Practice Test #5

Answering "No" would imply that the Owner role at the subscription scope is insufficient to enable Traffic Analytics, which is not accurate. Owner provides broad permissions to create, update, and configure the required Network Watcher and Log Analytics-related resources and settings. While some scenarios can fail if permissions are limited to a narrower scope or different subscription, the question explicitly assigns Owner at the subscription level, which is the highest practical RBAC scope for that subscription. Thus, "No" does not align with Azure RBAC capabilities for this task.

The operating system is defined by the image or OS disk configuration captured in the template. A template created from an existing Windows Server 2019 VM will deploy a VM based on that same OS configuration unless the template itself is edited to reference a different image. The question does not indicate that the template was modified to make the OS selectable. Therefore, operating system is not something you can configure during deployment in this scenario.

The administrator username is part of the VM's OS profile in the template. Although ARM templates can be manually authored to parameterize admin credentials, a saved template from an existing VM does not imply that this field is exposed for change during deployment. In exam wording, you should not assume optional parameterization unless it is explicitly stated. Therefore, administrator username is not a guaranteed configurable setting here.

Virtual machine size is stored in the VM hardware profile within the template generated from VM1. While it is technically possible to edit a template to change the size or author the template with a size parameter, the question asks what can be configured during deployment from the saved template as given. Without explicit parameterization, VM size is not assumed to be selectable in the deployment experience. Therefore, virtual machine size is not the best answer for this exam question.

Incorrect. User1 (the joiner) is indeed added to the local Administrators group, but Global Administrators are also granted local admin rights on all Azure AD–joined devices by default. Therefore, User2 must be included as well, making “User1 only” incomplete.

Incorrect. Global Administrators (User2) do have local admin rights on Azure AD–joined devices, but the user who performs the Azure AD join (User1) is also added to the local Administrators group on that specific device. So “User2 only” omits User1.

Incorrect. User3 is a Cloud device administrator, but that role is not automatically added to the local Administrators group on Azure AD–joined devices unless configured via “Additional local administrators on Azure AD joined devices” (or another explicit local admin assignment). Since the setting is None, User3 is not included.

Incorrect. Neither Cloud device administrator (User3) nor Intune administrator (User4) are automatically members of the local Administrators group on Azure AD–joined devices by default. They would only be included if explicitly configured (for example, via the “Additional local administrators…” setting), which is set to None.

Incorrect. Adding a custom domain (e.g., contoso.com) is useful for branding, UPNs, and DNS verification, but it does not control B2B guest invitation authorization. Guests can be invited using Microsoft accounts or other identities regardless of whether the tenant has a custom domain configured.

Incorrect. Adding an identity provider in Organizational relationships is used to configure federation/trust for specific external identity sources (and in some cases cross-tenant access settings). It is not the primary control for enabling/disabling guest invitations for Microsoft accounts, and it won’t fix a tenant policy that blocks invitations.

Incorrect. The Security administrator role manages security-related settings (e.g., security policies, alerts) but does not inherently grant permission to invite B2B guest users. Guest invitation capability is controlled by External collaboration settings and/or roles like Global Administrator, User Administrator (depending on policy), or Guest Inviter.

Changing the priority of the RDP rule is unnecessary because the current priority of 300 is already evaluated before the default inbound rules at 65000 and higher. That means the allow rule for TCP 3389 will match before DenyAllInBound is considered. There is no evidence of another higher-priority deny rule blocking RDP traffic. Adjusting the priority would not address the actual prerequisite that the VM must be running.

Attaching a network interface is not the correct first action because the question states that the network interface named vm1173 has already been added to VM1. The exhibit confirms the NIC exists, has a private IP, a public IP association, and an NSG applied. Since the NIC is already attached, repeating that action would not help establish connectivity. The more immediate issue is that the VM must be powered on to accept RDP.

Deleting the DenyAllInBound rule is incorrect because it is a default NSG rule intended to block traffic not explicitly allowed. Azure NSG processing is priority-based, so the explicit RDP allow rule at priority 300 takes precedence over the default deny at 65500. Removing the default deny would weaken security and is not required for RDP to function. The presence of DenyAllInBound does not prevent traffic that matches the existing allow rule.

Not first. RG1 IAM is where you ultimately grant permissions (role assignment) so VM1’s identity can manage RG1 resources. However, you can’t assign a role to VM1’s managed identity until that identity exists. The correct sequence is: enable managed identity on VM1, then configure RG1 IAM to grant the required role.

Incorrect. Setting IAM on VM1 controls who can manage VM1 (the VM resource) and does not grant VM1 permission to manage other resources in RG1. RBAC must be assigned at the scope of the resources being accessed (RG1). VM1’s own IAM settings won’t allow a process on VM1 to deploy/manage resources in the resource group.

Incorrect. Azure Policy is used to enforce standards and assess compliance (e.g., allowed SKUs, required tags, deny public IPs). It does not grant an identity permissions to manage resources. Even with policies configured, the service on VM1 still needs RBAC permissions via a managed identity and role assignment.

Modifying Groups in the Azure Active Directory blade changes group membership and group objects in the tenant. While adding Admin1 to a group can be part of an access strategy, it does not by itself grant permissions to Azure resources. You would still need an RBAC role assignment for that group at the subscription (or other) scope. Therefore, this option is incomplete for meeting an access requirement.

Azure Active Directory Properties controls tenant-level settings (for example, directory properties, user settings, and some administrative configurations). These settings do not grant Admin1 permissions to manage Azure resources within a subscription. Resource access is governed by Azure RBAC role assignments, not by changing Azure AD tenant properties. This is a common confusion between identity configuration and authorization to Azure resources.

Subscription Properties typically includes subscription metadata such as subscription name, offer type, and sometimes directory association context, but it does not manage RBAC permissions. Changing properties will not grant Admin1 any ability to create, modify, or delete resources. For authorization requirements, you must use Access control (IAM) to create role assignments at the appropriate scope.