Explanation
You need to configure the Network Security Group that is associated with subnet0.
* In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET1. Alternatively, browse to Virtual Networks in the left navigation pane.
* In the properties of VNET1, click on Subnets. This will display the subnets in VNET1 and the Network Security Group associated to each subnet. Note the name of the Network Security Group associated to Subnet0.
* Type Network Security Groups into the search box and select the Network Security Group associated with Subnet0.
* In the properties of the Network Security Group, click on Inbound Security Rules.
* Click the Add button to add a new rule.
* In the Source field, select Service Tag.
* In the Source Service Tag
* Leave the Source port ranges field as the default values (* and All).
* In the Destination port ranges
* Change the Protocol to TCP.
* Leave the Action option as
* Change the Priority to 100.
* Change the Name from the default to something more descriptive such as Allow_TCP_7777_from_Internet.
* Click the Add button to save the new rule.

Explanation

Box 1: Yes
User1 is member of Group1. Sign in from unfamiliar location is risk level Medium.
Box 2: Yes
User2 is member of Group1. Sign in from anonymous IP address is risk level Medium.
Box 3: No
Sign-ins from IP addresses with suspicious activity is low.
Note:

Azure AD Identity protection can detect six types of suspicious sign-in activities:
Users with leaked credentials
Sign-ins from anonymous IP addresses
Impossible travel to atypical locations
Sign-ins from infected devices
Sign-ins from IP addresses with suspicious activity
Sign-ins from unfamiliar locations
These six types of events are categorized in to 3 levels of risks - High, Medium & Low:
References:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-self-service-access

Explanation
Step 1: Register the Application
1. Sign in to your Azure Account through the Azure portal.
2. Select Azure Active Directory.
3. Select App registrations.
4. Select New registration.
5. Name the application App11641655. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application you want to create. Enter the URI:
https://app.contoso.com , where the access token is sent to.

6. Click Register
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

You need to allow access to Azure services and configure a virtual network rule for the SQL Server.
In the Azure portal, type SQL Server in the search box, select SQL Server from the search results then select the server named web11597200. Alternatively, browse to SQL Server in the left navigation pane.
In the properties of the SQL Server, click Firewalls and virtual networks.
In the Virtual networks section, click on Add existing. This will open the Create/Update virtual network rule window.
Give the rule a name such as Allow_VNET01-Subnet0 (it doesn't matter what name you enter for the exam).
In the Virtual network box, select VNET01.
In the Subnet name box, select Subnet0.
Click the OK button to save the rule.
Back in the Firewall / Virtual Networks window, set the Allow access to Azure services option to On.