Notes: Hi all, Microsoft Azure Architect Design Practice Exam Part 2 will familiarize you with types of questions you may encounter on the certification exam and help you determine your readiness or if you need more preparation and/or experience. Successful completion of the practice exam does not guarantee you will pass the certification exam as the actual exam is longer and covers a wider range of topics. We highly recommend you should take Microsoft Azure Architect Design Actual Exam Version because it include actual exam questions and highlighted answers are collected in our exam. It will help you pass exam in easier way.

Part 1: https://www.awslagi.com/microsoft-azure-architect-design-practice-exam-part-1
Part 2: https://www.awslagi.com/microsoft-azure-architect-design-practice-exam-part-2
Part 3: https://www.awslagi.com/microsoft-azure-architect-design-practice-exam-part-3
Part 4: https://www.awslagi.com/microsoft-azure-architect-design-practice-exam-part-4
Part 5: https://www.awslagi.com/microsoft-azure-architect-design-practice-exam-part-5
Part 6: https://www.awslagi.com/microsoft-azure-architect-design-practice-exam-part-6
Part 7: https://www.awslagi.com/microsoft-azure-architect-design-practice-exam-part-7

41. Your network contains an on-premises Active Directory forest named contoso.com. The forest is synced to an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure AD Domain Services (Azure AD DS) domain named contoso-aad.com. You have an Azure Storage account named Storage1 that contains a file share named Share1. You configure NTFS permissions on Share1. You plan to deploy a virtual machine that will be used by several users to access Share1. You need to ensure that the users can access Share1. Which type of virtual machine should you deploy?

A. a virtual machine that runs Windows Server 2016 and is joined to the contoso.com domain
B. a virtual machine that runs Windows 10 and is joined to the contoso-add.com domain
C. a virtual machine that runs Windows 10 and is hybrid Azure AD joined to the contoso.com domain
D. an Azure virtual machine that runs Windows Server 2016 and is joined to the contoso-add.com domain

Answer: D

42. Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM). Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant. The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016. Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks. You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker). Solution: Deploy one Azure Key Vault to each region. Create two Azure AD service principals. Configure the virtual machines to use Azure Disk Encryption and specify a different service principal for the virtual machines in each region. Does this meet the goal?

A. Yes
B. No

Answer: B

43. Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM). Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant. The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016. Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks. You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker). Solution: Export a security key from the on-premises HSM. Create one Azure AD service principal. Configure the virtual machines to use Azure Storage Service Encryption. Does this meet the goal?

A. Yes
B. No

Answer: B

44. Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM). Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant. The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016. Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks. You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).
Solution:

– Deploy one Azure key vault to each region
– Export two security keys from the on-premises HSM
– Import the security keys from the HSM into each Azure key vault
Create two Azure AD service principals
– Configure the virtual machines to use Azure Disk Encryption
– Specify a different service principal for the virtual machines in each region
Does this meet the goal?

A. Yes
B. No

Answer: A

45. Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity. Several VMs are exhibiting network connectivity issues. You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs. Solution: Use Azure Advisor to analyze the network traffic. Does the solution meet the goal?

A. Yes
B. No

Answer: B

46. Your network contains an Active Directory domain named contoso.com that is federated to an Azure Active Directory (Azure AD) tenant. The on-premises domain contains a VPN server named Server1 that runs Windows Server 2016. You have a single on-premises location that uses an address space of 172.16.0.0/16. You need to implement two-factor authentication for users who establish VPN connections to Server1. What should you include in the implementation?

A. In Azure AD, create a conditional access policy and a trusted named location
B. Install and configure Azure MFA Server on-premises
C. Configure an Active Directory Federation Services (AD FS) server on-premises
D. In Azure AD, configure the authentication methods. From the multi-factor authentication (MFA) service settings, create a trusted IP range

Answer: A

47. HOTSPOT –
You configure the Diagnostics settings for an Azure SQL database as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Box 1: Select stream to an event hub
Box 2: Azure SQL Analytics

48. Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment. Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network. You need to enable single sign-on (SSO) for company users. Solution: Install and configure an Azure AD Connect server to use password hash synchronization and select the Enable single sign-on option. Does the solution meet the goal?

A. Yes
B. No

Answer: A

49. You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam, Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to the Application1 components. All users are licensed for the Microsoft 365 E5 plan. You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1. The solution must meet the following requirements:
– To the manager of the developers, send a monthly email message that lists the access permissions to Application1.
– If the manager does not verify an access permission, automatically revoke that permission.
– Minimize development effort.
What should you recommend?

