A backup job from an Azure service must write to a storage account that has the network firewall set to deny all public traffic. The team does not want to create a private endpoint for this workload. What should the administrator enable?

Add the backup server's public IP address to the storage firewall

Azure backup workloads typically do not rely on a stable customer-controlled public IP that can be safely allowlisted here, and this would not match the private-by-design requirement.

Create a service endpoint on the subnet that hosts the backup job

Service endpoints apply to subnets and are intended for VM or subnet-based traffic, not for every Microsoft-managed backup integration scenario.

Disable the storage account firewall temporarily during each backup window

Temporarily disabling the firewall weakens security and is not a sustainable or recommended operational control.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Allow trusted Microsoft services to access the storage account — If a supported Microsoft-managed service needs access while the storage firewall blocks public traffic, the correct option is to allow trusted Microsoft services. This keeps the firewall in place for general traffic but permits selected platform services to operate. It is the least disruptive and most secure choice when a private endpoint is not being used for that integration. Why others are wrong: A assumes a customer-managed public IP that may not exist or be stable for the platform service. C is for subnet-based access from resources you control, not for all Azure service integrations. D is operationally risky and defeats the purpose of the firewall.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.