Overall explanation

Option 4 is the correct choice. Microsoft Entra Identity Protection can be utilized to enforce password changes for users accessing the Internet from anonymous IP addresses. Microsoft Entra Identity Protection consists of three key components:

• Automating the detection and resolution of identity-related risks.

• Investigating risks through the portal's data.

• Exporting risk detection data to other tools.

Option 1 is incorrect. Microsoft Entra Connect Health is designed for monitoring identity governance or on-premises identity infrastructure, and does not fulfill the requirements for this scenario. The Microsoft Entra Connect Health portal provides alerts, performance monitoring, usage analytics, and other important information.

Option 2 is not applicable. Privileged identity management in Microsoft Entra offers just-in-time access, protection against malicious activities, and real-time review of privileged roles, but it does not meet the requirements for this case.

Option 3 is also not applicable. Azure Advanced Threat Protection is a service that safeguards organizations against security threats and identity breaches, but it does not fit the requirements for this scenario.

[Reference]

What is Azure Active Directory Identity Protection? - Microsoft Entra | Microsoft Learn

Domain

Describe Azure management and governance

Overall explanation

Option 1 is the correct answer. Cloud services like Azure offer the flexibility to align system costs from capital expenditure (CapEx) to operational expenditure (OpEx). For example, the cost of data center equipment, which would normally mean the purchasing of physical servers, is a capital expenditure. However, by launching virtual servers on Azure, it is possible to convert capital expenditure into operational expenditure.

Option 2 is incorrect. Two Azure virtual machines of the same size do not always have the same monthly cost. This is because the price of the virtual machine depends on the region where it is located, and the size used. Each region in Azure has different costs.

Option 3 is incorrect. Even if you shut down your Azure virtual machine, you'll continue to be charged for storage costs if you don't stop this storage.

Option 4 is incorrect. Azure Advisor informs you of unused resources that can be removed from use.

[Reference]

Preparing for what’s next: Financial considerations for cloud migration | Azure Blog and Updates | Microsoft Azure

Domain

Describe cloud concepts

Overall explanation

Option 3 is the correct answer. With Microsoft Entra Identity Protection, you can enforce MFA conditions during user authentication. Microsoft Entra Identity Protection is also used for risk detection. Specifically, it can detect anonymous IP address logins, unfamiliar sign-ins, compromised credentials, and more.

Microsoft Entra Multi-Factor Authentication uses a username, password and other factors to enforce user authentication. This provides a second layer of security when users sign in.

In order for the user to be able to respond to their MFA prompts, the user must first be signed up for Microsoft Entra Multi-Factor Authentication. Combine Multi-Factor Authentication with Microsoft Entra Identity Protection for more secure settings such as conditional MFA.

Option 1 is incorrect. Azure Monitor is a service that collects application monitoring data (data about the performance and functionality of the code you write, regardless of platform). This answer does not meet the requirements of this case.

Option 2 is incorrect. Microsoft Defender for Cloud is an integrated infrastructure security management system that strengthens your data center security situation. This is a threat prevention feature that can add protection across hybrid workloads in the Azure cloud and on-premises environments. This answer does not meet the requirements of this case.

Option 4 is incorrect. Microsoft Defender for Identity is used to monitor and analyze network-wide user activity and information, such as permissions and group memberships. This answer does not meet the requirements of this case.

[Reference]

Configure the MFA registration policy - Azure Active Directory Identity Protection - Microsoft Entra | Microsoft Learn

Domain

Describe Azure management and governance

Overall explanation

Option 3 is the correct answer. Azure Resource Manager is a service that manages the creation, update, and deletion of Azure resources to maintain consistency across your Azure environment. Protect deployed Azure resources with management features such as access control, locking, and tags for Azure resources. Azure Resource Manager deploys objects to your cloud infrastructure and maintains consistency across your Azure environment.

Option 1 is incorrect. Azure Policy is a function that sets and evaluates rules for compliance when an organization uses Azure resources. Evaluate resources in Azure by comparing their properties against business rules.

Option 2 is incorrect. A resource group is a group that manages related resources of an Azure solution.

Option 4 is incorrect. A management group is a group for integrated management of multiple subscriptions. When you combine multiple subscriptions into a management group, any governance conditions you apply will cascade through inheritance to all associated subscriptions.

[Reference]

Azure Resource Manager | Microsoft Azure

Domain

Describe Azure management and governance

Overall explanation

Option 3 is the correct answer. A local network gateway can be used to specify the IP address of the VPN device for your virtual network. This allows Azure to identify the VPN appliance using the IP address 136.168.103.1.

Option 1 is incorrect. A route table is for routing information saved in a router. This is a table to refer to when performing routing processing. It does not identify the IP address of the VPN appliance.

Option 2 is incorrect. Application gateways are used to load balance traffic to various web applications. It does not identify the IP address of the VPN appliance.

Option 4 is incorrect. Network interfaces allow Azure virtual machines to communicate with internet, Azure, and on-premises resources. It does not identify the IP address of the VPN appliance.

[Reference]

Tutorial - Connect an on-premises network and a virtual network: S2S VPN: Azure portal - Azure VPN Gateway | Microsoft Learn

Domain

Describe Azure architecture and services

Overall explanation

Option 3 is the correct answer. Azure Policy does not affect pre-applied configurations. So, in this case, VNET-A was already created before the Azure policy was created, so it works fine with or without the policy. However, MyRG01 does not allow virtual network creation after the policy is applied.

Azure Policy is a function that sets and evaluates rules for compliance when an organization uses Azure resources. Evaluate resources in Azure by comparing their properties against business rules.

[Reference]

Overview of Azure Policy - Azure Policy | Microsoft Learn

Evaluate the impact of a new Azure Policy definition - Azure Policy | Microsoft Learn

Domain

Describe Azure management and governance

Overall explanation

Option 2 is the correct answer. Azure Functions is a serverless platform that allows you to build applications with just code (without server settings). You can build event-driven applications. Users can execute simple work processing applications such as data registration processing simply by setting the execution code in Azure Functions.

Option 1 is incorrect. Azure App Service is a fully managed development platform for building, deploying and scaling web apps.

Option 3 is incorrect. Azure DevOps is a service for development and operations that enables DevOps work using the latest set of development services.

Option 4 is incorrect. Azure Monitor is a monitoring service for monitoring applications, infrastructure and networks on Azure.

[Reference]

Getting started with Azure Functions | Microsoft Learn

Domain

Describe Azure architecture and services