Exam AZ-301 topic 2 question 33 discussion

Actual exam question from Microsoft's AZ-301
Question #: 33
Topic #: 2
Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM).
Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant.
The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016.
Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks.
You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).
Solution:
✑ Deploy one Azure key vault to each region
✑ Export two security keys from the on-premises HSM
✑ Import the security keys from the HSM into each Azure key vault
✑ Create two Azure AD service principals
✑ Configure the virtual machines to use Azure Disk Encryption
✑ Specify a different service principal for the virtual machines in each region
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: A
Use the Azure Key Vault Premium tier, which supports keys backed by Hardware Security Modules (HSM).
The key vault has to be in the same region as the VM that will be encrypted.
Note: If you want to use a key encryption key (KEK) for an additional layer of security for the disk encryption keys, add a KEK to your key vault. Use the Add-AzKeyVaultKey cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises key management HSM.
References:
https://www.ciraltos.com/azure-disk-encryption-v2/
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites-aad
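As an added example (not part of the exam answer or of Microsoft's documentation), the following Azure PowerShell script carries out the recommended design: one Premium key vault per region, one HSM-protected KEK per vault, and Azure Disk Encryption enabled on the VMs of that region. It uses the current flow that needs no Azure AD service principal; resource group, vault and key names and the BYOK file path are assumptions.

```powershell
# Added example: per-region Key Vault with HSM-backed KEK, then Azure Disk Encryption.
# All resource names, resource groups and the BYOK file path are assumed values.
$regions = @{
    'westeurope' = @{ Vault = 'kv-app1-weu'; RG = 'rg-app1-weu' }
    'eastus'     = @{ Vault = 'kv-app1-eus'; RG = 'rg-app1-eus' }
}

foreach ($location in $regions.Keys) {
    $vaultName = $regions[$location].Vault
    $rg        = $regions[$location].RG

    # Premium SKU is required for HSM-protected keys. EnabledForDiskEncryption lets the
    # Azure platform read disk encryption secrets from this vault; purge protection
    # stops a deleted vault (and the keys the disks depend on) from being wiped early.
    New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg -Location $location `
        -Sku 'Premium' -EnabledForDiskEncryption -EnablePurgeProtection

    # One KEK per region. Either generate it inside the vault's HSM ...
    $kek = Add-AzKeyVaultKey -VaultName $vaultName -Name 'kek-app1' -Destination 'HSM'
    # ... or import the package exported from the on-premises HSM (assumed file name):
    # $kek = Add-AzKeyVaultKey -VaultName $vaultName -Name 'kek-app1' `
    #            -KeyFilePath 'C:\byok\kek-app1.byok' -Destination 'HSM'

    $vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg

    # Encrypt every VM in the region's resource group. Vault and VM must share a region,
    # so refuse to continue if a VM has ended up somewhere else.
    foreach ($vm in Get-AzVM -ResourceGroupName $rg) {
        if ($vm.Location -ne $location) { throw "VM $($vm.Name) is not in $location" }
        Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm.Name `
            -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
            -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $vault.ResourceId `
            -VolumeType 'All' -Force
    }
}

# Verify: OsVolumeEncrypted and DataVolumesEncrypted should report Encrypted for every VM.
foreach ($location in $regions.Keys) {
    $rg = $regions[$location].RG
    Get-AzVM -ResourceGroupName $rg |
        ForEach-Object { Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $_.Name }
}
```

The encryption extension needs the vault to be in the same region as the VM, which is why the script is driven by region rather than by a single vault.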

Comments

Wildsheep
Highly Voted 4 years, 11 months ago
The answer given is correct. However, this method is now deprecated. You no longer need service principals to store your disk encryption keys in the key vault: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault-aad
upvoted 10 times
ct84
4 years, 11 months ago
This is an important point to remember!
upvoted 2 times
glam
Most Recent 4 years, 5 months ago
A. Yes
upvoted 1 times
ysm
5 years, 4 months ago
How can we use only two service principals for 10 VMs?
upvoted 1 times
Andy001
5 years, 4 months ago
The answer is correct. Please have a look at the term "user-assigned managed identity" https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
upvoted 7 times
HemantArora
5 years ago
The explanation is linked to service principals and not managed identities.
upvoted 1 times
tartar
4 years, 9 months ago
A is ok
upvoted 2 times