Question 1

You work for an open source development company. You use Microsoft Azure for a
variety of storage needs. Up to now, all the storage was used for internal purposes
only. It is organized in block blobs. Each block blob is in its own container. Each
container is set to default settings. In total, you have 50 block blobs. The
company has decided to provide read access to the data in the block blobs, as part
of releasing more information about their open source development efforts. You need
to reconfigure the storage to meet the following requirements:

● All block blobs must be readable by anonymous internet users.

You need to configure the storage to meet the requirements. What should you do?
Select one:
Create a new container, move all the blobs to the new container, and then set the
public access level to Blob.
Set the public access level to Blob on all the existing containers.
Create a new shared access signature for the storage account and then set the
allowed permissions to Read, set the allowed resource types to Object, and set the
allowed services to Blob.
Create a new access key for the storage account and then provide the connection
string in the storage connectivity information to the public.

Correct!

In this scenario, you need to reconfigure 50 containers. While you can do that, it
goes against the requirement to reduce the administrative overhead of future access
changes. A shared access signature could work here, but not with the settings
outlined in the answer choice. An access key is meant for use by your apps when
communicating internally in Azure to the storage. In this scenario, you should
create a new container, move the existing blobs, and then set the public access
level to Blob. In the future, when access changes are required, you can configure
the single container (which would contain all blobs).

Question 2
Your company is planning to storage log data, crash dump files, and other
diagnostic data for Azure VMs in Azure. The company has issued the following
requirements for the storage:

● Administrators must be able to browse to the data in File Explorer.

● Access over SMB 3.0 must be supported.
● The storage must support quotas.

You need to choose the storage type to meet the requirements. Which storage type
should you use?
Select one:
Azure Files
Table storage
Blob storage
Queue storage

Correct!

Azure Files supports SMB 3.0, is reachable via File Explorer, and supports quotas.
The other storage types do not support the requirements. While blob storage is good
for unstructured data, it cannot be accessed over SMB 3.0.

Question 3
Your company provides cloud software to audit administrative access in Microsoft
Azure resources. The software logs all administrative actions (including all clicks
and text input) to log files. The software is about to be released from beta and
the company is concerned about storage performance. You need to deploy a storage
solution for the log files to maximize performance. What should you do?
Select one:
Deploy Azure Files using SMB 3.0.
Deploy Azure Table Storage.
Deploy Azure Queues Storage.
Deploy blob storage using block blobs.
Deploy blob storage using append blobs.

Correct!

Append blobs optimize append operations (writes adding onto a log file, for
example). In this scenario, the company needs to write data to log files, most
often appending data (until a new log file is generated). Block blobs are cost
efficient but not designed specifically for append operations, so performance isn't
as high. Queue Storage is used for apps to communicate. Table Storage is a NoSQL
database but not optimized for this scenario. Azure Files is geared for SMB
storage, such as from Windows Servers but doesn't offer the optimized solution that
append blobs do.

Question 4
Your company is building an app in Azure. The app has the following storage
requirements:

● Storage must be reachable programmatically through a REST API.

● Storage must be globally redundant.
● Storage must be accessible privately within the company's Azure environment.
● Storage must be optimal for unstructured data.

Which type of Azure storage should you use for the app?
Select one:
Azure Data Lake store
Azure Table Storage
Azure Blob Storage
Azure File Storage

Correct!

Azure Blob Storage is optimal for unstructured data and meets the requirements for
the company's app. Azure Data Lake supports some of the requirements, such as
unstructured data and REST API access. However, Azure Data Lake is geared for
analytics workloads and is only available as locally-redundant (multiple copies of
data in a single Azure region).

Question 5
You use a Microsoft Azure storage account for storing large numbers of video and
audio files. You create containers to store each type of file and want to limit
access to those files for specific periods. Additionally, the files can only be
accessed through shared access signatures (SAS). You need the ability to revoke
access to the files and to change the period for which users can access the files.
What should you do in order to accomplish this in the most simple and effective
way?
Select one:
Create an SAS for each user and delete the SAS when you want to prevent access.
Use Azure Rights Management Services (RMS) to control access to each file.
Implement stored access policies for each container to enable revocation of access
or change of duration.
Periodically regenerate the account key to control access to the files.
Correct!

