Microsoft AZ-600 Practice Test - Questions Answers, Page 7

E: You can determine whether an update is required for home or guest directories by viewing the directories pane in the admin portal. Each directory listing shows the type of directory. The type can be a home or guest directory, and its status is shown.

F: .Synopsis

Gets the health report of identity application in the Azure Stack home and guest directories .DESCRIPTION Gets the health report for Azure Stack identity applications in the home directory as well as guest directories of Azure Stack. Any directories with an unhealthy status need to have their permissions updated.

.EXAMPLE

$adminResourceManagerEndpoint = "https://adminmanagement.local.azurestack.external"$homeDirectoryTenantName = "<homeDirectoryTenant>.onmicrosoft.com"Get-AzsHealthReport -AdminResourceManagerEndpoint $adminResourceManagerEndpoint `-DirectoryTenantName $homeDirectoryTenantName -VerboseExamples.

Example 1: Get details for a tenant

PS C:\>Get-AzureADTenantDetail

ObjectId DisplayName VerifiedDomains

-------- ----------- ---------------

85b5ff1e-0402-400c-9e3c-0f9e965325d1 Coho Vineyard & Winery {class VerifiedDomain {..

Reference: https://learn.microsoft.com/en-us/azure-stack/operator/enable-multitenancy

https://github.com/Azure/AzureStack-Tools/blob/master/Identity/AzureStack.Identity.psm1

Note: Upgrade GPUs or add to an existing node

The following section provides a high-level overview of the process to add a GPU.

The entire scale unit must be shut down, as a rolling GPU upgrade isn't supported. Stop Azure Stack Hub using the steps documented in the Start and stop Azure Stack Hub article. Add or upgrade the memory on each physical computer using your hardware manufacturer's documentation. Start Azure Stack Hub using the steps in Start and stop Azure Stack Hub.

Note: Stop Azure Stack Hub

Stop or shut down Azure Stack Hub with the following steps:

1. Prepare all workloads running on your Azure Stack Hub environment's tenant resources for the upcoming shutdown.

2. Open a privileged endpoint session (PEP) from a machine with network access to the Azure Stack Hub ERCS VMs. For instructions, see Using the privileged endpoint in Azure Stack Hub.

3. From the PEP, run:

Stop-AzureStack

Wait for all physical Azure Stack Hub nodes to power off.

Note

You can verify the power status of a physical node by following the instructions from the original equipment manufacturer (OEM) who supplied your Azure Stack Hub hardware.

4. (Optional) If the stop operation times out, you can monitor its progress using the following PowerShell cmdlet:

Get-ActionStatus Stop-AzureStack

Reference: https://learn.microsoft.com/en-us/azure-stack/operator/manage-gpu-capacity

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-start-and-stop

Reference:

https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-app-service-add-workerroles?view=azs-2008&tabs=az

Your choice of either Azure AD or AD FS is determined by the mode in which you deploy Azure Stack Hub:

When you deploy it in a connected mode, you can use either Azure AD or AD FS.

When you deploy it in a disconnected mode, without a connection to the internet, only AD FS is supported. E:

Rotate certificate for AD FS identity application

The identity application is created by the operator before deployment of Azure App Service on Azure Stack Hub. If the application's object ID is unknown, follow these steps to discover it:

Go to the Azure Stack Hub administrator portal.

Go to Subscriptions and select Default Provider Subscription.

Select Access Control (IAM) and select the AzureStack-AppService-<guid> application.

Take a note of the Object ID, this value is the ID of the Service Principal that must be updated in AD FS. D: To rotate the certificate for the application in AD FS, you need to have access to the privileged endpoint (PEP). Then you update the certificate credential using PowerShell. # Sign in to PowerShell interactively, using credentials that have access to the VM running the

Privileged Endpoint

$Creds = Get-Credential

# Create a new Certificate object from the identity application certificate exported as .cer file

$Cert = New-Object

System.Security.Cryptography.X509Certificates.X509Certificate2("<CertificateFileLocation>")

# Create a new PSSession to the PrivelegedEndpoint VM

$Session = New-PSSession -ComputerName "<PepVm>" -ConfigurationName PrivilegedEndpoint - Credential $Creds -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US) # Use the privileged endpoint to update the certificate thumbprint, used by the service principal associated with the App Service identity application $SpObject = Invoke-Command -Session $Session -ScriptBlock {Set-GraphApplication -

ApplicationIdentifier "<ApplicationObjectId>" -ClientCertificates $using:Cert}

$Session | Remove-PSSession

# Output the updated service principal details

$SpObject

Reference:

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-identity-overview

https://learn.microsoft.com/en-us/azure-stack/operator/app-service-rotate-certificates

Windows Admin Center is a new, locally-deployed, browser-based management tool set that lets you manage your Windows Servers with no Azure or cloud dependency. Windows Admin Center gives you full control over all aspects of your server infrastructure and is particularly useful for managing servers on private networks that are not connected to the Internet.

