Azure Administrator Associate认证续期测试题

去年这个时候笔者刚考完的Azure Administrator Associate认证，最近收到邮件提醒需要renew续期证书，认证有效期不得不吐槽吐槽下。 分享下遇到的测试题和答案吧（不保证都是对的，欢迎纠正）

web application with Azure App Service

1. You have an Azure subscription that includes a virtual network named VNet1.
   You plan to create a web app named WebApp1 and deploy it to VNet1.
   You need to prepare the environment for the planned web app. The solution must minimize costs.
   Which app service plan size should you use?

DEV /TEST F1

2. You plan to deploy an Azure web app that will have the following settings:
   • Name: WebApp1
   • Publish: Docker container
   • Operating system: Windows
   • Region: West US
   • Windows Plan (West US): ASP-RG1-8bcf
   You need to ensure that WebApp1 uses the ASP.NET V4.8 runtime stack.
   Which setting should you modify?

Publish

3. You plan to deploy an Azure web app that will have the following settings:
   • Name: WebApp1
   • Publish: Code
   • Runtime stack: Java 11
   • Operating system: Linux
   • Continuous deployment: Disable
   You need to ensure that you can integrate WebApp1 with GitHub Actions.
   Which setting should you modify?

Deployment center

4. You have an Azure subscription that contains the following fully peered virtual networks:
   • VNet1, located in the West US region. 5 virtual machines are connected to VNet1.
   • VNet2, located in the West US region. 7 virtual machines are connected to VNet2.
   • VNet3, located in the East US region, 10 virtual machines are connected to VNet3.
   • VNet4, located in the East US region, 4 virtual machines are connected to VNet4.
   You plan to protect all of the connected virtual machines by using Azure Bastion.
   What is the minimum number of Azure Bastion hosts that you must deploy?

4

5. You have an Azure subscription.
   You plan to run a data warehouse in an Azure virtual machine named VM1.
   You need to ensure that VM1 is optimized for running a data warehouse.
   Which VM type should you use for VM1?
   Select only one answer.

• General purpose (D-Series)
• Compute optimized (F-Series)
• Memory optimized (M-Series)
• Storage optimized (Ls-Series)
• High performance computing (H-Series)

Memory optimized (M-Series)

Build a containerized web application with Docker

1. You have a Docker image named Image1 that contains a corporate app.
   You need to deploy Image1 to Azure and make the app accessible to users.
   Which two Azure services should you deploy? Each correct answer presents complete solution.

Azure APP Service

Azure Container Registry

2. You have an Azure subscription that contains the following resources:
   • a storage account named storage123
   • a container instance named AppContainer
   The subscription contains a virtual network named VirtualNet4 that has the following subnets:
   • SubnetA- storage123 is connected to SubnetA.
   • SubnetB- AppContainer is connected to SubnetB.
   • SubnetC- No resources.
   You plan to deploy an Azure container instance named container5 to VirtualNet4.
   To which subnets can you deploy container5?

3- SubnetB and SubnetC only works

3. You have an Azure virtual machine named VM1.
   You need to update continuous delivery for VM1.
   What should you create first?

• an Azure storage account
• a Log Analytics workspace
• an Azure automation account
• an Azure DevOps Organization.

an Azure DevOps Organization. 
https://learn.microsoft.com/en-us/azure/devops/get-started/?view=azure-devops

Secure your Azure Storage account

1. You have an Azure subscription that contains the following storage accounts:
   • storage1, configured as StorageV2 kind
   • storage2, configured as BlobStorage kind
   • storage3, configured as FileStorage kind
   Which storage account or storage accounts can you use Lifecycle management?

storage1 and storage2

2. You plan to create an Azure container instance named container1 that will use a Docker image named Image1.
   You need to ensure that container1 has persistent storage.
   Which Azure resources should you deploy for the persistent storage?

an Azure storage account and a file share

3. You have an Azure Storage account named storage1.
   You create the following encryption scopes for storage1:
   • Scope1 that has an encryption type of Microsoft-managed keys
   • Scope2 that has an encryption type of Customer-managed keys
   Which storage services can be used with Scope2?