You should implement stored access policies which will let you change access based
on permissions or duration by replacing the policy with a new one or deleting it
altogether to revoke access. While Azure RMS would protect the files, there would
be administrative complexity involved whereas stored access policies achieves the
goal in the simplest way. Creating a SAS for each user would also involve a great
amount of administrative overhead. Regenerating keys would prevent all users from
accessing all files at the same time.

Question 6
You need to provide a contingent staff employee temporary read-only access to the
contents of an Azure storage account container named media. It is important that
you grant access while adhering to the security principle of least-privilege. What
should you do?
Select one:
Set the public access level to Container.
Generate a shared access signature (SAS) token for the container.
Share the container entity tag (Etag) with the contingent staff member.
Configure a Cross-Origin Resource Sharing (CORS) rule for the storage account.

Correct!

You should generate a SAS token for the container which provides access either to
entire containers or blobs. You should not share the Etag with the contingent staff
member. Azure uses Etags to control concurrent access to resources and do not
deliver the appropriate security controls. Setting the public access level to
Container would not conform to the principle of least privilege as the container
now becomes open to public connections with no time limitation. CORS is a Hypertest
Transfer Protocol (HTTP) mechanism that enables cross-domain resource access but
does not provide security-based resource access control.

Question 7
You are using blob storage. Which of the following is true?
Select one:
The cool access tier is for frequent access of objects in the storage account.
The hot access tier is for storing large amounts of data that is infrequently
accessed.
The performance tier you select does not affect pricing.
You can switch between hot and cool performance tiers at any time.

Correct!

You can switch between performance tiers at any time. Changing the account storage
tier from cool to hot incurs a charge equal to reading all the data existing in the
storage account. However, changing the account storage tier from hot to cool incurs
a charge equal to writing all the data into the cool tier (GPv2 accounts only).

Question 8
You are planning a delegation model for your Azure storage. The company has issued
the following requirements for Azure storage access:

● Apps in the non-production environment must have automated time-limited access

● Apps in the production environment must have unrestricted access to storage
resources

You need to configure storage access to meet the requirements. What should you do?
Each answer presents part of the solution. Select two:
Use shared access signatures for the non-production apps.
Use shared access signatures for the production apps.
Use access keys for the non-production apps.
Use access keys for the production apps.
Use Stored Access Policies for the production apps.
Use Cross Origin Resource Sharing for the non-production apps.

Correct!

Shared access signatures provide a way to provide more granular storage access than
access keys. For example, you can limit access to “read only” and you can limit the
services and types of resources. Shared access signatures can be configured for a
specified amount of time, which meets the scenario’s requirements. Access keys
provide unrestricted access to the storage resources, which is the requirement for
production apps in this scenario.

Question 9
Your company has a file server named FS01. The server has a single shared folder
that users' access to shared files. The company wants to make the same files
available from Microsoft Azure. The company has the following requirements:

● Microsoft Azure should maintain the exact same data as the shared folder on FS01.

● Files deleted on either side (on-premises or cloud) shall be subsequently and

automatically deleted from the other side (on-premises or cloud).

You need to implement a solution to meet the requirements. What should you do?
Select one:
Deploy DFS Namespaces.
Install and use AZCopy.
Deploy Azure File Sync.
Install and use Azure Storage Explorer
Deploy storage tiering.

Correct!

In this scenario, only Azure File sync can keep FS01 and Azure synced up and
maintaining the same data. While AZCopy can copy data, it isn't a sync solution to
have both sources maintain the exact same files. Storage tiering is used for
internal tiering (SSD and HDD, for example). While DFS Replication could fit here,
DFS Namespace doesn't offer the replication component. Storage Explorer is a tool
for managing different storage platforms.

Question 10
Which of the following replicates your data to a secondary region, maintains six
copies of your data, and is the default replication option.
Select one:
Locally-redundant storage
Geo-redundant storage
Read-access geo-redundant storage
Zone-redundant storage

Correct!

Read-access geo-redundant storage (GRS) is the default replication option.

Question 11
You have an existing storage account in Microsoft Azure. It stores unstructured
data. You create a new storage account. You need to move half of the data from the
existing storage account to the new storage account. What tool should you use?
Select one:
Use the Azure portal
Use File Server Resource Manager
Use the Robocopy command-line tool
Use the AzCopy command-line tool

Correct!

The key in this scenario is that you need to move data between storage accounts.
The AzCopy tool can work with two different storage accounts. The other tools do
not copy data between storage accounts. Alternatively, although not one of the
answer choices, you can use Storage Explorer to copy data between storage accounts.