Azure Management Groups and Policies

Questions and Answers

What is the effect of inheriting a deny policy?

• It overrides all allowed permissions
• It is allowed by default
• It overrides any allowed permissions (correct)
• It has no effect on existing permissions

Where can virtual networks be created?

• At the root management group
• At any management group level (correct)
• Nowhere, virtual networks are not allowed
• Only at the subscription level

What is required to create Virtual Machines on a Management Group?

• The required RBAC permissions (correct)
• Owner permissions
• Contributor permissions
• No permissions are required

Can subscriptions be moved between Management Groups?

Yes, provided the user has the required RBAC permissions (B)

What is the effect of the policy in Exhibit?

You are prevented from creating Azure SQL servers anywhere in Subscription 1 (D)

What is the purpose of Management Groups?

To organize subscriptions (C)

What is required to move a subscription between Management Groups?

The required RBAC permissions (C)

What is the effect of inheriting an allow policy?

It overrides any deny policies (B)

What is the purpose of verifying your custom domain name on the Fabrikam - Custom domain names page?

To ensure your custom domain is properly registered and valid for Azure AD (D)

Which of the following record types can be used to verify a custom domain name for Azure AD?

Both TXT and MX (D)

What role should you assign to the Developers group to provide them with the ability to create Azure logic apps?

Logic App Contributor role (B)

What is the primary function of the DevTest Labs User role?

Connect, start, restart, and shutdown virtual machines (A)

What is the purpose of the Azure AD tenant named Adatum?

To contain a group named Developers (C)

What is the name of the resource group in Subscription1 that you need to provide the Developers group with access to?

Dev (C)

What is the correct sequence of steps to verify a custom domain name for Azure AD?

Select the custom domain name, then select Verify (B)

What is the primary goal of providing the Developers group with the ability to create Azure logic apps?

To manage Azure logic apps (B)

What is the first step in an import job?

Attach an external disk to Server1 and then run waimportexport.exe (A)

What is the purpose of the WAImportExport tool?

To copy data to disk drives. (D)

What is required to be provided during job creation?

Return address and carrier account number for shipping the drives back. (D)

What happens to the drives after they are received at the Azure data center?

They are processed and the data is imported to Azure storage. (D)

What is the purpose of the drive journal files?

To track the delivery of the drives. (C)

What is the purpose of Server1 and Server2 in Azure File Sync?

To register as a server endpoint. (C)

What is the cloud endpoint of Group1 in Azure File Sync?

Share1 (D)

What is the server endpoint of Group1 in Azure File Sync?

D:\Folder1 (D)

Where can a Log Analytics workspace be created in relation to the location and subscription of your vaults?

In a different location and subscription than your vaults (C)

What type of storage account is used to host premium file shares?

FileStorage account (A)

Which storage accounts can be used to host premium file shares?

contoso101, contoso102, and contoso103 only (A)

What is the purpose of the net use command in relation to file shares?

To connect to file shares (C)

What access does the IP 193.77.134.1 have on the SAS?

Will have no access (A)

What is the purpose of a shared access signature (SAS)?

To grant temporary access to a file share (A)

Which storage accounts can be used to host standard file shares?

Any of the above (D)

What is the purpose of a Log Analytics workspace?

To analyze and report on data from Azure resources (D)

What is a requirement for a sync group in Azure File Sync?

It must contain one cloud endpoint and one or more server endpoints. (D)

What is the purpose of a cloud endpoint in Azure File Sync?

To represent an Azure file share. (C)

What is the name of the Azure Storage account in the given scenario?

contosostorage (C)

What is the UNC path for accessing files from the data file share?

\contosostorage\file.core.windows.net\data (D)

What command should you run to create a container named vmimages?

az storage container create vmimages (D)

What is the purpose of a server endpoint in Azure File Sync?

To represent a server or a cluster of servers. (A)

What is required to create a sync group in Azure File Sync?

One cloud endpoint and one or more server endpoints. (A)

What is the name of the file share in the given scenario?

data (B)

Study Notes

Azure Management Groups

• Management groups are used to organize Azure subscriptions and resources
• A subscription can be moved between management groups if the user has the required RBAC permissions
• Virtual networks are not allowed at the root and are inherited, deny overrides are allowed

Azure Policies

• Azure policies can be created to manage Azure resources
• Policies can be used to allow or deny specific actions on Azure resources
• For example, a policy can be created to prevent the creation of Azure SQL servers in a specific subscription or resource group

Azure Logic Apps

• Logic App Contributor role is required to manage logic apps, but not to access them
• Developers group needs the Logic App Contributor role to create logic apps in the Dev resource group

Azure Data Import/Export

• Import job involves attaching an external disk to a server, copying data to disk drives, encrypting the disk drives, and shipping the drives to an Azure data center
• The WAImportExport tool is used to copy data to disk drives
• The import job is created in the Azure portal, and the drives are shipped to the Azure data center for processing

Azure File Sync

• Azure File Sync is used to sync files between on-premises servers and Azure file shares
• A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints
• Server endpoints can be added to the sync group, and files can be synced between the servers and the Azure file share

Azure Storage Accounts

• An Azure storage account can contain multiple file shares
• A UNC path is used to reference files in a file share, in the format \.file.core.windows.net\
• A container can be created in a storage account using the Azure CLI

Shared Access Signatures (SAS)

• A SAS is a URI that grants limited access to a resource in a storage account
• A SAS can be created with specific permissions and a specific duration
• A SAS can be used to grant access to a file share or container in a storage account

Description

Test your knowledge of Azure management groups and policies. Learn how to add subscriptions and create policies in Azure.