Microsoft - AZ-801: Configuring Windows Server Hybrid Advanced Services
Sample Questions
Question: 183
Measured Skill: Monitor and troubleshoot Windows Server environments (20-25%)
You have an on-premises server named Server1 that runs Windows Server.
You have a Microsoft Sentinel workspace named Sentinel1.
You need to collect Windows Defender Firewall events from Server1 to Sentinel1.
Which two pages should you use in the Azure portal?
(To answer, select the appropriate pages in the answer area. NOTE: Each correct selection is worth one point.)
A | Content hub |
B | Repositories |
C | Workspace manager (Preview) |
D | Data connectors |
E | Automation |
F | Settings |
Correct answer: A, D
Explanation:
After you onboard Microsoft Sentinel into your workspace, use data connectors to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many out of the box connectors for Microsoft services, which integrate in real time.
To add more data connectors, install the solution associated with the data connector from the Content Hub.
From Content hub, we need to install the Windows Firewall solution. Installing this solution will deploy two data connectors:
- Windows Firewall Events via AMA - This data connector helps in ingesting Windows Firewall Events into your Log Analytics Workspace using the new Azure Monitor Agent.
- Windows Firewall - This solution installs the data connector to ingest Windows Firewall events using the Windows Firewall solution for Azure.
From Data Connectors, we need to integrate the Windows Firewall Events via AMA connector and configure a data collection rule that enables the collection of one or more firewall profiles from Server1.

References:
Microsoft Sentinel data connectors
Windows Firewall
Question: 184
Measured Skill: Monitor and troubleshoot Windows Server environments (20-25%)
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains servers that run Windows Server as shown in the following table.

You need to implement Microsoft Defender for Identity. The solution must meet the following requirements:
- Ensure that all AD DS authentication events are captured.
- Prevent the use of port mirroring.
What should you create in the domain, and what is the minimum number of Defender for Identity sensors that you should deploy?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A | Create: A computer object
Number of sensors to deploy: 1 |
B | Create: A computer object
Number of sensors to deploy: 4 |
C | Create: A group managed service account (gMSA)
Number of sensors to deploy: 2 |
D | Create: A group managed service account (gMSA)
Number of sensors to deploy: 4 |
E | Create: A service principal name (SPN)
Number of sensors to deploy: 3 |
F | Create: A service principal name (SPN)
Number of sensors to deploy: 1 |
Correct answer: D
Explanation:
Microsoft Defender for Identity uses Directory Service Accounts (DSAs). For example, when you have a DSA configured, the DSA is used to connect to the domain controller at startup. A DSA can also be used to query the domain controller for data on entities seen in network traffic, monitored events, and monitored ETW activities.
Defender for Identity uses sensors to collect signals from your on-premises identity infrastructure to detect threats. There are two types of sensors.
Microsoft Defender for Identity sensor
This is the recommended sensor type. The Defender for Identity sensor must be installed on each domain controller including read-only domain controllers (RODCs), each Active Directory Federation Services (AD FS) server, each Active Directory Certificate Services (AD CS) server, and on each Entra Connect server.
Use the table below to select the recommended sensor version.

Microsoft Defender for Identity standalone sensor
Standalone sensors can be installed on servers that are in a workgroup and are capable of monitoring multiple domain controllers. The usage of standalone sensors requires the use of port mirroring.
References:
Directory Service Accounts for Microsoft Defender for Identity
Microsoft Defender for Identity deployment overview
Question: 185
Measured Skill: Monitor and troubleshoot Windows Server environments (20-25%)
You have an Azure subscription that contains two virtual machines named VM1 and VM2. VM1 runs Windows Server. VM2 runs Ubuntu Linux.
You need to monitor VM1 and VM2 by using VM insights. The solution must meet the following requirements:
- Ensure that you can monitor the memory usage on VM1.
- Ensure that you run the Map feature on VM2.
The solution must minimize the number of agents required for each virtual machine.
Which agents are required on each virtual machine?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A | VM1: The Azure Connected Machine Agent only
VM2: The Azure Linux VM Agent only |
B | VM1: The Azure Monitor Agent only
VM2: The Azure Linux VM Agent only |
C | VM1: The Azure Monitor Agent only
VM2: The Azure Monitor Agent and Dependency Agent only |
D | VM1: The Azure Monitor Agent and Dependency Agent only
VM2: The Azure Monitor Agent only |
E | VM1: The Azure Monitor Agent, Dependency Agent, and Azure Connected Machine
VM2: The Azure Monitor Agent only |
F | VM1: The Azure Monitor Agent, Dependency Agent, and Azure Connected Machine
VM2: The Azure Monitor Agent, Dependency Agent, and Azure Linux VM Agent |
Correct answer: C
Explanation:
The Azure Monitor Agent collects monitoring data from the guest operating system of Azure and hybrid virtual machines (VMs). It delivers the data to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud.
The Azure Monitor Agent can be installed on Windows and Linux virtual machines.
The Azure Monitor Agent for Windows supports the following data sources:
- Event Logs
- Performance
- File-based logs
- Internet Information Services (IIS) logs
The Azure Monitor Agent for Linux supports the following data sources:
- Syslog
- Performance
- File-based logs
The Azure Monitor for VMs Map feature gets its data from the Microsoft Dependency agent. The Azure VM Dependency agent virtual machine extension for Linux installs the Dependency agent on Azure virtual machines.
References:
Azure Monitor Agent overview
Install and manage the Azure Monitor Agent
Azure Monitor Dependency virtual machine extension for Linux
Question: 186
Measured Skill: Secure Windows Server on-premises and hybrid infrastructures (25-30%)
You have an Active Directory Domain Services (AD DS) domain that contains 1,000 users.
The domain has the following password requirements:
- The minimum password length must be 12 characters.
- Passwords must expire in 90 days.
- Passwords must be complex.
You need to ensure that the members of a security team have passwords that meet the following requirements:
- The minimum password length must be 16 characters.
- Passwords must expire in 60 days.
- Passwords must be complex.
The solution must minimize the impact on users who are NOT members of the security team.
What should you do?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A | Implement: Fine-grained password policy
By using: Group Policy Object Editor |
B | Implement: Fine-grained password policy
By using: Active Directory Administrative Center |
C | Implement: The Kerberos Policy policy group
By using: Active Directory Domains and Trust |
D | Implement: The Password Policy policy group
By using: Active Directory Users and Computers |
E | Implement: WMI filters on a Group Policy Object (GPO)
By using: Active Directory Administrative Center |
F | Implement: WMI filters on a Group Policy Object (GPO)
By using: Active Directory Users and Computers |
Correct answer: B
Explanation:
The Password Policy settings configured in the Default Domain Policy apply to all domain users. We need to ensure that these settings are configured to meet the domain password requirements.
To configure different password requirements for the members of the security team, we can configure and assign a fine-grained password policy, which is also referred to as a Password Settings Object (PSO).
Fine Grained Password policies provide you with a way to define different password and account lockout policies for different sets of users in a domain. You can use fine grained password policies to specify multiple password policies within a single domain. You can also apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users.
Fine-grained password policies apply only to global security groups and user objects. By default, only members of the Domain Admins group can set fine grained password policies. However, you can also delegate the ability to set these policies to other users.
To create a fine grained password policy, you use the Active Directory Administrative Center (dsac.exe).

Reference: Configure fine grained password policies for Active Directory Domain Services
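The same PSO can also be created and verified with the ActiveDirectory PowerShell module instead of the Active Directory Administrative Center. This is an added example, not part of the original question or its references; the PSO name `SecurityTeam-PSO`, the group name `Security Team` and the precedence value are assumptions.

```powershell
# Added example: the PSO name, group name and precedence are assumed values.
Import-Module ActiveDirectory

$psoName   = 'SecurityTeam-PSO'   # hypothetical PSO name
$groupName = 'Security Team'      # hypothetical group holding the security team

# PSOs apply only to user objects and global security groups, so check the
# target group before linking; a PSO linked to another group type has no effect.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "'$groupName' must be a global security group to receive a PSO."
}

# Requirements from the question: 16 characters, 60-day expiry, complexity on.
# Reversible encryption is set explicitly rather than left to the cmdlet default.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 16 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# Link the PSO to the group only; all other users stay on the domain policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify: report the resultant policy for every user in the group. An empty
# AppliedPolicy means the user still falls back to the Default Domain Policy.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User          = $_.SamAccountName
            AppliedPolicy = $resultant.Name
            MinLength     = $resultant.MinPasswordLength
            MaxAgeDays    = $resultant.MaxPasswordAge.Days
        }
    }
```

If a user is covered by more than one PSO, the one with the lowest precedence number wins, so the verification step is what confirms the 16-character policy is the one in force.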
Question: 187
Measured Skill: Migrate servers and workloads (20-25%)
You have an on-premises Hyper-V deployment that hosts multiple virtual machines.
You have an Azure subscription that contains an Azure Migrate project named Project1.
You plan to migrate the virtual machines to Azure by using Project1.
You need to discover all the Hyper-V hosts and virtual machines running in your environment. The solution must minimize administrative effort.
What should you do first?
A | Register an appliance. |
B | Create a private endpoint. |
C | Generate a project key. |
D | Deploy an Azure Network Adapter. |
Correct answer: A
Explanation:
To discover all Hyper-V hosts and virtual machines in your on-premises environment using Azure Migrate, you first need to deploy the Azure Migrate: Discovery and assessment tool, a lightweight Azure Migrate appliance.
You deploy the appliance as a server on a Hyper-V host, to continuously discover servers and their performance metadata, applications that are running on servers, server dependencies, web apps, and SQL Server instances and databases.
References:
Discovery methods in Azure Migrate
Tutorial: Discover servers running on Hyper-V with Azure Migrate: Discovery and assessment