AZ-104 (AZ-104) — Questions 751–825

1170 questions total · 16 pages · All types, answers revealed

Page 11 of 16
751
MCQ · easy

An administrator needs to deploy a VM quickly using the same hardened operating system image that was approved by the security team. What should the administrator use as the source for the new VM?

A. A managed image
B. A network interface
C. A resource lock
D. A public IP address
Answer: A

A managed image captures the OS disk configuration of a prepared VM and can be used as the source for creating new VMs. It is a common way to standardize deployments when the organization has an approved build with hardening already applied. This supports quick and consistent provisioning.

Why this answer

A managed image captures a fully configured, hardened OS disk (installed software and settings included) as a reusable template. Specifying that image as the source for a new VM means the VM boots with exactly the security-approved configuration, which meets the requirement for quick, consistent deployment.

Exam trap

The trap here is that candidates may confuse a managed image with a snapshot or a VHD. A managed image is the source you specify when creating a new VM from a prepared build; a snapshot is a point-in-time copy of a single disk used for backup or cloning, and you would first have to create a managed disk from it before building a VM.

How to eliminate wrong answers

Option B is wrong because a network interface is a virtual network adapter that provides connectivity; it does not contain an OS image or bootable disk. Option C is wrong because a resource lock prevents accidental deletion or modification of a resource; it has no role in providing an OS image for VM deployment. Option D is wrong because a public IP address is a network addressing resource that enables inbound/outbound internet access; it cannot serve as a source for an operating system image.

752
MCQ · medium

A storage account must be reachable only from Azure VMs in a single subnet. Public network access should not be used, and the team wants the storage service to keep using a private IP address inside the virtual network. Which feature should the administrator configure?

A. A service endpoint on the subnet, because it creates a private IP address for the storage account.
B. A private endpoint for the storage account in the subnet.
C. A shared access signature that is limited to the subnet.
D. Storage account access keys, because they bind access to one subnet automatically.
Answer: B

A private endpoint places the storage service on a private IP address inside the VNet, which matches the requirement to avoid public network access. It is the correct choice when the service should be reachable only through a private address.

Why this answer

A private endpoint assigns the storage account a private IP address from the subnet's address space and uses Azure Private Link to carry traffic over the Microsoft backbone network. With public network access disabled on the storage account (as the scenario requires), the only path to the service is through that private address, so the VMs in the subnet reach it privately and internet clients cannot reach it at all.

Exam trap

The trap here is confusing a service endpoint (which keeps the storage account on its public endpoint and merely lets the storage firewall admit traffic from the subnet over the backbone) with a private endpoint (which gives the service a private IP in the VNet and lets you turn the public endpoint off entirely).

How to eliminate wrong answers

Option A is wrong because a service endpoint does not create a private IP address for the storage account; it only extends the VNet identity to the service, leaving the storage account with a public endpoint that is reachable from the internet. Option C is wrong because a shared access signature (SAS) is a token for delegated access to storage resources, not a network access control; it cannot restrict access to a specific subnet. Option D is wrong because storage account access keys are global credentials that grant full access to the storage account from any network source; they do not bind access to a single subnet automatically.

753
MCQ · medium

A team deployed a private endpoint for an Azure Storage account in VNet-A. The private endpoint is healthy, but VMs in VNet-A still resolve the storage account name to the public IP address. What should the administrator configure next?

A. Add a route table that sends storage traffic to the private endpoint.
B. Link the appropriate private DNS zone to VNet-A.
C. Create a network security group rule that allows outbound HTTPS.
D. Enable service endpoints for Microsoft.Storage on the subnet.
Answer: B

Private endpoints depend on DNS so client requests resolve the service name to the private IP rather than the public endpoint. If VMs in VNet-A still receive the public address, the private DNS zone is not linked or not configured correctly for that VNet. Linking the zone ensures the Azure-provided or custom DNS path returns the private endpoint address, allowing the workloads to reach the storage account privately as intended.

Why this answer

When a private endpoint is deployed, the storage account's FQDN must resolve to the private IP address from within the virtual network. Public DNS answers with a CNAME to the account's privatelink.blob.core.windows.net name, and only a private DNS zone for that suffix that is linked to the VNet turns the name into the private endpoint address; the zone is not linked automatically unless DNS integration was selected when the endpoint was created. Linking the zone to VNet-A makes the storage account name resolve to the private endpoint's IP instead of the public IP.

Exam trap

The trap here is that candidates often confuse network-level controls (route tables, NSGs, service endpoints) with DNS resolution, assuming that a healthy private endpoint alone will automatically change how the storage account name is resolved.

How to eliminate wrong answers

Option A is wrong because route tables control network traffic flow at Layer 3, not DNS resolution; adding a route to the private endpoint's IP would not change how the storage account name is resolved. Option C is wrong because NSG rules control allowed or denied traffic based on IP addresses and ports, but they do not affect DNS resolution; outbound HTTPS is already typically allowed by default. Option D is wrong because service endpoints provide direct connectivity to Azure services over the Microsoft backbone but do not change DNS resolution behavior; they also do not replace the need for a private DNS zone when using private endpoints.

754
MCQ · hard

A build server in an on-premises datacenter must deploy ARM templates to Azure. The automation must not use a human account password, and Microsoft Entra conditional access for device sign-in is not available because the server is outside Azure. The security team allows a non-human credential but wants the strongest practical option for this scenario. What should the administrator configure?

A. A system-assigned managed identity on the build server.
B. A service principal authenticated with a certificate.
C. A user-assigned managed identity shared with the build server.
D. A resource lock on the target resource group to permit template deployment.
Answer: B

A certificate-based service principal is suitable for non-interactive automation outside Azure and avoids storing a user password.

Why this answer

Option B is correct because a service principal authenticated with a certificate provides a non-human credential that does not require a human password and is the strongest practical option for an on-premises build server that cannot use managed identities (which are Azure-resource-scoped) or device-based conditional access. Certificate-based authentication for service principals uses asymmetric cryptography (X.509 certificates): the build server signs a client assertion with a private key that never leaves it, which is stronger than presenting a shared client secret and meets the requirement to avoid human account passwords. In practice, keep the private key non-exportable in the server's certificate store (or in a hardware key store where available), grant the service principal only the role the deployment needs at the target scope, and track the certificate expiry so rotation does not break the pipeline.

Exam trap

The trap here is that candidates often confuse managed identities (which are Azure-only) with service principals, assuming managed identities can be used for on-premises resources, but managed identities require an Azure resource context and cannot be assigned to non-Azure machines.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to an Azure resource (e.g., an Azure VM) and cannot be assigned to an on-premises build server outside Azure; managed identities are only available for Azure-hosted resources. Option C is wrong because a user-assigned managed identity, like system-assigned, is an Azure-only identity that cannot be assigned to an on-premises server; it requires an Azure resource to host it. Option D is wrong because a resource lock prevents accidental deletion or modification of a resource group but does not provide any authentication or authorization mechanism for deploying ARM templates; it is a governance tool, not an identity solution.

755
MCQ · hard

Traffic from VM-App01 is unexpectedly reaching the internet through a network virtual appliance. You need to determine which route is currently applied to the virtual machine network interface. Which Azure tool should you use?

A. Effective routes for the network interface
B. NSG flow logs
C. Azure Advisor recommendations
D. Diagnostic settings for the activity log
Answer: A

Effective routes reveal the current routing entries applied to the VM NIC.

Why this answer

Effective routes for the network interface show the actual routes applied to a VM's NIC, including system routes, BGP routes, and user-defined routes (UDRs). Since traffic is unexpectedly reaching the internet through an NVA, you need to verify which route (e.g., a UDR with next hop type VirtualAppliance) is currently active. This tool directly displays the effective route table for the specific NIC, allowing you to identify the misconfigured route.

Exam trap

The trap here is that candidates often confuse network security group (NSG) flow logs with routing diagnostics, but NSG flow logs only show traffic filtering decisions, not the path traffic takes based on routes.

How to eliminate wrong answers

Option B is wrong because NSG flow logs record allowed/denied traffic flows based on network security group rules, not routing decisions; they cannot show which route is applied to the NIC. Option C is wrong because Azure Advisor provides best-practice recommendations for reliability, security, and cost, but it does not display the effective routes for a specific VM NIC. Option D is wrong because diagnostic settings for the activity log capture control-plane events (e.g., resource creation or modification), not the data-plane routing state of a network interface.

756
MCQ · easy

A web app running on an Azure VM must read files from Azure Blob Storage without storing any passwords, secrets, or access keys on the VM. The identity should be tied to that VM and removed automatically if the VM is deleted. What should you enable?

A. A system-assigned managed identity
B. A shared storage account key in the application settings
C. A user account with a local password on the VM
D. A service endpoint on the VM subnet
Answer: A

A system-assigned managed identity is created for one Azure resource, such as a VM, and its lifecycle is tied to that resource. The app can use Azure AD-based authentication to access Blob Storage without storing secrets on the VM. If the VM is deleted, the identity is also removed, which matches the requirement exactly. This is the preferred approach for credential-free access when only one VM needs the identity.

Why this answer

A system-assigned managed identity is the correct choice because it creates an identity in Azure AD that is tied directly to the lifecycle of the VM. When the VM is deleted, the identity is automatically removed. The VM can use this identity to authenticate to Azure Blob Storage via Azure AD without storing any credentials on the VM, using the Azure Instance Metadata Service (IMDS) to obtain tokens.

Exam trap

The trap here is that candidates often confuse service endpoints (which only provide network-level access control) with managed identities (which provide identity-based authentication), leading them to select option D thinking it enables secure access without credentials.

How to eliminate wrong answers

Option B is wrong because storing a shared storage account key in application settings violates the requirement of not storing any passwords, secrets, or access keys on the VM, and the key is not automatically removed if the VM is deleted. Option C is wrong because a user account with a local password on the VM does not integrate with Azure AD for accessing Azure Blob Storage, and it stores credentials locally, which is explicitly prohibited. Option D is wrong because a service endpoint on the VM subnet only secures traffic to the storage account at the network level and does not provide an identity or credential-free authentication mechanism for the VM to access the storage account.

757
MCQ · medium

A subnet is associated with a NAT gateway, but outbound traffic from the VMs still leaves through a network virtual appliance because the subnet has a user-defined route for 0.0.0.0/0 with next hop type Virtual appliance. The workload must use the NAT gateway for internet-bound traffic while keeping more specific routes intact. What should the administrator change?

A. Disable the subnet's network security group so the NAT gateway can take effect.
B. Remove the 0.0.0.0/0 user-defined route from the subnet route table.
C. Enable gateway route propagation on the route table.
D. Attach a public IP address to each virtual machine NIC.
Answer: B

A default UDR to a virtual appliance overrides the system default route, so the NAT gateway never becomes the effective internet egress path. Removing that default route restores normal outbound routing, and the NAT gateway can then provide the public source IP for internet-bound traffic. More specific UDRs for private prefixes can remain in place.

Why this answer

The NAT gateway provides outbound connectivity for VMs in the subnet, but a user-defined route (UDR) for 0.0.0.0/0 with next hop type Virtual appliance overrides the system default route, so internet-bound packets are handed to the NVA before the NAT gateway can act on them. Removing that UDR restores the system route (next hop Internet) for internet-bound traffic, and the NAT gateway then performs source NAT for it using its public IP. More specific routes (for example, to on-premises prefixes) remain intact because removing the 0.0.0.0/0 entry does not touch them.

Exam trap

The trap here is that candidates often think a NAT gateway requires a UDR to function, when in fact the NAT gateway works via the system default route and a UDR for 0.0.0.0/0 with a different next hop type will override it, breaking the NAT gateway's intended behavior.

How to eliminate wrong answers

Option A is wrong because disabling the network security group (NSG) does not affect routing; NSGs filter traffic based on rules but do not influence the path traffic takes to the internet. Option C is wrong because enabling gateway route propagation adds routes from a virtual network gateway (e.g., VPN/ExpressRoute) to the route table, but it does not remove or override the existing 0.0.0.0/0 UDR; the UDR still takes precedence over propagated routes. Option D is wrong because attaching a public IP to each VM NIC would give each VM its own outbound public IP, bypassing the NAT gateway entirely and defeating the purpose of using a shared NAT gateway for outbound traffic.
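Questions 755 and 757 both turn on how Azure picks one effective route per destination: longest matching prefix first, and on a tie a user-defined route beats a BGP route, which beats a system route. The following added example (my own code, not from the original page) models that selection on a constructed route table so you can see why the 0.0.0.0/0 UDR to the NVA wins over the system Internet route, and why deleting only that UDR leaves the more specific routes untouched. The VNet prefix, on-premises prefix and probe addresses are invented; the assumption that a NAT gateway is not itself a route but SNATs traffic whose effective next hop is Internet is stated in the code.

```python
"""Effective-route selection for an Azure NIC, as a stand-alone model.

Added example, not code from the original page. Azure picks the route with the
longest matching prefix; when prefix lengths tie, a user-defined route beats a
BGP route, which beats a system (Default) route. Assumption: a NAT gateway is
not a route; it performs SNAT on whatever the effective route sends to next hop
'Internet'. All prefixes and next hops below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Tie-break order between routes of equal prefix length.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str          # destination CIDR, e.g. "0.0.0.0/0"
    next_hop_type: str   # VnetLocal, Internet, None, VirtualAppliance, VirtualNetworkGateway
    source: str          # User (UDR), VirtualNetworkGateway (BGP), Default (system)

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


# System routes Azure installs on every subnet (constructed VNet 10.20.0.0/16).
SYSTEM_ROUTES = [
    Route("10.20.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
    Route("10.0.0.0/8", "None", "Default"),
    Route("172.16.0.0/12", "None", "Default"),
    Route("192.168.0.0/16", "None", "Default"),
]

# On-premises prefix learned over the VPN gateway via BGP (constructed).
BGP_ROUTES = [Route("10.100.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway")]

# UDRs from the question 757 route table: a default route to an NVA, plus a
# more specific route that must keep working after the default route is removed.
USER_ROUTES = [
    Route("0.0.0.0/0", "VirtualAppliance", "User"),
    Route("10.100.0.0/16", "VirtualAppliance", "User"),
]


def effective_route(routes, destination):
    """Return the single route Azure would apply for traffic to `destination`."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    # Longest prefix wins; equal prefixes are settled by route source.
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, SOURCE_PRIORITY[r.source]))


def without_default_udr(routes):
    """The fix from question 757: drop only the 0.0.0.0/0 user-defined route."""
    return [r for r in routes
            if not (r.source == "User" and r.prefix == "0.0.0.0/0")]


ALL_ROUTES = SYSTEM_ROUTES + BGP_ROUTES + USER_ROUTES
FIXED_ROUTES = without_default_udr(ALL_ROUTES)


def egress_summary(routes, destinations):
    """Map each destination to (prefix, next hop, source), like the portal view."""
    summary = {}
    for d in destinations:
        r = effective_route(routes, d)
        summary[d] = (r.prefix, r.next_hop_type, r.source) if r else None
    return summary


if __name__ == "__main__":
    probes = ["13.107.42.14", "10.100.0.5", "10.20.3.7"]
    for label, table in (("before fix", ALL_ROUTES), ("after fix", FIXED_ROUTES)):
        print(label, egress_summary(table, probes))
```

Before the fix the internet probe lands on the 0.0.0.0/0 UDR with next hop VirtualAppliance, which is exactly what the effective-routes view in question 755 would show; after the fix it lands on the system Internet route, and the on-premises probe still follows the specific UDR to the NVA.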

758
MCQ · easy

A legal team stores archived case files in Azure Blob Storage. The files are rarely read, but they must remain online and available immediately when needed. Which access tier should the administrator use?

A. Hot tier
B. Cool tier
C. Archive tier
D. Premium tier
Answer: B

Cool tier is designed for infrequently accessed data that still needs to stay online and be available immediately without rehydration.

Why this answer

The Cool tier is designed for data that is infrequently accessed but must remain online with low-latency retrieval. Archived case files that are rarely read but need immediate availability fit this profile, as Cool tier offers lower storage costs than Hot tier while still providing millisecond access times.

Exam trap

The trap here is that candidates often choose Archive tier for 'archived' data without reading the 'available immediately' requirement, missing that Archive tier requires rehydration and cannot serve data on demand.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent access and has the highest storage cost, making it cost-inefficient for rarely read data. Option C is wrong because the Archive tier has the lowest storage cost but keeps blobs offline; they must be rehydrated (up to 15 hours at standard priority) before they can be read, which violates the 'available immediately' requirement. Option D is wrong because Premium is a performance tier of the storage account for low-latency block blob or append blob workloads, not an access tier for cold data, and it is not cost-justified for archived case files.

759
MCQ · medium

A storage account has public network access disabled. A VM in VNet-App can reach a private endpoint for the account, but the storage name still resolves to the public IP address from the VM, and connections are denied. What should the administrator configure?

A. A service endpoint on the subnet so the storage account uses a private IP address.
B. A private DNS zone for the storage blob endpoint linked to VNet-App.
C. A storage account access key on the VM so the public endpoint will accept the connection.
D. A user-defined route sending storage traffic to the virtual network gateway.
Answer: B

Private DNS is needed so the blob FQDN resolves to the private endpoint IP inside the VNet.

Why this answer

When public network access is disabled on a storage account and a private endpoint is configured, the storage account's public DNS name must resolve to the private endpoint's private IP address within the virtual network. By default, the DNS name continues to resolve to the public IP address, causing connection failures. Linking a private DNS zone (privatelink.blob.core.windows.net) to VNet-App enables automatic resolution of the storage blob endpoint to the private IP address, allowing the VM to connect successfully.

Exam trap

The trap here is that candidates confuse service endpoints (which still use the public endpoint) with private endpoints (which use a private IP address), and assume that disabling public network access alone is sufficient without configuring DNS resolution to point to the private endpoint.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP address to the storage account; it only allows the storage account to accept traffic from the subnet via its public endpoint, and public network access is disabled, so this would not work. Option C is wrong because the storage account access key is used for authentication, not for network connectivity; even with the correct key, the VM cannot reach the public endpoint when public network access is disabled. Option D is wrong because a user-defined route sending storage traffic to the virtual network gateway is unnecessary and does not change DNS resolution; the issue is DNS resolution, not routing.
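Questions 753 and 759 (and the DNS half of 767) describe the same mechanism, so one added example covers them. This is my own illustration, not code from the original page: a small resolver that follows the CNAME chain public DNS returns for a storage account with a private endpoint, and consults a linked private zone only when the name falls under that zone's suffix. The account names, cluster hostname, public addresses and private endpoint address are constructed; the only real behaviour modelled is that the public name is a CNAME to the privatelink name, and that a linked private zone is authoritative for its suffix.

```python
"""How a linked private DNS zone changes resolution of a storage account name.

Added example, not code from the original page. Public DNS for a storage
account that has a private endpoint returns a CNAME to the account's
privatelink.blob.core.windows.net name; only a private DNS zone for that suffix,
linked to the VNet, turns that name into the private endpoint IP. All names,
IPs and records below are constructed sample data.
"""
import ipaddress

PRIVATELINK_ZONE = "privatelink.blob.core.windows.net"

# Public DNS view (constructed). contoso123 and contoso555 have private
# endpoints somewhere, so their names are CNAME chains; contoso999 has none.
PUBLIC_DNS = {
    "contoso123.blob.core.windows.net": ("CNAME", "contoso123.privatelink.blob.core.windows.net"),
    "contoso123.privatelink.blob.core.windows.net": ("CNAME", "blob.cluster01.store.core.windows.net"),
    "contoso555.blob.core.windows.net": ("CNAME", "contoso555.privatelink.blob.core.windows.net"),
    "contoso555.privatelink.blob.core.windows.net": ("CNAME", "blob.cluster02.store.core.windows.net"),
    "blob.cluster01.store.core.windows.net": ("A", "20.60.0.10"),
    "blob.cluster02.store.core.windows.net": ("A", "20.60.0.12"),
    "contoso999.blob.core.windows.net": ("A", "20.60.0.11"),
}

# The private zone privatelink.blob.core.windows.net as created alongside the
# contoso123 private endpoint in VNet-App. Record name 'contoso123' (relative to
# the zone) points at the private endpoint NIC address. contoso555's endpoint
# lives in another VNet and was registered in a different zone, so it is absent.
PRIVATE_ZONE = {
    "contoso123.privatelink.blob.core.windows.net": ("A", "10.20.1.4"),
}


def resolve(name, linked_zones, max_hops=8):
    """Resolve `name` the way a VM using Azure-provided DNS would.

    `linked_zones` maps a zone suffix to its records, for zones linked to the
    VM's VNet. A linked zone is authoritative: a name under its suffix with no
    record fails instead of falling through to public DNS.
    Returns (ip_or_None, [names visited]).
    """
    chain = [name]
    for _ in range(max_hops):
        zone = next((z for z in linked_zones if name.endswith("." + z)), None)
        record = linked_zones[zone].get(name) if zone else PUBLIC_DNS.get(name)
        if record is None:
            return None, chain
        rtype, value = record
        if rtype == "A":
            return value, chain
        name = value           # CNAME: keep following
        chain.append(name)
    return None, chain


def resolves_privately(name, linked_zones):
    """True only when the final answer is an address inside the VNet."""
    ip, _ = resolve(name, linked_zones)
    return ip is not None and ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    linked = {PRIVATELINK_ZONE: PRIVATE_ZONE}
    for account in ("contoso123", "contoso999", "contoso555"):
        fqdn = f"{account}.blob.core.windows.net"
        print(f"{fqdn}: no link -> {resolve(fqdn, {})[0]}, linked -> {resolve(fqdn, linked)[0]}")
```

Two things worth noticing from the output. With no zone linked, contoso123 resolves all the way to the public address even though the private endpoint is healthy, which is the symptom in both questions. Once the zone is linked, contoso555 stops resolving at all: its public CNAME lands in the linked zone, which has no record for it. Any account with a private endpoint must have its A record in every privatelink zone that is linked to a VNet that needs to reach it, so an account whose endpoint was registered in another zone will break from this VNet.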

760
MCQ · medium

A developer can access an Azure Blob container from the portal using Microsoft Entra sign-in, but their custom app gets a 403 error when reading the same blob. The storage account is configured to use Azure AD authorization. What is the most likely fix?

A. Assign the user the Storage Blob Data Reader role on the container or storage account.
B. Assign the user the Reader role on the subscription.
C. Enable shared key access so the app can bypass Azure AD permissions.
D. Move the container to the Hot tier so Azure AD authentication can succeed.
Answer: A

A 403 in this scenario usually means the identity lacks data-plane permissions. The user needs an Azure RBAC role such as Storage Blob Data Reader at the appropriate scope so the app can read blob content through Azure AD authorization.

Why this answer

The portal request succeeds because the portal acts on behalf of the signed-in user and, when that user lacks a data-plane role, can typically fall back to the account key if the user holds management-plane rights such as listKeys. The custom app has no such fallback: whichever identity it authenticates with (the user's token, or the app's own identity) must hold a data-plane role such as Storage Blob Data Reader on the container or storage account. Without that role assignment the token is valid but carries no permission for blob reads, so the service returns 403.

Exam trap

The trap here is that candidates confuse the management plane Reader role (which allows viewing the storage account in the portal) with the data plane Storage Blob Data Reader role (which is required to actually read blob content), leading them to incorrectly select Option B.

How to eliminate wrong answers

Option B is wrong because the Reader role on the subscription grants read access to management plane resources (e.g., storage account properties) but does not grant data plane permissions to read blob content; data plane access requires a role like Storage Blob Data Reader. Option C is wrong because enabling shared key access would bypass Azure AD authorization entirely, which contradicts the requirement to use Azure AD authorization; it also introduces a security risk and does not fix the RBAC permission issue. Option D is wrong because the Hot tier is a storage tier for performance/cost optimization and has no effect on Azure AD authentication success; authentication is independent of the access tier.

761
MCQ · medium

Administrators need to manage Linux virtual machines that do not have public IP addresses. They want to connect from a browser without installing a VPN client. Which Azure service should they use?

A. Azure Bastion
B. VPN Gateway
C. Load Balancer
D. Private endpoint
Answer: A

Azure Bastion provides secure browser-based RDP and SSH access to VMs using the private IP address. It avoids exposing public IPs on the virtual machines and does not require a VPN client.

Why this answer

Azure Bastion provides secure, seamless RDP/SSH connectivity to virtual machines directly from the Azure portal over TLS, without requiring public IP addresses or a VPN client. It uses a browser-based HTML5 client, making it ideal for administrators who need to manage Linux VMs without exposing them to the internet or installing additional software.

Exam trap

The trap here is that candidates often confuse Azure Bastion with VPN Gateway, assuming a VPN is required for private VM access, but Bastion eliminates the need for a VPN client by providing browser-based connectivity directly through the Azure portal.

How to eliminate wrong answers

Option B (VPN Gateway) is wrong because it requires a tunnel: point-to-site needs a VPN client installed on the administrator's device, and site-to-site needs an on-premises VPN device. Either way it contradicts the requirement of connecting from a browser without a VPN client. Option C (Load Balancer) is wrong because it distributes incoming network traffic across multiple VMs but does not provide direct administrative access or a browser-based console to individual VMs. Option D (Private endpoint) is wrong because it is used to securely connect to Azure PaaS services over a private IP address, not to provide browser-based management access to VMs.

762
MCQ · easy

A company wants to peer two Azure virtual networks so that workloads can communicate privately. VNet-A uses 10.10.0.0/16. VNet-B is being designed now. Which address space should be chosen for VNet-B?

A. 10.10.5.0/24, because it is a smaller subnet inside the same private range.
B. 10.11.0.0/16, because it does not overlap and is still within a private IPv4 range.
C. 10.10.0.0/24, because peering automatically separates overlapping subnets.
D. 192.168.1.0/24, because peered networks must always use the 192.168.x.x range.
Answer: B

This is a non-overlapping private address space, which is required for VNet peering to work properly.

Why this answer

Option B is correct because VNet peering requires non-overlapping address spaces to enable direct private IP connectivity between resources. 10.11.0.0/16 is a unique private IPv4 range (RFC 1918) that does not overlap with VNet-A's 10.10.0.0/16, ensuring successful peering without routing conflicts.

Exam trap

The trap here is that candidates assume smaller subnets within the same larger range can be peered because they are 'different subnets,' but Azure VNet peering requires completely non-overlapping address spaces at the VNet level, not just at the subnet level.

How to eliminate wrong answers

Option A is wrong because 10.10.5.0/24 is a subnet within the 10.10.0.0/16 range, causing address overlap that prevents VNet peering from establishing direct routes. Option C is wrong because 10.10.0.0/24 is also a subset of VNet-A's address space, and peering does not automatically separate overlapping subnets—overlap leads to routing ambiguity and peering failure. Option D is wrong because peered networks are not required to use the 192.168.x.x range; any RFC 1918 private address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or public IPs can be used as long as they do not overlap.
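The check behind this question is one you should run before every peering. The following added example (my own, not from the original page) validates a proposed VNet address space against every range it would have to coexist with, flags RFC 1918 membership, and rejects a malformed prefix. VNet-A's range comes from the question; the on-premises range reachable through VNet-A's gateway is a constructed addition to show that gateway-transit prefixes have to be checked too.

```python
"""Check a proposed VNet address space before peering (question 762).

Added example, not code from the original page. Peering needs the new VNet's
address space to overlap none of the address spaces it will be peered with,
and, if gateway transit is used, none of the prefixes reachable through that
gateway. VNet-A's range is from the question; the on-premises range is made up.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ranges already in use that VNet-B must not collide with.
EXISTING = {
    "VNet-A": "10.10.0.0/16",
    "on-prem (via VNet-A gateway)": "10.200.0.0/16",   # constructed
}


def check_address_space(candidate, existing=EXISTING):
    """Return {'ok', 'conflicts', 'rfc1918', 'error'} for a candidate CIDR."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.10.5.0/16.
        cand = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return {"ok": False, "conflicts": {}, "rfc1918": False, "error": str(exc)}
    conflicts = {name: rng for name, rng in existing.items()
                 if cand.overlaps(ipaddress.ip_network(rng))}
    private = any(cand.subnet_of(r) for r in RFC1918 if r.version == cand.version)
    return {"ok": not conflicts, "conflicts": conflicts,
            "rfc1918": private, "error": None}


if __name__ == "__main__":
    for option in ("10.10.5.0/24", "10.11.0.0/16", "10.10.0.0/24",
                   "192.168.1.0/24", "10.200.5.0/24", "10.10.5.0/16"):
        print(option, check_address_space(option))
```

Note that 192.168.1.0/24 passes the overlap check; what makes option D wrong is its reasoning (there is no rule that peered networks must use 192.168.x.x), not the range itself.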

763
MCQ · medium

An administrator is deploying a site-to-site VPN gateway in Azure. The GatewaySubnet already exists, but the deployment fails because no public-facing address is available for the gateway. What is required for the gateway to deploy and accept the on-premises connection?

A. Assign a standard Load Balancer to the GatewaySubnet.
B. Create a private endpoint for the virtual network gateway.
C. Create and associate a public IP address with the VPN gateway.
D. Delegate the GatewaySubnet to Microsoft.Network/privateEndpoints.
Answer: C

A site-to-site VPN gateway needs a public IP address so the on-premises VPN device can establish and maintain the tunnel to Azure. The GatewaySubnet is the correct dedicated subnet, but it is not enough by itself. The gateway also requires a public-facing address resource assigned during deployment so it can receive VPN connections from outside Azure.

Why this answer

A site-to-site VPN gateway in Azure requires a public IP address to establish the encrypted tunnel with the on-premises VPN device. The public IP address is assigned to the gateway's frontend configuration, enabling it to send and receive IPsec/IKE traffic over the internet. Without this public-facing address, the gateway cannot be provisioned or accept the on-premises connection.

Exam trap

The trap here is that candidates may confuse the GatewaySubnet requirement (a subnet named exactly GatewaySubnet, which already exists here) with the need for a public IP address, or incorrectly think a Load Balancer or private endpoint can substitute for the public IP that is mandatory for site-to-site VPN connectivity.

How to eliminate wrong answers

Option A is wrong because a standard Load Balancer is not used with VPN gateways; VPN gateways use a dedicated public IP address for the IPsec tunnel, not a load balancer. Option B is wrong because a private endpoint is used to connect privately to Azure PaaS services (e.g., Storage, SQL) over a private IP, not to provide public connectivity for a VPN gateway. Option D is wrong because subnet delegation to Microsoft.Network/privateEndpoints is for private endpoint subnets, not for VPN gateways; the gateway subnet is identified by its name, GatewaySubnet, and must not be delegated to any service.

764
MCQ · medium

You need to send an email whenever CPU utilization on VM-Prod01 exceeds 90 percent for 15 minutes. Which Azure Monitor components should you configure?

A. A metric alert and an action group
B. An activity log alert only
C. A resource lock and Azure Advisor
D. A budget alert and a private endpoint
Answer: A

A metric alert detects the threshold breach and the action group sends the email notification.

Why this answer

A metric alert monitors a specific resource metric (like CPU utilization) and triggers when a condition (e.g., >90%) is met for a given duration (15 minutes). An action group defines the notification or remediation action (e.g., sending an email). Together, they fulfill the requirement to send an email when CPU utilization exceeds 90% for 15 minutes.

Exam trap

The trap here is confusing activity log alerts (which monitor control-plane events) with metric alerts (which monitor performance data), leading candidates to incorrectly select an activity log alert for CPU utilization monitoring.

How to eliminate wrong answers

Option B is wrong because an activity log alert monitors changes to Azure resources (e.g., VM creation, deletion, or configuration changes) and cannot track performance metrics like CPU utilization. Option C is wrong because a resource lock prevents accidental deletion or modification of resources, and Azure Advisor provides optimization recommendations; neither monitors metrics nor sends alerts. Option D is wrong because a budget alert monitors cost thresholds, not performance metrics, and a private endpoint enables secure network connectivity to Azure services, not alerting.

765
MCQ · easy

A contractor team changes every few weeks. The administrator wants Azure access to stay the same when individual contractors leave or join, without editing role assignments for each person. What should be assigned the Azure role?

A. Each contractor user account individually
B. A Microsoft Entra ID security group
C. A device group
D. An Azure subscription
Answer: B

Role assignment to a group keeps permissions stable while membership changes handle joiners and leavers.

Why this answer

Assigning the Azure role to a Microsoft Entra ID security group allows the administrator to manage access by adding or removing contractors from the group, rather than editing individual role assignments. This approach ensures that role assignments remain unchanged when contractors leave or join, as the group itself retains the role. It leverages Azure RBAC's support for group-based access control, which is the recommended method for dynamic teams.

Exam trap

The trap here is that candidates may think assigning roles to individual user accounts is simpler, but the question specifically requires a solution that avoids editing role assignments when contractors change, making group-based assignment the only correct answer.

How to eliminate wrong answers

Option A is wrong because assigning the role to each contractor user account individually would require manual updates every time a contractor leaves or joins, defeating the goal of maintaining consistent access without editing role assignments. Option C is wrong because a device group is used for managing device policies and configurations (e.g., via Intune or Conditional Access), not for assigning Azure RBAC roles to users. Option D is wrong because an Azure subscription is a management boundary, not a security principal; you cannot assign an Azure role to a subscription itself—roles are assigned to users, groups, or service principals within a subscription.

766
MCQ · medium

You need to allow a support engineer to restart virtual machines in the RG-App resource group, but the engineer must not be able to create, delete, or resize the virtual machines. What should you do?

A. Assign the Virtual Machine Contributor role at the RG-App scope
B. Create a custom role that includes restart permissions and assign it at the RG-App scope
C. Assign the Contributor role at the subscription scope
D. Assign the Reader role at the RG-App scope
Answer: B

A custom role can be limited to the exact action required and scoped to the target resource group.

Why this answer

The Virtual Machine Contributor role includes permissions to restart VMs but also allows creating, deleting, and resizing them, which violates the requirement. A custom role containing Microsoft.Compute/virtualMachines/restart/action (plus the read actions the engineer needs to see the VMs, such as Microsoft.Compute/virtualMachines/read and Microsoft.Resources/subscriptions/resourceGroups/read), assigned at the RG-App scope, grants the restart capability without broader management rights.

Exam trap

The trap here is that candidates often assume the Virtual Machine Contributor role is restrictive enough for restart-only tasks, but it actually includes full VM management permissions, making a custom role necessary for precise access control.

How to eliminate wrong answers

Option A is wrong because the Virtual Machine Contributor role includes permissions to create, delete, and resize VMs (e.g., Microsoft.Compute/virtualMachines/write), which exceeds the required restriction. Option C is wrong because the Contributor role at the subscription scope grants full management access to all resources in the subscription, including creating and deleting VMs, and is far too permissive. Option D is wrong because the Reader role only allows read access and does not include any action permissions such as restart, so the engineer would be unable to restart VMs.

767
MCQ · medium

An application VM in a subnet without a public IP must access Azure Blob Storage. The storage account must not be reachable from the public internet, and DNS resolution should stay inside the virtual network. What should you implement?

A. Enable a service endpoint for Microsoft.Storage on the subnet and keep the public endpoint enabled.
B. Create a private endpoint for the storage account and link the appropriate private DNS zone.
C. Use a SAS token and allow access from any network for the storage account.
D. Assign a managed identity to the VM and remove all network restrictions from the storage account.
Answer: B

A private endpoint gives the storage service a private IP in the VNet, and private DNS keeps name resolution internal.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP from the VM's virtual network, making it reachable without public internet exposure. Linking the private DNS zone ensures that DNS resolution for the storage account (e.g., `mystorageaccount.blob.core.windows.net`) resolves to the private IP within the VNet, meeting both requirements.

Exam trap

The trap here is confusing service endpoints with private endpoints; service endpoints only secure traffic to the public endpoint via the VNet but do not remove public internet accessibility, whereas private endpoints fully isolate the resource within the VNet.

How to eliminate wrong answers

Option A is wrong because a service endpoint keeps the public endpoint enabled, meaning the storage account is still reachable from the public internet, which violates the requirement that the storage account must not be reachable from the public internet. Option C is wrong because a SAS token does not restrict network access; allowing access from any network exposes the storage account to the public internet, contradicting the requirement. Option D is wrong because removing all network restrictions from the storage account makes it publicly accessible, and a managed identity alone does not prevent public internet access.

768
MCQ · hard

A business stores audit exports in Blob Storage. The account must continue serving writes if one availability zone fails, and reporting users in the paired region must still be able to read the replicated data if the primary region becomes unavailable. Which redundancy option best meets the requirement?

A. ZRS, because it protects against a zone failure inside one region.
B. RA-GRS, because it provides read access to the secondary region but not zone redundancy.
C. RA-GZRS, because it combines zone redundancy in the primary region with read access to the secondary region.
D. GRS, because it keeps a full second copy in another region.
Answer: C

RA-GZRS is the only option that satisfies both parts of the business requirement: it protects the primary region against a zone failure and also exposes the secondary region for read access if the primary region is unavailable. That combination is exactly what zone resilience plus readable geo-redundancy requires.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because it combines synchronous zone-redundant replication across three availability zones in the primary region (protecting against a single zone failure) with asynchronous geo-replication to a paired secondary region, and enables read access to the secondary region if the primary becomes unavailable. This satisfies both requirements: continued writes during a zone failure and readable replicated data from the paired region during a primary region outage.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS or think ZRS alone is sufficient, failing to recognize that the requirement for both zone failure protection and secondary region read access necessitates the specific combination of zone redundancy and geo-replication with read access, which only RA-GZRS provides.

How to eliminate wrong answers

Option A is wrong because ZRS provides zone redundancy within a single region but does not replicate data to a paired region, so reporting users in the paired region cannot read data if the primary region becomes unavailable. Option B is wrong because RA-GRS provides read access to the secondary region but uses LRS in the primary region, which does not protect against a single availability zone failure; a zone failure would block writes. Option D is wrong because GRS replicates data to a paired region but does not provide read access to the secondary region unless a failover is initiated, and it uses LRS in the primary region, offering no zone redundancy.

769
MCQ · medium

A batch job fails with a blob read error after the administrator moved a 200-GB blob to the archive tier. The file must be available again within a few hours, and the administrator wants the least disruptive recovery. What should be done?

A. Delete the archived blob and upload a new copy from backup.
B. Change the blob tier to Hot or Cool and wait for the rehydration process to finish.
C. Enable soft delete on the storage account and retry the read operation.
D. Convert the storage account to premium performance.
Answer: B

Archive blobs are offline and cannot be read directly until they are rehydrated. The administrator should change the tier from Archive to Hot or Cool, which starts rehydration and makes the blob readable again after the process completes. This is the least disruptive recovery path because it preserves the existing blob and uses the supported restore mechanism instead of recreating the data.

Why this answer

Option B is correct because moving a blob to the archive tier makes it offline; to read it, you must first rehydrate it by changing the tier to Hot or Cool. Rehydration typically completes within a few hours (up to 15 hours for archive), meeting the requirement. This is the least disruptive method as it avoids data loss or additional uploads.

Exam trap

The trap here is that candidates may think soft delete (Option C) or changing the account tier (Option D) can immediately restore access, when in fact only explicit rehydration by tier change makes an archived blob readable.

How to eliminate wrong answers

Option A is wrong because deleting the archived blob and uploading a new copy from backup is more disruptive and time-consuming than rehydration, and it risks data loss if the backup is outdated. Option C is wrong because enabling soft delete does not affect the blob's offline state; it only protects against accidental deletion, not the need to rehydrate from archive. Option D is wrong because converting the storage account to premium performance does not change the blob's tier or rehydrate it; premium accounts do not support archive tier and would require a new account and data migration.

770
Multi-Select · medium

A production resource group must be protected from accidental deletion during a change freeze. Administrators still need to update VM sizes, rotate tags, and change NSG rules. Which two actions should the administrator take? Select two.

Select 2 answers
A. Apply a CanNotDelete lock to the resource group.
B. Apply a ReadOnly lock to the resource group.
C. Place the CanNotDelete lock at the resource group scope so it covers current and future resources.
D. Use Azure Policy to deny all delete requests.
E. Add a Protected=true tag and use it to prevent deletion.
Answers: A, C

CanNotDelete prevents deletion while still allowing normal update operations. That makes it the right lock for a freeze where changes are allowed but removal is not.

Why this answer

Option A is correct because applying a CanNotDelete lock to the resource group prevents the entire resource group from being deleted, while still allowing administrators to update VM sizes, rotate tags, and modify NSG rules. This lock type blocks delete operations but permits all read and write operations, aligning with the requirement to protect against accidental deletion during a change freeze while maintaining administrative flexibility.

Exam trap

The trap here is that candidates often confuse the CanNotDelete lock with a ReadOnly lock, assuming any lock will block all changes, or they mistakenly think Azure Policy or tags can directly prevent deletion without additional configuration, leading them to select options that either over-restrict or under-protect the resource group.

771
MCQ · medium

You removed public IP addresses from a backend subnet containing 20 VMs. The VMs still need outbound internet access for updates, and the organization wants all outbound traffic to appear from one predictable public IP. No inbound publishing is required. Which Azure service should you use?

A. A public load balancer with inbound NAT rules for each VM.
B. Azure NAT Gateway associated with the subnet.
C. A private load balancer with a backend pool of the VMs.
D. A VPN gateway connection to a remote network.
Answer: B

NAT Gateway provides outbound-only internet connectivity with a stable public IP or public IP prefix.

Why this answer

Azure NAT Gateway is the correct choice because it provides outbound-only internet connectivity for a subnet, translating all VM traffic to a single public IP address without requiring inbound NAT rules or a load balancer. It supports SNAT (Source Network Address Translation) for up to 64,000 concurrent flows per IP, meeting the requirement for predictable outbound IP and no inbound publishing.

Exam trap

The trap here is that candidates often confuse Azure NAT Gateway with a public load balancer for outbound traffic, mistakenly thinking inbound NAT rules are required for outbound connectivity, or assume a private load balancer can provide internet access via some indirect method.

How to eliminate wrong answers

Option A is wrong because a public load balancer with inbound NAT rules is designed for inbound traffic distribution and per-VM RDP/SSH access, not for providing a single outbound IP for all VMs; it would require separate public IPs or outbound rules, adding complexity and cost. Option C is wrong because a private load balancer only handles internal traffic within the virtual network and cannot provide outbound internet access or public IP translation. Option D is wrong because a VPN gateway connects to a remote network (e.g., on-premises) and does not provide direct outbound internet access; it would route traffic through the remote network, not to the internet from a single predictable public IP.

772
MCQ · hard

An on-premises ERP server connected to Azure through a site-to-site VPN must read and write blobs in a storage account by using the storage account's private IP address. Public network access must be blocked. Which storage configuration should the administrator implement?

A. Configure a service endpoint on the on-premises subnet and leave public access enabled.
B. Create a private endpoint for the storage account and disable public network access.
C. Issue a container SAS and publish the storage account public DNS name.
D. Enable SMB multichannel on the storage account.
Answer: B

A private endpoint gives the storage account a private IP in a VNet that on-premises can reach through VPN.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP address from the on-premises subnet (connected via VPN), enabling the ERP server to communicate with the storage account over the private network. Disabling public network access ensures that all traffic must traverse the private endpoint, blocking any internet-based access. This meets the requirement of using the storage account's private IP address while preventing public exposure.

Exam trap

The trap here is that candidates confuse service endpoints (which only extend network identity and do not provide a private IP) with private endpoints (which assign a true private IP and fully isolate the storage account from public access).

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP address to the storage account; it only extends the virtual network identity to the service, and leaving public access enabled violates the requirement to block public network access. Option C is wrong because a container SAS (Shared Access Signature) uses the storage account's public DNS name and requires public network access to be enabled, which contradicts the need to block public access and use a private IP. Option D is wrong because SMB multichannel is a performance feature for Azure Files over SMB 3.0, not related to private IP assignment or blocking public access for blob storage.

773
MCQ · medium

Based on the exhibit, which action should the administrator take so Contractor01 can manage the team membership without receiving Azure resource permissions?

A. Add Contractor01 as an owner of the AppOps-Admins group.
B. Add Contractor01 as a member of the AppOps-Admins group.
C. Assign Contractor01 the User Administrator role at the tenant scope.
D. Assign Contractor01 Contributor on the subscription.
Answer: A

Group owners can manage membership and ownership-related settings for that group without being granted Azure RBAC permissions on subscriptions or resource groups.

Why this answer

Adding Contractor01 as an owner of the AppOps-Admins group grants them the ability to manage group membership (add/remove members) without inheriting any Azure resource permissions. Group ownership is an Azure AD role that controls group administration only, not access to Azure resources like VMs or storage. This meets the requirement of managing team membership without resource permissions.

Exam trap

The trap here is that candidates often confuse Azure AD group ownership with Azure RBAC roles, assuming that managing a group requires a high-privilege directory role like User Administrator, or they mistakenly think adding the user as a member of the group will suffice without understanding that membership inherits the group's resource permissions.

How to eliminate wrong answers

Option B is wrong because adding Contractor01 as a member of the AppOps-Admins group would give them the group's Azure resource permissions (if the group is assigned to a role like Contributor), which violates the requirement to avoid resource permissions. Option C is wrong because the User Administrator role at the tenant scope grants broad Azure AD administrative rights, including the ability to create and manage users and groups across the entire tenant, which far exceeds the need to manage only one group's membership and introduces unnecessary security risk. Option D is wrong because assigning Contributor on the subscription grants full management access to all resources in the subscription, directly giving Azure resource permissions, which is explicitly prohibited by the requirement.

774
MCQ · hard

A system-assigned managed identity is attached to an Azure VM to call Key Vault. The VM is frequently reimaged and sometimes redeployed to a different name during scale events, but the application must keep the same identity and secretless access. What should the administrator use instead?

A. A system-assigned managed identity on each newly deployed VM.
B. A user-assigned managed identity associated with the workload.
C. A shared storage account key placed in the VM custom script.
D. A policy exemption for the Key Vault access policy.
Answer: B

A user-assigned identity remains stable across reimages and redeployments and can be attached to new VMs as needed.

Why this answer

A user-assigned managed identity is decoupled from the VM lifecycle, so it persists independently when VMs are reimaged or redeployed with different names. This allows the application to retain the same identity and secretless access to Key Vault without requiring manual reconfiguration or credential rotation.

Exam trap

The trap here is that candidates assume system-assigned identities are reusable across VM redeployments, but they are instance-scoped and destroyed with the VM, whereas user-assigned identities are persistent and can be reassigned to any resource.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the specific VM instance and is deleted when the VM is deleted, so it cannot survive redeployment to a different VM name. Option C is wrong because using a shared storage account key introduces a static secret that must be stored and rotated, violating the requirement for secretless access and increasing security risk. Option D is wrong because a policy exemption does not provide an identity for the VM to authenticate with Key Vault; it only bypasses Azure Policy effects, not access control.

775
MCQ · easy

Based on the exhibit, a subscription policy must add CostCenter=042 to new resources, and deployments must not fail if the tag is missing. Which policy effect should you use?

A. Deny
B. Audit
C. Append
D. Modify
Answer: D

Modify is used to automatically change resource requests, such as adding or correcting tags, without blocking deployment.

Why this answer

The 'Modify' effect (option D) is correct because it can add the CostCenter=042 tag to new resources without causing deployment failures if the tag is missing. Unlike 'Deny', which blocks non-compliant resources, or 'Append', which is deprecated and only works on non-tag properties, 'Modify' uses a 'merge' operation to add tags during resource creation or update, and its 'conflictEffect' can be set to 'audit' to ensure deployments succeed even when the tag is absent.

Exam trap

The trap here is that candidates often confuse 'Append' with 'Modify' because both can alter resources, but 'Append' is deprecated and cannot handle tags, while 'Modify' is the modern effect designed specifically for tag operations with flexible conflict resolution.

How to eliminate wrong answers

Option A is wrong because 'Deny' blocks resource creation or update if the condition (missing tag) is met, causing deployment failures, which contradicts the requirement that deployments must not fail. Option B is wrong because 'Audit' only logs non-compliance without taking any action to add the missing tag, so it cannot enforce the CostCenter=042 tag on new resources. Option C is wrong because 'Append' is a deprecated policy effect that cannot modify tags; it was used for adding fields to resources (e.g., IP rules) but not for tag operations, and it would not work for this scenario.

776
MCQ · hard

A finance web app in AppSubnet must connect to Azure SQL Database over the service's public endpoint. Only AppSubnet should be allowed, and the security team does not want to deploy any private IPs or change DNS. What should you configure?

A. A private endpoint for the SQL server and a private DNS zone linked to AppSubnet.
B. Enable the Microsoft.Sql service endpoint on AppSubnet and add a virtual network rule on the SQL server.
C. Create an NSG rule on AppSubnet to allow outbound TCP 1433 traffic to the SQL server's public IP address.
D. Publish the AppSubnet public IP address range in the SQL server firewall as an allow list.
Answer: B

A service endpoint keeps Azure SQL reachable through its public endpoint while allowing access only from the authorized subnet. The subnet must have the Microsoft.Sql service endpoint enabled, and the SQL server must have a virtual network rule that permits AppSubnet. This satisfies the requirement to avoid private IPs and DNS changes while still restricting access to the subnet.

Why this answer

Option B is correct because enabling the Microsoft.Sql service endpoint on AppSubnet allows traffic from that subnet to reach Azure SQL Database's public endpoint without requiring public IP addresses or DNS changes. Adding a virtual network rule on the SQL server restricts access exclusively to that subnet, meeting the security requirement without deploying private IPs.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming private IPs are required for secure connectivity, or they mistakenly think NSG rules alone can restrict access to Azure SQL Database without considering the SQL server firewall.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP to the SQL server and requires a private DNS zone, which contradicts the requirement to not deploy private IPs or change DNS. Option C is wrong because an NSG rule allowing outbound TCP 1433 to the SQL server's public IP does not restrict inbound access to only AppSubnet; the SQL server firewall still needs to allow the subnet's public IP range, which violates the no-public-IP requirement. Option D is wrong because publishing the AppSubnet public IP address range in the SQL server firewall uses public IPs, which the security team explicitly wants to avoid, and does not leverage Azure's service endpoint for secure, private connectivity.

777
Multi-Select · medium

A backup archive must survive a regional outage, and engineers need to read the secondary copy if the primary region is unavailable. Which two redundancy options meet both requirements? Select two.

Select 2 answers
A. LRS
B. ZRS
C. GRS
D. RA-GRS
E. RA-GZRS
Answers: D, E

RA-GRS replicates data to a secondary region and allows read access from that secondary endpoint.

Why this answer

RA-GRS (Read-Access Geo-Redundant Storage) is correct because it provides geo-redundant replication (GRS) that replicates data to a secondary region, ensuring survival of a regional outage, and additionally enables read access to the secondary copy even when the primary region is unavailable. This meets both requirements: disaster recovery and read availability during primary region failure.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS, assuming that geo-redundant replication automatically provides read access to the secondary copy, but GRS requires a failover to enable reads, while RA-GRS allows reads at any time.

778
Multi-Select · easy

An administrator wants future VMs to start from the same approved server build as an existing generalized VM. Which two image sources can be used to create the new VM? Select two.

Select 2 answers
A. A managed image created from the approved server build.
B. An image stored in Azure Compute Gallery.
C. A Marketplace image from the operating system vendor.
D. A single managed disk snapshot.
E. A public IP address assigned to the VM.
Answers: A, B

A managed image captures a reusable VM image from a generalized source and can be used to deploy new VMs.

Why this answer

A managed image captures the exact configuration of a generalized VM, including the OS and data disks, and can be used to deploy multiple identical VMs. This ensures that future VMs start from the same approved server build without needing to recreate the image each time.

Exam trap

The trap here is that candidates often confuse a single disk snapshot with a managed image, not realizing that a snapshot lacks the VM configuration and multiple disk support required to replicate the full approved build.

779
MCQ · medium

A subnet NSG contains these inbound rules: Deny-All-Inbound at priority 300, Allow-HTTPS-From-Bastion at priority 200, and Allow-HTTPS-From-AdminIP at priority 350. An administrator expects a management workstation on the internet to connect to a VM over TCP 443, but the connection is blocked. What is the most likely reason?

A. NSG rules are evaluated from the highest priority number to the lowest priority number.
B. The deny rule at priority 300 is matched before the allow rule at priority 350.
C. Azure NSGs cannot allow inbound traffic from public IP addresses.
D. TCP 443 requires an application security group to be used as the source.
Answer: B

NSG rules are processed in ascending order of priority number, so the lowest number wins. In this case, Deny-All-Inbound at 300 is evaluated before Allow-HTTPS-From-AdminIP at 350. Because the deny rule matches the inbound traffic first, the packet is blocked and the later allow rule is never reached. The fix is to give the allow rule a number lower than 300 or to narrow the deny rule.

Why this answer

NSG rules are evaluated in priority order, from the lowest priority number (highest priority) to the highest priority number (lowest priority). The Allow-HTTPS-From-AdminIP rule at priority 350 is evaluated after the Deny-All-Inbound rule at priority 300. Since the deny rule at priority 300 matches all inbound traffic before the allow rule at priority 350 is evaluated, the traffic is blocked.

The administrator's connection from the internet is denied because the deny rule with a lower priority number (300) takes precedence over the allow rule with a higher priority number (350).

Exam trap

The trap here is that candidates often confuse 'priority' with 'order of evaluation,' mistakenly thinking higher priority numbers are evaluated first, when in fact lower numbers (higher priority) are evaluated first, causing the deny rule to block traffic before the allow rule is checked.

How to eliminate wrong answers

Option A is wrong because NSG rules are evaluated from the lowest priority number (most specific/highest priority) to the highest priority number (least specific/lowest priority), not the reverse. Option C is wrong because Azure NSGs can allow inbound traffic from public IP addresses by specifying the public IP or a range as the source in an allow rule. Option D is wrong because TCP 443 does not require an application security group; ASGs are an optional feature for grouping VMs, not a requirement for allowing traffic on a specific port.

780
MCQ · medium

The operations team wants an email and SMS notification whenever any production virtual machine's average CPU stays above 85 percent for 10 minutes. They also want to reuse the same notification targets for future alerts. What should they configure?

A. A diagnostic setting on each VM that sends metrics to a storage account
B. An action group attached to a metric alert rule
C. A Log Analytics query alert with no notification target
D. A resource lock on the virtual machines
Answer: B

An action group centralizes the email and SMS targets, and a metric alert can evaluate CPU percentage over a 10-minute window. Linking the alert to the action group gives the team reusable notifications for future monitoring rules without recreating contact information each time.

Why this answer

Option B is correct because an action group in Azure Monitor defines the notification targets (email, SMS, etc.) for alerts, and a metric alert rule can be configured to trigger when the average CPU percentage exceeds 85% for 10 minutes. By attaching the same action group to multiple alert rules, the operations team can reuse the notification targets for future alerts without reconfiguring them each time.

Exam trap

The trap here is that candidates often confuse diagnostic settings (which only export data) with alert rules that require an action group to deliver notifications, or they mistakenly think a resource lock can provide monitoring capabilities.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting that sends metrics to a storage account only archives data for later analysis; it does not generate real-time notifications via email or SMS. Option C is wrong because a Log Analytics query alert without a notification target cannot send any alerts; it requires an action group to deliver notifications. Option D is wrong because a resource lock prevents accidental deletion or modification of resources but has no capability to monitor performance metrics or send notifications.

781
MCQ · medium

A team has Windows VMs in a subnet that need to access an Azure Storage account. The storage account should remain reachable through its public endpoint, but only traffic from that one subnet should be allowed. Which configuration best meets the requirement?

A. Create a private endpoint and disable public network access on the storage account.
B. Enable a service endpoint on the subnet and add a virtual network rule for that subnet on the storage account firewall.
C. Place the subnet behind a NAT gateway and use a shared public IP.
D. Add a VPN gateway and route storage traffic through the branch office.
Answer: B

A service endpoint lets resources in the subnet access the storage account through the service's public endpoint while presenting the subnet's Azure identity to the firewall. By adding a virtual network rule for that subnet, the storage account allows traffic from that subnet and blocks traffic from others. This satisfies the requirement to keep the public endpoint and restrict access to a single subnet.

Why this answer

Option B is correct because a service endpoint extends the virtual network private address space to the storage account, allowing traffic from the specified subnet to reach the storage account via the Azure backbone while keeping the public endpoint accessible. By adding a virtual network rule on the storage account firewall, you restrict access to only traffic originating from that subnet, meeting the requirement of allowing only that subnet through the public endpoint.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking that a private endpoint is required to restrict access to a specific subnet, but service endpoints with firewall rules achieve the same goal while keeping the public endpoint accessible.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint and disabling public network access would make the storage account reachable only via the private endpoint, not through its public endpoint as required. Option C is wrong because placing the subnet behind a NAT gateway and using a shared public IP does not restrict access to only that subnet; it only changes the source IP for outbound traffic, and the storage account firewall would need to allow that public IP, which could be shared with other resources. Option D is wrong because adding a VPN gateway and routing storage traffic through the branch office would force traffic to go on-premises and back, which is unnecessary and does not restrict access to only the specified subnet; it also does not leverage the storage account's public endpoint directly.

782
MCQ · easy

A user accidentally deleted a file from an Azure VM. The administrator wants to recover only the deleted file from the most recent backup instead of restoring the entire VM. What should the administrator use?

A. File recovery from the Azure Backup restore process
B. A new VM image
C. A metric alert
D. An NSG flow log
Answer: A

File recovery lets the administrator mount or browse backup data and restore only the needed files instead of the full VM.

Why this answer

Azure Backup's file-level recovery (also known as item-level restore) allows you to recover individual files or folders from a VM backup point without restoring the entire VM. This is achieved by mounting the recovery point as a drive on the same or another VM, enabling direct file copy. Option A is correct because this feature is specifically designed for granular recovery of deleted files from the most recent backup.

Exam trap

The trap here is that candidates may confuse Azure Backup's full VM restore with its file-level recovery capability, assuming that only a complete VM restore is possible from a backup.

How to eliminate wrong answers

Option B is wrong because creating a new VM image would require building a fresh VM from a generalized image, which does not recover the specific deleted file and would not leverage the existing backup. Option C is wrong because a metric alert monitors performance metrics (e.g., CPU, memory) and triggers notifications; it has no capability to recover files. Option D is wrong because an NSG flow log records IP traffic through a Network Security Group for auditing and analysis; it cannot restore deleted files.

783
MCQeasy

Your team wants every protected Azure VM in a vault to be backed up once each day and kept for 30 days. Which Recovery Services vault setting should you configure?

A.A diagnostic setting
B.A resource lock
C.A backup policy
D.An action group
AnswerC

A backup policy defines when backups run and how long recovery points are retained, which matches the daily backup and 30-day retention requirement.

Why this answer

A backup policy defines the frequency and retention duration for backups. By configuring a backup policy with a daily backup schedule and a retention period of 30 days, you ensure that each protected Azure VM in the Recovery Services vault is backed up once per day and the backups are kept for 30 days. This is the correct setting to meet the team's requirements.

Exam trap

The trap here is that candidates may confuse a backup policy with other vault settings like diagnostic settings or resource locks, thinking they control backup frequency or retention, when in fact only the backup policy directly defines the schedule and retention for protected items.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting is used to stream or export resource logs and metrics to destinations like Log Analytics, Storage, or Event Hubs, not to define backup schedules or retention. Option B is wrong because a resource lock prevents accidental deletion or modification of the Recovery Services vault itself, but does not control backup frequency or retention duration. Option D is wrong because an action group defines notifications and actions (e.g., email, SMS, webhook) triggered by alerts, not backup scheduling or retention policies.
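Worked example, added here and not part of the original question set: the Az PowerShell commands that create the daily/30-day policy described above and apply it to one VM. The resource group, vault and VM names (rg-backup, rsv-prod, rg-app, vm-app01) are placeholders.

```powershell
# Added example (not from the original page). Assumed names: resource group rg-backup,
# Recovery Services vault rsv-prod, protected VM vm-app01 in resource group rg-app.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName "rg-backup" -Name "rsv-prod"

# Start from the default schedule/retention objects for the AzureVM workload type
$schedule  = Get-AzRecoveryServicesBackupSchedulePolicyObject  -WorkloadType AzureVM
$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM

# One run per day at 02:00 UTC. Run times must be UTC and on a 30-minute boundary.
$runAt = (Get-Date -Date "2000-01-01T02:00:00Z").ToUniversalTime()
$schedule.ScheduleRunTimes[0] = $runAt

# Keep 30 daily recovery points and switch off the longer retention tiers, so the
# policy does exactly what the requirement says and nothing more.
$retention.IsDailyScheduleEnabled            = $true
$retention.DailySchedule.DurationCountInDays = 30
$retention.IsWeeklyScheduleEnabled           = $false
$retention.IsMonthlyScheduleEnabled          = $false
$retention.IsYearlyScheduleEnabled           = $false

$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name "vm-daily-30d" `
    -WorkloadType AzureVM -SchedulePolicy $schedule -RetentionPolicy $retention `
    -VaultId $vault.ID

# Associate a VM with the policy (the vault, not the VM, owns the schedule)
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name "vm-app01" `
    -ResourceGroupName "rg-app" -VaultId $vault.ID | Out-Null

# Read it back: expect one run time at 02:00 UTC and DurationCountInDays = 30
$check = Get-AzRecoveryServicesBackupProtectionPolicy -Name "vm-daily-30d" -VaultId $vault.ID
$check.SchedulePolicy.ScheduleRunTimes
$check.RetentionPolicy.DailySchedule.DurationCountInDays
```

The vault's soft-delete setting (on by default) keeps a deleted item's backup data for a further 14 days after the policy's retention, so treat 30 days as the policy retention, not the absolute lifetime of the data.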

784
MCQeasy

A customer-facing application runs on two Azure VMs. The business wants the application to stay available even if one datacenter in the Azure region has an outage. Which availability option should the administrator use?

A.Availability set
B.Availability zones
C.Proximity placement group
D.Azure Load Balancer
AnswerB

Availability zones place resources in physically separate datacenters within the same Azure region. That gives the application protection against a full datacenter failure, which is the scenario described. When the workload must survive a zone outage, zones are the right resiliency choice rather than a same-datacenter availability set.

Why this answer

Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. By deploying the two VMs into different zones, the application remains available if one entire datacenter fails, meeting the requirement for datacenter-level fault tolerance.

Exam trap

The trap here is that candidates confuse Availability Sets (which protect against rack-level failures within one datacenter) with Availability Zones (which protect against full datacenter outages), leading them to choose the cheaper but insufficient option A.

How to eliminate wrong answers

Option A is wrong because an Availability Set spreads VMs across fault domains (racks) and update domains (host maintenance batches) inside a single datacenter; it cannot keep the application up if that whole datacenter is lost. Option C is wrong because a Proximity Placement Group deliberately packs VMs close together to minimise network latency, which pins them into the same datacenter, the opposite of what the scenario needs. Option D is wrong because Azure Load Balancer only distributes traffic; it can front zone-redundant backends, but it is not itself an availability option and cannot make two VMs in one datacenter survive that datacenter's outage.

785
MCQmedium

A subnet contains 15 backend VMs that only need outbound internet access for patching and package downloads. Security wants all outbound connections to use one static public IP address, and no VM should have a public IP assigned directly. What should you configure?

A.A public Standard Load Balancer with outbound rules for the backend pool.
B.A NAT gateway associated with the subnet.
C.A public IP address on each virtual machine so all outbound traffic is traceable.
D.An internal load balancer with a private frontend IP.
AnswerB

A NAT gateway is designed for outbound-only connectivity from a subnet and provides a predictable public IP or prefix for SNAT. It satisfies the requirement for one static outbound address without assigning public IPs to individual VMs or exposing inbound access. This is the preferred Azure pattern for backend VMs that only need internet egress.

Why this answer

A NAT gateway is the correct choice because it provides outbound internet connectivity for all VMs in a subnet using a single static public IP address, without assigning public IPs to the VMs themselves. It handles source network address translation (SNAT) for outbound traffic, ensuring that all connections appear to originate from the configured public IP. This meets the security requirement of a single static IP for patching and package downloads.

Exam trap

The trap here is that candidates assume a load balancer is the only way to give a group of VMs one shared outbound address. A public Standard Load Balancer can perform outbound SNAT, but only through outbound rules whose SNAT ports you size by hand; a NAT gateway is the purpose-built, outbound-only option, and when both are configured on a subnet the NAT gateway takes precedence over the load balancer's outbound rules.

How to eliminate wrong answers

Option A is not the best answer: outbound rules on a public Standard Load Balancer do SNAT to the frontend's static public IP, so they could technically meet the requirement, but every VM must be placed in a backend pool, SNAT ports are allocated manually per instance and can be exhausted under load, and a load balancer is added purely for egress when nothing needs to be balanced. NAT gateway is the service Microsoft recommends for outbound-only subnets. Option C is wrong because assigning a public IP to each VM directly violates the security requirement that no VM should have a public IP assigned, and it also prevents using a single static IP for all outbound traffic. Option D is wrong because an internal load balancer with a private frontend IP cannot provide outbound internet access; it only handles traffic within the virtual network and does not perform SNAT to a public IP.
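Worked example, added here and not part of the original page: creating the NAT gateway with Az PowerShell, attaching it to the backend subnet, and checking the two things the requirement actually asks for (one static egress address; no NIC with a public IP). The resource names, region and the 10.20.1.0/24 prefix are placeholders.

```powershell
# Added example (not from the original page). Assumed names: resource group rg-net,
# VNet vnet-backend, subnet snet-backend (10.20.1.0/24), region eastus, VM NICs in rg-app.
$rg = "rg-net"; $loc = "eastus"

# NAT gateway requires a Standard SKU, statically allocated public IP. A public IP prefix
# can replace it when one address's 64,512 SNAT ports are not enough.
$egressIp = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-natgw-backend" `
    -Location $loc -Sku Standard -AllocationMethod Static

$natgw = New-AzNatGateway -ResourceGroupName $rg -Name "natgw-backend" -Location $loc `
    -Sku Standard -PublicIpAddress $egressIp -IdleTimeoutInMinutes 10

# Attach it to the subnet: every outbound flow from the subnet is now SNATed to $egressIp.
# No inbound path is created; the gateway is one-directional.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-backend"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-backend" `
    -AddressPrefix "10.20.1.0/24" -NatGateway $natgw | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# The address to hand to the patch/package mirrors' allow lists
"Egress IP: $($egressIp.IpAddress)"

# Control check for 'no VM has a public IP': this should return nothing.
Get-AzNetworkInterface -ResourceGroupName "rg-app" |
    Where-Object { $_.IpConfigurations | Where-Object { $_.PublicIpAddress } } |
    Select-Object Name

# From inside a backend VM, what the internet sees should equal $egressIp.IpAddress:
#   Invoke-RestMethod -Uri "https://ifconfig.me/ip"    # third-party echo service
```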

786
MCQmedium

Based on the exhibit, which change should you make so the VM reaches the blob service over a private IP address?

A.Enable a service endpoint on the subnet and keep the current DNS configuration.
B.Create a private endpoint for the storage account and link the appropriate private DNS zone.
C.Assign the VM a public IP address and allow it through the storage firewall.
D.Add the VM to a network security group that allows outbound TCP 443 to Azure Storage.
AnswerB

A private endpoint gives the storage service a private IP address inside the VNet, and private DNS ensures the blob name resolves to that private address. That directly matches the requirement to reach the service privately while keeping public network access disabled.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP address from the VM's virtual network, enabling direct connectivity over a private IP. Linking the private endpoint to a private DNS zone ensures that the storage account's FQDN resolves to the private IP instead of the public endpoint, meeting the requirement without exposing traffic to the internet.

Exam trap

The trap here is that candidates confuse service endpoints (which only provide firewall-level access via the public endpoint) with private endpoints (which provide a true private IP address and private DNS resolution), leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because a service endpoint only extends the storage account's firewall rules to the subnet, but the storage account's FQDN still resolves to a public IP address, not a private IP. Option C is wrong because assigning the VM a public IP address and allowing it through the storage firewall still forces traffic over the public internet, not a private IP. Option D is wrong because adding the VM to an NSG that allows outbound TCP 443 to Azure Storage only controls firewall rules; it does not change the DNS resolution or routing to use a private IP address.

787
MCQmedium

A user accidentally deleted a folder tree from an Azure file share. The administrator needs to restore only the deleted folders to the state they had yesterday, not roll back the whole share. Which feature should be used?

A.Restore the entire storage account from an account-level backup.
B.Use a file share snapshot and copy the needed folders back from it.
C.Enable blob versioning on the storage account and recover the folders from versions.
D.Create a shared access signature with read permissions and use it to recover the folder tree.
AnswerB

Azure Files snapshots capture point-in-time versions of a file share. By using the snapshot, the administrator can browse the earlier state and copy back only the deleted folders, which avoids restoring the entire share and minimizes impact on current data. This is the right operational recovery method when you need granular recovery of file content after accidental deletion.

Why this answer

Azure file share snapshots provide a point-in-time, read-only copy of the share. By mounting a snapshot taken yesterday, the administrator can browse the folder tree and copy only the deleted folders back to the live share, restoring them without affecting other data. This is the only option that allows granular, folder-level recovery without rolling back the entire share or storage account.

Exam trap

The trap here is that candidates confuse Azure Files with Azure Blob Storage and incorrectly assume blob versioning or blob-level features apply to file shares, or they think a SAS token can somehow restore deleted data, when in fact only file share snapshots provide the necessary point-in-time, granular recovery for Azure Files.

How to eliminate wrong answers

Option A is wrong because an account-level restore, as the option describes it, is an all-or-nothing rollback of every container and share in the account to the backup time; it cannot recover one folder tree. (Azure Backup protects Azure Files at the share level and supports item-level restore from its snapshots; there is no account-wide backup of a file share to restore from.) Option C is wrong because blob versioning is a feature for Azure Blob Storage, not Azure Files; file shares do not support blob versioning, and even if they did, it would apply to blobs, not SMB-accessible folders. Option D is wrong because a shared access signature (SAS) with read permissions only grants access to read data; it does not provide any recovery or rollback capability, and it cannot restore deleted folders from a previous state.

788
Multi-Selecthard

A backup operations team exports Recovery Services vault logs to Log Analytics. They need a query that returns only failed backup jobs from the last 24 hours and displays just the vault name, protected item name, and error description. Which two KQL operators should the query include? Select two.

Select 2 answers
A.where
B.project
C.summarize
D.join
E.extend
AnswersA, B

`where` filters rows so the query returns only failed jobs from the last 24 hours; `project` keeps only the vault name, protected item name and error description columns.

Why this answer

The `where` operator filters the Log Analytics data to include only rows where the backup job status equals 'Failed' and the timestamp falls within the last 24 hours. The `project` operator then keeps only the three named columns and drops everything else in the row. Together they narrow the dataset to exactly the failed jobs and fields the team needs.

Exam trap

The trap here is that candidates often confuse `extend` with `project`—both can manipulate columns, but only `project` drops all unlisted columns, while `extend` keeps all original columns and adds new ones, failing to limit the output to the required fields.
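Worked example, added here and not part of the original page: the query above run from PowerShell against a Log Analytics workspace, using the resource-specific backup table AddonAzureBackupJobs. The workspace name and resource group are placeholders; the column names (JobOperation, JobStatus, JobFailureCode, VaultUniqueId, BackupItemUniqueId) are those of the resource-specific schema. One caveat the exam question glosses over: the vault's and protected item's friendly names live in the CoreAzureBackup table, so a production version of this query adds a join on BackupItemUniqueId; the example keeps to the two operators the question asks for and projects the unique IDs instead.

```powershell
# Added example (not from the original page). Assumed: workspace law-backup in rg-backup,
# vault diagnostic settings using the resource-specific tables (AddonAzureBackupJobs).
$ws = Get-OperationalInsightsWorkspaceSafe = $null  # placeholder removed below
```

```powershell
# Added example (not from the original page). Assumed: workspace law-backup in rg-backup,
# vault diagnostic settings using the resource-specific tables (AddonAzureBackupJobs).
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-backup" -Name "law-backup"

# where  = keep only the rows we care about (last 24h, backup operation, failed)
# project = keep only the columns we care about
# JobFailureCode is the error field in this table. Friendly names (vault, item) are in
# CoreAzureBackup and would need a join on BackupItemUniqueId in a production query.
$kql = @'
AddonAzureBackupJobs
| where TimeGenerated > ago(24h)
| where JobOperation == "Backup" and JobStatus == "Failed"
| project TimeGenerated, VaultUniqueId, BackupItemUniqueId, JobFailureCode
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql `
    -Timespan (New-TimeSpan -Hours 24)
$result.Results | Format-Table -AutoSize

# The exam-trap version: 'extend' adds a column but keeps every other column in the row,
# so this would NOT reduce the output to the requested fields:
#   | extend FailedOn = format_datetime(TimeGenerated, "yyyy-MM-dd HH:mm")
```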

789
MCQmedium

A records archive stores thousands of blobs that are usually read-only. The administrator wants blobs older than 90 days to move automatically to a lower-cost online tier without manual intervention. Which solution should be configured?

A.Manually change each blob tier when the archive team remembers to review it.
B.Create a blob lifecycle management policy with a rule that moves blobs after 90 days.
C.Enable object replication so the blobs are copied to another storage account.
D.Move the account to the Archive access tier and leave it there permanently.
AnswerB

A lifecycle management policy automates tier transitions based on blob age, last access time, or other conditions. In this case, the administrator can create a rule that moves blobs older than 90 days from a higher-cost tier to a lower-cost online tier, such as Cool, without manual work. This is the right control because it enforces a repeatable storage cost strategy over time.

Why this answer

Option B is correct because Azure Blob Storage lifecycle management policies define rules that automatically transition blobs between access tiers based on age (days since last modification or creation, or since last access when access-time tracking is enabled). Here a rule that moves blobs older than 90 days from Hot to Cool meets the requirement without manual intervention. Archive would be cheaper still, but it is an offline tier: archived blobs cannot be read until they are rehydrated, so a "lower-cost online tier" requirement points to Cool (or Cold), not Archive.

Exam trap

The trap here is that candidates often confuse object replication (which copies data for redundancy) with lifecycle management (which changes the tier of existing blobs), or they assume that setting the entire account to Archive is equivalent to per-blob tiering, ignoring the operational impact on frequently accessed data.

How to eliminate wrong answers

Option A is wrong because manually changing each blob tier is not automated and contradicts the requirement for 'without manual intervention'; it also does not scale for thousands of blobs. Option C is wrong because object replication copies blobs to another storage account for redundancy or geo-distribution, not to change their access tier or reduce costs within the same account. Option D is wrong because moving the entire storage account to the Archive access tier is not a per-blob policy and would make all blobs immediately subject to Archive tier constraints (e.g., high retrieval costs and latency), which is inappropriate for blobs that may still be read occasionally before 90 days.
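Worked example, added here and not part of the original page: a lifecycle rule that tiers block blobs to Cool 90 days after their last modification, scoped to one prefix. Storage account, resource group and container names are placeholders.

```powershell
# Added example (not from the original page). Assumed names: rg-data / starchive01,
# invoices stored under the "records/" prefix.
$rg = "rg-data"; $sa = "starchive01"

# Cool is the lower-cost ONLINE tier. TierToArchive would make the blobs unreadable until
# rehydrated, which fails the "online" requirement. (TierToCold is also online, cheaper
# than Cool, with higher read cost.)
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool `
    -DaysAfterModificationGreaterThan 90
# Alternative trigger: -DaysAfterLastAccessTimeGreaterThan 90, which first requires
# Enable-AzStorageBlobLastAccessTimeTracking on the account.

# Scope the rule so it cannot touch blobs outside the archive prefix
$filter = New-AzStorageAccountManagementPolicyFilter -BlobType blockBlob -PrefixMatch "records/"

$rule = New-AzStorageAccountManagementPolicyRule -Name "records-cool-after-90d" `
    -Action $action -Filter $filter

# Set-* replaces the whole policy. If the account already has rules, fetch them with
# Get-AzStorageAccountManagementPolicy and pass them together with $rule.
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa `
    -Rule $rule | Out-Null

# Verify what was stored
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa).Rules |
    ForEach-Object { "$($_.Name): $($_.Definition.Actions.BaseBlob | ConvertTo-Json -Compress)" }
```

Lifecycle rules are evaluated once a day, so a newly created rule can take up to 24 hours to act on blobs that already qualify.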

790
Matchingmedium

Match each access requirement to the most appropriate Azure Storage authentication or authorization approach.

Concepts
Matches

Enable a managed identity on the VM and assign a data-plane RBAC role

User delegation SAS

Storage account key

Azure RBAC data role assignment

Why these pairings

SAS provides delegated access; Azure AD authentication uses identity; public access allows anonymous reads; RBAC controls permissions; Azure AD DS extends on-prem AD; Service SAS can include IP restrictions.

791
MCQhard

A new Windows VM must be deployed with an application installed, a configuration file copied from a storage account, and a bootstrap script run automatically after the operating system is provisioned. The operations team does not want to log in manually after deployment. What should they use?

A.A Custom Script Extension attached to the VM during provisioning.
B.Azure Bastion to connect through the browser and complete setup interactively.
C.A managed identity assigned to the VM without any extensions.
D.An availability set so the VM comes online faster during provisioning.
AnswerA

The Custom Script Extension is designed to run post-provisioning commands, download files, and perform installation tasks automatically. It fits a deployment workflow where the VM must be configured without manual logon after creation.

Why this answer

The Custom Script Extension (CSE) is the correct choice because it allows you to run a PowerShell or Bash script automatically after the VM is provisioned. This script can install applications, download configuration files from Azure Storage using a managed identity or SAS token, and execute bootstrap commands—all without any manual login. CSE is the standard Azure mechanism for post-deployment configuration automation on both Windows and Linux VMs.

Exam trap

The trap here is that candidates often confuse Azure Bastion (a connectivity tool) with an automation tool, or they assume a managed identity alone can run scripts, when in fact it only provides authentication and must be paired with an extension or custom code to perform actions.

How to eliminate wrong answers

Option B is wrong because Azure Bastion provides secure browser-based RDP/SSH connectivity to the VM, but it still requires a human to log in and perform the setup manually, which contradicts the requirement to avoid manual login. Option C is wrong because a managed identity alone does not execute any scripts or configuration steps; it only provides an identity for the VM to authenticate to Azure services like Key Vault or Storage, but the actual bootstrap logic must be triggered by an extension or other automation. Option D is wrong because an availability set is a logical grouping for high availability and fault tolerance; it does not affect provisioning speed or execute any post-deployment configuration tasks.
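Worked example, added here and not part of the original page: a Custom Script Extension that pulls the bootstrap script and configuration file from a private blob container using the VM's system-assigned managed identity (no storage key or SAS on the VM) and runs the script with the command kept in protected settings. VM, storage account, container and file names are placeholders.

```powershell
# Added example (not from the original page). Assumed names: VM vm-app01 in rg-app,
# storage account stdeploy01 in rg-data with a private container "bootstrap" holding
# Install-App.ps1 and app.config.
$rg = "rg-app"; $vmName = "vm-app01"
$stAcct = Get-AzStorageAccount -ResourceGroupName "rg-data" -Name "stdeploy01"

# 1. Give the VM an identity and read access to just this container (least privilege).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope "$($stAcct.Id)/blobServices/default/containers/bootstrap" | Out-Null
# Role assignments can take a few minutes to propagate before the download succeeds.

# 2. The extension. 'settings' is readable by anyone who can read the VM resource;
#    'protectedSettings' is encrypted and only decrypted on the VM, so the command line
#    (and any arguments it carries) and the identity selection go there.
$base = "https://stdeploy01.blob.core.windows.net/bootstrap"
$settings = @{
    fileUris = @("$base/Install-App.ps1", "$base/app.config")
}
$protected = @{
    commandToExecute = "powershell -ExecutionPolicy Bypass -File Install-App.ps1 -ConfigPath .\app.config"
    managedIdentity  = @{}   # empty object = use the system-assigned identity for the download
}
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name "bootstrap" `
    -Publisher "Microsoft.Compute" -ExtensionType "CustomScriptExtension" `
    -TypeHandlerVersion "1.10" -Location $vm.Location `
    -Settings $settings -ProtectedSettings $protected | Out-Null

# 3. Check provisioning state and the script's stdout/stderr without logging in.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name "bootstrap" -Status
$ext.ProvisioningState
$ext.SubStatuses | Select-Object Code, Message
```

The extension runs the script as SYSTEM, so the script itself is part of your trust boundary: keep the container private and version the script, since anyone who can write to the container can run code on every VM that bootstraps from it.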

792
MCQmedium

A finance application stores monthly invoice PDFs in Azure Blob Storage. The business wants the data to remain available if one availability zone in the region becomes unavailable, but it does not require a secondary region for read access. Which redundancy option should the administrator choose?

A.LRS, because it keeps three copies within a single datacenter and is the least expensive option.
B.ZRS, because it replicates data across zones in the same region and stays available through a zone outage.
C.GRS, because it keeps a readable copy in the paired region and is always the best choice for resilience.
D.RA-GRS, because it provides read access to the secondary region and is required for zone-level resilience.
AnswerB

ZRS stores synchronous copies across multiple availability zones in one region. That design keeps the data available if one zone becomes unavailable, while avoiding the extra complexity of a secondary region.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within the same region, ensuring that if one zone becomes unavailable, the data remains accessible from the other zones. This meets the business requirement of staying available during a zone outage without needing a secondary region for read access.

Exam trap

The trap here is that candidates often confuse ZRS with LRS, assuming that three copies in a single datacenter (LRS) are sufficient for zone-level resilience, when in fact LRS does not span availability zones and offers no protection against a full zone outage.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) keeps three copies within a single datacenter; if that datacenter or its zone is down, the data is unavailable for the duration of the outage and could be lost in a destructive event, so LRS offers no zone-level resilience. Option C is wrong because GRS (Geo-Redundant Storage) replicates data to a paired secondary region, which the business explicitly does not require, and it is not always the best choice for resilience given its higher cost and asynchronous replication. Option D is wrong because RA-GRS (Read-Access Geo-Redundant Storage) provides read access to the secondary region, which is unnecessary here, and on its own it does not provide zone-level resilience within the primary region: it relies on geo-replication, not zone redundancy.

793
Multi-Selecteasy

A reporting team wants a storage redundancy option that keeps a readable copy in the paired region. Which two choices provide read access to the secondary region? Select two.

Select 2 answers
A.Read-access geo-redundant storage (RA-GRS).
B.Read-access geo-zone-redundant storage (RA-GZRS).
C.Locally redundant storage (LRS).
D.Zone-redundant storage (ZRS).
E.Geo-redundant storage (GRS).
AnswersA, B

RA-GRS replicates data to a paired region and allows reads from the secondary endpoint, which supports reporting and read-only workloads.

Why this answer

Read-access geo-redundant storage (RA-GRS) is correct because it provides geo-redundant storage (GRS) with the additional capability to read from the secondary region at all times, not only after a failover. Read-access geo-zone-redundant storage (RA-GZRS) is the zonal counterpart: data is replicated synchronously across availability zones in the primary region and then asynchronously to the paired region, again with always-on read access to the secondary copy. Both expose a secondary endpoint (the account name suffixed with -secondary) that a reporting workload can read from while the primary stays writable; because replication to the paired region is asynchronous, reads from the secondary can lag the primary.

Exam trap

The trap here is that candidates often confuse geo-redundant storage (GRS) with read-access geo-redundant storage (RA-GRS), mistakenly assuming GRS automatically provides read access to the secondary region, but GRS only allows read access after a failover, not continuously.

794
MCQmedium

You need to allow RDP access from the internet to a Windows VM named VM-Admin01 in Azure. The VM already has a public IP address. Which additional configuration is required?

A.A private DNS zone
B.An NSG rule allowing inbound TCP 3389
C.A user-defined route to Azure Monitor
D.A blob lifecycle management rule
AnswerB

RDP requires an inbound allow rule for TCP 3389.

Why this answer

An NSG (Network Security Group) rule allowing inbound TCP port 3389 is required for Remote Desktop Protocol (RDP) traffic from the internet to reach the VM. The public IP only makes the VM addressable; the NSG associated with the NIC or subnet is a stateful packet filter whose built-in rules allow inbound traffic only from the virtual network and the Azure load balancer and end with a DenyAllInbound rule, so anything from the internet is dropped unless a higher-priority allow rule exists. (If no NSG is attached at all there is no filtering and the port is already reachable; the portal's VM creation flow attaches an NSG by default.) In practice, scope the rule's source to the administrator's known address rather than Internet, or use Azure Bastion instead of exposing 3389 at all, since an open RDP port on a public IP is continuously brute-forced.

Exam trap

The trap here is that candidates assume a public IP address alone is sufficient for inbound internet access, forgetting that an NSG's default rules deny inbound traffic from the internet and that an explicit allow rule for TCP 3389 must be added.

How to eliminate wrong answers

Option A is wrong because a private DNS zone is used for resolving names within a virtual network (e.g., custom domain names) and has no role in allowing inbound RDP traffic from the internet. Option C is wrong because a user-defined route (UDR) controls network traffic flow between subnets or to virtual appliances, not firewall rules for inbound access; Azure Monitor is a monitoring service, not a routing destination. Option D is wrong because a blob lifecycle management rule is used to automate tiering or deletion of blobs in Azure Storage, and is irrelevant to VM network access.
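Worked example, added here and not part of the original page: the NSG rule the question asks for, written with a scoped source next to the open-to-the-internet version it is usually written as, followed by a check of the effective rules on the NIC. The resource group, NSG and NIC names, the admin address 203.0.113.10 (documentation range) and the VM's private IP 10.0.1.4 are placeholders.

```powershell
# Added example (not from the original page). Assumed names: rg-app, NSG nsg-admin already
# associated with VM-Admin01's NIC (vm-admin01-nic), admin egress address 203.0.113.10,
# VM private IP 10.0.1.4.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName "rg-app" -Name "nsg-admin"

# Weak: any source on the internet can reach 3389. This is what brute-force scanners look for.
# $nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-RDP" -Priority 100 -Direction Inbound `
#     -Access Allow -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
#     -DestinationAddressPrefix * -DestinationPortRange 3389 | Set-AzNetworkSecurityGroup

# Better: same port, but only from the administrator's known address, and only to this VM.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-RDP-From-Admin" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix "203.0.113.10/32" -SourcePortRange * `
    -DestinationAddressPrefix "10.0.1.4/32" -DestinationPortRange 3389 |
    Set-AzNetworkSecurityGroup | Out-Null

# Effective rules on the NIC (VM must be running): your allow should appear above the
# built-in DenyAllInbound, and no other inbound Allow should list 3389 with source Internet or *.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName "vm-admin01-nic" -ResourceGroupName "rg-app" |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq "Inbound" } |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

If the administrator's address changes often, an Azure Bastion host or Defender for Cloud just-in-time VM access removes the standing rule entirely; the NSG rule above is the minimum the exam scenario asks for, not the recommended long-term design.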

795
MCQmedium

A team has an existing storage account with the public endpoint enabled. They want to allow access only from a specific subnet in a virtual network, but they do not want to create a private endpoint or manage private DNS zones. Which configuration should the administrator use?

A.Enable a service endpoint for Microsoft.Storage on the subnet and add the subnet to the storage account network rules.
B.Create a private endpoint and disable the public endpoint.
C.Assign a SAS token to the subnet so only resources there can connect.
D.Use an Azure Policy assignment to block public traffic to the storage account.
AnswerA

This is the correct pattern when you want to keep using the public endpoint while restricting traffic to a specific subnet. The service endpoint identifies the subnet as trusted, and the storage account firewall can then allow that subnet explicitly. It avoids the overhead of private endpoint DNS management while still reducing exposure.

Why this answer

Option A is correct because enabling a service endpoint for Microsoft.Storage on the subnet allows traffic from that subnet to the storage account over the Azure backbone network, and then adding the subnet to the storage account's network rules restricts access to only that subnet while keeping the public endpoint enabled. This meets the requirement of not using a private endpoint or managing private DNS zones.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking both require private DNS management, or mistakenly believe that a SAS token can be scoped to a network source, when in fact SAS tokens only control access to data operations, not network-level restrictions.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint and disabling the public endpoint would require managing private DNS zones, which the team explicitly wants to avoid. Option C is wrong because a SAS token is a delegation mechanism that grants access to specific resources (e.g., blobs, files) via a signed URI, but it cannot restrict access to a specific subnet; it is scoped to the token holder, not the network source. Option D is wrong because Azure Policy can enforce compliance rules (e.g., deny public network access) but cannot selectively allow access from a specific subnet; it is a governance tool, not a network access control mechanism.

796
Multi-Selecthard

A stateless customer portal runs on Azure VMs and must keep serving traffic if an entire datacenter in the region fails. The operations team also wants the portal to add and remove instances automatically during daily spikes without managing a Kubernetes cluster. Which two Azure compute capabilities should the administrator configure? Select two.

Select 2 answers
A.Deploy the portal instances across availability zones.
B.Use a virtual machine scale set with autoscale enabled.
C.Place the VMs in an availability set within a single datacenter.
D.Create a proximity placement group for the portal VMs.
E.Use a single larger VM with premium managed disks.
AnswersA, B

Availability zones place instances in separate datacenters, which helps survive a zone-level outage.

Why this answer

Availability zones protect against a full datacenter failure by distributing VM instances across physically separate datacenters within a region, so if one datacenter goes down the portal keeps serving from the other zones; a load balancer in front of the instances spreads traffic across them. A virtual machine scale set with autoscale enabled covers the second requirement: it adds and removes instances on a metric or schedule without a Kubernetes cluster, and a scale set can itself be deployed across zones, so one resource satisfies both needs for a stateless workload.

Exam trap

The trap here is confusing availability sets (rack-level redundancy) with availability zones (datacenter-level redundancy), leading candidates to pick availability sets for a full datacenter failure scenario.

797
MCQmedium

A web API runs on a single Azure VM and must access Azure Key Vault without storing any credentials on the VM. The identity should be tied to that VM and removed when the VM is deleted. What should you enable?

A.A user-assigned managed identity
B.A system-assigned managed identity
C.A storage account shared access signature
D.A local administrator account with a strong password
AnswerB

A system-assigned managed identity is created for one resource, used without secrets, and deleted with that resource.

Why this answer

A system-assigned managed identity is tied directly to the lifecycle of the Azure VM — it is created when the VM is provisioned and automatically deleted when the VM is deleted. This identity can be used to authenticate to Azure Key Vault without storing any credentials on the VM, using the Azure Instance Metadata Service (IMDS) endpoint to obtain tokens. This matches the requirement that the identity be removed when the VM is deleted.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, failing to recognize that only system-assigned identities are automatically deleted with the parent resource, while user-assigned identities persist independently.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is a standalone Azure resource with its own lifecycle — it is not automatically deleted when the VM is deleted, so it does not satisfy the requirement that the identity be removed with the VM. Option C is wrong because a storage account shared access signature (SAS) is a token granting delegated access to a storage account, not an identity for authenticating to Key Vault, and it must be stored somewhere (e.g., in a file or environment variable), violating the no-credentials-on-VM requirement. Option D is wrong because a local administrator account with a strong password stores credentials directly on the VM, which contradicts the requirement to avoid storing any credentials on the VM, and it does not provide a managed identity for Azure AD authentication.

798
MCQmedium

A team wants one subnet to access an existing Storage account over its public endpoint. They do not want a private IP for the account or any DNS changes, but they want to block access from all other subnets. What should the administrator configure?

A.Create a private endpoint and disable public network access on the storage account.
B.Enable a service endpoint on the subnet and add a virtual network rule on the storage account.
C.Assign the Storage Blob Data Reader role to the subnet.
D.Associate a route table with a default route to the storage account private IP.
AnswerB

Service endpoints preserve the public endpoint while restricting access to the selected subnet.

Why this answer

Option B is correct because a service endpoint extends the virtual network's identity to the Azure Storage service, allowing the subnet to access the storage account over its public endpoint without requiring a private IP or DNS changes. By enabling a service endpoint on the subnet and adding a virtual network rule on the storage account, you restrict access to only that subnet while blocking all other subnets, meeting the team's requirements.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that private endpoints are required for secure access, but the question explicitly states no private IP or DNS changes are desired, making service endpoints the correct choice.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint assigns a private IP to the storage account and disables public network access, which contradicts the requirement of using the public endpoint without private IP or DNS changes. Option C is wrong because assigning the Storage Blob Data Reader role to a subnet is not a valid Azure RBAC assignment; RBAC roles are assigned to security principals (users, groups, service principals), not to subnets, and it does not control network-level access. Option D is wrong because associating a route table with a default route to the storage account's private IP would require a private endpoint and would not block access from other subnets; it also does not leverage the public endpoint as required.
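Worked example, added here and not part of the original page, covering the storage network isolation questions above (the exhibit-based private endpoint question and the two service endpoint questions): the two configurations side by side in Az PowerShell, with the DNS check that tells them apart. Pick one path per account; they answer different requirements. Resource group, VNet, subnet and storage account names are placeholders.

```powershell
# Added example (not from the original page). Assumed names: rg-net / vnet-app / snet-app,
# storage account stfinance01 in rg-data.
$rg = "rg-net"; $vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-app"
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-app"
$saRg = "rg-data"; $sa = "stfinance01"

# --- Path 1: service endpoint. Public endpoint and DNS unchanged; the storage firewall
#     admits only this subnet. Requires DefaultAction Deny or the rule changes nothing.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-app" `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Storage" | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-app"

Add-AzStorageAccountNetworkRule -ResourceGroupName $saRg -Name $sa `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $saRg -Name $sa `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# --- Path 2: private endpoint. The blob service gets a NIC with a private IP in snet-app,
#     the privatelink zone makes the FQDN resolve to it, and public access is switched off.
$plsConn = New-AzPrivateLinkServiceConnection -Name "pe-$sa-blob" `
    -PrivateLinkServiceId (Get-AzStorageAccount -ResourceGroupName $saRg -Name $sa).Id `
    -GroupId "blob"      # one endpoint per sub-service: file, queue, table need their own
$pe = New-AzPrivateEndpoint -ResourceGroupName $saRg -Name "pe-$sa-blob" `
    -Location $vnet.Location -Subnet $subnet -PrivateLinkServiceConnection $plsConn

$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name "privatelink.blob.core.windows.net"
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name "link-vnet-app" -VirtualNetworkId $vnet.Id | Out-Null
$cfg = New-AzPrivateDnsZoneConfig -Name "privatelink-blob" -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $saRg -PrivateEndpointName $pe.Name `
    -Name "default" -PrivateDnsZoneConfig $cfg | Out-Null

Set-AzStorageAccount -ResourceGroupName $saRg -Name $sa -PublicNetworkAccess Disabled | Out-Null

# --- Check from a VM inside snet-app. Path 1 still resolves to a public address (expected:
#     the traffic is authorised by the firewall, not routed privately). Path 2 must resolve
#     to an address inside snet-app's prefix; a public answer means the DNS link is missing.
Resolve-DnsName "$sa.blob.core.windows.net" | Select-Object Name, Type, IPAddress
```

The DNS check is the practical difference between the two designs: with a service endpoint the client still connects to a public IP and the firewall decides; with a private endpoint a client that resolves a public address has fallen through to the public endpoint, which after `-PublicNetworkAccess Disabled` will simply be refused.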

799
MCQeasy

A developer wants to give one Azure VM access to Azure Storage now, and that identity should be removed automatically if the VM is deleted. Which identity type should the administrator assign?

A.A user-assigned managed identity
B.A system-assigned managed identity
C.A storage account SAS token
D.An NSG service tag
AnswerB

A system-assigned managed identity is attached directly to one Azure resource, such as a VM, and Azure manages its lifecycle with that resource. If the VM is deleted, the identity is also removed automatically. This makes it the right choice when the identity should exist only for that VM.

Why this answer

A system-assigned managed identity is tied directly to the lifecycle of the Azure VM. When the VM is deleted, Azure automatically deletes the identity's service principal from Azure AD, so nothing can obtain tokens as that identity any more; this fulfils the developer's requirement for automatic cleanup. Note that role assignments which referenced the identity are not removed with it: they remain listed against an "Identity not found" principal until an administrator deletes them, so periodic cleanup of orphaned assignments is still good hygiene. The identity itself is created and managed by Azure without any additional administrative overhead.

Exam trap

The trap here is that candidates confuse user-assigned managed identities with system-assigned ones, assuming both are automatically deleted, but only system-assigned identities are lifecycle-coupled to the resource.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity has an independent lifecycle from the VM; it persists in Azure AD even after the VM is deleted, requiring manual cleanup. Option C is wrong because a storage account SAS token is a shared access signature that provides delegated access to storage resources, but it is not an Azure AD identity and does not automatically revoke upon VM deletion. Option D is wrong because an NSG service tag is a network security group construct used to define IP address ranges for Azure services, not an identity mechanism for granting access to Azure Storage.

800
MCQeasy

Based on the exhibit, a workload must remain available even if one datacenter in an Azure region becomes unavailable. The region supports zone deployment. What should the administrator configure?

A.An availability set.
B.Availability zones.
C.A resource lock.
D.A user-defined route.
AnswerB

Availability zones place resources in separate physically isolated datacenters within the same region. If one datacenter becomes unavailable, the workload can continue running in another zone. That is the correct resilience option when the requirement explicitly calls for protection from a datacenter-level outage.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying the workload across two or more zones ensures that if one datacenter fails, the other zones continue to operate, maintaining availability. This directly meets the requirement of surviving a single datacenter outage within a region that supports zone deployment.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures) with availability zones (which protect against entire datacenter failures), leading them to select the wrong answer when the question explicitly requires datacenter-level resilience.

How to eliminate wrong answers

Option A is wrong because an availability set protects against rack-level failures within a single datacenter (by distributing VMs across fault domains and update domains), but it does not provide resilience if an entire datacenter becomes unavailable. Option C is wrong because a resource lock prevents accidental deletion or modification of resources, but it has no effect on availability during a datacenter outage. Option D is wrong because a user-defined route (UDR) controls network traffic routing (e.g., forced tunneling or custom next hops) and does not provide any redundancy or failover capability for compute workloads.

801
MCQmedium

You deploy several Windows virtual machines and need to install Microsoft Antimalware on each VM without logging on manually. What should you use?

A.An NSG application security group.
B.A VM extension.
C.A route table.
D.A blob lifecycle rule.
AnswerB

This is the standard mechanism for automated VM guest configuration tasks.

Why this answer

VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. The Microsoft Antimalware extension can be deployed to multiple VMs at scale via Azure PowerShell, CLI, ARM templates, or policies, enabling silent installation without manual login.

Exam trap

The trap here is that candidates confuse network-level controls (NSGs, route tables) or storage management (lifecycle rules) with VM-level software deployment, overlooking that VM extensions are the dedicated Azure mechanism for post-deployment configuration and software installation.

How to eliminate wrong answers

Option A is wrong because an NSG application security group is a network security feature that groups VMs for traffic filtering, not for installing software. Option C is wrong because a route table controls network traffic routing between subnets or to virtual appliances, not software installation. Option D is wrong because a blob lifecycle rule manages tiering or deletion of storage blobs based on age, not VM software deployment.

802
MCQeasy

A developer already has permission to create resource groups. The company wants to allow deployments only in the East US and West US regions. Which service should enforce this rule?

A.Azure RBAC, because region selection is part of user permissions.
B.Azure Policy, because it can restrict which regions are allowed for deployments.
C.A network security group, because it can block unsupported regions.
D.A read-only lock, because it limits changes to approved regions.
AnswerB

This is correct because Azure Policy can enforce a list of allowed locations at deployment time. The developer may still have RBAC permission to create resources, but the policy can deny deployments outside East US and West US. That makes Policy the proper control for region compliance, while RBAC handles access rights separately.

Why this answer

Azure Policy is the correct service because it enforces organizational rules by evaluating resource configurations against policy definitions. In this scenario, a built-in or custom policy can restrict allowed regions for all resources, ensuring deployments only occur in East US and West US. Unlike RBAC, which controls who can perform actions, Azure Policy controls what resource configurations are permitted, making it the appropriate tool for region restriction.

Exam trap

The trap here is confusing Azure RBAC (who can act) with Azure Policy (what is allowed), leading candidates to mistakenly choose RBAC for region restrictions when RBAC cannot enforce resource configuration constraints.

How to eliminate wrong answers

Option A is wrong because Azure RBAC manages permissions for actions (e.g., creating resource groups) but does not enforce constraints on resource properties like region; region selection is not a permission but a configuration attribute. Option C is wrong because a network security group (NSG) filters network traffic at the subnet or NIC level based on IP addresses and ports, not geographic regions; it cannot block or allow resource deployments in specific Azure regions. Option D is wrong because a read-only lock prevents any modifications to a resource but does not restrict which regions can be used during deployment; it is a lock, not a governance policy.

803
MCQhard

A network team centralizes DHCP in a data center. Users in a remote branch stop receiving addresses after the branch router is replaced. Which missing configuration on the branch gateway is the strongest suspect?

A.DHCP relay or helper configuration on the client-facing gateway interface
B.A spanning-tree priority change on the branch switch
C.A CAPWAP tunnel from the branch PCs to the data center
D.A voice VLAN configuration on the WAN interface
AnswerA

This is correct because centralized DHCP depends on the local gateway relaying the broadcast requests.

Why this answer

When a DHCP server is centralized in a data center, remote clients rely on the branch gateway to forward their broadcast DHCP requests as unicast to the server. This is achieved by configuring a DHCP relay agent (ip helper-address) on the client-facing interface of the branch router. Without this configuration, DHCP broadcasts are dropped at the router, and clients never receive IP addresses.

Exam trap

The trap here is that candidates may confuse DHCP relay with other broadcast-forwarding mechanisms or assume that DHCP works automatically across routers, forgetting that routers by default do not forward broadcasts unless explicitly configured with ip helper-address.

Why the other options are wrong

B

A spanning-tree priority change on the branch switch does not directly affect DHCP address allocation; it primarily influences the topology and path selection of the network. Since the issue is related to DHCP address assignment, this option is not relevant.

C

A CAPWAP tunnel is used for managing lightweight access points and does not directly relate to DHCP address assignment. Since the issue is with users not receiving DHCP addresses, a CAPWAP tunnel would not be the cause of the problem.

D

A voice VLAN configuration on the WAN interface is unrelated to DHCP address assignment issues, as voice VLANs are used for prioritizing voice traffic rather than facilitating DHCP communication.

804
MCQhard

A team is creating a new workload subnet in a spoke virtual network. The subnet must support 41 VM NICs, 2 internal load balancer frontend IP configurations, 3 private endpoint IPs, and 4 spare IPs for near-term growth. Azure reserves 5 IP addresses in every subnet. What is the smallest IPv4 subnet size that satisfies the requirement?

A./27, because 32 total addresses are enough for a small workload subnet.
B./26, because 64 total addresses provide enough usable IPs for the workload and growth.
C./25, because 128 total addresses are required once private endpoints are included.
D./28, because 16 total addresses are sufficient when load balancers are used.
AnswerB

A /26 contains 64 total addresses. After Azure reserves 5, 59 remain usable, which covers 41 VM NICs, 2 load balancer frontend IPs, 3 private endpoint IPs, and 4 spare addresses. This is the smallest subnet size that meets the stated requirement without wasting a larger block than necessary.

Why this answer

The total address count required is 41 (VM NICs) + 2 (ILB frontends) + 3 (private endpoints) + 4 (spare) + 5 (Azure reserved) = 55. A /26 subnet provides 64 total addresses, of which 59 remain usable once the 5 reserved addresses are removed, so the 55-address requirement fits. Option B is correct because /26 is the smallest subnet size whose total address space covers the 55 required.

Exam trap

The trap here is that candidates often forget to include the 5 Azure-reserved IPs in their calculation, or they mistakenly think private endpoints or load balancer frontends do not consume subnet IPs, leading them to choose a smaller subnet like /27 or /28.

How to eliminate wrong answers

Option A is wrong because /27 provides only 32 total addresses (27 usable), fewer than the 55 required. Option C is wrong because /25 provides 128 total addresses (123 usable), which is larger than necessary and therefore not the smallest subnet that satisfies the requirement. Option D is wrong because /28 provides only 16 total addresses (11 usable), far fewer than the 55 required, regardless of load balancer usage.

805
Multi-Selecthard

A Windows VM must install a monitoring agent, run a bootstrap script during provisioning, and download a configuration file from an Azure resource without storing any credentials in the script or on disk. Which two Azure compute features should the administrator use? Select two.

Select 2 answers
A.Use a Custom Script Extension to run the bootstrap actions after provisioning.
B.Assign a system-assigned managed identity to the virtual machine.
C.Enable boot diagnostics and review the serial console output.
D.Attach a read-only managed disk to store the configuration file.
E.Use an availability set to keep the bootstrap script highly available.
AnswersA, B

A custom script extension can execute setup commands and copy files automatically during deployment.

Why this answer

The Custom Script Extension (CSE) is the correct Azure feature to run a bootstrap script after provisioning because it executes a script on the VM during or after deployment, enabling installation of the monitoring agent and other configuration tasks. It is the standard method for post-deployment automation on Azure VMs, and it can reference a script stored in Azure Storage or a public URL without embedding credentials.

Exam trap

The trap here is that candidates often confuse boot diagnostics (Option C) with a method to run scripts, or think that a managed disk (Option D) can replace the need for secure credential storage, when in fact the combination of managed identity and Custom Script Extension is the only secure, credential-free approach for post-deployment automation.

806
MCQmedium

Based on the exhibit, a backup administrator accidentally stopped protection for a critical VM and then deleted its backup item. The team wants Azure Backup to retain the deleted item long enough to recover it after the mistake is discovered the next day. What should be enabled on the vault?

A.Soft delete for backup data
B.A read-only resource lock on the VM
C.A network security group rule allowing port 445
D.Instant restore snapshots set to 30 days
AnswerA

Soft delete keeps deleted backup data recoverable for a grace period, which is exactly what the team needs after a mistaken deletion is discovered later. It provides protection against accidental loss of backup items.

Why this answer

Soft delete for backup data is the correct answer because it provides a safety net for accidentally deleted backup items. When enabled, Azure Backup retains deleted backup data for an additional 14 days (default) in a soft-deleted state, allowing administrators to recover the data before it is permanently purged. This directly addresses the scenario where protection was stopped and the backup item was deleted, as the data remains recoverable within the retention period.

Exam trap

The trap here is that candidates may confuse soft delete for backup data with resource locks or network security rules, mistakenly thinking that protecting the VM itself or enabling network access will preserve deleted backup items, when in fact only the vault-level soft delete feature retains the backup data after deletion.

How to eliminate wrong answers

Option B is wrong because a read-only resource lock on the VM prevents modifications to the VM itself but does not protect backup data stored in the Recovery Services vault; it has no effect on backup items or their deletion. Option C is wrong because a network security group rule allowing port 445 is used for SMB file sharing or replication traffic, not for backup recovery or retention of deleted backup items. Option D is wrong because instant restore snapshots set to 30 days control how long the VM snapshot is retained for faster restore operations, but they do not protect against accidental deletion of the backup item or extend the retention period for deleted data.

807
MCQeasy

Based on the exhibit, the administrator needs to deploy a VM quickly using a preapproved hardened operating system image. Which source should be used when creating the VM?

A.An approved custom image in an Azure Compute Gallery.
B.A temporary public IP address.
C.A network security group rule.
D.An Azure Monitor alert rule.
AnswerA

A custom image in an Azure Compute Gallery lets the team standardize VM deployments on a hardened, approved operating system image. It is the right source when the same validated image should be reused consistently for new VMs. This supports repeatability and compliance across deployments.

Why this answer

An approved custom image in an Azure Compute Gallery (formerly Shared Image Gallery) is the correct source because it allows the administrator to deploy a VM quickly using a preapproved, hardened operating system image. The Azure Compute Gallery provides versioning, replication, and regional distribution of custom images, ensuring that the hardened OS is readily available for rapid deployment across multiple regions. This aligns with the requirement for a preapproved image that meets security and compliance standards.

Exam trap

The trap here is that candidates may confuse a VM image source with networking or monitoring components, mistakenly thinking a public IP or NSG rule can serve as an image source, when in fact only a compute gallery or managed image provides the OS disk definition.

How to eliminate wrong answers

Option B is wrong because a temporary public IP address is a networking resource used for outbound/inbound connectivity, not a source for VM operating system images; it does not provide a hardened OS. Option C is wrong because a network security group rule defines inbound/outbound traffic filtering rules for subnets or NICs, not a VM image source. Option D is wrong because an Azure Monitor alert rule is a monitoring and notification configuration that triggers actions based on metrics or logs, not a source for VM operating system images.

808
MCQmedium

A modify policy that appends a CostCenter tag was assigned to a management group. The policy shows as assigned, but older virtual machines still lack the tag. What must the administrator do to update those existing resources?

A.Reassign the policy at a lower scope so it applies more quickly.
B.Create a remediation task for the policy assignment.
C.Change the policy effect from modify to audit.
D.Add a CanNotDelete lock to the virtual machines.
AnswerB

Policy assignment alone evaluates future requests, but existing resources often need remediation before the policy effect is applied to them. A remediation task triggers the policy logic against already deployed resources and applies the configured correction when the managed identity has enough permissions. That is how missing tags on older VMs are brought into compliance.

Why this answer

The 'modify' policy effect appends the CostCenter tag to new or updated resources automatically, but it does not retroactively apply to existing resources. To update older virtual machines that lack the tag, the administrator must create a remediation task for the policy assignment. This task uses Azure Policy's 'deployIfNotExists' or 'modify' effect to trigger a deployment that evaluates and corrects non-compliant existing resources.

Exam trap

The trap here is that candidates assume a 'modify' policy effect automatically applies to all existing resources, but in reality, it only applies to new or updated resources unless a remediation task is explicitly created.

How to eliminate wrong answers

Option A is wrong because reassigning the policy at a lower scope does not change the fact that the policy effect only applies to new or updated resources; it does not force retroactive evaluation or remediation. Option C is wrong because changing the effect from 'modify' to 'audit' would only report non-compliance without taking any corrective action, leaving the tags missing. Option D is wrong because adding a CanNotDelete lock prevents accidental deletion but does not add or modify tags on existing resources.

809
Multi-Selecteasy

You need to monitor CPU on a small set of VMs while keeping ingestion costs low. Which two actions are the best choices? Select two.

Select 2 answers
A.Use Azure Monitor platform metrics for CPU instead of collecting guest logs
B.Collect only the required diagnostic categories and performance counters
C.Collect all Windows event logs from every VM
D.Create a separate workspace for each VM
E.Enable verbose guest logging on every server
AnswersA, B

Platform metrics are built in and usually cheaper than sending extra guest log data.

Why this answer

Azure Monitor platform metrics for CPU are collected automatically from the Azure VM host at no additional cost, providing basic CPU utilization data without requiring the Log Analytics agent or incurring data ingestion charges. This approach keeps costs low because platform metrics are included in the Azure Monitor pricing, whereas guest-level metrics require log ingestion and storage fees. For a small set of VMs where only CPU monitoring is needed, platform metrics are sufficient and cost-effective.

Exam trap

The trap here is that candidates often assume guest-level logging is required for CPU monitoring, but Azure Monitor platform metrics already provide host-level CPU data at no extra cost, making options like verbose logging or full event collection unnecessary and costly.

810
MCQmedium

You need to ensure that all users in the HelpdeskAdmins group can reset passwords for cloud-only users in Microsoft Entra ID but cannot modify group memberships or delete users. Which role should you assign?

A.Global Administrator
B.User Administrator
C.Helpdesk Administrator
D.Security Administrator
AnswerC

Helpdesk Administrator is the least-privileged built-in role that supports password resets for appropriate users.

Why this answer

The Helpdesk Administrator role is specifically designed to allow password resets for non-administrator users (including cloud-only users) while explicitly preventing modifications to group memberships or deletion of users. This aligns perfectly with the requirement to restrict the HelpdeskAdmins group to only password reset capabilities.

Exam trap

The trap here is that candidates often confuse User Administrator with Helpdesk Administrator, assuming both can reset passwords, but User Administrator also grants broader user management capabilities like modifying group memberships and deleting users, which the question explicitly forbids.

How to eliminate wrong answers

Option A is wrong because Global Administrator has full access to all Microsoft Entra ID features, including the ability to modify group memberships and delete users, which exceeds the required permissions. Option B is wrong because User Administrator can reset passwords and also manage user accounts, including modifying group memberships and deleting users, which violates the restriction. Option D is wrong because Security Administrator focuses on security-related features like managing security policies and reviewing security reports, not on password resets for users.

811
MCQhard

A business stores audit logs in Azure Blob Storage. The account must remain available if an entire availability zone in the primary region fails, and analysts must still be able to read the data from the paired region if the primary region becomes unavailable. Which replication option should the administrator select?

A.Zone-redundant storage (ZRS)
B.Geo-redundant storage (GRS)
C.Read-access geo-zone-redundant storage (RA-GZRS)
D.Read-access geo-redundant storage (RA-GRS)
AnswerC

RA-GZRS is the only option here that combines zone redundancy in the primary region with geo-replication to a paired region and read access to the secondary copy. That satisfies both requirements: survive a single-zone outage and still allow analysts to read from the secondary region if the primary region is unavailable.

Why this answer

C is correct because Read-access geo-zone-redundant storage (RA-GZRS) combines zone-redundancy within the primary region (surviving an entire zone failure) with geo-replication to a paired region, and crucially provides read access to the secondary region data even if the primary region is unavailable. This meets both requirements: availability during a zone failure and readable data from the paired region during a primary region outage.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS or ZRS with GZRS, failing to recognize that the requirement for both zone-failure resilience within the primary region AND read-access from the paired region uniquely points to RA-GZRS, not RA-GRS or GRS alone.

How to eliminate wrong answers

Option A is wrong because Zone-redundant storage (ZRS) only protects against a single availability zone failure within the primary region; it does not replicate data to a paired region, so analysts cannot read data from a secondary region if the primary region becomes unavailable. Option B is wrong because Geo-redundant storage (GRS) replicates data to a paired region but does not provide zone-redundancy within the primary region, so an entire zone failure in the primary region could cause data unavailability until failover occurs. Option D is wrong because Read-access geo-redundant storage (RA-GRS) provides read access to the secondary region but does not include zone-redundancy within the primary region, meaning a single zone failure in the primary region could still disrupt data access locally.

812
Multi-Selecthard

An enterprise wants one governance package to be applied automatically to every production subscription that is added in the future. The package contains several policy definitions that should be managed together. Which two actions are required? Select two.

Select 2 answers
A.Create or use a production management group and assign the governance package at that scope.
B.Package the related policy definitions into a policy initiative before assigning them.
C.Assign each policy separately to every resource group so the settings are inherited upward.
D.Use tags on resources to make policy definitions automatically apply to new subscriptions.
E.Apply a resource lock to the management group so all child subscriptions inherit the policies.
AnswersA, B

Management groups are the correct hierarchy for automatic inheritance across multiple subscriptions. Assigning governance at the management-group scope ensures every child production subscription receives the baseline without separate manual work. This satisfies the requirement for future subscriptions as well as existing ones.

Why this answer

Option A is correct because assigning the governance package (policy initiative) at the management group scope ensures that all child subscriptions, including future ones, automatically inherit the policies. Management groups provide hierarchical governance, and any subscription added under that management group will inherit the assigned policies without manual intervention.

Exam trap

The trap here is that candidates confuse resource locks with policy assignments, thinking locks can enforce policy inheritance, when in fact locks only prevent deletion or modification and have no effect on policy application.

813
MCQmedium

A storage account is failing writes, and the team also wants to correlate those errors with subscription-level changes such as role assignments or deployments. What should the administrator configure?

A.Rotate the storage account keys and review access from the portal activity feed.
B.Create diagnostic settings on the storage account and the subscription that send logs to the same Log Analytics workspace.
C.Place the storage account behind an availability set so writes remain available during maintenance.
D.Enable a service endpoint from the application subnet and check whether the firewall blocks the writes.
AnswerB

Diagnostic settings are the correct mechanism for exporting both resource logs and subscription Activity log events to Log Analytics. Putting them in the same workspace lets the team correlate storage failures with changes such as deployments or role assignments in one KQL query.

Why this answer

Option B is correct because diagnostic settings on both the storage account and the subscription can stream platform logs (e.g., StorageWrite failures) and activity logs (e.g., role assignments, deployments) to the same Log Analytics workspace. This enables correlated queries across resource-level operational issues and subscription-level changes, allowing the administrator to identify if a recent role assignment or deployment caused the write failures.

Exam trap

The trap here is that candidates may think the Activity Log alone (Option A) is sufficient for correlation, but it lacks the resource-level diagnostic data needed to see the actual write failures, while diagnostic settings to a common Log Analytics workspace provide the necessary cross-layer query capability.

How to eliminate wrong answers

Option A is wrong because rotating storage account keys does not help correlate write failures with subscription-level changes; it only regenerates access keys, and the portal activity feed shows management-plane operations but not correlated analysis with storage diagnostics. Option C is wrong because an availability set is a virtual machine high-availability construct that does not apply to storage accounts; storage accounts are inherently redundant and not placed in availability sets. Option D is wrong because enabling a service endpoint and checking firewall rules addresses network access issues, not the correlation of write failures with subscription-level changes like role assignments or deployments.

814
Multi-Selecthard

A Windows VM must run a bootstrap script during provisioning to install a monitoring agent and write configuration files. The administrator does not want to log in interactively, and the script must be runnable again after the VM is rebuilt. Which two Azure compute components should be used? Select two.

Select 2 answers
A.Azure VM Agent
B.Custom Script Extension
C.Boot diagnostics
D.Availability zone
E.Ephemeral OS disk
AnswersA, B

This is the runtime required for Azure to deliver and manage VM extensions.

Why this answer

The Azure VM Agent (A) is required because it enables the VM to run extensions, including the Custom Script Extension. The Custom Script Extension (B) is the correct mechanism to execute the bootstrap script during provisioning without interactive login, and it can be reapplied to a rebuilt VM by redeploying the same ARM template or CLI command.

Exam trap

The trap here is that candidates confuse Boot diagnostics (which only shows logs) with a tool that can run scripts, or they mistakenly think Ephemeral OS disks or Availability zones are involved in script execution, when in fact only the VM Agent and Custom Script Extension provide the required automation.

815
MCQeasy

Before changing a production VM's data disk, you want a point-in-time copy that can be restored later without affecting the VM. What should you create?

A.Snapshot
B.Availability set
C.Azure Policy assignment
D.Virtual network peering
AnswerA

A snapshot creates a point-in-time copy of a managed disk and can be used to restore or create a new disk later.

Why this answer

A snapshot captures a point-in-time, read-only copy of a managed or unmanaged disk. It can be used to create a new disk or restore the original disk without affecting the running VM, making it the correct choice for a non-disruptive backup before a data disk change.

Exam trap

The trap here is that candidates may confuse a snapshot with a backup vault or recovery services vault, but the question specifically asks for a point-in-time copy that does not affect the running VM, and only a snapshot meets that requirement without requiring a backup policy or agent.

How to eliminate wrong answers

Option B is wrong because an availability set is a logical grouping of VMs to protect against rack-level failures and maintenance events; it does not provide any point-in-time copy or backup capability. Option C is wrong because an Azure Policy assignment enforces compliance rules (e.g., allowed VM sizes, tagging) across resources; it cannot create a disk copy or restore a disk. Option D is wrong because virtual network peering connects two Azure virtual networks for low-latency communication; it has no relation to disk backup or restoration.

816
MCQhard

A Windows VM in Azure has a public IP address, but administrators on the internet cannot connect by using Remote Desktop. You confirm that the VM is running and the guest firewall allows RDP. What is the most likely Azure-side cause?

A.The NSG does not allow inbound TCP 3389
B.The storage account uses LRS
C.Azure Advisor is not enabled
D.The VM is in an availability set
AnswerA

An NSG deny or missing allow rule on TCP 3389 will block RDP access.

Why this answer

The most likely Azure-side cause is that a Network Security Group (NSG) associated with the VM's subnet or network interface is blocking inbound traffic on TCP port 3389 (RDP). Even if the VM is running and the guest OS firewall allows RDP, an NSG rule must explicitly permit inbound TCP 3389 from the internet (or a specific source) for Remote Desktop connections to succeed. Without such a rule, the NSG silently drops the packets before they reach the VM.

Exam trap

The trap here is that candidates often assume the guest OS firewall is the only barrier for RDP, overlooking that Azure's NSG acts as a separate, mandatory network-level filter that must explicitly allow inbound TCP 3389 from the internet.

How to eliminate wrong answers

Option B is wrong because the storage account's replication type (LRS, GRS, etc.) affects data durability and availability, not network connectivity or RDP access. Option C is wrong because Azure Advisor provides recommendations for best practices (cost, security, reliability) but does not control network traffic or firewall rules; enabling it has no impact on RDP connectivity. Option D is wrong because an availability set is a logical grouping for high availability of VMs within a region; it does not impose any network restrictions or block inbound RDP traffic.

817
MCQ, medium

A lifecycle rule moved quarterly audit logs to the Archive tier. An auditor now needs one blob for an urgent investigation and wants it available for download as soon as the rehydration completes. What should the administrator do?

A. Copy the blob directly from Archive tier to the client's local disk.
B. Change the blob access tier to Hot and wait for rehydration to finish before downloading it.
C. Assign the blob a shorter retention policy so it becomes accessible automatically.
D. Move the blob to the Cool tier and attempt the download immediately.
Answer: B

Archive blobs are offline and must be rehydrated to an online tier before they can be read. Moving the blob to Hot is appropriate when rapid access is needed after rehydration completes. The administrator should expect a delay during rehydration, then the blob can be downloaded normally.

Why this answer

Option B is correct because changing the access tier of a blob from Archive to Hot initiates an asynchronous rehydration process that moves the blob data back to an online tier. Once rehydration completes, the blob becomes available for download. This is the standard method to make archived blobs accessible for immediate use.

Exam trap

The trap here is that candidates assume changing the tier to Cool allows immediate download, but they overlook that rehydration from Archive is always required and takes time, regardless of the target tier.

How to eliminate wrong answers

Option A is wrong because you cannot directly copy a blob from the Archive tier; the blob must first be rehydrated to an online tier (Hot or Cool) before any read or copy operation can succeed. Option C is wrong because retention policies (e.g., immutability or time-based retention) do not affect the accessibility of archived blobs; they only prevent deletion or modification, not rehydration. Option D is wrong because moving a blob to the Cool tier still requires rehydration from Archive, and attempting to download immediately will fail with a 409 error (BlobBeingRehydrated) until rehydration completes.

818
Multi-Select, easy

A company wants an Azure Storage account to be reachable privately from a virtual network. Which two statements about a private endpoint are correct? Select two.

A. The storage service gets a private IP address in the selected virtual network.
B. The virtual machine that reaches the service must have its own public IP address.
C. A private endpoint replaces the need for any DNS configuration.
D. A private DNS zone is commonly used so the service name resolves to the private IP.
E. A private endpoint and a service endpoint are the same feature.
Answers: A, D

Correct because a private endpoint creates a network interface in your virtual network and maps the Azure service to a private IP address there.

Why this answer

Option A is correct because a private endpoint assigns the Azure Storage service a private IP address from the subnet of the selected virtual network, effectively bringing the service into the virtual network's private address space. This ensures that traffic to the storage account stays within the Microsoft backbone network and never traverses the public internet, meeting private connectivity requirements.

Exam trap

The trap here is that candidates often confuse private endpoints with service endpoints, thinking both provide a private IP address, but only private endpoints assign a private IP from the VNet, while service endpoints rely on public IPs with network security group (NSG) restrictions.

819
MCQ, easy

Based on the exhibit, VM name resolution works for IP addresses but fails for internal hostnames. What should the administrator configure on the spoke VNet?

A. Keep Azure-provided DNS because the spoke can already reach the hub by IP.
B. Configure the spoke VNet to use 10.20.0.4 as a custom DNS server.
C. Create a private endpoint for app01.corp.local in the spoke VNet.
D. Enable a NAT gateway on the spoke subnet.
Answer: B

The exhibit shows the hub has a custom DNS server at 10.20.0.4, but the spoke is still using Azure-provided DNS. To resolve internal names such as app01.corp.local, the spoke VNet must point to the custom DNS server that knows that zone. After that change, VMs in the spoke can use the hub DNS service for name resolution.

Why this answer

The hub VNet uses a custom DNS server at 10.20.0.4 (likely a Windows Server with DNS role) that can resolve internal hostnames like app01.corp.local. The spoke VNet is currently using Azure-provided DNS, which cannot resolve custom private DNS zones. By configuring the spoke VNet to use 10.20.0.4 as a custom DNS server, the spoke VMs will forward DNS queries to the hub DNS server, enabling hostname resolution for internal resources.

Exam trap

The trap here is that candidates assume Azure-provided DNS can resolve custom hostnames across peered VNets, but it only resolves names within the same VNet unless a custom DNS server or Azure Private DNS Zone is configured.

How to eliminate wrong answers

Option A is wrong because Azure-provided DNS cannot resolve custom private DNS names like app01.corp.local; it only provides automatic hostname resolution for VMs within the same VNet. Option C is wrong because a private endpoint is used to securely access Azure PaaS services over a private IP, not to resolve internal hostnames across VNets. Option D is wrong because a NAT gateway provides outbound internet connectivity with source network address translation, not DNS resolution services.

820
MCQ, medium

A company has a hub virtual network with a DNS server VM at 10.50.0.4 that hosts internal names such as app01.corp.local. A spoke virtual network is already peered to the hub. VMs in the spoke can reach resources in the hub by IP address, but they cannot resolve the internal host names. The company wants to keep DNS centralized and avoid deploying another DNS server in the spoke. What should the administrator configure?

A. Create a private DNS zone for corp.local and link it only to the spoke subnet.
B. Set the spoke virtual network to use 10.50.0.4 as a custom DNS server.
C. Add a user-defined route in the spoke to send DNS traffic to the hub VNet.
D. Enable gateway transit on the peering and set use remote gateways on the spoke.
Answer: B

Configuring the spoke VNet with the hub DNS server IP sends name-resolution requests to the centralized server. Because VNet peering already provides network connectivity, the spoke can query 10.50.0.4 directly for internal names without deploying a second DNS server.

Why this answer

Option B is correct because the spoke virtual network must be configured to use the hub DNS server (10.50.0.4) as a custom DNS server. This ensures that all VMs in the spoke send DNS queries to the hub server, which hosts the internal zone for corp.local. Since the hub and spoke are already peered, DNS traffic can flow over the peering connection without additional routing, keeping DNS centralized.

Exam trap

The trap here is that candidates often confuse DNS resolution with routing or gateway transit, thinking they need to add a UDR or enable gateway features to forward DNS queries, when the real fix is simply changing the DNS server setting on the spoke VNet to point to the hub's DNS server IP.

How to eliminate wrong answers

Option A is wrong because a private DNS zone for corp.local linked only to the spoke subnet would require deploying a separate DNS infrastructure in the spoke, contradicting the requirement to keep DNS centralized and avoid another DNS server. Option C is wrong because a user-defined route (UDR) to send DNS traffic to the hub VNet is unnecessary; DNS traffic already traverses the VNet peering by default, and the issue is the DNS server address configuration, not routing. Option D is wrong because enabling gateway transit and use remote gateways is for allowing the spoke to use the hub's VPN/ExpressRoute gateway for outbound connectivity, not for DNS resolution; it does not change the DNS server setting on the spoke VNet.

821
Matching, easy

Match each Azure VM deployment concept to the description that best fits it.

Concepts
Matches

Spreads VMs across fault and update domains within one datacenter.

Places VMs in separate datacenters within the same Azure region.

Reusable source for creating the same VM build again.

Defines CPU, memory, and temporary storage resources.

Why these pairings

VMSS provides auto-scaling identical VMs; Availability Set groups VMs for redundancy; Availability Zone offers physical separation; Managed Disk is persistent block storage; Azure Bastion provides secure remote access; Dedicated Host gives single-tenant physical servers.

822
MCQ, hard

You need to keep Azure activity log data for longer than the default retention period and make it available for analysis. What should you configure?

A. Diagnostic settings for the activity log
B. A resource lock on the subscription
C. An availability zone
D. A scale set autoscale policy
Answer: A

Diagnostic settings let you send activity log data to supported destinations for retention and analysis.

Why this answer

The default retention period for Azure activity logs is 90 days. To retain activity log data beyond this period and make it available for analysis (e.g., in a Log Analytics workspace, storage account, or Event Hubs), you must configure diagnostic settings for the activity log. This allows you to stream the log data to a destination of your choice, where you can set custom retention policies.

Exam trap

The trap here is that candidates often confuse the default retention period (90 days) with the ability to extend it via simple settings, not realizing that diagnostic settings are required to route the data to a persistent destination for longer retention and analysis.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of resources but does not affect log retention or data availability. Option C is wrong because an availability zone is a physically separate datacenter within an Azure region used for high availability and disaster recovery, not for log retention or analysis. Option D is wrong because a scale set autoscale policy automatically adjusts the number of VM instances based on demand, which has no relation to activity log data retention or analysis.

823
MCQ, easy

Based on the exhibit, which Azure feature should the administrator use to track this kind of platform-wide service issue?

A. Service Health, because it reports Azure platform incidents that affect customers in a region.
B. Resource Health, because it shows whether a specific virtual machine is healthy or unavailable.
C. Activity Log, because it lists every administrative action taken in the subscription.
D. Azure Advisor, because it gives recommendations to improve the virtual machine configuration.
Answer: A

Service Health is the right source for official Azure platform incidents and advisories. It tells administrators when a Microsoft-managed service is having a regional or global issue that may affect their resources.

Why this answer

Service Health is the correct feature because it provides a personalized dashboard of all Azure service incidents, planned maintenance, and health advisories that impact the customer's subscriptions and regions. It aggregates platform-wide issues (e.g., regional outages or degradation) that Azure engineering has confirmed, making it the appropriate tool for tracking a platform-wide service issue affecting multiple resources in a region.

Exam trap

The trap here is that candidates confuse Resource Health (which shows the health of a single resource) with Service Health (which shows platform-wide incidents), leading them to select Resource Health when the question explicitly asks about a 'platform-wide service issue' affecting multiple resources in a region.

How to eliminate wrong answers

Option B is wrong because Resource Health focuses on the health of individual Azure resources (e.g., a specific virtual machine) and reports whether that resource is available or degraded due to platform or customer actions, not platform-wide service incidents. Option C is wrong because the Activity Log records all control-plane operations (e.g., create, delete, update) performed on resources in a subscription, but it does not capture underlying platform health events or service outages. Option D is wrong because Azure Advisor provides proactive recommendations for cost, security, reliability, and performance optimization based on resource configurations, but it does not report on current or past platform-wide service issues.

824
MCQ, hard

Your organization assigns an Azure Policy at the Corp-MG management group to require the tag Environment on all newly created resources. A deployment to RG-App in the Prod-Sub subscription fails because the tag is missing. You need to allow this single deployment to proceed without weakening enforcement for the rest of the organization. What should you do?

A. Remove the policy assignment from Corp-MG.
B. Create a policy exemption at the Prod-Sub or RG-App scope.
C. Change the policy effect from Deny to Audit for all assignments.
D. Move Prod-Sub out of Corp-MG.
Answer: B

A scoped exemption allows the deployment while preserving the broader governance model.

Why this answer

A policy exemption allows you to exclude a specific scope (like Prod-Sub or RG-App) from the enforcement of a policy assignment without modifying or removing the policy itself. This lets the single deployment proceed while maintaining the Deny effect for all other resources under Corp-MG. Exemptions can be created with an expiration date to ensure temporary relief does not become permanent.

Exam trap

The trap here is that candidates often think they must remove or change the policy assignment itself, but Azure provides the policy exemption feature specifically to handle temporary exceptions without weakening overall enforcement.

How to eliminate wrong answers

Option A is wrong because removing the policy assignment from Corp-MG would disable enforcement for the entire organization, not just the single deployment. Option C is wrong because changing the effect from Deny to Audit for all assignments would weaken enforcement globally, allowing all future violations to be logged but not blocked. Option D is wrong because moving Prod-Sub out of Corp-MG would remove the subscription from the management group hierarchy, breaking inheritance for all policies assigned at Corp-MG and affecting other governance controls.

825
Multi-Select, easy

A VM-hosted app must read blobs from Azure Storage without storing a shared key, SAS token, or password. Which two configuration steps should the administrator take? Select two.

A. Enable a system-assigned managed identity on the VM.
B. Assign the Storage Blob Data Reader role to that identity on the storage account.
C. Store the storage account access key in the app configuration.
D. Generate a SAS token and embed it in the application code.
E. Move the VM into a different subnet.
Answers: A, B

A system-assigned managed identity gives the VM an Azure identity without storing any secrets in the application.

Why this answer

A system-assigned managed identity on the VM allows Azure to automatically manage a service principal for the VM, eliminating the need for any stored credentials. By assigning the Storage Blob Data Reader role to that identity on the storage account, the VM can authenticate to Azure Storage using Azure AD tokens obtained via the Azure Instance Metadata Service (IMDS) endpoint, without ever storing a shared key, SAS token, or password.

Exam trap

The trap here is that candidates may think moving the VM to a different subnet (Option E) solves the authentication problem, but subnet changes only affect network access control, not credentialless authentication; the correct approach relies on Azure AD and RBAC via managed identities.
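The two configuration steps, followed by the token flow the explanation describes, as an added Az PowerShell example that is not part of the question bank. The resource group, VM, storage account, container and blob names are assumed placeholders.

```powershell
# Added example (not from the question bank). Assumed names: rg-app, vm-app01,
# stappdata, container "logs", blob "audit.json". Part 1 runs from an admin
# workstation with the Az module; Part 2 runs inside the VM itself.

# --- Part 1: enable the system-assigned identity and grant read-only data access ---
$rg = 'rg-app'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-app01'
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null

# The service principal Azure created for the VM; no secret is ever handed to the app.
$principalId = (Get-AzVM -ResourceGroupName $rg -Name 'vm-app01').Identity.PrincipalId

# Least privilege: a data-plane reader role scoped to this storage account only
# (scope could be narrowed further to a single container).
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stappdata'
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $sa.Id

# --- Part 2 (inside the VM): obtain a token from IMDS and read the blob ---
# IMDS is link-local and only answers requests carrying the Metadata header,
# which keeps forwarding proxies from relaying token requests on the app's behalf.
$imds = 'http://169.254.169.254/metadata/identity/oauth2/token' +
        '?api-version=2018-02-01&resource=https://storage.azure.com/'
$token = (Invoke-RestMethod -Uri $imds -Headers @{ Metadata = 'true' }).access_token

# Bearer auth against Blob storage requires an explicit service version header.
$blobUrl = 'https://stappdata.blob.core.windows.net/logs/audit.json'
Invoke-RestMethod -Uri $blobUrl -Headers @{
    Authorization  = "Bearer $token"
    'x-ms-version' = '2021-08-06'
}
```

Role assignments can take a few minutes to propagate, so a 403 immediately after Part 1 is expected rather than a sign the identity is misconfigured.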