Blob,Files,Queue and Table

https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
Data in Blob storage and Azure Files is always protected by customer-managed keys
Data stored in Queue and Table storage isn't automatically protected by a customer-managed key when customer-managed keys are enabled for the storage account. You can optionally configure these services to be included in this protection at the time that you create the storage account.

4. You have an Azure AD user named User1 and an Azure storage account named storage1 that contains a file share named share1.
   You need to assign the Storage File Data SMB Share Reader role on share1 to User1.
   What should you do first?

•	Change the tier for share1.
•	Modify the Security protocol settings for Azure file shares.
•	Configure identity-based authentication for Azure file shares.
•	From the Azure portal setting on the storage1, modify the Azure AD authorization settings.

5. You have an Azure Storage account named storage1 that is configured to use the Hot access tier.
   Storage1 has a container named container1 and the lifecycle management rule with following settings:
   • Move blob to cool storage: Selected
   • Days after last modification: 3
   • Move blob to archive storage: Selected
   • Days after last modification: 5
   On December 1, you create a file named File1 in container1.
   On December 10, you rehydrate File1 and move the file to the Hot access tier.
   When will File1 be moved to archive storage?

6. You have an Azure subscription that contains a storage account named storage1.
   You create a blob container named container1 in storage1.
   What is the maximum number of stored access policies that you can create for container1?

5
https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy

7. You have an Azure storage account named storage1.
   Three users use the following methods to access the data in storage1:
   • User1 uses the Azure portal
   • User2 uses the Azure Storage Explorer
   • User3 uses File Explorer in Windows 11
   You generate a storage access signature named SAS1 for storage1.
   Which user or users can access storage1 by using SAS1?

8. Your Azure AD contains three users named User1, User2, and User3.
   You have an Azure storage account named storage1 that has the following access:
   • User1 is assigned the Storage Account Contributor role on storage1
   • User2 has a access key for storage1
   • User3 has a shared access signature for storage1
   You rotate the keys for storage1.
   Which user or users can access storage1?

User1 only

Host your domain on Azure DNS

1. You have an Azure virtual machine named VM1 that connects to a virtual network named VNET1.
   You create a private DNS zone named contoso.com and add an A record named host1 to the zone.
   You need to ensure that VM1 can resolve host1.contoso.com.
   What should you do?
   • Modify the Access control (IAM) settings of the zone
   • From the zone, add a virtual network link
   • From the properties of the network interface, modify the options of the DNS servers
   • From the properties of VNET1, modify the options of the DNS servers

A：From the zone, add a virtual network link
https://learn.microsoft.com/en-us/azure/dns/private-dns-overview	

2. You have an Azure subscription that contains the following virtual networks:
   • VNet1 in the West US region. No private DNS zone linked to VNet1.
   • VNet2 in the West US region. A private DNS zone is linked to VNet2 and the link has auto-registration enabled.
   • VNet3 in the East US region. No private DNS zone linked to VNet3.
   You create a private DNS zone named Zone1 in the West US region.
   To which virtual network or virtual networks can you link Zone1 and then enable auto-registration on the link?

https://learn.microsoft.com/en-us/azure/dns/private-dns-overview	
A specific virtual network can be linked to only one private zone if automatic registration of VM DNS records is enabled. You can however link multiple virtual networks to a single DNS zone.

3. You have an Azure private DNS zone named contoso.com that is linked to a virtual network named VNet1 and has auto-registration enabled.
   You deploy a virtual machine that runs Windows Server to VNet1 with the following settings:
   • VM name: VM1
   • Windows Server name: Server1
   • Private IP address: 10.10.1.5
   • Public IP address: 168.61.186.27
   Which DNS record is automatically added to contoso.com?

4. You have the following Azure virtual machines that run Windows Server 2022:
   • Server1- connected to VirtualNET1 and has a Wingtiptoys.com DNS suffix configured in Windows Server 2022
   • Server2- connected to VirtualNET1 and has a Fabrikam.com DNS suffix configured in Windows Server 2022
   • Server3- connected to VirtualNET2 and has a Wingtiptoys.com DNS suffix configured in Windows Server 2022
   • Server4- connected to VirtualNET2 and has a Fabrikam.com DNS suffix configured in Windows Server 2022
   You create a private DNS zone named fabrikam.com and add the following virtual network links to fabrikam.com:
   • Link1- connected to VirtualNET1 and has auto registration enabled
   • Link2- connected to VirtualNET2 and has auto registration enabled
   Which virtual machines will register a DNS record in fabrikam.com?

