Topic 4: Mix Questions
You have a Microsoft Entra tenant. You need to prevent nonprivileged Microsoft Entra users from creating service principals in Microsoft Entra ID.
A. From the Properties blade, set Enable Security defaults to Yes.
B. From the Properties blade, set Access management for Azure resources to No.
C. From the User settings blade, set Restrict access to Microsoft Entra ID administration portal to Yes.
D. From the User settings blade, set Users can register applications to No.
You have an Azure subscription that contains the resources shown in the following table.
You plan to use service endpoints and service endpoint policies.
Which resources can be accessed by using a service endpoint, and which resources
support service endpoint policies? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
You have an Azure subscription that contains a
You need to grant user1 access to blob1. The solution must ensure that the access expires
after six days.
What should you use?
A. a shared access policy
B. a shared access signature (SAS)
C. role-based access control (RBAC)
D. a managed identity
You have an Azure subscription that contains three storage accounts named storage1,
storage2, and storage3, three Log Analytics workspaces named Analytics1, Analytics2,
Analytics3, and three Azure event hubs named EventHub1, EventHub2, and EventHub3.
For Microsoft Entra ID, you create the diagnostic settings shown in the following table.
You plan to use Azure Resource Manager templates to perform multiple deployments of
identically configured Azure virtual machines. The password for the administrator account
of each deployment is stored as a secret in different Azure key vaults.
You need to identify a method to dynamically construct a resource ID that will designate the
key vault containing the appropriate secret during each deployment. The name of the key vault
and the name of the secret will be provided as inline parameters.
What should you use to construct the resource ID?
A. a key vault access policy
B. a linked template
C. a parameters file
D. an automation account
You have an Azure subscription that contains the resources shown in the following table.
You perform the following tasks:
Create a managed identity named Managed1.
Create a Microsoft 365 group named Group1.
You need to identify which service principals were created and which identities can be
assigned the Reader role for RG1. What should you identify? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.
You have a Microsoft Entra tenant that contains the users shown in the following table.
All the users have devices that contain certificates issued by a certification authority (CA)
named ContosoCA. You create a Conditional Access policy that has the following settings:
• Name: CAPolicy1
• Assignments
o Users and groups: Group1
o Target resources
* Include: All cloud apps
o Access controls
* Grant access: Require multi-factor authentication
o Enable policy: On
You enable and target certificate-based authentication as shown in the Enable and Target
exhibit. (Click the Enable and Target tab.)
You configure certificate-based authentication as shown in the Configure exhibit. (Click the
Configure tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select
No. NOTE: Each correct selection is worth one point.
You have an Azure subscription that is linked to a Microsoft Entra tenant. The tenant
contains the groups shown in the following table.
The servers are configured for Microsoft Entra-only authentication.
For each of the following statements, select Yes if the statement is true. Otherwise, select
No.
NOTE: Each correct selection is worth one point.
You have a management group named MG1 that contains an Azure subscription named
Sub1.
Sub1 contains the resources shown in the following table.
You create an Azure Virtual Network Manager instance named AVNM1 that has the
following configurations:
• Management scope: MG1
• Network groups:
o Name: Group1
Group members: VNet1
• Security admin configuration:
o Name: SA1
o Rule collections:
Name: SACollection1
Target network groups: Group1
Security admin rules:
Name: SARule1
Priority: 500
Action: Deny
Direction: Inbound
Source type: Any
Source port: *
SA1 is deployed to all Azure regions.
You create a Virtual Network Manager instance named AVNM2 that has the following
configurations:
• Management scope: Sub1
• Network groups:
o Name: Group2
Group members: VNet1
• Security admin configuration:
o Name: SA2
o Rule collections:
Name: SACollection2
Target network groups: Group2
Security admin rules:
Name: SARule2
Priority: 500
Action: Always allow
Direction: Inbound
Source type: Any
Source port: *
SA2 is deployed to all Azure regions.
For each of the following statements, select Yes if the statement is true. Otherwise, select
No.
NOTE: Each correct selection is worth one point.
You have the Azure virtual machines shown in the following table.
For which virtual machines can you enable Update Management?
A. VM2 and VM3 only
B. VM2, VM3, and VM4 only
C. VM1, VM2, and VM4 only
D. VM1, VM2, VM3, and VM4
E. VM1, VM2, and VM3 only