Administering Windows Server Hybrid Core Infrastructure
Exam Details
Exam Code: AZ-800
Exam Name: Administering Windows Server Hybrid Core Infrastructure
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 247 Q&As
Last Updated: Mar 24, 2025
Question 161:
You have servers that run Windows Server 2022 as shown in the following table.
Server2 contains a .NET app named App1.
You need to establish a WebSocket connection from App1 to the SQL Server instance on Server1. The solution must meet the following requirements:
1. Minimize the number of network ports that must be open on the on-premises network firewall.
2. Minimize administrative effort.
What should you create first?
A. an Azure Relay namespace
B. an Azure VPN gateway
C. a WCF relay connection
D. a hybrid connection
Correct Answer: A
Hybrid Connections
The Hybrid Connections feature in Azure Relay is a secure, open-protocol evolution of the Relay features that existed earlier. You can use it on any platform and in any language. The feature is based on the HTTP and WebSockets protocols and allows you to send requests and receive responses over WebSockets or HTTP(S). It is compatible with the WebSocket API in common web browsers.
Question 162:
You have an on-premises server named Server1 that runs Windows Server. Server1 contains an app named App1 and a firewall named Firewall1.
You have an Azure subscription.
Internal users connect to App1 by using WebSockets.
You need to make App1 available to users on the internet. The solution must minimize the number of inbound ports open on Firewall1.
What should you include in the solution?
A. Microsoft Application Request Routing (ARR) Version 2
B. Azure Application Gateway
C. Azure Relay
D. Web Application Proxy
Correct Answer: B
Question 163:
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the offices shown in the following table.
You need to deploy a Network Policy Server (NPS) named NPS1 to enforce network access policies for all remote connections. What is the minimum number of RADIUS clients that you should add to NPS1?
A. 1
B. 3
C. 8
D. 180
E. 188
Correct Answer: C
You configure a VPN server as a RADIUS client.
We have eight VPN servers, so we need eight RADIUS clients.
Note: Configure VPN server as a RADIUS client
1. On the NPS server, open your firewall rules to allow UDP ports 1812, 1813, 1645, and 1646 inbound.
2. In the NPS console, double-click RADIUS Clients and Servers.
3. Right-click RADIUS Clients and select New to open the New RADIUS Client dialog box.
4. Verify that the Enable this RADIUS client check box is selected.
5. In Friendly name, enter a display name for the VPN server.
6. In Address (IP or DNS), enter the IP address or FQDN of the VPN server.
Question 164:
You plan to add a new subnet and deploy Windows Server to the subnet.
You need to use the server as a DHCP relay agent.
Which role should you install on the server?
A. Network Policy and Access Services
B. Remote Access
C. Network Controller
D. DHCP Server
Correct Answer: B
DHCP and Remote Access Overview
When a remote computer connects to a remote access server (RRAS), it is automatically provided with an IP address when the Point-to-Point Protocol (PPP) connection is established.
You can configure the RRAS server to allocate IP addresses to remote clients from:
- A static range of IP addresses: This method is usually implemented when there are no internal DHCP servers.
- An existing DHCP server: This is achieved by relaying clients to the DHCP server for IP address allocation.
If you have an internal DHCP server, you should configure the remote access server to allocate IP addresses via this server. If your DHCP server is not within broadcast range of the RRAS server, you must also perform one of the following configurations:
1. Configure the DHCP Relay Agent on the remote access server.
2. Configure the DHCP Relay Agent on the same subnet as the remote access server.
Question 165:
You have an Azure virtual machine named VM1 that runs Windows Server.
You need to ensure that administrators request access to VM1 before establishing a Remote Desktop connection.
What should you configure?
A. Azure Front Door
B. Microsoft Defender for Cloud
C. Azure AD Privileged Identity Management (PIM)
D. a network security group (NSG)
Correct Answer: C
Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. PIM provides just-in-time privileged access to Microsoft Entra ID and Azure resources.
PIM supports the following scenarios:
Privileged Role Administrator permissions
- Enable approval for specific roles
- Specify approver users or groups to approve requests
Reference:
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
Question 166:
You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server.
You build an app named App1.
You need to configure continuous integration and continuous deployment (CI/CD) of App1 to VM1.
What should you create first?
A. an App Service Environment
B. an Azure DevOps organization
C. a managed identity
D. an Azure Automation account
Correct Answer: B
Azure Pipelines architecture for IaaS
Azure Virtual Machines is an option for hosting custom applications when you want flexible and granular management of your compute. Virtual machines (VMs) should be subject to the same level of engineering rigor as Platform-as-a-Service (PaaS) offerings throughout the development lifecycle. For example, implementing automated build and release pipelines to push changes to the VMs.