A. In Azure Active Directory (AD) Privileged Identity Management, create a custom role assignment for the Application1 resources
B. Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet
C. Create an Azure Automation runbook that runs the Get-AzureRmRoleAssignment cmdlet
D. In Azure Active Directory (Azure AD), create an access review of Application1

Answer: D

50. Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment. Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network. You need to enable single sign-on (SSO) for company users. Solution: Install and configure an Azure AD Connect server to use pass-through authentication and select the Enable single sign-on option. Does the solution meet the goal?

A. Yes
B. No

Answer: A

51. Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment. Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network. You need to enable single sign-on (SSO) for company users. Solution: Configure an AD DS server in an Azure virtual machine (VM). Configure bidirectional replication. Does the solution meet the goal?

A. Yes
B. No

Answer: B

52. HOTSPOT –
You are building an application that will run in a virtual machine (VM). The application will use Managed Service Identity (MSI). The application uses Azure Key Vault, Azure SQL Database, and Azure Cosmos DB. You need to ensure the application can use secure credentials to access these services. Which authorization methods should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Box 1: RBAC
Box 2: RBAC
Box 3: HMAC

53. You are designing a security solution for a company’s Azure Active Directory (Azure AD). The company currently uses Azure AD Premium for all employees.
Contractors will periodically access the corporate network based on demand. You must ensure that all employees and contractors are required to log on by using two-factor authentication. The solution must minimize costs. You need to recommend a solution. What should you recommend?

A. Purchase Azure Multi-Factor Authentication licenses for the employees and the contractors
B. Use the Multi-Factor Authentication provider in Azure and configure the usage model for each authentication type
C. Use the Multi-Factor Authentication provider in Azure and configure the usage model for each enabled user
D. Purchase Azure Multi-Factor Authentication licenses for the contractors only

Answer: B

54. You have an Azure Active Directory (Azure AZD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts. You discover several login attempts to the Azure portal from countries where administrative users do NOT work. You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA). Solution: Create an Access Review for Group1. Does this solution meet the goal?

A. Yes
B. No

Answer: B

55. You have an Azure Active Directory (Azure AZD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts. You discover several login attempts to the Azure portal from countries where administrative users do NOT work. You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA). Solution: You implement an access package. Does this solution meet the goal?

A. Yes
B. No

Answer: B

56. You have an Azure Active Directory (Azure AZD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts. You discover several login attempts to the Azure portal from countries where administrative users do NOT work. You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA). Solution: Implement Azure AD Privileged Identity Management. Does this solution meet the goal?

A. Yes
B. No

Answer: B

57. Your company has several Azure subscriptions that are part of a Microsoft Enterprise Agreement. The company’s compliance team creates automatic alerts by using Azure Monitor. You need to recommend a solution to apply the alerts automatically when new subscriptions are added to the Enterprise Agreement. What should you include in the recommendation?

A. Azure Automation runbooks
B. Azure Log Analytics alerts
C. Azure Monitor action groups
D. Azure Resource Manager templates
E. Azure Policy

Answer: E

58. You store web access logs data in Azure Blob storage. You plan to generate monthly reports from the access logs. You need to recommend an automated process to upload the data to Azure SQL Database every month. What should you include in the recommendation?

A. Microsoft SQL Server Migration Assistant (SSMA)
B. Azure Data Factory
C. Data Migration Assistant
D. AzCopy

Answer: B

59. Your company has the offices shown in the following table.

The network contains an Active Directory domain named contoso.com that is synced to Azure Active Directory (Azure AD). All users connect to an application hosted in Microsoft 365. You need to recommend a solution to ensure that all the users use Azure Multi-Factor Authentication (MFA) to connect to the application from one of the offices. What should you include in the recommendation?

A. a named location and two Microsoft Cloud App Security policies
B. a conditional access policy and two virtual networks
C. a virtual network and two Microsoft Cloud App Security policies
D. a conditional access policy and two named locations

Answer: D

60. HOTSPOT –
You have an Azure subscription that contains 300 Azure virtual machines that run Windows Server 2016. You need to centrally monitor all warning events in the System logs of the virtual machines. What should you include in the solutions? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Box 1: A Log Analytics workspace
Box 2: Install the Microsoft Monitoring Agent

61. You are developing a sales application that will contain several Azure cloud services and will handle different components of transactions. Different cloud services will process customer orders, billing, payment, inventory, and shipping. You need to recommend a solution to enable the cloud services to asynchronously communicate transaction information by using REST messages. What would you include in the recommendation?

A. Traffic Manager
B. Azure Notification Hubs
C. Azure Blob storage
D. Azure Queue storage

Answer: D

62. You have an Azure subscription that contains an Azure Cosmos DB account. You need to recommend a solution to generate an alert from Azure Log Analytics when a request charge for a query exceeds 50 request units more than 20 times within a 15-minute window. What should you recommend?