Server2 and Server4

Secure and isolate access to Azure resources by using network security groups and service endpoints

1. You have Azure subscription that includes virtual network with following subnets:
   • Subnet1, which has connected virtual machine
   • Subnet2, which has connected web app
   • Subnet3, which has connected container instance
   You plan to deploy container instance named container1.
   To which subnets can you connect container1?

Subnet3

2. You have an Azure subscription that includes a network security group named NSG1.
   You plan to add an inbound security rule named Rule1 to NSG1.
   You need to configure a priority for Rule1. Rule1 must have the highest priority for inbound security rules in NSG1.
   Which priority should you configure for Rule1?

100

3. You have an Azure subscription that contains a virtual machine named VM1 and a storage account named storage1.
   You need to ensure that VM1 can access storage1 by using the Azure backbone.
   What should you configure?

service point
https://learn.microsoft.com/zh-cn/training/modules/secure-and-isolate-with-nsg-and-service-endpoints/4-vnet-service-endpoints

4. You have an Azure virtual network named VNET1 has and a network security group (NSG) named NSG1. NSG1 has the following inbound security rules:
   • Rule1 has a priority of 100 and allows port 3389 on TCP protocol from any source and to any destination
   • Rule2 has a priority of 200 and allows ports 80 and 8080 on UDP protocol from any source and to any destination
   • Rule3 has a priority of 300 and denies ports 1-2000 on TCP protocol from any source and to any destination
   • Rule4 has a priority of 400 and allows ports 50-500 on TCP protocol from VirtualNetwork source and to any destination
   • Rule5 has a priority of 500 and allows ports 80 and 443 on TCP protocol from any source and to any destination
   You need to allow http and https connections from the internet to VNET1.
   What should you change for NSG1?

Priority for Rule4 to 250
Protocol for Rule2 to TCP
Priority for Rule3 to 450
Priority for Rule5 to 250     *

6. You have an Azure virtual machine named VM1 that connects to a virtual network named VNET1.
   A network security group (NSG) named NSG1 allows connections to VM1 from VNET1 only.
   You need to add an inbound security rule to NSG1 that meets the following requirements:
   • Allows Azure Backup to back up VM1
   • Minimizes the types of allowed inbound traffic
   What should you use as the source for the inbound security rule?

Network Security Group service tag 

NSG service tag for Azure Backup, now available, aims to ease the process of running backups in an environment locked down using NSGs. With this, you now have the option to simply use the ‘AzureBackup’ tag to allow outbound access to Azure Backup for your workload (SQL Server) agent running inside the VM, instead of managing whitelisting of required IPs. Apart from backup of SQL in VMs, the Azure Backup service tag can also be used when backing up locked down VMs using MARS agent.
https://azure.microsoft.com/en-gb/updates/nsg-service-tag-for-azure-backup-is-now-available/	

Protect your virtual machines by using Azure Backup

1. You have an Azure virtual machine named VM1.
   You plan to backup VM1 by using Azure Backup.
   What is the highest frequency that you can use to back up VM1?

You can back up Windows Server or Windows machines up to three times a day. You can set the scheduling policy to daily or weekly schedules.
You can back up DPM up to twice a day. You can set the scheduling policy to daily, weekly, monthly, and yearly.
You back up Azure VMs once a day.
https://learn.microsoft.com/en-us/azure/backup/backup-azure-backup-faq

2. You have a Recovery Services vault named Recovery1 that includes a backup policy named Policy1.
   You back up several Azure virtual machines to Recovery1 by using Policy1.
   You need to view the Azure Backup reports.
   What should you do first?
   Select only one answer.

- Create an Azure Log Analytics workspace.  *
- Modify the Backup Configuration settings of Recovery1.
- Configure the Diagnostics settings of Recovery1.

