Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

AZ-801 by Microsoft - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant by using password hash synchronization.
You have a Microsoft 365 subscription.
All devices are hybrid Azure AD-joined.
Users report that they must enter their password manually when accessing Microsoft 365 applications.
You need to reduce the number of times the users are prompted for their password when they access Microsoft 365 and Azure services.
What should you do?

A In Azure AD, configure a Conditional Access policy for the Microsoft Office 365 applications.
B In the DNS zone of the AD DS domain, create an autodiscover record.
C From Azure AD Connect, enable single sign-on (SSO).
D From Azure AD Connect, configure pass-through authentication.

Question 4

You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have 50 Azure virtual machines that run Windows Server.
You need to ensure that any security exploits detected on the virtual machines are forwarded to Defender for Cloud.
Which extension should you enable on the virtual machines?

A Vulnerability assessment for machines
B Microsoft Dependency agent
C Log Analytics agent for Azure VMs
D Guest Configuration agent

Question 5

HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains the domains shown in the following table.

Question 6

You have 10 servers that run Windows Server in a workgroup.
You need to configure the servers to encrypt all the network traffic between the servers. The solution must be as secure as possible.
Which authentication method should you configure in a connection security rule?

A NTLMv2
B pre-shared key
C Kerberos V5
D computer certificate

Question 7

You have an Azure virtual machine named VM1 that runs Windows Server.
You need to encrypt the contents of the disks on VM1 by using Azure Disk Encryption.
What is a prerequisite for implementing Azure Disk Encryption?

A Customer Lockbox for Microsoft Azure
B an Azure key vault
C a BitLocker recovery key
D data-link layer encryption in Azure

Question 8

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains two servers named Server1 and Server2 that run Windows
Server.
You need to ensure that you can use the Computer Management console to manage Server2. The solution must use the principle of least privilege.
Which two Windows Defender Firewall with Advanced Security rules should you enable on Server2? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A the COM+ Network Access (DCOM-In) rule
B all the rules in the Remote Event Log Management group
C the Windows Management Instrumentation (WMI-In) rule
D the COM+ Remote Administration (DCOM-In) rule
E the Windows Management Instrumentation (DCOM-In) rule

Question 9

You have a server that runs Windows Server. The server is configured to encrypt all incoming traffic by using a connection security rule.
You need to ensure that Server1 can respond to the unencrypted tracert commands initiated from computers on the same network.
What should you do from Windows Defender Firewall with Advanced Security?

A From the IPsec Settings, configure IPsec defaults.
B Create a new custom outbound rule that allows ICMPv4 protocol connections for all profiles.
C Change the Firewall state of the Private profile to Off.
D From the IPsec Settings, configure IPsec exemptions.

Question 10

You have an Azure virtual machine named VM1.
You enable Microsoft Defender SmartScreen on VM1.
You need to ensure that the SmartScreen messages displayed to users are logged.
What should you do?

A From a command prompt, run WinRM quickconfig.
B From the local Group Policy, modify the Advanced Audit Policy Configuration settings.
C From Event Viewer, enable the Debug log.
D From the Windows Security app, configure the Virus & threat protection settings.

Question 11

HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that runs Windows Server.
You run Get-BitLockerVolume -MountPoint C,D | fl *, which generates the following output.

Question 12

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Tamper Protection
Does this meet the goal?

A Yes
B No

Question 13

HOTSPOT -
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the accounts shown in the following table.

Question 14

HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains servers that run Windows Server as shown in the following table.

Question 15

You have an Azure subscription that contains a user named User1 and the resources shown in the following table.

Question 16

HOTSPOT

You have a generation 1 Azure virtual machine named VM1 that runs Windows Server and is joined to an Active Directory domain.

You plan to enable BitLocker Drive Encryption (Bit-Locker) on volume C of VM1.

You need to ensure that the BitLocker recovery key for VM1 is stored in Active Directory.

Which two Group Policy settings should you configure first? To answer, select the settings in the answer area.

NOTE: Each correct selection is worth one point.

Question 17

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server.

You need to ensure that only specific applications can modify the data in protected folders on Server1.

Solution: From App & browser control, you configure Reputation-based protection.

Does this meet the goal?

A Yes
B No

Question 18

DRAG DROP

You have an Azure subscription that contains an Azure key vault named Vault1.

You plan to deploy a virtual machine named VM1 that will run Windows Server.

You need to enable encryption at host for VM1. The solution must use customer-managed keys.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Question 19

HOTSPOT

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server. All the servers are on the same network and have network connectivity.

On Server1, Windows Defender Firewall has a connection security rule that has the following settings:

• Rule Type: Server-to-server
• Endpoint 1: Any IP address
• Endpoint 2: Any IP address
• Requirements: Require authentication for inbound connections and request authentication for outbound connections
• Authentication Method: Computer (Kerberos V5)
• Profile: Domain, Private, Public
• Name: Rule1

Server2 has no connection security rules.

