 94
Hotspot Question
Your network contains an Active Directory domain that is synced to Azure Active Directory (Azure
AD) as shown in the following exhibit.

You have a user account configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: No
Password writeback is disabled.
Note: Having a cloud-based password reset utility is great, but most companies still have an on-
premises directory where their users exist. How does Microsoft support keeping traditional on-
premises Active Directory (AD) in sync with password changes in the cloud? Password writeback
is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written
back to an existing on-premises directory in real time.
Box 2: No
Box 3: Yes
Yes, there is an Edit link for Location Info.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

QUESTION 95
Hotspot Question
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains
the users shown in the following table.

The tenant contains computers that run Windows 10. The computers are configured as shown in
the following table.

You enable Enterprise State Roaming in contoso.com for Group1 and GroupA.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Enterprise State Roaming provides users with a unified experience across their Windows devices
and reduces the time needed for configuring a new device.
Box 1: Yes
Box 2: No
Box 3: Yes
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-overview

QUESTION 96
Drag and Drop Question
You have virtual machines (VMs) that run a mission-critical application.
You need to ensure that the VMs never experience downtime.
What should you recommend? To answer, drag the appropriate solutions to the correct scenarios.
Each solution may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Scale set
A virtual machine scale set allows you to deploy and manage a set of identical, autoscaling virtual
machines.
Box 2: Availability Set
An Availability Set is a logical grouping capability for isolating VM resources from each other when
they're deployed. Azure makes sure that the VMs you place within an Availability Set run across
multiple physical servers, compute racks, storage units, and network switches. If a hardware or
software failure happens, only a subset of your VMs are impacted and your overall solution stays
operational. Availability Sets are essential for building reliable cloud solutions.
Box 3: Fault domain
A fault domain is a logical group of underlying hardware that share a common power source and
network switch, similar to a rack within an on-premises datacenter. As you create VMs within an
availability set, the Azure platform automatically distributes your VMs across these fault domains.
This approach limits the impact of potential physical hardware failures, network outages, or power
interruptions.
Incorrect Answers:
An update domain is a group of VMs and underlying physical hardware that can be rebooted at the
same time.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-create-vmss
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

QUESTION 97
Hotspot Question
You have an Azure web app named App1 that has the following configurations:
- The app runs on three instances.
- The minimum number of instances is one.
- The maximum number of instances is five.
You create the following autoscale rules for App1:
- Decrease the instance count by one when the CPU percentage is less than 30.
- Decrease the instance count by one when the memory percentage is less than 50.
- Increase the instance count by one when the CPU percentage is greater than 80.
- Increase the instance count by one when the memory percentage is greater than 75.
You expect App1 to be utilized as shown in the following table.

You need to identify the maximum number of instances that will be used by App1 during the
expected periods of utilization.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
On scale out, autoscale runs if any rule is met. On scale-in, autoscale requires all rules to be met.
Therefore, the web app will scale out but will never scale back in because there is no time where
the CPU is less than 30% AND the memory is less than 50%.
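The rule-evaluation semantics in this explanation (scale out when any scale-out rule is met, scale in only when every scale-in rule is met) can be checked by simulating the four rules from the question against sample load. The block below is an added example, not the exam's utilization table and not Azure's own code: the utilization samples are constructed, and real autoscale details such as cooldown periods and metric aggregation windows are deliberately left out.

```python
"""Simulate Azure Monitor autoscale rule evaluation for the App1 rules.

Added example. The four rules and the instance limits come from the question;
the utilization samples are constructed. Cooldown and aggregation windows are
not modelled, so each sample is treated as one evaluation.
"""
from dataclasses import dataclass

MIN_INSTANCES = 1
MAX_INSTANCES = 5


@dataclass(frozen=True)
class Rule:
    metric: str       # "cpu" or "memory"
    op: str           # "gt" (greater than) or "lt" (less than)
    threshold: float  # percentage
    delta: int        # +1 for a scale-out rule, -1 for a scale-in rule


# The autoscale rules from the question.
RULES = [
    Rule("cpu", "lt", 30, -1),
    Rule("memory", "lt", 50, -1),
    Rule("cpu", "gt", 80, +1),
    Rule("memory", "gt", 75, +1),
]

# Constructed utilization samples (percent), one per evaluation period.
SAMPLE_UTILIZATION = [
    {"cpu": 85, "memory": 60},  # CPU over 80: scale out
    {"cpu": 90, "memory": 80},  # both scale-out rules met: scale out
    {"cpu": 20, "memory": 60},  # CPU under 30 but memory not under 50: no scale-in
    {"cpu": 40, "memory": 40},  # memory under 50 but CPU not under 30: no scale-in
    {"cpu": 20, "memory": 40},  # both scale-in rules met: scale in
]


def rule_met(rule, sample):
    value = sample[rule.metric]
    return value > rule.threshold if rule.op == "gt" else value < rule.threshold


def next_instance_count(current, sample, rules=RULES):
    """One evaluation: any scale-out rule adds an instance; scale-in needs all scale-in rules."""
    scale_out = [r for r in rules if r.delta > 0]
    scale_in = [r for r in rules if r.delta < 0]
    if any(rule_met(r, sample) for r in scale_out):
        return min(current + 1, MAX_INSTANCES)
    if scale_in and all(rule_met(r, sample) for r in scale_in):
        return max(current - 1, MIN_INSTANCES)
    return current


def simulate(start, samples, rules=RULES):
    """Instance count after each sample, starting from `start` instances."""
    counts = []
    current = start
    for sample in samples:
        current = next_instance_count(current, sample, rules)
        counts.append(current)
    return counts


def max_instances(start, samples, rules=RULES):
    return max(simulate(start, samples, rules))


if __name__ == "__main__":
    # App1 starts on three instances.
    print(simulate(3, SAMPLE_UTILIZATION))
    print("maximum instances:", max_instances(3, SAMPLE_UTILIZATION))
```

The third and fourth samples are the point: a single low metric is never enough to scale in, so a memory-heavy app that idles its CPU stays at the scaled-out count and keeps accruing cost until both metrics drop below their thresholds at the same time.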

QUESTION 98
Hotspot Question
From Azure Cosmos DB, you create the containers shown in the following table.

You add the following item to Container1.

You plan to add items to Azure Cosmos DB as shown in the following table.

You need to identify which items can be added successfully to Container1 and Container2.
What should you identify for each container? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.

Answer:

QUESTION 99
Your company has an office in Seattle.
You have an Azure subscription that contains a virtual network named VNET1. You create a site-
to-site VPN between the Seattle office and VNET1.
VNET1 contains the subnets shown in the following table.

You need to redirect all Internet-bound traffic from Subnet1 to the Seattle office.
What should you create?

A. a route for GatewaySubnet that uses the virtual network gateway as the next hop
B. a route for GatewaySubnet that uses the local network gateway as the next hop
C. a route for Subnet1 that uses the local network gateway as the next hop
D. a route for Subnet1 that uses the virtual network gateway as the next hop

Answer: D
Explanation:

A route with the 0.0.0.0/0 address prefix instructs Azure how to route traffic destined for an IP
address that is not within the address prefix of any other route in a subnet's route table. When a
subnet is created, Azure creates a default route to the 0.0.0.0/0 address prefix, with the Internet
next hop type. We need to create a custom route in Azure to use a virtual network gateway in the
Seattle office as the next hop.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
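The route selection described in this explanation can be made concrete: Azure picks the route with the longest matching prefix, and when a user-defined route has the same prefix as a system route, the user-defined route wins, which is why a custom 0.0.0.0/0 route on Subnet1 overrides the default Internet route. The following added example (not Azure's code and not from the exam) resolves next hops for a subnet's effective routes; the VNET1 address space 10.0.0.0/16 is an assumption, and the BGP route tier that sits between user-defined and system routes is not modelled.

```python
"""Resolve the effective next hop for a subnet's route table.

Added example. Models two Azure rules from the UDR documentation: longest
prefix match, and a user-defined route overriding a system route with the
same prefix. The VNET1 address space below is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str   # e.g. "Internet", "VirtualNetwork", "VirtualNetworkGateway"
    source: str     # "Default" for a system route, "User" for a user-defined route


# System routes Azure creates for every subnet in the VNet (address space assumed).
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]

# Subnet1 with the route from the answer: 0.0.0.0/0 via the virtual network gateway,
# so Internet-bound traffic crosses the site-to-site VPN to the Seattle office.
SUBNET1_ROUTES = SYSTEM_ROUTES + [Route("0.0.0.0/0", "VirtualNetworkGateway", "User")]


def effective_route(destination, routes):
    """Return the route Azure would apply to `destination`, or None if nothing matches."""
    dest = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if dest not in net:
            continue
        if best is None:
            best = route
            continue
        best_len = ipaddress.ip_network(best.prefix).prefixlen
        longer = net.prefixlen > best_len
        # Same prefix length: a user-defined route takes priority over a system route.
        overrides = net.prefixlen == best_len and route.source == "User" and best.source != "User"
        if longer or overrides:
            best = route
    return best


def effective_next_hop(destination, routes):
    route = effective_route(destination, routes)
    return route.next_hop if route else None


if __name__ == "__main__":
    for dst in ("10.0.1.5", "203.0.113.10"):
        print(dst, "->", effective_next_hop(dst, SYSTEM_ROUTES), "| with UDR:",
              effective_next_hop(dst, SUBNET1_ROUTES))
```

Intra-VNet traffic still matches the more specific 10.0.0.0/16 system route, so only traffic that would otherwise leave for the Internet is redirected; the route is attached to Subnet1, the subnet whose traffic is being forced through the tunnel, not to the GatewaySubnet. Forcing egress through the office this way puts the on-premises inspection and logging stack in front of all outbound traffic from Subnet1, which is the usual reason to configure it.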

QUESTION 100
You have an Azure subscription that contains the resources shown in the following table.

Subnet1 is on VNET1. VM1 connects to Subnet1.


You plan to create a virtual network gateway on VNET1.
You need to prepare the environment for the planned virtual network gateway.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Modify the address space used by VNET1.
B. Modify the address space used by Subnet1.
C. Create a subnet named GatewaySubnet on VNET1.
D. Create a local network gateway.
E. Delete Subnet1.

Answer: AE

QUESTION 108
Note: This question is part of series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin
center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all
the other Identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator
roles.
You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You create an access package.
Does this meet the goal?

A. Yes
B. No

Answer: B
Explanation:
You do not use access packages for Identity Governance. Instead use Azure AD Privileged Identity
Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that
you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-
configure
https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-
overview

QUESTION 109
Note: This question is part of series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin
center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all
the other Identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator
roles.
You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You assign the Service administrator role to Admin1.
Does this meet the goal?

A. Yes
B. No

Answer: B
Explanation:
Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that
you care about. Key features of PIM include:
Conduct access reviews to ensure users still need roles
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-
configure

QUESTION 110
Drag and Drop Question
You have an Azure subscription that contains the resources shown in the following table.

In RG2, you need to create a new virtual machine named VM2 that will connect to VNET1. VM2
will use a network interface named VM2_Interface.
In which region should you create VM2 and VM2_Interface? To answer, drag the appropriate
regions to the correct targets. Each region may be used once, more than once, or not at all. You
may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
VM2: West US
In RG2, which is in West US, you need to create a new virtual machine named VM2.
VM2_interface: East US
VM2 will use a network interface named VM2_Interface to connect to VNET1, which is in East US.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/associate-public-ip-address-vm

QUESTION 111
You have an Azure subscription that contains the web apps shown in the following table.

For which web app can you configure a WebJob?

A. WebApp4
B. WebApp3
C. WebApp1
D. WebApp2

Answer: A
Explanation:
Publishing a .NET Core WebJob to App Service from Visual Studio uses the same tooling as
publishing an ASP.NET Core app.
References:
https://docs.microsoft.com/en-us/azure/app-service/webjobs-dotnet-deploy-vs

QUESTION 112
You create a container image named Image1 on a developer workstation.
You plan to create an Azure Web App for Containers named WebAppContainer that will use
Image1.
You need to upload Image1 to Azure. The solution must ensure that WebAppContainer can use
Image1.
To which storage type should you upload Image1?

A. Azure Container Registry
B. an Azure Storage account that contains a blob container
C. an Azure Storage account that contains a file share
D. Azure Container Instances

Answer: A
Explanation:
Configure registry credentials in web app.
App Service needs information about your registry and image to pull the private image. In the Azure
portal, go to Container settings from the web app and update the Image source, Registry and save.
References:
https://docs.microsoft.com/en-us/azure/devops/pipelines/targets/webapp-on-container-linux

QUESTION 113
A company's development team is currently developing a Docker/Go based application. The
application needs to be deployed to the Azure Web App service using containers on the Linux
platform.
Currently there are no resource groups in place in the company's Azure account that support the
Linux platform.
You must advise on the necessary and minimum number of steps to provide the ability to host the
application in the company's Azure account.
Which of the following Azure CLI commands would you recommend implementing for this
requirement? (Choose three)

A. az group update
B. az webapp update
C. az group create
D. az appservice plan create
E. az webapp create

Answer: CDE
Explanation:

https://docs.microsoft.com/en-us/azure/app-service/containers/quickstart-docker-go

QUESTION 114
A company has an on-premise setup and a setup defined in Azure. They have gone ahead and
created an Azure Logic App named lead2pass-app. They need this app to query an on-premise
SQL database server.
Which of the following steps need to be performed to fulfil this requirement? (Choose three)

A. Create a Virtual Machine in Azure
B. Install the On-premise data gateway on the Azure Virtual Machine
C. From the Azure portal, create an on-premise data gateway
D. On a computer in the on-premise network, install an on-premise data gateway
E. From the Logic App Designer, add a connector

Answer: CDE
Explanation:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-connection

QUESTION 115
Your company needs to migrate a Virtual Machine, lead2pass-vm, hosted in Amazon Web Services
to Azure using Azure Site Recovery. The following resources have been created for the
implementation:
- A Virtual Network in Azure
- A Replication Policy
- A Recovery Services vault
- An Azure storage account
Which of the following steps would you carry out for the migration? (Choose three)

A. Install Azure Site Recovery Unified Setup
B. Enable Windows Powershell remoting on whizlabs-vm
C. Enable replication for whizlabs-vm
D. Create an Azure Migrate project
E. Deploy another server in Amazon Web Services as the configuration server

Answer: ACE
Explanation:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-aws-azure

QUESTION 116
A company wants to sync their on-premise AD with Azure AD. They have setup Azure AD connect
and configured the setup for Password hash synchronization, Single Sign-On and staging mode is
also enabled. After an initial review it can be seen that the Synchronization Service Manager is not
displaying any sync jobs.
Which of the following step would need to be carried out to resolve this issue?

A. Be sure to configure Azure AD for Pass-through Authentication
B. Run a full import using the Service Manager
C. From Azure AD Connect, ensure to disable staging mode
D. Run a full import from the local on-premise AD

Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-staging-server

QUESTION 117
A company has an on-premise network. They want to setup a site-to-site VPN connection with an
Azure Virtual Network named lead2pass-net. The Virtual Network has an address space of
10.0.0.0/16. It also has a subnet with an address space 10.0.0.0/24.
Which of the following steps would you implement for the Site to Site VPN connection? (Choose 4)

A. Create a gateway subnet
B. Create a new DNS domain
C. Create a local gateway
D. Create a data gateway
E. Create a VPN gateway
F. Create a VPN connection

Answer: ACEF
Explanation:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-
manager-portal

QUESTION 118
A company has a number of VMWare Virtual Machines that need to be migrated onto Azure. You
first have to discover and assess the virtual machines for the migration.
Which of the following steps would you implement for this requirement? (Choose 4)

A. From the Azure Portal, download the OVA file
B. Create a collector virtual Machine
C. From the Azure Portal, download the Azure Site Recovery agent
D. Configure the collector to start the discovery
E. Create an assessment
F. Create a backup policy

Answer: ABDE
Explanation:
https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware

QUESTION 119
A company is developing an ecommerce web application. One of the modules of the application
will be built using a messaging solution architecture. The module will have the following features:
- A workflow runs for several items published on the web application.
- The workflow would be built using Azure Logic Apps.
- The item data would be stored in Azure Blob storage.
Which of the following would you additionally incorporate for the module?

A. Azure Event Grid
B. Azure Event Hub
C. Azure HDInsight
D. Azure Service Bus

Answer: D
Explanation:
Option A is incorrect since this is normally used for event processing.
Option B is incorrect since this is a big data ingestion service.
Option C is incorrect since this is an analytics service.
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview

QUESTION 120
A company has a set of 10 Virtual Machines created in their Azure subscription.
There is a requirement to ensure that an IT administrator gets an email whenever the following
operations are performed on a Virtual Machine:
- Restart of the machine
- Whenever the machine is deallocated
- Whenever the machine is powered off
You need to decide on the minimum number of rules and action groups required in Azure Monitor
for this requirement. (Choose two)

A. Three rules
B. One rule
C. One action group
D. Three action groups

Answer: AC
Explanation:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-overview
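
As an added example that is not part of the original question bank: a Log Analytics (KQL) query over the AzureActivity table that surfaces the same three VM power operations the question lists, so an administrator can review who performed them, or attach the query to a single log-search alert rule with one action group. It assumes the subscription's activity log is being sent to a Log Analytics workspace; the table and column names are the standard AzureActivity schema, and the one-hour window is a chosen value, not something the question specifies.

```kusto
// Added example, not from the question bank.
// Assumes the Azure activity log is forwarded to this workspace (AzureActivity table).
// Lists successful restart, deallocate and power-off operations against VMs,
// with who performed them and from where, over the last hour.
let VmPowerOps = dynamic([
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/powerOff/action"
]);
AzureActivity
| where TimeGenerated > ago(1h)
| where ResourceProviderValue =~ "Microsoft.Compute"
| where OperationNameValue in~ (VmPowerOps)
// Each operation logs a Start and a Success/Failure record; keep only the completed ones
// so a single operation is not reported twice (both spellings of the status are accepted).
| where ActivityStatusValue in~ ("Success", "Succeeded")
| project TimeGenerated,
          Operation = OperationNameValue,
          ResourceGroup,
          VmResourceId = _ResourceId,
          Caller,
          CallerIpAddress,
          CorrelationId
| order by TimeGenerated desc
```

The Caller and CallerIpAddress columns are what make this worth keeping beyond the alert itself: a power-off or deallocate from an unfamiliar principal or address is a change-control signal, not just an availability one. Matching on the full operation name rather than on a substring avoids catching unrelated operations that happen to contain "restart".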

QUESTION 121
A company is preparing their Azure environment for the backup of their Azure Virtual Machines.
They need to ensure the following when it comes to the backup of the Virtual Machines:
- The Virtual machines need to be backed up daily at 03:00 UTC time
- The backups should be retained for a period of 90 days
Which of the following should you configure in Azure Recovery Services vault?

A. Backup Policy
B. Backup Schedule
C. Backup Logs
D. Backup Infrastructure

Answer: A
Explanation:
https://docs.microsoft.com/en-us/azure/backup/backup-introduction-to-azure-backup

QUESTION 122
A company has a web application named lead2pass-app deployed to Azure. The Web App is
deployed using the Azure App Service based on the D1 pricing tier. The application is now being
modified and needs to accept connections on HTTPS. Which of the following needs to be done to
ensure this requirement can be fulfilled? You have to ensure that the cost is minimized for any
changes made.

A. Scale out the App Service Plan
B. Scale up the App Service Plan
C. Change the properties of the Web App
D. Change the Quota of the Web App

Answer: B
Explanation:
Option A is incorrect since this option is used for autoscaling purposes.
Options C and D are incorrect since these are read-only features.
https://azure.microsoft.com/en-us/pricing/details/app-service/plans/

QUESTION 123
A company is planning on deploying a storage account which will be used to host file shares.
These file shares will be used by a number of Virtual Machines hosted in Azure. There is a
requirement to ensure the highest possible redundancy for the files that would be stored in the
storage account. Which of the following replication techniques would you NOT employ for the
storage account?

A. Locally redundant storage (LRS)
B. Zone-redundant storage (ZRS)
C. Geo-redundant storage (GRS)
D. Read-access geo-redundant storage (RA-GRS)

Answer: D
Explanation:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-planning#file-share-redundancy

QUESTION 124
A development team has been instructed to implement a simple solution in Azure. The primary
requirement is to ensure that an IT administrator team is notified whenever any infrastructure level
changes are made to a virtual machine defined in their Azure subscription.
Which of the following steps can be used to implement this solution? (Choose two)

A. Create a workflow using the Azure Logic App service
B. Create a workflow using the Azure Event Grid service
C. Use the Event Grid service to check for Virtual Machine level changes
D. Use the Event Hub service to check for Virtual Machine level changes

Answer: AC
Explanation:
Option B is incorrect since workflows should be defined in the Azure Logic App service.
Option D is incorrect since the Event Hub service is NOT used to check for resource level changes.
https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app

QUESTION 125
Drag and Drop Question
You are the IT administrator for an Azure subscription that contains 20 virtual machines (VMs).
You need to write a Log Analytics query to determine which VMs have not been responsive within
the past hour.
How should you complete the query? To answer, drag the appropriate query elements to their
correct locations in the answer area. A query element may be used once, more than once, or not
at all.

Answer:

Explanation:
You should use the following query:
Heartbeat | where TimeGenerated > ago(1h)
This query finds all computers that have had a heartbeat within the past hour. Computers send a
heartbeat to let Azure know that they are responsive. The ago(1h) means the timestamp is one
hour ago. If TimeGenerated is greater than that timestamp, the heartbeat occurred within the past
hour.
You should not use Perf as a source. This source looks at performance counters. In this scenario,
you need to search the Heartbeat source, not performance counters.
You should not use the following query:
Heartbeat | where TimeGenerated < ago(1h)
This query finds all computers that have sent a heartbeat before one hour ago.
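
Added example, not part of the original question bank, building on the Heartbeat source and ago(1h) used above: instead of listing the machines that did send a heartbeat, this takes the latest heartbeat per computer and keeps only those whose last heartbeat is older than an hour, which is the list an administrator actually needs to act on. The column names are the standard Heartbeat schema; the 7-day lookback is a chosen bound, not something the question specifies.

```kusto
// Added example, not from the question bank.
// Latest heartbeat per computer over the last 7 days, then keep only the machines
// that have been silent for more than an hour.
Heartbeat
| where TimeGenerated > ago(7d)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, ResourceId, OSType
| where LastHeartbeat < ago(1h)
| extend MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)
| project Computer, OSType, ResourceId, LastHeartbeat, MinutesSilent
| order by MinutesSilent desc
```

The lookback window bounds the scan and keeps machines that were retired long ago out of the result, while still catching one that went quiet yesterday. A VM that was deliberately deallocated also appears here, so cross-check the activity log before treating silence as an incident; from the workspace's point of view, a missing heartbeat can equally mean the machine is down, the agent has stopped, or the network path to the workspace is broken.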

QUESTION 126
Drag and Drop Question
An Azure key vault named measureup exists in your company's cloud subscription. You want to
store a password in the key vault. The password is S3449PT!@90Q.
The name of the entry should be ApplicationPassword. The password should not be stored as plain
text.
You need to use PowerShell to store the password in the key vault.
How should you complete the cmdlets? To answer, drag the cmdlets to the appropriate locations
in the answer area. A cmdlet may be used once, more than once, or not at all.

Answer:

Explanation:
You should use the following cmdlets:
$value = ConvertTo-SecureString 'S3449PT!@90Q' -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName 'measureup' -Name 'ApplicationPassword' -SecretValue $value
The ConvertTo-SecureString cmdlet converts a plain text value into a secure (encrypted) string.
This meets the requirement of the password not being stored as plain text. The first parameter to
this cmdlet is the string to convert. The -AsPlainText parameter indicates that the string to convert
is plain text. The -Force parameter must be used when -AsPlainText is used to verify that you
understand the implications of using -AsPlainText.
The Set-AzureKeyVaultSecret cmdlet stores the password in the key vault with the name specified
as the -Name parameter. The -SecretValue parameter specifies the secret. In this scenario, the
secret is the encrypted password.
You should not use Add-AzureKeyVaultKey. This cmdlet generates a software or hardware key
and saves it in a key vault. In this scenario, you need to store a known secret, not generate a key.

QUESTION 127
Drag and Drop Question
You are the cloud administrator for your company. You want to take advantage of Event Grid so
that Service Bus and blob storage events are captured.
You need to use Azure CLI to enable your Azure subscription to send events to Event Grid.
How should you write the command? To answer, drag the appropriate command segment to each
location. A command segment may be used once, more than once, or not at all.

Answer:

Explanation:
You should use the following command:
az provider register --namespace Microsoft.EventGrid
This command registers the Event Grid resource provider. This allows your subscription to send
events to Event Grid.
You should not use the eventgrid or create command segments. These two segments allow you to
create an Event Grid subscription to either a custom topic or to a resource.

QUESTION 128
You pull a Dockerfile from an online repository. You build a container image from this file, and you
want to add it to an Azure Container Registry named mytestreg. The name of the image is my-test-app.
You need to deploy the image to the registry.
Which command should you run from your developer computer?

A. az container create -name mytestreg -image my-test-app
B. az acr create -name mytestreg\my-test-app
C. docker push mytestreg.azurecr.io/my-test-app
D. docker run -p mytestreg my-test-app

Answer: C
Explanation:
You should use the following command:
docker push mytestreg.azurecr.io/my-test-app
This command pushes the image named my-test-app to an Azure login server named
mytestreg.azurecr.io.
You should not use the following command:
docker run -p mytestreg my-test-app
This command runs a container locally. In this scenario, you need to deploy the container image.
You should not use the following command:
az acr create --name mytestreg\my-test-app
The az acr create command creates an Azure Container Registry.
You should not use the following command:
az container create --name mytestreg --image my-test-app
The az container create command creates a container instance in Azure.