 A: Create an Azure Log Analytics workspace

3. You use Azure Backup to back up the following Azure virtual machines:
   • VM1, which runs Windows Server
   • VM2, which runs Windows Server and uses Azure Disk Encryption
   • VM3, which runs Linux
   For which virtual machine or virtual machines can you use item level restore?

VM1 and VM3
https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-encryption

4. You have an Azure subscription that contains the following resources:
   • VM1- a virtual machine that runs Microsoft SQL Server and is deployed in the West US location
   • VM2- a virtual machine that runs Microsoft SQL Server and is deployed in the East US location
   • SQL1- an Azure SQL Server deployed to the West US location
   • Vault1- a Recovery Services vault deployed to the West US location
   Which resources can you back up to Vault1?

VM1 and SQL1
Vault and storage accounts should be in same location.

Configure virtual machine availability

1. You have an Azure subscription named Sub1.
   You plan to deploy a virtual machine scale set named VMSS1. VMSS1 will have 8 instances.
   What is the maximum number of availability zones that VMSS1 can use?

Manage users and groups in Azure Active Directory

1. You have an Azure AD tenant that contains a user named User1. The tenant also contains several user accounts from the Marketing department and the Human Resources department.
   You need to ensure that User1 can manage the users from the Marketing department only.
   What should you use?
   Select only one answer.

A： Administrative units

- Management groups 如果你的组织有多个 Azure 订阅，则可能需要一种方法来高效地管理这些订阅的访问权限、策略和符合性。 管理组提供了订阅上方的治理范围。 你将订阅组织到管理组中，你应用的治理条件会按继承关系级联到所有相关的订阅。
https://learn.microsoft.com/zh-cn/azure/governance/management-groups/overview	

- Administrative units

https://learn.microsoft.com/zh-cn/azure/active-directory/roles/administrative-units	

- Custom Azure AD roles


- Security groups that use dynamic user membership

2. You have an Azure AD tenant. You create a user named Admin1.
   You need to ensure that Admin1 can perform following tasks:
   • Assign licenses to Azure AD groups
   • Reset passwords of Azure AD users
   What Azure AD role should you add to Admin1?
   Select only one answer.

User administrator  *
Billing administrator
License administrator
Helpdesk administrator

3. You have an Azure subscription that contains a user named User1, a resource group named RG1, and a virtual machine named VM1.
   You enable a system-assigned managed identity for VM1.
   To which identities can you assign the Reports reader role?
   Select only one answer.

User1 only    *
User1 and RG1 only
User1 and VM1 only
User1, RG1, and VM1

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference	
https://learn.microsoft.com/en-us/answers/questions/598795/reports-reader-role.html	
Assigning the Report Reader built-in role to a Resource Group or VM isn't possible, because the Report Reader is currently an Azure AD role-based access control (RBAC) role.

4. You have an Azure AD tenant that contains the following identities:
   • User1, a user in Azure AD
   • Group1, a security group that uses dynamic user membership
   • Group2, a Microsoft 365 group that uses assigned membership
   • Group3, a security group that uses assigned membership
   Which identities can be added as members of Group3?
   Select only one answer.

User1 only
User1 and Group1 only  *


User1 and Group2 only
User1, Group1 and Group2

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-manage-groups
We currently don't support:
•	Adding groups to a group synced with on-premises Active Directory.
•	Adding Security groups to Microsoft 365 groups.
•	Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.

5. You have an Azure AD user named User1 and an Azure storage account named storage1 that contains a file share named share1.
   You need to assign the Storage File Data SMB Share Reader role on share1 to User1.
   What should you do first?

•	Change the tier for share1.
•	Modify the Security protocol settings for Azure file shares.
•	Configure identity-based authentication for Azure file shares.
•	From the Azure portal setting on the storage1, modify the Azure AD authorization settings.

6. You have an Azure storage account that contains a blob container named container1.
   You need to configure access to container1.
   Which authorization types can you use?

•	Azure AD only
•	Storage key or shared access signature only
•	Azure AD, shared access signature or certificate only
•	Azure AD, storage key or shared access signature only
•	Azure AD, storage key, shared access signature or certificate