On Server3, Windows Defender Firewall has a connection security rule that has the following settings:

• Rule Type: Server-to-server
• Endpoint 1: Any IP address
• Endpoint 2: Any IP address
• Requirements: Request authentication for inbound and outbound connections
• Authentication Method: Computer (Kerberos V5)
• Profile: Domain, Private, Public
• Name: Rule1

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Question 20

Your network contains an Active Directory Domain Services (AD DS) forest. The forest functional level is Windows Server 2012 R2. The forest contains the domains shown in the following table.

Question 21

You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains the resources shown in the following table.

Question 22

HOTSPOT

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains an organizational unit (OU) named OU1. OU1 contains servers that run sensitive workloads.

You plan to add connection security rules that meet the following requirements:

• The servers in OU1 must only accept connections from domain-joined
• The servers in OU1 must only be able to communicate with domain-joined

You create a Group Policy Object (GPO) named GPO1 and link GPO1 to contoso.com.

You need to configure a connection security rule in GPO1 by using Windows Defender Firewall with Advanced Security.

How should you configure the rule? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 23

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From App & browser control, you configure the Exploit protection settings.
Does this meet the goal?

A Yes
B No

Question 24

DRAG DROP

You have a Windows Server 2022 failover cluster named Cluster that contains the Cluster Shared Volumes (CSV) shown in the following table.

All the nodes in Cluster1 have BitLocker Drive Encryption (BitLocker) installed.

You need to use PowerShell to enable BitLocker on Volume1.

In which order should you run the commands? To answer, drag the appropriate commands to the correct order. You may need to drag the split bar between panes or scroll to view content.

Question 25

You have an on-premises server named Server1 that runs Windows Server 2022 Standard.

You have an Azure subscription that contains the virtual machines shown in the following table.

Page 1 of 7 • Questions 1-25 of 168

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Controlled folder access.
Does this meet the goal?

A Yes
B No

You have a Microsoft Sentinel deployment and 100 Azure Arc-enabled on-premises servers. All the Azure Arc-enabled resources are in the same resource group.
You need to onboard the servers to Microsoft Sentinel. The solution must minimize administrative effort.
What should you use to onboard the servers to Microsoft Sentinel?

A Azure Automation
B Azure Policy
C Azure virtual machine extensions
D Microsoft Defender for Cloud

You are implementing Microsoft Defender for Identity sensors.
You need to install the sensors on the minimum number of domain controllers. The solution must ensure that Defender for Identity will detect all the security risks in both the domains.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

You need to ensure that volume D will be unlocked automatically when Server1 restarts.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

The domain is configured to store BitLocker recovery keys in Active Directory.
Admin1 and Admin2 perform the following configurations:

Admin1 turns on BitLocker Drive Encryption (BitLocker) for volume C on Server1.
Admin1 moves Server1 to OU1.
Admin2 turns on BitLocker for removable volume E on Server2.
Admin2 moves removable volume E from Server2 to Server1 and unlocks the volume.
On which Active Directory object can you view each BitLocker recovery key? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Server1 has the connection security rules shown in the following table.

Server2 has the connection security rules shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

User1 has a computer named Computer1 that runs Windows 11. User1 works from home and establishes a Point-to-Site (P2S) connection to GW1 to access AppSvr1.

You deploy the resources shown in the following table.

User1 cannot access AppSvr2.

You need to ensure that User1 can access AppSvr2.

What should you do?

A On Computer1, download and reinstall the VPN client.
B Create a route table and associate the table with GatewaySubnet on VNet1.
C On Computer1, modify the Windows Defender Firewall settings.
D Add a service endpoint to VNet2.

You create a user named Admin1.

You need to ensure that Admin1 can add a new domain controller that runs Windows Server 2022 to the east.contoso.com domain. The solution must follow the principle of least privilege.

To which groups should you add Admin1?

A EAST\Domain Admins only
B CONTOSO\Enterprise Admins only
C CONTOSO\Schema Admins and EAST\Domain Admins
D CONTOSO\Enterprise Admins and CONTOSO\Schema Admins

Sub1 has Microsoft Defender for Servers enabled. You are assigned the Contributor role for Sub1.

You need to implement just-in-time (JIT) VM access for VM1.

What should you do first?

A Create a network security group (NSG).
B Enable enhanced security in Microsoft Defender for Cloud.
C Request the Owner role for Sub1.
D Create an application security group.

NOTE: Each correct selection is worth one point.

The subscription contains a Microsoft Sentinel instance named Sentinel1 in the Central US Azure region.

You need to implement the Windows Firewall connector.

Which servers can send Windows Firewall logs to Sentinel1?

A VM1 only
B VM2 only
C VM1 and Server1 only
D VM1, VM2, and VM3 only
E VM1, VM2, and Server1 only
F VM1, VM2, VM3, and Server1

AZ-801Preview

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

HOTSPOT

Question 17

Question 18

DRAG DROP

Question 19

HOTSPOT

Question 20

Question 21

Question 22

HOTSPOT

Question 23

Question 24

DRAG DROP

Question 25