Reference:

https://learn.microsoft.com/en-us/azure-stack/operator/operator-access-workstation

You can deploy and use Azure Stack Hub without a connection to the internet. However, with a disconnected deployment, you're limited to an Active Directory Federation Services (AD FS) identity store and the capacity-based billing model. Because multitenancy requires the use of Azure Active Directory (Azure AD), multitenancy isn't supported for disconnected deployments. The implementation of Extension Host requires two wild card SSL certificates, one for the Admin portal and one for the Tenant portal. Note: Certificate requirements

The extension host implements two new domain namespaces to guarantee unique host entries for each portal extension. The new domain namespaces require two additional wildcard certificates to ensure secure communication. The table shows the new namespaces and the associated certificates:

Example:

$regionName = 'east' # The region name for your Azure Stack Hub deployment $externalFQDN = 'azurestack.contoso.com' # The external FQDN for your Azure Stack Hub deployment Starting Certificate Request Process for Deployment CSR generating for following SAN(s):

*.adminhosting.east.azurestack.contoso.com,*.adminvault.east.azurestack.contoso.com,*.blob.east. azurestack.contoso.com,*.hosting.east.azurestack.contoso.com,*.queue.east.azurestack.contoso.co m,*.table.east.azurestack.contoso.com,*.vault.east.azurestack.contoso.com,adminmanagement.east .azurestack.contoso.com,adminportal.east.azurestack.contoso.com,management.east.azurestack.co ntoso.com,portal.east.azurestack.contoso.com Present this CSR to your Certificate Authority for Certificate Generation:

C:\Users\username\Documents\AzureStackCSR\Deployment_east_azurestack_contoso_com_Single CSR_CertRequest_20200710165538.req Certreq.exe output: CertReq: Request Created

Reference:

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-disconnected-deployment

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-extension-host-prepare

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-get-pki-certs

A DNS entry is created for each endpoint in the external DNS zone that's specified at deployment time. For example, the user portal is assigned the DNS host entry of portal.<region>.<fqdn>. * Azure Resource Manager (user)

Management.<region>.<fqdn>

Incorrect:

Not C: Portal (user)

Portal.<region>.<fqdn>

Not A, Not D: Azure Resource Manager (administrator)

Adminmanagement.<region>.<fqdn>

Note: Portal (administrator)

Adminportal.<region>.<fqdn>

Reference:

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-integrate-endpoints

User account policy

The following user account policy is applied to the OAW VM:

Built-in Administrator username: AdminUser

MinimumPasswordLength = 14

PasswordComplexity is enabled

MinimumPasswordAge = 1 (day)

MaximumPasswordAge = 42 (days)

NewGuestName = GUser (disabled by default)

Reference:

https://github.com/MicrosoftDocs/azure-stack-docs/blob/main/azure-stack/operator/operatoraccess-workstation.md

Correct: Solution: From a privileged endpoint (PEP) session, you run

Test-AzureStack –Group "UpdateReadiness".

Use a privileged endpoint (PEP) session and Test-AzureStack with UpdateReadiness.

Note:

Running the validation tool and accessing results

You can use the PEP to run the validation tool. The tool can take a while to run. The length of the time depends on the number of virtual machines in your system. Each test returns a PASS/FAIL status in the PowerShell window. Here's an outline of the end-to-end validation testing process:

1. Establish the trust. On an integrated system, run the following command from an elevated Windows PowerShell session to add the PEP as a trusted host on the hardened VM running on the hardware lifecycle host or the Privileged Access Workstation.

2. Access the PEP.

3. Once you're in the PEP, run:

Test-AzureStack

Groups

To improve the operator experience, a Group parameter has been enabled to run multiple test categories at the same time. Currently, there are three groups defined: Default, UpdateReadiness, and SecretRotationReadiness. UpdateReadiness: A check to see if the Azure Stack Hub instance can be updated. When the UpdateReadiness group is run, warnings are displayed as errors in the console output, and they should be considered as blockers for the update.

Reference:

https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-diagnostic-test?view=azs-2008