This article describes a high-level DevOps workflow for deploying application changes to VMs using continuous integration (CI) and continuous deployment (CD) practices with Azure Pipelines.
Question 167:
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1.
You implement Just Enough Administration (JEA) on Server1.
You need to perform remote administration tasks on Server1 by using only JEA.
What should you use?
A. PowerShell only
B. Remote Server Administration Tools (RSAT) only
C. PowerShell or Remote Desktop only
D. PowerShell or Remote Server Administration Tools (RSAT) only
E. Remote Server Administration Tools (RSAT) or Remote Desktop only
F. PowerShell, Remote Server Administration Tools (RSAT), or Remote Desktop
Correct Answer: A
Just Enough Administration is a feature included in PowerShell 5.0 and higher.
Just Enough Administration (JEA) is a security technology that enables delegated administration for anything managed by PowerShell. With JEA, you can:
- Reduce the number of administrators on your machines using virtual accounts or group-managed service accounts to perform privileged actions on behalf of regular users.
- Limit what users can do by specifying which cmdlets, functions, and external commands they can run.
- Better understand what your users are doing with transcripts and logs that show you exactly which commands a user executed during their session.
Question 168:
You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server.
You plan to manage VM1 by using a PowerShell runbook.
You need to create the runbook.
What should you create first?
A. an Azure Automation account
B. an Azure workbook
C. a Log Analytics workspace
D. a Microsoft Power Automate flow
Correct Answer: A
Create Automation PowerShell runbook using managed identity
This tutorial walks you through creating a PowerShell runbook in Azure Automation that uses a managed identity, rather than the Run As account, to interact with resources. PowerShell runbooks are based on Windows PowerShell. A managed identity from Azure Active Directory (Azure AD) allows your runbook to easily access other Azure AD-protected resources.
Prerequisites
- An Azure Automation account with at least one user-assigned managed identity.
Question 169:
You have a server named Server1 that runs Windows Server and has the DHCP Server role installed. Server1 contains the following single scope:
1. Scope: 192.168.16.0
2. Address pool: 192.168.16.1-192.168.16.254
3. Subnet mask: 255.255.255.0
4. Lease duration: 8 days
You have four testing devices that are configured with static IP addresses as shown in the following table.
The test devices are turned on once a month.
You need to prevent Server1 from assigning the IP addresses allocated to the test devices to other devices when the test devices are offline. The solution must minimize administrative effort.
What should you do?
A. Create a policy.
B. Create reservations.
C. Configure the Scope options.
D. Create an exclusion range.
Correct Answer: D
HOW TO RESERVE IP ADDRESS ON WINDOWS SERVER DHCP?
DHCP reservation is the creation of a special entry on the DHCP server. Thanks to this, the same IP address from the DHCP scope address pool will be issued for a specific device (MAC address).
Note: If some network devices (printers, scanners, workstations) require a permanent IP address (instead of manually setting a static IP address in the device settings), you can reserve an IP address on a DHCP server. In the DHCP server on Windows Server 2019, you can create a reservation from any leased IP address, or manually create a new entry.
Open the DHCP Management Console (System Manager > Tools > DHCP) or simply run the dhcpmgmt.msc command. Expand your DHCP server, select IPv4, then select the scope where you want to manage reservations.
If the DHCP server client already received a dynamic IP address from your DHCP server, you can reserve this address. Go to the Address Leases section, find the DHCP client you need in the list (the fact that this IP address is dynamic is indicated by the presence of a date in the Lease Expiration field), right-click on it, and select Add to Reservation.
Reference:
https://theitbros.com/reserve-ip-address-dhcp/
Question 170:
You have an Active Directory Domain Services (AD DS) domain. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server.
You sign in to Server1 by using a domain account and start a remote PowerShell session to Server2. From the remote PowerShell session, you attempt to access a resource on Server3, but access to the resource is denied.
You need to ensure that your credentials are passed from Server1 to Server3. The solution must minimize administrative effort.
What should you do?
A. Configure Kerberos constrained delegation.
B. Configure Just Enough Administration (JEA).
C. Configure selective authentication for the domain.
D. Disable the Enforce user logon restrictions policy setting for the domain.
Correct Answer: A
Configuring Kerberos constrained delegation allows you to pass your credentials from Server1 to Server3 when accessing a resource. Constrained delegation is a Kerberos feature that restricts the servers to which a service can delegate a user's credentials. This ensures that the delegation is secure and limited to specific services.