A. Create a search query to identify when requestCharge_s exceeds 50. Configure an alert threshold of 20 and a period of 15.
B. Create a search query to identify when duration_s exceeds 20 and requestCharge_s exceeds 50. Configure a period of 15.
C. Create a search query to identify when requestCharge_s exceeds 20. Configure a period of 15 and a frequency of 20.
D. Create a search query to identify when duration_s exceeds 20. Configure a period of 15.

Answer: A

63. You are designing a data protection strategy for Azure virtual machines. All the virtual machines are in the Standard tier and use managed disks. You need to recommend a solution that meets the following requirements:
– The use of encryption keys is audited.
– All the data is encrypted at rest always.
– You manage the encryption keys, not Microsoft.
What should you include in the recommendation?

A. BitLocker Drive Encryption (BitLocker)
B. Azure Storage Service Encryption
C. client-side encryption
D. Azure Disk Encryption

Answer: D

64. You have 100 servers that run Windows Server 2012 R2 and host Microsoft SQL Server 2012 R2 instances. The instances host databases that have the following characteristics:
– The largest database is currently 3 TB. None of the databases will ever exceed 4 TB.
– Stored procedures are implemented by using CLR.
You plan to move all the data from SQL Server to Azure. You need to recommend an Azure service to host the databases. The solution must meet the following requirements:
– Whenever possible, minimize management overhead for the migrated databases.
– Minimize the number of database changes required to facilitate the migration.
Ensure that users can authenticate by using their Active Directory credentials. What should you include in the recommendation?

A. Azure SQL Database single databases
B. Azure SQL Database Managed Instance
C. Azure SQL Database elastic pools
D. SQL Server 2016 on Azure virtual machines

Answer: B

65. DRAG DROP –
You are designing a virtual machine that will run Microsoft SQL Server and will contain two data disks. The first data disk will store log files, and the second data disk will store data. Both disks are P40 managed disks. You need to recommend a caching policy for each disk. The policy must provide the best overall performance for the virtual machine. Which caching policy should you recommend for each disk? To answer, drag the appropriate policies to the correct disks. Each policy may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Select and Place:

Answer:
Box 1: None
Box 2: ReadOnly

66. You plan to create an Azure Cosmos DB account that uses the SQL API. The account will contain data added by a web application. The web application will send data daily. You need to recommend a notification solution that meets the following requirements:
– Sends email notification when data is received from IoT devices.
– Minimizes compute cost.
What should you include in the recommendation?

A. Deploy an Azure logic app that has the Azure Cosmos DB connector configured to use a SendGrid action.
B. Deploy a function app that is configured to use the Consumption plan and a SendGrid binding.
C. Deploy an Azure logic app that has a SendGrid connector configured to use an Azure Cosmos DB action.
D. Deploy a function app that is configured to use the Consumption plan and an Azure Event Hubs binding.

Answer: B

67. You have Azure virtual machines that run a custom line-of-business web application. You plan to use a third-party solution to parse event logs from the virtual machines stored in an Azure storage account. You need to recommend a solution to save the event logs from the virtual machines to the Azure Storage account. The solution must minimize costs and complexity. What should you include in the recommendation?

A. Azure VM Diagnostics Extension
B. Azure Monitor
C. event log subscriptions
D. Azure Log Analytics

Answer: A

68. DRAG DROP –
You are planning an Azure solution that will host production databases for a high-performance application. The solution will include the following components:
– Two virtual machines that will run Microsoft SQL Server 2016, will be deployed to different data centers in the same Azure region, and will be part of an Always On availability group.
– SQL Server data that will be backed up by using the Automated Backup feature of the SQL Server IaaS Agent Extension (SQLIaaSExtension)
You identify the storage priorities for various data types as shown in the following table.

Which storage type should you recommend for each data type? To answer, drag the appropriate storage types to the correct data types. Each storage type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Answer:
Box 1: A premium managed disk
Box 2: A premium managed disk
Box 3: A locally-redundant storage (LRS) account

69. HOTSPOT –
Your company deploys several Linux and Windows virtual machines (VMs) to Azure. The VMs are deployed with the Microsoft Dependency Agent and the Log Analytics Agent installed by using Azure VM extensions. On-premises connectivity has been enabled by using Azure ExpressRoute. You need to design a solution to monitor the VMs. Which Azure monitoring services should you use? To answer, select the appropriate Azure monitoring services in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Box 1: Azure Traffic Analytics
Box 2: Azure Service Map

70. You are designing an Azure solution for a company that has four departments. Each department will deploy several Azure app services and Azure SQL databases. You need to recommend a solution to report the costs for each department to deploy the app services and the databases. The solution must provide a consolidated view for cost reporting. Solution: Create a resources group for each resource type. Assign tags to each resource group. Does this meet the goal?

