Sample questions
AZ-104 practice questions
A storage automation service principal must upload, read, and delete blob data in one container by using Microsoft Entra authentication. It must not manage storage account settings, keys, or other containers. Which approach is best?
- A
Assign Storage Account Contributor at the resource group scope.
Why wrong: This grants management-plane control over the storage account and is much broader than needed.
- B
Create a custom role with blob dataActions only and assign it at the container scope.
This allows data access while avoiding storage account management permissions and limiting scope.
- C
Assign Reader and give the service principal a storage account access key.
Why wrong: This introduces stored credentials and does not follow the Entra-based least-privilege requirement.
- D
Assign Contributor at the subscription scope and restrict access with naming conventions.
Why wrong: Naming conventions do not enforce security, and subscription scope is unnecessarily broad.
A subnet contains several application servers. You need to allow inbound TCP 3389 only from a management subnet named Subnet-Mgmt and deny RDP from all other sources. What should you do?
- A
Create an NSG rule allowing TCP 3389 from the Subnet-Mgmt address range and rely on the default deny afterward.
This is the correct way to permit RDP from a specific source while denying other sources.
- B
Create a route table that sends RDP traffic to the management subnet.
Why wrong: Route tables do not implement port-based access control.
- C
Deploy a private endpoint for each application server.
Why wrong: Private endpoints are for Azure PaaS services, not exposing VM RDP selectively.
- D
Enable service endpoints on the application subnet.
Why wrong: Service endpoints are unrelated to RDP access control.
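The rule from option A evaluated the way an NSG evaluates it (lowest priority number first, Azure's default rules last), as an added example that is not part of the question set; the address ranges are constructed. It also shows the caveat a practitioner should know: the default AllowVnetInBound rule precedes DenyAllInBound, so an explicit deny for 3389 is needed to block RDP from other subnets in the same VNet.

```python
"""Evaluate an Azure NSG inbound rule set the way the platform does.

Added example; not part of the question set. Rules are matched by
ascending priority number and the first match wins; Azure's default
rules always sit at priorities 65000-65500 and cannot be removed.
"""
import ipaddress

# Constructed addressing (assumption): one VNet, a management subnet and an app subnet.
VNET = ipaddress.ip_network("10.0.0.0/16")
SUBNET_MGMT = ipaddress.ip_network("10.0.1.0/24")   # Subnet-Mgmt from the question
SUBNET_APP = ipaddress.ip_network("10.0.2.0/24")    # another subnet in the same VNet

# Azure's default inbound rules, present in every NSG.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "source": "VirtualNetwork", "port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "source": "AzureLoadBalancer", "port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "source": "*", "port": "*"},
]

def source_matches(rule_source, src_ip):
    """Match a source prefix or one of the two service tags the default rules use."""
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        # Simplified: the real tag also covers peered VNets and on-premises
        # prefixes learned through a gateway, which makes it even broader.
        return src_ip in VNET
    if rule_source == "AzureLoadBalancer":
        return src_ip == ipaddress.ip_address("168.63.129.16")
    return src_ip in ipaddress.ip_network(rule_source)

def port_matches(rule_port, dst_port):
    return rule_port == "*" or int(rule_port) == dst_port

def evaluate(custom_rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) from the first rule that matches the flow."""
    rules = sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"])
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.get("protocol", "*") not in ("*", protocol):
            continue
        if source_matches(rule["source"], src) and port_matches(rule["port"], dst_port):
            return rule["access"], rule["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

# Option A: allow TCP 3389 only from Subnet-Mgmt.
ALLOW_RDP_FROM_MGMT = {"name": "Allow-RDP-From-Mgmt", "priority": 100, "access": "Allow",
                       "protocol": "Tcp", "source": str(SUBNET_MGMT), "port": "3389"}
# Caveat: AllowVnetInBound (65000) is evaluated before DenyAllInBound (65500), so
# RDP from any other subnet in the VNet is still allowed unless an explicit deny
# with a priority between the allow rule and 65000 is added.
DENY_RDP_OTHERS = {"name": "Deny-RDP-Others", "priority": 200, "access": "Deny",
                   "protocol": "Tcp", "source": "*", "port": "3389"}

def rdp_exposure(custom_rules):
    """Who can reach TCP 3389? Constructed sample sources -> Allow/Deny."""
    samples = {"mgmt": str(SUBNET_MGMT[10]), "same_vnet": str(SUBNET_APP[20]),
               "internet": "203.0.113.5"}
    return {name: evaluate(custom_rules, ip, 3389)[0] for name, ip in samples.items()}

if __name__ == "__main__":
    print("allow rule only      :", rdp_exposure([ALLOW_RDP_FROM_MGMT]))
    print("allow + explicit deny:", rdp_exposure([ALLOW_RDP_FROM_MGMT, DENY_RDP_OTHERS]))
```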
A subscription admin wants to investigate who changed a resource and also review the platform-generated events for that subscription. Which two types of logs can be sent to Log Analytics and queried later? Select two.
- A
Activity log entries
Activity logs record subscription-level events such as create, update, and delete operations.
- B
Resource diagnostic logs
Diagnostic logs capture service-specific events and can be sent to a workspace.
- C
Azure Backup vault names
Why wrong: Vault names are configuration details, not a log type that can be queried.
- D
Virtual network address spaces
Why wrong: Address spaces describe networking, but they are not log records for analysis.
- E
Managed disk size settings
Why wrong: Disk size is a resource property, not a log stream for Log Analytics.
Based on the exhibit, which Azure feature should the administrator use to track this kind of platform-wide service issue?
Exhibit
Azure portal > Service Health
Incident: Azure Virtual Machines
Region: East US
Status: Active incident
Impact: Some customers may experience failed VM start operations
Recommended action: Monitor the incident for updates and mitigation status.
- A
Service Health, because it reports Azure platform incidents that affect customers in a region.
Service Health is the right source for official Azure platform incidents and advisories. It tells administrators when a Microsoft-managed service is having a regional or global issue that may affect their resources.
- B
Resource Health, because it shows whether a specific virtual machine is healthy or unavailable.
Why wrong: Resource Health is focused on the status of an individual resource. It is useful for one VM, but not for tracking a broader regional Azure service incident.
- C
Activity Log, because it lists every administrative action taken in the subscription.
Why wrong: Activity Log records control-plane events such as create, update, and delete operations. It does not provide official incident status for Azure platform outages.
- D
Azure Advisor, because it gives recommendations to improve the virtual machine configuration.
Why wrong: Azure Advisor provides optimization recommendations and best practices. It does not monitor live Microsoft service incidents or outage notifications.
An administrator wants a script running on an Azure VM to create a resource in Azure without storing any passwords or client secrets on the VM. What should the administrator configure first?
- A
A shared local account on the VM
Why wrong: A local account helps with operating system access, but it does not securely authenticate to Azure APIs.
- B
A system-assigned managed identity on the VM
A managed identity lets the VM authenticate to Azure directly, so the script can use Azure CLI or PowerShell without secrets.
- C
An Azure Policy exemption
Why wrong: Policy exemptions affect governance rules, not authentication for scripts or Azure resource creation.
- D
A public IP address on the VM
Why wrong: A public IP affects network reachability, but it does not replace Azure authentication credentials.
A PowerShell script runs on an Azure VM every night and uses Azure CLI commands to create tags and VM resources in another subscription. The script cannot store a password or client secret. What should it use to authenticate to Azure?
- A
az login with a username and password.
Why wrong: Using a username and password requires credential storage and is not appropriate for secretless automation.
- B
az login --identity.
The Azure CLI can sign in with the VM's managed identity by using az login --identity. That allows the script to authenticate without storing a password or client secret. After sign-in, the identity can be granted access to the target subscription or resource group, which makes the solution both secure and automation-friendly for nightly jobs.
- C
Connect-AzAccount with device code authentication.
Why wrong: Device code authentication is interactive and not suitable for unattended nightly automation on a VM.
- D
An app registration secret stored in a PowerShell variable.
Why wrong: A secret in a variable is still a secret on the machine and violates the stated security requirement.
A storage account becomes unavailable because Azure has a regional platform issue. The operations team wants a notification whenever Azure marks the resource or region unhealthy, and they want to avoid continuous log ingestion just to detect the outage. What should they configure?
- A
A metric alert on storage capacity with an action group.
Why wrong: Capacity metrics do not indicate platform outage conditions or regional service health events.
- B
A log alert on storage diagnostic logs that watches for 503 responses.
Why wrong: This depends on continuous log collection and may miss the platform-level health signal the team wants.
- C
A Service Health alert based on the Activity log, scoped appropriately.
Service Health alerts are the right choice when you need to know about Azure platform incidents, regional issues, or service degradations that affect a resource or region. They are generated from the Activity log and do not require you to ingest operational logs continuously just to detect an outage. This makes them both efficient and appropriate for platform availability monitoring.
- D
An Azure Policy assignment that audits the storage account state.
Why wrong: Policy can report compliance, but it does not notify operators about live availability incidents.
A support engineer must start and restart one specific virtual machine from the Azure portal, but must not be able to delete the VM, change networking, or grant access to others. Which two actions should be included in a custom role? Select two.
- A
Microsoft.Compute/virtualMachines/start/action grants the ability to start the VM without broader management permissions.
This action is the precise permission needed to power on a virtual machine. It is narrower than Contributor and does not expose unrelated capabilities such as deleting the VM or changing attached resources. Using this action supports least privilege for operational support tasks.
- B
Microsoft.Compute/virtualMachines/restart/action permits a controlled restart operation on the target VM.
This action authorizes the restart operation specifically, which is separate from generic write or delete permissions. It allows the support engineer to perform the required maintenance task while keeping the role tightly scoped and avoiding access to networking or access-control operations.
- C
Microsoft.Compute/virtualMachines/delete gives the ability to remove the VM from the subscription.
Why wrong: Delete is far too permissive for a support-only role. It would allow destruction of the virtual machine, which is explicitly not required and would create unnecessary risk. This option is the opposite of least privilege for routine operations.
- D
Microsoft.Network/networkInterfaces/write is needed because a VM start or restart always requires NIC modification rights.
Why wrong: Starting or restarting a VM does not require permission to change the network interface. Granting NIC write access would broaden the role into network administration, which the requirement explicitly excludes. That would be excessive and unrelated to the task.
- E
Microsoft.Authorization/roleAssignments/write would let the engineer grant access to other users and manage permissions.
Why wrong: Role assignment write permissions are administrative access-control rights, not VM operations. Including them would let the engineer modify authorization for many resources, which is not needed and would violate the requirement to avoid granting access-management capabilities.
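The two custom roles this page describes (blob dataActions at container scope in the first question, start/restart on one VM here) written out in the JSON shape Azure accepts, with a small least-privilege review check, as an added example that is not part of the question set and not an Azure tool. Subscription id, resource group, storage account, container and VM names are constructed placeholders.

```python
"""Review Azure custom role definitions for least privilege.

Added example; not part of the question set and not an Azure tool. The
dictionaries use the JSON shape that `az role definition create
--role-definition <file>` accepts. Subscription id, resource group,
storage account, container and VM names are constructed placeholders.
"""
import fnmatch

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription

# Scenario 1: a service principal that uploads, reads and deletes blobs in one container.
BLOB_DATA_ROLE = {
    "Name": "Blob Data Automation (one container)",
    "IsCustom": True,
    "Description": "Read, upload and delete blobs; no management-plane rights",
    "Actions": [],
    "NotActions": [],
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
    ],
    "NotDataActions": [],
    "AssignableScopes": [SUB + "/resourceGroups/rg-storage/providers/Microsoft.Storage"
                         "/storageAccounts/stauto01/blobServices/default/containers/uploads"],
}
BLOB_REQUIRED = ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"]

# Scenario 2: a support engineer who may start and restart one VM and nothing more.
VM_START_RESTART_ROLE = {
    "Name": "VM Start/Restart Operator",
    "IsCustom": True,
    "Description": "Start or restart a VM; no delete, network or access-management rights",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [SUB + "/resourceGroups/rg-apps/providers/Microsoft.Compute"
                         "/virtualMachines/vm-app01"],
}
VM_REQUIRED = list(VM_START_RESTART_ROLE["Actions"])

# Permissions that never belong in a narrowly scoped operational role.
FORBIDDEN = [
    "Microsoft.Authorization/*",                          # granting access to others
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Network/*",                                # networking changes
    "Microsoft.Storage/storageAccounts/listKeys/action",  # account keys
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/delete",
]

# Segment count of an ARM scope: subscription = 2, resource group = 4,
# a VM = 8, a blob container = 12. Larger means narrower.
def scope_depth(scope):
    return len([s for s in scope.split("/") if s])

def review_role(role, required_patterns, min_scope_depth):
    """Return findings (empty list = pass) for a role definition."""
    findings = []
    for perm in role.get("Actions", []) + role.get("DataActions", []):
        # Any wildcard grants more than the scenario asks for; so does anything forbidden.
        if "*" in perm or any(fnmatch.fnmatchcase(perm, f) for f in FORBIDDEN):
            findings.append(f"forbidden permission: {perm}")
        elif not any(fnmatch.fnmatchcase(perm, r) for r in required_patterns):
            findings.append(f"not required by the scenario: {perm}")
    for scope in role.get("AssignableScopes", []):
        if scope_depth(scope) < min_scope_depth:
            findings.append(f"assignable scope broader than required: {scope}")
    return findings

# Trap-style role: Storage Account Contributor-like wildcard at resource-group scope.
TOO_BROAD_ROLE = dict(BLOB_DATA_ROLE, Actions=["Microsoft.Storage/storageAccounts/*"],
                      DataActions=[], AssignableScopes=[SUB + "/resourceGroups/rg-storage"])

if __name__ == "__main__":
    for role, req, depth in [(BLOB_DATA_ROLE, BLOB_REQUIRED, 12),
                             (VM_START_RESTART_ROLE, VM_REQUIRED, 8),
                             (TOO_BROAD_ROLE, BLOB_REQUIRED, 12)]:
        print(role["Name"], "->", review_role(role, req, depth) or "OK")
```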
A storage account must stay online for applications, but administrators have a temporary freeze on configuration changes. Users can still view the account, but attempts to change the access tier, create a container, or update networking all fail. What most likely caused the behavior?
- A
A CanNotDelete lock was applied to the storage account.
Why wrong: CanNotDelete blocks deletion only and would not stop normal write operations such as changing settings.
- B
A ReadOnly lock was applied to the storage account.
ReadOnly is the correct explanation because it blocks write operations on the locked scope. That includes changing account settings, creating child resources such as containers, and modifying networking configuration. Read-only access still allows users to view the resource, which matches the symptom described in the scenario. This lock is useful when all configuration changes must be paused.
- C
An Azure Policy audit assignment was applied to the storage account.
Why wrong: Audit policies report compliance but do not block configuration changes or create this type of failure symptom.
- D
The account was moved to a different subscription.
Why wrong: A subscription move would not specifically produce the described write failures while still allowing read access.
You create a private endpoint for an Azure Storage account. Virtual machines in VNet-Prod must resolve the storage account name to the private IP address of that endpoint. Which Azure feature should you configure?
- A
A private DNS zone linked to VNet-Prod
A private DNS zone provides the required name resolution for the private endpoint.
- B
A user-defined route
Why wrong: A route affects packet forwarding, not DNS resolution.
- C
An Azure Firewall policy
Why wrong: Firewall policy governs filtering and does not provide service name mapping.
- D
A Recovery Services vault
Why wrong: A Recovery Services vault is unrelated to private endpoint DNS resolution.
A support engineer must start, stop, and restart only one virtual machine named vm-app01. The engineer should not gain permissions on any other virtual machine in the subscription. What is the best scope for the role assignment?
- A
The entire subscription that contains vm-app01.
Why wrong: That scope would grant access to every resource in the subscription, which is broader than required.
- B
The resource group that contains vm-app01.
Why wrong: This would allow management of every VM in the resource group, not just one machine.
- C
The vm-app01 virtual machine resource itself.
This is the narrowest scope that grants access only to the targeted VM.
- D
The management group that contains the subscription.
Why wrong: This is the broadest option and would affect many subscriptions and resources.
A team deploys a Linux VM that must read secrets from Azure Key Vault without storing any usernames, passwords, or client secrets on the VM. What should the administrator enable on the VM?
- A
A system-assigned managed identity
A system-assigned managed identity gives the VM an Azure-managed identity that can authenticate to Azure services without embedded credentials. It is tied to the VM’s lifecycle, so there is no secret to rotate or store on the operating system. This is the simplest secure choice when one VM needs to access Key Vault and the identity should exist only while the VM exists.
- B
A storage account access key
Why wrong: A storage account key is unrelated to Key Vault authentication and would require storing a long-lived secret on the VM. It does not solve the requirement to avoid usernames, passwords, or client secrets. It is also broader than necessary and weakens security because the key can be reused outside the VM if exposed.
- C
A service endpoint on the VM subnet
Why wrong: A service endpoint affects network routing and service access control, not identity authentication. It can help a VM reach certain Azure services securely over the Azure backbone, but it does not provide the VM with a credential-free identity. Key Vault access still needs an authentication method such as managed identity.
- D
A user account in Entra ID with a stored password
Why wrong: A user account with a password still requires the VM or application to store a credential, which violates the requirement. It also creates extra operational work for password management and rotation. Managed identities are the Azure-native way to eliminate this problem for a single VM.
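What a system-assigned managed identity gives the VM under the hood, for both the earlier `az login --identity` nightly-job question and the Key Vault question above, as an added example that is not part of the question set and not Azure SDK code. The IMDS endpoint, header and response fields are Azure's documented ones; the sample response body, vault name and secret name are constructed.

```python
"""Fetch an Entra token for a VM's system-assigned managed identity via IMDS.

Added example; not part of the question set and not Azure SDK code. This
is what `az login --identity` and the SDKs do under the hood: an HTTP GET
to the instance metadata service, reachable only from inside the VM, so
no password or client secret is stored anywhere. Endpoint, header and
response fields are Azure's documented ones; the sample response body,
vault name and secret name are constructed.
"""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# Token audiences: ARM for management operations (tags, VMs), which is what
# az login --identity requests; Key Vault for reading secrets.
ARM_RESOURCE = "https://management.azure.com/"
KEY_VAULT_RESOURCE = "https://vault.azure.net"

def build_token_request(resource, client_id=None):
    """Return (url, headers). client_id is only needed for a user-assigned identity."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS requires this header and rejects requests carrying X-Forwarded-For,
    # so proxied or forwarded requests from outside the VM cannot obtain a token.
    return url, {"Metadata": "true"}

def parse_token_response(body, now=None):
    """Validate the IMDS JSON body and return the token with its remaining lifetime."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    remaining = int(data["expires_on"]) - int(time.time() if now is None else now)
    if remaining <= 0:
        raise ValueError("token already expired")
    return {"access_token": data["access_token"], "resource": data.get("resource"),
            "seconds_remaining": remaining}

def get_managed_identity_token(resource, timeout=5):
    """Only works on an Azure VM with a managed identity; off-VM the endpoint is unreachable."""
    url, headers = build_token_request(resource)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())

def build_key_vault_secret_request(vault_name, secret_name, access_token):
    """The data-plane call the VM makes once it holds a Key Vault token."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.4"
    return url, {"Authorization": f"Bearer {access_token}"}

# Constructed response in the shape IMDS returns; the token value is a placeholder.
SAMPLE_IMDS_BODY = json.dumps({
    "access_token": "PLACEHOLDER.TOKEN.VALUE",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "expires_in": "3599",
    "expires_on": "1700003599",
    "resource": KEY_VAULT_RESOURCE,
    "token_type": "Bearer",
})

if __name__ == "__main__":
    # Any process on the VM can call IMDS, so the identity's role assignments define
    # the blast radius: grant it only the scope the job actually needs.
    token = get_managed_identity_token(KEY_VAULT_RESOURCE)
    url, headers = build_key_vault_secret_request("kv-example", "db-password",
                                                  token["access_token"])
    print("would call", url, "with headers", list(headers))
```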
A team has Windows VMs in a subnet that need to access an Azure Storage account. The storage account should remain reachable through its public endpoint, but only traffic from that one subnet should be allowed. Which configuration best meets the requirement?
- A
Create a private endpoint and disable public network access on the storage account.
Why wrong: This changes the access model to private IP access instead of keeping the public endpoint available.
- B
Enable a service endpoint on the subnet and add a virtual network rule for that subnet on the storage account firewall.
A service endpoint lets resources in the subnet access the storage account through the service's public endpoint while presenting the subnet's Azure identity to the firewall. By adding a virtual network rule for that subnet, the storage account allows traffic from that subnet and blocks traffic from others. This satisfies the requirement to keep the public endpoint and restrict access to a single subnet.
- C
Place the subnet behind a NAT gateway and use a shared public IP.
Why wrong: A NAT gateway controls outbound internet translation, not authorization to a storage account.
- D
Add a VPN gateway and route storage traffic through the branch office.
Why wrong: A VPN gateway is for hybrid connectivity and does not by itself restrict storage access to one subnet.
A team needs one Azure Files share that can be mounted by both Windows and Linux VMs. The VMs are joined to the same on-premises Active Directory Domain Services domain, and the security team forbids storage account keys. The team also wants to manage access with existing AD group memberships. What should the administrator configure?
- A
Use Azure Files over SMB and enable AD DS authentication
Azure Files over SMB supports both Windows and Linux clients, and AD DS authentication lets the team use existing domain identities and groups instead of storage keys. This keeps permissions centralized and avoids embedding secrets in scripts or mount commands. It is the most appropriate choice when both operating systems must share the same file data and access control should come from the established directory service.
- B
Use a blob container and mount it through the Blob API
Why wrong: Blob containers are object storage, not shared file systems, and they do not provide the same SMB file-share experience.
- C
Use anonymous access on an Azure File share
Why wrong: Anonymous access is not appropriate for a secured enterprise file share and would not satisfy the access control requirement.
- D
Use a premium NFS file share with a shared access signature
Why wrong: NFS does not provide the same Windows-and-AD-DS file-sharing model, and a SAS is a secret-based access mechanism that violates the key restriction.
A subscription already grants Contributor to an application team. The organization wants to prevent deployments in unsupported Azure regions and ensure every new resource has an Environment tag. Which two controls should be implemented with Azure Policy rather than RBAC? Select two.
- A
Assign an allowed-locations policy at the management group or subscription scope.
Location is a resource property that policy can evaluate and deny, while RBAC cannot inspect deployment metadata like region.
- B
Create a custom RBAC role that blocks resources deployed outside approved regions.
Why wrong: RBAC authorizes actions, but it cannot conditionally deny based on a resource property such as region.
- C
Assign a policy that enforces the Environment tag on new resources.
Tag enforcement is a classic Azure Policy use case, especially with deny, append, or modify effects.
- D
Add a CanNotDelete lock to every resource group.
Why wrong: Locks prevent deletion or writes, but they do not validate required tags or allowed locations.
- E
Grant User Access Administrator to the deployment team.
Why wrong: This only changes authorization capabilities and does not enforce deployment compliance rules.
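The two policy controls from options A and C evaluated against sample deployments, as an added example that is not part of the question set and not Azure's policy engine. It implements only the small part of the policy rule language these rules use, with parameters inlined; the resources are constructed.

```python
"""Evaluate Azure Policy rules against sample resources.

Added example; not part of the question set and not Azure's engine. It
implements only the rule-language subset these two policies use
(field, in, notIn, notEquals, exists, not, allOf) to show what policy can
inspect and RBAC cannot: resource properties such as location and tags.
Parameters are inlined and the resources are constructed.
"""

# Same shape as the built-in "Allowed locations" rule, with the allowed list inlined
# and the usual exemption for resources whose location is "global".
ALLOWED_LOCATIONS = {
    "name": "Allowed locations",
    "rule": {
        "if": {"allOf": [
            {"field": "location", "notIn": ["westeurope", "northeurope"]},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},
    },
}

# Same shape as the built-in "Require a tag on resources" rule with the tag name inlined.
REQUIRE_ENVIRONMENT_TAG = {
    "name": "Require Environment tag",
    "rule": {
        "if": {"field": "tags['Environment']", "exists": "false"},
        "then": {"effect": "deny"},
    },
}

def _norm(value):
    """Policy string comparisons are case-insensitive."""
    return value.lower() if isinstance(value, str) else value

def get_field(resource, field):
    """Resolve 'location', 'type' or tags['Name']; tag names compare case-insensitively."""
    if field.startswith("tags['") and field.endswith("']"):
        wanted = field[len("tags['"):-len("']")].lower()
        tags = {k.lower(): v for k, v in resource.get("tags", {}).items()}
        return tags.get(wanted)
    return resource.get(field)

def evaluate_condition(cond, resource):
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    value = _norm(get_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate_deployment(resource, policies):
    """Names of policies whose 'if' matches, i.e. whose deny effect would apply."""
    return [p["name"] for p in policies if evaluate_condition(p["rule"]["if"], resource)]

POLICIES = [ALLOWED_LOCATIONS, REQUIRE_ENVIRONMENT_TAG]

# Constructed deployments; a Contributor is authorised to create every one of them,
# which is exactly why the region and tag checks have to live in policy, not RBAC.
COMPLIANT = {"type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
             "tags": {"Environment": "prod"}}
WRONG_REGION = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus",
                "tags": {"Environment": "dev"}}
MISSING_TAG = {"type": "Microsoft.Network/virtualNetworks", "location": "northeurope",
               "tags": {"Owner": "app-team"}}
GLOBAL_NO_TAG = {"type": "Microsoft.Network/trafficManagerProfiles", "location": "global"}

if __name__ == "__main__":
    for name, res in [("compliant", COMPLIANT), ("wrong region", WRONG_REGION),
                      ("missing tag", MISSING_TAG), ("global, no tag", GLOBAL_NO_TAG)]:
        print(f"{name:15} -> denied by: {evaluate_deployment(res, POLICIES) or 'nothing'}")
```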
A switch administrator wants log entries from multiple devices to be collected on one central server for later review. Which service should be configured?
- A
DNS
Why wrong: DNS resolves names, not log messages.
- B
NTP
Why wrong: NTP synchronizes time.
- C
Syslog
Syslog centralizes device logging.
- D
SNMP trap suppression
Why wrong: That is not a general log collection service.
A hub VNet already has a VPN gateway connected to on-premises. A new spoke VNet must reach on-premises through the hub gateway and should not deploy its own gateway. What configuration should be enabled on the peering?
- A
Enable gateway transit on the hub peering and Use remote gateways on the spoke peering.
This is the correct hub-and-spoke configuration when only the hub should own the VPN gateway. Gateway transit allows the hub to share its gateway with peered VNets, and the spoke must be configured to use the remote gateway. Together, these settings let the spoke route on-premises traffic through the hub gateway without deploying another gateway or duplicating connectivity infrastructure.
- B
Create a service endpoint from the spoke to the hub.
Why wrong: Service endpoints are for PaaS service access, not for routing traffic through a VPN gateway in another VNet.
- C
Add a default route to Internet in the spoke subnet.
Why wrong: Sending traffic to Internet would bypass on-premises connectivity instead of forwarding it to the hub gateway.
- D
Enable accelerated networking on the spoke subnet.
Why wrong: Accelerated networking improves VM NIC performance, but it does not configure shared gateway routing across peered VNets.
An administrator is deploying a site-to-site VPN gateway in the Azure portal. The deployment fails validation because the gateway does not have a public-facing address to terminate the tunnel. What must be created and associated with the VPN gateway?
- A
A load balancer frontend IP configuration in front of the gateway subnet.
Why wrong: A load balancer is not used to terminate Azure VPN gateway tunnels and does not satisfy the gateway public address requirement.
- B
A public IP address resource associated with the VPN gateway.
Azure VPN gateways require a public IP address resource so the on-premises VPN device can establish the tunnel to a known public endpoint. The gateway is deployed in GatewaySubnet, and the public IP is attached as part of the gateway configuration. Without that resource, the VPN gateway cannot be created successfully.
- C
A NAT gateway attached to GatewaySubnet.
Why wrong: A NAT gateway is for outbound internet translation from subnets, not for creating a VPN tunnel endpoint.
- D
A private endpoint for the virtual network gateway resource.
Why wrong: Private endpoints do not apply to VPN gateways and cannot replace the public endpoint required for S2S connectivity.
A team has an approved Windows VM that already includes their application, patches, and monitoring agent. They want future VMs to start with the same configuration. What should they use?
- A
A managed image created from the approved VM
A managed image captures the configured operating system and installed software so you can deploy new VMs with the same baseline. This is the simplest way to standardize a known-good VM configuration for repeated use. It fits the requirement because the team wants future VMs to start from the same approved setup, not rebuild the software manually each time. It is an operationally common choice for consistent VM deployment.
- B
An availability set
Why wrong: An availability set improves resilience, but it does not capture software, settings, or installed agents.
- C
A snapshot of the OS disk
Why wrong: A snapshot is a point-in-time copy of a disk, but it is not the standard choice for reusable VM templating.
- D
A larger virtual machine size
Why wrong: A larger size increases CPU and memory, but it does not preserve application configuration or installed software.
A team in RG-Apps must be able to start, stop, and deallocate virtual machines and read their properties. Built-in roles available to the team are broader than necessary. What should the administrator do?
- A
Assign Virtual Machine Contributor at the subscription scope.
Why wrong: This would grant VM management rights across the entire subscription, which is broader than the requirement.
- B
Create a custom role with only the required VM actions and assign it at RG-Apps scope.
Correct: A custom role can include only the required actions, such as VM start, deallocate, and read, without granting unnecessary permissions. Assigning the role at RG-Apps scope keeps the permissions limited to the target resource group and is the cleanest least-privilege design.
- C
Assign Reader and Virtual Machine Contributor together at the resource group scope.
Why wrong: Combining built-in roles still grants more permissions than needed and does not reduce the VM management surface area.
- D
Assign Owner at the resource group scope to avoid troubleshooting access issues.
Why wrong: Owner grants full control, including permission management and deletion, which is far more access than the team needs.
A team moved blob data to the Archive tier to minimize cost. They now need to restore a few files for an audit. Which two statements are true about accessing archived blobs? Select two.
- A
Archived blobs can be read immediately through normal blob reads.
Why wrong: Archive data is offline, so a standard read fails until the blob is rehydrated.
- B
Rehydration is required before the blob can be read or copied.
Correct: Archive blobs must be rehydrated before they become readable or available for copy operations.
- C
Rehydration can target the Hot or Cool access tier.
Correct: You can rehydrate archived data into either Hot or Cool, depending on retrieval needs.
- D
Archive tier provides the fastest retrieval time.
Why wrong: Archive has the slowest retrieval behavior because data must first be restored online.
- E
Changing a blob from Archive to Hot completes instantly and synchronously.
Why wrong: Archive rehydration takes time and is not an instantaneous synchronous tier change.
Your organization wants all subscriptions under the Corp-MG management group to inherit a policy that blocks deployment of resource types not on an approved list. Which Azure feature should you use?
- A
Azure Policy assigned at the management group scope
Correct: Management group policy assignments are inherited by child subscriptions and can restrict the allowed resource types.
- B
A custom RBAC role assigned at the tenant root
Why wrong: RBAC governs permissions, not which resource types are allowed.
- C
A ReadOnly lock on each subscription
Why wrong: A ReadOnly lock would block many changes but does not selectively restrict resource types.
- D
A budget alert for each subscription
Why wrong: Budget alerts monitor cost and do not enforce deployment standards.
A team wants every resource in a subscription to include a Department tag. New resources that do not have the tag should be blocked from being created. Which Azure Policy effect should you use?
- A
Audit
Why wrong: Audit reports noncompliance but still allows the resource to be created.
- B
Deny
Correct: Deny stops noncompliant deployments, which matches the requirement to block resources that are missing the tag.
- C
Append
Why wrong: Append can add or modify properties in some cases, but it does not simply block creation.
- D
Disabled
Why wrong: Disabled turns off enforcement and would not help with mandatory tagging.
A three-tier application uses separate web and app VMs that are scaled in and out regularly. The administrator must allow only the web tier to connect to the app tier on TCP 8080 without continually updating IP addresses. What should be configured in the NSG rule?
- A
Use application security groups for the web and app tiers and reference those groups in the NSG rule.
Correct: Application security groups let the administrator group VMs by role rather than by IP address. The NSG rule can then allow traffic from the web ASG to the app ASG on TCP 8080. This fits environments that scale or change frequently because the NSG does not need editing whenever VM addresses change.
- B
Add a subnet-to-subnet peering connection between the web and app subnets.
Why wrong: Peering provides connectivity between VNets, but it does not restrict traffic to only the desired tier or replace NSG rules.
- C
Create a load balancer backend pool rule for TCP 8080.
Why wrong: Load balancer backend pools distribute traffic, but they are not a security control for limiting east-west access between application tiers.
- D
Use a user-defined route that sends TCP 8080 traffic to the app tier.
Why wrong: Routes select next hops and do not provide an allow-list based on source and destination roles like an NSG rule does.