AZ-104 (AZ-104) — Questions 175

1170 questions total · 16 pages · All types, answers revealed

Page 1 of 16

Question 1 · MCQ · medium

Two legacy application VMs must survive planned maintenance and a single host failure. The vendor requires both VMs to stay in the same region, and a datacenter outage is not part of the requirement. What should the administrator use?

A. An availability set that places the VMs in separate fault and update domains.
B. Availability zones with one VM in each zone.
C. A virtual machine scale set in a single zone.
D. A proximity placement group for both VMs.
Answer: A

Availability sets are designed for host-level resilience inside one datacenter. They spread VMs across fault domains and update domains, which helps reduce impact from hardware failures and planned maintenance. Because the requirement does not include surviving a full datacenter outage, an availability set is the right level of protection without the added complexity of zones.

Why this answer

An availability set protects against planned maintenance and single host failures by placing VMs in separate fault domains (different physical hardware) and update domains (different maintenance windows). This ensures that during planned Azure maintenance, only one VM is rebooted at a time, and if a host fails, only VMs in that fault domain are affected. Since the requirement specifies a single host failure (not a datacenter outage) and both VMs must stay in the same region, an availability set is the correct choice.

Exam trap

The trap here is that candidates confuse availability zones (which protect against datacenter outages) with availability sets (which protect against host and rack failures), leading them to choose zones even though the requirement explicitly excludes a datacenter outage.

How to eliminate wrong answers

Option B is wrong because availability zones place VMs in physically separate datacenters within a region, which protects against a datacenter outage—a requirement not specified here—and introduces cross-zone latency that the legacy application may not tolerate. Option C is wrong because a virtual machine scale set in a single zone does not provide fault domain isolation across separate physical hosts; it only scales within that zone and does not guarantee survival of both VMs during a single host failure. Option D is wrong because a proximity placement group only ensures low network latency by co-locating VMs, but it does not provide any fault or update domain protection against host failures or planned maintenance.

Question 2 · Matching · easy

Match each Azure CLI command to the action it performs for a virtual machine.



Starts a stopped virtual machine without changing its disks or NICs.

Stops the VM and releases the compute host, which can reduce compute charges.

Moves the VM to a new Azure host to help resolve host-level issues.

Changes the VM size, such as moving from a smaller to a larger SKU.

Why these pairings

Each Azure CLI command performs the corresponding VM lifecycle action: create, start, stop, deallocate (releases resources), delete, or list.

Question 3 · MCQ · medium

A team needs to deploy 25 identical Ubuntu VMs every month from source control. The deployment must be repeatable, and each VM must include a system-assigned managed identity at creation time. Which approach should be used?

A. Azure portal manual creation of each VM.
B. A Bicep template deployment.
C. An Azure Policy assignment at the subscription level.
D. An Azure Monitor alert rule that triggers VM creation.
Answer: B

Bicep is declarative, versionable in source control, and can define VM identity settings at deployment time.

Why this answer

A Bicep template is an Infrastructure as Code (IaC) solution that declaratively defines Azure resources, including VMs with system-assigned managed identities. It ensures repeatable, version-controlled deployments of 25 identical Ubuntu VMs every month, meeting the requirements for automation and identity assignment at creation time.

Exam trap

The trap here is confusing Azure Policy (which enforces compliance) with Azure Resource Manager templates (which deploy resources), leading candidates to select Policy thinking it can create VMs, when it only audits or remediates existing ones.

How to eliminate wrong answers

Option A is wrong because manual creation via the Azure portal is not repeatable, scalable, or source-control-friendly for 25 identical VMs each month, and it lacks automation. Option C is wrong because an Azure Policy assignment enforces compliance rules (e.g., requiring managed identities) but does not deploy VMs; it can only audit or remediate existing resources, not create them. Option D is wrong because an Azure Monitor alert rule triggers actions based on metrics or logs, not proactive VM deployment; it is designed for reactive responses, not scheduled or repeatable provisioning.

Question 4 · Matching · medium

A support engineer has several recovery scenarios after Azure VM backup. Match each recovery need to the restore option that best fits.



Restore virtual machine

Restore disks

File recovery

Create virtual machine

Cross-region restore

Why these pairings

Azure VM Backup offers multiple restore options: File Recovery for individual files, Create new VM for a fresh VM, Restore to a restore point for point-in-time recovery, Replace existing VM to overwrite, Cross-region restore for disaster recovery, and Restore disks to restore only disks.

Question 5 · Multi-Select · medium

Finance wants every resource created in one production resource group to receive the tag CostCenter=FINSVC automatically, but deployments should not be blocked if a template omits the tag. Existing resources should be updated when possible. Which two actions should the administrator take? Select two.

A. Assign a Modify policy that adds or updates the CostCenter tag.
B. Run a remediation task for noncompliant existing resources.
C. Apply a ReadOnly lock to the resource group to keep tags consistent.
D. Assign Reader to the resource group to ensure tag visibility.
E. Use only an Audit policy so teams can see missing tags.
Answers: A, B

The Modify effect can automatically add or update tags without blocking the deployment. That matches the requirement to keep deployments flowing while enforcing the tag.

Why this answer

Option A is correct because a Modify effect policy definition can automatically add or update the CostCenter tag on resources during creation or update, without blocking deployments if the tag is missing. This satisfies the requirement that deployments should not be blocked, as the Modify effect only applies the tag rather than denying non-compliant requests.

Exam trap

The trap here is that candidates often confuse Audit and Modify effects, thinking Audit can automatically fix tags, or they mistakenly believe a ReadOnly lock is needed to enforce consistency, when in fact Modify with remediation is the correct approach for automatic tag application without blocking deployments.
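The following is an added example and is not part of the question bank. It shows the shape of a Modify-effect policy rule for the CostCenter=FINSVC tag, then simulates, in plain Python, how the three effects behave on a create request and how a remediation task re-applies the Modify operations to existing resources. The if/then rule layout, the `modify` effect with `details.roleDefinitionIds` and `details.operations` using `addOrReplace`, and the built-in Contributor role id follow the Azure Policy definition format; the evaluator itself is a simplified model written for this page, and the resource records are constructed.

```python
"""Added example: Modify vs Audit vs Deny for a required tag, plus remediation.
The policy rule mirrors the Azure Policy definition format; the evaluation
engine is a simplified model and the resources below are constructed."""
import copy

# Built-in Contributor role. Modify needs a role that can write tags so the
# assignment's managed identity can apply the operations (assumption: any
# role with tag write permission would also work).
CONTRIBUTOR_ROLE = ("/providers/Microsoft.Authorization/roleDefinitions/"
                    "b24988ac-6180-42a0-ab88-20f7382dd24c")


def cost_center_policy(effect="modify"):
    """Rule: CostCenter must equal FINSVC; `effect` selects modify, audit or deny."""
    rule = {
        "if": {"field": "tags['CostCenter']", "notEquals": "FINSVC"},
        "then": {"effect": effect},
    }
    if effect == "modify":
        rule["then"]["details"] = {
            "roleDefinitionIds": [CONTRIBUTOR_ROLE],
            "operations": [
                {"operation": "addOrReplace",
                 "field": "tags['CostCenter']",
                 "value": "FINSVC"}
            ],
        }
    return rule


def _tag_name(field):
    # "tags['CostCenter']" -> "CostCenter"
    return field[len("tags['"):-len("']")]


def _condition_true(cond, resource):
    current = resource.get("tags", {}).get(_tag_name(cond["field"]))
    return current != cond["notEquals"]   # missing tag counts as "not equal"


def evaluate_request(policy, resource):
    """Simulate a create/update request.
    Returns (request allowed, resource as stored or None, compliant)."""
    resource = copy.deepcopy(resource)            # never mutate the caller's input
    if not _condition_true(policy["if"], resource):
        return True, resource, True               # already compliant, no effect runs
    effect = policy["then"]["effect"]
    if effect == "deny":
        return False, None, False                 # deployment is blocked
    if effect == "audit":
        return True, resource, False              # stored unchanged, flagged non-compliant
    if effect == "modify":
        for op in policy["then"]["details"]["operations"]:
            if op["operation"] == "addOrReplace":
                resource.setdefault("tags", {})[_tag_name(op["field"])] = op["value"]
        return True, resource, True               # stored with the tag applied
    raise ValueError("unknown effect: %s" % effect)


def remediate(policy, existing):
    """A remediation task applies the Modify operations to existing resources.
    Audit and Deny have nothing to apply, so the inventory is returned unchanged."""
    if policy["then"]["effect"] != "modify":
        return [copy.deepcopy(r) for r in existing]
    return [evaluate_request(policy, r)[1] for r in existing]


# Constructed sample resources (names and types are illustrative only).
NEW_VM = {"name": "vm-fin-01", "type": "Microsoft.Compute/virtualMachines",
          "tags": {"Env": "prod"}}
EXISTING = [
    {"name": "stfinlogs", "type": "Microsoft.Storage/storageAccounts", "tags": {}},
    {"name": "vm-fin-00", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"CostCenter": "FINSVC"}},
    {"name": "vm-fin-02", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"CostCenter": "OLD"}},
]

if __name__ == "__main__":
    for effect in ("deny", "audit", "modify"):
        print(effect, evaluate_request(cost_center_policy(effect), NEW_VM))
    print(remediate(cost_center_policy("modify"), EXISTING))
```

Running the three effects against the same untagged request shows the distinction the question turns on: Deny rejects the deployment, Audit lets it through but leaves the resource non-compliant, and Modify lets it through with the tag applied; only the Modify rule gives a remediation task anything to apply to resources that already existed.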

Question 6 · MCQ · easy

Based on the exhibit, which OS disk option best fits a development VM that is rebuilt often and does not need the disk contents to survive deallocation?

A. A Standard HDD managed OS disk.
B. An ephemeral OS disk.
C. A premium managed data disk used as the OS disk.
D. A shared disk attached to multiple VMs.
Answer: B

An ephemeral OS disk is the best match because it provides very fast local storage for the operating system and does not need to preserve data after deallocation. This is ideal for rebuildable development VMs where performance matters more than retaining the OS disk contents.

Why this answer

An ephemeral OS disk is created on the local VM host and not stored in Azure Storage, so it provides lower latency and is automatically deleted when the VM is deallocated. This makes it ideal for development VMs that are rebuilt often and do not require disk persistence across deallocations.

Exam trap

The trap here is that candidates may assume a Standard HDD managed disk is the cheapest option for a development VM, overlooking that ephemeral disks incur no storage cost and automatically reset the OS on each rebuild, which is more cost-effective and operationally simpler for the described use case.

How to eliminate wrong answers

Option A is wrong because a Standard HDD managed OS disk persists in Azure Storage and survives VM deallocation, incurring ongoing costs and requiring manual cleanup for frequently rebuilt VMs. Option C is wrong because a premium managed data disk used as the OS disk would still be a persistent managed disk stored in Azure Storage, not ephemeral, and would survive deallocation, defeating the requirement. Option D is wrong because a shared disk attached to multiple VMs is designed for clustered workloads (e.g., SQL Server FCI) and cannot be used as an OS disk, as Azure does not support sharing the OS disk across VMs.

Question 7 · MCQ · hard

The subscription activity log is being sent to a Log Analytics workspace. An alert must fire when any resource group is deleted, but delete operations initiated by the automation account rg-cleaner@contoso.com must be ignored. Which query should be used in the alert rule?

A. AzureActivity | where ResourceProviderValue == "Microsoft.Resources" | where OperationName contains "delete"
B. AzureActivity | where OperationNameValue == "Microsoft.Resources/subscriptions/resourceGroups/delete" | where ActivityStatusValue == "Succeeded" | where Caller != "rg-cleaner@contoso.com" | summarize Count = count()
C. Heartbeat | where Computer == "rg-cleaner@contoso.com" | where TimeGenerated > ago(1d)
D. SecurityEvent | where EventID == 4688 | where Account == "rg-cleaner@contoso.com"
Answer: B

This query targets the exact delete operation for resource groups in AzureActivity, limits results to successful deletions, and excludes the automation account caller. A log alert can trigger when the result count is greater than zero. It is the most accurate choice because it filters by both operation identity and exception handling, which prevents false alerts from the known automation runbook.

Why this answer

Option B is correct because it filters for the exact operation that deletes a resource group (Microsoft.Resources/subscriptions/resourceGroups/delete), ensures the deletion succeeded, and excludes the caller 'rg-cleaner@contoso.com'. This meets the requirement to fire an alert only when a resource group is deleted by any user except the automation account.

Exam trap

The trap here is that candidates often choose Option A because they see 'delete' in the operation name, but they fail to realize that a broad 'contains' filter will match many unrelated delete operations and does not exclude the automation account's caller identity.

How to eliminate wrong answers

Option A is wrong because it uses a generic 'contains delete' filter on OperationName, which would match many unrelated delete operations (e.g., deleting a VM or storage account) and does not filter by caller or success status. Option C is wrong because it queries the Heartbeat table, which is used for agent health monitoring, not for tracking resource group deletions or caller identity. Option D is wrong because it queries SecurityEvent for process creation (EventID 4688), which logs local process execution, not Azure resource group deletions or the caller's identity in Azure Activity Log.
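The following is an added example and is not part of the question bank. It replays the two KQL candidates from this question in plain Python over a constructed set of AzureActivity rows, so the difference between the broad `contains "delete"` filter (option A) and the exact, success-only, caller-excluded filter (option B) can be seen without a Log Analytics workspace. Only the operation name and the rg-cleaner@contoso.com caller come from the question; every row is constructed sample data, and the OperationName display strings are an assumption about what that column carries.

```python
"""Added example: option A versus option B from question 7, evaluated over
constructed AzureActivity rows. Not real telemetry."""
from dataclasses import dataclass
from typing import List

RG_DELETE_OP = "Microsoft.Resources/subscriptions/resourceGroups/delete"
AUTOMATION_CALLER = "rg-cleaner@contoso.com"   # runbook identity the alert must ignore


@dataclass(frozen=True)
class ActivityRow:
    OperationNameValue: str      # resource-manager operation (exact string)
    OperationName: str           # assumed display string for the same operation
    ResourceProviderValue: str
    ActivityStatusValue: str     # Started / Succeeded / Failed
    Caller: str


# Constructed sample of activity-log records.
SAMPLE_ROWS: List[ActivityRow] = [
    ActivityRow(RG_DELETE_OP, "Delete Resource Group", "Microsoft.Resources", "Succeeded", "alice@contoso.com"),
    ActivityRow(RG_DELETE_OP, "Delete Resource Group", "Microsoft.Resources", "Succeeded", AUTOMATION_CALLER),
    ActivityRow(RG_DELETE_OP, "Delete Resource Group", "Microsoft.Resources", "Failed", "bob@contoso.com"),
    ActivityRow(RG_DELETE_OP, "Delete Resource Group", "Microsoft.Resources", "Started", "alice@contoso.com"),
    ActivityRow("Microsoft.Resources/deployments/delete", "Delete Deployment", "Microsoft.Resources", "Succeeded", "bob@contoso.com"),
    ActivityRow("Microsoft.Compute/virtualMachines/delete", "Delete Virtual Machine", "Microsoft.Compute", "Succeeded", "carol@contoso.com"),
    ActivityRow("Microsoft.Resources/deployments/write", "Create Deployment", "Microsoft.Resources", "Succeeded", "alice@contoso.com"),
]


def option_a_matches(rows):
    """Option A: ResourceProviderValue == Microsoft.Resources and OperationName
    contains "delete". KQL `contains` is case-insensitive, so every delete-style
    operation under the provider matches, whatever its status or caller."""
    return [r for r in rows
            if r.ResourceProviderValue == "Microsoft.Resources"
            and "delete" in r.OperationName.lower()]


def option_b_count(rows):
    """Option B: exact operation, Succeeded only, automation caller excluded,
    then `summarize Count = count()`."""
    return sum(1 for r in rows
               if r.OperationNameValue == RG_DELETE_OP
               and r.ActivityStatusValue == "Succeeded"
               and r.Caller != AUTOMATION_CALLER)


def alert_should_fire(rows, threshold=0):
    """A log alert built on option B fires when the summarized count exceeds the threshold."""
    return option_b_count(rows) > threshold


if __name__ == "__main__":
    print("option A rows :", len(option_a_matches(SAMPLE_ROWS)))   # includes failed, in-progress and runbook deletions
    print("option B count:", option_b_count(SAMPLE_ROWS))          # only the successful human-initiated deletion
    print("fire alert    :", alert_should_fire(SAMPLE_ROWS))
```

On this sample, option A returns five rows, among them a failed attempt, an in-progress operation, a deployment deletion and the automation account's own run; option B counts exactly one row, the successful deletion by a human caller, which is the event the alert is meant to catch.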

Question 8 · MCQ · easy

A reporting application stores files in Azure Blob Storage. The business wants the secondary region to be readable if the primary region becomes unavailable. Which redundancy option should you use?

A. LRS, because it stores all copies in one region only.
B. ZRS, because it replicates across availability zones.
C. RA-GRS, because it provides geo-replication with read access to the secondary endpoint.
D. Archive, because archived blobs are stored cheaply for long-term retention.
Answer: C

RA-GRS keeps a replicated copy in a paired region and allows read access to the secondary endpoint, which fits the requirement for secondary-region reads.

Why this answer

Option C (RA-GRS) is correct because it provides geo-replication by asynchronously copying data to a secondary region and enables read access to that secondary endpoint. If the primary region becomes unavailable, the application can continue reading from the secondary region, meeting the business requirement for readable secondary access during a primary outage.

Exam trap

The trap here is that candidates often confuse ZRS (zone-redundant within a region) with geo-redundant options, or mistakenly think LRS provides any cross-region resilience, when only RA-GRS offers both geo-replication and read access to the secondary region.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) stores three replicas within a single data center in one region only, providing no protection against a regional outage or secondary region read access. Option B is wrong because ZRS (Zone-Redundant Storage) replicates across availability zones within a single region, offering no geo-replication to a secondary region for disaster recovery. Option D is wrong because the Archive access tier is for cost-effective long-term storage of infrequently accessed data, not for replication or providing readable secondary access during an outage.

Question 9 · MCQ · medium

A production resource group contains several VMs and a storage account. The operations manager wants to prevent accidental deletion of the resource group and its resources, but still allow normal configuration changes during maintenance windows. Which lock should be applied to the resource group?

A. ReadOnly lock at the resource group scope.
B. CanNotDelete lock at the resource group scope.
C. Azure Policy assignment that denies all delete requests.
D. Apply the lock only to individual virtual machines.
Answer: B

CanNotDelete is the correct lock when the goal is to prevent accidental removal while still allowing updates. It blocks delete operations for the resource group and its resources, but it does not stop normal configuration changes such as resizing, tagging, or network updates. That makes it suitable for production protection without freezing administration.

Why this answer

A CanNotDelete lock at the resource group scope prevents the deletion of the resource group and all its resources, while still allowing configuration changes (e.g., modifying VM settings or updating storage account properties). This meets the operations manager's requirement to block accidental deletion but permit normal maintenance operations. ReadOnly locks would block all write operations, which is too restrictive for maintenance windows.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, mistakenly thinking ReadOnly is safer, but ReadOnly blocks all write operations (including configuration changes), which is too restrictive for maintenance scenarios where updates are required.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock at the resource group scope prevents any write operations, including configuration changes during maintenance windows, which violates the requirement to allow normal changes. Option C is wrong because an Azure Policy assignment that denies all delete requests would block deletions but also requires additional policy management and does not inherently protect against accidental deletion at the resource group level as effectively as a lock; moreover, policies can be bypassed if not properly scoped or if the user has sufficient permissions, whereas locks are a definitive authorization boundary. Option D is wrong because applying the lock only to individual virtual machines leaves the resource group and other resources (like the storage account) unprotected from deletion, failing the requirement to prevent accidental deletion of the entire resource group and its resources.

Question 10 · MCQ · easy

Based on the exhibit, the web tier can reach the API subnet by name, but the traffic is still blocked. What should the administrator do?

A. Add the API VM NICs to the destination application security group.
B. Increase the priority number of the allow rule so it is evaluated earlier.
C. Replace the ASG with a service endpoint on the API subnet.
D. Remove the web VMs from ASG-Web because ASGs block traffic by default.
Answer: A

The allow rule is written for ASG-Api as the destination, but the exhibit shows that no API NICs are currently members of that ASG. Because NSG rules only match when both source and destination ASG membership is present, traffic will be blocked until the API VM NICs are added to ASG-Api.

Why this answer

The correct answer is A because the web tier can resolve the API subnet's name, but traffic is still blocked. This indicates that the network security group (NSG) rules are not correctly configured to allow traffic from the web VMs (in ASG-Web) to the API VMs (in ASG-Api). By adding the API VM NICs to the destination application security group (ASG), the NSG rule that references ASG-Api as the destination will match the API VMs, allowing the traffic.

Without this, the NSG rule may be referencing an empty or incorrect destination, causing the traffic to be denied by the default deny rule.

Exam trap

The trap here is that candidates often confuse name resolution with network connectivity, assuming that if a VM can resolve another VM's name via DNS, traffic must be allowed, but NSG rules are evaluated independently of DNS resolution.

How to eliminate wrong answers

Option B is wrong because increasing the priority number (making it a higher value) actually causes the rule to be evaluated later, not earlier; lower priority numbers are evaluated first. Option C is wrong because a service endpoint is used to secure Azure service traffic (e.g., to Azure Storage or SQL Database) to a virtual network, not to allow traffic between subnets or VMs within the same virtual network. Option D is wrong because ASGs do not block traffic by default; they are logical groupings used in NSG rules to define source or destination, and removing VMs from ASG-Web would not resolve the connectivity issue—it would break the existing allow rule that references ASG-Web as the source.
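The following is an added example and is not part of the question bank. It is a small model of how an NSG evaluates inbound rules whose source and destination are application security groups, reproducing the situation in this question (an allow rule targets ASG-Api, but the ASG has no member NICs, so traffic falls through to the default deny) and the priority point behind option B (the lowest priority number is evaluated first). ASG-Web and ASG-Api are the question's names; the NIC names, port and rule set are constructed, and the evaluator is a simplification of the real NSG engine.

```python
"""Added example: NSG rule evaluation with ASG-based source/destination.
Simplified model; NIC names, port and rules are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # 100-4096 for custom rules; lower numbers evaluate first
    access: str                   # "Allow" or "Deny"
    src_asg: Optional[str] = None
    dst_asg: Optional[str] = None
    src_any: bool = False
    dst_any: bool = False
    port: Optional[int] = None    # None means any destination port


# Azure appends default rules after the custom ones; the one that decides
# unmatched traffic here is the final inbound deny.
DEFAULT_DENY = Rule("DenyAllInbound", 65500, "Deny", src_any=True, dst_any=True)


def evaluate(rules: List[Rule], membership: Dict[str, Set[str]],
             src_nic: str, dst_nic: str, port: int) -> Tuple[str, str]:
    """Return (name of the first matching rule, its access), scanning in ascending
    priority number. An ASG with no member NICs can never match a rule, which is
    exactly the failure mode in the question."""
    for rule in sorted(rules + [DEFAULT_DENY], key=lambda r: r.priority):
        if rule.port is not None and rule.port != port:
            continue
        src_ok = rule.src_any or src_nic in membership.get(rule.src_asg, set())
        dst_ok = rule.dst_any or dst_nic in membership.get(rule.dst_asg, set())
        if src_ok and dst_ok:
            return rule.name, rule.access
    raise AssertionError("the default deny rule always matches")


ALLOW_WEB_TO_API = Rule("AllowWebToApi", 100, "Allow",
                        src_asg="ASG-Web", dst_asg="ASG-Api", port=443)


def scenario_before_fix() -> Tuple[str, str]:
    """Exhibit state: the web NIC is in ASG-Web, but ASG-Api has no members."""
    membership = {"ASG-Web": {"web-nic-1"}, "ASG-Api": set()}
    return evaluate([ALLOW_WEB_TO_API], membership, "web-nic-1", "api-nic-1", 443)


def scenario_after_fix() -> Tuple[str, str]:
    """Option A applied: the API NIC joins ASG-Api and the allow rule now matches."""
    membership = {"ASG-Web": {"web-nic-1"}, "ASG-Api": {"api-nic-1"}}
    return evaluate([ALLOW_WEB_TO_API], membership, "web-nic-1", "api-nic-1", 443)


def scenario_priority() -> Tuple[str, str]:
    """Priority direction: a deny rule numbered 90 beats the allow rule numbered 100,
    even with correct ASG membership, because lower numbers are evaluated first."""
    membership = {"ASG-Web": {"web-nic-1"}, "ASG-Api": {"api-nic-1"}}
    deny_web = Rule("DenyWebInbound", 90, "Deny", src_asg="ASG-Web", dst_any=True)
    return evaluate([ALLOW_WEB_TO_API, deny_web], membership, "web-nic-1", "api-nic-1", 443)


if __name__ == "__main__":
    print("before fix:", scenario_before_fix())   # falls through to DenyAllInbound
    print("after fix :", scenario_after_fix())    # AllowWebToApi matches
    print("priority  :", scenario_priority())     # the lower-numbered deny wins
```

The before/after pair shows that the allow rule is correct as written and only its destination ASG is empty; the priority scenario shows why raising the allow rule's number (option B) would push it later in evaluation rather than earlier.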

Question 11 · MCQ · hard

An administrator enabled diagnostic settings on a storage account and selected the resource-specific table format for Log Analytics. A coworker later queried AzureDiagnostics and received no rows. What should the administrator tell the coworker to do?

A. Query the dedicated storage resource tables created by the diagnostic setting instead of AzureDiagnostics
B. Recreate the storage account because AzureDiagnostics is only populated by new resources
C. Change the storage account replication type to GRS so diagnostic logs are duplicated
D. Enable Azure Monitor metrics collection on the storage account before querying AzureDiagnostics
Answer: A

Resource-specific export writes to service-specific tables, so AzureDiagnostics will not contain those records.

Why this answer

When diagnostic settings are configured to use the 'Resource specific' destination table format, logs are sent to dedicated tables named after the resource type (e.g., StorageBlobLogs, StorageQueueLogs) rather than the legacy AzureDiagnostics table. Querying AzureDiagnostics returns no rows because logs are not written there under this format. The coworker must query the appropriate resource-specific table instead.

Exam trap

The trap here is that candidates assume all diagnostic logs always land in the AzureDiagnostics table, overlooking the 'Resource specific' destination table format option that creates dedicated tables per resource type.

How to eliminate wrong answers

Option B is wrong because AzureDiagnostics is not 'only populated by new resources'; it is populated based on the diagnostic setting's destination table format, not the age of the resource. Option C is wrong because changing replication to GRS (geo-redundant storage) affects data durability and availability, not the routing or storage of diagnostic logs in Log Analytics. Option D is wrong because enabling Azure Monitor metrics collection is unrelated to the table format used for diagnostic logs; metrics and logs are separate data types and do not affect the presence of rows in AzureDiagnostics.

Question 12 · MCQ · medium

A partner company needs write access to a single blob container for 24 hours. The partner does not have an Azure subscription in your tenant, and the team does not want to share the storage account key. Which access method is the best choice?

A. Grant the partner Contributor access on the storage account
B. Create a user delegation SAS with write permission and a short expiration time
C. Share the storage account access key and let the partner create their own token
D. Enable anonymous public write access on the container
Answer: B

A user delegation SAS provides temporary access without exposing the storage account key and can be tightly scoped.

Why this answer

A user delegation SAS is the best choice because it provides time-limited, scoped write access to a specific blob container without exposing the storage account key. It is secured with Azure AD credentials and can be configured with a short expiration time (e.g., 24 hours), meeting the partner's requirement for temporary access. This method ensures the partner does not need an Azure subscription in your tenant and avoids sharing the account key.

Exam trap

The trap here is that candidates often confuse a user delegation SAS with a service SAS or account SAS, or mistakenly think that granting RBAC roles like Contributor is the simplest way to provide access, without realizing it grants far more permissions than needed and violates the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because granting Contributor access on the storage account would give the partner full control over the storage account (including the ability to read/write all containers and manage resources), which is overly permissive and not scoped to a single blob container. Option C is wrong because sharing the storage account access key would grant unrestricted access to the entire storage account (all containers, blobs, and operations) and violates the requirement to not share the key. Option D is wrong because enabling anonymous public write access on the container would allow any unauthenticated user to write blobs, which is a severe security risk and does not provide controlled, partner-specific access.

Question 13 · Multi-Select · easy

A storage account should use a private IP address inside a virtual network, and workloads in that VNet must resolve the storage name to the private address. Which two items are required? Select two.

A. Create a private endpoint for the storage account in the virtual network so the service gets a private IP.
B. Create and link the appropriate private DNS zone so the storage account name resolves to the private IP.
C. Enable a service endpoint on the subnet, because service endpoints create a private IP for the storage service.
D. Assign a Reader role on the storage account, because RBAC determines the private address used by clients.
E. Disable the storage account firewall, because private endpoints only work when the public endpoint is open.
Answers: A, B

A private endpoint places the storage service on a private IP address inside the VNet.

Why this answer

Option A is correct because a private endpoint assigns a private IP address from the virtual network to the storage account, enabling secure, direct connectivity over the Microsoft backbone without traversing the public internet. This is achieved by creating a network interface in the VNet that receives a private IP from the subnet range, which then routes traffic to the storage service via a private link.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both provide a private IP, when in fact only private endpoints assign a private IP from the VNet, while service endpoints merely route traffic over the Microsoft backbone using the service's public IP.

Question 14 · MCQ · medium

A storage account has public network access disabled. A VM in a virtual network must access blob data privately, and the application must resolve the storage endpoint name to a private IP address. What should the administrator deploy?

A. A service endpoint for Microsoft.Storage and a custom hosts file entry on the VM
B. A private endpoint for the storage account plus a private DNS zone linked to the virtual network
C. Allow trusted Microsoft services and keep using the public endpoint
D. A route table that sends traffic for the storage account's public IP to the VPN gateway
Answer: B

A private endpoint places the storage service on a private IP address inside the VNet, which satisfies the private access requirement. A private DNS zone is then needed so the storage account name resolves to that private IP address from within the virtual network. Together, they provide secure, private connectivity with proper name resolution.

Why this answer

A private endpoint assigns the storage account a private IP from the VM's virtual network, enabling direct, secure access over the Microsoft backbone. A private DNS zone linked to the virtual network ensures the storage endpoint name (e.g., mystorageaccount.blob.core.windows.net) resolves to that private IP, meeting the requirement for private name resolution without relying on public DNS or hosts file entries.

Exam trap

The trap here is that candidates confuse service endpoints (which provide source IP preservation but no private IP) with private endpoints (which provide a true private IP and private DNS resolution), leading them to choose Option A or C.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not provide a private IP address; it routes traffic over the Microsoft backbone but still uses the public endpoint's DNS name, requiring a custom hosts file entry that is brittle and not scalable. Option C is wrong because 'Allow trusted Microsoft services' bypasses the firewall for specific Azure services but still uses the public endpoint, not a private IP, and does not resolve the name privately. Option D is wrong because a route table cannot change DNS resolution; it only controls traffic routing, and sending traffic to a VPN gateway does not assign a private IP to the storage endpoint or resolve its name privately.

Question 15 · Multi-Select · hard

You are deploying a Windows Server VM for an internal app. The VM must support Secure Boot and vTPM later, its OS disk must survive host moves, and the team wants the lowest-cost managed disk tier that still behaves like a normal writable OS disk. Which two choices should you make? Select two.

A. Use a Generation 2 Windows Server Marketplace image.
B. Use an ephemeral OS disk to reduce storage cost.
C. Use a managed Standard SSD OS disk.
D. Use an unmanaged VHD stored in a storage account.
E. Use a Generation 1 image and enable Secure Boot after deployment.
Answers: A, C

Generation 2 images are the correct starting point when you may later enable security features such as Secure Boot and vTPM. They also align with modern Azure VM capabilities and avoid the limitations of older generation images.

Why this answer

Option A is correct because Secure Boot and vTPM are only supported on Generation 2 VMs in Azure. Generation 2 VMs use a UEFI-based boot architecture, which is required for these security features. A Generation 2 Windows Server Marketplace image provides the necessary UEFI firmware and GPT-partitioned OS disk to enable Secure Boot and vTPM.

Exam trap

The trap here is that candidates often assume Generation 1 VMs can be upgraded to support Secure Boot or that ephemeral disks are a cost-saving alternative that still meets durability requirements, but Azure explicitly restricts Secure Boot and vTPM to Generation 2 VMs and ephemeral disks are volatile by design.

Question 16 · MCQ · medium

A deny policy blocks creation of storage accounts with public network access enabled. A legacy application in RG-Legacy must keep one existing storage account publicly reachable for 45 days while the rest of the subscription remains governed by the policy. What should the administrator configure?

A. A policy exemption at the RG-Legacy scope with an expiration date.
B. A new role assignment that grants Owner on RG-Legacy.
C. A management lock on the storage account.
D. A separate initiative assigned only to RG-Legacy with the deny setting disabled.
Answer: A

An exemption allows the specific scope to bypass the policy temporarily while keeping the policy active elsewhere.

Why this answer

A policy exemption at the RG-Legacy scope with an expiration date is the correct solution because it allows the specific storage account to bypass the deny policy while keeping the policy enforced for all other resources. The exemption can be scoped to the resource group and set to expire in 45 days, ensuring the legacy application retains public access temporarily without permanently weakening the governance posture. This approach directly addresses the requirement to maintain compliance for the rest of the subscription.

Exam trap

The trap here is that candidates often confuse policy exemptions with role assignments or management locks, mistakenly thinking that granting Owner permissions or locking a resource can override a deny policy, when in fact only a policy exemption (or a policy exclusion at assignment scope) can bypass the deny effect.

How to eliminate wrong answers

Option B is wrong because assigning the Owner role on RG-Legacy does not override a deny policy; Azure Policy deny effects are enforced at the Azure Resource Manager layer and cannot be bypassed by role assignments, even for Owners. Option C is wrong because a management lock (e.g., CanNotDelete or ReadOnly) prevents accidental deletion or modification of the storage account but does not affect policy evaluation; the deny policy would still block any attempt to create or update the account with public network access enabled. Option D is wrong because a separate initiative with the deny setting disabled would still be subject to the original deny policy assigned at a higher scope (e.g., subscription or management group); initiatives do not override existing policies unless explicitly excluded via an exemption.

Question 17 · MCQ · medium

You need to deploy a group of identical Azure virtual machines and ensure they are distributed across fault domains and update domains to reduce the impact of host failures and planned maintenance. Which feature should you use?

A. An availability set
B. A proximity placement group
C. A private endpoint
D. A custom script extension
Answer: A

Availability sets distribute VMs across fault and update domains.

Why this answer

An availability set is the correct feature because it logically groups VMs to isolate them from each other during host failures and planned maintenance. It distributes VMs across up to 3 fault domains (each with separate power, cooling, and network) and up to 20 update domains (which are rebooted sequentially during maintenance), ensuring that not all VMs are impacted simultaneously.

Exam trap

The trap here is that candidates often confuse availability sets with availability zones, thinking zones are required for fault domain distribution, but availability sets provide fault and update domain isolation within a single Azure region without requiring multiple zones.

How to eliminate wrong answers

Option B is wrong because a proximity placement group is used to reduce network latency between VMs by placing them close together, not to distribute them across fault or update domains. Option C is wrong because a private endpoint provides a private IP address for secure connectivity to Azure PaaS services over the Microsoft backbone network, and it has no role in VM distribution or availability. Option D is wrong because a custom script extension is used to run scripts on VMs after deployment for configuration or software installation, and it does not affect the placement or fault/update domain distribution of VMs.

18
MCQ (hard)

A Windows VM in Azure is protected by Azure Backup. A developer accidentally deleted one application folder, but the VM must keep serving users while the administrator restores only that folder. What should the administrator do?

A. Restore the entire VM from the latest recovery point into the production resource group.
B. Use File Recovery from the appropriate recovery point and copy the folder back.
C. Restore the managed disk and attach it to the running VM as a second OS disk.
D. Create a new Recovery Services vault and re-protect the VM before restoring anything.
Answer: B

File Recovery is designed for item-level restore from an Azure VM backup. The administrator can mount the recovery point, browse the backed-up contents, and copy the missing folder back without replacing the whole VM. This is the least disruptive option when the machine must remain online and only a small set of files is needed.

Why this answer

Option B is correct because Azure Backup's File Recovery feature allows you to mount a recovery point as a drive on the running VM, enabling you to copy specific files or folders without restoring the entire VM or disrupting production. This is the only method that meets the requirement of restoring only the deleted folder while the VM continues serving users.

Exam trap

The trap here is that candidates often assume a full VM restore or disk restore is required for file-level recovery, overlooking the Azure Backup File Recovery feature that is specifically designed for granular, non-disruptive restores.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM from the latest recovery point into the production resource group would overwrite the current VM or create a conflicting VM, causing downtime and unnecessary data transfer, and it does not target only the deleted folder. Option C is wrong because restoring the managed disk and attaching it as a second OS disk would require stopping the VM to attach the disk, and the folder would need to be extracted from the OS volume, which is complex and disruptive; moreover, Azure Backup does not directly support restoring a managed disk for file-level recovery without using File Recovery. Option D is wrong because creating a new Recovery Services vault and re-protecting the VM does not restore the deleted folder; it only initiates new backups, and the existing recovery points in the original vault are still accessible for restoration.

19
MCQ (medium)

A security team requires all outbound internet traffic from a workload subnet to pass through an NVA at 10.1.4.4. The subnet is already associated with an NSG that allows the traffic. Which UDR should the administrator add to the route table for that subnet?

A. Destination 10.1.4.4/32 with next hop type Internet.
B. Destination 0.0.0.0/0 with next hop type Virtual appliance and next hop IP 10.1.4.4.
C. Destination 0.0.0.0/0 with next hop type Virtual network gateway.
D. Destination 10.1.4.0/24 with next hop type None.
Answer: B

To force all internet-bound traffic through a network virtual appliance, the route table needs a default route that matches 0.0.0.0/0 and sends traffic to the appliance's private IP. The next hop type must be Virtual appliance, and the next hop IP should be 10.1.4.4. This overrides Azure's default system route for internet traffic from that subnet, while still allowing NSG rules to control whether the traffic is permitted.

Why this answer

Option B is correct because a User Defined Route (UDR) with destination 0.0.0.0/0 and next hop type 'Virtual appliance' forces all outbound internet traffic from the subnet to be forwarded to the NVA at 10.1.4.4 for inspection. The 0.0.0.0/0 prefix matches all internet-bound traffic, and the 'Virtual appliance' next hop type enables routing to a private IP address within the virtual network, overriding the default system route that would otherwise send traffic directly to the Internet.

Exam trap

The trap here is that candidates often confuse the 'Virtual appliance' next hop type with 'Virtual network gateway' or mistakenly think a specific destination like the NVA's IP is needed, rather than understanding that 0.0.0.0/0 is required to capture all outbound internet traffic.

How to eliminate wrong answers

Option A is wrong because a destination of 10.1.4.4/32 with next hop type 'Internet' would only route traffic destined to the NVA itself out to the internet, not all outbound traffic through the NVA. Option C is wrong because next hop type 'Virtual network gateway' is used for site-to-site VPN or ExpressRoute traffic, not for forcing traffic through an NVA; it would send internet-bound traffic to the gateway instead of the NVA. Option D is wrong because destination 10.1.4.0/24 with next hop type 'None' would blackhole traffic to the NVA's subnet, preventing any traffic from reaching the NVA, and it does not affect outbound internet traffic.

20
Multi-Select (medium)

A VNet peering attempt between VNet-A and VNet-B fails because both VNets include 10.40.0.0/16. VNet-B hosts active workloads, so the team wants to readdress it without downtime. Which two actions should the administrator take? Select two.

Select 2 answers
A. Add a new non-overlapping address space to VNet-B.
B. Migrate the workloads and subnets in VNet-B to the new address space before removing the overlapping range.
C. Enable gateway transit on both VNets to bypass the overlap check.
D. Create a private endpoint in VNet-A so the peering can use private connectivity.
E. Associate a route table with VNet-B to force Azure to accept the peering.
Answers: A, B

This gives VNet-B a range that does not conflict with VNet-A, which is required for peering.

Why this answer

Option A is correct because adding a new non-overlapping address space to VNet-B resolves the IP address overlap that prevents VNet peering. Azure VNet peering requires that the address spaces of both VNets do not overlap; overlapping ranges cause the peering to fail. By adding a new range (e.g., 10.41.0.0/16) to VNet-B, the administrator introduces a non-conflicting address space that can be used for peering while the existing overlapping range remains active for workloads.

Exam trap

The trap here is that candidates may think gateway transit or route tables can override the address space overlap requirement, but Azure strictly enforces non-overlapping address spaces for VNet peering, and only address space modification resolves the conflict.

21
MCQ (easy)

A user deleted one Excel file from a file share backed up with Azure Backup. You want to restore only that file, not the entire share. What should you use?

A. A full VM restore
B. A file-level restore from the backup recovery point
C. A metric alert rule
D. A private endpoint
Answer: B

File-level restore lets you recover a single file or folder from a specific recovery point without replacing the whole protected workload.

Why this answer

Azure Backup for Azure Files supports file-level restore from a recovery point. When you select a recovery point in the Azure portal, you can browse the file share contents and restore individual files or folders to the original or an alternate location, without restoring the entire share. This is achieved by mounting the recovery point as a read-only share via the SMB protocol, allowing you to copy the specific file.

Exam trap

The trap here is that candidates may assume Azure Backup only supports full share or VM restores, overlooking the file-level restore capability that is explicitly available for Azure Files backups.

How to eliminate wrong answers

Option A is wrong because a full VM restore would restore an entire virtual machine, not a single file from a file share, and is unnecessary and inefficient for this scenario. Option C is wrong because a metric alert rule is used to monitor performance metrics (e.g., IOPS, throughput) and trigger notifications, not to restore files. Option D is wrong because a private endpoint provides secure network connectivity to Azure services over a private IP address, but it does not perform data restoration.

22
MCQ (hard)

Traffic from VM-App01 is taking an unexpected path to the internet through a network virtual appliance. You need to determine which routes are actually applied to the VM network interface. Which Azure feature should you use?

A. Effective routes for the network interface
B. NSG flow logs
C. Azure Policy compliance
D. The subscription activity log
Answer: A

Effective routes display the route entries that are actively applied to the NIC.

Why this answer

Effective routes for a network interface show the actual routes applied to the VM's NIC after combining all route sources (system routes, BGP, and user-defined routes). This allows you to verify whether traffic is being forced through the NVA or taking an unexpected path, by inspecting the next hop type and IP address for the 0.0.0.0/0 route.

Exam trap

The trap here is that candidates confuse 'effective routes' with 'NSG flow logs' because both involve network troubleshooting, but effective routes solve routing-path issues while flow logs solve firewall/security-rule issues.

How to eliminate wrong answers

Option B is wrong because NSG flow logs record allowed/denied traffic flows and throughput data, not the routing table applied to the NIC. Option C is wrong because Azure Policy compliance checks whether resources meet organizational rules (e.g., requiring a specific tag), not the actual routing configuration. Option D is wrong because the subscription activity log tracks control-plane operations (e.g., creating a VM), not data-plane routing decisions.

23
MCQ (easy)

A web app in Azure needs to upload files to a blob container. The development team wants the app to authenticate without storing a storage account key or password in code. Which approach should the administrator configure?

A. Embed the storage account key in the application settings
B. Assign a managed identity to the app and grant it storage permissions
C. Use the public endpoint and anonymous access
D. Use an archive tier for the container
Answer: B

A managed identity lets the app authenticate to Azure Storage without storing credentials. Azure handles the identity lifecycle, and access is controlled with role assignments.

Why this answer

Option B is correct because Azure Managed Identity provides an automatically managed service principal in Azure AD, allowing the web app to authenticate to Azure Blob Storage without storing any credentials in code or configuration. By assigning the managed identity to the app and granting it the appropriate RBAC role (e.g., Storage Blob Data Contributor), the app can obtain an Azure AD token to securely access the blob container.

Exam trap

The trap here is that candidates may confuse managed identity with other authentication methods like SAS tokens or connection strings, or incorrectly assume that embedding keys in app settings is acceptable because it's 'not in code,' but Azure explicitly considers this a security risk for production workloads.

How to eliminate wrong answers

Option A is wrong because embedding the storage account key in application settings still stores a secret in the app configuration, violating the requirement to avoid storing keys or passwords in code. Option C is wrong because using the public endpoint with anonymous access bypasses authentication entirely, which is insecure and does not meet the requirement for authenticated uploads. Option D is wrong because an access tier such as Cool, Cold, or Archive is a storage optimization setting for cost savings on infrequently accessed data, not an authentication mechanism.

24
Multi-Select (medium)

You are managing an Azure Storage account that hosts a large number of blobs. You need to ensure that data can be recovered if blobs are accidentally deleted or overwritten. Which three of the following actions should you take? (Choose three.)

Select 3 answers
- Enable soft delete for blobs.
- Enable blob versioning.
- Configure a lifecycle management policy to move blobs to the Cool tier.
- Enable point-in-time restore for block blobs.
- Enable Azure Defender for Storage.
- Set the default access tier to Archive.

Why this answer

Soft delete for blobs preserves deleted blobs for a specified retention period, allowing recovery from accidental deletion. Blob versioning maintains previous versions of a blob, enabling restoration if a blob is overwritten or deleted. Point-in-time restore for block blobs allows reverting the container to an earlier state, recovering from bulk accidental modifications or deletions.

Together, these three features provide comprehensive protection against accidental data loss.

Exam trap

The trap here is that candidates often confuse lifecycle management or tier changes as data protection mechanisms, but they are cost-management features, not recovery features; the correct answers are all specifically designed for data recovery from accidental deletion or overwrite.

25
MCQ (hard)

An NSG rule allows TCP 8443 from ASG-Web to ASG-Api on the API subnet. The web VM NIC is already in ASG-Web, but the API VM was only placed in the subnet and not added to ASG-Api. Traffic still fails. What is the best fix?

A. Add the API VM's NIC to ASG-Api so the NSG rule can match the destination NIC.
B. Add ASG-Api to the API subnet because ASGs are inherited from subnet membership.
C. Lower the rule priority number on the web subnet to make source traffic more specific.
D. Create a user-defined route from AppSubnet to API subnet to bypass the NSG.
Answer: A

Application security groups are assigned to NICs, not to subnets. If the destination NIC is not in ASG-Api, the rule that references ASG-Api never matches, even if the VM sits in the right subnet. Adding the API NIC to the correct ASG allows the NSG rule to evaluate as intended and is the cleanest fix for the blocked 8443 traffic.

Why this answer

The NSG rule specifies ASG-Api as the destination, but NSGs evaluate traffic based on the NIC membership in an ASG, not the subnet. Since the API VM's NIC is not added to ASG-Api, the rule cannot match the destination, so traffic is dropped by default (implicit deny). Adding the NIC to ASG-Api allows the NSG rule to correctly identify the destination and permit TCP 8443 traffic.

Exam trap

The trap here is that candidates assume subnet membership automatically applies ASG rules, but ASGs require explicit NIC association, and NSG rules with ASG destinations will not match VMs that are only in the subnet.

How to eliminate wrong answers

Option B is wrong because ASGs are not inherited from subnet membership; they are explicit groupings of NICs, and placing an ASG on a subnet does not automatically add VMs to that ASG. Option C is wrong because lowering the rule priority number (making it higher priority) does not fix the destination mismatch—the rule still won't match the API VM's NIC if it's not in ASG-Api. Option D is wrong because user-defined routes (UDRs) control traffic routing, not NSG rule evaluation; they cannot bypass NSG filtering, and the issue is a missing destination match, not a routing problem.

26
MCQ (medium)

You deploy a private endpoint for an Azure Storage account. Virtual machines in VNet-App must resolve the storage account name to the private IP address of the endpoint instead of the public endpoint. What should you configure?

A. A network security group on the subnet.
B. A private DNS zone linked to VNet-App.
C. A public DNS zone for the storage account name.
D. A user-defined route table on the subnet.
Answer: B

This enables name resolution of the service to the private endpoint address from resources in the linked VNet.

Why this answer

Option B is correct because a private endpoint requires DNS resolution to map the storage account's fully qualified domain name (FQDN) to its private IP address. By creating a private DNS zone (privatelink.blob.core.windows.net) and linking it to VNet-App, Azure automatically creates an A-record pointing to the private endpoint's IP, ensuring VMs resolve the storage account name privately instead of via the public endpoint.

Exam trap

The trap here is that candidates confuse network-level controls (NSGs, route tables) with DNS resolution, assuming that restricting traffic or routing will force private IP usage, when in fact DNS configuration is the critical missing piece for name resolution.

How to eliminate wrong answers

Option A is wrong because a network security group (NSG) filters traffic at the subnet or NIC level but does not influence DNS resolution or name-to-IP mapping. Option C is wrong because a public DNS zone would publish the storage account's public IP, not the private IP, and is not used for private endpoint resolution within a virtual network. Option D is wrong because a user-defined route (UDR) table controls traffic forwarding paths but cannot change how a hostname is resolved to an IP address; DNS resolution is a separate layer.

27
MCQ (easy)

A line-of-business application must keep running even if one datacenter in an Azure region has an outage. Which deployment option should you choose for the VMs?

A. An availability set
B. A single virtual machine with Premium SSD
C. Availability zones
D. A proximity placement group
Answer: C

Availability zones place VMs in separate physical datacenters within the same region. That gives the workload protection from a datacenter-level failure, which is stronger than an availability set. If one zone goes down, VMs in the other zones can continue serving traffic when the application is designed for zone-aware redundancy.

Why this answer

Availability zones (Option C) are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying VMs across two or more zones ensures that if one datacenter fails, the application continues running in the other zone, meeting the requirement for resilience against a single datacenter outage.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures) with availability zones (which protect against datacenter-level failures), leading them to choose Option A when the requirement is for datacenter outage resilience.

How to eliminate wrong answers

Option A is wrong because an availability set protects against failures within a single datacenter (e.g., rack or update domain failures) but does not provide redundancy if the entire datacenter goes down. Option B is wrong because a single VM, even with Premium SSD, is a single point of failure and cannot survive a datacenter outage. Option D is wrong because a proximity placement group is designed to reduce network latency by co-locating VMs, not to provide disaster recovery or datacenter-level fault tolerance.

28
MCQ (medium)

A policy assigned at the management group denies creation of storage accounts with public network access enabled. One legacy storage account in RG-Pilot must stay publicly reachable for 45 days while an application is migrated. What should the administrator configure?

A. Remove the policy assignment from the management group until the migration is finished.
B. Create a policy exemption for the specific storage account with an expiration date.
C. Apply a CanNotDelete lock to the storage account.
D. Assign a Contributor role to the migration team on the storage account.
Answer: B

A policy exemption allows one approved resource to temporarily bypass the deny effect while preserving the policy for everything else. Adding an expiration date ensures the exception is temporary and supports compliance tracking during the migration period.

Why this answer

A policy exemption is the correct tool when a specific resource must temporarily diverge from an enforced policy. The deny policy stays in place for the management group, but the exempted storage account is allowed to remain publicly reachable during the migration window. This keeps governance intact while documenting the exception and its expiration, which is much safer than removing the policy or trying to solve a compliance issue with RBAC.

How to eliminate wrong answers

Removing the policy assignment would disable governance for all resources under the management group, not just the one legacy storage account. A CanNotDelete lock protects against deletion only; it does not affect policy evaluation or network access settings. Granting Contributor does not help because Azure Policy is evaluated separately from RBAC, so more permission does not override a deny policy.

29
MCQ (easy)

Based on the exhibit, three VMs in different resource groups must use the same Azure identity, and the identity must continue working if one VM is deleted and recreated. What should you use?

A. A system-assigned managed identity on each VM.
B. A user-assigned managed identity attached to all three VMs.
C. A service principal stored in the VM image.
D. A shared access signature assigned to the resource group.
Answer: B

A user-assigned managed identity is correct because it is created independently from any single VM and can be attached to multiple resources. That makes it ideal when several VMs need the same identity and the identity must remain available even if one VM is deleted and recreated.

Why this answer

A user-assigned managed identity is an Azure resource that can be created independently and then assigned to multiple VMs. Because it persists as a separate resource in Azure, deleting and recreating a VM does not affect the identity; you simply reattach the same user-assigned identity to the new VM. This ensures the identity continues working across VM lifecycle changes, meeting the requirement for a shared, resilient identity.

Exam trap

The trap here is that candidates confuse system-assigned managed identities (which are tied to VM lifecycle) with user-assigned managed identities (which are independent resources), leading them to choose Option A despite the requirement for identity persistence across VM deletion and recreation.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of the VM—if the VM is deleted, the identity is also deleted, and recreating the VM creates a new identity with a different principal ID, breaking continuity. Option C is wrong because a service principal stored in the VM image is a static credential embedded in the image; it cannot be shared across VMs in different resource groups without manual key management, and it does not leverage Azure's managed identity infrastructure for automatic rotation and lifecycle management. Option D is wrong because a shared access signature (SAS) is a delegation token for specific Azure storage resources, not an Azure AD identity; it cannot be used for VM authentication to Azure services like Azure AD or Key Vault.

30
MCQ (medium)

You need a storage redundancy option that keeps data available if an entire availability zone in the primary region fails, but you do not need cross-region replication. Which redundancy option should you choose?

A. LRS
B. ZRS
C. GRS
D. RA-GRS
Answer: B

ZRS protects against the loss of a single availability zone in the primary region.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within a single region, ensuring data remains available if an entire zone fails. This meets the requirement of no cross-region replication while providing zone-level fault tolerance.

Exam trap

The trap here is that candidates often confuse ZRS with LRS, thinking LRS provides zone redundancy, but LRS only replicates within one data center, not across zones.

How to eliminate wrong answers

Option A is wrong because Locally Redundant Storage (LRS) replicates data only within a single data center in a single availability zone, so it cannot survive an entire zone failure. Option C is wrong because Geo-Redundant Storage (GRS) includes cross-region replication to a secondary region, which is not needed per the requirement. Option D is wrong because Read-Access Geo-Redundant Storage (RA-GRS) also includes cross-region replication and adds read access to the secondary region, exceeding the stated need.

31
Multi-Select (easy)

An alert must start automated responses when a metric threshold is reached. Which two resources can an Azure Monitor action group invoke? Select two.

Select 2 answers
A. An Azure Automation runbook
B. An Azure Function
C. A virtual network peering connection
D. A resource lock
E. A storage account access tier
Answers: A, B

Action groups can trigger runbooks to perform scripted operational tasks automatically.

Why this answer

Azure Monitor action groups can invoke an Azure Automation runbook to execute automated remediation or response tasks when a metric alert fires. This allows you to trigger scripts or workflows in response to specific conditions, such as scaling resources or restarting services, without manual intervention.

Exam trap

The trap here is that candidates often confuse Azure resources that can be configured or monitored with resources that can be directly invoked as actions by an alert, leading them to select static resources like peering or locks instead of executable services like runbooks and functions.

32
MCQ (easy)

A team deploys a Linux VM that must read secrets from Azure Key Vault without storing any usernames, passwords, or client secrets on the VM. What should the administrator enable on the VM?

A. A system-assigned managed identity
B. A storage account access key
C. A service endpoint on the VM subnet
D. A user account in Entra ID with a stored password
Answer: A

A system-assigned managed identity gives the VM an Azure-managed identity that can authenticate to Azure services without embedded credentials. It is tied to the VM’s lifecycle, so there is no secret to rotate or store on the operating system. This is the simplest secure choice when one VM needs to access Key Vault and the identity should exist only while the VM exists.

Why this answer

A system-assigned managed identity enables the Linux VM to authenticate to Azure Key Vault without any stored credentials. Azure automatically creates a service principal in Entra ID for the VM, and the VM can obtain an access token from the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254) to authenticate to Key Vault. This eliminates the need to store usernames, passwords, or client secrets on the VM.

Exam trap

The trap here is that candidates often confuse service endpoints (which control network access) with managed identities (which provide identity-based access), leading them to select option C thinking it secures the VM's access to Key Vault without credentials.

How to eliminate wrong answers

Option B is wrong because a storage account access key is used to authenticate to Azure Storage, not to Key Vault, and storing it on the VM would violate the requirement of not storing secrets. Option C is wrong because a service endpoint on the VM subnet extends VNet connectivity to Azure service resources (e.g., Storage, SQL) but does not provide identity-based authentication to Key Vault; it only secures network traffic. Option D is wrong because a user account in Entra ID with a stored password would require the password to be stored on the VM, which directly contradicts the requirement to avoid storing any credentials.

33
MCQ (medium)

A company is deploying two Linux application VMs in Azure for a production workload. The region supports availability zones, and the business requires the workload to stay online if an entire datacenter in the region becomes unavailable. Which deployment choice best meets this requirement?

A. Place both VMs in the same availability set so Azure separates them across update domains.
B. Deploy the VMs across two availability zones in the same region.
C. Use a single larger VM size with premium SSD storage for better uptime.
D. Deploy the VMs in the same resource group and enable auto-shutdown.
Answer: B

Availability zones place resources in separate datacenters within the same Azure region. That design protects the workload if a full datacenter or zone experiences an outage. For production systems that must survive a zone failure, zones provide stronger resilience than availability sets. This is the best fit when the region supports zones and the application can run with zone-separated instances.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying the two Linux VMs across two different zones ensures that if an entire datacenter fails, the VM in the other zone remains online, meeting the requirement for resilience against a full datacenter outage.

Exam trap

The trap here is that candidates confuse availability sets (which protect within a datacenter) with availability zones (which protect against full datacenter failure), leading them to choose option A even though it cannot meet the stated requirement.

How to eliminate wrong answers

Option A is wrong because an availability set protects against hardware failures within a single datacenter (via fault domains) and planned maintenance (via update domains), but it cannot survive the loss of an entire datacenter. Option C is wrong because using a single larger VM with premium SSD improves performance and local redundancy but creates a single point of failure; if that VM's datacenter goes down, the workload is lost. Option D is wrong because placing VMs in the same resource group is a logical management boundary with no impact on availability, and auto-shutdown only schedules power-off times, which would actually cause downtime rather than prevent it.

34
Multi-Select (easy)

An operations team wants an email notification when the average CPU percentage on a VM stays above 85 percent for 10 minutes. Which two Azure Monitor components should they configure? Select two.

Select 2 answers
A. A metric alert rule
B. An action group
C. Azure Bastion
D. A Recovery Services vault
E. A resource lock
Answers: A, B

A metric alert evaluates VM performance data and can trigger when a threshold is crossed.

Why this answer

A metric alert rule is correct because it monitors a specific VM performance metric (e.g., Percentage CPU) and triggers when the average value exceeds 85% for a duration of 10 minutes, as defined by the aggregation granularity and evaluation frequency. This rule evaluates the metric data at regular intervals and fires an alert when the condition is met, enabling automated notification.

Exam trap

The trap here is that candidates often confuse the metric alert rule (which monitors performance metrics) with activity log alerts (which monitor resource configuration changes), or they mistakenly think Azure Bastion or Recovery Services vaults have monitoring capabilities, when in fact only the combination of a metric alert rule and an action group enables email notifications for metric thresholds.

35
Multi-Select (hard)

A platform team has a generalized VM image that must be published to East US and West Europe today and patched later without overwriting the original build. They want Azure to keep version history and replicate the image to both regions. Which two actions or resources should they use? Select two.

Select 2 answers
A. Create an Azure Compute Gallery
B. Create an image definition and image version
C. Capture the VM as a single managed image and copy it manually to each region
D. Use an availability set to preserve the image
E. Take a snapshot of the OS disk and deploy VMs directly from the snapshot
Answers: A, B

This provides a managed place to store, version, and share VM images across regions.

Why this answer

Azure Compute Gallery (formerly Shared Image Gallery) allows you to store and manage VM image versions, including version history, and replicate them across multiple Azure regions. By creating an image definition and image version within the gallery, you can publish the generalized VM image to East US and West Europe today, and later create a new image version for patching without overwriting the original build, preserving the version history.

Exam trap

The trap here is that candidates often confuse a single managed image (Option C) with the Azure Compute Gallery’s image version, not realizing that a managed image lacks version history and automated multi-region replication, which are key requirements for this scenario.
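The sequence the answer describes, as an added Azure PowerShell example that is not part of the page: gallery, image definition, a version replicated to both regions, and a later patched version that leaves 1.0.0 untouched. The resource group, gallery, definition and source image names are assumptions.

```powershell
# Added example (not from the page): publish a generalized image to an Azure
# Compute Gallery replicated to East US and West Europe, then add a patched
# version later without overwriting the original.
# Assumed names: rg-images, gal_platform, managed images img-app-base and
# img-app-base-patched, definition app-base.
$rg      = 'rg-images'
$gallery = 'gal_platform'
$loc     = 'eastus'

# 1. The gallery: a container for image definitions.
New-AzGallery -ResourceGroupName $rg -Name $gallery -Location $loc | Out-Null

# 2. The image definition fixes the identity (publisher/offer/sku) and the
#    OS type/state that every version under it must share.
New-AzGalleryImageDefinition -ResourceGroupName $rg -GalleryName $gallery `
    -Name 'app-base' -Location $loc -OsType Windows -OsState Generalized `
    -Publisher 'Contoso' -Offer 'LegacyApp' -Sku 'Win2022' | Out-Null

# 3. Version 1.0.0 from the captured managed image, replicated to both regions.
#    ReplicaCount is how many copies per region serve concurrent deployments.
$source  = Get-AzImage -ResourceGroupName $rg -ImageName 'img-app-base'
$regions = @(
    @{ Name = 'East US';     ReplicaCount = 1 },
    @{ Name = 'West Europe'; ReplicaCount = 1 }
)
New-AzGalleryImageVersion -ResourceGroupName $rg -GalleryName $gallery `
    -GalleryImageDefinitionName 'app-base' -Name '1.0.0' -Location $loc `
    -SourceImageId $source.Id -TargetRegion $regions | Out-Null

# 4. Later: the patched build becomes 1.0.1. Version 1.0.0 stays and can still
#    be deployed by explicit version; excluding it from "latest" stops new
#    deployments that ask for latest from picking the unpatched build.
$patched = Get-AzImage -ResourceGroupName $rg -ImageName 'img-app-base-patched'
New-AzGalleryImageVersion -ResourceGroupName $rg -GalleryName $gallery `
    -GalleryImageDefinitionName 'app-base' -Name '1.0.1' -Location $loc `
    -SourceImageId $patched.Id -TargetRegion $regions | Out-Null
Update-AzGalleryImageVersion -ResourceGroupName $rg -GalleryName $gallery `
    -GalleryImageDefinitionName 'app-base' -Name '1.0.0' -PublishingProfileExcludeFromLatest | Out-Null

# Verify: every version and the regions it is replicated to.
Get-AzGalleryImageVersion -ResourceGroupName $rg -GalleryName $gallery `
    -GalleryImageDefinitionName 'app-base' |
    Select-Object Name, @{ n = 'Regions'; e = { $_.PublishingProfile.TargetRegions.Name -join ', ' } }
```

Replication to a second region is asynchronous; deployments in West Europe should wait until the version's replication status for that region reports Completed.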

36
Matchingmedium

Match each storage networking requirement to the Azure storage network control that should be used.

Concepts

Storage firewall with a virtual network rule and service endpoint

Private endpoint with private DNS zone

Trusted Microsoft services exception

Storage firewall IP network rule

Why these pairings

Each control matches a different kind of source identity. A storage firewall virtual network rule used with a Microsoft.Storage service endpoint admits traffic from one specific subnet while the account stays on its public endpoint; the subnet, not a public IP, is what the firewall matches. A private endpoint with a private DNS zone gives the account a private IP inside the VNet and resolves the account's FQDN to that IP, so clients never touch the public endpoint and public network access can be disabled. The trusted Microsoft services exception lets listed Azure platform services (Azure Backup and Azure Monitor, for example) through when the default action is Deny, without opening the account to the internet. A storage firewall IP network rule allows public IPv4 addresses or ranges, such as an on-premises NAT address; it cannot express private VNet addresses, which is why VNet traffic uses a virtual network rule instead.

37
MCQmedium

A production application runs on three Azure VMs in the same region. The business requires the service to stay available if one entire datacenter in the region becomes unavailable because of a power or network outage. Which configuration best meets the requirement?

A.Place the VMs in the same availability set.
B.Deploy the VMs across availability zones.
C.Use a proximity placement group for the VMs.
D.Attach the VMs to the same Azure Load Balancer backend pool.
AnswerB

Availability zones place VMs in separate datacenters within a region, improving resilience to a zone outage.

Why this answer

Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. By deploying VMs across three zones, the application can survive the failure of an entire datacenter because the other zones remain operational. This meets the requirement for high availability against a full datacenter outage.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures within a datacenter) with availability zones (which protect against full datacenter outages), leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because an availability set protects against rack-level failures (e.g., hardware faults within a single datacenter) but does not protect against an entire datacenter outage — all VMs in an availability set reside in the same datacenter. Option C is wrong because a proximity placement group is designed to reduce network latency by co-locating VMs close together, which actually increases the risk of a single datacenter failure affecting all VMs. Option D is wrong because attaching VMs to the same Azure Load Balancer backend pool distributes traffic but does not inherently provide datacenter-level redundancy; the VMs could still all be in the same datacenter unless they are explicitly deployed across zones or regions.

38
Multi-Selectmedium

Every backup job for a newly deployed Azure VM fails immediately and reports that the VM agent is not ready. Which two checks should the administrator perform first? Select two.

Select 2 answers
A.Verify that the Azure VM Agent is installed and the service is running inside the guest.
B.Verify that outbound HTTPS access to the required Azure Backup and Storage endpoints is allowed.
C.Increase the recovery point retention in the backup policy.
D.Recreate the Recovery Services vault in another region.
E.Disable the backup policy until the VM is rebooted several times.
AnswersA, B

A healthy VM agent is required for Azure Backup to coordinate with the guest operating system.

Why this answer

The Azure VM Agent is required for the Azure Backup service to communicate with the VM and orchestrate snapshot operations. If the agent is not installed or its service (Windows: WindowsAzureGuestAgent, Linux: waagent) is not running, backup jobs fail immediately with the 'agent not ready' error, so verifying agent status is the first step. Option B is the second: the agent needs outbound access to the platform, and the backup extension it installs needs HTTPS (TCP 443) to the Azure Backup and storage endpoints. An NSG, firewall or proxy that blocks that traffic shows up as the agent or extension never reporting Ready, which looks the same from the backup job's side.

Exam trap

The trap here is that candidates often jump to network connectivity (Option B) as the sole cause, forgetting that the agent must be installed and running first—without it, even perfect network access will not fix the backup failure.
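The two checks, as an added Azure PowerShell example rather than anything from the page: the agent's state as the platform sees it, the service as the guest sees it, and an in-guest probe of outbound 443. Resource and VM names are assumptions, and the endpoint host names in the probe are placeholders to be replaced with the endpoints documented for the vault's region.

```powershell
# Added example (not from the page): first checks for a VM whose backups fail
# with "VM agent not ready". Assumed names: rg-app, vm-app01.
$rg = 'rg-app'; $vm = 'vm-app01'

# Check 1a (management plane): what does the platform see from the agent?
# No VMAgent block, or a status other than Ready, is what Azure Backup trips over.
$agent = (Get-AzVM -ResourceGroupName $rg -Name $vm -Status).VMAgent
if (-not $agent) {
    Write-Warning 'No agent status reported: the VM agent is not installed or has never checked in.'
} else {
    [pscustomobject]@{
        AgentVersion = $agent.VmAgentVersion
        Status       = ($agent.Statuses | ForEach-Object { "$($_.Code): $($_.DisplayStatus)" }) -join '; '
    }
}

# Check 1b (inside the guest, Windows): is the service present and running?
# On Linux the equivalent is 'systemctl status walinuxagent' (or waagent).
Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vm -CommandId 'RunPowerShellScript' `
    -ScriptString 'Get-Service WindowsAzureGuestAgent, RdAgent -ErrorAction SilentlyContinue | Select-Object Name, Status'

# Check 2: outbound TCP 443 to the backup and storage endpoints. Run in-guest
# so NSG, UDR/firewall and proxy settings are all exercised on the real path.
# The two host names are placeholders: substitute the endpoints listed for
# your vault region (the documented domains are *.backup.windowsazure.com and
# *.blob.core.windows.net).
$probe = @'
$targets = '<vault-region>.backup.windowsazure.com', '<backup-storage>.blob.core.windows.net'
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t -Port 443 -WarningAction SilentlyContinue
    '{0}  {1}' -f $t, $(if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' })
}
'@
(Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vm -CommandId 'RunPowerShellScript' `
    -ScriptString $probe).Value[0].Message
```

Run Command itself depends on a working agent, so if check 1a shows no agent at all, the in-guest checks have to be done over the serial console or RDP/SSH instead.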

39
MCQmedium

Based on the exhibit, which network feature should you use so only the subnet can reach the storage account while still using the public endpoint?

A.Create a private endpoint and disable the storage account public endpoint.
B.Enable a service endpoint on app-subnet and allow that subnet on the storage firewall.
C.Add a NAT gateway to app-subnet and use the NAT public IP for firewall rules.
D.Peer app-subnet with a new VNet and access the storage account through peering.
AnswerB

A service endpoint is the correct choice when you want the storage account to remain on its public endpoint but only allow traffic from a specific subnet. It extends the subnet identity to the service without requiring static public IP addresses on the VMs.

Why this answer

Option B is correct because enabling a service endpoint on the app-subnet allows traffic from that subnet to reach the storage account over the Azure backbone network while still using the public endpoint. By then adding the subnet to the storage account firewall, you restrict access to only that subnet, ensuring no other internet traffic can reach the storage account. This approach leverages the public endpoint but with subnet-level access control, meeting the requirement.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking that only private endpoints can provide secure access, but service endpoints allow subnet-specific access while keeping the public endpoint enabled.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint and disabling the public endpoint would remove public endpoint access entirely, which contradicts the requirement to 'still use the public endpoint'. Option C is wrong because adding a NAT gateway to the app-subnet would only change the source IP of outbound traffic, but the storage firewall would need to allow that specific NAT public IP, not the subnet; this does not restrict access to only the subnet and still relies on IP-based rules rather than subnet-level identity. Option D is wrong because peering app-subnet with a new VNet does not inherently provide access to the storage account; you would still need to configure routing or service endpoints/private endpoints, and peering alone does not enforce subnet-only access while using the public endpoint.
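The configuration behind this answer and the storage-networking matching item above (service endpoint plus virtual network rule, an IP rule, and the trusted-services bypass), as an added Azure PowerShell example that is not from the page. The resource group, VNet, subnet, storage account and the 203.0.113.0/24 admin range are assumptions.

```powershell
# Added example (not from the page): restrict a storage account to one subnet
# over the public endpoint, add an IP rule for an admin range, and keep the
# trusted-services bypass. Assumed names: rg-app, vnet-app, app-subnet,
# stapplogs01; 203.0.113.0/24 is a documentation prefix standing in for an
# on-premises NAT range.
$rg = 'rg-app'
$sa = 'stapplogs01'

# 1. Enable the Microsoft.Storage service endpoint on the subnet. Traffic
#    from this subnet now reaches the storage public endpoint carrying the
#    subnet identity. Set-AzVirtualNetworkSubnetConfig replaces the subnet
#    config, so existing NSG/route-table associations are re-supplied.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app-subnet'
$params = @{
    VirtualNetwork  = $vnet
    Name            = 'app-subnet'
    AddressPrefix   = $subnet.AddressPrefix
    ServiceEndpoint = 'Microsoft.Storage'
}
if ($subnet.NetworkSecurityGroup) { $params.NetworkSecurityGroupId = $subnet.NetworkSecurityGroup.Id }
if ($subnet.RouteTable)           { $params.RouteTableId           = $subnet.RouteTable.Id }
Set-AzVirtualNetworkSubnetConfig @params | Out-Null
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet     # commit
$subnetId = ($vnet.Subnets | Where-Object Name -eq 'app-subnet').Id

# 2. Default-deny the public endpoint but let trusted Microsoft services
#    (Azure Backup, Azure Monitor, ...) through. Without Bypass the deny
#    also blocks those platform services.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 3. Virtual network rule: the subnet-level identity an IP rule cannot express.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $sa `
    -VirtualNetworkResourceId $subnetId | Out-Null

# 4. IP rules accept public IPv4 ranges only; RFC 1918 addresses are rejected,
#    which is why VNet traffic needs a VNet rule rather than an IP rule.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $sa `
    -IPAddressOrRange '203.0.113.0/24' | Out-Null

# 5. Review the effective rule set.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa
[pscustomobject]@{
    DefaultAction = $rules.DefaultAction
    Bypass        = $rules.Bypass
    VNetRules     = ($rules.VirtualNetworkRules.VirtualNetworkResourceId -join '; ')
    IpRules       = ($rules.IpRules.IPAddressOrRange -join '; ')
}
```

The order matters for a live account: add the virtual network rule before switching DefaultAction to Deny, or the application loses access for the seconds in between. The block above sets Deny first only because it is assumed to run on a new account.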

40
MCQeasy

A container group runs a one-time import job in Azure Container Instances. After the job finishes successfully, it should not restart. Which restart policy should you choose?

A.Always
B.OnFailure
C.Never
D.Manual
AnswerC

Never is the correct restart policy for a one-time task that should run once and then stop. Azure Container Instances will not try to restart the container after it exits, even if it finishes successfully. That behavior matches import jobs, batch scripts, and other short-lived workloads that should complete and remain stopped.

Why this answer

The 'Never' restart policy ensures that the container group does not restart after the job completes, which is ideal for a one-time import job that should run exactly once. Azure Container Instances supports three restart policies: Always, OnFailure, and Never. For a job that must not restart after successful completion, 'Never' is the correct choice because it prevents any automatic restart regardless of the exit code.

Exam trap

The trap here is that candidates may confuse 'OnFailure' with 'Never' for a successful job, but 'OnFailure' still allows restarts on failure, which violates the 'should not restart' requirement; the question explicitly states the job finishes successfully, so the correct policy is 'Never' to guarantee no restart under any condition.

How to eliminate wrong answers

Option A is wrong because 'Always' restarts the container group regardless of the exit code, which would cause the import job to run repeatedly instead of once. Option B is wrong because 'OnFailure' restarts the container group only if the job fails (non-zero exit code), but the scenario specifies the job finishes successfully, so this policy would not trigger a restart; however, the requirement is that it should not restart at all, making 'OnFailure' inappropriate because it could restart on failure. Option D is wrong because 'Manual' is not a valid restart policy in Azure Container Instances; the only supported policies are Always, OnFailure, and Never.

41
MCQeasy

Based on the exhibit, what is the best way to simplify access management for the project team?

A.Keep assigning RBAC roles directly to each user account.
B.Assign the RBAC role to an Entra ID group and manage membership there.
C.Create a resource lock on RG-App.
D.Create an Azure Policy assignment for RG-App.
AnswerB

Using a group centralizes access control so membership changes automatically update who has the role.

Why this answer

The best practice is to assign the RBAC role to an Entra ID group instead of individual users. That way, access management is handled by adding or removing members from the group, which is much easier and less error-prone. The role assignment remains stable while team membership changes over time, which is exactly what the requirement describes.

Why others are wrong: A works initially but becomes difficult to maintain as team membership changes. C does not control access at all. D is a governance mechanism, not an authorization mechanism, so it cannot replace group-based RBAC.

42
MCQmedium

A developer packages an internal web app as a Linux container. The app must be published with built-in HTTPS, deployment slots, and autoscale, and the team does not want to manage OS patching or container hosts. Which Azure service should the administrator choose?

A.Azure Container Instances
B.Azure App Service
C.Azure Virtual Machines
D.Azure Kubernetes Service
AnswerB

App Service supports web hosting features such as HTTPS, deployment slots, autoscale, and no server management.

Why this answer

Azure App Service is the correct choice because it natively supports Linux containers, built-in HTTPS via TLS/SSL, deployment slots for staging and production swaps, and autoscale based on metrics or schedules. It also abstracts OS patching and container host management, meeting the team's requirement to avoid managing infrastructure.

Exam trap

The trap here is that candidates often choose Azure Kubernetes Service (D) for containerized apps, overlooking that App Service provides a simpler, fully managed solution with built-in deployment slots and autoscale, while AKS requires cluster management and lacks native slot support.

How to eliminate wrong answers

Option A is wrong because Azure Container Instances does not provide built-in deployment slots or autoscale; it is designed for simple, single-container scenarios without advanced deployment features. Option C is wrong because Azure Virtual Machines require the team to manage OS patching, container hosts, and autoscale configuration manually, contradicting the requirement to avoid such management. Option D is wrong because Azure Kubernetes Service involves managing a Kubernetes cluster (including node patching and scaling) and does not offer built-in deployment slots; it is more complex than needed for a single web app.

43
MCQmedium

Based on the exhibit, a site-to-site VPN gateway deployment fails. What prerequisite should the administrator provide so the gateway can be created successfully?

A.A public IP address resource that will be associated with the VPN gateway.
B.A NAT gateway on the GatewaySubnet to translate tunnel traffic.
C.A private endpoint in the GatewaySubnet for tunnel termination.
D.A network security group that allows inbound TCP 443 to the subnet.
AnswerA

Azure VPN gateways need a public-facing IP resource so the gateway can accept encrypted tunnels from the on-premises device. The exhibit shows the gateway subnet is already present, but no public IP was attached. Creating and associating the public IP resource satisfies the deployment prerequisite.

Why this answer

A site-to-site VPN gateway in Azure requires a public IP address resource to be associated with it for the tunnel to be established. The VPN gateway uses this public IP as the endpoint for on-premises VPN devices to connect to over the internet. Without a public IP, the gateway cannot be provisioned because it has no routable external address for IPsec/IKE negotiation.

Exam trap

The trap here is that candidates often confuse the prerequisite for a VPN gateway with that of an Azure Firewall or NAT gateway, mistakenly thinking a NAT gateway or NSG is required, when in fact only a public IP is mandatory for the VPN gateway to function.

How to eliminate wrong answers

Option B is wrong because a NAT gateway provides outbound internet connectivity for a subnet's VMs; it has no role in a site-to-site VPN, where the VPN gateway performs its own IPsec encapsulation. Option C is wrong because a private endpoint gives an Azure PaaS service a private IP in the VNet; it cannot terminate a VPN tunnel, which terminates on the gateway's public IP. Option D is wrong because no NSG is required to create a VPN gateway, and an NSG on the GatewaySubnet is unsupported: attaching one can break the gateway rather than help it.
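The prerequisite and the deployment that uses it, as an added Azure PowerShell example that is not part of the page: a static Standard public IP bound to a gateway IP configuration on GatewaySubnet. Resource names and the VpnGw1 SKU are assumptions; a zone-redundant SKU would need its AZ variant.

```powershell
# Added example (not from the page): create the public IP a site-to-site VPN
# gateway needs, then the gateway. Assumed names: rg-net, vnet-hub, pip-vpngw,
# vpngw-hub, region eastus, SKU VpnGw1.
$rg = 'rg-net'; $loc = 'eastus'

# 1. Public IP: Standard SKU, static allocation. This is the address the
#    on-premises VPN device will build the IPsec/IKE tunnel to.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-vpngw' -Location $loc `
    -Sku Standard -AllocationMethod Static

# 2. GatewaySubnet must exist with exactly that name and must not carry an NSG.
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'GatewaySubnet'
if ($gwSubnet.NetworkSecurityGroup) {
    throw 'GatewaySubnet has an NSG attached; remove it before creating the gateway.'
}

# 3. Bind the public IP and the subnet in one IP configuration, then create
#    the gateway. Provisioning takes tens of minutes.
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
New-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'vpngw-hub' -Location $loc `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 | Out-Null

# 4. The address to hand to whoever configures the on-premises device.
(Get-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-vpngw').IpAddress
```

The static allocation is deliberate: the on-premises device is configured with this address, so it must not change across gateway resets.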

44
MCQhard

A VM in AppSubnet must reach a database VM in DbSubnet on TCP 1433. AppSubnet's NSG has an outbound deny rule for TCP 1433 to Any at priority 200. DbSubnet's NSG has an inbound allow rule for TCP 1433 from ASG-App to ASG-Db at priority 300. Both NICs are in the correct application security groups. Connectivity tests fail. What should the administrator change?

A.Remove the inbound allow rule from DbSubnet so the default rules can take over.
B.Move the inbound allow rule on DbSubnet to priority 100 so it is evaluated sooner.
C.Create an outbound allow rule on AppSubnet with a lower priority number than 200 for TCP 1433 to ASG-Db.
D.Assign the database VM NIC to ASG-App so the destination rule matches a broader group.
AnswerC

NSG rules are evaluated in priority order (lowest number first) and the first match decides; rules are stateful, but statefulness only helps the return traffic of a flow that was already allowed. The outbound deny at priority 200 on AppSubnet matches the initial SYN before anything else can. Adding an outbound allow on the source NSG with a priority number below 200, scoped to TCP 1433 and ASG-Db, makes the allow match first. The destination NSG already admits the traffic, so nothing else has to change and the subnet and ASG design stays intact.

Why this answer

Option C is correct because the AppSubnet's NSG has an outbound deny rule for TCP 1433 to Any at priority 200, which blocks all outbound traffic on that port regardless of destination. To allow the VM in AppSubnet to reach the database VM in DbSubnet, an outbound allow rule must be created with a lower priority number (e.g., 100) so it is evaluated before the deny rule. This rule should specify the destination as ASG-Db (the application security group of the database VM) to precisely permit the required traffic.

Exam trap

The trap here is that candidates often focus on the inbound rule on the destination subnet, overlooking the outbound deny rule on the source subnet that blocks traffic before it can even reach the destination NSG.

How to eliminate wrong answers

Option A is wrong because the drop does not happen on the inbound side: even without the explicit allow, the default AllowVnetInBound rule on DbSubnet would admit VNet-sourced traffic, but no packet ever leaves AppSubnet because the outbound deny at priority 200 matches first. Removing the rule only loses the precise ASG-scoped allow. Option B is wrong because moving the DbSubnet inbound rule to priority 100 changes the evaluation order on the destination NSG, which never sees the packet; the decision is made at AppSubnet's outbound evaluation. Option D is wrong because putting the database NIC in ASG-App does nothing about the outbound deny and would no longer match the inbound rule, whose destination is ASG-Db; a NIC can belong to several ASGs, but changing membership is not a substitute for a correct rule.
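The fix and its verification, as an added Azure PowerShell example rather than code from the page: an outbound allow at priority 100 scoped ASG-App to ASG-Db on TCP 1433, then an IP flow verify against the VM to confirm which rule now decides. The resource group, NSG and VM names, the 10.0.1.4/10.0.2.4 addresses and an existing Network Watcher in the region are assumptions.

```powershell
# Added example (not from the page): add the outbound allow above the deny at
# priority 200 and verify with Network Watcher. Assumed names: rg-net, nsg-app,
# ASG-App, ASG-Db, vm-app01; assumed addresses 10.0.1.4 (app) and 10.0.2.4 (db).
$rg = 'rg-net'

$asgApp = Get-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'ASG-App'
$asgDb  = Get-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'ASG-Db'
$nsgApp = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-app'

# Lower number = evaluated first, so 100 wins over the deny at 200. Source and
# destination are ASGs: the rule follows VM membership instead of addresses.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgApp -Name 'Allow-App-To-Db-1433' `
    -Priority 100 -Direction Outbound -Access Allow -Protocol Tcp `
    -SourceApplicationSecurityGroup $asgApp -SourcePortRange '*' `
    -DestinationApplicationSecurityGroup $asgDb -DestinationPortRange 1433 | Out-Null
$nsgApp = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsgApp   # commit

# Outbound rules in evaluation order: the allow must appear above the deny.
$nsgApp.SecurityRules | Where-Object Direction -eq 'Outbound' |
    Sort-Object Priority | Select-Object Priority, Name, Access, DestinationPortRange

# IP flow verify evaluates the effective rules on the VM's NIC for one flow
# and names the rule that decided, so it proves the fix without a client test.
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-app01'
$nw = Get-AzNetworkWatcher -Location $vm.Location
Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -Direction Outbound -Protocol TCP -LocalIPAddress '10.0.1.4' -LocalPort '50000' `
    -RemoteIPAddress '10.0.2.4' -RemotePort '1433'
# Expected after the change: Access = Allow, RuleName = Allow-App-To-Db-1433
```

Running the same Test-AzNetworkWatcherIPFlow before the change is the quickest way to confirm the diagnosis: it reports the priority-200 deny as the deciding rule.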

45
MCQhard

A platform team wants one Azure storage account for application logs in Blob containers and a shared working directory for a Windows admin VM and a Linux automation VM. The account must support blob lifecycle rules, standard performance, and future private endpoint access. Which storage account kind should the administrator create?

A.BlobStorage, because it is optimized for blob data and can store logs efficiently.
B.StorageV2 (general-purpose v2), because it supports blobs, Azure Files, lifecycle management, and modern network features.
C.FileStorage, because it is the best option when Azure Files is required.
D.BlockBlobStorage, because it provides the highest performance for operational data.
AnswerB

General-purpose v2 is the correct choice because it supports both Blob storage and Azure Files, includes lifecycle management for blobs, and offers the current feature set expected for private endpoints and standard administration. It is the normal recommendation when you need multiple storage services in one account.

Why this answer

StorageV2 (general-purpose v2) is the correct choice because it supports Blob storage, Azure Files (required for the shared working directory), blob lifecycle management rules, and advanced networking features like private endpoints. It also provides standard performance, meeting all stated requirements. Other storage kinds lack either Azure Files support or lifecycle management capabilities.

Exam trap

The trap here is that candidates often choose BlobStorage because they focus on 'blob lifecycle rules' and 'logs,' forgetting that the shared working directory requires Azure Files, which BlobStorage does not support.

How to eliminate wrong answers

Option A is wrong because BlobStorage is a legacy blob-only kind: it supports block and append blobs and lifecycle management, but not Azure Files, so the shared working directory cannot live there. Option C is wrong because FileStorage hosts premium Azure Files only, with no blob containers and premium rather than standard performance. Option D is wrong because BlockBlobStorage is a premium block-blob kind with no Azure Files and no standard performance; it accepts lifecycle rules, but since premium has no Hot/Cool/Cold tiers those rules can only delete, not tier.

46
MCQmedium

An organization wants a single Azure storage account that can host blob containers, Azure Files shares, and lifecycle management rules for blob data. Which storage account kind should the administrator create?

A.BlobStorage
B.FileStorage
C.General-purpose v2 (StorageV2)
D.BlockBlobStorage
AnswerC

General-purpose v2 is the standard Azure storage account type for most administrative scenarios. It supports blobs and Azure Files, and it includes the features needed for lifecycle management and modern access controls. This makes it the correct choice when an application needs multiple storage services in one account.

Why this answer

General-purpose v2 (StorageV2) is the only storage account kind that supports blobs, Azure Files, and lifecycle management rules for blob data. It provides a unified account for all Azure Storage data services, including blobs, files, queues, and tables, and it natively supports lifecycle management policies to automatically tier or delete blob data based on age or other conditions.

Exam trap

The trap here is that candidates often confuse the specialized storage account kinds (BlobStorage, FileStorage, BlockBlobStorage) with the general-purpose v2 account, mistakenly thinking that a dedicated account type is required for each service, when in fact general-purpose v2 is the Swiss Army knife that supports all of them plus lifecycle management.

How to eliminate wrong answers

Option A is wrong because BlobStorage accounts are a legacy blob-only kind: they support block and append blobs and lifecycle management, but not Azure Files shares. Option B is wrong because FileStorage accounts host premium Azure Files only; with no blob containers there is nothing for a blob lifecycle rule to act on. Option D is wrong because BlockBlobStorage accounts are premium block-blob only: no Azure Files, and no access tiers for a lifecycle rule to move data between.

47
Matchingmedium

Match each storage resiliency requirement to the Azure redundancy option that best satisfies it.

Concepts

ZRS

LRS

RA-GRS

RA-GZRS

Why these pairings

LRS keeps three synchronous copies inside one datacenter. ZRS spreads three copies across availability zones in the primary region. GRS is LRS in the primary region plus asynchronous copies in the paired region; RA-GRS adds read access to that secondary. GZRS is ZRS in the primary region plus LRS in the paired region; RA-GZRS adds read access to the secondary. LRS is the cheapest and least durable option; RA-GZRS combines zone and region redundancy with a readable secondary, so it is the strongest of the options listed.

48
Multi-Selecthard

RG-Prod hosts line-of-business workloads. The business wants to prevent accidental deletion of the resource group during change freezes and also ensure every new resource carries a CostCenter tag for chargeback. Which two governance controls should be used? Select two.

Select 2 answers
A.Apply a CanNotDelete lock to RG-Prod.
B.Apply a ReadOnly lock to RG-Prod.
C.Use Azure Policy with a Modify effect to add the CostCenter tag to new resources.
D.Grant Reader to the finance team on the resource group.
E.Create a private endpoint for RG-Prod.
AnswersA, C

CanNotDelete protects the resource group and its resources from accidental deletion while still allowing normal updates.

Why this answer

Option A is correct because applying a CanNotDelete lock to RG-Prod prevents the resource group, and everything in it, from being deleted during change freezes, which directly meets the requirement. This lock type allows read and update operations but blocks delete operations, so production workloads keep working. Option C is correct because an Azure Policy assignment with the Modify effect adds or replaces the CostCenter tag when a resource is created or updated, so every new resource gets the tag without changing each deployment pipeline. Modify needs a managed identity on the assignment, and resources that already exist are only tagged when a remediation task runs.

Exam trap

The trap here is that candidates often confuse a ReadOnly lock with a CanNotDelete lock, assuming any lock prevents deletion, but ReadOnly locks also block updates, which would break production workloads, while the correct choice is the less restrictive CanNotDelete lock for deletion prevention only.
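Both controls applied to RG-Prod, as an added Azure PowerShell example that is not from the page. It assumes the subscription is already selected, looks the built-in Modify tag policy up by its display name, and uses 'CC-0000' as a placeholder tag value.

```powershell
# Added example (not from the page): CanNotDelete lock plus a Modify-effect
# tag policy on RG-Prod. Assumed: current context is the right subscription;
# 'CC-0000' is a placeholder CostCenter value.
$rg = Get-AzResourceGroup -Name 'RG-Prod'

# 1. CanNotDelete: deletes of the group and anything inside it are refused,
#    updates still work. Locks bind everyone, Owners included, until removed.
New-AzResourceLock -LockName 'rg-prod-nodelete' -LockLevel CanNotDelete `
    -ResourceGroupName $rg.ResourceGroupName `
    -LockNotes 'Change freeze: remove only with change-board approval' -Force | Out-Null

# 2. Azure Policy, Modify effect: adds CostCenter on create/update. Modify
#    rewrites the resource, so the assignment needs a managed identity.
#    Property names differ between Az.Resources generations, hence the
#    two-way lookups below.
$def = Get-AzPolicyDefinition -Builtin | Where-Object {
    ($_.DisplayName, $_.Properties.DisplayName) -contains 'Add or replace a tag on resources'
}
$assignment = New-AzPolicyAssignment -Name 'add-costcenter-tag' `
    -DisplayName 'Add CostCenter tag in RG-Prod' -Scope $rg.ResourceId `
    -PolicyDefinition $def `
    -PolicyParameterObject @{ tagName = 'CostCenter'; tagValue = 'CC-0000' } `
    -IdentityType SystemAssigned -Location $rg.Location

# 3. The identity needs the role the definition declares in roleDefinitionIds
#    (Contributor for the built-in tag policies). Scope it to the RG only.
#    A newly created identity may need a short wait before it is resolvable.
$principalId = if ($assignment.IdentityPrincipalId) { $assignment.IdentityPrincipalId }
               else { $assignment.Identity.PrincipalId }
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Contributor' `
    -Scope $rg.ResourceId | Out-Null

# Verify both controls are in place.
Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName | Select-Object Name, Properties
Get-AzPolicyAssignment -Scope $rg.ResourceId | Select-Object Name
```

Resources created before the assignment stay untagged until a remediation task (Start-AzPolicyRemediation) is run against the assignment; Modify only fires on create and update.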

49
MCQmedium

A compliance team keeps signed contract scans in blob storage. The files are usually not accessed, but when they are needed they must be available immediately without waiting for rehydration. The team wants the lowest-cost online tier that still allows immediate reads. Which access tier should you choose?

A.Hot
B.Cool
C.Cold
D.Archive
AnswerC

Cold is an online tier intended for infrequently accessed data that still must remain immediately readable.

Why this answer

The Cold tier (C) is correct because it is the lowest-cost online access tier that still serves reads immediately, with no rehydration. Unlike Archive, Cold data is always online; compared with Cool and Hot it has lower storage cost but higher per-operation and data-retrieval charges and a 90-day early-deletion period, which is the right trade for contract scans that are rarely read but must be available the moment they are needed.

Exam trap

The trap here is that candidates either pick Archive because it is the cheapest tier, forgetting that it is offline and needs rehydration, or pick Cool because they are unaware that Cold is a newer, cheaper online tier.

How to eliminate wrong answers

Option A (Hot) is wrong because it is designed for frequently accessed data and has the highest storage cost, making it unnecessarily expensive for files that are rarely accessed. Option B (Cool) is wrong because although it is lower cost than Hot, it is still more expensive than Cold for data accessed infrequently, and Cold is the lowest-cost online tier. Option D (Archive) is wrong because it is an offline tier that requires rehydration (which can take up to 15 hours) before data can be read, violating the requirement for immediate availability.
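The three storage items above converge on one account, so here is one added Azure PowerShell example (not code from the page) that builds it: a StorageV2 account, the Azure Files share for the two VMs, a lifecycle rule that ages log blobs through Cool, Cold and Archive, and contract scans uploaded straight to Cold. Names, retention periods and the assumption of a current Az.Storage module (needed for the Cold tier actions) are all mine.

```powershell
# Added example (not from the page): StorageV2 account with blobs, an Azure
# Files share and a lifecycle policy. Assumed names: rg-app, stapplogs01,
# share 'work', containers 'logs' and 'contracts'; assumed retention periods.
$rg = 'rg-app'; $sa = 'stapplogs01'; $loc = 'eastus'

# StorageV2 is the kind that hosts blobs and files in one account and supports
# lifecycle management. Standard_LRS = standard performance. The TLS floor and
# disabled anonymous blob access are baseline hardening, not exam requirements.
New-AzStorageAccount -ResourceGroupName $rg -Name $sa -Location $loc `
    -SkuName Standard_LRS -Kind StorageV2 -AccessTier Hot `
    -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false | Out-Null

# Azure Files share (SMB) mountable from both the Windows and the Linux VM.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $sa -Name 'work' -QuotaGiB 100 | Out-Null

# Lifecycle rule for block blobs under logs/, by days since last modification.
# Cool and Cold stay online; Archive is offline and needs rehydration, so only
# data that can wait hours should ever reach it.
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool    -DaysAfterModificationGreaterThan 30
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction TierToCold    -DaysAfterModificationGreaterThan 90
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction TierToArchive -DaysAfterModificationGreaterThan 365
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction Delete        -DaysAfterModificationGreaterThan 2555
$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'logs/' -BlobType blockBlob
$rule   = New-AzStorageAccountManagementPolicyRule -Name 'age-out-logs' -Action $action -Filter $filter
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa -Rule $rule | Out-Null

# Contract scans: rarely read, must stay immediately readable. Upload them
# directly to Cold and keep them out of the archive rule (different prefix).
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Context
New-AzStorageContainer -Name 'contracts' -Context $ctx -Permission Off | Out-Null
Set-AzStorageBlobContent -Container 'contracts' -File '.\contract-0001.pdf' -Blob 'contract-0001.pdf' `
    -StandardBlobTier Cold -Context $ctx | Out-Null

# Review the policy as stored.
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa).Rules |
    ForEach-Object { $_.Name; $_.Definition.Actions.BaseBlob }
```

The filter prefix is container name plus path, so 'logs/' scopes the rule to the logs container only; without a filter the rule would also sweep the contracts into Archive after a year.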

50
MCQhard

Traffic from VM-App01 is unexpectedly reaching the internet through a virtual appliance. You need to see which routes are currently applied to the VM network interface. Which Azure tool should you use?

A.Effective routes for the network interface
B.NSG flow logs
C.Azure Policy compliance
D.Activity log
AnswerA

Effective routes display the routing entries currently applied to the NIC.

Why this answer

Effective routes for the network interface shows the actual, evaluated routes applied to a specific VM NIC, including system routes, BGP-advertised routes, and user-defined routes (UDRs). This tool resolves the order of route preference (longest prefix match) and confirms whether traffic is being forced through a virtual appliance (e.g., via a UDR with next hop type VirtualAppliance). It directly answers why VM-App01's traffic is reaching the internet unexpectedly.

Exam trap

The trap here is that candidates confuse NSG flow logs (which show traffic flows) with effective routes (which show routing decisions), leading them to pick NSG flow logs when the question asks about the path traffic takes, not whether it is allowed or denied.

How to eliminate wrong answers

Option B is wrong because NSG flow logs record allowed/denied traffic flows (source/destination IP, port, protocol) but do not show routing decisions or the next hop path. Option C is wrong because Azure Policy compliance checks whether resources meet defined policies (e.g., tagging, allowed SKUs) and has no visibility into network routing tables or effective routes. Option D is wrong because the Activity log tracks control-plane operations (e.g., creating a VM, modifying a route table) but does not show the data-plane routing state currently applied to a NIC.
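Reading the effective routes on VM-App01 and isolating the appliance route, as an added Azure PowerShell example that is not from the page. The resource group, VM name, a Network Watcher in the region and the 203.0.113.10 test destination (a documentation address standing in for any internet host) are assumptions.

```powershell
# Added example (not from the page): effective routes for VM-App01's NIC and
# the platform's next-hop answer for an internet destination.
# Assumed names: rg-net, VM-App01; assumed test destination 203.0.113.10.
$rg  = 'rg-net'
$vm  = Get-AzVM -ResourceGroupName $rg -Name 'VM-App01'
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id

# The merged table the platform actually uses: system routes, user-defined
# routes and BGP routes, with longest-prefix-match deciding and a UDR beating
# a system route of the same prefix.
$routes = Get-AzEffectiveRouteTable -NetworkInterfaceName $nic.Name -ResourceGroupName $nic.ResourceGroupName
$routes |
    Select-Object Source, State, @{ n = 'Prefix'; e = { $_.AddressPrefix -join ',' } },
                  NextHopType, @{ n = 'NextHop'; e = { $_.NextHopIpAddress -join ',' } } |
    Format-Table -AutoSize

# The usual culprit: an Active route (often 0.0.0.0/0, from a route table or
# BGP) whose next hop is VirtualAppliance. State Invalid marks a route the
# platform is not using, so filter on Active.
$routes | Where-Object { $_.NextHopType -eq 'VirtualAppliance' -and $_.State -eq 'Active' } |
    Select-Object Source, @{ n = 'Prefix'; e = { $_.AddressPrefix -join ',' } }, NextHopIpAddress

# Ask the platform which next hop one concrete destination gets from this VM.
$nw = Get-AzNetworkWatcher -Location $vm.Location
Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -SourceIPAddress $nic.IpConfigurations[0].PrivateIpAddress -DestinationIPAddress '203.0.113.10'
```

The Source column is the first thing to read: Default is a system route, User comes from a route table on the subnet, and VirtualNetworkGateway means the prefix was learned over BGP, which points at a different place to fix it.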

51
MCQmedium

After applying a custom image, a VM boots to a black screen with a blinking cursor. The OS never reaches the login prompt. The administrator needs the fastest way to inspect the boot process and view serial console output. What should be enabled or checked?

A.Azure Monitor metrics for the VM
B.Boot diagnostics
C.Network watcher packet capture
D.Azure Advisor recommendations
AnswerB

Boot diagnostics is the quickest way to review startup problems because it captures the VM screenshot and serial console output during the boot process. When the operating system is not reaching the login screen, this feature helps identify whether the failure happens before the guest OS loads successfully.

Why this answer

Boot diagnostics captures serial console output and screenshots of the VM during boot. When a VM boots to a black screen with a blinking cursor, the serial console log provides the exact kernel or bootloader messages (e.g., GRUB, initramfs errors) without requiring OS-level access. This is the fastest way to inspect the boot process because it works even when the OS is unresponsive.

Exam trap

The trap here is that candidates confuse boot diagnostics (which captures serial console output) with Azure Monitor metrics (which only track performance counters), leading them to choose a monitoring tool that cannot inspect the boot process.

How to eliminate wrong answers

Option A is wrong because Azure Monitor metrics collect performance counters (CPU, memory, disk I/O) but do not capture boot-time serial output or screen state; they are irrelevant to a black-screen boot failure. Option C is wrong because Network Watcher packet capture analyzes network traffic at the virtual network level, not the VM's boot process or console output. Option D is wrong because Azure Advisor provides best-practice recommendations for cost, security, and reliability, but it does not offer real-time or historical boot diagnostics.
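Enabling boot diagnostics on the affected VM and pulling the serial log, as an added Azure PowerShell example that is not from the page. Resource names and the local C:\diag folder are assumptions; platform-managed boot diagnostics storage is used so no storage account is needed.

```powershell
# Added example (not from the page): enable managed boot diagnostics, fetch
# the serial log and screenshot, and grep the log for boot-time failures.
# Assumed names: rg-app, vm-custom01, local folder C:\diag.
$rg = 'rg-app'; $name = 'vm-custom01'

$vm = Get-AzVM -ResourceGroupName $rg -Name $name
if (-not $vm.DiagnosticsProfile.BootDiagnostics.Enabled) {
    # No -StorageAccountName: the platform-managed storage is used.
    Set-AzVMBootDiagnostic -VM $vm -Enable | Out-Null
    Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null
    # Serial output and screenshot are only captured from the next boot on.
    Restart-AzVM -ResourceGroupName $rg -Name $name | Out-Null
}

# Download both artefacts (use -Linux for a Linux guest).
New-Item -ItemType Directory -Path 'C:\diag' -Force | Out-Null
Get-AzVMBootDiagnosticsData -ResourceGroupName $rg -Name $name -Windows -LocalPath 'C:\diag'

# A blinking cursor usually hides a bootloader or kernel message: GRUB or
# initramfs errors on Linux, BCD/winload errors on Windows. Show the tail.
$log = Get-ChildItem 'C:\diag' -Filter '*.log' | Sort-Object LastWriteTime | Select-Object -Last 1
Select-String -Path $log.FullName -Pattern 'error|fail|panic|grub|initramfs|bcd|winload' |
    Select-Object -Last 40 | ForEach-Object { $_.Line }
```

If the log is empty even after a reboot, the failure is before the guest ever writes to the serial port, which points at the image itself (wrong generation, missing boot partition) rather than the OS.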

52
Multi-Selectmedium

A reporting application must run on an Azure VM with at least 8 vCPUs and 64 GiB of RAM. The team also wants headroom for short spikes without falling below the requirement. Which two VM sizes meet or exceed the requirement? Select two.

Select 2 answers
A.Standard_E8s_v5
B.Standard_D8s_v5
C.Standard_F8s_v2
D.Standard_M8ms
E.Standard_B8ms
AnswersA, D

Standard_E8s_v5 meets the requirement exactly (8 vCPUs, 64 GiB); Standard_M8ms exceeds it (8 vCPUs, 218.75 GiB).

Why this answer

Standard_E8s_v5 is correct because it provides 8 vCPUs and 64 GiB of RAM, matching the minimum exactly; the Ev5 family is memory-optimised at 8 GiB per vCPU, which suits reporting workloads, and supports premium storage and accelerated networking. Standard_M8ms is also correct: it has 8 vCPUs but 218.75 GiB of memory, so it exceeds the requirement by a wide margin, and that surplus is what gives headroom for short spikes without ever dropping below 64 GiB.

Exam trap

The trap here is that candidates often check only the vCPU count and select Standard_D8s_v5 or Standard_B8ms because they see '8 vCPUs', but the D-series and B-series sizes provide only 32 GiB of RAM, and Standard_F8s_v2 only 16 GiB, none of which reaches the required 64 GiB.
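Rather than memorising the size table, ask the region, as an added Azure PowerShell example that is not from the page. It checks the five candidate sizes against the 8 vCPU / 64 GiB floor and then lists every qualifying size in the region; the region eastus is an assumption.

```powershell
# Added example (not from the page): verify the candidate sizes against the
# requirement, then list every size in the region that meets it.
# Assumed region: eastus. The candidate list is the question's own.
$candidates = 'Standard_E8s_v5', 'Standard_D8s_v5', 'Standard_F8s_v2', 'Standard_M8ms', 'Standard_B8ms'
$minCores   = 8
$minMemMB   = 64 * 1024

$sizes = Get-AzVMSize -Location 'eastus'

# The five options side by side with a pass/fail column.
$sizes | Where-Object { $_.Name -in $candidates } |
    Select-Object Name, NumberOfCores,
        @{ n = 'MemoryGiB';  e = { [math]::Round($_.MemoryInMB / 1024, 2) } },
        @{ n = 'Meets8x64';  e = { $_.NumberOfCores -ge $minCores -and $_.MemoryInMB -ge $minMemMB } } |
    Sort-Object MemoryGiB -Descending | Format-Table -AutoSize

# The general form: everything in the region that qualifies, smallest first,
# so the least over-provisioned size of each family floats to the top.
$sizes | Where-Object { $_.NumberOfCores -ge $minCores -and $_.MemoryInMB -ge $minMemMB } |
    Sort-Object NumberOfCores, MemoryInMB |
    Select-Object Name, NumberOfCores, @{ n = 'MemoryGiB'; e = { $_.MemoryInMB / 1024 } } |
    Format-Table -AutoSize
```

Get-AzVMSize reports what exists in the region; whether the subscription is allowed to deploy a given size (quota and restrictions) is a separate check via Get-AzComputeResourceSku and Get-AzVMUsage.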

53
MCQmedium

Your company has an Azure subscription named Prod-Sub. You create a custom role that allows users to restart virtual machines but not create, delete, or resize them. You need to ensure that members of the VMOperators group can use this custom role only for virtual machines in the RG-Prod resource group. What should you do?

A.Assign the custom role to VMOperators at the subscription scope.
B.Assign the custom role to VMOperators at the RG-Prod scope.
C.Assign the Virtual Machine Contributor role to VMOperators at the RG-Prod scope.
D.Assign the custom role to VMOperators at the management group scope.
AnswerB

This applies the permissions only to resources in the RG-Prod resource group and follows least privilege.

Why this answer

Option B is correct because assigning the custom role at the RG-Prod scope restricts the role's permissions to only the virtual machines within that specific resource group. This meets the requirement that VMOperators can restart VMs but not create, delete, or resize them, and only within RG-Prod.

Exam trap

The trap here is scope: candidates assume a subscription-level assignment can be narrowed to one resource group by a condition. Azure RBAC conditions (ABAC) exist only for certain data actions, such as blob storage, not for VM control-plane actions, so the only way to limit this role to RG-Prod is to assign it at the RG-Prod scope.

How to eliminate wrong answers

Option A is wrong because assigning the custom role at the subscription scope would grant the restart permission to all virtual machines in the entire subscription, not just those in RG-Prod. Option C is wrong because the Virtual Machine Contributor role includes permissions to create, delete, and resize VMs, which exceeds the requirement to only allow restart. Option D is wrong because assigning the role at the management group scope would apply the permissions to all subscriptions under that management group, far broader than the RG-Prod resource group.
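Defining the restart-only role and assigning it to the VMOperators group at the RG-Prod scope, which also covers the group-based assignment recommended in question 41 above. This is an added Azure PowerShell example, not code from the page; it assumes the group exists in Entra ID under that display name and that Prod-Sub is the current context.

```powershell
# Added example (not from the page): restart-only custom role, assigned to a
# group at resource-group scope. Assumed: group 'VMOperators' exists; the
# current context is subscription Prod-Sub.
$sub = (Get-AzContext).Subscription.Id
$rg  = Get-AzResourceGroup -Name 'RG-Prod'

# Start from a built-in definition's object shape, then replace its contents.
# Only the actions needed to find and restart a VM: no
# Microsoft.Compute/virtualMachines/write (resize) or /delete.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id          = $null
$role.Name        = 'VM Restart Operator'
$role.Description = 'Restart virtual machines; no create, delete or resize.'
$role.IsCustom    = $true
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/instanceView/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/restart/action')
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
# AssignableScopes caps where the role may ever be assigned. The subscription
# is used so the same definition can be reused for other resource groups; the
# actual grant below is still only RG-Prod.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$sub")
New-AzRoleDefinition -Role $role | Out-Null

# Assign to the group, not to users: membership changes in Entra ID, the
# assignment stays put. The scope is the resource group.
$group = Get-AzADGroup -DisplayName 'VMOperators'
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'VM Restart Operator' `
    -ResourceGroupName $rg.ResourceGroupName | Out-Null

# Verify: one assignment, custom role, RG-Prod scope.
Get-AzRoleAssignment -ObjectId $group.Id -ResourceGroupName $rg.ResourceGroupName |
    Select-Object RoleDefinitionName, Scope
```

The read actions are not optional: without virtualMachines/read the operators cannot see the VM they are allowed to restart, and restart/action alone gives a role that works from scripts but not from the portal.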

54
Multi-Selecteasy

A business wants a line-of-business VM workload to keep running if one Azure datacenter in the region goes offline. Which two deployment choices should the administrator use? Select two.

Select 2 answers
A.Deploy the VMs in different availability zones.
B.Place the VMs in the same availability set.
C.Choose an Azure region that supports availability zones.
D.Use a proximity placement group for the VMs.
E.Use a snapshot of the operating system disk.
AnswersA, C

Placing VMs in different availability zones separates them across datacenters within the region, which protects against a single datacenter outage.

Why this answer

Option A is correct because deploying VMs across different availability zones protects against a single datacenter failure. Each availability zone is a physically separate datacenter within an Azure region, with independent power, cooling, and networking; if one zone goes offline, the VM in the other zone keeps running. Option C is correct because zonal deployment is only possible in a region that offers availability zones for the chosen VM size, so choosing such a region is the prerequisite for option A.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures within a single datacenter) with availability zones (which protect against full datacenter outages), leading them to select option B instead of A and C.

55
Matching · medium

A support engineer is investigating a failed Azure VM backup job in Log Analytics. Match each KQL operator to the result it produces.

where: Keeps only rows that meet the filter condition.

project: Returns only selected columns and can rename them.

summarize: Aggregates rows into totals, counts, or grouped results.

order by: Orders the output by one or more columns.

Why these pairings

These are common KQL operators. 'where' filters, 'project' selects columns, 'extend' adds columns, 'summarize' aggregates, 'join' merges tables, and 'order by' sorts results.

56
Matching · medium

An administrator is reviewing a KQL query used to investigate failed operations in a Log Analytics workspace. Match each KQL operator to the effect it has on the query output.

where: Filters rows so only records that meet the condition remain in the result.

project: Returns only selected columns and can rename them for cleaner output.

summarize: Aggregates data, such as counting failures by hour or by status code.

extend: Adds a calculated column based on existing fields in each row.

order by: Sorts the result set, such as showing the newest records first.

Why these pairings

These are standard KQL operators used in Log Analytics queries. 'where' filters, 'project' selects columns, 'extend' adds computed columns, 'summarize' aggregates, 'join' merges tables, and 'order by' sorts results.

57
MCQ · medium

A storage account must be reachable only from one Azure virtual network. The team wants the storage service to have a private IP in that VNet, public network access disabled, and name resolution to work without using the public endpoint. What should the administrator configure?

A. A service endpoint on the subnet and a storage firewall rule
B. A private endpoint and a private DNS zone linked to the VNet
C. A public IP address and IP-based firewall exceptions
D. A shared access signature and blob container ACLs
Answer: B

A private endpoint places a private IP address for the storage service in the VNet, and the private DNS zone ensures the service name resolves to that private IP. Together, they provide private access while allowing public network access to be disabled.

Why this answer

A private endpoint assigns the storage account a private IP from the VNet's address space, making it reachable only within that VNet. Disabling public network access ensures no traffic can reach the storage account via its public endpoint. A private DNS zone linked to the VNet resolves the storage account's FQDN to the private IP, so name resolution works without using the public endpoint.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming a service endpoint provides a private IP and disables public access, when in fact it only routes traffic over the Microsoft backbone while still using the public endpoint.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet identity to the service, and the storage account still uses its public endpoint, which contradicts the requirement for a private IP and disabled public network access. Option C is wrong because a public IP address and IP-based firewall exceptions still rely on the public endpoint, which must be disabled per the requirement, and this does not provide a private IP within the VNet. Option D is wrong because a shared access signature and blob container ACLs control access at the data level, not network-level connectivity, and do not provide a private IP or disable public network access.

58
MCQ · easy

A company wants to prevent users from creating storage accounts unless the resources include a costCenter tag. Which Azure feature should be used?

A. Azure RBAC, because it controls whether users can create resources.
B. Azure Policy, because it can evaluate and enforce required resource properties.
C. A resource lock, because it can force resources to use tags.
D. A service endpoint, because it can filter which resources are allowed in a subscription.
Answer: B

This is correct because Azure Policy is designed to enforce standards and assess compliance. A policy can require a tag such as costCenter and deny or audit noncompliant resource creation. RBAC could still allow the user to create storage accounts, but Policy adds the configuration rule that controls whether the deployment is compliant.

Why this answer

Azure Policy is correct because it can enforce organizational standards by evaluating resource properties during creation and modification. By defining a policy that requires a 'costCenter' tag on all storage accounts, Azure Policy will deny creation of any storage account that does not include that tag, ensuring compliance without manual intervention.

Exam trap

The trap here is confusing Azure Policy (which enforces resource properties) with Azure RBAC (which controls permissions), as both are governance tools but serve fundamentally different purposes.

How to eliminate wrong answers

Option A is wrong because Azure RBAC controls permissions (who can create resources) but cannot enforce specific resource properties like tags; it only grants or denies the ability to perform actions. Option C is wrong because a resource lock prevents deletion or modification of a resource but cannot enforce tag requirements during creation. Option D is wrong because a service endpoint restricts network access to Azure services from specific subnets, not resource properties or tag enforcement.

59
Multi-Select · easy

A company wants to stop users from creating resources in regions that are not approved and also require a Department tag on new resources. Which two tasks are best handled by Azure Policy? Select two.

Select 2 answers
A. Restrict allowed deployment locations.
B. Require a Department tag on resources.
C. Give users Contributor access to the subscription.
D. Create Microsoft Entra ID users for contractors.
E. Place a CanNotDelete lock on every resource group.
Answers: A, B

Azure Policy is designed to enforce configuration standards such as allowed locations. It can block or audit deployments that do not match the approved region list, which is a compliance requirement rather than an access-control requirement.

Why this answer

Azure Policy can enforce organizational standards by evaluating resource properties against business rules. Option A is correct because the 'Allowed Locations' policy definition restricts users from deploying resources to any region not explicitly permitted, directly addressing the requirement to block unapproved regions. Option B is correct because the 'Require a tag and its value on resources' policy definition can enforce that a Department tag must exist on all new resources, ensuring compliance with tagging requirements.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure RBAC or resource locks, thinking that policy can manage user permissions or prevent deletion, when in fact policy is solely for enforcing rules on resource properties like location and tags.

60
MCQ · hard

A storage account must be reachable only from workloads in one Azure subnet. The team wants to keep using the storage account's public FQDN, avoid creating a private IP address in the virtual network, and avoid managing private DNS zones. What should the administrator configure?

A. A private endpoint for the storage account
B. A service endpoint on the subnet and a storage firewall rule for that subnet
C. An NSG rule that allows TCP 443 to the storage account
D. An application security group tied to the storage account
Answer: B

A service endpoint keeps the public endpoint in place while extending the subnet's identity to the storage service. Combined with a storage firewall rule that allows only that subnet, it restricts access without assigning a private IP or requiring private DNS management. This exactly matches the stated design goals.

Why this answer

A service endpoint on the subnet and a storage firewall rule for that subnet is correct because it allows the storage account to be reachable only from workloads in one Azure subnet while still using the storage account's public FQDN. Service endpoints extend the virtual network identity to the storage account over the Microsoft backbone, and the firewall rule restricts access to that specific subnet. This avoids creating a private IP address in the virtual network and eliminates the need to manage private DNS zones, as the public endpoint is retained.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that only private endpoints can restrict access to a single subnet, but service endpoints combined with a storage firewall rule achieve the same goal without private IPs or DNS management.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the storage account within the virtual network, which contradicts the requirement to avoid creating a private IP address and managing private DNS zones. Option C is wrong because an NSG rule only controls traffic leaving the subnet; it does not configure the storage account's own firewall, so the storage account would still be reachable from any public IP unless a storage firewall rule is configured. Option D is wrong because an application security group groups virtual machine NICs for NSG rule application, not storage accounts; it cannot be tied to a storage account or enforce subnet-specific access.

61
MCQ · medium

A contractor needs to upload data into one specific blob container for six hours. The administrator must avoid sharing the storage account key and should grant only the minimum permissions needed. Which access method should be used?

A. A service SAS scoped to the container with write permission and an expiry time in six hours.
B. The storage account access key, because it is easier to revoke later.
C. A shared key rotation policy, because it grants time-limited access to one container.
D. A user-assigned managed identity assigned to the contractor’s laptop.
Answer: A

A service SAS can be scoped to a single container, limited to the needed permissions, and set to expire automatically. That makes it the best fit for temporary contractor upload access without exposing the full storage account key.

Why this answer

A service SAS scoped to the container with write permission and an expiry time of six hours is correct because it provides time-limited, delegated access to a specific blob container without exposing the storage account key. This meets the requirement of granting only the minimum permissions needed (write) for the six-hour duration, and the SAS can be revoked by regenerating the storage account key if necessary.

Exam trap

The trap here is that candidates often confuse a service SAS with a stored access policy, or they mistakenly think a managed identity can be assigned to an external device, when in reality managed identities are only for Azure resources and require Azure AD integration.

How to eliminate wrong answers

Option B is wrong because sharing the storage account key grants full administrative access to all storage services (blobs, tables, queues, files) and cannot be scoped to a single container or time-limited, violating the principle of least privilege. Option C is wrong because a shared key rotation policy is not an access method; it is a security policy to automatically rotate storage account keys, and it does not provide time-limited access to a specific container. Option D is wrong because a user-assigned managed identity cannot be assigned to a contractor’s laptop; managed identities are designed for Azure resources (e.g., VMs, App Services) and require Azure AD authentication, which is not feasible for an external contractor’s local device.

62
MCQ · hard

A storage account must be accessible only from one Azure subnet. The security team does not want a private endpoint or private DNS zone, and they are fine with the storage account continuing to use its public FQDN. Which configuration should you use?

A. Create a service endpoint on the subnet and allow that subnet in the storage account firewall.
B. Create a private endpoint for the storage account and disable public network access.
C. Use an NSG rule to allow only the subnet to reach port 443 on the storage account.
D. Associate a route table that sends storage traffic to an Azure firewall appliance.
Answer: A

A service endpoint is the correct design because it restricts access to a specific subnet without creating a private IP address for the storage account. The storage account can continue to use its public FQDN, which matches the requirement. By enabling the service endpoint on the subnet and then permitting that subnet in the storage firewall, traffic is locked down while avoiding private endpoint and private DNS complexity.

Why this answer

Option A is correct because a service endpoint extends the virtual network identity to the Azure Storage service, allowing the storage account firewall to restrict access to traffic originating from the specific subnet. This meets the requirement of limiting access to one Azure subnet without using a private endpoint or DNS zone, and the storage account continues to use its public FQDN.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that restricting access to a subnet requires a private IP address, when in fact service endpoints provide subnet-level access control while preserving the public endpoint.

How to eliminate wrong answers

Option B is wrong because it requires creating a private endpoint and disabling public network access, which contradicts the requirement that the security team does not want a private endpoint or private DNS zone. Option C is wrong because an NSG rule cannot filter traffic to a storage account's public endpoint by subnet identity; NSGs operate at the network layer and cannot enforce access control based on Azure service-level identities, so traffic from other subnets could still reach the storage account if the public endpoint is accessible. Option D is wrong because associating a route table with an Azure firewall does not restrict access to the storage account by subnet; it only controls routing and inspection, not identity-based access control, and the storage account's public endpoint would still be reachable from any subnet.

63
MCQ · medium

A company is building a hub-and-spoke Azure network. The hub VNet already uses 10.50.0.0/16. A new spoke VNet will later be peered to the hub and connected to on-premises through VPN. What is the most important planning step before creating the peering?

A. Reuse 10.50.0.0/16 in the spoke so routing to the hub is simpler.
B. Choose a non-overlapping address space for the spoke and reserve room for future subnets.
C. Create a route table first so peering can learn the spoke routes.
D. Enable a service endpoint to allow the spoke to communicate with the hub.
Answer: B

A spoke VNet must not overlap with the hub or any other connected network. Reserving space for future subnets is also good planning because it reduces redesign later when the environment grows.

Why this answer

Option B is correct because Azure VNet peering requires non-overlapping address spaces to establish connectivity. If the spoke uses the same address space as the hub (10.50.0.0/16), routing conflicts will occur, and the peering will fail or cause unpredictable traffic behavior. Additionally, reserving room for future subnets ensures the spoke can scale without needing to re-architect the network.

Exam trap

The trap here is that candidates often think reusing the same address space simplifies routing (Option A), but Azure explicitly forbids overlapping address spaces for VNet peering, making non-overlapping address planning the critical first step.

How to eliminate wrong answers

Option A is wrong because reusing 10.50.0.0/16 in the spoke would create overlapping address spaces with the hub, which is not allowed for VNet peering; Azure will reject the peering. Option C is wrong because route tables are not required for peering to learn spoke routes; VNet peering automatically exchanges the address spaces of the peered VNets (and, when 'Allow gateway transit' and 'Use remote gateways' are configured, routes learned through the hub gateway), so a route table is not a prerequisite. Option D is wrong because service endpoints are used to secure Azure service access from a VNet, not to enable communication between peered VNets; peering itself handles inter-VNet connectivity.

64
Multi-Select · easy

A development team wants redundancy within the primary region but does not need replication to a secondary region. Which two Azure storage redundancy options meet this requirement? Select two.

Select 2 answers
A. LRS, because it keeps multiple copies in one datacenter and does not replicate to another region.
B. ZRS, because it keeps copies across zones in one region and also avoids geo-replication.
C. GRS, because it replicates to a secondary region and therefore matches the requirement.
D. RA-GRS, because it adds read access to the secondary region and still remains single-region only.
E. RA-GZRS, because it combines zone redundancy with readable geo-replication to another region.
Answers: A, B

LRS stays in one region and does not create a secondary-region copy.

Why this answer

A is correct because Locally Redundant Storage (LRS) replicates data three times within a single datacenter in the primary region, providing redundancy against local hardware failures without any replication to a secondary region. B is correct because Zone-Redundant Storage (ZRS) replicates data synchronously across availability zones in the primary region, again with no secondary-region copy. Both meet the requirement of intra-region redundancy only.

Exam trap

The trap here is that candidates often confuse 'redundancy within the primary region' with any option that includes 'redundant' in its name, leading them to select GRS or RA-GRS which actually replicate to a secondary region.

65
MCQ · medium

A VM-hosted automation tool must call Azure APIs without storing a password or certificate on disk. The identity should disappear automatically when the VM is deleted. Which identity should the administrator assign?

A. A user-assigned managed identity
B. A service principal with a client secret
C. A system-assigned managed identity
D. A storage account access key
Answer: C

A system-assigned managed identity is tied directly to the VM lifecycle, so it is created with the VM and removed when the VM is deleted. It allows the automation tool to authenticate to Azure services without storing passwords, secrets, or certificates on disk, which is the secure pattern requested.

Why this answer

A system-assigned managed identity is tied directly to the lifecycle of the Azure VM — when the VM is deleted, the identity is automatically removed. It allows the VM to authenticate to Azure APIs without storing any credentials (password or certificate) on disk, using Azure AD tokens obtained via the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254.

Exam trap

The trap here is that candidates confuse user-assigned and system-assigned managed identities, failing to recognize that only system-assigned identities are automatically deleted with the VM, while user-assigned identities persist independently.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is a standalone Azure resource that persists independently of the VM; deleting the VM does not automatically delete the identity, and it must be explicitly removed. Option B is wrong because a service principal with a client secret requires storing the secret on disk or in environment variables, violating the requirement to avoid storing a password or certificate on disk. Option D is wrong because a storage account access key is a shared key for accessing Azure Storage, not an identity for authenticating to Azure APIs, and it must be stored on disk or in configuration.

66
MCQ · medium

A company has a hub virtual network that contains a custom DNS server at 10.20.0.4. A new spoke virtual network is peered to the hub. VMs in the spoke can reach other resources in Azure, but they cannot resolve internal names such as app01.corp.local. What should the administrator configure to fix name resolution for the spoke VMs?

A. Add a user-defined route that sends DNS traffic to the hub virtual network.
B. Set the spoke virtual network's custom DNS server to 10.20.0.4.
C. Create an NSG rule that allows UDP port 53 from the spoke subnet to the hub subnet.
D. Enable gateway transit on the hub peering so name resolution flows through the VPN gateway.
Answer: B

This directs VMs in the spoke to query the hub DNS server for internal names. In a hub-and-spoke design, peering alone does not make Azure use a custom DNS server automatically. Configuring the spoke VNet to use 10.20.0.4 ensures clients send DNS queries to the server that already hosts the corporate zone records.

Why this answer

Option B is correct because the spoke virtual network must be configured to use the hub's custom DNS server (10.20.0.4) as its own DNS server. Azure virtual networks do not automatically inherit DNS settings from a peered hub; each virtual network must explicitly specify its DNS server. By setting the spoke's custom DNS server to 10.20.0.4, VMs in the spoke will send DNS queries to that server, enabling resolution of internal names like app01.corp.local.

Exam trap

The trap here is that candidates often confuse DNS resolution with network connectivity (NSG rules or UDRs) or assume that VNet peering automatically propagates DNS settings, when in fact each VNet must be explicitly configured with its own DNS server.

How to eliminate wrong answers

Option A is wrong because user-defined routes (UDRs) control traffic forwarding based on IP destination, not DNS resolution; DNS queries are sent to the configured DNS server IP, and a UDR cannot redirect DNS traffic to a different server without breaking standard DNS behavior. Option C is wrong because NSG rules control inbound/outbound traffic at the network layer, but the spoke VMs are already able to reach the hub DNS server (since they can reach other Azure resources); the issue is that the spoke VMs are not configured to use that DNS server, not that traffic is blocked. Option D is wrong because gateway transit is used to allow a spoke to use a hub's VPN gateway for connectivity to on-premises networks, not for DNS resolution; it does not affect how VMs resolve internal DNS names.

67
MCQ · medium

Based on the exhibit, which KQL query should you use to find failed storage account delete operations in the last hour and count them by caller?

A. AzureActivity | where TimeGenerated > ago(1h) | where OperationNameValue has 'Microsoft.Storage/storageAccounts/delete' | where ActivityStatusValue == 'Failed' | summarize Failures=count() by Caller
B. AzureActivity | where TimeGenerated > ago(1h) | where OperationNameValue has 'Microsoft.Storage/storageAccounts/delete' | where ActivityStatusValue == 'Succeeded' | summarize Failures=count() by Caller
C. SecurityEvent | where EventID == 4670 | summarize count() by Account
D. AzureActivity | where TimeGenerated > ago(1h) | where OperationNameValue has 'Microsoft.Storage/storageAccounts/delete' | summarize Failures=count() by Caller
Answer: A

This query filters to the last hour, matches the delete operation, keeps only failed records, and groups the results by caller. It returns exactly the data needed to see who attempted the failed deletes.

Why this answer

Option A is correct because it filters AzureActivity logs to the last hour using `TimeGenerated > ago(1h)`, targets only storage account delete operations with `OperationNameValue has 'Microsoft.Storage/storageAccounts/delete'`, restricts to failed operations via `ActivityStatusValue == 'Failed'`, and then counts failures by caller using `summarize Failures=count() by Caller`. This precisely meets the requirement to find failed storage account delete operations in the last hour and count them by caller.

Exam trap

The trap here is that candidates may forget to filter by `ActivityStatusValue == 'Failed'` (as in Option D) or mistakenly filter for `'Succeeded'` (as in Option B), both of which fail to meet the requirement for counting only failed operations.

How to eliminate wrong answers

Option B is wrong because it filters for `ActivityStatusValue == 'Succeeded'`, which would count successful delete operations instead of the required failed ones. Option C is wrong because it queries `SecurityEvent` with `EventID == 4670` (which relates to permission changes, not storage account delete operations) and does not filter by time or operation type. Option D is wrong because it omits the `where ActivityStatusValue == 'Failed'` filter, so it would count all storage account delete operations (both successful and failed) instead of only failed ones.

68
MCQ · medium

A partner organization needs write access to a single blob container for 24 hours. You want to avoid sharing the storage account key and minimize access scope. Which access mechanism should you provide?

A. A storage account key
B. A user delegation SAS
C. A container stored access policy without a token
D. An Azure Policy assignment
Answer: B

A user delegation SAS can be limited to the container, permissions, and short lifetime required.

Why this answer

A user delegation SAS is the correct choice because it provides time-limited, delegated access to a specific blob container using Azure AD credentials, without exposing the storage account key. It allows you to grant write access for exactly 24 hours to a single container, minimizing the access scope as required.

Exam trap

The trap here is that candidates may confuse a user delegation SAS with a service SAS or account SAS, but the key distinction is that a user delegation SAS uses Azure AD for signing, avoiding the need to share the storage account key while still providing scoped, time-limited access.

How to eliminate wrong answers

Option A is wrong because sharing a storage account key grants full administrative access to the entire storage account, not just a single container, and violates the requirement to avoid sharing the key. Option C is wrong because a container stored access policy without a token does not provide any access mechanism; it only defines constraints for SAS tokens but requires a SAS to be generated. Option D is wrong because an Azure Policy assignment is used for governance and compliance enforcement, not for granting direct data access to a blob container.

69
MCQ · easy

A build pipeline needs to run a Linux container for 10 to 15 minutes at a time. The team does not want to manage servers, clusters, or an always-on VM. Which Azure service should be used?

A. Azure Container Instances
B. Azure Kubernetes Service
C. Azure Virtual Machine
D. Azure App Service
Answer: A

Azure Container Instances is well suited for short-lived, isolated container runs without cluster management. It lets the team start a container on demand, run the job, and stop paying for a continuously running server once the task is complete. For scheduled or event-driven container workloads that do not need orchestration features, it is a simple and practical choice.

Why this answer

Azure Container Instances (ACI) is the correct choice because it allows you to run a Linux container directly on Azure without provisioning or managing any underlying infrastructure. ACI is ideal for short-lived, burstable workloads like a build pipeline that runs for 10–15 minutes, as it supports per-second billing and automatic startup/shutdown without the overhead of a cluster or VM.

Exam trap

The trap here is that candidates often confuse Azure Container Instances with Azure Kubernetes Service, assuming that any container workload requires a full orchestration platform, but ACI is purpose-built for simple, short-lived container execution without cluster management.

How to eliminate wrong answers

Option B (Azure Kubernetes Service) is wrong because it requires managing a Kubernetes cluster (even if serverless options exist, it still involves cluster orchestration overhead) and is overkill for a single container that runs for only 10–15 minutes. Option C (Azure Virtual Machine) is wrong because it requires provisioning and managing an always-on VM, which contradicts the requirement to not manage servers or an always-on VM. Option D (Azure App Service) is wrong because it is designed for long-running web applications and requires an always-on plan or continuous deployment; it does not natively support running a single container on-demand for a short duration without incurring idle costs.

70
Matching · medium

Match each lifecycle management requirement to the blob tier transition or action that should be configured.


Transition to Cool

Transition to Archive

Rehydrate from Archive

Delete blob

Why these pairings

Lifecycle management rules define actions (tier changes or deletion) based on age or access. The actions correspond to moving to cooler tiers (cool, cold, archive) or deleting, and can apply to snapshots.

71
MCQ · easy

A line-of-business app requires protection against a datacenter outage in a region that supports zones. You want the strongest placement resilience available for the VMs. What should you choose?

A. Availability set
B. Availability zone
C. Virtual machine scale set
D. Resource lock
Answer: B

Availability zones place resources in separate datacenters within a region, improving resilience against a datacenter outage.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying VMs across zones provides the strongest resilience against a datacenter outage because if one zone fails, the other zones remain operational. This is the highest level of protection available within a single region for IaaS VMs.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures) with availability zones (which protect against full datacenter outages), leading them to choose the weaker option when the question explicitly demands the strongest placement resilience.

How to eliminate wrong answers

Option A is wrong because an availability set only protects against hardware failures within a single datacenter (by distributing VMs across fault domains and update domains), not against a full datacenter outage. Option C is wrong because a virtual machine scale set is primarily for auto-scaling and load balancing, and while it can use availability zones, the question asks for the strongest placement resilience for VMs, not the scaling mechanism; a scale set without zones offers no datacenter outage protection. Option D is wrong because a resource lock prevents accidental deletion or modification of resources but provides no placement resilience or high availability whatsoever.

72
MCQ · easy

A company wants its file share data to be automatically copied to a paired Azure region, and administrators want to read the secondary copy during a disaster test. Which redundancy option should they use?

A. ZRS
B. LRS
C. RA-GRS
D. Cool
Answer: C

RA-GRS replicates data to a paired secondary region and allows read access to that secondary endpoint. This fits the need to test or inspect the secondary copy during a disaster exercise.

Why this answer

RA-GRS (Read-Access Geo-Redundant Storage) is correct because it replicates data to a paired secondary region asynchronously and provides read-only access to that secondary copy. This allows administrators to read the secondary copy during a disaster test without impacting the primary region. ZRS and LRS do not replicate to a paired region, and Cool is a tier, not a redundancy option.

Exam trap

The trap here is that candidates confuse 'redundancy options' with 'access tiers' (like Cool) or assume that any geo-replication option (like GRS) automatically provides read access, but only RA-GRS explicitly enables reading the secondary copy without initiating a failover.

How to eliminate wrong answers

Option A is wrong because ZRS (Zone-Redundant Storage) replicates data synchronously across three Azure availability zones within a single region, not to a paired secondary region, so it does not meet the requirement for cross-region replication. Option B is wrong because LRS (Locally Redundant Storage) replicates data three times within a single datacenter in a single region, providing no cross-region copy for disaster recovery testing. Option D is wrong because Cool is an access tier (for blob storage) that optimizes cost for infrequently accessed data, not a redundancy option; it does not provide any replication or secondary copy.

73
MCQ medium

An on-premises application connects to Azure through an existing site-to-site VPN. The application must access an Azure Storage account, public network access on the storage account is disabled, and the company does not want the storage account exposed through a public endpoint. Which solution should the administrator implement?

A. Create a private endpoint for the storage account in a VNet reachable over the VPN and configure private DNS.
B. Enable a service endpoint on the on-premises network and allow the storage account firewall to trust it.
C. Generate a shared access signature and use it from the on-premises application.
D. Associate a NAT gateway with the on-premises VPN connection.
Answer A

A private endpoint gives the storage account a private IP in a VNet, and that private address can be reached from on-premises over the existing VPN. Because public network access is disabled, this is the correct design for private-only access. Private DNS ensures the application resolves the storage name to the private IP rather than the public endpoint.

Why this answer

A private endpoint assigns the storage account a private IP from a VNet that is reachable over the site-to-site VPN, effectively bringing the storage account into the on-premises network without exposing a public endpoint. Private DNS zones ensure that the storage account's FQDN resolves to the private IP, enabling seamless connectivity from on-premises while public network access remains disabled.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming that enabling a service endpoint on the VNet and trusting it in the firewall will allow on-premises traffic, but service endpoints do not provide private IP connectivity and still require the public endpoint to be enabled.

How to eliminate wrong answers

Option B is wrong because service endpoints extend Azure service connectivity to a VNet, not to an on-premises network; they require the storage account's firewall to allow traffic from the VNet, but the on-premises traffic must first enter that VNet, and service endpoints do not provide a private IP or eliminate public endpoint exposure. Option C is wrong because a shared access signature (SAS) still requires the storage account's public endpoint to be accessible; since public network access is disabled, the SAS token cannot be used to reach the storage account. Option D is wrong because a NAT gateway is used to provide outbound internet connectivity for resources in a subnet, not to enable inbound private connectivity from on-premises over a VPN; it does not affect how the storage account is accessed.

74
Multi-Select hard

A backup administrator manages three Recovery Services vaults. They need a single place to review the latest job outcome across all vaults, and then drill into the failed job details for one VM. Which two Azure experiences should they use? Select two.

Select 2 answers
A. Azure Backup center
B. Recovery Services vault > Backup jobs
C. Azure Monitor metric chart
D. Azure Activity Log
E. Resource Health
Answers A, B

Backup center provides a consolidated view for backup management across vaults and subscriptions.

Why this answer

Azure Backup center provides a single, unified dashboard to monitor backup jobs across multiple Recovery Services vaults, enabling you to quickly view the latest job outcome for all protected workloads. From the Backup center, you can drill into a specific failed job for a VM by selecting it, which navigates to the detailed job view within the associated Recovery Services vault's Backup jobs blade. This combination meets the requirement for a centralized review and granular drill-down.

Exam trap

The trap here is that candidates often assume a single Recovery Services vault's Backup jobs blade is sufficient for multi-vault oversight, but the question explicitly requires a single place to review across all vaults, which only Backup center provides, while the vault-specific blade is needed for the drill-down step.

75
MCQ medium

Based on the exhibit, the security team needs 30 days of searchable log data for a storage account and wants to create queries that can be used in workbooks and alerts. The current configuration only sends data to an archive location. What should the administrator configure?

A. Add a Log Analytics workspace destination to the diagnostic setting.
B. Change the storage account redundancy to RA-GRS.
C. Enable a CanNotDelete lock on the storage account.
D. Configure a private endpoint for the storage account.
Answer A

Log Analytics is the destination that supports KQL searches, workbook visualizations, and log-based alert rules. Adding it to the diagnostic setting gives the security team queryable operational data for the required retention period.

Why this answer

Option A is correct because the current diagnostic setting only archives logs to a storage account, which does not support interactive querying, workbooks, or alert rules. By adding a Log Analytics workspace destination to the same diagnostic setting, logs are sent to a centralized workspace where they become searchable via KQL, enabling real-time queries, workbook visualizations, and alert triggers. This meets the security team's requirement for 30 days of searchable log data without changing the existing archive destination.

Exam trap

The trap here is that candidates may think archiving logs to a storage account is sufficient for querying, but Azure Storage does not provide native log search or alerting capabilities—only Log Analytics workspaces enable interactive queries, workbooks, and alerts.

How to eliminate wrong answers

Option B is wrong because changing the storage account redundancy to RA-GRS only improves data durability and availability through geo-replication, but does not make the stored logs searchable or queryable for workbooks and alerts. Option C is wrong because enabling a CanNotDelete lock prevents accidental deletion of the storage account but has no effect on log searchability or query capabilities. Option D is wrong because configuring a private endpoint for the storage account secures network access by using a private IP address from the virtual network, but does not enable log querying or integration with Log Analytics workbooks and alerts.