A. Yes
B. No

Answer: B

71. You are designing an Azure solution for a company that has four departments. Each department will deploy several Azure app services and Azure SQL databases. You need to recommend a solution to report the costs for each department to deploy the app services and the databases. The solution must provide a consolidated view for cost reporting. Solution: Place all resources in the same resource group. Assign tags to each resource. Does this meet the goal?

A. Yes
B. No

Answer: A

72. You are designing an Azure solution for a company that has four departments. Each department will deploy several Azure app services and Azure SQL databases. You need to recommend a solution to report the costs for each department to deploy the app services and the databases. The solution must provide a consolidated view for cost reporting. Solution: Create a new subscription for each department. Does this meet the goal?

A. Yes
B. No

Answer: B

73. HOTSPOT –
You plan to deploy logical Azure SQL Database servers to the East US Azure region and the West US Azure region. Each server will contain 20 databases. Each database will be accessed by a different user who resides in a different on-premises location. The databases will be configured to use active geo-replication. You need to recommend a solution that meets the following requirements:
– Restricts user access to each database
– Restricts network access to each database based on each user’s respective location
– Ensures that the databases remain accessible from client applications if the local Azure region fails
What should you include in the recommendation? To answer, select the appropriate options in the answer area.NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Box 1: Transact-SQL
Box 2: Transact-SQL

74. HOTSPOT –
You plan to deploy the backup policy shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Box 1: modify the access tier
Box 2: at the lowest storage cost

75. You plan to use Azure Site Recovery to protect several on-premises physical server workloads. Each server workload is independent of the other. The workloads are stateless. You need to recommend a failover strategy to ensure that if the on-premises data center fails, the workloads are available in Azure as quickly as possible. Which failover strategy should you include in the recommendation?

A. Latest
B. Latest app-consistent
C. Latest multi-VM processed
D. Latest processed

Answer: D

76. DRAG DROP –
Your company identifies the following business continuity and disaster recovery objectives for virtual machines that host sales, finance, and reporting applications in the company’s on-premises data center:
– The finance application requires that data be retained for seven years. In the event of a disaster, the application must be able to run from Azure. The recovery time objective (RTO) is 10 minutes.
– The reporting application must be able to recover point-in-time data at a daily granularity. The RTO is eight hours.
– The sales application must be able to fail over to a second on-premises data center.
You need to recommend which Azure services meet the business continuity and disaster recovery objectives. The solution must minimize costs. What should you recommend for each application? To answer, drag the appropriate services to the correct applications. Each service may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Answer:
Sales: Azure Site Recovery Only
Finance: Azure Site Recovery and Backup
Reporting:Azure Backup Only.

77. You plan to move a web application named App1 from an on-premises data center to Azure. App1 depends on a custom COM component that is installed on the host server. You need to recommend a solution to host App1 in Azure. The solution must meet the following requirements:
– App1 must be available to users if an Azure data center becomes unavailable.
– Costs must be minimized.
What should you include in the recommendation?

A. In two Azure regions, deploy a Traffic Manager profile and a web app.
B. In two Azure regions, deploy a load balancer and a virtual machine scale set.
C. Deploy a load balancer and a virtual machine scale set across two availability zones.
D. In two Azure regions, deploy a load balancer and a web app.

Answer: C

78. You plan to deploy a payroll system to Azure. The payroll system will use Azure virtual machines that run SUSE Linux Enterprise Server and Windows. You need to recommend a business continuity solution for the payroll system. The solution must meet the following requirements:
– Minimize costs.
– Provide business continuity if an Azure region fails.
– Provide a recovery time objective (RTO) of 120 minutes.
– Provide a recovery point objective (RPO) of five minutes.
What should you include in the recommendation?

A. Microsoft System Center Data Protection Manager (DPM)
B. Azure Site Recovery
C. unmanaged disks that use geo-redundant storage (GRS)
D. Azure Backup

Answer: B

79. The accounting department at your company migrates to a new financial accounting software. The accounting department must keep file-based database backups for seven years for compliance purposes. It is unlikely that the backups will be used to recover data. You need to move the backups to Azure. The solution must minimize costs. Where should you store the backups?

A. Azure SQL Database
B. Azure Blob storage that uses the Archive tier
C. a Recovery Services vault
D. Azure Blob storage that uses the Cool tier

Answer: B

80. HOTSPOT –
Your company has two on-premises sites in New York and Los Angeles and Azure virtual networks in the East US Azure region and the West US Azure region. Each on-premises site has Azure ExpressRoute circuits to both regions. You need to recommend a solution that meets the following requirements:
– Outbound traffic to the Internet from workloads hosted on the virtual networks must be routed through the closest available on-premises site.
– If an on-premises site fails, traffic from the workloads on the virtual networks to the Internet must reroute automatically to the other site.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Box 1: Border Gateway Protocol (BGP)
Box 2: Border Gateway Protocol (BGP)