AZ-104 (AZ-104) — Questions 676–750

1170 questions total · 16 pages · All types, answers revealed

Page 10 of 16
676
MCQ · hard

An Azure Automation job running on a VM uses a managed identity to upload and overwrite JSON files in one container named configs. The job must not list, delete, or modify any other containers in the storage account. Which role assignment is the best choice?

A. Storage Blob Data Contributor at the configs container scope
B. Storage Blob Data Owner at the storage account scope
C. Contributor at the resource group scope
D. Storage Queue Data Contributor at the storage account scope
Answer: A

This role grants the blob data permissions the automation job needs while avoiding storage account keys or SAS tokens. Assigning it at the container scope ensures the identity can work only inside the configs container and cannot touch unrelated containers. It is the narrowest assignment that still allows upload and overwrite operations, which makes it the best least-privilege choice.

Why this answer

The Storage Blob Data Contributor role at the container scope grants the managed identity the necessary permissions to upload and overwrite blobs (including JSON files) within the 'configs' container, while explicitly preventing listing, deleting, or modifying other containers in the storage account. This role includes the 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write' action, which allows overwriting existing blobs, but does not include any actions on the container itself (like listing or deleting containers) or on other containers. Scoping the role to the specific container ensures the principle of least privilege is strictly followed.

Exam trap

The trap here is that candidates often choose Storage Blob Data Owner at the storage account scope (Option B) because they think 'Owner' is necessary for overwriting files, but they overlook that 'Contributor' at the container scope already includes write permission and avoids granting excessive container management rights.

How to eliminate wrong answers

Option B is wrong because Storage Blob Data Owner at the storage account scope grants full control over all blobs and containers in the entire storage account, including the ability to list, delete, and modify any container, which violates the requirement to restrict access to only the 'configs' container. Option C is wrong because Contributor at the resource group scope provides full management access to all resources in the resource group, including the ability to delete the storage account itself, and does not restrict blob-level operations to a single container. Option D is wrong because Storage Queue Data Contributor is designed for Azure Queue storage (messages), not Blob storage (JSON files), and has no permissions to upload or overwrite blobs in a container.
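The least-privilege argument above rests on how Azure RBAC scopes inherit: an assignment applies to a resource when its scope is the resource itself or an ancestor of it in the resource-ID path. The following Python model is an added illustration, not Azure's evaluator and not code from the question bank. It assumes a constructed storage account ID (zero-filled subscription ID), a hypothetical principal name `automation-mi`, and only the blob data actions named in the explanation (a real role definition carries more entries). It also covers the "configs-old" edge case, where a naive string prefix check would wrongly extend the assignment to a sibling container.

```python
from dataclasses import dataclass

# Data actions discussed on the page (assumption: only this subset of the real role definitions).
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
BLOB_DELETE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"

ROLE_DATA_ACTIONS = {
    "Storage Blob Data Contributor": {BLOB_READ, BLOB_WRITE, BLOB_DELETE},
    "Storage Blob Data Reader": {BLOB_READ},
}


@dataclass(frozen=True)
class Assignment:
    principal: str   # hypothetical principal name, e.g. the job's managed identity
    role: str        # role definition name
    scope: str       # resource ID at which the role is assigned


def scope_covers(scope: str, resource_id: str) -> bool:
    """True when `scope` is the resource itself or an ancestor of it.

    Matching is done on '/' boundaries so that a container named 'configs'
    does not accidentally cover a sibling named 'configs-old'.
    """
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def is_allowed(assignments, principal: str, data_action: str, resource_id: str) -> bool:
    """Simplified RBAC check: any assignment for the principal whose scope covers the
    resource and whose role grants the data action allows the operation."""
    for a in assignments:
        if a.principal != principal:
            continue
        if not scope_covers(a.scope, resource_id):
            continue
        if data_action in ROLE_DATA_ACTIONS.get(a.role, set()):
            return True
    return False


# Constructed resource IDs (placeholder subscription, not a real deployment).
ACCOUNT = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-automation"
    "/providers/Microsoft.Storage/storageAccounts/stconfigs"
)
CONFIGS = ACCOUNT + "/blobServices/default/containers/configs"
SECRETS = ACCOUNT + "/blobServices/default/containers/secrets"

# Option A from the question: Contributor scoped to the configs container only.
ASSIGNMENTS = [Assignment("automation-mi", "Storage Blob Data Contributor", CONFIGS)]

if __name__ == "__main__":
    for target in (CONFIGS + "/blobs/app.json", SECRETS + "/blobs/db.json"):
        print(target.split("/containers/")[1], "write:",
              is_allowed(ASSIGNMENTS, "automation-mi", BLOB_WRITE, target))
```

Swap the assignment scope for `ACCOUNT` (the storage account itself) and the same principal can write into every container, which is exactly the over-grant that Options B and C introduce at progressively wider scopes.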

677
MCQ · medium

An administrator grants the Helpdesk group the User Administrator role at the tenant scope. The team should be able to reset passwords only for users in the Europe-Users administrative unit. What should the administrator do?

A. Assign the User Administrator role to Helpdesk for the Europe-Users administrative unit only.
B. Create a Conditional Access policy that targets Helpdesk and Europe-Users.
C. Assign the Password Administrator role at the tenant scope and use Privileged Identity Management.
D. Create a custom RBAC role in the subscription and assign it to Helpdesk.
Answer: A

This scopes the role to the administrative unit and limits administration to users in that unit.

Why this answer

Option A is correct because Azure AD administrative units allow scoping of role assignments to a subset of users, groups, or devices. By assigning the User Administrator role to the Helpdesk group scoped to the Europe-Users administrative unit, the team can reset passwords only for users within that unit, meeting the requirement without granting broader tenant-wide permissions.

Exam trap

The trap here is confusing Azure AD administrative units (which scope directory roles) with Azure RBAC (which scopes resource management) or Conditional Access (which controls authentication policies), leading candidates to select options that address the wrong layer of access control.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies control authentication and access conditions (e.g., MFA, location), not role-based permissions like password reset; they cannot scope administrative roles. Option C is wrong because assigning the Password Administrator role at the tenant scope grants the ability to reset passwords for all users in the tenant, not just those in Europe-Users, and Privileged Identity Management (PIM) provides just-in-time activation but does not change the scope of the role. Option D is wrong because custom RBAC roles in Azure subscriptions apply to Azure resources (e.g., VMs, storage), not to Azure AD user objects or password reset operations, which are managed via Azure AD roles.

678
MCQ · medium

A subnet uses a user-defined route that sends 0.0.0.0/0 to a firewall appliance. One server in the subnet must download updates directly from 40.90.10.25 over the Internet, while all other outbound traffic should continue through the firewall. What is the best change?

A. Remove the default route so all traffic uses the system routes.
B. Add a more specific /32 route for 40.90.10.25 with next hop type Internet.
C. Create a service endpoint for the server and the update site.
D. Attach a NAT gateway to the subnet so the server can bypass the firewall.
Answer: B

Azure uses longest-prefix matching when selecting routes. A specific /32 route for one destination is more specific than the broader 0.0.0.0/0 forced-tunnel route, so traffic to that IP can bypass the firewall and go directly to the Internet. This is the cleanest way to create a targeted exception without changing the behavior for all other outbound traffic from the subnet.

Why this answer

Option B is correct because adding a more specific /32 route for 40.90.10.25 with next hop type Internet overrides the default route (0.0.0.0/0) for traffic destined to that specific IP. User-defined routes (UDRs) follow the longest prefix match principle, so the /32 route takes precedence over the /0 route, allowing the server to reach the update site directly via the internet while all other outbound traffic continues through the firewall appliance.

Exam trap

The trap here is that candidates often think a NAT gateway or service endpoint can bypass a firewall for specific traffic, but they fail to understand that route precedence (longest prefix match) is the only way to override a default route for a specific destination in Azure.

How to eliminate wrong answers

Option A is wrong because removing the default route would break all outbound traffic that needs to go through the firewall, leaving the subnet with no path to the internet for other workloads. Option C is wrong because a service endpoint is used to securely connect to Azure PaaS services (like Azure Storage or SQL Database) over the Azure backbone, not to route traffic to a public IP address like 40.90.10.25 over the internet. Option D is wrong because attaching a NAT gateway to the subnet would translate the server's private IP to a public IP but would not bypass the firewall; the NAT gateway still uses the effective route table, and the default route to the firewall would still apply unless overridden by a more specific route.
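To make the longest-prefix-match reasoning concrete, here is an added Python model of Azure route selection; it is not code from the question bank or from Azure. It assumes a constructed effective route table for the subnet in the question (the VNet range 10.1.0.0/16 is hypothetical) and goes one step beyond the text by also applying Azure's tie-break for equal prefixes, where a user-defined route wins over a BGP route, which wins over a system route.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break when two routes have the same prefix length: user-defined > BGP > system.
SOURCE_PRIORITY = {"user": 2, "bgp": 1, "system": 0}


@dataclass(frozen=True)
class Route:
    prefix: str     # destination CIDR
    next_hop: str   # next hop type, e.g. "VirtualAppliance", "Internet", "VnetLocal"
    source: str     # "system", "bgp" or "user"


# Constructed effective route table for the subnet in the question (hypothetical VNet range).
SUBNET_ROUTES = [
    Route("10.1.0.0/16", "VnetLocal", "system"),       # system route for the VNet itself
    Route("0.0.0.0/0", "Internet", "system"),          # system default route to the Internet
    Route("0.0.0.0/0", "VirtualAppliance", "user"),    # UDR: forced tunnel everything to the firewall
    Route("40.90.10.25/32", "Internet", "user"),       # UDR: targeted exception for the update host
]


def select_route(routes, destination: str):
    """Return the route Azure would use for `destination`, or None if nothing matches.

    The winner is the matching route with the longest prefix; equal prefixes are
    decided by SOURCE_PRIORITY.
    """
    dst = ipaddress.ip_address(destination)
    best, best_key = None, None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if dst not in net:
            continue
        key = (net.prefixlen, SOURCE_PRIORITY[r.source])
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def next_hop_for(routes, destination: str):
    """Convenience wrapper returning just the next hop type (or None)."""
    r = select_route(routes, destination)
    return r.next_hop if r else None


if __name__ == "__main__":
    for ip in ("40.90.10.25", "8.8.8.8", "10.1.4.7"):
        print(ip, "->", next_hop_for(SUBNET_ROUTES, ip))
```

Drop the final /32 entry from `SUBNET_ROUTES` and the update host is routed to the firewall like everything else, which is the behaviour Option B is meant to override for that one destination only.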

679
Drag & Drop · medium

Arrange the steps to deploy an Azure Policy that enforces tagging on resources.


Why this order

Go to Policy, create definition, define rule, assign, test.

680
MCQ · medium

A workload uses Azure Blob Storage for customer uploads. The team wants protection against a datacenter failure within the primary region and wants data copied to a paired region for disaster recovery, but they do not need to read from the secondary region during normal operations. Which redundancy option fits best?

A. ZRS
B. GZRS
C. RA-GZRS
D. GRS
Answer: B

GZRS protects against zone failure and also replicates data to a paired region for disaster recovery.

Why this answer

GZRS (Geo-Zone-Redundant Storage) is correct because it combines ZRS within the primary region (synchronously replicating data across three Azure availability zones) with asynchronous geo-replication to a paired secondary region. This provides protection against both a datacenter failure (via ZRS) and a full region failure (via geo-replication), while the lack of read access from the secondary during normal operations matches the requirement exactly.

Exam trap

The trap here is that candidates often confuse GRS with GZRS, assuming GRS provides zone-level redundancy, but GRS only uses LRS in the primary region, leaving data vulnerable to a single datacenter failure within that region.

How to eliminate wrong answers

Option A (ZRS) is wrong because it replicates data synchronously only across availability zones within the primary region; it keeps no copy in a paired region, so it provides no disaster recovery if the whole primary region is lost. Option C (RA-GZRS) is wrong because it adds read access to the secondary region, which the team explicitly does not need during normal operations, and this extra capability incurs additional cost and complexity. Option D (GRS) is wrong because it replicates data asynchronously to a paired region but uses LRS within the primary region, meaning a datacenter failure within the primary region could cause data loss if the LRS copy is lost before geo-replication completes.

681
Drag & Drop · medium

Arrange the steps to create an Azure Storage account with a container and upload a blob.


Why this order

Create storage account, create container, set access, upload blob, generate SAS.

682
Multi-Select · hard

A resource group has a ReadOnly lock applied to it. An operator can view the resources, but several portal changes fail. Which two operations will fail because of the lock? Select two.

Select 2 answers
A. Changing the size of an existing virtual machine in the resource group will fail because it is a write operation.
B. Deleting a storage account in the resource group will fail because deletion is also blocked by ReadOnly.
C. Reading the resource group's activity log will fail because lock-protected scopes cannot be queried.
D. Listing the resources in the resource group with Azure CLI will fail because enumeration is a write operation.
E. Fetching the current VM configuration from the ARM API will fail because reads are denied by the lock.
Answers: A, B

Resizing a VM modifies the resource configuration, so it is a write action. A ReadOnly lock blocks all write operations at the locked scope and below, which means even an otherwise valid size change is rejected while the lock remains in place.

Why this answer

A is correct because changing the size of an existing virtual machine is a write operation that modifies the VM's configuration. A ReadOnly lock on the resource group prevents all write and delete operations, so any attempt to resize the VM will fail. B is correct for the same reason: deleting a storage account is a delete operation, and the lock blocks deletes at the locked scope and below. The lock does not affect read operations, which remain functional.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with read-only permissions, incorrectly assuming that all read operations (like listing resources or fetching configurations) are also blocked, when in fact only write and delete operations are denied.

683
MCQ · medium

You want Azure to identify security improvements, underutilized resources, and cost-saving opportunities across your subscriptions. Which Azure service should you use?

A. Azure Advisor
B. Azure Policy
C. Azure Backup
D. Virtual network peering
Answer: A

Azure Advisor provides optimization and best-practice recommendations.

Why this answer

Azure Advisor is the correct service because it provides personalized recommendations across five categories: Reliability, Security, Performance, Operational Excellence, and Cost. It analyzes your deployed resources and usage patterns to identify security improvements (e.g., missing network security groups), underutilized resources (e.g., idle virtual machines), and cost-saving opportunities (e.g., reserved instance purchases). This aligns directly with the question's requirement for a unified service that delivers these insights across subscriptions.

Exam trap

The trap here is that candidates confuse Azure Advisor's proactive recommendations with Azure Policy's reactive compliance enforcement, mistakenly thinking Policy can identify underutilized resources or cost-saving opportunities when it only enforces rules.

How to eliminate wrong answers

Option B is wrong because Azure Policy is a governance tool that enforces compliance rules (e.g., tagging requirements, allowed SKUs) across resources, but it does not analyze usage patterns or provide cost-saving or security improvement recommendations. Option C is wrong because Azure Backup is a data protection service for creating and managing backup policies for Azure resources (e.g., VMs, SQL databases), not for identifying underutilized resources or cost-saving opportunities. Option D is wrong because Virtual network peering is a networking feature that connects two Azure virtual networks for direct traffic routing, with no capability to analyze resource utilization or provide security or cost recommendations.

684
Multi-Select · easy

A VM-hosted application must read blobs from Azure Storage without storing any keys or passwords. Which two identity types can the VM use to authenticate to Azure Storage? Select two.

Select 2 answers
A. System-assigned managed identity, because it is tied to one VM and can request tokens without stored secrets.
B. User-assigned managed identity, because it can be reused by multiple resources without embedding credentials.
C. Storage account shared key, because it is the preferred credential when you want to avoid passwords.
D. Basic authentication with a storage account name and password, because Azure Storage supports that model directly.
E. Anonymous public access, because it lets the VM read blobs without any authentication at all.
Answers: A, B

A system-assigned managed identity is attached to one resource and avoids storing any secret in the application.

Why this answer

System-assigned managed identity is correct because it is directly tied to a single VM and can request tokens from Azure AD without storing any secrets or keys. The VM uses its managed identity to authenticate to Azure Storage by obtaining an OAuth 2.0 token, which is then passed to the storage service via the Authorization header. This eliminates the need for any stored credentials, meeting the requirement of not storing keys or passwords. A user-assigned managed identity is equally valid: it is a standalone Azure resource that can be attached to several VMs and obtains tokens the same way, again without any credential stored in the application.

Exam trap

The trap here is that candidates often confuse managed identities with shared access signatures (SAS) or shared keys, thinking that any identity-based method requires storing a secret, or they incorrectly assume that anonymous access is a valid identity type for application authentication.

685
Multi-Select · easy

A Windows VM in Azure must upload log files to a blob container every hour. Security policy forbids storing the storage account key or any long-lived SAS token on the VM. Which two actions should the administrator take? Select two.

Select 2 answers
A. Enable a system-assigned managed identity on the VM.
B. Assign the Storage Blob Data Contributor role to that identity on the storage account or container.
C. Copy the storage account access key into a configuration file on the VM.
D. Assign the Reader role at the resource group scope to the VM identity.
E. Create a shared access signature that never expires and place it on the VM.
Answers: A, B

A system-assigned managed identity gives the VM an Azure identity without storing secrets on the server. It can authenticate to Azure Storage through Microsoft Entra ID.

Why this answer

A system-assigned managed identity on the VM allows it to authenticate to Azure AD without storing any credentials. By assigning the Storage Blob Data Contributor role to that identity on the storage account or container, the VM can upload logs using Azure AD authentication, which satisfies the security policy forbidding storage account keys or long-lived SAS tokens.

Exam trap

The trap here is that candidates often confuse the Reader role (which only grants control plane read access) with data plane roles like Storage Blob Data Contributor, or mistakenly think a non-expiring SAS is acceptable despite the explicit security policy forbidding long-lived credentials.

686
Multi-Select · hard

An application runs on two VMs in one Azure region. The business wants protection from a single hardware host failure and planned maintenance, but it does not require protection from an entire datacenter outage. Which two choices should the administrator make? Select two.

Select 2 answers
A. Place the workload in a single VM with a premium SSD.
B. Place both VMs in an availability set.
C. Use availability zones across the region.
D. Keep at least two running VMs in that availability set.
E. Replicate the VMs to another region with Azure Site Recovery.
Answers: B, D

Correct. Availability sets are the standard option for protecting VMs from host and maintenance domain failures.

Why this answer

An availability set distributes VMs across multiple fault domains (hardware hosts) and update domains within a single Azure datacenter. This protects against a single hardware host failure and planned maintenance (update domains ensure VMs are not rebooted simultaneously during updates). Option B is correct because it provides this isolation without requiring protection from an entire datacenter outage. Option D is correct because that distribution only helps while at least two instances are running; with a single VM there is no second fault or update domain to keep the application up during a host failure or maintenance reboot.

Exam trap

The trap here is that candidates often confuse availability zones (which protect against datacenter failure) with availability sets (which protect against host failure and maintenance), leading them to select option C when the requirement is only for host-level and maintenance protection.

687
MCQ · medium

An administrator archived monthly log exports in a blob container six weeks ago. An auditor now needs to open one of those files later today, and the file must be readable from Azure Storage rather than restored from a separate backup copy. What should the administrator do?

A. Open the blob directly from the Archive tier because archived blobs remain online for read access.
B. Start rehydration of the blob to the Hot tier before opening it.
C. Change the blob to the Cold tier, because Cold is designed for archived content.
D. Use a snapshot of the archived blob, because snapshots can be opened even when the base blob is archived.
Answer: B

Archived blobs are not immediately readable, so the administrator must rehydrate the blob back to an online tier first. Hot is appropriate when the file needs to be accessible again as soon as the rehydration completes and may be used actively during the audit. This is the correct operational response when the blob must be read later the same day.

Why this answer

Option B is correct because blobs in the Archive tier are offline and cannot be read directly. To access the data, the blob must first be rehydrated to the Hot or Cool tier, which changes its state to online and readable. Rehydration can take up to 15 hours, so the administrator must start this process well before the auditor needs the file.

Exam trap

The trap here is that candidates assume archived blobs are still readable because they appear in the storage account listing, but Azure's Archive tier explicitly stores data offline, requiring explicit rehydration before any read operation.

How to eliminate wrong answers

Option A is wrong because archived blobs are stored offline and cannot be read until rehydrated; while in the Archive tier only their metadata can be read and their tier changed. Option C is wrong because the Cold tier is a separate online access tier for infrequently accessed data, not a home for archived content; changing the tier to Cold does not by itself make an archived blob readable without a rehydration. Option D is wrong because snapshots of an archived blob are also in the Archive tier and inherit the same offline state; they cannot be read without rehydrating the base blob or the snapshot itself.

688
MCQ · easy

Based on the exhibit, the spoke virtual network must use the hub's existing VPN gateway to reach on-premises networks. Which peering setting should be enabled on the spoke-to-hub peering?

A. Allow forwarded traffic on the spoke peering.
B. Use remote gateways on the spoke peering.
C. Delete the peering and create a virtual network gateway in the spoke.
D. Enable service endpoints on the spoke subnet.
Answer: B

To let the spoke use the hub's VPN gateway, the spoke-to-hub peering must be configured with Use remote gateways enabled. This tells Azure that the spoke should send gateway-bound traffic through the remote VNet's gateway rather than deploying its own gateway. It is the required setting in a hub-and-spoke design with shared VPN connectivity.

Why this answer

Option B is correct because the 'Use remote gateways' setting on the spoke-to-hub peering allows the spoke virtual network to use the hub's existing VPN gateway for connectivity to on-premises networks. This setting forwards traffic from the spoke through the hub's gateway, enabling transitive routing without deploying a separate gateway in the spoke. It requires the hub-to-spoke peering to have 'Allow gateway transit' enabled.

Exam trap

The trap here is that candidates often confuse 'Allow forwarded traffic' with 'Use remote gateways', mistakenly thinking that enabling forwarded traffic alone is sufficient to route spoke traffic through the hub's VPN gateway, when in fact 'Use remote gateways' is the specific setting required for gateway transit.

How to eliminate wrong answers

Option A is wrong because 'Allow forwarded traffic' on the spoke peering only permits traffic from the hub to be forwarded to the spoke, but it does not enable the spoke to use the hub's VPN gateway; it is a prerequisite for gateway transit but not sufficient alone. Option C is wrong because deleting the peering and creating a virtual network gateway in the spoke would introduce unnecessary cost and complexity, contradicting the requirement to use the hub's existing VPN gateway. Option D is wrong because service endpoints provide secure access to Azure PaaS services (e.g., Storage, SQL) from the spoke subnet, but they have no role in routing traffic through a VPN gateway to on-premises networks.

689
Matching · easy

Match each VM identity concept to its best use.


Matches
- Best for one VM; the identity is deleted with the VM.
- Can be attached to multiple VMs.
- Lets an app get Azure tokens without storing secrets.
- Grants permissions to an Azure resource at a chosen scope.

Why these pairings

Managed identities (system or user-assigned) eliminate credential management; Azure AD app identity is for custom apps; IMDS provides tokens; role assignments grant access to resources.

690
MCQ · medium

A developer deleted a single configuration file on a Windows Azure VM. The administrator wants to restore only that file from the latest backup without replacing the entire VM. Which restore workflow should be used?

A. Restore the entire VM to a new instance
B. Use file recovery from the backup item
C. Create a new storage account and copy the file from there
D. Enable a resource lock on the VM
Answer: B

File recovery lets an administrator mount the backup content and copy back only the deleted file or folder. That is the most efficient option when the VM itself is healthy and only a small set of files needs to be recovered. It avoids downtime and avoids replacing the whole virtual machine or disk set.

Why this answer

Option B is correct because Azure Backup provides file-level recovery for Azure VMs using the 'File Recovery' feature. This allows you to mount the recovery point as a drive on the VM (or another machine) and copy individual files without restoring the entire VM. It uses iSCSI to present the backup snapshot directly to the VM for granular file access.

Exam trap

The trap here is that candidates may assume file-level recovery is not possible with Azure VM backups and choose the full VM restore option, not realizing that Azure Backup supports granular file recovery via iSCSI mounting.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM to a new instance would replace the entire VM and is overkill for a single file, incurring unnecessary time and cost. Option C is wrong because creating a new storage account and copying the file from there does not leverage Azure Backup's recovery points; the file is not directly accessible from a storage account without restoring the backup first. Option D is wrong because enabling a resource lock on the VM prevents accidental deletion or modification but does not provide any file restoration capability.

691
MCQ · medium

A stateless web application is hosted on an Azure virtual machine scale set. Traffic is predictable: CPU usage stays below 20% overnight, then rises above 70% during business hours. The administrator wants the instance count to increase automatically when average CPU stays high for 10 minutes and to decrease after demand drops. What should be configured?

A. A proximity placement group for the scale set instances.
B. Manual scale operations only.
C. Autoscale rules on the virtual machine scale set.
D. An availability set with three update domains.
Answer: C

Autoscale rules can add or remove VMSS instances based on CPU thresholds and time conditions.

Why this answer

Autoscale rules on the virtual machine scale set allow the administrator to define a scale-out condition (e.g., average CPU > 70% for 10 minutes) and a scale-in condition (e.g., average CPU < 20% for a specified duration). This matches the requirement for automatic, metric-based scaling based on predictable traffic patterns.

Exam trap

The trap here is that candidates may confuse availability sets or proximity placement groups with autoscaling, thinking they provide automatic instance count adjustments, when in fact they only address placement or fault tolerance.

How to eliminate wrong answers

Option A is wrong because a proximity placement group is used to reduce network latency between VMs by ensuring they are physically close, not for automatic scaling based on CPU metrics. Option B is wrong because manual scale operations require an administrator to manually change the instance count, which does not meet the requirement for automatic scaling when CPU stays high or drops. Option D is wrong because an availability set with update domains is a high-availability feature for VMs, not a scaling mechanism; it does not provide automatic scaling based on CPU usage.

692
Multi-Select · easy

Which two Network Watcher tools can help you diagnose whether a VM can reach another address and whether a specific flow is allowed or denied? Select two.

Select 2 answers
A. Connection troubleshoot
B. IP flow verify
C. Packet capture
D. Effective routes
E. Network topology
Answers: A, B

Correct because Connection troubleshoot checks reachability from a source VM to a destination and reports blocking issues.

Why this answer

Connection Troubleshoot (A) is correct because it performs end-to-end connectivity checks between a source VM and a target (IP/FQDN/URL), testing latency, packet loss, and hop-by-hop routing. It also identifies whether the connection is blocked by NSG or firewall rules, making it ideal for diagnosing reachability and flow permission issues. IP flow verify (B) is correct because it evaluates the NSG rules that apply to a VM's NIC for one specific flow (direction, protocol, source and destination address and port) and reports whether that flow is allowed or denied and which rule made the decision.

Exam trap

The trap here is that candidates often confuse 'Packet capture' with flow analysis, but Packet Capture only records traffic without evaluating Azure's NSG or routing policies, whereas IP Flow Verify explicitly checks rule evaluation.

693
MCQ · medium

An NSG outbound rule allows TCP 8443 traffic from ASG-Web to ASG-Api. The web VM NIC is in ASG-Web, but the API VM NICs were deployed into the correct subnet and never added to ASG-Api. The traffic still fails. What should the administrator do?

A. Move the NSG to the web subnet so source membership is automatically detected.
B. Add the API VM NICs to ASG-Api.
C. Change the destination port to 443 because ASGs only work with common HTTPS traffic.
D. Create a service endpoint for the spoke subnet so the NSG rule becomes effective.
Answer: B

ASG-based NSG rules match the actual NIC memberships, so the destination VMs must be in ASG-Api.

Why this answer

The NSG rule references ASG-Api as the destination, but the API VM NICs were never added to that application security group. ASGs are logical groupings of VM NICs; a rule targeting an ASG only applies to NICs that are members of that ASG. Since the API NICs are not in ASG-Api, the rule does not match them, and traffic fails.

Adding the API VM NICs to ASG-Api resolves the issue by making them valid destinations for the rule.

Exam trap

The trap here is that candidates assume ASGs automatically include all VMs in the same subnet, but ASGs require explicit NIC membership and do not inherit subnet scope.

How to eliminate wrong answers

Option A is wrong because moving the NSG to the web subnet does not affect destination membership; ASG membership is based on NIC assignment, not subnet location, and the NSG is already associated with the subnet or NIC. Option C is wrong because ASGs have no port restrictions; they work with any TCP/UDP port, and changing to 443 would not fix the membership issue. Option D is wrong because service endpoints are used for secure access to Azure PaaS services (e.g., Storage, SQL) and have no bearing on NSG rule enforcement or ASG membership.

694
MCQ · hard

Your organization wants all subscriptions under the Corp-MG management group to inherit a policy that blocks deployment of resource types not on an approved list. Which Azure feature should you use?

A. Azure Policy assigned at the management group scope
B. A custom RBAC role assigned at the tenant root
C. A ReadOnly lock on each subscription
D. A budget alert for each subscription
Answer: A

Management group policy assignments are inherited by child subscriptions and can restrict allowed resource types.

Why this answer

Azure Policy assigned at the management group scope is the correct choice because it allows you to enforce governance rules across all subscriptions within a management group hierarchy. By creating a policy definition that blocks deployment of resource types not on an approved list and assigning it to the Corp-MG management group, the policy will be inherited by all child subscriptions, ensuring consistent compliance without manual configuration per subscription.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties and types) with Azure RBAC (which controls user permissions), leading candidates to incorrectly choose a custom RBAC role when the question explicitly asks about blocking resource types.

How to eliminate wrong answers

Option B is wrong because a custom RBAC role assigned at the tenant root controls permissions (who can do what) but does not enforce resource type restrictions; RBAC is for access control, not for blocking specific resource deployments. Option C is wrong because a ReadOnly lock prevents modifications or deletions of existing resources but does not block the creation of new resource types; it is a lock, not a policy-based restriction. Option D is wrong because a budget alert notifies you about spending thresholds but does not prevent deployment of unapproved resource types; it is a cost management tool, not a governance enforcement mechanism.

695
MCQ · medium

A company needs to peer VNet-Prod, which uses 10.30.0.0/16, with VNet-Shared, which uses 10.30.64.0/18. The peering creation fails with an address-space overlap error. The team can renumber the shared environment, but they do not want to change any addresses in VNet-Prod. What should the administrator do before retrying the peering?

A.Add an NSG that allows traffic between the two VNets.
B.Reconfigure VNet-Shared to use a non-overlapping address range, then recreate its subnets and migrate workloads.
C.Rename VNet-Shared so Azure treats it as a different network.
D.Enable gateway transit on both VNets so Azure can route around the overlap.
AnswerB

Azure VNet peering requires the two address spaces to be unique and non-overlapping. If any prefix overlaps, the peering cannot be created. The correct fix is to renumber one VNet by introducing a different address range, rebuilding or moving subnets as needed, and then removing the conflicting range. This addresses the root cause instead of trying to work around it with security or routing settings.

Why this answer

VNet peering requires that the address spaces of the two VNets do not overlap. VNet-Prod uses 10.30.0.0/16, which includes the range 10.30.64.0/18 used by VNet-Shared, causing the overlap error. The only way to resolve this without changing VNet-Prod is to reconfigure VNet-Shared to use a non-overlapping address range, which involves deleting and recreating its subnets and migrating workloads, as stated in option B.

Exam trap

The trap here is that candidates may think gateway transit or NSGs can bypass address space overlap, but Azure strictly enforces non-overlapping address spaces for VNet peering, and no network feature can override this fundamental routing requirement.

How to eliminate wrong answers

Option A is wrong because NSGs filter traffic at the subnet or NIC level and do not resolve address space overlap, which is a fundamental routing conflict that prevents peering from being established. Option C is wrong because renaming a VNet does not change its address space; Azure identifies VNets by their resource ID and address prefixes, not by name. Option D is wrong because gateway transit is used to route traffic through a VPN gateway or ExpressRoute gateway, but it does not resolve overlapping address spaces; overlapping ranges still cause routing conflicts even with gateway transit enabled.

696
MCQmedium

You need to ensure that administrators cannot accidentally delete a production virtual network, but they must still be able to update subnet settings. Which Azure feature should you apply?

A.A CanNotDelete lock
B.A ReadOnly lock
C.An Azure Policy deny assignment
D.A budget alert
AnswerA

This prevents deletion while allowing modifications.

Why this answer

A CanNotDelete lock (Azure resource lock) prevents accidental deletion of the virtual network while allowing all other operations, including updates to subnet settings. This lock type blocks DELETE requests at the Azure Resource Manager level, but permits PUT and PATCH operations, so administrators can still modify subnet configurations.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces rules on resource properties) with resource locks (which control deletion or modification permissions), leading them to select a deny assignment instead of the simpler CanNotDelete lock.

How to eliminate wrong answers

Option B is wrong because a ReadOnly lock prevents all write operations, including updates to subnet settings, which violates the requirement that administrators must be able to update subnet settings. Option C is wrong because an Azure Policy deny assignment enforces compliance rules (e.g., requiring specific tags or SKUs) and is not designed to prevent deletion of a specific resource; it can block creation or modification based on policy conditions but does not provide a simple deletion guard. Option D is wrong because a budget alert only sends notifications when spending exceeds thresholds; it does not block any actions, including deletion.

697
MCQmedium

An organization has one Azure subscription with separate resource groups for Development and Operations. A contractor must start, stop, and read the properties of virtual machines only in RG-Operations. The contractor must not have access to virtual machines in RG-Development. Where should the role assignment be created?

A.At the subscription scope
B.At the RG-Operations resource group scope
C.At the management group scope
D.At an individual virtual machine scope
AnswerB

This limits the assignment to only resources inside RG-Operations, which satisfies least privilege.

Why this answer

Role assignments in Azure are inherited from higher scopes (management group, subscription, resource group) down to lower scopes. To grant the contractor the Virtual Machine Contributor role (or a custom role with start/stop/read permissions) only on VMs in RG-Operations and explicitly deny access to RG-Development, the assignment must be scoped to the RG-Operations resource group. Assigning at a higher scope (subscription or management group) would grant access to all resource groups, including RG-Development, violating the requirement.

Exam trap

The trap here is that candidates often assume assigning a role at the subscription scope is simpler and still allows them to control access via resource group membership, but they forget that role assignments at higher scopes are inherited by all child scopes, granting unintended access to resources in other resource groups like RG-Development.

How to eliminate wrong answers

Option A is wrong because assigning the role at the subscription scope would grant the contractor the specified permissions on all virtual machines in every resource group under that subscription, including RG-Development, which violates the requirement to restrict access to only RG-Operations. Option C is wrong because a management group scope would apply the role assignment to all subscriptions and resource groups within that management group hierarchy, again granting unintended access to RG-Development. Option D is wrong because while an individual VM scope would restrict access to a single VM, it would require creating separate role assignments for each VM in RG-Operations, which is inefficient and does not scale; the requirement is to grant access to all VMs in the resource group, not per-VM.

698
MCQmedium

Based on the exhibit, what should you configure so the analysts can manage group membership without granting Azure resource permissions?

A.Assign the service desk analysts the User Administrator role in Microsoft Entra ID.
B.Add the service desk analysts as owners of the App-Support group.
C.Create separate local administrator accounts for each analyst.
D.Assign Contributor on the subscription to the service desk analysts.
AnswerB

Group ownership lets those analysts manage membership for that specific group without giving them Azure resource permissions. This is the least-privilege approach for delegating ongoing membership changes.

Why this answer

Option B is correct because adding the service desk analysts as owners of the App-Support group grants them the ability to manage group membership directly within Microsoft Entra ID (formerly Azure AD) without assigning any Azure RBAC permissions on resources. Group owners can add or remove members from the group, but they do not inherit any permissions to manage Azure resources like VMs or storage accounts.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID administrative roles (like User Administrator) with the more granular group ownership delegation, assuming that managing group membership requires a broader directory role rather than simply being added as an owner of the specific group.

How to eliminate wrong answers

Option A is wrong because the User Administrator role in Microsoft Entra ID grants broad permissions to manage all users and groups across the tenant, which is excessive for simply managing membership of a single group and could lead to unintended security risks. Option C is wrong because creating separate local administrator accounts for each analyst would grant full administrative access to the local machine, not just group membership management, and does not address managing group membership in Microsoft Entra ID. Option D is wrong because assigning the Contributor role on the subscription grants full permissions to manage all Azure resources within that subscription, which is far beyond the requirement to only manage group membership and would violate the principle of least privilege.

699
MCQeasy

Based on the exhibit, a stateless web app must add VM instances during business hours and remove them at night based on CPU usage. Which Azure service should the administrator deploy?

A.An availability set with two virtual machines.
B.An Azure virtual machine scale set.
C.A single Azure VM with a larger size.
D.A recovery services vault.
AnswerB

A virtual machine scale set is designed for identical VM instances that can scale out and scale in automatically. It works well for stateless workloads, and autoscale rules can use CPU thresholds or schedules to adjust capacity over time. This exactly matches the requirement for business-hour scaling.

Why this answer

An Azure virtual machine scale set (VMSS) is the correct choice because it automatically scales the number of VM instances in or out based on CPU usage metrics, and it supports scheduled scaling to add instances during business hours and remove them at night. This aligns with the stateless web app requirement for elastic, automated scaling without manual intervention.

Exam trap

The trap here is that candidates often confuse availability sets (which provide high availability) with scale sets (which provide autoscaling), leading them to pick Option A for a scenario that explicitly requires dynamic scaling based on load and schedule.

How to eliminate wrong answers

Option A is wrong because an availability set only provides high availability by distributing VMs across fault and update domains, but it does not offer any autoscaling capability based on CPU usage or time-based schedules. Option C is wrong because a single larger VM cannot dynamically add or remove instances; it only provides fixed compute capacity and cannot scale out to handle variable load. Option D is wrong because a Recovery Services vault is used for backup and disaster recovery, not for scaling compute resources.

700
Multi-Selecthard

A company has an Azure Storage account that stores application files in Blob Storage. VMs in AppSubnet must access the blobs by using the standard storage account name, but traffic must stay private and the public endpoint must not be used. Which two actions should the administrator take? Select two.

Select 2 answers
A.Create a private endpoint for the blob service in AppSubnet.
B.Enable a service endpoint for Microsoft.Storage on AppSubnet.
C.Link a private DNS zone for privatelink.blob.core.windows.net to the VNet.
D.Generate a shared access signature and email it to the VMs.
E.Add a virtual network rule to the storage account and keep the public endpoint open.
AnswersA, C

A private endpoint gives the storage account a private IP address inside the VNet, so the VM traffic stays on private addressing and avoids the public endpoint.

Why this answer

Option A is correct because a private endpoint assigns the blob service a private IP address from the AppSubnet, allowing VMs to access the storage account using the standard storage account name (e.g., mystorageaccount.blob.core.windows.net) while keeping all traffic within the Microsoft Azure backbone network and bypassing the public endpoint entirely. This satisfies the requirement that traffic must stay private and the public endpoint must not be used.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both provide the same level of privacy, but service endpoints still use the public endpoint for the data plane while private endpoints provide a fully private IP address and eliminate public internet exposure.

701
MCQeasy

Based on the exhibit, help desk staff must restart virtual machines only in RG-App. What is the narrowest scope where you should assign the role?

A.Assign the role at the subscription scope for Sub-IT-01.
B.Assign the role at the management group scope above the subscription.
C.Assign the role at the RG-App resource group scope.
D.Assign the role at the individual VM scope only.
AnswerC

A resource group scope is the narrowest scope that still covers both VMs in RG-App while excluding RG-Shared.

Why this answer

The narrowest scope that grants the necessary permissions to restart VMs only in RG-App is the resource group scope. Assigning the Virtual Machine Contributor role at the RG-App resource group level ensures that help desk staff can restart VMs within that specific resource group without having permissions to any other resources in the subscription or management group. This follows the principle of least privilege, limiting access to only what is required.

Exam trap

The trap here is that candidates often choose the subscription scope (Option A) thinking it is simpler, but they overlook the requirement to restrict actions to only one resource group, violating the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because assigning the role at the subscription scope (Sub-IT-01) would grant permissions to restart VMs in all resource groups within that subscription, including those outside RG-App, which violates the requirement to restrict actions to RG-App only. Option B is wrong because assigning the role at the management group scope above the subscription would apply permissions to all subscriptions under that management group, far exceeding the needed scope and potentially granting access to VMs in other subscriptions. Option D is wrong because assigning the role at the individual VM scope would require assigning the role to each VM separately, which is not the narrowest scope that still covers all VMs in RG-App; the resource group scope is narrower than subscription/management group but broader than individual VMs, and it is the most efficient and appropriate scope for managing all VMs in a resource group collectively.

702
MCQeasy

A team wants an Azure Storage account to be reachable only from a single Azure virtual network and to use a private IP address inside that network. Which option should the administrator configure?

A.A service endpoint on the subnet.
B.A private endpoint for the storage account.
C.A public IP address with an NSG inbound allow rule.
D.A VPN gateway connection to the storage account.
AnswerB

A private endpoint gives the storage account a private IP address in the VNet, which is the best fit for private-only access.

Why this answer

A private endpoint assigns a private IP address from the virtual network to the storage account, making it reachable only from that VNet over the Microsoft backbone network. This meets the requirement of exclusive access and private IP usage, unlike a service endpoint which still exposes the storage account to the public internet via its public endpoint.

Exam trap

The trap here is confusing service endpoints with private endpoints: both restrict access to a VNet, but only a private endpoint provides a private IP address and fully removes public internet exposure.

How to eliminate wrong answers

Option A is wrong because a service endpoint extends the VNet identity to the storage account's public endpoint but does not assign a private IP address; the storage account remains accessible via its public endpoint from the internet. Option C is wrong because a public IP address with an NSG rule still exposes the storage account to the internet, and storage accounts do not have a public IP address that can be directly controlled by an NSG. Option D is wrong because a VPN gateway connects on-premises networks to Azure VNets, not to individual storage accounts, and does not provide a private IP address for the storage account.

703
MCQhard

Your organization requires all storage accounts to allow access only from selected networks. You need a governance solution that automatically corrects noncompliant new storage accounts when possible instead of only reporting them. What policy effect should you choose?

A.Audit
B.Disabled
C.DeployIfNotExists
D.Append
AnswerC

This effect supports automatic remediation when conditions are not met.

Why this answer

The DeployIfNotExists policy effect is correct because it can automatically remediate noncompliant storage accounts by deploying a network rules configuration that restricts access to selected networks. Unlike Audit, which only reports compliance status, DeployIfNotExists actively modifies the resource to meet the policy requirement when possible, aligning with the need for automatic correction.

Exam trap

The trap here is that candidates often choose Append thinking it can modify network rules, but Append only adds properties to the resource (like tags) and cannot change existing network access configurations, whereas DeployIfNotExists can deploy a full remediation template.

How to eliminate wrong answers

Option A is wrong because Audit only logs compliance state without making any changes, so it cannot automatically correct noncompliant resources. Option B is wrong because Disabled completely deactivates the policy, providing no governance or remediation. Option D is wrong because Append adds fields to a resource but cannot modify existing network rules or enforce network restrictions on storage accounts; it is typically used for tagging or adding properties, not for configuring network access controls.

704
MCQmedium

You need to expose a web application running on several VMs and distribute traffic across them based on HTTP request attributes such as URL path. Which service should you use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Traffic Manager
D.Network Watcher
AnswerB

Application Gateway supports Layer 7 features including path-based routing.

Why this answer

Azure Application Gateway is a Layer 7 load balancer that can route traffic based on HTTP request attributes such as URL path, host headers, or query strings. This allows you to distribute incoming web traffic across multiple VMs based on the specific URL path (e.g., /images to one backend pool, /api to another), which is exactly what the question requires.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming any load balancer can route based on HTTP attributes, but only Application Gateway can inspect and route based on URL paths, host headers, or query strings.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot inspect HTTP request attributes like URL paths; it distributes traffic based on IP and port only. Option C is wrong because Traffic Manager is a DNS-based traffic router that directs clients to the nearest endpoint based on DNS resolution, not HTTP request attributes, and it does not inspect the URL path. Option D is wrong because Network Watcher is a monitoring and diagnostics service for network health, not a traffic distribution or load balancing service.

705
MCQeasy

A legal department stores scanned contracts that are kept for compliance and are almost never opened. They want the lowest storage cost, and it is acceptable if files take time to become available before download. Which blob tier should you choose?

A.Hot
B.Cool
C.Archive
D.Cold
AnswerC

Archive is the lowest-cost tier; it is an offline tier intended for long-term retention. Because the team can wait for access, this tier minimizes storage cost and fits rarely opened compliance documents.

Why this answer

The Archive tier is designed for data that is rarely accessed and has the lowest storage cost among Azure Blob Storage tiers. It requires rehydration (which can take up to 15 hours) before files become available, making it ideal for compliance data that is almost never opened and where delayed access is acceptable.

Exam trap

The trap here is that candidates may confuse 'Cold' with a valid Azure tier (it is not) or choose Cool thinking it is the cheapest, but Archive is the actual lowest-cost tier for rarely accessed data with acceptable retrieval delay.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent access and has the highest storage cost, which contradicts the requirement for lowest storage cost. Option B is wrong because the Cool tier is for data accessed infrequently (at least 30 days) but still has higher storage cost than Archive and offers near-instant access, not the delayed availability that is acceptable here. Option D is wrong because 'Cold' is not a valid Azure Blob Storage tier; the correct tiers are Hot, Cool, and Archive (with Premium as a separate block blob tier).

706
MCQeasy

A developer wants to publish an internet-facing web application from source code. The solution must support built-in HTTPS, deployment slots for testing, and autoscale. The team does not want to manage servers. Which Azure service should the administrator recommend?

A.Azure App Service
B.Azure Container Instances
C.Azure Virtual Machine Scale Sets
D.Azure Bastion
AnswerA

Azure App Service is designed for hosting web applications and APIs with minimal infrastructure management. It supports built-in TLS/HTTPS, deployment slots for staging and swap testing, and autoscale for changing demand. Those features make it a strong fit for internet-facing applications that need operational simplicity and common web hosting capabilities without managing virtual machines.

Why this answer

Azure App Service is the correct choice because it provides a fully managed platform for hosting web applications from source code, with built-in support for HTTPS via TLS/SSL certificates, deployment slots for staging and testing, and autoscale capabilities. It eliminates server management, aligning with the requirement for a PaaS (Platform as a Service) solution that handles infrastructure, patching, and scaling automatically.

Exam trap

The trap here is that candidates often confuse Azure Container Instances with Azure App Service for web apps, overlooking that Container Instances lacks built-in deployment slots and autoscale for web applications, and requires additional orchestration for HTTPS and scaling.

How to eliminate wrong answers

Option B (Azure Container Instances) is wrong because it is a container orchestration service that requires managing container images and does not natively provide deployment slots or built-in HTTPS with autoscale for web apps; it is designed for running containers on demand, not for hosting a web application from source code with those features. Option C (Azure Virtual Machine Scale Sets) is wrong because it is an IaaS (Infrastructure as a Service) solution that requires managing VMs, operating systems, and scaling rules manually, contradicting the 'no server management' requirement; it also lacks built-in HTTPS and deployment slots without additional configuration. Option D (Azure Bastion) is wrong because it is a PaaS service for secure RDP/SSH access to virtual machines, not for hosting web applications; it does not support HTTPS, deployment slots, or autoscale for web apps.

707
Multi-Selectmedium

An administrator is preparing an Azure site-to-site VPN gateway deployment for an existing VNet. Which two prerequisites must be in place for the gateway to deploy successfully? Select two.

Select 2 answers
A.A dedicated GatewaySubnet must exist in the VNet.
B.The gateway must have a public IP address resource assigned to it.
C.The VNet must already contain a private endpoint for on-premises connectivity.
D.A network security group must be attached to the GatewaySubnet.
E.The VNet must use a service endpoint for Microsoft.Network.
AnswersA, B

Azure requires a specific GatewaySubnet for the virtual network gateway resources and routing components.

Why this answer

Option A is correct because a dedicated GatewaySubnet is a mandatory requirement for deploying any Azure VPN gateway. This subnet must be named 'GatewaySubnet' and must have a minimum address prefix of /29 (though /27 is recommended) to accommodate the gateway VMs and future scaling. Without this subnet, the gateway creation will fail as Azure uses it to host the gateway VMs and route traffic.

Exam trap

The trap here is that candidates often confuse the GatewaySubnet requirement with optional components like NSGs or service endpoints, or mistakenly think a private endpoint is needed for on-premises connectivity, when in fact the two mandatory prerequisites are the GatewaySubnet and a public IP address resource.

708
MCQhard

Several Azure Monitor alerts across different subscriptions must notify the same on-call group by email, SMS, and webhook whenever they fire. The operations team wants to define the notification target once and reuse it from future metric alerts, log alerts, and activity log alerts. What should be created?

A.An action group that can be attached to multiple Azure Monitor alert rules.
B.A metric alert with the same threshold applied to every resource that needs notification.
C.A diagnostic setting on each resource so the contact list is stored with the logs.
D.A Log Analytics workbook used as the shared notification destination.
AnswerA

An action group is the reusable notification target in Azure Monitor. You define the recipients and actions once, then attach that action group to any metric, log, or activity log alert that should notify the same people. This separates alert detection from alert delivery, which keeps the design consistent across subscriptions and reduces repeated configuration. It is the right feature when the notification method must be shared broadly.

Why this answer

An action group in Azure Monitor is the correct solution because it defines a reusable collection of notification channels (email, SMS, webhook) that can be attached to multiple alert rules across different subscriptions. This allows the operations team to define the on-call group notification target once and reuse it for metric alerts, log alerts, and activity log alerts, ensuring consistent notification behavior.

Exam trap

The trap here is that candidates confuse alert rules (which define the condition to trigger) with action groups (which define the notification destination), leading them to select a metric alert or diagnostic setting instead of the reusable notification container.

How to eliminate wrong answers

Option B is wrong because a metric alert is a type of alert rule that triggers based on a metric threshold, not a notification target; it cannot be reused across different alert types or subscriptions to define the same contact list. Option C is wrong because a diagnostic setting is used to stream resource logs to destinations like Log Analytics or storage, not to define notification contacts for alert rules. Option D is wrong because a Log Analytics workbook is a visualization and analysis tool for querying log data, not a mechanism for routing alert notifications via email, SMS, or webhook.

709
MCQhard

A backend VM belongs to AppASG and listens on TCP 8443. The subnet NSG has a deny rule at priority 200 that blocks TCP 8443 from VirtualNetwork to any destination. The backend VM's NIC NSG has an allow rule at priority 100 for TCP 8443 from WebASG to AppASG. Web VMs in WebASG still cannot connect. What should you change to allow only the web tier while keeping other virtual network traffic blocked?

A.Move the NIC NSG allow rule to priority 50.
B.Add an allow rule in the subnet NSG at priority 150 for TCP 8443 from WebASG to AppASG.
C.Replace the subnet deny rule with a rule for the AzureLoadBalancer service tag.
D.Remove the backend VM from AppASG and allow traffic by subnet only.
AnswerB

This places a more specific allow ahead of the subnet deny, so only the intended tier is permitted.

Why this answer

In Azure, network security group (NSG) rules are evaluated in priority order (lower number first), and for inbound traffic the subnet NSG is evaluated before the NIC NSG. The subnet NSG has a deny rule at priority 200 that blocks TCP 8443 from VirtualNetwork to any destination, and because the subnet NSG is evaluated first, that deny takes effect before the NIC NSG allow rule is ever considered. To allow traffic from WebASG to AppASG while still blocking other virtual network traffic, you must add an allow rule in the subnet NSG with a lower priority number than the deny rule (e.g., 150, which is evaluated before 200), explicitly permitting TCP 8443 from WebASG to AppASG.

Exam trap

The trap here is that candidates often assume NIC NSG rules can override subnet NSG rules due to higher priority, but in Azure, subnet NSG rules are evaluated before NIC NSG rules for inbound traffic, so a subnet deny will always block traffic regardless of NIC allow rules.

How to eliminate wrong answers

Option A is wrong because moving the NIC NSG allow rule to a higher priority (50) does not help; the subnet NSG deny rule at priority 200 is evaluated before the NIC NSG rules, so the deny still blocks the traffic regardless of NIC rule priority. Option C is wrong because replacing the subnet deny rule with a rule for the AzureLoadBalancer service tag would allow traffic from Azure Load Balancer, not from WebASG, and would not specifically permit the web tier traffic while blocking other virtual network traffic. Option D is wrong because removing the backend VM from AppASG and allowing traffic by subnet only would open up the subnet to all traffic on TCP 8443, violating the requirement to keep other virtual network traffic blocked.

710
MCQmedium

You need to ensure that a finance analyst can view all resources in the Finance-Sub subscription and also view spending details, but cannot create, modify, or delete any resources. Which built-in Azure RBAC role should you assign?

A.Owner
B.Contributor
C.Reader
D.Virtual Machine Contributor
AnswerC

Reader provides view-only access and prevents changes.

Why this answer

The Reader role is the correct choice because it provides read-only access to all resources in a subscription, including the ability to view resource properties and deployment history, but it does not allow any create, modify, or delete operations. Additionally, the Reader role includes the 'Microsoft.CostManagement/views/read' permission, which enables viewing spending details (cost data) in the Azure portal. This aligns exactly with the requirement to view resources and spending without making changes.

Exam trap

The trap here is that candidates often confuse the Reader role with the Contributor role, assuming Contributor is needed for viewing spending details, but Contributor grants write permissions that violate the 'no create/modify/delete' constraint, while Reader alone provides the required read-only access including cost data.

How to eliminate wrong answers

Option A is wrong because the Owner role grants full access to all resources, including the ability to delegate access to others, which violates the requirement to prevent creation, modification, or deletion. Option B is wrong because the Contributor role allows creating and managing all resources, which directly contradicts the 'cannot create, modify, or delete' constraint. Option D is wrong because Virtual Machine Contributor restricts permissions to only virtual machines (e.g., start/stop, modify VM settings) and does not provide read access to other resource types or spending details, failing the requirement to view all resources in the subscription.

711
MCQhard

A partner needs temporary read-only access to a single blob in a storage account for the next 24 hours. The partner must not be able to list other blobs or write data. What should you provide?

A.The storage account access key.
B.A service SAS scoped to the blob with read permission and an expiry time.
C.A private endpoint to the storage account.
D.Contributor access to the storage account.
AnswerB

This is the least-privilege option for temporary, blob-specific access.

Why this answer

A service SAS scoped to a specific blob with read permission and an expiry time provides the exact temporary, read-only access required. It restricts access to only that blob, prevents listing other blobs, and automatically expires after 24 hours, meeting all security and functional requirements.

Exam trap

The trap here is that candidates often confuse a service SAS with an account SAS or storage account keys, mistakenly thinking any SAS or key can be scoped, but only a service SAS can be scoped to a single blob with precise permissions and expiry.

How to eliminate wrong answers

Option A is wrong because the storage account access key grants full administrative access to the entire storage account, including the ability to list, read, write, and delete all blobs, which violates the principle of least privilege and the requirement for read-only access to a single blob. Option C is wrong because a private endpoint provides network-level isolation by connecting the storage account to a virtual network, but it does not grant any data access permissions or restrict access to a single blob; it still requires additional authorization (e.g., SAS or RBAC) and does not prevent listing or writing. Option D is wrong because Contributor role at the storage account level allows full management of the account and data, including listing and writing blobs, far exceeding the required read-only access to a single blob.

712
MCQmedium

A finance team stores monthly invoice PDFs in Azure and wants the data to remain available if an entire availability zone in the region fails. They do not need read access to a secondary region, and they want to keep the storage service simple. Which redundancy option should they choose for the storage account?

A.Locally redundant storage (LRS), because it protects against a single disk failure inside one datacenter.
B.Zone-redundant storage (ZRS), because it replicates data across zones in the same region.
C.Geo-redundant storage (GRS), because it automatically provides the lowest-cost cross-region protection.
D.Geo-zone-redundant storage (GZRS), because it is required whenever zone resilience is needed.
AnswerB

ZRS stores copies of the data across multiple availability zones in the same region. That design helps the account remain available during a zone outage without requiring a paired region or secondary read access.

Why this answer

Zone-redundant storage (ZRS) replicates data synchronously across three Azure availability zones within the same region, ensuring durability even if an entire zone fails. This meets the requirement for intra-region zone failure protection without needing a secondary region, and it keeps the storage service simple by avoiding the complexity of geo-replication.

Exam trap

The trap here is that candidates often confuse 'zone failure' with 'regional failure' and incorrectly choose GRS or GZRS, overlooking that ZRS provides sufficient protection within a single region at lower cost and complexity.

How to eliminate wrong answers

Option A is wrong because LRS only replicates data three times within a single datacenter, so it cannot survive an entire availability zone failure. Option C is wrong because GRS replicates data to a secondary region, which the question explicitly states is not needed, and it is not the lowest-cost cross-region option (LRS is cheaper). Option D is wrong because GZRS combines zone-redundancy with geo-redundancy, which adds cross-region replication that is not required and increases complexity and cost.

713
MCQhard

A 180-GB blob was moved to the Archive tier last week. A legal team now needs the file available later today for repeated review, and they are willing to pay more to shorten the wait. Which action should the administrator take first?

A.Rehydrate the blob to Cool tier by using Standard priority.
B.Rehydrate the blob to Hot tier by using High priority.
C.Copy the blob into another Archive tier container and wait for replication.
D.Change the storage account redundancy to ZRS so the blob becomes accessible faster.
AnswerB

High priority rehydration is the fastest supported path, and Hot makes the blob ready for repeated access.

Why this answer

The Archive tier requires rehydration (changing the blob tier) before the data can be accessed. Rehydrating to the Hot tier with High priority is the fastest method, typically completing within 1 hour, which meets the legal team's need for later today. Standard priority rehydration can take up to 15 hours, making it too slow for the required timeline.

Exam trap

The trap here is that candidates may think changing redundancy or copying the blob can bypass the rehydration requirement, but Azure Archive blobs must be explicitly rehydrated to an online tier before any read access is possible.

How to eliminate wrong answers

Option A is wrong because rehydrating to the Cool tier with Standard priority can take up to 15 hours, which is too slow for the legal team's need for later today. Option C is wrong because copying a blob within the Archive tier does not change its tier; the copy remains in the Archive tier and is still inaccessible without rehydration. Option D is wrong because changing redundancy to ZRS does not affect the blob's tier or its accessibility; the blob remains in the Archive tier and must be rehydrated first.

714
MCQmedium

A web application runs on three VMs in a backend subnet. The backend team wants the load balancer in the frontend tier to reach the VMs on TCP 8443, and they want the rule to keep working even if the backend VM IP addresses change. What should you use in the NSG rule?

A.Use the individual private IP addresses of each backend VM as the source.
B.Use an application security group for the frontend tier as the source and another ASG for the backend tier as the destination.
C.Use the VirtualNetwork service tag for both source and destination.
D.Create a route table entry that sends TCP 8443 traffic to the backend subnet.
AnswerB

Application security groups let you reference groups of NICs instead of hard-coded IP addresses. That makes the NSG rule resilient when VMs are replaced or reimaged and their private IP addresses change. It also keeps the access model aligned to application tiers rather than infrastructure details, which is the preferred design for maintainable network security rules.

Why this answer

Option B is correct because Application Security Groups (ASGs) allow you to define network security rules based on logical groupings of VMs, regardless of their IP addresses. By using an ASG for the frontend tier as the source and another ASG for the backend tier as the destination, the NSG rule remains valid even if backend VM IP addresses change, as ASGs are dynamically updated. This meets the requirement for the load balancer in the frontend tier to reach backend VMs on TCP 8443 without hardcoding IP addresses.

Exam trap

The trap here is that candidates often confuse NSG rules with route tables, thinking a route table entry can control access (Option D), or they assume that using specific IP addresses (Option A) is acceptable despite the requirement for dynamic IP changes, missing the purpose of ASGs for logical grouping.

How to eliminate wrong answers

Option A is wrong because using individual private IP addresses as the source would require manual updates to the NSG rule whenever a backend VM's IP changes, violating the requirement for the rule to keep working automatically. Option C is wrong because the VirtualNetwork service tag includes all VNets and peered networks, which is too broad and does not specifically isolate the frontend-to-backend traffic on TCP 8443, potentially allowing unintended traffic. Option D is wrong because a route table entry controls traffic routing (next hop), not NSG filtering; it does not define which traffic is allowed or denied, and it cannot replace an NSG rule for access control.

715
MCQeasy

Based on the exhibit, what should the administrator configure so the operations team receives an email when the VM's average CPU stays above 80% for 10 minutes?

A.Create a diagnostic setting on the VM and send platform logs to Log Analytics.
B.Create an action group and attach it to the metric alert rule.
C.Assign a Reader role to the operations team on the VM resource.
D.Enable a resource lock on the VM to prevent CPU spikes.
AnswerB

An action group is the Azure Monitor component that delivers notifications or runs automation when an alert fires. The metric alert already defines the CPU condition, so the missing piece is the action group to email the operations team. Once linked, the alert can evaluate continuously and send the required notification whenever the threshold is met.

Why this answer

To send an email when a metric threshold is breached, you must first create an action group that defines the notification action (e.g., email, SMS). Then, when configuring the metric alert rule for 'Percentage CPU' with a condition of 'greater than 80%' for 10 minutes, you attach that action group to the alert rule. This ensures that when the alert fires, the defined email notification is sent to the operations team.

Exam trap

The trap here is that candidates confuse diagnostic settings (which send data to a destination) with alert rules (which evaluate conditions and trigger notifications), leading them to pick Option A even though it does not include the action group needed for email delivery.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting sends platform logs and metrics to a Log Analytics workspace for analysis, but it does not directly trigger email notifications; you would still need an alert rule with an action group to send the email. Option C is wrong because assigning the Reader role grants read-only access to the VM's properties and metrics, but it does not configure any alerting or notification mechanism. Option D is wrong because a resource lock prevents accidental deletion or modification of the VM, but it has no effect on CPU usage or alerting; it cannot prevent CPU spikes or send notifications.

716
MCQeasy

Based on the exhibit, which Azure compute service should you deploy for a stateless web app that needs more instances during business hours and fewer at night?

A.A single larger virtual machine.
B.A virtual machine scale set with autoscale rules.
C.An availability set with two VMs.
D.A dedicated host with one VM per host.
AnswerB

A virtual machine scale set is the right choice because it can run multiple identical instances and scale them automatically when demand changes. The exhibit shows predictable workload spikes, and the app is stateless, so instances can be added or removed without affecting user sessions.

Why this answer

A virtual machine scale set with autoscale rules is the correct choice because it automatically adjusts the number of VM instances based on demand, scaling out during business hours and scaling in at night. This matches the stateless web app requirement, as scale sets are designed for stateless workloads where instances can be added or removed without data loss.

Exam trap

The trap here is that candidates often confuse availability sets (high availability) with autoscaling, or think a single large VM can handle variable load by resizing, but autoscaling requires horizontal scaling via VMSS.

How to eliminate wrong answers

Option A is wrong because a single larger virtual machine cannot scale out or in; it only provides vertical scaling (resizing), which requires downtime and does not handle variable load efficiently. Option C is wrong because an availability set with two VMs provides high availability but no autoscaling; it keeps a fixed number of instances regardless of demand. Option D is wrong because a dedicated host with one VM per host is for licensing or compliance requirements, not for dynamic scaling, and it does not support automatic instance count adjustments.

717
MCQmedium

A security team wants operators in one resource group to start, stop, and restart virtual machines, but they must not create VMs, delete VMs, or manage disks and networking. What should the administrator configure?

A.Assign the Contributor role at the resource group scope.
B.Assign the Virtual Machine Contributor role at the resource group scope.
C.Create a custom RBAC role with only the VM power actions and assign it at the resource group scope.
D.Use Azure Policy to deny creation of new VMs in the resource group.
AnswerC

A custom RBAC role is the best fit for least-privilege access because the built-in roles are broader than the requirement. You can include only the actions needed for starting, stopping, restarting, and possibly reading VM state, then scope the role assignment to the specific resource group. That keeps the operators effective without giving them permissions to create, delete, or reconfigure related resources.

Why this answer

The correct answer is C because the built-in roles (Contributor and Virtual Machine Contributor) grant more permissions than needed, including the ability to create or delete VMs and manage networking. A custom RBAC role with only the specific power actions (start, stop, restart) ensures least privilege, meeting the security team's requirement exactly.

Exam trap

The trap here is that candidates often assume the Virtual Machine Contributor role is restrictive enough, but it actually includes broader permissions like creating and deleting VMs, which violates the 'must not create VMs, delete VMs, or manage disks and networking' constraint.

How to eliminate wrong answers

Option A is wrong because the Contributor role at the resource group scope allows full management of all resources, including creating and deleting VMs and managing disks and networking, which violates the restriction. Option B is wrong because the Virtual Machine Contributor role allows creating and deleting VMs, as well as managing disks and networking, exceeding the required permissions. Option D is wrong because Azure Policy can deny creation of new VMs but does not grant the ability to start, stop, or restart existing VMs; it only enforces compliance rules and does not replace RBAC permissions.
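The following is an added example, not code from the question bank or from Microsoft. It builds the custom role definition that question 717 describes (only VM read and power actions, assignable at a resource group) in the JSON shape that `az role definition create --role-definition` accepts, and adds a small checker that evaluates Azure's `*` wildcard matching so you can confirm a role does not grant any of the forbidden operations. The `Microsoft.Compute` and `Microsoft.Network` action strings are the real operation names; the role name, subscription ID, resource group and the Contributor-like comparison role are constructed for this example.

```python
"""Least-privilege custom role for VM power operations, plus a checker that
confirms the role grants none of the operations the security team forbids.

Added example; not the page's or Microsoft's code. Action strings are real
Azure operation names; the role name, scope and the comparison role are
constructed.
"""
import fnmatch
import json
from typing import Iterable, List

# Operations the operators need: read VM state and the power actions.
VM_POWER_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
]

# Operations the requirement rules out: create/delete VMs, manage disks and networking.
FORBIDDEN_ACTIONS = [
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/delete",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkSecurityGroups/write",
]


def build_vm_operator_role(subscription_id: str, resource_group: str) -> dict:
    """Custom role definition limited to VM power actions, assignable only
    at the given resource group (the scope the question asks for)."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": "VM Power Operator (example)",  # constructed role name
        "IsCustom": True,
        "Description": "Read, start, stop and restart VMs; no create/delete, disk or network rights.",
        "Actions": list(VM_POWER_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC permissions may use '*' wildcards ('*', 'Microsoft.Compute/*').
    Operation names are compared case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants(role: dict, action: str) -> bool:
    """True when some Actions pattern matches and no NotActions pattern excludes it."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    excluded = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not excluded


def forbidden_grants(role: dict, forbidden: Iterable[str] = FORBIDDEN_ACTIONS) -> List[str]:
    """Forbidden operations the role would still allow; empty means it passes."""
    return [a for a in forbidden if role_grants(role, a)]


# Constructed approximation of a Contributor-style role ('*' minus authorization
# writes), used only to show what the checker reports for a broad built-in role.
CONTRIBUTOR_LIKE = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

if __name__ == "__main__":
    role = build_vm_operator_role("00000000-0000-0000-0000-000000000000", "rg-ops")
    print(json.dumps(role, indent=2))
    print("custom role grants forbidden actions:", forbidden_grants(role))
    print("Contributor-like role grants forbidden actions:", forbidden_grants(CONTRIBUTOR_LIKE))
```

Run the same `forbidden_grants` check against any exported role definition (`az role definition list --name <role> --output json`) to see why Virtual Machine Contributor fails the question's constraint while the custom role passes.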

718
MCQhard

Users in Branch01 access an Azure file share over SMB. Performance is poor because frequently used files are downloaded repeatedly across the WAN. You need to keep a local cache on a Windows Server in Branch01 while keeping Azure Files as the central file share. What should you deploy?

A.Azure File Sync
B.Blob versioning
C.Share snapshots
D.A private endpoint
AnswerA

Azure File Sync provides a local cache on Windows Server while keeping Azure Files central.

Why this answer

Azure File Sync is the correct solution because it enables caching of Azure file shares on a Windows Server at the branch location, providing local access to frequently used files while keeping Azure Files as the central authoritative store. It uses a sync engine to maintain a local cache and leverages the SMB protocol for access, reducing WAN latency by serving files from the local server.

Exam trap

The trap here is that candidates often confuse Azure File Sync with simply mounting an Azure file share via SMB or using a private endpoint, not realizing that File Sync specifically provides a local caching mechanism on a Windows Server to solve WAN latency issues.

How to eliminate wrong answers

Option B (Blob versioning) is wrong because it is a feature for Azure Blob Storage that preserves previous versions of objects, not for caching or local access of file shares. Option C (Share snapshots) is wrong because they provide point-in-time read-only copies of an Azure file share for backup or restore, not a local cache for performance improvement. Option D (A private endpoint) is wrong because it provides a private IP address for accessing Azure Files over a virtual network, but it does not create a local cache on a branch server; it only improves network connectivity.

719
MCQhard

Your application stores compliance documents in Azure Blob Storage. The documents must be kept in a write-once-read-many state for five years and must not be altered or removed during that time. What should you configure?

A.Blob soft delete
B.Immutable blob storage with a time-based retention policy
C.Blob lifecycle management to move data to Cool tier
D.A shared access signature
AnswerB

Immutable storage provides WORM protection for the specified retention period.

Why this answer

Immutable blob storage with a time-based retention policy enforces a write-once-read-many (WORM) state, ensuring that blobs cannot be modified or deleted for a specified retention period. This directly meets the requirement of keeping compliance documents unaltered for five years, as the policy locks the data at the storage level, overriding any user permissions or delete operations.

Exam trap

The trap here is that candidates confuse blob soft delete (which only recovers deleted blobs but does not prevent modification) with immutable storage, or mistakenly think lifecycle management or SAS tokens can enforce a write-once-read-many state.

How to eliminate wrong answers

Option A is wrong because blob soft delete protects against accidental deletion by retaining deleted blobs for a configurable period, but it does not prevent modification or enforce a write-once-read-many state; blobs can still be overwritten or deleted during the soft-delete retention period. Option C is wrong because blob lifecycle management automates tier transitions (e.g., moving data to Cool or Archive tiers) based on age or conditions, but it does not provide any immutability or prevent modification or deletion of blobs. Option D is wrong because a shared access signature (SAS) grants delegated access to storage resources with specific permissions and expiry, but it does not enforce immutability or prevent authorized users from modifying or deleting blobs.

720
Matchingmedium

A backup engineer is reviewing policy-related settings in a Recovery Services vault. Match each backup setting to the behavior it controls.


Concepts
Matches

Determines when the VM backup job runs, such as daily at a specific time.

Determines how long a recovery point is kept before it expires.

Keeps short-term snapshots available for quick restores before they age out.

Preserves deleted backup data for a recovery window instead of removing it immediately.

Represents the protected VM that is registered in the vault.

Why these pairings

Backup frequency sets how often a backup runs; retention range sets how long a recovery point is kept; snapshot retention keeps the short-term local copy; schedule sets the time the job runs; tier defines the storage type; alerts notify on issues.

721
Multi-Selectmedium

You are designing a disaster recovery strategy for Azure Blob Storage. The storage account is configured with geo-redundant storage (GRS). Which three of the following statements about GRS and failover are true? (Choose three.)

Select 3 answers
A.With GRS, data is replicated asynchronously to a paired secondary region.
B.In the event of a regional outage, you can initiate a customer-managed failover to the secondary region.
C.After a failover, the secondary region becomes the new primary and replication to the original primary is automatically established.
D.GRS provides three copies of your data within the primary region and three additional copies in the secondary region.
E.GRS guarantees zero data loss if a failover is triggered.
F.Once a failover is completed, you cannot fail back to the original primary region.

Why this answer

Geo-redundant storage (GRS) replicates data asynchronously to a paired secondary region, ensuring durability even during a regional outage. In such an outage, you can initiate a customer-managed failover to promote the secondary region as the new primary. GRS maintains three copies (LRS) in the primary region and three additional copies in the secondary region, providing six total replicas.

Exam trap

The trap here is that candidates often assume GRS provides synchronous replication with zero data loss, but it is asynchronous, and they may also think failover is irreversible, when in fact you can fail back.

722
Multi-Selecthard

A hub-and-spoke environment already has an Azure VPN gateway deployed in the hub VNet. A spoke VNet must send on-premises traffic through that existing gateway, and administrators must be able to manage the peering from either side without creating a separate gateway in the spoke. Which two peering settings are required? Select two.

Select 2 answers
A.Enable Allow gateway transit on the hub-to-spoke peering.
B.Enable Use remote gateways on the spoke-to-hub peering.
C.Enable Allow forwarded traffic on both peerings as the only required setting.
D.Enable Allow gateway transit on the spoke-to-hub peering.
E.Create a user-defined route that points all on-premises prefixes to the hub VNet gateway.
AnswersA, B

This allows the hub VNet gateway to be shared with the peered spoke network.

Why this answer

Option A is correct because enabling 'Allow gateway transit' on the hub-to-spoke peering allows the hub VNet to advertise its VPN gateway routes to the spoke VNet. This setting is configured on the peering from the hub side and is a prerequisite for the spoke to use the hub's gateway for on-premises connectivity.

Exam trap

The trap here is that candidates often confuse 'Allow forwarded traffic' with 'Allow gateway transit', thinking that enabling forwarded traffic alone is sufficient for gateway sharing, but forwarded traffic only applies to traffic from an NVA, not from a VPN gateway.

723
MCQhard

An organization must retain Azure Key Vault audit data for 18 months, search the data in Log Analytics, and keep a second copy if the workspace retention policy is later shortened. The operations team already has an action group for notifications. What should be configured on the Key Vault?

A.Create an activity log alert and point it at the existing action group.
B.Create a diagnostic setting that streams AuditEvent logs to Log Analytics and a storage account.
C.Create a metric alert on the Key Vault and archive the alert history.
D.Enable only resource metrics and rely on workspace retention for compliance.
AnswerB

A diagnostic setting on the Key Vault can export resource logs to Log Analytics for querying and also to a storage account for durable retention. That meets both investigation and long-term preservation requirements. The action group can still be used separately for notifications, but it does not replace the log collection path. This is the only option that addresses both searchable telemetry and an independent retained copy.

Why this answer

Option B is correct because Azure Key Vault audit data is captured via the AuditEvent category in diagnostic settings. By configuring a diagnostic setting to stream AuditEvent logs to both a Log Analytics workspace (for querying and long-term retention up to 18 months) and a storage account (for a second copy independent of workspace retention policy changes), the organization meets all requirements. The existing action group is not needed for this data retention and search scenario.

Exam trap

The trap here is that candidates confuse activity log alerts or metric alerts with diagnostic settings, not realizing that audit data retention and search require streaming the AuditEvent category to Log Analytics and a storage account, not just monitoring or metrics.

How to eliminate wrong answers

Option A is wrong because activity log alerts monitor operational events on the Azure resource (e.g., key vault creation or deletion), not the AuditEvent log data itself, and they do not provide retention or secondary copy capabilities. Option C is wrong because metric alerts on Key Vault track performance metrics (e.g., latency, requests), not audit logs, and archiving alert history does not retain the raw AuditEvent data for 18 months. Option D is wrong because resource metrics alone do not include AuditEvent logs, and relying solely on workspace retention fails to provide a second copy if the retention policy is later shortened.

724
Multi-Selectmedium

Finance, HR, and Engineering each use separate subscriptions. The compliance team wants a simple hierarchy that lets them apply governance to groups of subscriptions and produce resource ownership reports by department and environment. Which two features should the administrator use? Select two.

Select 2 answers
A.Management groups to organize the subscriptions into a hierarchy.
B.Tags on resources to record department and environment values.
C.Resource locks to group subscriptions by business unit.
D.Availability sets to group applications by department.
E.Private endpoints to separate Finance from HR.
AnswersA, B

Management groups are designed to organize subscriptions above the subscription level. They provide the hierarchy needed to apply governance consistently across sets of subscriptions.

Why this answer

Management groups (A) are correct because they allow you to organize multiple subscriptions into a hierarchical structure for applying governance policies and role-based access control at scale. This directly supports the compliance team's need to apply governance to groups of subscriptions and produce resource ownership reports by department and environment.

Exam trap

The trap here is that candidates often confuse resource locks with management groups for organizational control, or think availability sets or private endpoints can serve as grouping mechanisms for governance, when they are designed for entirely different purposes (high availability and network security, respectively).

725
MCQhard

Your company needs to retain Azure Activity Log data longer than the built-in retention period and make it available for future analysis. What should you configure?

A.Diagnostic settings for the Activity Log
B.A CanNotDelete lock on the subscription
C.An availability set
D.An NSG flow log only
AnswerA

Diagnostic settings export Activity Log data to destinations that support longer retention and analysis.

Why this answer

Azure Activity Log has a default retention period of 30 days for Standard tier subscriptions and 90 days for others. To retain data longer, you must configure diagnostic settings to stream the Activity Log to a Log Analytics workspace (for long-term querying) or to an Azure Storage account (for archival). Diagnostic settings allow you to define the retention duration beyond the built-in limit, enabling future analysis.

Exam trap

The trap here is that candidates confuse the default retention period of the Activity Log with the ability to extend it, mistakenly thinking locks or other resource configurations can preserve log data, when only diagnostic settings enable long-term retention and export.

How to eliminate wrong answers

Option B is wrong because a CanNotDelete lock prevents accidental deletion of the subscription or its resources but does not extend data retention or capture Activity Log data. Option C is wrong because an availability set is a logical grouping of VMs to ensure high availability during maintenance or failures; it has no role in log retention or monitoring. Option D is wrong because an NSG flow log captures IP traffic flowing through a Network Security Group, not the subscription-level Activity Log events; it is used for network security analysis, not for retaining Activity Log data.
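Questions 723 and 725 both come down to the same control: a diagnostic setting that exports the right log categories to a Log Analytics workspace for search and to a storage account for an independent copy. The check below is an added example, not code from the question bank or from Microsoft; it reads the `Microsoft.Insights/diagnosticSettings` shape (`properties.logs[].category`, `properties.logs[].enabled`, `properties.workspaceId`, `properties.storageAccountId`) that `az monitor diagnostic-settings list` returns, and aggregates across several settings on one resource, since coverage may be split across them. The workspace and storage account IDs, setting names and sample settings are constructed; the `AuditEvent`, `AzurePolicyEvaluationDetails`, `Administrative` and `Security` category names are real.

```python
"""Verify that diagnostic settings send the required log categories to both
a Log Analytics workspace and a storage account.

Added example; not the page's or Microsoft's code. Resource IDs and sample
settings are constructed; the property and category names are the real ones.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed destination IDs (placeholder subscription).
WORKSPACE_ID = ("/subscriptions/<sub-id>/resourceGroups/rg-mon/providers/"
                "Microsoft.OperationalInsights/workspaces/law-example")
STORAGE_ID = ("/subscriptions/<sub-id>/resourceGroups/rg-mon/providers/"
              "Microsoft.Storage/storageAccounts/stexamplearchive")


def setting(name: str, logs: Dict[str, bool],
            workspace: bool = False, storage: bool = False) -> dict:
    """Build one diagnostic setting in the shape the Azure API returns."""
    props = {"logs": [{"category": c, "enabled": on} for c, on in logs.items()]}
    if workspace:
        props["workspaceId"] = WORKSPACE_ID
    if storage:
        props["storageAccountId"] = STORAGE_ID
    return {"name": name, "properties": props}


def enabled_categories(s: dict) -> Set[str]:
    """Categories this setting actually exports (a listed but disabled
    category exports nothing)."""
    return {log["category"] for log in s.get("properties", {}).get("logs", [])
            if log.get("enabled")}


def coverage(settings: Iterable[dict]) -> Tuple[Set[str], Set[str]]:
    """Categories reaching a workspace and categories reaching a storage
    account, aggregated over every setting on the resource."""
    to_ws: Set[str] = set()
    to_sa: Set[str] = set()
    for s in settings:
        props = s.get("properties", {})
        cats = enabled_categories(s)
        if props.get("workspaceId"):
            to_ws |= cats
        if props.get("storageAccountId"):
            to_sa |= cats
    return to_ws, to_sa


def missing(settings: Iterable[dict], required: Set[str]) -> Dict[str, List[str]]:
    """Required categories that do not reach each destination type."""
    to_ws, to_sa = coverage(list(settings))
    return {"workspace": sorted(required - to_ws),
            "storageAccount": sorted(required - to_sa)}


def is_compliant(settings: Iterable[dict], required: Set[str]) -> bool:
    gaps = missing(list(settings), required)
    return not gaps["workspace"] and not gaps["storageAccount"]


# Question 723, option B: AuditEvent streamed to both destinations.
KEYVAULT_OK = [setting("kv-audit", {"AuditEvent": True, "AzurePolicyEvaluationDetails": False},
                       workspace=True, storage=True)]
# Workspace only: searchable, but no copy survives a shortened workspace retention.
KEYVAULT_WS_ONLY = [setting("kv-audit-law", {"AuditEvent": True}, workspace=True)]
# Option D-like: the audit category is present but disabled, so nothing is exported.
KEYVAULT_DISABLED = [setting("kv-metrics-only", {"AuditEvent": False},
                             workspace=True, storage=True)]
# Question 725: the Activity Log split across two settings, one per destination.
ACTIVITY_LOG = [
    setting("activity-to-law", {"Administrative": True, "Security": True}, workspace=True),
    setting("activity-to-archive", {"Administrative": True, "Security": True}, storage=True),
]

if __name__ == "__main__":
    for label, settings, required in [
        ("key vault / both destinations", KEYVAULT_OK, {"AuditEvent"}),
        ("key vault / workspace only", KEYVAULT_WS_ONLY, {"AuditEvent"}),
        ("key vault / category disabled", KEYVAULT_DISABLED, {"AuditEvent"}),
        ("activity log / two settings", ACTIVITY_LOG, {"Administrative", "Security"}),
    ]:
        print(f"{label}: compliant={is_compliant(settings, required)} gaps={missing(settings, required)}")
```

Feed the function the JSON from `az monitor diagnostic-settings list --resource <id>` (or the subscription-level equivalent for the Activity Log) and the set of categories your retention policy names; an empty `missing` result means both the searchable copy and the independent copy exist.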

726
MCQeasy

A storage account must accept traffic only from a single subnet. The team wants to keep using the storage account's public endpoint and does not want to deploy a private endpoint. What should you configure?

A.A private endpoint and private DNS zone
B.A service endpoint on the subnet and a storage firewall rule that allows that subnet
C.Read-access geo-redundant storage (RA-GRS)
D.Archive access tier for the container
AnswerB

A service endpoint lets the subnet reach the storage account over the public endpoint while the firewall restricts access to that subnet only.

Why this answer

Option B is correct because a service endpoint on the subnet extends the virtual network identity to the storage account, and a storage firewall rule that allows that subnet restricts access to only traffic originating from that subnet. This meets the requirement of using the public endpoint without deploying a private endpoint, as the storage account's public endpoint remains accessible but is locked down to the specified subnet via the firewall rule.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that restricting access to a subnet requires a private endpoint, but service endpoints with firewall rules achieve the same goal using the public endpoint.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns the storage account a private IP from the virtual network, which removes the use of the public endpoint entirely, contradicting the requirement. Option C is wrong because RA-GRS is a replication strategy that provides read-only access to a secondary region for disaster recovery, not a network access control mechanism. Option D is wrong because the archive access tier is for cost-effective storage of infrequently accessed data, with no impact on network access restrictions.

727
MCQmedium

An app running on an Azure VM must access Azure SQL Database over a private IP inside the VNet. The team also wants the SQL server name to resolve to that private address without using custom host-file entries. What should be configured?

A.A service endpoint on the VM subnet and a firewall rule on Azure SQL Database.
B.A private endpoint for Azure SQL Database and a linked private DNS zone.
C.A public IP address on the VM and a SQL server firewall exception.
D.An NSG rule that allows outbound TCP 1433 to the SQL server.
AnswerB

A private endpoint places the service on a private IP in your virtual network, which satisfies the requirement for private network access. Linking the appropriate private DNS zone to the VNet lets the SQL server name resolve to that private IP automatically. This combination gives the application private connectivity and avoids manual host-file updates or reliance on public endpoints.

Why this answer

Option B is correct because a private endpoint assigns Azure SQL Database a private IP address from the VM's VNet, enabling traffic to stay within Microsoft's backbone. Linking a private DNS zone automatically resolves the SQL server's FQDN (e.g., server.database.windows.net) to that private IP, eliminating the need for custom host-file entries. This meets both requirements: private IP connectivity and DNS resolution without manual configuration.

Exam trap

The trap here is confusing service endpoints with private endpoints; candidates often think a service endpoint provides a private IP, but it only provides source VNet identity while the destination remains a public endpoint, failing the private IP and DNS resolution requirements.

How to eliminate wrong answers

Option A is wrong because a service endpoint only extends VNet identity to Azure SQL but does not provide a private IP; the SQL server's public endpoint is still used, and DNS resolution remains public. Option C is wrong because a public IP on the VM and a firewall exception still routes traffic over the internet, not a private IP inside the VNet, and does not resolve the SQL server name to a private address. Option D is wrong because an NSG rule allowing outbound TCP 1433 only filters traffic; it does not assign a private IP to the SQL server or change DNS resolution.

728
MCQmedium

A contractor needs to upload files to one blob container for the next two hours. The contractor must not learn the storage account key, and access should expire automatically without manual cleanup. What is the best way to grant access?

A. Share the storage account key and ask the contractor to stop using it after two hours.
B. Create an account SAS with broad permissions and send it to the contractor by email.
C. Generate a user delegation SAS from Entra ID with only the required container permissions and a two-hour expiry.
D. Assign the contractor the Storage Blob Data Contributor role at the storage account scope.
Answer: C

A user delegation SAS is generated from Entra ID credentials, so the administrator does not expose the storage account key. It can be scoped to a single container, limited to upload permissions, and given a short expiration time. That combination satisfies least privilege and automatic expiration for temporary contractor access.

Why this answer

A user delegation SAS is the correct choice because it is secured with Entra ID credentials rather than the storage account key, ensuring the contractor never learns the key. The SAS can be scoped to exactly the required container permissions and a two-hour expiry, providing automatic, time-limited access without manual cleanup. This approach aligns with the principle of least privilege and eliminates the need to share or rotate storage account keys.

Exam trap

The trap here is that candidates often confuse an account SAS (which still uses the storage account key) with a user delegation SAS (which uses Entra ID), leading them to choose Option B because they think any SAS automatically avoids key exposure, but only the user delegation SAS truly prevents the contractor from learning the key.

How to eliminate wrong answers

Option A is wrong because sharing the storage account key violates the requirement that the contractor must not learn the key, and it does not provide automatic expiry—manual cleanup would be required to revoke access. Option B is wrong because an account SAS is signed with the storage account key, meaning the contractor could potentially derive or infer the key from the SAS token, and it typically grants broader permissions than necessary, failing the principle of least privilege. Option D is wrong because assigning the Storage Blob Data Contributor role at the storage account scope grants persistent, role-based access that does not automatically expire after two hours, requiring manual removal of the role assignment.

729
MCQ · medium

A build pipeline starts a containerized data-processing job every evening. Each run finishes in under 20 minutes, does not need persistent servers, and never receives inbound traffic. Which compute service best fits this workload?

A. Azure App Service
B. Azure Container Instances
C. Azure Virtual Machines
D. Azure Kubernetes Service
Answer: B

Azure Container Instances is designed for on-demand container execution without managing a cluster or servers.

Why this answer

Azure Container Instances (ACI) is the best fit because it allows you to run a containerized job directly in Azure without provisioning or managing any underlying infrastructure. The workload is short-lived (under 20 minutes), requires no persistent servers, and has no inbound traffic, which aligns perfectly with ACI's pay-per-second billing and ability to start containers on demand from a build pipeline.

Exam trap

The trap here is that candidates often choose Azure Kubernetes Service (D) because they associate containers with Kubernetes, overlooking that ACI is the simpler, more cost-effective solution for single, short-lived containerized jobs without orchestration needs.

How to eliminate wrong answers

Option A is wrong because Azure App Service is designed for hosting web applications and RESTful APIs that require persistent HTTP/HTTPS endpoints and inbound traffic, not for ephemeral batch jobs that never receive inbound traffic. Option C is wrong because Azure Virtual Machines require provisioning and managing a full OS, incurring costs even when idle, and are overkill for a containerized job that runs for under 20 minutes without persistent servers. Option D is wrong because Azure Kubernetes Service is a complex orchestration platform designed for managing multiple containers across a cluster, which introduces unnecessary overhead and cost for a single, short-lived containerized job that does not need scaling, load balancing, or persistent storage.

730
MCQ · easy

Based on the exhibit, what should the administrator change if the business wants backups to be kept for 30 days instead of 7 days?

A. Change the backup schedule from daily to hourly.
B. Increase the retain daily backup points setting to 30 days.
C. Increase the instant recovery snapshot retention to 30 days.
D. Enable a CanNotDelete lock on the Recovery Services vault.
Answer: B

The requirement is about how long daily recovery points are kept, not how often backups run. The policy setting that controls that is the retention value for daily backup points. Updating it from 7 days to 30 days keeps the restore points available for the required period while leaving the backup schedule unchanged.

Why this answer

The backup retention policy in Azure Backup is configured via the 'Retain daily backup points' setting, which specifies how many days daily recovery points are kept. To change retention from 7 to 30 days, the administrator must increase this value to 30. This directly controls the lifespan of daily backups in the Recovery Services vault.

Exam trap

The trap here is confusing 'instant recovery snapshot retention' (short-term local snapshots) with 'daily backup point retention' (long-term vault retention), leading candidates to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because changing the backup schedule from daily to hourly affects the frequency of backups, not the retention duration; hourly backups would create more points but still expire based on the retention setting. Option C is wrong because instant recovery snapshot retention controls how long the local snapshot (used for fast restores) is kept before being deleted, not the overall backup retention in the vault. Option D is wrong because a CanNotDelete lock prevents accidental deletion of the Recovery Services vault but does not affect backup retention policies.

731
MCQ · easy

Based on the exhibit, what should the administrator create so the storage account is reachable only by private IP from AppSubnet?

A. A private endpoint in AppSubnet for the storage account.
B. A service endpoint on AppSubnet for Microsoft.Storage.
C. A user-defined route to the storage account public IP.
D. An application security group that contains the storage account.
Answer: A

A private endpoint gives the storage account a private IP address in the VNet, which is exactly what the requirement calls for. Because public network access is disabled and DNS is already configured, this completes the private-only access path.

Why this answer

A private endpoint assigns a private IP address from the AppSubnet to the storage account, making it reachable only via private IP within that subnet. This ensures all traffic to the storage account stays within the Microsoft Azure backbone network, eliminating public internet exposure. The private endpoint uses Azure Private Link to map the storage account's PaaS resource to a network interface in the virtual network.

Exam trap

The trap here is confusing service endpoints with private endpoints: service endpoints keep the public endpoint but restrict access via subnet firewall rules, while private endpoints assign a private IP and fully remove public exposure, which is required for reachability only by private IP.

How to eliminate wrong answers

Option B is wrong because a service endpoint on AppSubnet for Microsoft.Storage extends the storage account's public endpoint to the subnet but does not assign a private IP; traffic still uses the public endpoint's IP address, and the storage account remains publicly resolvable. Option C is wrong because a user-defined route to the storage account public IP would force traffic over the public internet via that IP, not restrict access to private IP only. Option D is wrong because an application security group is a logical grouping of VM NICs for network security rules, not a mechanism to make a storage account reachable by private IP.

732
MCQ · medium

A compliance report must show which department and environment owns each Azure resource, even when the resources are spread across many resource groups and subscriptions. Which feature should the administrator use?

A. Resource group names only.
B. Management groups.
C. Resource tags.
D. Resource locks.
Answer: C

Tags are the correct feature because they attach metadata like department and environment directly to resources. That metadata can then be queried, filtered, and reported across multiple resource groups and subscriptions. Tags are a common Azure governance tool when business ownership must be tracked independently of the resource hierarchy.

Why this answer

Resource tags are metadata key-value pairs that can be attached to Azure resources, resource groups, and subscriptions. They allow administrators to logically organize resources by department, environment, cost center, or any custom category, and this metadata is included in compliance reports. Unlike resource group names or management groups, tags are flexible and can be applied across multiple resource groups and subscriptions, making them the correct choice for this requirement.

Exam trap

The trap here is that candidates confuse management groups (which organize subscriptions for policy and RBAC) with resource tags (which provide per-resource metadata), leading them to select management groups even though they cannot express department or environment ownership at the individual resource level.

How to eliminate wrong answers

Option A is wrong because resource group names are hierarchical containers, not metadata; they cannot be used to tag individual resources with department or environment information, and a resource can only belong to one resource group. Option B is wrong because management groups provide hierarchical governance for subscriptions (e.g., policy and RBAC inheritance), but they do not attach metadata to individual resources and cannot express per-resource department or environment ownership. Option D is wrong because resource locks prevent accidental deletion or modification of resources; they have no metadata or labeling capability and cannot convey ownership or environment details.

733
MCQ · hard

Your company wants every subscription under the Corp-MG management group to block the creation of resource groups unless the deployment includes the tags CostCenter and Environment. You need a centralized solution that is inherited by child subscriptions. What should you configure?

A. An Azure Policy assignment at the management group scope
B. A custom RBAC role at the tenant root
C. A CanNotDelete lock on each subscription
D. A subscription budget alert
Answer: A

Management group policy assignments are inherited and can enforce required tags centrally.

Why this answer

Azure Policy at the management group scope is the correct centralized solution because it enforces a policy (e.g., requiring tags) that is inherited by all child subscriptions and resource groups. This ensures that any deployment without the required tags is denied, meeting the requirement for a governance rule that applies across the entire Corp-MG hierarchy.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties) with RBAC (which controls access) or locks (which prevent deletion), leading candidates to choose a permission-based or operational control instead of a governance policy.

How to eliminate wrong answers

Option B is wrong because a custom RBAC role at the tenant root controls permissions (who can do what), not enforcement of resource creation rules like tag requirements; RBAC does not block deployments based on tags. Option C is wrong because a CanNotDelete lock prevents deletion of resources but does not block creation of resource groups or enforce tag requirements; locks are operational restrictions, not governance policies. Option D is wrong because a subscription budget alert only sends notifications when spending exceeds a threshold; it does not prevent resource creation or enforce tagging rules.

734
MCQ · medium

A VM has an NSG with these inbound rules: Deny-RDP at priority 100 for TCP 3389 from Any, and Allow-RDP-Admins at priority 200 for TCP 3389 from 10.8.1.0/24. Admins from 10.8.1.0/24 still cannot connect by RDP. What change fixes access while keeping all other sources blocked?

A. Change the deny rule to protocol Any so the allow rule will be evaluated first.
B. Add a UDR that sends TCP 3389 traffic to the VM subnet.
C. Move the allow rule to a lower priority number than 100.
D. Associate an application security group with the VM and keep the existing priorities.
Answer: C

NSG rules are evaluated in priority order, where the lowest number wins. Because the deny rule at priority 100 is matched before the allow rule at 200, the connection is blocked even for the admin subnet. Moving the allow rule to a priority such as 90 makes it the first matching rule, while the deny rule still blocks all other sources afterward.

Why this answer

Option C is correct because NSG rules are evaluated in priority order, with lower numbers evaluated first. The Deny-RDP rule at priority 100 is evaluated before the Allow-RDP-Admins rule at priority 200, so traffic from 10.8.1.0/24 is denied before the allow rule is reached. Moving the allow rule to a priority lower than 100 (e.g., 90) ensures it is evaluated first, allowing the admin traffic while the deny rule still blocks all other sources.

Exam trap

The trap here is that candidates often think changing the protocol or adding a route or ASG can override the priority-based evaluation order, but the core issue is simply that the deny rule has a lower priority number and is evaluated first.

How to eliminate wrong answers

Option A is wrong because changing the deny rule to protocol Any does not affect evaluation order; NSGs still evaluate rules by priority number, and the deny at priority 100 will still be evaluated before the allow at 200, regardless of protocol scope. Option B is wrong because a User Defined Route (UDR) controls traffic routing at Layer 3, not firewall filtering; it cannot override NSG rule evaluation, and adding a UDR would not change the order of NSG rule processing. Option D is wrong because associating an application security group (ASG) does not change rule priority; the deny rule at priority 100 still takes precedence over the allow rule at priority 200, so admins would still be blocked.

735
MCQ · medium

A backend tier runs on three Azure VMs. The VMs are rebuilt frequently and receive new private IP addresses during redeployment. The administrator must allow inbound TCP 1433 from the app tier without rewriting the NSG rule each time the backend VMs change. What should be used?

A. Individual private IP addresses assigned directly in the NSG rule
B. An application security group referenced by the NSG rule
C. A service endpoint enabled on the subnet
D. A load balancer inbound NAT rule on port 1433
Answer: B

Application security groups let you group VMs logically and reference that group in NSG rules. When the backend VMs are rebuilt or their IPs change, the rule still applies as long as the NICs remain members of the ASG, which reduces manual maintenance.

Why this answer

An application security group (ASG) allows you to group VMs logically (e.g., by tier) and reference that group in a network security group (NSG) rule. When backend VMs are rebuilt and receive new private IPs, the ASG membership is automatically updated, so the NSG rule continues to apply without manual changes. This makes ASG the correct choice for dynamic environments where IP addresses change frequently.

Exam trap

The trap here is that candidates often confuse application security groups with network security groups or think that a load balancer or service endpoint can solve dynamic IP changes, but only ASGs provide a logical grouping that automatically follows VM IP changes without manual rule updates.

How to eliminate wrong answers

Option A is wrong because using individual private IP addresses in an NSG rule requires manual updates each time a backend VM is rebuilt and gets a new IP, which violates the requirement to avoid rewriting rules. Option C is wrong because a service endpoint extends a VNet to a specific Azure service (e.g., Azure SQL Database) and does not control inbound traffic between tiers within the same VNet; it is irrelevant for allowing TCP 1433 between app and backend VMs. Option D is wrong because a load balancer inbound NAT rule maps a frontend port to a specific backend VM's IP and port; it does not dynamically adapt to changing private IPs of multiple backend VMs and would require updating the NAT rule each time a VM is redeployed.

736
Multi-Select · hard

A VM in VNet-Prod must connect to Azure SQL Database over a private IP address. The SQL server must not be reachable through its public endpoint, and the VM should resolve the server name automatically without manual DNS entries. Which three actions are required? Select three.

Select 3 answers
A. Create a private endpoint for the Azure SQL server in VNet-Prod.
B. Create the private DNS zone privatelink.database.windows.net.
C. Link the private DNS zone to VNet-Prod.
D. Enable a service endpoint for Microsoft.Sql on the subnet instead of using a private endpoint.
E. Leave public network access enabled and add the VNet as an allowed firewall rule.
Answers: A, B, C

A private endpoint gives the SQL server a private IP address inside the virtual network.

Why this answer

Option A is correct because a private endpoint assigns a private IP address from VNet-Prod to the Azure SQL server, enabling connectivity over a private IP while blocking the public endpoint. This ensures the SQL server is not reachable through its public endpoint, meeting the requirement for private connectivity.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, not realizing that service endpoints do not provide a private IP or block public access, and that leaving public access enabled contradicts the requirement for private-only connectivity.

737
MCQ · medium

A platform team must enforce three governance rules across every subscription in a management group: allowed Azure regions, required Environment tags, and approved VM sizes. They want one assignment that groups the rules together and gives a single compliance view. What should they use?

A. A single RBAC role assignment at the management group.
B. A management lock on each subscription.
C. An Azure Policy initiative assigned at the management group.
D. A private endpoint for Azure Resource Manager.
Answer: C

An initiative is the right tool when several related policies must be managed as one governance package. It lets the team assign the region, tagging, and VM size rules together, inherit them across all subscriptions under the management group, and review compliance in one place. This is simpler to operate than assigning each policy separately to each subscription.

Why this answer

An Azure Policy initiative (also known as a policy set) allows you to group multiple individual policy definitions—such as allowed regions, required tags, and approved VM sizes—into a single assignment. When assigned at the management group scope, the initiative enforces all three rules across every subscription within that group and provides a unified compliance view in the Azure Policy dashboard, meeting the team's requirement for consolidated governance.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource configurations) with RBAC (which controls user permissions) or management locks (which prevent deletion/modification), leading candidates to select a control that addresses a different aspect of governance.

How to eliminate wrong answers

Option A is wrong because RBAC role assignments control who can perform actions (authorization), not what resources are allowed or required (governance rules like allowed regions or tags). Option B is wrong because management locks prevent accidental deletion or modification of resources but cannot enforce specific resource configurations such as allowed regions, required tags, or approved VM sizes. Option D is wrong because a private endpoint for Azure Resource Manager restricts network access to the ARM API, but it does not enforce governance rules on resource properties or configurations.

738
Multi-Select · hard

A contractor needs Contributor on only VM1 and VM2 in rg-prod. Other resources in rg-prod must remain untouched, and the contractor must not gain access to any other resource groups or subscriptions. Which two role-assignment scopes meet the requirement? Select two.

Select 2 answers
A. Assign the role at the VM1 resource scope.
B. Assign the role at the VM2 resource scope.
C. Assign the role at the rg-prod resource group scope.
D. Assign the role at the subscription scope.
E. Assign the role at the management group scope.
Answers: A, B

A resource-level assignment limits permissions to VM1 and does not extend to unrelated resources.

Why this answer

Option A is correct because assigning the Contributor role at the VM1 resource scope grants the contractor permissions exclusively to that virtual machine, leaving all other resources in rg-prod and other scopes untouched. This meets the requirement of limiting access to only VM1 and VM2 within rg-prod.

Exam trap

The trap here is that candidates often default to assigning roles at the resource group scope for simplicity, forgetting that this grants access to all resources in that group, not just the specified VMs.

739
MCQ · hard

An Azure subscription contains several resource groups. You need to ensure that users can create virtual machines only in regions approved by the security team. Existing noncompliant VMs can remain unchanged. What should you do?

A. Apply a ReadOnly lock to each resource group.
B. Assign a policy that denies resources in disallowed locations.
C. Create an action group in Azure Monitor.
D. Move all existing VMs to approved regions.
Answer: B

This blocks creation of new VMs in unapproved regions while leaving existing deployments intact.

Why this answer

Azure Policy can enforce organizational standards by evaluating resources for compliance. The built-in 'Not allowed locations' policy denies the creation of resources in specified regions, ensuring users can only deploy VMs in approved regions. Since the requirement is to allow existing noncompliant VMs to remain unchanged, a deny effect policy (without a 'DeployIfNotExists' or 'Modify' effect) will only affect new deployments, leaving existing resources untouched.

Exam trap

The trap here is that candidates may confuse Azure Policy with Azure RBAC or locks, thinking that restricting permissions or locking resources will control where resources can be created, but only Azure Policy can enforce location-based restrictions at deployment time.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all modifications and deletions to resources, but it does not restrict the region where new VMs can be created; users could still create VMs in unapproved regions in other resource groups. Option C is wrong because an action group in Azure Monitor defines notifications and actions for alerts, but it does not enforce any regional restrictions on resource creation. Option D is wrong because moving existing VMs to approved regions is not required by the question (existing noncompliant VMs can remain unchanged) and would be an unnecessary operational overhead; the goal is to prevent future noncompliant deployments, not to remediate existing ones.

740
Multi-Select · medium

You are designing a containerized application deployment in Azure. Which three options must you consider when choosing between Azure Container Instances (ACI) and Azure Kubernetes Service (AKS)? (Choose three.)

Select 3 answers
- ACI is ideal for simple, short-lived tasks or burst workloads that do not require orchestration.
- AKS provides built-in auto-scaling, service discovery, and rolling update capabilities.
- ACI supports mounting an Azure Files share as a persistent volume.
- AKS supports only Linux-based container images and cannot run Windows containers.
- ACI automatically manages container orchestration, including load balancing and scaling across nodes.
- AKS requires you to manage the underlying virtual machine infrastructure, including patching the OS.

Why this answer

ACI is correct because it is designed for simple, short-lived tasks or burst workloads that do not require orchestration, making it ideal for scenarios like batch processing or event-driven applications. AKS is correct because it provides built-in auto-scaling, service discovery, and rolling update capabilities, which are essential for managing complex microservices architectures. ACI is correct because it supports mounting an Azure Files share as a persistent volume, enabling stateful workloads to share data across container instances.

Exam trap

The trap here is that candidates may confuse ACI's lack of orchestration with automatic orchestration, or assume AKS requires full VM management, when in fact AKS abstracts node management through managed node pools.

741
MCQ · medium

A payroll application in a VNet must access an Azure Storage account containing confidential blobs. The security team requires the storage account to be reachable only over a private IP, and public network access must be disabled. Which feature should the administrator implement?

A. A service endpoint for Microsoft.Storage on the application subnet.
B. A private endpoint for the storage account in the VNet.
C. A shared access signature embedded in the application configuration.
D. A VPN gateway connection between the subnet and the storage account.
Answer: B

A private endpoint gives the storage account a private IP address from the VNet address space, allowing traffic to stay on private connectivity. This matches the requirement to disable public network access while still letting the application reach blob data. The private endpoint also integrates with DNS so the storage FQDN resolves to the private address. That design is the correct choice when access must be restricted to a private path only.

Why this answer

A private endpoint assigns the storage account a private IP address from the VNet, enabling secure access over a private connection while completely disabling public network access. This meets the security team's requirement because traffic never traverses the public internet, and the storage account's firewall can be configured to deny all public traffic.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, not realizing that service endpoints still use the public endpoint and cannot disable public network access, whereas private endpoints provide a true private IP and full public access disablement.

How to eliminate wrong answers

Option A is wrong because a service endpoint exposes the storage account to the entire subnet via public IPs, not a private IP, and does not allow disabling public network access; it only routes traffic over the Microsoft backbone but still uses the storage account's public endpoint. Option C is wrong because a shared access signature (SAS) is a token for delegated access to storage resources, but it still requires the storage account to have public network access enabled and does not provide private IP connectivity. Option D is wrong because a VPN gateway connects on-premises networks or other VNets to the VNet, but it does not assign a private IP to the storage account within the VNet and still relies on the storage account's public endpoint for access.

742
MCQ · hard

A spoke subnet has a user-defined route for 10.60.0.0/16 that sends traffic to a virtual appliance at 10.1.0.4. The same subnet also learns a propagated route for 10.60.0.0/16 from a VPN gateway. A VM in the subnet sends traffic to 10.60.7.25. Which next hop will Azure use?

A. The virtual appliance at 10.1.0.4
B. The VPN gateway
C. The Internet
D. No next hop is available
Answer: A

A user-defined route with the same prefix takes precedence over a propagated route for that destination.

Why this answer

Azure uses the most specific route match, and user-defined routes (UDRs) take precedence over propagated routes (BGP) for the same prefix. Since the UDR for 10.60.0.0/16 with next hop 10.1.0.4 is more specific than the propagated route from the VPN gateway, traffic to 10.60.7.25 is forwarded to the virtual appliance.

Exam trap

The trap here is that candidates assume BGP-propagated routes always take precedence over UDRs, but Azure gives UDRs higher priority for the same prefix, and the longest prefix match rule is applied first.

How to eliminate wrong answers

Option B is wrong because propagated routes from a VPN gateway have a lower priority than user-defined routes for the same prefix; Azure uses the route with the longest prefix match and then the lowest administrative distance, where UDRs override BGP. Option C is wrong because there is no default route (0.0.0.0/0) or Internet next hop specified in the route table for this subnet, and the traffic matches a specific UDR. Option D is wrong because a valid next hop exists via the UDR; Azure will always use the most specific matching route, and if no route matches, it would fall back to the system default route, but here a match exists.

743
MCQ · easy

You have already deployed a Windows Server VM. After provisioning, you need to run a PowerShell script once to configure an application and create a registry setting without logging in interactively. Which Azure feature should you use?

A. Custom Script Extension
B. cloud-init
C. Azure Policy
D. Recovery Services vault
Answer: A

This extension can download and run a script on a VM after deployment without requiring interactive logon.

Why this answer

The Custom Script Extension (CSE) is the correct choice because it allows you to run a PowerShell script on a Windows VM after provisioning, without requiring interactive logon. It executes the script as the local system account, making it ideal for one-time configuration tasks like setting registry keys or installing applications. This aligns with the requirement to run a script once non-interactively.

Exam trap

The trap here is that candidates often confuse cloud-init (a Linux-only tool) with the Custom Script Extension, mistakenly assuming cloud-init works on Windows VMs, or they think Azure Policy can execute scripts when it only evaluates and enforces policies.

How to eliminate wrong answers

Option B (cloud-init) is wrong because it is designed for Linux VMs and uses cloud-init scripts (e.g., YAML or shell scripts), not PowerShell; it does not support Windows Server. Option C (Azure Policy) is wrong because it enforces compliance rules and governance at the subscription or resource group level, not for executing one-time scripts on a specific VM. Option D (Recovery Services vault) is wrong because it is used for backup and disaster recovery (e.g., Azure Backup, Site Recovery), not for running configuration scripts.

744
MCQ · medium

A support engineer must start, stop, and restart only one virtual machine named vm-app01. The engineer should not gain permissions on any other virtual machine in the subscription. What is the best scope for the role assignment?

A. The entire subscription that contains vm-app01.
B. The resource group that contains vm-app01.
C. The vm-app01 virtual machine resource itself.
D. The management group that contains the subscription.
Answer: C

This is the narrowest scope that grants access only to the targeted VM.

Why this answer

Option C is correct because Azure RBAC allows role assignments to be scoped to individual resources, such as a specific virtual machine. By assigning a role like 'Virtual Machine Contributor' at the vm-app01 resource scope, the support engineer will have permissions to start, stop, and restart only that VM, and no other resources in the subscription or resource group.

Exam trap

The trap here is that candidates often default to the resource group scope because it is the most common level for role assignments, but they overlook that the requirement explicitly restricts access to a single VM, which demands the resource-level scope.

How to eliminate wrong answers

Option A is wrong because assigning a role at the subscription scope grants permissions to all resources within that subscription, including all virtual machines, which violates the requirement of restricting access to only vm-app01. Option B is wrong because assigning a role at the resource group scope grants permissions to all resources within that resource group, including any other VMs or resources, which again exceeds the required scope. Option D is wrong because a management group scope encompasses multiple subscriptions and all resources within them, providing far broader permissions than needed and violating the principle of least privilege.

745
MCQ · medium

A team is creating a subnet for 48 small Linux VMs, two internal load balancer frontend IPs, and one Azure Bastion host. Azure reserves five IP addresses in every subnet. Which subnet prefix is the smallest that will still meet the requirement?

A./27
B./26
C./25
D./28
Answer: B

A /26 provides 64 total addresses, and Azure reserves five, leaving 59 usable addresses. That is enough for 48 VMs, two load balancer frontend IPs, and one Bastion host.

Why this answer

The correct answer is /26 because it provides 64 total IP addresses, of which Azure reserves 5, leaving 59 usable IPs. This is the smallest prefix that accommodates the 48 VMs, 2 load balancer frontend IPs, and 1 Bastion host (total 51 required IPs). A /27 would only yield 32 total IPs (27 usable), which is insufficient.

Exam trap

The trap here is that candidates often forget Azure reserves 5 IPs per subnet and incorrectly calculate usable IPs as 2^(32-prefix) - 2 (like on-premises), leading them to choose /27 (thinking 30 usable IPs are enough) or /28 (thinking 14 usable IPs are enough).

How to eliminate wrong answers

Option A (/27) is wrong because it provides only 32 total IP addresses (27 usable after Azure reserves 5), which is insufficient for the 51 required IPs. Option C (/25) is wrong because while it provides 128 total IPs (123 usable), it is not the smallest prefix that meets the requirement; /26 is smaller and sufficient. Option D (/28) is wrong because it provides only 16 total IPs (11 usable), far below the 51 required.

746
Multi-Select · easy

An operations team needs one Azure identity that can be attached to several VMs and kept even if a VM is deleted. Which two statements about a user-assigned managed identity are correct? Select two.

Select 2 answers
A.It is created as a separate Azure resource.
B.It can be assigned to more than one VM.
C.It is automatically deleted when the first VM is deleted.
D.It requires a storage account access key to work.
E.It can only be attached to one VM at a time.
Answers: A, B

A user-assigned managed identity exists independently of any VM and is managed like its own Azure resource.

Why this answer

Option A is correct because a user-assigned managed identity is created as a separate Azure resource in its own right, independent of any VM. This means it has its own lifecycle and can be managed (created, deleted, assigned) independently from the VMs it is associated with. Option B is correct because the same user-assigned identity can be attached to several VMs at once, which is exactly what the operations team needs.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned managed identities, which are tied to the VM lifecycle and are automatically deleted when the VM is deleted, leading them to incorrectly select option C.

747
MCQ · medium

A team wants to allow a subnet to access a storage account only from that subnet, but they do not want to create a private endpoint or change DNS. The storage account should still be reachable through its public endpoint, just not from other networks. What should the administrator configure?

A.A private endpoint for the storage account and a private DNS zone.
B.A public IP address for the subnet and a storage account firewall exception.
C.A service endpoint on the subnet and a storage firewall rule allowing that subnet.
D.An NSG rule that permits outbound TCP 443 to the storage account.
Answer: C

Service endpoints keep the public endpoint but restrict access based on the VNet or subnet identity.

Why this answer

Option C is correct because a service endpoint on the subnet extends the virtual network identity to the storage account, allowing the storage firewall to restrict access to traffic originating from that specific subnet. This ensures the storage account remains reachable via its public endpoint, but only from the configured subnet, without requiring a private endpoint or DNS changes.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming only private endpoints can restrict access to a storage account, or they mistakenly think NSG rules can control inbound access to PaaS services like storage accounts.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns the storage account a private IP in the virtual network, which changes the access path and typically requires DNS modifications, contradicting the requirement to avoid private endpoints and DNS changes. Option B is wrong because assigning a public IP to a subnet does not control access to the storage account; the storage firewall can only filter by source IP or virtual network/subnet, not by a subnet's public IP. Option D is wrong because an NSG rule controlling outbound traffic from the subnet does not enforce inbound restrictions on the storage account; the storage account's firewall must explicitly allow the subnet, and NSGs alone cannot restrict access to the storage account's public endpoint from other networks.

748
Multi-Select · medium

You are designing a storage solution for a large-scale data analytics application that will run in Azure. The solution needs to support high-throughput writes, hierarchical namespace for organizing data, and the ability to assign POSIX-like permissions to directories and files. Additionally, the solution must support lifecycle management policies to tier data to cooler storage tiers after 30 days and enable blob-level versioning. Which four of the following features or services should you include in your design? (Choose all that apply. There are four correct answers.)

Select 4 answers
A.Azure Data Lake Storage Gen2
B.Azure Files with SMB protocol
C.Hierarchical namespace
D.Azure Blob Storage lifecycle management
E.Azure NetApp Files
F.Blob versioning

Why this answer

Azure Data Lake Storage Gen2 (ADLS Gen2) is the correct foundational service because it combines Azure Blob Storage with a hierarchical namespace, enabling POSIX-like access control lists (ACLs) for directories and files. This service is specifically designed for high-throughput analytics workloads, supporting both hierarchical namespace and blob-level operations. Lifecycle management policies and blob versioning are built-in Azure Blob Storage features that work seamlessly with ADLS Gen2 to automate data tiering and maintain data integrity.

Exam trap

The trap here is that candidates often confuse Azure Files or Azure NetApp Files as suitable for analytics workloads with POSIX permissions, but these services lack the hierarchical namespace and blob-level lifecycle/versioning features that are native to ADLS Gen2 and Azure Blob Storage.

749
Multi-Select · medium

A Linux VM deployed from a custom image shows only a black screen after reboot, and SSH never becomes available. The administrator needs to inspect the startup process without logging into the OS. Which two Azure features should be used? Select two.

Select 2 answers
A.Boot diagnostics
B.Azure Serial Console
C.Azure Site Recovery
D.VM application health extension
E.Azure Backup restore point
Answers: A, B

Boot diagnostics provides console output and screenshots for startup troubleshooting, and Azure Serial Console gives a console connection that does not depend on the OS or SSH being up.

Why this answer

Boot diagnostics captures serial console output and screenshots of the VM during boot, allowing you to see kernel panics, driver failures, or bootloader errors even when the OS is unresponsive. Azure Serial Console provides a text-based console connection to the VM at the hypervisor layer, enabling interactive troubleshooting of the boot process (e.g., GRUB recovery, initramfs issues) without requiring network connectivity or SSH.

Exam trap

The trap here is that candidates confuse Azure Serial Console with SSH or RDP, assuming it requires the OS to be running, when in fact it works at the hypervisor level and is available even if the OS has not fully booted.

750
Multi-Select · hard

A legal team archived a 200-GB blob last quarter. They now need to open it repeatedly later today for review, and waiting more than a day would delay the case. Which two actions should the administrator take? Select two.

Select 2 answers
A.Start a rehydration request and target the Hot tier.
B.Set the rehydration priority to High.
C.Copy the blob directly while it remains in the Archive tier.
D.Change the blob back to the Archive tier after the request starts.
E.Take a snapshot first and expect it to make the archived blob readable immediately.
Answers: A, B

Archive blobs cannot be read directly, so the first step is to rehydrate them to an online tier.

Why this answer

Option A is correct because rehydrating a blob from the Archive tier to the Hot tier makes it accessible for frequent reads. The Hot tier is optimized for high-frequency access, which matches the legal team's need to open the blob repeatedly later today. Rehydration is the only way to change the blob's tier from Archive to an online tier like Hot.

Exam trap

The trap here is that candidates may think setting the rehydration priority to High alone is sufficient, but without specifying a target tier (like Hot), the rehydration request is incomplete and the blob remains archived.
