AZ-104 (AZ-104) — Questions 826-900

1170 questions total · 16 pages · All types, answers revealed

Page 12 of 16
Question 826 (MCQ, medium)

An App Service application needs to read secrets from Azure Key Vault. The security team does not want any password, certificate, or client secret stored in application settings, and they want the identity removed automatically if the app is deleted. What should the administrator enable?

A. A service principal with a client secret stored in App Service configuration.
B. A system-assigned managed identity on the App Service.
C. A user-assigned managed identity shared by all applications.
D. A shared access signature stored in Key Vault.

Answer: B

A system-assigned managed identity avoids stored credentials and is tied to the app lifecycle.

Why this answer

A system-assigned managed identity (Option B) is the correct choice because it provides an identity for the App Service that is automatically managed by Azure, tied to the lifecycle of the resource (deleted when the app is deleted), and requires no credentials to be stored in application settings. This allows the app to authenticate to Key Vault using Azure AD tokens without any secrets, satisfying the security team's requirements.

Exam trap

The trap here is that candidates may confuse user-assigned managed identities (which are independent resources with separate lifecycles) with system-assigned managed identities (which are tied to the resource's lifecycle), leading them to choose Option C despite the automatic removal requirement.

How to eliminate wrong answers

Option A is wrong because storing a client secret in App Service configuration violates the security team's requirement of no passwords, certificates, or client secrets in application settings, and the secret would not be automatically removed if the app is deleted. Option C is wrong because a user-assigned managed identity is not automatically deleted when the app is deleted; it has its own lifecycle and must be manually removed, failing the 'identity removed automatically' requirement. Option D is wrong because a shared access signature (SAS) is used for granting access to Azure Storage resources, not for authenticating to Key Vault, and it would need to be stored as a secret, which is prohibited.

Question 827 (MCQ, medium)

A production resource group contains VMs, public IP addresses, and a storage account. During a migration window, administrators must still be able to change settings and resize VMs, but nobody should accidentally delete any resource. Which lock should you apply to the resource group?

A. ReadOnly
B. CanNotDelete
C. Contributor
D. Azure Policy

Answer: B

CanNotDelete prevents accidental deletion while still allowing normal management changes such as updates and resizing.

Why this answer

The CanNotDelete lock prevents any user or process from deleting the resource group or its resources, while still allowing all other operations including read, write, and configuration changes such as resizing VMs. This matches the requirement that administrators must be able to change settings and resize VMs but must not accidentally delete any resource.

Exam trap

The trap here is that candidates often confuse Azure Policy with resource locks, thinking Policy can prevent deletion, when in fact only a CanNotDelete lock (or a custom policy with a deny effect on delete) blocks delete operations, and Policy alone does not provide that protection.

How to eliminate wrong answers

Option A is wrong because ReadOnly lock prevents all write operations, including resizing VMs and changing settings, which directly contradicts the requirement that administrators must still be able to perform these actions. Option C is wrong because Contributor is an Azure RBAC role, not a resource lock; it grants permissions to manage resources but does not prevent deletion, so it does not satisfy the 'nobody should accidentally delete any resource' requirement. Option D is wrong because Azure Policy is a governance tool for enforcing compliance rules (e.g., allowed VM sizes or tagging), not a lock that prevents deletion of resources; it does not block delete operations by default.

Question 828 (MCQ, medium)

A security team needs platform logs and metrics from an Azure Key Vault to be searchable later in a Log Analytics workspace so they can investigate administrative changes and access trends. What should you configure on the Key Vault?

A. Azure Monitor private link scope
B. A diagnostic setting that sends logs and metrics to the workspace
C. An activity log alert on the subscription only
D. A resource lock on the Key Vault

Answer: B

Diagnostic settings are the Azure feature that forwards resource logs and metrics from a service like Key Vault to a Log Analytics workspace. That makes the data searchable with KQL for investigations, reporting, and trend analysis. It is the correct configuration when the goal is to centralize operational telemetry from a specific Azure resource.

Why this answer

A diagnostic setting on Azure Key Vault allows you to stream platform logs (e.g., AuditEvent) and metrics (e.g., ServiceApiHit) to a Log Analytics workspace. This makes the data searchable via KQL queries for investigating administrative changes and access trends, fulfilling the security team's requirement.

Exam trap

The trap here is that candidates may confuse diagnostic settings with activity logs or alerts, thinking that activity log alerts or resource locks provide log searchability, when only a diagnostic setting can route platform logs and metrics to a Log Analytics workspace for querying.

How to eliminate wrong answers

Option A is wrong because an Azure Monitor private link scope is used to privately connect a Log Analytics workspace to a virtual network, not to send logs from a Key Vault. Option C is wrong because an activity log alert on the subscription only triggers notifications based on subscription-level events; it does not collect or store Key Vault platform logs and metrics for later search. Option D is wrong because a resource lock prevents accidental deletion or modification of the Key Vault, but it does not enable log collection or searchability.

Question 829 (MCQ, easy)

During a change freeze, administrators must prevent deletion of a production resource group and all resources inside it, but they still need to update VM sizes and tags. Which lock should be applied?

A. ReadOnly on the resource group
B. CanNotDelete on the resource group
C. CanNotDelete on the management group
D. An Azure Policy deny assignment

Answer: B

CanNotDelete is the correct lock when you want to stop accidental deletion but still allow configuration changes. Applied at the resource group scope, it protects the group and the resources inside it from being deleted while still permitting updates such as resizing a VM or changing tags. That makes it ideal for a maintenance freeze.

Why this answer

The CanNotDelete lock on the resource group prevents deletion of the resource group and all resources within it, while still allowing read and update operations such as modifying VM sizes and tags. This meets the requirement of blocking deletions during the change freeze without restricting updates. ReadOnly locks would block all write operations, including the needed updates.

Exam trap

The trap here is that candidates often confuse CanNotDelete with ReadOnly, assuming that any lock will block updates, but CanNotDelete specifically allows modifications while only preventing deletion.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock on the resource group would block all write operations, including updating VM sizes and tags, which violates the requirement to allow those updates. Option C is wrong because a CanNotDelete lock on the management group would apply to all subscriptions and resource groups under that management group, which is overly broad and not scoped to the specific production resource group; it also does not prevent deletion of the resource group itself if the lock is not inherited correctly. Option D is wrong because an Azure Policy deny assignment can be used to prevent specific actions, but it requires custom policy definitions and assignment, which is more complex and not the simplest or most direct solution; the question specifically asks for a lock, not a policy.

Question 830 (MCQ, easy)

A company wants an alert to be sent by email and SMS whenever a production virtual machine's CPU percentage goes above 80 percent. The administrator also wants the notification targets to be reusable by other alerts later. What should the administrator configure first?

A. A metric alert rule only
B. An action group
C. A service health alert
D. A diagnostic setting

Answer: B

An action group stores the notification targets, such as email and SMS recipients, so multiple alerts can reuse the same response action.

Why this answer

An action group (B) is the correct first configuration because it defines the notification targets (email, SMS) that can be reused across multiple alert rules. In Azure Monitor, alert rules are decoupled from notification actions; you create an action group once and then reference it in any metric alert rule, including the CPU percentage threshold rule needed here. This ensures the administrator can meet the requirement for reusable notification targets.

Exam trap

The trap here is that candidates often think a metric alert rule inherently includes notification settings, but Azure separates the condition (alert rule) from the notification method (action group) to enforce reusability and centralized management.

How to eliminate wrong answers

Option A is wrong because a metric alert rule alone only defines the condition (CPU > 80%) and the action to take, but it does not include the notification targets (email, SMS) — those must be defined separately in an action group. Option C is wrong because a service health alert monitors Azure service issues (e.g., outages, planned maintenance), not the performance metrics of a specific virtual machine like CPU percentage. Option D is wrong because a diagnostic setting controls the collection and routing of platform logs and metrics to destinations like Log Analytics or Storage, but it does not trigger alerts or send notifications via email/SMS.

Question 831 (MCQ, easy)

A user is assigned the Reader role on a resource group named RG1. Later, a new storage account is created in RG1. What access will the user have to that storage account without any new role assignment?

A. No access, because RBAC assignments do not apply to resources created later.
B. Reader access, because the resource group assignment is inherited by the storage account.
C. Contributor access, because storage accounts inherit the highest available permissions.
D. Owner access, because resource group permissions always become full control on child resources.

Answer: B

This is correct because Azure RBAC permissions flow downward from the assigned scope. A role assigned at the resource group level applies to all current and future resources in that group unless a more restrictive condition or deny assignment applies. The new storage account automatically inherits the Reader permissions from RG1, so the user can view it without another assignment.

Why this answer

Option B is correct because Azure RBAC permissions assigned at a resource group scope are inherited by all resources within that resource group, including resources created after the assignment. Since the user has the Reader role on RG1, that role is inherited by the new storage account, granting read-only access to it without any additional role assignment.

Exam trap

The trap here is that candidates mistakenly believe RBAC assignments do not apply to resources created after the assignment, confusing Azure RBAC with classic deployment model permissions or assuming inheritance is only for existing resources.

How to eliminate wrong answers

Option A is wrong because RBAC assignments at a parent scope (resource group) are inherited by child resources, even those created after the assignment, due to Azure's hierarchical inheritance model. Option C is wrong because inheritance does not escalate permissions; the user retains only the Reader role, not Contributor, and Azure does not automatically assign the highest available permissions. Option D is wrong because resource group permissions do not become full control on child resources; inheritance strictly follows the assigned role (Reader) and does not grant Owner or any elevated access.

Question 832 (MCQ, medium)

A storage account must be reachable only from resources in a single VNet. The team wants the storage service to use a private IP address inside that VNet and wants to disable public network access. Which feature should be configured?

A. A service endpoint
B. A private endpoint
C. A network security group rule on the subnet
D. A storage account firewall IP allow rule

Answer: B

A private endpoint gives the storage service a private IP address in the selected VNet.

Why this answer

A private endpoint assigns the storage account a private IP address from the VNet's address space, effectively bringing the service into the VNet. When the storage account's public network access is then set to disabled, the account is reachable only through that private endpoint, so only resources inside that VNet can reach it.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both provide private IP addresses, but service endpoints only provide a direct route over the Microsoft backbone while still using the public endpoint.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP address to the storage account; it only extends the VNet's identity to the service over the public endpoint, and public network access remains enabled unless explicitly blocked by a firewall rule. Option C is wrong because an NSG rule on the subnet controls traffic to and from resources in that subnet but does not affect the storage account's public endpoint or assign it a private IP address. Option D is wrong because a storage account firewall IP allow rule only restricts access based on source IP addresses, still using the public endpoint and not providing a private IP address within the VNet.

Question 833 (MCQ, easy)

A partner company needs a developer to access resources in your tenant by using the developer's existing work account. You do not want to create a new separate username and password for that person. What should you create in Microsoft Entra ID?

A. A local user account in each resource group
B. A guest user account
C. A managed identity
D. A new service principal

Answer: B

A guest user lets the person sign in with their own organization account while being invited into your tenant.

Why this answer

B is correct because Microsoft Entra ID B2B collaboration allows you to invite an external user's existing work account as a guest user. This grants access to resources without creating a new username and password, as the developer authenticates using their home tenant credentials. Guest users are managed in Entra ID and can be assigned permissions via Azure RBAC or group membership.

Exam trap

The trap here is that candidates confuse a guest user (B2B collaboration) with a service principal or managed identity, thinking any external access requires a non-user identity, but the question explicitly asks for a user account using an existing work account.

How to eliminate wrong answers

Option A is wrong because local user accounts in resource groups do not exist in Azure; Azure RBAC uses Entra ID identities, not resource-group-level local accounts. Option C is wrong because a managed identity is an Azure resource identity used by Azure services to authenticate to other services, not a user account for external developers. Option D is wrong because a service principal is an application identity used for automated authentication (e.g., scripts or apps), not for a human user's interactive access with their existing work account.

Question 834 (MCQ, medium)

A VM-hosted automation tool must call Azure Resource Manager APIs, but the team will not store a password, certificate, or client secret on the VM. The identity should also disappear automatically when the VM is deleted. Which identity should be assigned?

A. System-assigned managed identity
B. User-assigned managed identity
C. Service principal with a client secret
D. Shared access signature

Answer: A

A system-assigned managed identity is tied to one VM and is removed automatically when the VM is deleted.

Why this answer

A system-assigned managed identity is the correct choice because it is tied directly to the lifecycle of the Azure VM—when the VM is deleted, the identity is automatically removed. It allows the automation tool to authenticate to Azure Resource Manager APIs without storing any credentials (password, certificate, or client secret) on the VM, using Azure AD tokens obtained via the Azure Instance Metadata Service (IMDS) endpoint.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, failing to recognize that user-assigned identities are independent resources that do not automatically disappear when the VM is deleted.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity is a standalone resource that persists independently of the VM; it does not automatically disappear when the VM is deleted, and it must be explicitly removed. Option C is wrong because a service principal with a client secret requires storing the secret on the VM, which violates the requirement to not store a password, certificate, or client secret. Option D is wrong because a shared access signature (SAS) is a token used for delegating access to Azure Storage resources, not for authenticating to Azure Resource Manager APIs, and it also requires storing a token on the VM.

Question 835 (MCQ, medium)

A subnet has an NSG with these inbound rules: priority 100 denies TCP 443 from Any, and priority 200 allows TCP 443 from an Application Security Group named WebFrontEnd. A backend VM in the subnet still does not accept traffic from the frontend tier. What should the administrator change?

A. Change the allow rule source from an Application Security Group to VirtualNetwork.
B. Move the allow rule to a lower priority number than the deny rule.
C. Attach a user-defined route to the subnet so traffic bypasses the NSG.
D. Place the backend VM in a different availability set so the rule is evaluated differently.

Answer: B

NSG rules are processed in priority order, and the lowest number wins. Because the deny rule at priority 100 is evaluated before the allow rule at 200, the traffic is blocked. The administrator should give the allow rule a smaller priority number than the deny rule, or remove the conflicting deny rule.

Why this answer

Network Security Group (NSG) rules are evaluated in priority order, with lower numbers evaluated first. Since the deny rule has priority 100 and the allow rule has priority 200, the deny rule is evaluated first and blocks TCP 443 traffic from any source, including the WebFrontEnd Application Security Group. To allow the frontend traffic, the allow rule must be moved to a lower priority number (e.g., 90) so it is evaluated before the deny rule.

Exam trap

The trap here is that candidates often assume allow rules override deny rules or that more specific rules (like those using Application Security Groups) take precedence regardless of priority, but in Azure NSGs, priority order strictly determines which rule is applied first.

How to eliminate wrong answers

Option A is wrong because changing the source from an Application Security Group to VirtualNetwork would allow traffic from any VM in the virtual network, not just the frontend tier, and would not resolve the priority conflict; the deny rule would still block the traffic. Option C is wrong because user-defined routes (UDRs) control traffic routing, not NSG rule evaluation; they cannot bypass NSG rules, as NSGs are always evaluated on traffic entering or leaving a subnet. Option D is wrong because availability sets are used for high availability of VMs and have no impact on NSG rule evaluation; NSG rules are evaluated per subnet or NIC, not per availability set.

Question 836 (Matching, easy)

Match each blob access method or setting to its best use case.



Descriptions to match:

- Provides full access to the storage account and should be protected carefully.
- Grants time-limited access to specific resources and permissions.
- Authorizes users or applications through Microsoft Entra ID at a chosen scope.
- Allows anonymous read access when enabled for the container.
- Lets an Azure-hosted app authenticate without storing credentials or secrets.

Why these pairings

Public endpoint with anonymous access is for public content. Private endpoint with managed identity provides secure VM access. SAS tokens grant time-limited restricted access.

Azure AD with RBAC centralizes identity management. Storage account key gives full admin control. Immutable storage with legal hold ensures data cannot be altered or deleted.

Question 837 (MCQ, easy)

An administrator is deploying a site-to-site VPN gateway in Azure. Which resource must be attached to the gateway so it can receive encrypted connections from the on-premises VPN device?

A. A public IP address resource.
B. A private endpoint.
C. A service endpoint.
D. A network security group.

Answer: A

The VPN gateway needs a public-facing IP address so the on-premises VPN device can establish the encrypted tunnel.

Why this answer

A site-to-site VPN gateway in Azure requires a public IP address resource to be attached so that the on-premises VPN device can establish an encrypted IPsec/IKE tunnel to it. The public IP address provides the routable endpoint on the internet that the on-premises device connects to, and it is assigned to the gateway's front-end configuration. Without this public IP, the gateway cannot receive inbound encrypted traffic from the external network.

Exam trap

The trap here is that candidates confuse a VPN gateway's public IP requirement with private connectivity options like private endpoints or service endpoints, mistakenly thinking the gateway can operate within the virtual network's private IP space alone.

How to eliminate wrong answers

Option B is wrong because a private endpoint is used to securely connect to Azure PaaS services over a private IP address within a virtual network, not to receive encrypted connections from an on-premises VPN device. Option C is wrong because a service endpoint extends a virtual network's private address space to Azure PaaS services, but it does not provide a public-facing endpoint for VPN traffic. Option D is wrong because a network security group (NSG) filters traffic at the subnet or NIC level but does not provide the public IP address or routing capability required for a VPN gateway to accept site-to-site connections.

Question 838 (Multi-Select, easy)

A user deleted several files from an Azure VM, and the administrator wants to use Azure Backup file recovery. Which two items are needed to start the recovery process? Select two.

Select 2 answers

A. A recovery point
B. An application security group
C. The file recovery script downloaded from the vault
D. A metric alert rule
E. A user-assigned managed identity

Answers: A, C

A recovery point contains the backed-up data from which files can be recovered.

Why this answer

Azure Backup file recovery requires a recovery point (A) because it represents the snapshot of the VM's data at a specific time from which files can be restored. The file recovery script (C) is downloaded from the Recovery Services vault and mounts the recovery point as a drive on the VM, enabling file-level access. Without both, the recovery process cannot proceed.

Exam trap

The trap here is that candidates may think a user-assigned managed identity (E) is needed for authentication to access the vault, but the file recovery script handles authentication via a temporary SAS token embedded in the script, not via managed identities.

Question 839 (MCQ, medium)

A managed data disk on a VM was deleted by mistake. You have a snapshot from before the deletion and want to restore the data with minimal impact to the VM's operating system disk. What should you do?

A. Create a new managed disk from the snapshot and attach it to the VM
B. Redeploy the VM from the marketplace image
C. Convert the snapshot directly into an OS disk and boot from it
D. Resize the VM to a larger size and the deleted disk will reappear

Answer: A

This restores the disk contents without rebuilding the VM or changing the OS disk.

Why this answer

Option A is correct because you can create a new managed disk from the snapshot and attach it as a data disk to the existing VM. This restores the data without affecting the OS disk or requiring a VM redeployment, minimizing downtime and impact.

Exam trap

The trap here is that candidates may confuse snapshots with OS disk recovery options, incorrectly assuming a data disk snapshot can be used to boot the VM, or that resizing or redeploying the VM will restore deleted disks.

How to eliminate wrong answers

Option B is wrong because redeploying the VM from a marketplace image would replace the entire VM, including the OS disk, and does not restore the deleted data disk from a snapshot. Option C is wrong because a snapshot of a data disk cannot be converted into an OS disk; snapshots are disk-type specific, and booting from a data disk snapshot would fail. Option D is wrong because resizing a VM does not recover deleted disks; disk deletion is permanent and not reversed by VM size changes.

Question 840 (MCQ, medium)

Your company has separate subscriptions for development, test, and production. Security wants one baseline policy and one RBAC assignment to apply automatically to every production subscription now and in the future. What should you use?

A. A resource group that contains all production resources.
B. A management group above the production subscriptions.
C. A tag applied to each production resource.
D. A single production subscription with multiple resource groups.

Answer: B

This is the correct parent scope for inheritance across multiple subscriptions.

Why this answer

B is correct because management groups allow you to apply Azure Policy and RBAC assignments hierarchically. By placing all production subscriptions under a single management group, any policy or role assignment at that level will be inherited by every current and future production subscription, meeting the requirement for automatic application without manual intervention.

Exam trap

The trap here is that candidates often confuse tags with policy enforcement, thinking tags can automatically apply governance, when in fact tags are only metadata and require Azure Policy to enforce tag inheritance or compliance.

How to eliminate wrong answers

Option A is wrong because a resource group is a container for resources within a single subscription; it cannot span multiple subscriptions, so it cannot apply policies or RBAC to all production subscriptions. Option C is wrong because tags are metadata labels, not a mechanism for enforcing policies or RBAC assignments; they can be used for filtering or cost tracking but do not automatically apply governance. Option D is wrong because using a single production subscription with multiple resource groups would not cover future subscriptions; the requirement is to apply policies across multiple subscriptions now and in the future, which a single subscription cannot achieve.

Question 841 (Multi-Select, medium)

Which three of the following statements about Azure App Service plans are correct? (Choose three.)

Select 3 answers

- Apps in the same App Service plan share the same compute resources, even if they are in different resource groups.
- You can scale out an App Service plan independently of the apps running within it.
- The Isolated tier provides network isolation and is designed for apps that require high security and scaling.
- Changing the pricing tier of an App Service plan always causes downtime for all apps in the plan.
- An App Service plan can only contain apps from the same region and the same resource group.
- The Free and Shared tiers support custom domain names and SSL binding without additional cost.

Why this answer

Apps in the same App Service plan share the same compute resources (VMs, memory, CPU) because the plan defines the underlying infrastructure. This is true even if the apps are in different resource groups, as the plan is the boundary for resource allocation, not the resource group.

Exam trap

The trap here is that candidates often assume apps must be in the same resource group to share resources, but Azure App Service plans are resource-group-agnostic for compute sharing, and they also mistakenly think Free/Shared tiers include custom domains and SSL, which they do not.

Question 842 (MCQ, medium)

A VM in a subnet cannot connect to another VM on TCP 1433. The administrator wants to confirm whether an NSG rule is blocking the flow and which rule is responsible. Which Network Watcher feature should be used?

A. Connection troubleshoot
B. IP flow verify
C. Packet capture
D. Effective routes

Answer: B

IP flow verify is designed to test whether a specific packet would be allowed or denied by the effective NSG rules on a VM NIC. It helps the administrator identify the rule name and direction that controls the flow. That makes it the best choice when the question is specifically about an NSG decision on a given source, destination, protocol, and port.

Why this answer

B is correct because IP flow verify is the Network Watcher feature specifically designed to test whether traffic is allowed or denied to or from a virtual machine. It checks the security rules (NSG and ASG) and returns which rule is blocking the flow, including the direction and priority. For a TCP 1433 connection failure, this tool directly identifies the blocking NSG rule.

Exam trap

The trap here is that candidates often confuse Connection troubleshoot (which tests end-to-end connectivity but does not identify the blocking rule) with IP flow verify, which is the precise tool for rule-level diagnosis.

How to eliminate wrong answers

Option A is wrong because Connection troubleshoot checks the end-to-end connectivity path and latency, but it does not pinpoint which specific NSG rule is blocking the traffic; it only reports that connectivity fails. Option C is wrong because Packet capture captures raw network packets for deep inspection, but it does not analyze NSG rules or identify which rule is blocking the flow; it requires manual analysis of captured data. Option D is wrong because Effective routes shows the effective routing table for a NIC, which affects path selection, not security rule evaluation; it cannot determine if an NSG rule is blocking TCP 1433.

Question 843 (MCQ, hard)

A platform team must enforce two governance rules across every current and future subscription under a management group: resources must include an Environment tag, and only East US or West US may be used for deployment. They want one compliance view for both rules and a way to correct missing tags on existing resources where supported. What should they assign?

A. Assign two separate policies manually to each subscription and skip remediation.
B. Assign an initiative at the management group scope that contains the tag and allowed-location policies, then remediate the tag policy.
C. Assign Contributor to the management group so administrators can fix any noncompliant resource manually.
D. Apply a CanNotDelete lock at the management group scope to prevent drift.

Answer: B

An initiative groups multiple policies into one assignment, which gives the team a single compliance view and consistent enforcement across all current and future subscriptions under the management group. The tag policy can then be remediated for existing resources where the effect supports it, while the location rule blocks future noncompliant deployments.

Why this answer

Option B is correct because an initiative (policy set) at the management group scope enforces both the required tag and allowed-location rules across all current and future subscriptions in a single compliance view. The tag policy can be remediated using a remediation task with a managed identity to automatically add missing tags on existing resources where supported (e.g., via modify effect). This approach centralizes governance without manual per-subscription assignment.

Exam trap

The trap here is that candidates often confuse assigning individual policies per subscription (Option A) with using an initiative at the management group scope, missing the requirement for a single compliance view and automatic future subscription coverage.

How to eliminate wrong answers

Option A is wrong because assigning two separate policies manually to each subscription violates the requirement for a single compliance view and does not cover future subscriptions automatically; skipping remediation leaves existing noncompliant resources uncorrected. Option C is wrong because assigning Contributor at the management group scope grants excessive permissions (e.g., ability to delete or modify any resource) and does not enforce rules programmatically or provide a compliance view; it relies on manual fixes, which is not scalable or auditable. Option D is wrong because a CanNotDelete lock at the management group scope prevents deletion of the management group itself or its resources but does not enforce tagging or location restrictions, nor does it provide compliance monitoring or remediation.

844
Multi-Selectmedium

A web tier and API tier run in different subnets. The API subnet NSG currently has Deny-8443 from Any at priority 200 and Allow-8443-WebToApi from ASG-Web to ASG-Api at priority 300. Web requests on TCP 8443 are failing. Which two changes should the administrator make? Select two.

Select 2 answers
A.Move the allow rule to a higher priority number than 200.
B.Move the allow rule to a lower priority number than 200.
C.Ensure the web NICs are added to ASG-Web and the API NICs are added to ASG-Api.
D.Change the rule protocol from TCP to Any.
E.Attach a route table to the API subnet to override the deny behavior.
AnswersB, C

NSG rules are processed from lowest number to highest number, so the allow must be evaluated first.

Why this answer

B is correct because NSG rules are evaluated in priority order, with lower numbers having higher priority. The Deny-8443 rule at priority 200 is evaluated before the Allow-8443-WebToApi rule at priority 300, so the deny rule blocks the traffic. Moving the allow rule to a lower priority number (e.g., 100) ensures it is evaluated first, allowing the traffic.

C is correct because the allow rule uses application security groups (ASGs); if the web and API NICs are not assigned to the respective ASGs, the rule will not match any traffic, effectively making it a no-op.

Exam trap

The trap here is that candidates often forget that NSG rules are evaluated in priority order (lower number = higher priority) and that application security groups require explicit NIC assignment—they may assume the ASG rule works automatically or that changing the protocol or adding a route table can bypass a deny rule.
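To make the priority and ASG-membership points concrete, the following simulator (an added example, not Azure's own code) evaluates the two rules from the question against a web-to-API flow and shows why only the combination of B and C lets the traffic through. NIC names and ASG membership are constructed, and the Deny-8443 rule's destination is assumed to be Any.

```python
"""NSG evaluation simulator for the web-to-API scenario (added example; not
Azure's own code). It models two behaviours the explanation relies on:
rules are evaluated from the lowest priority number upward and the first
match wins, and a rule that references an application security group (ASG)
matches only NICs that are members of that ASG. Rule names come from the
question; NIC names and ASG membership are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int               # lower number = evaluated earlier
    access: str                 # "Allow" or "Deny"
    protocol: str               # "Tcp", "Udp" or "*"
    dest_port: Union[int, str]  # port number or "*"
    source: str                 # "Any" or "asg:<ASG name>"
    destination: str            # "Any" or "asg:<ASG name>"


@dataclass(frozen=True)
class Flow:
    src_nic: str
    dst_nic: str
    protocol: str
    dest_port: int


def _endpoint_matches(selector: str, nic: str, asgs: Dict[str, Set[str]]) -> bool:
    """'Any' matches every NIC; 'asg:<name>' matches only NICs in that ASG."""
    if selector == "Any":
        return True
    if selector.startswith("asg:"):
        return nic in asgs.get(selector[len("asg:"):], set())
    return False


def evaluate(rules: List[Rule], flow: Flow, asgs: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order.
    If nothing matches, fall through to the built-in DenyAllInBound rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", flow.protocol):
            continue
        if rule.dest_port not in ("*", flow.dest_port):
            continue
        if not _endpoint_matches(rule.source, flow.src_nic, asgs):
            continue
        if not _endpoint_matches(rule.destination, flow.dst_nic, asgs):
            continue
        return rule.access, rule.name
    return "Deny", "DenyAllInBound"


# Constructed scenario: one web NIC talking to one API NIC on TCP 8443.
DENY_8443 = Rule("Deny-8443", 200, "Deny", "Tcp", 8443, "Any", "Any")
ALLOW_WEB_TO_API = Rule("Allow-8443-WebToApi", 300, "Allow", "Tcp", 8443,
                        "asg:ASG-Web", "asg:ASG-Api")
WEB_REQUEST = Flow("web01-nic", "api01-nic", "Tcp", 8443)
ASGS_POPULATED = {"ASG-Web": {"web01-nic"}, "ASG-Api": {"api01-nic"}}
ASGS_EMPTY: Dict[str, Set[str]] = {"ASG-Web": set(), "ASG-Api": set()}


def as_configured() -> Tuple[str, str]:
    """Current state: the deny at 200 is reached before the allow at 300."""
    return evaluate([DENY_8443, ALLOW_WEB_TO_API], WEB_REQUEST, ASGS_POPULATED)


def protocol_changed_only() -> Tuple[str, str]:
    """Option D alone: widening the allow rule to any protocol does not change
    its priority, so the deny still wins."""
    widened = Rule(ALLOW_WEB_TO_API.name, 300, "Allow", "*", 8443,
                   "asg:ASG-Web", "asg:ASG-Api")
    return evaluate([DENY_8443, widened], WEB_REQUEST, ASGS_POPULATED)


def priority_fixed_only() -> Tuple[str, str]:
    """Option B alone: the allow now runs first, but with empty ASGs it matches
    nothing and evaluation falls through to the deny."""
    moved = Rule(ALLOW_WEB_TO_API.name, 100, "Allow", "Tcp", 8443,
                 "asg:ASG-Web", "asg:ASG-Api")
    return evaluate([DENY_8443, moved], WEB_REQUEST, ASGS_EMPTY)


def both_fixes() -> Tuple[str, str]:
    """Options B and C together: allow at 100 and NICs placed in their ASGs."""
    moved = Rule(ALLOW_WEB_TO_API.name, 100, "Allow", "Tcp", 8443,
                 "asg:ASG-Web", "asg:ASG-Api")
    return evaluate([DENY_8443, moved], WEB_REQUEST, ASGS_POPULATED)


if __name__ == "__main__":
    for label, fn in [("as configured", as_configured),
                      ("protocol -> Any only", protocol_changed_only),
                      ("priority 100 only, empty ASGs", priority_fixed_only),
                      ("priority 100 + ASG membership", both_fixes)]:
        access, name = fn()
        print(f"{label:32s} {access:5s} via {name}")
```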

845
MCQmedium

A branch office with a fixed public IP needs encrypted access to private Azure virtual machines and internal services in a VNet. Traffic must travel across the public internet in an encrypted tunnel, and the connection should use a route-based design. What should the administrator deploy in Azure?

A.An Azure Virtual Network peering connection to the branch office network.
B.A VPN gateway with a site-to-site connection.
C.A service endpoint on the target subnet.
D.An Azure private endpoint for the virtual machines.
AnswerB

A site-to-site VPN gateway creates an encrypted tunnel from the branch office to Azure over the public internet. Because the branch has a static public IP and the requirement calls for route-based connectivity, this is the correct Azure networking service. Once deployed, the gateway can provide private access to VMs and internal services in the virtual network without exposing them directly to the internet.

Why this answer

A VPN gateway with a site-to-site connection is the correct choice because it establishes an encrypted IPsec tunnel over the public internet between the branch office's fixed public IP and Azure, using a route-based (IKEv2) configuration. This allows the branch office to securely access private Azure VMs and internal services in the VNet, meeting the requirement for encrypted traffic across the internet.

Exam trap

The trap here is that candidates often confuse Azure Virtual Network peering (which is for VNet-to-VNet connectivity within Azure) with site-to-site VPN (which is for on-premises to Azure connectivity), leading them to select option A incorrectly.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Network peering connects two Azure VNets within the Azure backbone, not to an on-premises branch office over the public internet. Option C is wrong because a service endpoint provides secure access to Azure PaaS services (e.g., Azure Storage) from a VNet but does not create an encrypted tunnel for branch office connectivity to VMs or internal services. Option D is wrong because an Azure private endpoint assigns a private IP to a PaaS service within a VNet, enabling private access from the VNet, but it does not provide a site-to-site encrypted tunnel from an external branch office.

846
Multi-Selecthard

A subscription already grants Contributor to an application team. The organization wants to prevent deployments in unsupported Azure regions and ensure every new resource has an Environment tag. Which two controls should be implemented with Azure Policy rather than RBAC? Select two.

Select 2 answers
A.Assign an allowed-locations policy at the management group or subscription scope.
B.Create a custom RBAC role that blocks resources deployed outside approved regions.
C.Assign a policy that enforces the Environment tag on new resources.
D.Add a CanNotDelete lock to every resource group.
E.Grant User Access Administrator to the deployment team.
AnswersA, C

Location is a resource property that policy can evaluate and deny, while RBAC cannot inspect deployment metadata like region.

Why this answer

Option A is correct because Azure Policy can enforce an 'allowed-locations' policy at the management group or subscription scope to restrict resource deployment to only approved Azure regions. This is a governance control that operates declaratively, evaluating resource properties against policy rules before or after creation, unlike RBAC which controls identity-based permissions. Option C is correct because Azure Policy can enforce the 'Environment' tag on new resources using a 'require a tag and its value' policy, ensuring compliance without modifying role assignments.

Exam trap

The trap here is that candidates often confuse RBAC (identity-based permissions) with Azure Policy (resource property enforcement), mistakenly thinking a custom RBAC role can restrict regions or tags, when in fact RBAC only controls actions like 'write' or 'delete' and cannot evaluate resource properties like location or tags.

847
MCQhard

Which statement best explains the value of enabling both centralized logging and strong access controls on network devices?

A.Access controls reduce unauthorized use, and centralized logging improves visibility and investigation.
B.Both features do the exact same job, so using both is redundant.
C.Centralized logging removes the need for any authentication.
D.Strong access control makes log timestamps irrelevant.
AnswerA

This is correct because the two controls complement each other by combining prevention and monitoring.

Why this answer

Enabling centralized logging (e.g., syslog) on network devices provides a single, tamper-evident repository for all device events, which is critical for post-incident forensic analysis and compliance auditing. Strong access controls (e.g., RBAC, ACLs, 802.1X) directly prevent unauthorized configuration changes and network access, reducing the attack surface. Together, they form a defense-in-depth strategy: access controls block threats, while centralized logging captures evidence of any attempts or breaches for investigation.

Exam trap

The trap here is that candidates may think logging and access controls are interchangeable or redundant, when in fact they serve distinct layers of security—logging provides detective control, while access controls provide preventive control—and both are required for a complete security posture.

Why the other options are wrong

B

Option B is incorrect because centralized logging and strong access controls serve distinct purposes; access controls prevent unauthorized access, while centralized logging provides visibility into activities for auditing and troubleshooting.

C

This option is incorrect because centralized logging does not eliminate the need for authentication; rather, it complements access controls by providing a record of access attempts and activities. Authentication is still essential for securing access to network devices.

D

This option is wrong because strong access control does not make log timestamps irrelevant; rather, accurate timestamps are crucial for auditing and correlating events in security investigations.

848
MCQmedium

A business-critical storage account must keep data available if one availability zone fails in the primary region. It must also keep a readable copy in the paired region so administrators can verify data during disaster recovery testing before failover. Which redundancy option should be selected?

A.LRS, because it stores three copies in one datacenter and is the lowest-cost option.
B.ZRS, because it replicates data across zones in the same region but not to another region.
C.GRS, because it replicates to the paired region and supports a secondary copy for recovery.
D.RA-GZRS, because it provides zone redundancy in the primary region and read access to the secondary region.
AnswerD

RA-GZRS combines zone-redundant storage in the primary region with geo-replication to the paired region, and it also enables read access to the secondary endpoint. That combination satisfies both requirements: survive a zone failure and allow administrators to validate replicated data before a planned or unplanned failover.

Why this answer

D is correct because RA-GZRS (Read-Access Geo-Zone-Redundant Storage) provides synchronous replication across three Azure availability zones within the primary region, ensuring data remains available if one zone fails. It also asynchronously replicates data to the paired region, where a read-only copy is available for verification during disaster recovery testing without requiring a failover.

Exam trap

The trap here is that candidates often confuse GRS with RA-GZRS, assuming geo-replication alone provides both zone redundancy and readable secondary access, but GRS does not offer zone-level protection within the primary region and its secondary copy is not readable until a failover is initiated.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) stores three copies within a single datacenter, which does not protect against an availability zone failure or provide a secondary region copy. Option B is wrong because ZRS (Zone-Redundant Storage) replicates across zones in the same region, meeting the zone-failure requirement but failing to provide a readable copy in the paired region. Option C is wrong because GRS (Geo-Redundant Storage) replicates to the paired region but does not offer zone redundancy within the primary region, and its secondary copy is not readable unless a failover occurs.

849
MCQeasy

Based on the exhibit, which identity approach should the administrator use so both VMs can share the same access without managing secrets or recreating role assignments when a VM is replaced?

A.A separate system-assigned managed identity on each VM.
B.A single user-assigned managed identity attached to both VMs.
C.An administrator username and password stored in the script.
D.A shared access signature assigned to the virtual network.
AnswerB

A user-assigned managed identity is independent of any one VM and can be attached to multiple resources. That makes it ideal when several VMs need the same permissions and the access must continue even if one VM is deleted or rebuilt.

Why this answer

A user-assigned managed identity is an independent Azure resource that can be attached to multiple VMs, allowing them to share the same identity for accessing Azure resources. This approach eliminates the need to manage secrets (like passwords or keys) and avoids recreating role assignments when a VM is replaced, because the identity persists independently of the VM lifecycle.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, incorrectly assuming that a system-assigned identity can be shared across VMs or that it persists after VM deletion, when in fact it is deleted with the VM.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if the VM is replaced, a new identity is created, requiring role assignments to be recreated. Option C is wrong because storing an administrator username and password in a script introduces security risks (credential leakage) and violates the principle of managing secrets, plus it does not provide a managed identity for Azure RBAC. Option D is wrong because a shared access signature (SAS) is a token for delegated access to Azure Storage resources, not an identity for VMs, and it cannot be assigned to a virtual network for VM authentication.

850
MCQhard

Users on the internet cannot access an HTTPS website hosted on VM-Web01. The VM has a public IP address, the web service is running, and the guest OS firewall allows TCP 443. What is the most likely Azure-side issue?

A.The NSG does not allow inbound TCP 443
B.The VM uses managed disks
C.Azure Backup is not enabled
D.The storage account uses the Cool tier
AnswerA

A missing or denying NSG rule on TCP 443 would block internet access to the website.

Why this answer

The most likely Azure-side issue is that the Network Security Group (NSG) associated with the VM's subnet or NIC does not have an inbound rule allowing TCP 443. Even if the guest OS firewall permits HTTPS and the web service is running, the NSG acts as a distributed firewall that filters traffic at the Azure network boundary. Without an explicit inbound security rule for TCP 443, all HTTPS traffic from the internet is dropped before reaching the VM.

Exam trap

The trap here is that candidates often assume that because the guest OS firewall allows the port and the web service is running, the VM is fully accessible, overlooking the fact that Azure's NSG is an additional, mandatory layer of network filtering that must also permit the traffic.

How to eliminate wrong answers

Option B is wrong because managed disks are a storage management feature that does not affect network connectivity or firewall rules; they provide simplified disk management and improved reliability but have no impact on inbound traffic filtering. Option C is wrong because Azure Backup is a data protection service that backs up VM data and configurations; it does not control network access or firewall rules, so disabling or not enabling it would not block HTTPS traffic. Option D is wrong because the storage account access tier (Cool vs. Hot) only affects blob storage costs and retrieval latency; it has no relevance to VM network security or inbound HTTPS access.

851
MCQeasy

Based on the exhibit, a policy assigned at the subscription denies storage accounts that allow public network access. One existing storage account in RG-Legacy must remain publicly reachable for 30 days while a migration is completed. What should the administrator use?

A.Create a policy exemption for stlegacy01 at the resource scope.
B.Remove the policy assignment from the subscription until the migration finishes.
C.Change the policy effect from Deny to Audit.
D.Move the legacy storage account to a separate subscription and assign the policy there.
AnswerA

A policy exemption is the correct tool when one known resource must temporarily be excluded from a policy assignment. It preserves the policy for everything else while documenting the exception for stlegacy01. This is ideal for a time-bound migration because it avoids weakening the policy across the subscription.

Why this answer

A policy exemption at the resource scope is the correct approach because it allows the administrator to selectively exclude the specific storage account (stlegacy01) from the subscription-level policy that denies public network access. This exemption can be configured with an expiration date of 30 days, ensuring the legacy account remains publicly reachable during the migration while the policy continues to apply to all other resources. Policy exemptions are designed for exactly this scenario—temporary exceptions for compliance or migration needs—without altering the policy definition or assignment.

Exam trap

The trap here is that candidates often confuse policy exemptions with policy exclusions (which are set at assignment scope and apply to entire resource groups or subscriptions), leading them to think they must modify the assignment or move resources instead of using the precise exemption mechanism designed for temporary exceptions.

How to eliminate wrong answers

Option B is wrong because removing the policy assignment from the subscription would disable the deny effect for all storage accounts across the entire subscription, not just the legacy one, which violates the requirement to keep the policy active for other resources. Option C is wrong because changing the policy effect from Deny to Audit would stop blocking public network access for all storage accounts, making the policy non-enforceable and failing to protect other resources during the 30-day period. Option D is wrong because moving the storage account to a separate subscription and assigning the policy there would still deny public network access in the new subscription, defeating the purpose of keeping the account publicly reachable; additionally, this approach introduces unnecessary administrative overhead and does not provide a temporary exception.

852
Multi-Selectmedium

A company has 18 subscriptions under a management group named Corp. The audit team needs Reader access to all current and future subscriptions in Corp without creating one assignment per subscription. Which two statements are correct? Select two.

Select 2 answers
A.Assign Reader at the Corp management group scope.
B.Place new subscriptions under the Corp management group so they inherit the assignment.
C.Assign Reader separately at each subscription scope.
D.Assign Reader at one resource group in each subscription.
E.Create a lock on each subscription to provide Reader access.
AnswersA, B

A management group assignment applies to every subscription under that branch, which is the cleanest way to cover current and future subscriptions.

Why this answer

Assigning the Reader role at the Corp management group scope is correct because Azure RBAC allows role assignments to be inherited by all child resources, including all current and future subscriptions under that management group. This eliminates the need to create a separate assignment per subscription, as the single assignment at the management group level applies to all subscriptions within it.

Exam trap

The trap here is that candidates may confuse Azure RBAC role assignments with Azure Policy or locks, thinking that a lock can grant permissions, or they may overlook the inheritance behavior of management groups and attempt to assign roles at a lower scope unnecessarily.

853
MCQeasy

After a Windows VM is created, the administrator wants IIS installed and a configuration script run automatically without signing in to the server. Which Azure feature should be used?

A.An availability set
B.A virtual machine extension
C.An Azure Policy assignment
D.A network security group rule
AnswerB

A VM extension is designed to run additional configuration tasks on a VM after deployment. For example, the Custom Script Extension can install software, copy files, or execute scripts without an interactive logon. This directly matches the requirement to automate IIS installation and post-deployment configuration.

Why this answer

A virtual machine extension (such as the Custom Script Extension for Windows) allows you to deploy and run scripts on an Azure VM after provisioning, without requiring any interactive sign-in. This is the correct Azure feature to automatically install IIS and execute a configuration script as part of the VM deployment or post-deployment automation.

Exam trap

The trap here is that candidates often confuse Azure Policy (which only audits or enforces configurations) with VM extensions (which actually perform software installation and script execution), leading them to select Azure Policy as the automation tool.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping of VMs to protect against infrastructure failures and maintenance events; it does not execute scripts or install software. Option C is wrong because an Azure Policy assignment enforces compliance rules (e.g., allowed VM sizes or resource tags) across resources, but it cannot install IIS or run configuration scripts on a VM. Option D is wrong because a network security group (NSG) rule controls inbound/outbound traffic to a VM's network interface or subnet; it has no capability to install software or run scripts.

854
MCQhard

A team operates two Azure VMs that both need to call Azure services with the same identity. The VMs are rebuilt frequently, and the identity must continue to work if either VM is deleted and recreated. Which identity should the administrator attach?

A.A system-assigned managed identity on one of the VMs
B.A user-assigned managed identity attached to both VMs
C.A service principal with a client secret stored on each VM
D.A certificate uploaded to each VM and used for Azure sign-in
AnswerB

User-assigned identities are independent Azure resources that can be shared across VMs and survive VM recreation.

Why this answer

A user-assigned managed identity is the correct choice because it is a standalone Azure resource that can be attached to multiple VMs. When a VM is deleted and recreated, the identity persists independently and can be reassigned to the new VM, ensuring continuous access to Azure services without credential management.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, assuming a system-assigned identity can be shared or persist after VM deletion, when in fact only user-assigned identities are decoupled from the VM lifecycle and can be attached to multiple resources.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if that VM is deleted, the identity is also deleted, and it cannot be shared across multiple VMs. Option C is wrong because storing a client secret on each VM introduces security risks (secret exposure) and requires manual rotation and management, violating the principle of credentialless authentication that managed identities provide. Option D is wrong because uploading a certificate to each VM requires manual certificate lifecycle management (renewal, distribution) and does not integrate with Azure AD automatic token acquisition like managed identities do.

855
Multi-Selectmedium

A team needs Reader access to exactly two Azure resources that are in the same resource group, and they must not gain access to other resources in that group. Which two scope choices are appropriate? Select two.

Select 2 answers
A.Assign the role at the storage account scope.
B.Assign the role at the Key Vault scope.
C.Assign the role at the resource group scope.
D.Assign the role at the subscription scope.
E.Assign the role at the management group scope.
AnswersA, B

A resource-level assignment on the storage account grants access only to that one object. It is the narrowest practical scope for a single resource and avoids exposing unrelated resources in the same group.

Why this answer

Assigning the Reader role at the storage account scope (Option A) grants read-only access to exactly that storage account and to no other resource in the resource group. The same reasoning applies to the Key Vault scope (Option B): a resource-scoped assignment on the Key Vault grants Reader only on that vault. This is because Azure RBAC scopes are hierarchical, and a role assignment at a specific resource scope limits permissions to only that resource. Together, the two resource-level assignments provide access to exactly the two required resources without granting access to anything else in the same resource group.

Exam trap

The trap here is that candidates often assume assigning a role at the resource group scope is sufficient, but they overlook that it grants access to all resources in the group, not just the selected ones.

856
MCQhard

A scale set of application VMs uploads JSON files to one blob container. The identity must not use secrets, must keep working if an instance is reimaged or replaced, and the same identity should be reusable across all instances. What should the administrator configure?

A.A system-assigned managed identity on each VM instance, with account-wide storage permissions.
B.A user-assigned managed identity, attached to the scale set, with Storage Blob Data Contributor scoped to the container.
C.A shared access signature stored in the VM image and renewed annually.
D.The storage account access key, because it allows the most reliable upload path.
AnswerB

A user-assigned managed identity persists independently of any single VM instance, so it remains usable after reimaging or replacement. Scoping Storage Blob Data Contributor to the container follows least privilege while still allowing the workload to upload the JSON files.

Why this answer

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource, can be assigned to multiple VMs in a scale set, and persists independently of any VM instance lifecycle. This ensures the identity remains available even if an instance is reimaged or replaced, and it avoids the need for secrets. The Storage Blob Data Contributor role scoped to the specific container grants the necessary permissions for uploading JSON files without exposing account-level access.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, assuming system-assigned identities can be shared across instances, when in fact each instance gets a unique identity that is destroyed on reimage, making user-assigned the only option for a reusable, persistent identity across a scale set.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of each individual VM instance; if an instance is reimaged or replaced, the identity is destroyed and recreated, breaking continuity and requiring reconfiguration of permissions. Option C is wrong because a shared access signature (SAS) is a secret token that must be securely stored and renewed, violating the requirement to avoid secrets and adding management overhead; embedding it in a VM image also risks exposure and does not survive reimaging. Option D is wrong because using the storage account access key exposes a high-privilege secret that must be managed and rotated, contradicts the 'no secrets' requirement, and provides full account access rather than scoped container permissions.

857
Matchinghard

Match each network design requirement or limitation on the left with the best Azure behavior or corrective action on the right.


Concepts
Matches

The address spaces overlap, so one range must be changed before peering can be created.

Create VNet peering; it provides private connectivity without a VPN gateway.

Enable gateway transit on the hub peering and use remote gateways on the spoke peering.

VNet peering is not transitive, so A must be connected to C directly or routed through an appliance.

Create a new non-overlapping address space and migrate workloads before removing the old range.

Why these pairings

High availability across regions uses multiple regions with Traffic Manager; latency-sensitive apps use performance routing; data residency is enforced via Azure Policy; non-production cost optimization uses Dev/Test pricing; disaster recovery with low RPO uses Site Recovery continuous replication; demand scaling uses autoscale.

858
MCQeasy

Based on the exhibit, which alert type should the administrator create to detect when Azure marks the storage account unhealthy because of a platform issue?

A.Metric alert on account capacity.
B.Resource Health alert.
C.Log search alert against AzureDiagnostics.
D.Autoscale rule based on storage transactions.
AnswerB

Resource Health alerts are intended for platform-level availability problems reported by Azure itself. They are the right fit when the business wants to know that Azure has marked a resource unhealthy or unavailable, rather than watching an application metric or a custom log entry. This directly matches the requirement for platform issue notification on the storage account.

Why this answer

Resource Health alerts are specifically designed to notify administrators when an Azure service or resource becomes unhealthy due to platform issues. In this scenario, the storage account being marked unhealthy by Azure due to a platform issue is exactly the kind of event that a Resource Health alert captures, as it monitors the health status of Azure resources and triggers alerts on state transitions (e.g., from 'Available' to 'Degraded' or 'Unavailable').

Exam trap

The trap here is that candidates often confuse Resource Health alerts with metric alerts or log search alerts, mistakenly thinking that any health-related event can be captured by querying AzureDiagnostics or by setting a metric threshold, when in fact Resource Health alerts are the dedicated mechanism for platform-issue notifications.

How to eliminate wrong answers

Option A is wrong because a metric alert on account capacity monitors storage usage thresholds (e.g., percentage of used capacity), not platform health issues; it would not detect when Azure marks the resource unhealthy due to a platform problem. Option C is wrong because a log search alert against AzureDiagnostics queries operational logs for specific events (e.g., authentication failures), but it does not natively capture the resource health state transitions that indicate platform-level unhealthiness; Resource Health events are logged in the Azure Activity Log, not in AzureDiagnostics. Option D is wrong because an autoscale rule based on storage transactions is used to scale resources like Azure Functions or App Service based on transaction counts, not to detect health issues; storage accounts themselves do not support autoscaling based on transactions, and this option is irrelevant to health monitoring.

859
MCQhard

An application in a VNet must access an Azure Storage account over a private IP address. Public network access is disabled on the storage account, and the app must resolve the normal blob FQDN to that private address only from within the VNet. What should the administrator configure?

A. A service endpoint on the subnet and a storage account firewall rule for the subnet.
B. A private endpoint for the blob service and a linked private DNS zone for the VNet.
C. Allow trusted Microsoft services on the storage account and keep the public endpoint enabled.
D. Create a public DNS record that maps the blob FQDN to the storage account's public IP address.
Answer: B

A private endpoint gives the storage service a private IP inside the VNet, which satisfies the private connectivity requirement. Linking the corresponding private DNS zone ensures the standard blob FQDN resolves to that private address for workloads in the VNet. That combination is the normal solution when public access is disabled and applications must keep using the service's standard name.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP from the VNet, and linking a private DNS zone (e.g., `privatelink.blob.core.windows.net`) to the VNet ensures that the blob FQDN resolves to that private IP only from within the VNet. This meets the requirement of disabling public network access while providing private connectivity and DNS resolution.

Exam trap

The trap here is that candidates confuse service endpoints (which still use the public endpoint) with private endpoints (which provide a true private IP), and they overlook the critical requirement of disabling public network access, which makes service endpoints invalid.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only allows traffic from the subnet to the public endpoint via the Azure backbone, and with public network access disabled, the storage account firewall rule for the subnet would still block traffic. Option C is wrong because allowing trusted Microsoft services bypasses the firewall for specific Azure services but does not provide a private IP address or private DNS resolution; the public endpoint remains enabled, violating the requirement to disable public network access. Option D is wrong because creating a public DNS record mapping the blob FQDN to the storage account's public IP address would make the storage account accessible over the public internet, contradicting the requirement to disable public network access and use a private IP.

860
MCQ (medium)

Three Azure VMs in different resource groups need to access the same Azure resources using one identity. The identity must keep working if any VM is deleted and recreated. What should the administrator assign to the VMs?

A. A system-assigned managed identity on each VM.
B. A user-assigned managed identity.
C. A local administrator account.
D. An Azure Blueprint assignment.
Answer: B

A user-assigned managed identity is independent of any single VM, so it can be reused across multiple machines.

Why this answer

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource and can be assigned to multiple VMs, even across different resource groups. If a VM is deleted and recreated, the user-assigned identity persists independently and can be reassigned to the new VM, ensuring continuous access to Azure resources without reconfiguration.

Exam trap

The trap here is that candidates often choose system-assigned managed identities (Option A) because they are simpler to configure, but they fail to recognize that system-assigned identities are deleted with the VM, making them unsuitable for scenarios requiring identity persistence across VM deletions and recreations.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if that VM is deleted, the identity is also deleted, and a new VM would require a new identity assignment, breaking the requirement for a persistent identity across VM deletions and recreations. Option C is wrong because a local administrator account is a VM-level credential that does not provide an Azure AD identity for accessing Azure resources, and it would not survive VM deletion or support multiple VMs sharing the same identity. Option D is wrong because an Azure Blueprint assignment is used for deploying and governing environments (e.g., resource groups, policies, RBAC) and does not provide an identity that VMs can use to authenticate to Azure resources.

861
MCQ (easy)

Based on the exhibit, what is the best change so the VNet peering can be created successfully?

A. Change VNet-B to a non-overlapping address space, such as 10.1.0.0/24.
B. Add a route table to VNet-B before creating the peering.
C. Enable gateway transit on VNet-A.
D. Resize VNet-A to 10.0.0.0/15 so both VNets fit.
Answer: A

Azure VNet peering requires that the address spaces do not overlap. Changing VNet-B to a different range removes the conflict and allows peering to be created. The exact new range can vary, but it must not overlap with VNet-A’s 10.0.0.0/16 range.

Why this answer

VNet peering requires that the address spaces of the two virtual networks do not overlap. If VNet-A uses 10.0.0.0/16 and VNet-B also uses 10.0.0.0/16, they conflict, preventing peering. Changing VNet-B to a non-overlapping address space like 10.1.0.0/24 resolves this conflict, allowing the peering to be established.

Exam trap

The trap here is that candidates often confuse overlapping address spaces with routing issues, thinking that adding route tables or enabling gateway transit will fix the peering failure, when in fact the fundamental requirement is non-overlapping IP ranges.

How to eliminate wrong answers

Option B is wrong because adding a route table to VNet-B does not resolve overlapping address spaces; route tables control traffic flow within a VNet but do not affect the address space conflict that blocks peering. Option C is wrong because enabling gateway transit on VNet-A is used to allow a peered VNet to use VNet-A's VPN/ExpressRoute gateway, but it does not fix overlapping address spaces and is not a prerequisite for basic VNet peering. Option D is wrong because resizing VNet-A to 10.0.0.0/15 still overlaps with VNet-B's 10.0.0.0/16 address space (since 10.0.0.0/15 includes 10.0.0.0/16), and Azure does not allow overlapping address spaces in a peering relationship.

862
MCQ (easy)

A team stores application logs in an Azure Storage account. The logs must remain available if an entire Azure availability zone in the primary region has an outage, but the team does not require a secondary region copy. Which redundancy option should you choose?

A. LRS
B. ZRS
C. GRS
D. RA-GRS
Answer: B

ZRS stores data across multiple availability zones in the primary region. That provides resilience if one zone becomes unavailable, while staying within the same region.

Why this answer

Zone-redundant storage (ZRS) synchronously replicates data across three Azure availability zones within the primary region, ensuring durability even if an entire zone fails. Since the requirement explicitly states no secondary region copy is needed, ZRS is the correct choice because it provides intra-region zone-level resilience without cross-region replication.

Exam trap

The trap here is that candidates often confuse ZRS with LRS, assuming LRS provides zone-level redundancy, but LRS only protects against server rack failures within a single data center, not an entire availability zone outage.

How to eliminate wrong answers

Option A (LRS) is wrong because it replicates data only within a single data center in a single availability zone, so an entire zone outage would cause data loss. Option C (GRS) is wrong because it replicates data to a secondary region, which violates the requirement that no secondary region copy is needed. Option D (RA-GRS) is wrong because it also replicates to a secondary region and additionally provides read access to that secondary copy, again violating the no-secondary-region requirement.

863
MCQ (hard)

Your company hosts an internal web app in Azure App Service. Access must be limited to users connecting from the corporate virtual network over private IP addresses only. What should you configure?

A. An App Service Environment only.
B. Access restrictions based on public IP ranges only.
C. A private endpoint for the web app.
D. A public load balancer in front of the web app.
Answer: C

This provides private access from the VNet using a private IP address.

Why this answer

Option C is correct because a private endpoint assigns a private IP address from your virtual network to the web app, making it accessible only over the corporate network via private IPs. This ensures traffic never traverses the public internet, meeting the requirement for private IP-only access.

Exam trap

The trap here is that candidates often confuse access restrictions (which filter by public IP) with a private endpoint (which eliminates public exposure entirely), mistakenly thinking IP-based restrictions can enforce private-only access when they cannot stop traffic from traversing the public internet.

How to eliminate wrong answers

Option A is wrong because an App Service Environment (ASE) is a fully isolated and dedicated environment that can be injected into a virtual network, but it is overkill and not required for simply restricting access to a single web app; the question does not demand dedicated compute or isolation. Option B is wrong because access restrictions based on public IP ranges only control inbound traffic from specific public IPs, but they do not prevent traffic from traversing the public internet; the requirement is to limit access to users connecting from the corporate virtual network over private IP addresses, which public IP restrictions cannot enforce. Option D is wrong because a public load balancer in front of the web app would still expose the app via a public IP and route traffic over the internet, failing to restrict access to private IPs only.

864
MCQ (easy)

A company wants to enable backup for an Azure virtual machine and later restore the VM if needed. Which Azure service should the administrator use to manage the backup plan and restores?

A. Azure Monitor
B. Recovery Services vault
C. Log Analytics workspace
D. Azure Front Door
Answer: B

A Recovery Services vault is the Azure service used to configure VM backup policies, run backups, and perform restores.

Why this answer

The Recovery Services vault is the correct Azure service for managing backup plans and restores for Azure virtual machines. It provides a centralized management interface for configuring backup policies, performing on-demand backups, and initiating restore operations to recover VMs to a specific point in time.

Exam trap

The trap here is that candidates often confuse Azure Backup (which uses Recovery Services vault) with Azure Site Recovery (which also uses a Recovery Services vault but for disaster recovery replication, not backup), leading them to incorrectly select a different service or misunderstand the vault's dual role.

How to eliminate wrong answers

Option A is wrong because Azure Monitor is a monitoring and diagnostics service that collects metrics, logs, and alerts from Azure resources, but it does not provide backup or restore capabilities. Option C is wrong because Log Analytics workspace is used for collecting and analyzing log data from various sources, not for managing backup plans or performing VM restores. Option D is wrong because Azure Front Door is a global load balancer and application delivery service that optimizes traffic routing and provides web application firewall capabilities, with no backup or restore functionality.

865
MCQ (easy)

Based on the exhibit, why does a query against AzureDiagnostics return no rows after the storage account diagnostic setting was changed?

A. The storage account cannot send logs to Log Analytics when public network access is disabled.
B. The logs are written to resource-specific tables instead of AzureDiagnostics.
C. The diagnostic setting only sends metrics, not logs, to the workspace.
D. The workspace retention period automatically deletes all records after one hour.
Answer: B

When diagnostic settings use resource-specific mode, Azure writes records to service-specific tables rather than the legacy AzureDiagnostics table. The query failed because it looked in the wrong table. The administrator should query the table that matches the storage log source or switch the destination format if a unified table is preferred.

Why this answer

Option B is correct because when you change a diagnostic setting for a storage account from 'AzureDiagnostics' mode to 'Resource-specific' mode, logs are no longer sent to the AzureDiagnostics table. Instead, they are written to dedicated resource-specific tables (e.g., StorageReadLogs, StorageWriteLogs). Since the query targets AzureDiagnostics, it returns no rows because the logs are now stored in the new table format.

Exam trap

The trap here is that candidates assume logs are always written to the AzureDiagnostics table, overlooking that the diagnostic setting can be configured to use resource-specific tables, which changes the destination table name and causes queries against AzureDiagnostics to return no rows.

How to eliminate wrong answers

Option A is wrong because disabling public network access on a storage account does not prevent logs from being sent to Log Analytics; the diagnostic setting uses a private endpoint or Microsoft trusted services to send logs, and the setting itself is configured at the resource level, not dependent on public network access. Option C is wrong because the diagnostic setting can be configured to send both metrics and logs; the exhibit shows the setting includes 'Audit logs' and 'Transaction logs', not just metrics. Option D is wrong because the workspace retention period does not delete records after one hour; retention is configurable (default 30 days) and only applies to data already ingested, not to logs that were never written to the AzureDiagnostics table.

866
MCQ (medium)

An enterprise uses one management group to contain five subscriptions for a business unit. A compliance auditor in an Entra ID group needs read-only access to every current and future resource in all five subscriptions, but must not see resources in other business units. What is the best scope for the Reader role assignment?

A. Assign Reader at the management group that contains the five subscriptions.
B. Assign Reader separately at each subscription in the business unit.
C. Assign Reader at a single resource group within one subscription.
D. Assign Reader directly to each resource that the auditor should see.
Answer: A

This scope lets the role flow downward to all subscriptions, resource groups, and resources under that management group. It is the narrowest place that still covers every current and future subscription in that business unit. The auditor gets consistent read-only visibility without requiring separate assignments for each subscription, and access stays isolated from other management groups.

Why this answer

Assigning the Reader role at the management group scope grants inherited read-only access to all current and future resources within every subscription under that management group, while preventing access to resources in other business units that are in separate management groups. This satisfies the auditor's requirement for a single, scalable assignment that automatically covers new subscriptions added to the management group.

Exam trap

The trap here is that candidates may think subscription-level assignments are necessary for granularity, overlooking that management group scope provides inheritance to all current and future subscriptions and resources within that group, which is the most efficient and correct approach for multi-subscription governance.

How to eliminate wrong answers

Option B is wrong because assigning Reader separately at each subscription requires manual updates whenever a new subscription is added, failing the 'future resources' requirement and increasing administrative overhead. Option C is wrong because scoping to a single resource group within one subscription provides access only to that specific resource group, not to all resources across all five subscriptions. Option D is wrong because assigning Reader directly to each resource is impractical at scale, violates Azure RBAC best practices, and does not automatically cover new resources created in the future.

867
MCQ (hard)

A platform team has a hardened Windows Server VM that was generalized after patching, agent installation, and baseline configuration. They must deploy the same build to development, test, and production subscriptions, and they want a controlled way to publish newer versions later without rebuilding the image each time. What should they create first?

A. An availability set for the source VM so new virtual machines inherit the same configuration.
B. A managed disk snapshot of the OS disk so new VMs can be created from the captured state.
C. An Azure Compute Gallery image version based on the generalized VM image.
D. A proximity placement group so all future VMs land close to the current server.
Answer: C

Azure Compute Gallery is the best fit when you need a reusable, versioned VM image that can be deployed consistently across subscriptions and regions. It supports image publishing, replication, and controlled updates, which makes it ideal for a hardened base build that will evolve over time.

Why this answer

An Azure Compute Gallery (formerly Shared Image Gallery) allows you to store and manage multiple versions of a generalized VM image, enabling controlled, incremental publishing of image updates across subscriptions. By creating an image version in a gallery, the team can deploy the same build to dev, test, and prod subscriptions while maintaining versioning and replication control, avoiding the need to rebuild the image from scratch for each update.

Exam trap

The trap here is that candidates often confuse a managed disk snapshot (Option B) with a reusable, versionable image, not realizing that snapshots lack the versioning, replication, and cross-subscription sharing capabilities that an Azure Compute Gallery image version provides.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping for high availability within a single region, not a mechanism for capturing or distributing a generalized VM configuration across subscriptions. Option B is wrong because a managed disk snapshot captures only the OS disk state at a point in time, but it cannot be versioned or replicated across subscriptions in a controlled manner, and it does not support incremental publishing of newer builds without creating new snapshots. Option D is wrong because a proximity placement group optimizes VM placement for low network latency, but it has no role in image management, versioning, or cross-subscription deployment of generalized images.

868
MCQ (medium)

A company has 18 Azure subscriptions. Production subscriptions must inherit stricter governance than sandbox subscriptions, and central IT wants one place to target future policy assignments to each group. What should the administrator do?

A. Create management groups for Prod and Sandbox, then move subscriptions into them
B. Create resource groups named Prod and Sandbox in each subscription
C. Use tags on subscriptions to separate production from sandbox
D. Apply a CanNotDelete lock to each subscription
Answer: A

Management groups create administrative boundaries and allow shared governance to flow to child subscriptions.

Why this answer

Management groups allow you to organize Azure subscriptions hierarchically and apply Azure Policy and role-based access control (RBAC) at the management group level, which is inherited by all subscriptions within that group. By creating separate management groups for Prod and Sandbox and moving the respective subscriptions into them, central IT can assign policy assignments once to each management group, ensuring stricter governance for production subscriptions and a lighter touch for sandbox subscriptions.

Exam trap

The trap here is that candidates often mistake resource groups or tags for mechanisms that group subscriptions for policy inheritance, but only management groups provide the hierarchical structure needed to apply policies consistently across multiple subscriptions.

How to eliminate wrong answers

Option B is wrong because resource groups are containers within a single subscription and cannot span multiple subscriptions; they do not provide a single place to target policy assignments across all production or sandbox subscriptions. Option C is wrong because tags are metadata labels that do not enforce inheritance of policies or RBAC; they are used for filtering and cost reporting, not for hierarchical governance. Option D is wrong because a CanNotDelete lock prevents deletion of the subscription itself but does not enforce governance policies or allow grouping of subscriptions for policy assignment.

869
MCQ (medium)

A developer has the Contributor role on a subscription. Their ARM deployment of a virtual machine with a public IP fails, and the error message says the request is denied by policy. The developer can create other resources successfully. What should you change to allow this deployment while keeping the Contributor role unchanged?

A. Assign the developer the Owner role on the subscription.
B. Modify or exempt the Azure Policy assignment that blocks public IP addresses.
C. Remove any lock from the virtual machine's resource group.
D. Move the virtual machine to another management group.
Answer: B

This directly addresses the policy denial while leaving the RBAC role unchanged.

Why this answer

The error indicates that an Azure Policy is denying the deployment of a virtual machine with a public IP address. Since the developer has the Contributor role, they have sufficient permissions to create resources, but Azure Policy overrides permissions by enforcing rules. Modifying or creating an exemption for the specific policy that blocks public IP addresses will allow the deployment without changing the developer's role.

Exam trap

The trap here is that candidates often confuse Azure Policy with RBAC or resource locks, assuming that a permission issue (like needing Owner) or a lock is the cause, when in fact policy enforcement is a separate governance layer that can deny deployments even with sufficient RBAC permissions.

How to eliminate wrong answers

Option A is wrong because assigning the Owner role would grant full access, but it is unnecessary and violates the requirement to keep the Contributor role unchanged; the issue is policy-based, not permission-based. Option C is wrong because resource locks prevent deletion or modification of resources, not creation; removing a lock would not resolve a policy denial during deployment. Option D is wrong because moving the virtual machine to another management group does not bypass Azure Policy assignments that are inherited from the subscription or management group; the policy would still apply unless explicitly excluded.

870
MCQ (medium)

A VM in Azure cannot accept RDP connections from your office public IP. The subnet NSG already has an inbound deny-all rule at priority 200, and you added an allow rule for TCP 3389 from 198.51.100.25/32 at priority 300. What should you do to allow the connection?

A. Change the source to Internet so the allow rule matches more traffic.
B. Create or move the allow rule to priority 100 so it is evaluated before the deny rule.
C. Change the protocol from TCP to Any to bypass the deny rule.
D. Assign a public IP directly to the VM to override the subnet NSG behavior.
Answer: B

NSG rules are processed in ascending priority order, so the allow must come before the deny-all rule.

Why this answer

Network Security Group (NSG) rules are evaluated in priority order, with lower numbers having higher precedence. Since the deny-all rule at priority 200 is evaluated before the allow rule at priority 300, the deny rule blocks the RDP traffic. To allow the connection, the allow rule must be created or moved to a priority lower than 200 (e.g., 100) so it is evaluated first, permitting traffic from 198.51.100.25/32 on TCP 3389 before the deny rule is reached.

Exam trap

The trap here is that candidates mistakenly think adding a more specific allow rule at a higher priority number will override a broader deny rule, not realizing that NSG priority order (lower number = higher priority) determines which rule is evaluated first.

How to eliminate wrong answers

Option A is wrong because changing the source to 'Internet' would broaden the rule to allow RDP from any public IP, defeating the purpose of restricting access to your office IP and creating a security risk. Option C is wrong because changing the protocol to 'Any' does not bypass the priority order; the deny rule at priority 200 would still block all traffic, including any protocol, before the allow rule is evaluated. Option D is wrong because assigning a public IP to the VM does not override NSG behavior; NSGs are applied at the subnet or NIC level and are independent of the public IP assignment, so the deny rule would still block traffic.

871
MCQ (hard)

A deployment pipeline uploads content to a blob container in Azure Storage. The pipeline authenticates with Microsoft Entra ID and must grant a partner temporary write access for 12 hours without sharing the storage account key. The access should be limited to the container only. Which access method should the administrator use?

A. Shared access key authentication
B. Account SAS
C. User delegation SAS
D. Service endpoint access with network rules only
Answer: C

User delegation SAS is generated by an identity authenticated with Microsoft Entra ID and does not require exposing the storage account key. It can be scoped tightly to the container, granted for a fixed time window, and limited to write operations. That makes it the best fit for temporary partner access.

Why this answer

A user delegation SAS is the correct choice because it uses Microsoft Entra ID credentials to sign the SAS token, providing temporary, delegated access to a specific container without exposing the storage account key. It supports granular permissions and an expiration time of up to 12 hours, meeting the partner's write access requirement while limiting access to the container only.

Exam trap

The trap here is that candidates often confuse Account SAS with user delegation SAS, not realizing that Account SAS is signed with the storage account key and thus fails the 'no key sharing' requirement, while user delegation SAS uses Microsoft Entra ID for secure, keyless delegation.

How to eliminate wrong answers

Option A is wrong because shared access key authentication requires sharing the storage account key, which violates the requirement to not share the key and does not provide temporary, granular access. Option B is wrong because an Account SAS is signed with the storage account key, which again requires sharing the key and does not leverage Microsoft Entra ID authentication. Option D is wrong because service endpoint access with network rules only controls network-level access via VNet/subnet restrictions, not identity-based authorization, and cannot grant temporary write access to a specific container without additional authentication.

872
MCQ (easy)

An administrator wants to send a virtual machine's guest logs to a central workspace so they can search them later with queries. Which configuration should be created on the VM or its resource provider first?

A. A role assignment at the subscription scope
B. A diagnostic setting
C. A private endpoint
D. A lock on the VM resource group
Answer: B

A diagnostic setting routes platform or guest log data from the resource to a destination such as a Log Analytics workspace.

Why this answer

A diagnostic setting is the correct configuration because it enables the streaming of guest OS logs (e.g., System, Application, Security event logs) from an Azure virtual machine to a Log Analytics workspace. This is done by installing the Azure Monitor Agent (AMA) or legacy Log Analytics agent on the VM and then configuring a data collection rule or diagnostic setting to specify which logs to send and the destination workspace. Without this setting, the VM's guest logs remain local and cannot be queried centrally.

Exam trap

The trap here is that candidates often confuse a diagnostic setting with a role assignment, thinking that granting permissions (RBAC) is the first step to enable log collection, but in reality, the diagnostic setting is the specific configuration that defines what logs to send and where.

How to eliminate wrong answers

Option A is wrong because a role assignment at the subscription scope controls permissions (RBAC) for who can manage resources, not the flow of log data from a VM to a workspace. Option C is wrong because a private endpoint provides a secure, private connection to Azure services over the Microsoft backbone network, but it does not configure log collection or forwarding from a VM's guest OS. Option D is wrong because a lock on the VM resource group prevents accidental deletion or modification of resources, but it has no effect on log ingestion or diagnostic configuration.

873
MCQ (medium)

A support engineer needs to restart only one virtual machine named VM-App01. The engineer must not gain access to any other VM, storage account, or network resource in the resource group. At which scope should you assign the required RBAC role?

A. At the management group scope that contains the subscription
B. At the specific virtual machine resource scope
C. At the resource group scope that contains the virtual machine
D. At the subscription scope that contains the resource group
Answer: B

A resource scope limits the permission to only VM-App01, which matches the least-privilege requirement.

Why this answer

Option B is correct because assigning the Virtual Machine Contributor role at the specific VM resource scope (VM-App01) grants the engineer permissions to restart only that VM, with no access to other VMs, storage accounts, or network resources in the same resource group. RBAC roles applied at a narrower scope (resource level) override broader scopes and limit permissions to that exact resource.

Exam trap

The trap here is that candidates often default to assigning roles at the resource group scope for simplicity, overlooking that this grants permissions to all resources in the group, not just the target VM.

How to eliminate wrong answers

Option A is wrong because assigning a role at the management group scope would grant permissions to all subscriptions and resources under that management group, far exceeding the requirement to restrict access to only one VM. Option C is wrong because assigning a role at the resource group scope would grant permissions to all resources within that resource group, including other VMs, storage accounts, and network resources, violating the constraint. Option D is wrong because assigning a role at the subscription scope would grant permissions to all resource groups and resources in the subscription, which is too broad and would include unintended access.

874
MCQ (medium)

Based on the exhibit, an administrator needs to recover one deleted configuration file from a running Azure VM without replacing the VM. Which restore option should be used?

A. Create a new VM from the recovery point so the deleted file returns with a clean operating system.
B. Restore disks and manually rebuild the VM afterward.
C. Use File Recovery to mount the recovery point and copy back the missing file.
D. Replace the existing VM immediately to recover only one file.
Answer: C

File Recovery is designed for restoring individual files from a backup without replacing the live VM. It lets the administrator mount the recovery point, copy back the deleted file, and leave production running normally.

Why this answer

Azure VM File Recovery (part of Azure Backup) allows you to mount a recovery point as a drive on a running VM, browse the file system, and copy specific files back without restoring the entire VM or disks. This is the only option that recovers a single deleted configuration file without replacing or rebuilding the VM.

Exam trap

The trap here is that candidates may think a full disk restore or VM rebuild is required for file-level recovery, but Azure Backup's File Recovery feature is specifically designed for granular file recovery from a VM backup without VM replacement.

How to eliminate wrong answers

Option A is wrong because creating a new VM from a recovery point would replace the existing VM entirely, not recover a single file, and would require reconfiguration and potential downtime. Option B is wrong because restoring disks and manually rebuilding the VM is a full disk-level restore that is overkill for a single file and involves significant manual effort and downtime. Option D is wrong because replacing the existing VM immediately is a drastic, unnecessary action that would cause full VM replacement and data loss for a single file recovery.

875
MCQ easy

An application on an Azure VM has outgrown its current CPU and memory. The administrator wants to increase compute capacity without rebuilding the application or changing the VM image. What should be done?

A. Resize the virtual machine to a larger size
B. Create a new snapshot of the OS disk
C. Move the VM to an availability set
D. Attach a data disk
Answer: A

Resizing the VM changes the amount of CPU, memory, and sometimes other capabilities assigned to the existing machine. This is the correct operational fix when the application needs more compute resources but does not need a new image or rebuild. It keeps the same VM and operating system while giving it more capacity. For an easy Azure administration scenario, this is the direct answer to a performance-capacity problem.

Why this answer

Resizing the VM to a larger size (Option A) directly increases the CPU and memory resources allocated to the VM without requiring any changes to the application or the underlying OS disk image. Azure allows you to change the VM size as long as the new size is available in the current hardware cluster and the VM is deallocated (stopped) first. This is the simplest and most appropriate method to scale up compute capacity while preserving the existing configuration and data.

Exam trap

The trap here is that candidates often confuse scaling compute resources with adding storage or improving availability, leading them to select options like attaching a data disk or moving to an availability set, which do not address CPU/memory constraints.

How to eliminate wrong answers

Option B is wrong because creating a new snapshot of the OS disk captures a point-in-time backup of the disk, but it does not increase the CPU or memory resources of the running VM. Option C is wrong because moving the VM to an availability set improves redundancy and fault tolerance by distributing VMs across fault domains, but it does not change the compute capacity (CPU/memory) of the individual VM. Option D is wrong because attaching a data disk adds additional storage capacity to the VM, not CPU or memory; it does not address the performance bottleneck caused by insufficient compute resources.

876
MCQ easy

A company hosts a stateless web application behind a load balancer. Traffic increases during the day and drops at night. The team wants Azure to automatically add or remove identical VM instances based on demand. What should the administrator deploy?

A. A single large virtual machine
B. A virtual machine scale set
C. An availability set
D. A managed image
Answer: B

A virtual machine scale set is designed for deploying and managing multiple identical VMs as a group. It supports autoscaling rules so Azure can add or remove instances based on metrics such as CPU usage or scheduled demand. This is the best fit for a stateless web workload with changing traffic.

Why this answer

A virtual machine scale set (VMSS) is the correct choice because it automatically manages a group of identical, load-balanced VMs and can scale out (add VMs) or scale in (remove VMs) based on demand metrics like CPU usage or a schedule. This matches the requirement for a stateless web application with variable traffic, as VMSS integrates with Azure Load Balancer or Application Gateway and supports autoscale rules to handle daytime spikes and nighttime drops without manual intervention.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability) with a scale set (which provides elasticity), leading them to pick Option C because they think 'automatic addition/removal' means fault tolerance, not scaling.

How to eliminate wrong answers

Option A is wrong because a single large virtual machine cannot scale horizontally; it only supports vertical scaling (resizing), which requires downtime and cannot automatically add or remove instances to handle variable traffic. Option C is wrong because an availability set is a logical grouping of VMs that protects against hardware failures and updates within a datacenter, but it does not provide autoscaling or load balancing capabilities. Option D is wrong because a managed image is a static snapshot of a VM's OS and data disks used to create identical VMs, but it is not a compute resource that can automatically scale or handle traffic; it is a deployment artifact, not a running service.

877
Multi-Select hard

An application in AppSubnet must access an Azure Storage account over the public endpoint, but only traffic from that subnet should be allowed, and the traffic should stay on the Microsoft backbone. The administrator does not want to create a private IP for the service. Which two actions should be taken? Select two.

Select 2 answers
A. Enable a service endpoint for Microsoft.Storage on AppSubnet.
B. Configure the storage account firewall to allow AppSubnet.
C. Create a private endpoint in AppSubnet.
D. Disable public network access on the storage account.
E. Assign a public IP address to the storage account.
Answers: A, B

A service endpoint extends the subnet identity to the storage service while still using the public endpoint path.

Why this answer

Enabling a service endpoint for Microsoft.Storage on AppSubnet (Option A) allows traffic from that subnet to reach the Azure Storage account over the Microsoft backbone, bypassing the public internet. This satisfies the requirement that traffic stays on the Microsoft backbone without needing a private IP for the service.

Exam trap

The trap here is confusing service endpoints (which use the public endpoint but keep traffic on the backbone) with private endpoints (which assign a private IP and require disabling public access), leading candidates to incorrectly select Option C or D.

878
Matching hard

A VM backup policy is being designed in a Recovery Services vault. Match each backup policy element to the behavior it controls.

Concepts
Matches

Defines when the backup job starts, such as daily at a specific time.

Defines how long recovery points remain available for restore.

Determines how the scheduled backup time is interpreted in the policy.

Keeps snapshot copies available for fast local restores before the vault copy completes.

Reusable object that combines schedule, retention, and related backup settings.

Why these pairings

A backup policy in a Recovery Services vault includes retention settings (how long to keep backups), schedule (when to back up), snapshot retention (for instant restores), policy type (Standard vs Enhanced), time zone, and frequency (daily/weekly).

879
MCQ easy

You need to deploy a new Ubuntu VM that automatically creates an app user and installs packages the first time it boots. Which approach should you use?

A. Use an availability set so the VM runs the initialization tasks during host placement.
B. Use cloud-init in the VM creation settings to perform first-boot configuration.
C. Use an Azure Policy assignment to install the packages after deployment.
D. Use a managed disk snapshot and attach it to the VM after deployment.
Answer: B

Cloud-init is the standard Linux initialization method for automating first boot tasks. It can create users, install packages, write files, and run commands as the VM starts. This makes it a good fit when you want the operating system to configure itself without needing to sign in afterward or run a separate manual script.

Why this answer

B is correct because cloud-init is the standard, native mechanism for performing first-boot configuration on Linux VMs in Azure. It allows you to inject a configuration file (e.g., YAML or shell script) during VM creation that automatically creates users, installs packages, and runs custom commands on the first boot, without requiring any post-deployment scripts or manual intervention.

Exam trap

The trap here is that candidates confuse Azure Policy (a governance tool) with a configuration management tool like cloud-init or Desired State Configuration (DSC), assuming Policy can execute scripts inside a VM when it only enforces resource-level rules.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping of VMs to protect against rack-level failures and planned maintenance; it does not execute initialization tasks or run any code. Option C is wrong because Azure Policy is a governance tool used to enforce compliance rules (e.g., allowed VM sizes, tagging) across resources; it cannot install packages or run scripts inside a VM. Option D is wrong because a managed disk snapshot is a point-in-time copy of a disk used for backup or cloning; attaching it after deployment does not trigger first-boot configuration or package installation.

880
MCQ medium

An application subnet has an NSG outbound rule Deny-HTTPS at priority 200 for TCP 443 to Any. A second outbound rule Allow-HTTPS-API at priority 300 permits TCP 443 from ASG-Web to ASG-Api. Web servers can reach other ports but not the API. What change should the administrator make?

A. Delete the deny rule so the allow rule can be evaluated.
B. Change the allow rule to a higher priority than 200, such as 100.
C. Change the destination from ASG-Api to the entire subnet address range.
D. Change the protocol from TCP to Any so the rule matches more traffic.
Answer: B

NSGs process the lowest priority number first. Moving the allow rule above the deny rule permits the traffic.

Why this answer

Option B is correct because NSG rules are evaluated in priority order, with lower numbers having higher precedence. The Deny-HTTPS rule at priority 200 blocks all outbound TCP 443 traffic, including traffic from ASG-Web to ASG-Api. To allow the specific traffic, the Allow-HTTPS-API rule must have a lower priority number (e.g., 100) so it is evaluated before the deny rule, permitting the desired traffic while the deny rule still blocks other outbound HTTPS traffic.

Exam trap

The trap here is that candidates often assume more specific rules (like those using application security groups) are evaluated before general deny rules, but in Azure NSGs, priority numbers alone determine evaluation order, not specificity.

How to eliminate wrong answers

Option A is wrong because deleting the deny rule would allow all outbound HTTPS traffic, which is overly permissive and not the intended change; the allow rule is never evaluated because the deny rule with a lower priority number (200) is processed first. Option C is wrong because changing the destination to the entire subnet address range would not resolve the priority issue; the allow rule would still be evaluated after the deny rule and thus never matched. Option D is wrong because changing the protocol to Any would make the rule match more traffic, but it does not change the priority order; the deny rule at priority 200 would still block the traffic before the allow rule at priority 300 is evaluated.
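The priority-ordered, first-match evaluation described above, as an added example (not part of the question bank): the two custom rules are taken from the question, while the NIC names, ASG membership and the simplified default outbound rules are constructed. It shows why Option B works and why Option D does not.

```python
"""Azure NSG outbound rule evaluation for the Deny-HTTPS / Allow-HTTPS-API scenario.

Added example, not part of the question bank. The two custom rules come from
the question; ASG membership, NIC names and the simplified default outbound
rules (priorities 65000/65001/65500, as Azure creates them) are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated first (100 to 4096 for custom rules)
    access: str        # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP" or "Any"
    dest_port: str     # e.g. "443", or "*" for any port
    source: str        # ASG name, "VirtualNetwork" or "*"
    destination: str   # ASG name, "VirtualNetwork", "Internet" or "*"


# Constructed ASG membership (ASG name -> NICs). In Azure this is set on the NIC.
ASG_MEMBERS = {
    "ASG-Web": {"web01", "web02"},
    "ASG-Api": {"api01"},
}

# Azure's default outbound rules, simplified: every NIC here is inside the VNet.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "Any", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Allow", "Any", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Deny", "Any", "*", "*", "*"),
]


def _endpoint_matches(selector: str, nic: str) -> bool:
    """A selector covers a NIC if it is a wildcard, the VNet tag, or an ASG the NIC is in."""
    if selector in ("*", "VirtualNetwork"):
        return True
    return nic in ASG_MEMBERS.get(selector, set())


def _rule_matches(rule: Rule, src_nic: str, dst_nic: str, protocol: str, port: int) -> bool:
    proto_ok = rule.protocol in ("Any", protocol)
    port_ok = rule.dest_port in ("*", str(port))
    return (proto_ok and port_ok
            and _endpoint_matches(rule.source, src_nic)
            and _endpoint_matches(rule.destination, dst_nic))


def evaluate(rules: List[Rule], src_nic: str, dst_nic: str, protocol: str, port: int) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule, lowest priority number first.

    Specificity (an ASG-scoped rule vs. a wildcard rule) plays no part: once a
    rule matches, evaluation stops, which is what the NSG engine does.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if _rule_matches(rule, src_nic, dst_nic, protocol, port):
            return rule.access, rule.name
    raise RuntimeError("no rule matched; DenyAllOutBound should always match")


DENY_HTTPS = Rule("Deny-HTTPS", 200, "Deny", "TCP", "443", "*", "*")


def broken_rules() -> List[Rule]:
    """The NSG as described in the question: the allow rule sits below the deny rule."""
    return DEFAULT_OUTBOUND + [
        DENY_HTTPS,
        Rule("Allow-HTTPS-API", 300, "Allow", "TCP", "443", "ASG-Web", "ASG-Api"),
    ]


def fixed_rules() -> List[Rule]:
    """Option B: move the allow rule to priority 100 so it is evaluated before the deny."""
    return DEFAULT_OUTBOUND + [
        DENY_HTTPS,
        Rule("Allow-HTTPS-API", 100, "Allow", "TCP", "443", "ASG-Web", "ASG-Api"),
    ]


def option_d_rules() -> List[Rule]:
    """Option D: widen the protocol to Any but keep priority 300; still never reached."""
    return DEFAULT_OUTBOUND + [
        DENY_HTTPS,
        Rule("Allow-HTTPS-API", 300, "Allow", "Any", "443", "ASG-Web", "ASG-Api"),
    ]


if __name__ == "__main__":
    for label, rules in (("before", broken_rules()), ("option D", option_d_rules()), ("option B", fixed_rules())):
        print(label, "web01 -> api01 TCP/443:", evaluate(rules, "web01", "api01", "TCP", 443))
    print("option B web01 -> api01 TCP/80:", evaluate(fixed_rules(), "web01", "api01", "TCP", 80))
    print("option B api01 -> web01 TCP/443:", evaluate(fixed_rules(), "api01", "web01", "TCP", 443))
```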

881
MCQ medium

You need to let a junior administrator manage virtual machines only in the RG-Dev resource group. The administrator must not be able to change role assignments or manage other resource groups. Which role assignment should you use?

A. Owner at the RG-Dev scope
B. Virtual Machine Contributor at the RG-Dev scope
C. Reader at the subscription scope
D. Contributor at the subscription scope
Answer: B

This limits VM management to the target resource group without broader subscription access.

Why this answer

The Virtual Machine Contributor role at the RG-Dev scope grants the junior administrator full permissions to manage virtual machines (including start, stop, restart, delete, and modify VM configurations) but does not include the ability to manage role assignments (RBAC), and because it is assigned only at RG-Dev it grants no access to other resource groups. This aligns with the principle of least privilege, ensuring the administrator can perform their required tasks without exceeding their authority.

Exam trap

The trap here is that candidates often confuse the Contributor role (which includes RBAC write permissions) with the Virtual Machine Contributor role, or they incorrectly assume that a subscription-scope role can be restricted by the administrator's intent, but Azure RBAC does not support implicit scoping—permissions are granted exactly at the assigned scope.

How to eliminate wrong answers

Option A is wrong because the Owner role at the RG-Dev scope includes the ability to manage role assignments (Microsoft.Authorization/roleAssignments/write), which would allow the junior administrator to grant themselves or others elevated permissions, violating the requirement to not change role assignments. Option C is wrong because the Reader role at the subscription scope provides read-only access to all resources in the subscription, including RG-Dev, but does not grant any write permissions to manage virtual machines, so the administrator cannot perform management tasks. Option D is wrong because the Contributor role at the subscription scope grants full management permissions over all resources in the entire subscription, including other resource groups, and also includes the ability to manage role assignments (Microsoft.Authorization/roleAssignments/write), which violates both constraints.

882
Multi-Select easy

A company wants a single storage account for blob containers, Azure Files shares, and blob lifecycle management rules. Which two statements about the required account are true? Select two.

Select 2 answers
A. It should be a general-purpose v2 storage account.
B. It can host both blob containers and Azure Files shares.
C. It must be a premium block blob account.
D. It cannot use lifecycle management on blobs.
E. It can store only one type of Azure Storage data service at a time.
Answers: A, B

General-purpose v2 is the standard choice for combined blob and file workloads and supports the modern storage features the company needs.

Why this answer

A general-purpose v2 (GPv2) storage account is required because it is the only account type that supports all Azure Storage data services—including blob containers and Azure Files—and also provides full support for blob lifecycle management policies. GPv2 accounts offer the lowest per-gigabyte storage prices for blobs and enable you to define rules to automatically tier or delete blobs based on age or other conditions.

Exam trap

The trap here is that candidates often assume premium storage accounts are required for performance or that a storage account can only host one service type, but GPv2 accounts are the universal choice for mixed workloads and lifecycle management.

883
Matching hard

A team manages a production VM and its supporting storage account. Match each operational requirement to the Azure Monitor component that should be configured.

Concepts
Matches

Metric alert rule

Action group

Diagnostic setting

Activity log alert

Log Analytics workspace

Why these pairings

Azure Monitor Metrics stores numerical performance data, Log Analytics enables KQL queries, Alerts notify on conditions, Workbooks provide dashboards, the Azure Monitor Agent collects guest OS logs, and Storage analytics logs capture storage access data.

884
Multi-Select medium

A subscription must block creation of resources in any region except East US and West US, and the security team also wants a nonblocking report of existing resources that are missing a CostCenter tag. Which two Azure Policy effects should you use? Select two.

Select 2 answers
A. Deny
B. Audit
C. Modify
D. DeployIfNotExists
E. Disabled
Answers: A, B

Deny is the correct enforcement effect when you want Azure to stop noncompliant deployments, such as resources created outside the approved regions.

Why this answer

Deny is correct because it actively blocks resource creation in regions outside East US and West US by evaluating the location property against an allowed list and rejecting non-compliant requests at deployment time. Audit is correct because it logs a compliance event for existing resources missing the CostCenter tag without blocking any operations, providing a nonblocking report for the security team.

Exam trap

The trap here is that candidates often confuse Audit (which only reports) with DeployIfNotExists or Modify (which actively remediate), leading them to select a remediation effect when the question explicitly asks for a nonblocking report.

885
MCQ medium

Based on the exhibit, which Azure feature best meets the file-sharing requirement?

A. Azure Files only, because a cloud file share can replace every branch server share directly.
B. Azure File Sync, because it synchronizes local servers with a central Azure file share and keeps hot data cached.
C. Azure Backup, because it can restore files after a WAN outage occurs.
D. Azure NetApp Files, because it is the only service that supports SMB access from Windows servers.
Answer: B

Azure File Sync is designed for exactly this pattern. It keeps a central Azure file share while allowing local Windows Server endpoints to cache and serve frequently used files. That means branch offices can continue working during WAN interruptions, and the files later synchronize back to the cloud.

Why this answer

Azure File Sync is the correct choice because it enables hybrid file sharing by synchronizing on-premises Windows file servers with a central Azure file share, while also keeping frequently accessed (hot) data cached locally for low-latency access. This directly meets the requirement to replace branch server shares with a cloud-backed solution that maintains local performance.

Exam trap

The trap here is that candidates often confuse Azure Files (a standalone cloud file share) with Azure File Sync (a hybrid synchronization service), mistakenly thinking a cloud-only share can replace on-premises shares without addressing latency or caching needs.

How to eliminate wrong answers

Option A is wrong because Azure Files alone provides a cloud file share accessible via SMB, but it does not include local caching or synchronization with on-premises servers, so it cannot directly replace branch server shares without introducing latency for remote offices. Option C is wrong because Azure Backup is a backup and restore service, not a file-sharing or synchronization solution; it cannot provide real-time file access or replace branch server shares. Option D is wrong because Azure NetApp Files supports SMB access from Windows servers, but it is not the only service that does so (Azure Files also supports SMB), and it is designed for high-performance enterprise workloads rather than branch office file sharing with local caching.

886
Multi-Select medium

An administrator wants to deploy the same set of Azure VMs every sprint from source control and make code reviews capture every infrastructure change. Which three approaches meet this requirement? Select three.

Select 3 answers
A. Store a Bicep file in source control and use it as the deployment definition.
B. Store an ARM template JSON file in source control and deploy that template consistently.
C. Use Azure PowerShell or Azure CLI to deploy the checked-in template from the repository.
D. Create the VMs manually in the Azure portal each sprint and document the clicks afterward.
E. Export the resources after deployment and treat the export as the only authoritative source.
Answers: A, B, C

Bicep is a declarative infrastructure-as-code language that works well with source control and code review. It makes the deployment definition readable, repeatable, and versioned alongside application code.

Why this answer

Option A is correct because Bicep is a domain-specific language (DSL) for deploying Azure resources declaratively. Storing a Bicep file in source control allows you to version infrastructure as code, and code reviews can capture every change before deployment, ensuring consistency across sprints.

Exam trap

The trap here is that candidates may think exporting resources after deployment (Option E) is a valid IaC approach, but it produces a one-time snapshot that lacks idempotency and cannot be used for consistent, reviewable deployments across sprints.

887
Multi-Select medium

The service desk needs to add and remove users from a support group that grants access to an internal application, but the service desk must not receive Azure subscription permissions. Which two actions should you take? Select two.

Select 2 answers
A. Create a security group in Microsoft Entra ID for the application access.
B. Add the service desk staff as owners of that group.
C. Assign the service desk staff Contributor on the subscription.
D. Convert the service desk staff into guest users in the tenant.
E. Add the service desk staff as members only, without ownership.
Answers: A, B

Security groups are the standard Entra ID container for access management. They let you grant permissions once and control membership centrally, which is ideal for a support team that will add and remove users often.

Why this answer

Option A is correct because creating a security group in Microsoft Entra ID (formerly Azure AD) allows you to manage access to the internal application without granting any Azure subscription permissions. The service desk can then add or remove users from this group, and the application's access control can be configured to rely on group membership, ensuring the service desk staff never receive Azure RBAC roles.

Exam trap

The trap here is that candidates often confuse Azure RBAC roles (like Contributor) with Microsoft Entra ID directory roles or group ownership, mistakenly thinking that managing group membership requires subscription-level permissions.

888
MCQ medium

Based on the exhibit, which identity should be enabled on the VM so the application can access Azure Blob Storage and the identity disappears when the VM is deleted?

A. System-assigned managed identity
B. User-assigned managed identity
C. Storage account shared key
D. SAS token stored in a startup script
Answer: A

A system-assigned managed identity is tied directly to one Azure resource, such as a VM. It is created and removed with the VM, which matches the requirement that the identity disappear automatically when the VM is deleted. The application can use the identity to request tokens for Blob Storage without storing secrets in code or configuration.

Why this answer

A system-assigned managed identity is tied directly to the lifecycle of the Azure VM — when the VM is deleted, the identity is automatically removed. It can be granted access to Azure Blob Storage via Azure RBAC, allowing the application to authenticate without storing credentials. This matches the requirement for an identity that disappears with the VM.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities (which persist independently) with system-assigned managed identities (which are tied to the VM lifecycle), leading them to select the wrong option when the question explicitly requires the identity to disappear with the VM.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity has an independent lifecycle from the VM; it persists even after the VM is deleted unless explicitly removed. Option C is wrong because a storage account shared key is a static credential that does not disappear when the VM is deleted and introduces security risks if leaked. Option D is wrong because a SAS token stored in a startup script is a static credential that remains in the script or disk even after VM deletion, and it does not automatically disappear with the VM.

889
MCQ medium

The team accidentally stopped protection for a VM and deleted its backup data. They want Azure Backup to keep deleted backup items recoverable for a grace period so the item can be undeleted if needed. Which vault feature should be enabled?

A. Instant restore
B. Soft delete
C. A new backup policy
D. A private endpoint for the vault
Answer: B

Soft delete keeps removed backup items in a recoverable state for a retention period after deletion or after protection is stopped. That gives administrators a safety window to reverse accidental deletion and prevents immediate permanent loss of backup data. It is the right protection setting for accidental removal scenarios in Recovery Services vaults.

Why this answer

Soft delete is the correct feature because it provides a grace period (default 14 days) during which deleted backup data is retained in a soft-deleted state. This allows administrators to recover (undelete) backup items that were accidentally deleted, including cases where protection was stopped and data was removed. Without soft delete, deleted backup data is permanently purged and cannot be recovered.

Exam trap

The trap here is that candidates confuse 'soft delete' with 'instant restore' because both involve retention of backup data, but instant restore only affects recovery point snapshots, not the ability to recover deleted items after protection is stopped.

How to eliminate wrong answers

Option A is wrong because Instant Restore controls the retention of recovery points for immediate restoration (typically snapshots kept for 1-5 days), not the ability to recover deleted backup items after deletion. Option C is wrong because a new backup policy defines backup frequency and retention rules for active backups, but does not provide any recovery mechanism for already deleted backup data. Option D is wrong because a private endpoint for the vault enables secure network access via Azure Private Link, but has no effect on data recovery after deletion.

890
MCQ medium

A storage account must be reachable only from one subnet. The team does not want to deploy a private endpoint or manage private DNS zones, and they accept that the storage account will continue to use its public endpoint. Which feature should be configured on the subnet?

A. A private endpoint for the storage account
B. A service endpoint for Microsoft.Storage
C. A route table with a default route to the storage account
D. An application security group containing the subnet
Answer: B

A service endpoint allows the selected subnet to access the storage service over the Azure backbone while the service keeps its public endpoint. It fits the requirement to avoid private DNS and private IP deployment.

Why this answer

Option B is correct because a service endpoint for Microsoft.Storage allows a subnet to restrict access to a storage account's public endpoint without deploying a private endpoint or managing private DNS zones. When enabled, Azure adds the subnet's identity to traffic from that subnet, and the storage account's firewall can be configured to allow only that specific subnet, keeping the public endpoint active.

Exam trap

The trap here is that candidates may confuse service endpoints with private endpoints, assuming that restricting access to a subnet requires a private IP, when service endpoints achieve the same goal using the public endpoint with subnet-level firewall rules.

How to eliminate wrong answers

Option A is wrong because a private endpoint requires deploying a private IP in the virtual network and managing private DNS zones, which the team explicitly wants to avoid. Option C is wrong because a route table with a default route (0.0.0.0/0) to the storage account would force all internet-bound traffic through a network virtual appliance or similar, but it does not restrict access to the storage account from only one subnet; it affects routing, not access control. Option D is wrong because an application security group (ASG) is used to group virtual machines for network security group (NSG) rules, not to restrict access to a PaaS service like a storage account from a subnet.

891
MCQ hard

A subnet has a user-defined route for 10.0.0.0/8 with next hop Virtual appliance 10.1.1.4. The VNet is peered with VNet-Shared, whose address space is 10.12.0.0/16. A VM in the subnet sends traffic to 10.12.4.25. Which next hop will Azure use?

A. Virtual appliance 10.1.1.4, because the user-defined route controls all 10.x.x.x traffic.
B. Internet, because traffic not explicitly matched by the UDR leaves through the default route.
C. None, because Azure cannot route to peered VNets when a UDR exists on the subnet.
D. VNet peering, because the peered VNet prefix is more specific than the broader UDR.
Answer: D

Azure uses longest-prefix match first. The peered VNet has a /16 route to 10.12.4.25, while the UDR only matches 10.0.0.0/8. The /16 system route is more specific, so the packet follows VNet peering rather than the virtual appliance. This is a common design trap when administrators expect every UDR to override all other routes.

Why this answer

Azure uses the most specific matching route to determine next hop. The user-defined route (UDR) for 10.0.0.0/8 has a broader prefix length (/8) than the VNet peering route for 10.12.0.0/16 (/16). Since 10.12.4.25 falls within the peered VNet's address space, the more specific /16 route from VNet peering takes precedence over the UDR, directing traffic through the peering connection.

Exam trap

The trap here is that candidates assume a user-defined route for a broad range (like 10.0.0.0/8) overrides all traffic to that range, forgetting that Azure's longest prefix match rule gives precedence to more specific routes, such as those from VNet peering.

How to eliminate wrong answers

Option A is wrong because Azure uses longest prefix match (most specific route), not the broadest; the UDR's /8 is less specific than the peering route's /16 for the destination 10.12.4.25. Option B is wrong because the default route (0.0.0.0/0) only applies when no other route matches; here, the peering route matches and is more specific than the UDR. Option C is wrong because Azure can route to peered VNets even when a UDR exists; the UDR does not block peering—it simply competes based on prefix specificity.
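The longest-prefix-match selection described above, as an added example (not part of the question bank): the UDR and the peered VNet-Shared prefix are taken from the question, the local VNet address space 10.1.0.0/16 is a constructed assumption, and the equal-length tie-break (user-defined beats BGP beats system) goes slightly beyond the question to show when a UDR does override a peering route.

```python
"""Azure route selection (longest prefix match) for the UDR vs VNet peering scenario.

Added example, not part of the question bank. The UDR (10.0.0.0/8 via virtual
appliance 10.1.1.4) and the peered VNet-Shared prefix (10.12.0.0/16) come from
the question. The local VNet address space 10.1.0.0/16 is a constructed
assumption, and the 0.0.0.0/0 Internet route is Azure's system default route.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str          # VirtualNetwork, VNetPeering, VirtualAppliance, Internet, ...
    next_hop_ip: Optional[str]  # only set for VirtualAppliance
    source: str                 # "User" (UDR), "BGP", or "Default" (system route)


# Azure's tie-break when several routes share the same prefix length.
SOURCE_PRECEDENCE = {"User": 0, "BGP": 1, "Default": 2}

SUBNET_ROUTES = [
    Route("10.1.0.0/16", "VirtualNetwork", None, "Default"),      # local VNet (constructed)
    Route("10.12.0.0/16", "VNetPeering", None, "Default"),        # system route added by peering
    Route("0.0.0.0/0", "Internet", None, "Default"),              # system default route
    Route("10.0.0.0/8", "VirtualAppliance", "10.1.1.4", "User"),  # the UDR from the question
]


def matching_routes(routes: List[Route], destination: str) -> List[Route]:
    """All routes whose prefix contains the destination, best match first."""
    dst = ipaddress.ip_address(destination)
    hits = [r for r in routes if dst in ipaddress.ip_network(r.prefix, strict=False)]
    # Longest prefix first; among equal lengths, User beats BGP beats Default.
    hits.sort(key=lambda r: (-ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                             SOURCE_PRECEDENCE[r.source]))
    return hits


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """The route Azure would use for this destination, or None if nothing matches."""
    hits = matching_routes(routes, destination)
    return hits[0] if hits else None


def next_hop(routes: List[Route], destination: str) -> str:
    """Readable next hop, e.g. 'VNetPeering' or 'VirtualAppliance 10.1.1.4'."""
    r = select_route(routes, destination)
    if r is None:
        return "None"
    return f"{r.next_hop_type} {r.next_hop_ip}" if r.next_hop_ip else r.next_hop_type


if __name__ == "__main__":
    for dest in ("10.12.4.25", "10.200.1.1", "10.1.0.10", "8.8.8.8"):
        print(dest, "->", next_hop(SUBNET_ROUTES, dest))
```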

892
MCQ hard

You need to allow recovery of previous versions of files stored in an Azure file share after accidental modification or deletion. Which feature should you configure?

A. Blob versioning
B. Share snapshots for Azure Files
C. A shared access signature
D. Storage account failover
Answer: B

Share snapshots enable point-in-time recovery for Azure file shares.

Why this answer

Share snapshots for Azure Files capture point-in-time, read-only copies of the file share, allowing you to recover previous versions of files after accidental modification or deletion. This feature is specifically designed for Azure file shares, not for blobs, and does not require any additional infrastructure.

Exam trap

The trap here is that candidates confuse Blob versioning (which is for Azure Blob Storage) with share snapshots for Azure Files, as both provide versioning-like capabilities, but they apply to different storage services and have distinct implementations.

How to eliminate wrong answers

Option A is wrong because Blob versioning is a feature for Azure Blob Storage, not for Azure Files; it automatically retains previous versions of blobs but cannot be applied to file shares. Option C is wrong because a shared access signature (SAS) provides delegated access to storage resources but does not create or restore previous versions of files; it is a security token, not a recovery mechanism. Option D is wrong because Storage account failover is a disaster recovery feature that switches the primary region to a secondary region in the event of a regional outage; it does not provide point-in-time recovery for individual files.

893
Multi-Selecthard

A developer has the Contributor role on a resource group and tries to deploy a Windows VM with a public IP address. The deployment fails, even though the role assignment is active. Which two checks should you perform first to confirm why the deployment failed? Select two.

Select 2 answers
A.Review Azure Policy assignments at the subscription or management group for deny or modify effects on public IP resources.
B.Verify the Contributor role is assigned at the resource group or a higher scope for the target deployment resources.
C.Check for a CanNotDelete lock on the resource group because that lock blocks all deployments.
D.Confirm that the VM size is available in the region because size availability is the most common authorization issue.
E.Inspect whether tags are inherited from the subscription because tag inheritance can deny a deployment request.
AnswersA, B

Policy can block creation even when RBAC allows the action, so the assignment and effect must be checked first.

Why this answer

Option A is correct because Azure Policy is enforced independently of RBAC. Even when the Contributor role grants the developer permission to create the resources, Azure Resource Manager evaluates policy after the RBAC authorization check succeeds, and a policy with a deny effect on public IP address resources (or a modify effect that rewrites the request) assigned at the subscription or management group scope can reject the deployment. Option B is correct because a role assignment authorizes actions only within its scope: a Contributor assignment on a different resource group, or on a single resource inside the target group, does not authorize creating new resources in the target resource group, so confirming the assignment scope is a quick first check before escalating.

Exam trap

The trap here is that candidates often assume the Contributor role is sufficient for any deployment, overlooking that Azure Policy is enforced regardless of RBAC permissions, and that they confuse CanNotDelete locks (which block only deletion) with ReadOnly locks (which do block creates and updates within the locked scope).

How to eliminate wrong answers

Option C is wrong because a CanNotDelete lock prevents only delete operations; resources can still be created and updated under it, so it cannot explain a failed deployment. Option D is wrong because VM size availability is a capacity and SKU question, not an authorization issue; an unavailable size fails with a SKU availability error rather than a policy or permission denial. Option E is wrong because tags are not inherited from the subscription by default, and tag inheritance never denies a request; only a policy effect or a missing permission does.

894
MCQmedium

A VM has both a default route from a VPN gateway and a user-defined route to an on-premises firewall. Traffic is still not reaching the expected next hop. The administrator wants to see the exact routes currently applied to the VM NIC. Which tool should be used?

A.Effective routes
B.IP flow verify
C.Packet capture
D.Connection troubleshoot
AnswerA

Effective routes show the actual routing table that Azure applies to a VM NIC, including system routes, UDRs, and routes learned from gateways. This is the best way to verify which next hop will be used after route selection logic is applied. It is especially helpful when a VPN gateway, UDR, or default Azure route creates an unexpected path and the administrator needs the exact active result rather than the intended configuration.

Why this answer

Effective routes is the correct tool because it displays the actual, consolidated routing table applied to a specific network interface, including user-defined routes (UDRs), BGP routes from the VPN gateway, and system default routes. When traffic fails to reach the expected next hop despite having both a VPN default route and a UDR, the administrator must verify which route is actually active and has the highest priority (based on prefix length and route preference). Effective routes shows the exact next-hop IP and route source for each prefix, allowing the administrator to confirm whether the UDR to the on-premises firewall is being honored or overridden.

Exam trap

The trap here is that candidates often confuse 'IP flow verify' (which tests connectivity) with 'Effective routes' (which shows the routing table), leading them to choose IP flow verify when the real need is to inspect the actual route selection logic applied to the NIC.

How to eliminate wrong answers

Option B (IP flow verify) is wrong because it tests connectivity by simulating a packet flow between source and destination IPs/ports, but it does not display the full routing table or the exact routes applied to the NIC. Option C (Packet capture) is wrong because it captures raw network traffic at the NIC level for deep packet inspection, but it does not show the routing table or the next-hop decisions made by the Azure platform. Option D (Connection troubleshoot) is wrong because it performs end-to-end connectivity checks and latency diagnostics, but it does not enumerate the effective routes or the specific next-hop configuration on the NIC.
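
The two routing questions above (the /8 UDR that loses to a /16 peering route, and the VPN gateway default route competing with a UDR to a firewall) both come down to the same selection rule that Effective routes reports the result of. The following is an added example, not code from the question bank: a small Python model of that rule, longest prefix match first and, only on equal prefix length, user-defined before BGP-learned before system routes. The route tables, addresses and next-hop IP are constructed.

```python
"""Model of Azure route selection (added example; constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Tie-break order for routes with the SAME prefix length. The source names
# match what the effective route table reports for each route.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str             # e.g. "10.12.0.0/16"
    next_hop_type: str      # e.g. "VNetPeering", "VirtualAppliance", "Internet"
    source: str             # "User" (UDR), "VirtualNetworkGateway" (BGP), "Default" (system)
    next_hop_ip: Optional[str] = None


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the route that would be applied for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix first (negated so min() picks the largest), then source rank.
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]),
    )


# Constructed table for the /8 UDR vs /16 peering case.
PEERING_CASE = [
    Route("10.11.0.0/16", "VirtualNetwork", "Default"),             # own VNet address space
    Route("10.12.0.0/16", "VNetPeering", "Default"),                # peered VNet
    Route("0.0.0.0/0", "Internet", "Default"),                      # system default route
    Route("10.0.0.0/8", "VirtualAppliance", "User", "10.11.1.4"),   # UDR to a firewall
]

# Constructed table for the gateway default route vs UDR-to-firewall case.
GATEWAY_CASE = [
    Route("10.11.0.0/16", "VirtualNetwork", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
    Route("0.0.0.0/0", "VirtualNetworkGateway", "VirtualNetworkGateway"),  # BGP-learned default
    Route("0.0.0.0/0", "VirtualAppliance", "User", "10.11.1.4"),            # UDR to the firewall
]


if __name__ == "__main__":
    for table, dst in ((PEERING_CASE, "10.12.4.25"), (PEERING_CASE, "10.50.1.1"),
                       (PEERING_CASE, "198.51.100.10"), (GATEWAY_CASE, "198.51.100.10")):
        r = select_route(table, dst)
        print(f"{dst:>14} -> {r.prefix:<14} {r.next_hop_type} ({r.source})")
```

For 10.12.4.25 the /16 peering route wins over the /8 UDR purely on prefix length; for the gateway case all three default routes share the /0 prefix, so the UDR beats the BGP-learned route, which in turn beats the system Internet route. That ordering is exactly what Effective routes shows, and it is also why a BGP default route reappears as the active path the moment the UDR is removed.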

895
MCQmedium

An Azure Automation account runs PowerShell runbooks that must authenticate to Azure resources without embedded secrets. The automation account is recreated periodically during deployment, and the identity must continue to work after recreation without reissuing credentials. Which identity should you use?

A.A system-assigned managed identity.
B.A user-assigned managed identity.
C.A service principal with a client secret stored in Key Vault.
D.A shared access signature token.
AnswerB

This identity exists independently of the Automation account and survives recreation.

Why this answer

A user-assigned managed identity (B) is the correct choice because it is an independent Azure resource that persists even when the Automation account is recreated. Unlike a system-assigned managed identity, which is tied to the lifecycle of the Automation account and is deleted when the account is deleted, a user-assigned managed identity can be reassigned to the new Automation account after recreation without requiring new credentials. This allows the runbooks to authenticate seamlessly using the same identity, avoiding embedded secrets.

Exam trap

The trap here is that candidates often assume a system-assigned managed identity is simpler and sufficient, but they overlook that it is deleted with the resource, making it unsuitable for scenarios where the resource is recreated and identity continuity is required.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of the Automation account; when the account is recreated, the old identity is deleted and a new one is created, breaking the authentication continuity. Option C is wrong because a service principal with a client secret stored in Key Vault still requires managing a secret, which violates the requirement of no embedded secrets and introduces credential rotation overhead. Option D is wrong because a shared access signature (SAS) token is a time-limited, resource-specific token used for Azure Storage access, not for authenticating runbooks to Azure resources, and it must be embedded or stored, contradicting the no-secrets requirement.

896
MCQeasy

A contractor needs temporary read-only access to a single blob container for three hours. The contractor does not have an Azure user account in your tenant. Which method is the best fit?

A.Create a new managed identity for the contractor
B.Give the contractor the storage account access key
C.Issue a shared access signature with read-only permissions and an expiration time
D.Enable anonymous public access on the container
AnswerC

A SAS token can grant limited access to one container for a specific time period. That makes it a good fit for temporary external access without exposing the storage account key.

Why this answer

A shared access signature (SAS) is the best fit because it provides time-limited, delegated access to a specific resource (a blob container) without requiring an Azure AD identity. The contractor can use the SAS URL to access the container with read-only permissions for exactly three hours, after which the token expires automatically. This meets the requirement of temporary access for an external user who does not have an Azure account in your tenant.

Exam trap

The trap here is that candidates may confuse managed identities (designed for Azure resources, not external users) with user accounts, or mistakenly think that sharing the account key is acceptable for temporary access, overlooking the severe security risk and lack of scoping.

How to eliminate wrong answers

Option A is wrong because a managed identity is an Azure AD identity for Azure resources (like VMs or App Services), not for external users; it cannot be assigned to a contractor who lacks an Azure user account. Option B is wrong because sharing the storage account access key grants full administrative access (read, write, delete) to all services in the storage account, violating the principle of least privilege and the need for read-only, container-scoped access. Option D is wrong because enabling anonymous public access on the container would allow anyone on the internet to read the blob data indefinitely, with no time restriction or authentication, which is insecure and does not meet the three-hour temporary requirement.
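
The following is an added example, not code from the question bank: it mints a read-only, container-scoped service SAS that expires three hours after its start time, then runs the token through a least-privilege check of the kind a reviewer would apply before the URL is handed to the contractor. The account name, container and key are constructed placeholders (the key is not a real Azure key). The string-to-sign layout follows the documented service SAS format for version 2020-12-06; confirm it against your SDK's output before relying on it.

```python
"""Read-only container SAS plus a pre-issue policy check (added example; constructed data)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import List
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ACCOUNT = "contosostorage"                                  # constructed
ACCOUNT_KEY = base64.b64encode(b"\x01" * 64).decode()       # constructed, NOT a real key


def _parse_iso(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def container_read_sas(account: str, key_b64: str, container: str,
                       start_iso: str, hours: int = 3) -> str:
    """Return the SAS query string (without the leading '?') for read-only container access."""
    start = _parse_iso(start_iso)
    params = {
        "sp": "r",                              # permissions: read only
        "st": start.strftime(TIME_FMT),
        "se": (start + timedelta(hours=hours)).strftime(TIME_FMT),
        "spr": "https",                         # HTTPS only
        "sv": SAS_VERSION,
        "sr": "c",                              # resource: one container
    }
    # Service SAS string-to-sign, version 2020-12-06 field order.
    string_to_sign = "\n".join([
        params["sp"], params["st"], params["se"],
        f"/blob/{account}/{container}",         # canonicalized resource
        "",                                     # signed identifier (no stored access policy)
        "",                                     # signed IP range
        params["spr"], params["sv"], params["sr"],
        "",                                     # signed snapshot time
        "",                                     # signed encryption scope
        "", "", "", "", "",                     # rscc, rscd, rsce, rscl, rsct header overrides
    ])
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    params["sig"] = base64.b64encode(digest).decode()
    return urlencode(params)


def check_contractor_sas(sas_query: str, now_iso: str, max_hours: int = 3) -> List[str]:
    """Return policy violations for a token meant for short-lived external read access."""
    q = {k: v[0] for k, v in parse_qs(sas_query, keep_blank_values=True).items()}
    problems = []
    if q.get("sp") != "r":
        problems.append(f"permissions must be read-only, got {q.get('sp')!r}")
    if q.get("sr") != "c":
        problems.append(f"resource must be a single container, got {q.get('sr')!r}")
    if q.get("spr") != "https":
        problems.append("token must be HTTPS-only")
    if "se" not in q:
        problems.append("token has no expiry")
    elif _parse_iso(q["se"]) - _parse_iso(now_iso) > timedelta(hours=max_hours):
        problems.append(f"expiry {q['se']} is more than {max_hours}h away")
    if not q.get("sig"):
        problems.append("token is unsigned")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime(TIME_FMT)
    token = container_read_sas(ACCOUNT, ACCOUNT_KEY, "handover", now)
    print(f"https://{ACCOUNT}.blob.core.windows.net/handover?{token}")
    print("violations:", check_contractor_sas(token, now))
```

The checker cannot verify the signature (that needs the account key, which should never travel with the token), so it enforces the parts that matter for this scenario: read-only permission, container scope, HTTPS, and an expiry no more than three hours out. A token signed with a stored access policy would carry an `si` parameter instead, which is the better choice when the access might need to be revoked early.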

897
MCQhard

A web app in a subnet must access a storage account through the storage account's public FQDN. Access must be limited to that single subnet, and the team does not want to deploy a private endpoint or manage private DNS records. Which configuration should you use?

A.Deploy a private endpoint and private DNS zone.
B.Enable a service endpoint on the subnet and allow that subnet in the storage account network rules.
C.Add a route table that sends storage traffic to an NVA.
D.Place the storage account behind a public load balancer.
AnswerB

This keeps the public FQDN, restricts access to the subnet, and avoids private endpoint and DNS overhead.

Why this answer

Option B is correct because a service endpoint on the subnet allows the web app to access the storage account via its public FQDN while restricting access to that specific subnet. By enabling the Microsoft.Storage service endpoint on the subnet and adding the subnet's virtual network rule to the storage account's network rules, traffic from the subnet to the storage account's public endpoint is routed through the Azure backbone network, and only traffic from that subnet is permitted. This meets the requirement of limiting access without deploying a private endpoint or managing private DNS records.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that service endpoints require private IPs or DNS changes, when in fact service endpoints work with the public FQDN and only require enabling the endpoint on the subnet and configuring the storage account's network rules.

How to eliminate wrong answers

Option A is wrong because deploying a private endpoint and private DNS zone contradicts the explicit requirement to not use a private endpoint or manage private DNS records, and it would change the access method from the public FQDN to a private IP address. Option C is wrong because adding a route table that sends storage traffic to an NVA (Network Virtual Appliance) would force traffic through a third-party device, which is unnecessary and does not inherently restrict access to a single subnet; it also introduces additional complexity and potential latency. Option D is wrong because placing the storage account behind a public load balancer is not a supported configuration for Azure Storage accounts; storage accounts are accessed via their public endpoint or through service/private endpoints, and a load balancer does not provide subnet-level access control.

898
MCQmedium

A subnet has an NSG with an inbound allow rule for TCP 3389 at priority 200 and an inbound deny rule for Internet traffic at priority 100. An administrator still cannot RDP to a virtual machine in the subnet from home. What is the most likely reason?

A.The allow rule is ignored because inbound rules cannot permit RDP.
B.The deny rule wins because lower priority numbers are processed first.
C.NSG rules apply only to outbound traffic, so inbound traffic is unaffected.
D.The subnet NSG is ignored whenever the VM has a public IP address.
AnswerB

Azure NSG rules are evaluated in priority order, and the lowest number is processed first. Because the deny rule has priority 100, it is evaluated before the allow rule at 200 and blocks the traffic.

Why this answer

In Azure Network Security Groups (NSGs), rules are processed in priority order, with lower numbers evaluated first. The deny rule for Internet traffic at priority 100 is processed before the allow rule for TCP 3389 at priority 200, so the deny rule blocks the inbound RDP connection from the internet. This is why the administrator cannot RDP from home.

Exam trap

The trap here is that candidates often assume an allow rule takes precedence over a deny rule regardless of priority number, but NSGs stop at the first matching rule and process lower numbers first, so the deny at priority 100 blocks the traffic before the allow at priority 200 is even considered.

How to eliminate wrong answers

Option A is wrong because inbound NSG rules can permit RDP (TCP 3389) — there is no Azure restriction that prevents allowing RDP inbound. Option C is wrong because NSG rules apply to both inbound and outbound traffic; inbound rules specifically control traffic entering the subnet or NIC. Option D is wrong because a subnet NSG is still applied to traffic destined for a VM with a public IP address; the public IP does not bypass the NSG.
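
The following is an added example, not code from the question bank: a Python model of inbound NSG evaluation (lowest priority number first, first match is final, then Azure's default rules) run against the rule set in the question and against a corrected one. Service tags are simplified here, with "Internet" meaning any source outside RFC 1918 space and "VirtualNetwork" meaning inside it, and the AllowAzureLoadBalancerInBound default rule is omitted. All rule data and addresses are constructed.

```python
"""Model of NSG inbound rule evaluation (added example; constructed rules and addresses)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # 100-4096 for custom rules; lower number = evaluated earlier
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR, or simplified service tag "Internet" / "VirtualNetwork" / "*"
    dest_port: str       # "3389", "1000-2000" or "*"


# Azure's default inbound rules (priorities 65000+) are evaluated after custom rules.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    in_vnet = any(ip in n for n in RFC1918)          # simplification of the service tags
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return in_vnet
    if rule_source == "Internet":
        return not in_vnet
    return ip in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate_inbound(rules: List[NsgRule], src_ip: str, protocol: str, port: int) -> Tuple[str, str]:
    """Return (access, rule_name) for the first matching rule in priority order."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, port):
            return rule.access, rule.name
    raise AssertionError("DenyAllInBound always matches")  # unreachable


# The NSG from the question: Deny Internet at 100 shadows Allow RDP at 200.
AS_CONFIGURED = [
    NsgRule("Deny-Internet", 100, "Deny", "*", "Internet", "*"),
    NsgRule("Allow-RDP", 200, "Allow", "Tcp", "*", "3389"),
]

# Corrected: the allow is evaluated first and is scoped to the administrator's home address.
CORRECTED = [
    NsgRule("Allow-RDP-Home", 100, "Allow", "Tcp", "198.51.100.7/32", "3389"),
    NsgRule("Deny-Internet", 200, "Deny", "*", "Internet", "*"),
]


if __name__ == "__main__":
    for label, rules in (("as configured", AS_CONFIGURED), ("corrected", CORRECTED)):
        print(label, evaluate_inbound(rules, "198.51.100.7", "Tcp", 3389))
```

Swapping the two priorities is enough to make RDP work, but the corrected set also narrows the allow to a single /32, so the fix does not turn into "RDP open to the Internet"; every other public source still hits the deny at 200, and anything the custom rules do not cover falls through to the defaults.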

899
MCQeasy

A team wants every resource in a subscription to include a Department tag. New resources that do not have the tag should be blocked from being created. Which Azure Policy effect should you use?

A.Audit
B.Deny
C.Append
D.Disabled
AnswerB

Deny stops noncompliant deployments, which matches the requirement to block missing tags.

Why this answer

The Deny effect is correct because it actively blocks any resource creation or update request that does not include the required Department tag, enforcing compliance at the time of the operation. Unlike Audit, which only logs non-compliant resources, Deny prevents the non-compliant resource from being provisioned, directly meeting the requirement to block new resources without the tag.

Exam trap

The trap here is that candidates often pick Append, assuming that adding the tag enforces the requirement, but Append supplies a fixed tag value to a request that lacks one and lets the deployment proceed; it never rejects the resource, so only Deny satisfies "blocked from being created".

How to eliminate wrong answers

Option A (Audit) is wrong because Audit only records the non-compliant resource in the compliance report and does not block its creation, so untagged resources are still deployed. Option C (Append) is wrong because Append adds the missing tag with a value fixed in the policy definition instead of rejecting the request, so the resource is created even though the requester never supplied the tag; it is a remediation effect, not a blocking one. Option D (Disabled) is wrong because Disabled turns off evaluation of the policy entirely, so nothing is enforced or reported, which does not satisfy the requirement to block untagged resources.
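
The following is an added example, not code from the question bank: the policy rule used by the built-in "Require a tag on resources" pattern, paired with a toy evaluator that shows what each of the four effects does to a create request that omits the Department tag. The evaluator models only the behaviour discussed above (it is not how Azure Resource Manager is implemented), the Append value "Unassigned" is a placeholder, and the resource requests are constructed.

```python
"""Effect of deny / audit / append / disabled on an untagged request (added example; constructed data)."""
import copy
from typing import Any, Dict, Optional

# The condition is the same in every variant; only the effect differs.
REQUIRE_DEPARTMENT_IF = {"field": "tags['Department']", "exists": "false"}

POLICIES: Dict[str, Dict[str, Any]] = {
    "Deny": {"if": REQUIRE_DEPARTMENT_IF, "then": {"effect": "deny"}},
    "Audit": {"if": REQUIRE_DEPARTMENT_IF, "then": {"effect": "audit"}},
    "Append": {"if": REQUIRE_DEPARTMENT_IF,
               "then": {"effect": "append",
                        "details": [{"field": "tags['Department']", "value": "Unassigned"}]}},
    "Disabled": {"if": REQUIRE_DEPARTMENT_IF, "then": {"effect": "disabled"}},
}


def _tag_name(field: str) -> str:
    """"tags['Department']" -> "Department"."""
    return field[len("tags['"):-len("']")]


def _condition_matches(cond: Dict[str, str], resource: Dict[str, Any]) -> bool:
    present = _tag_name(cond["field"]) in resource.get("tags", {})
    return present == (cond["exists"] == "true")


def submit(policy: Dict[str, Any], resource: Dict[str, Any]) -> Dict[str, Any]:
    """Return what happens to a create request under `policy` (request is not mutated)."""
    resource = copy.deepcopy(resource)
    effect = policy["then"]["effect"]
    if effect == "disabled":
        return {"created": True, "compliant": None, "resource": resource}   # not evaluated
    if not _condition_matches(policy["if"], resource):
        return {"created": True, "compliant": True, "resource": resource}
    if effect == "deny":
        return {"created": False, "compliant": False, "resource": None}     # request rejected
    if effect == "audit":
        return {"created": True, "compliant": False, "resource": resource}  # logged only
    if effect == "append":
        for detail in policy["then"]["details"]:
            resource.setdefault("tags", {})[_tag_name(detail["field"])] = detail["value"]
        return {"created": True, "compliant": True, "resource": resource}   # tag filled in
    raise ValueError(f"unsupported effect {effect!r}")


UNTAGGED = {"name": "vm1", "tags": {"env": "dev"}}          # constructed request
TAGGED = {"name": "vm2", "tags": {"Department": "Finance"}}  # constructed request

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        outcome = submit(policy, UNTAGGED)
        print(f"{name:<9} created={outcome['created']!s:<5} compliant={outcome['compliant']}")
```

Only the Deny variant leaves `created` false for the untagged request; Audit creates it and marks it non-compliant, Append creates it with a placeholder value the requester never chose, and Disabled skips evaluation altogether.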

900
MCQmedium

A policy assignment denies storage accounts unless public network access is disabled. One legacy storage account in a pilot resource group must remain publicly reachable for 60 days while the application team remediates dependencies. Compliance reporting must continue to show the policy as enforced everywhere else. What should the administrator do?

A.Delete the policy assignment and re-create it later
B.Use an Azure Policy exemption for that storage account
C.Apply a read-only lock to the storage account
D.Assign a custom RBAC role to the application team
AnswerB

An exemption documents the exception at the specific scope while preserving the policy assignment for the rest of the environment.

Why this answer

An Azure Policy exemption allows the administrator to exclude a specific scope (the legacy storage account) from the policy's effect while still reporting the policy as enforced on all other resources. The exemption can be set with an expiration date (60 days) to automatically remove the exception after the remediation period. This ensures compliance reporting continues to show the policy as active and enforced everywhere except the exempted resource.

Exam trap

The trap here is that candidates confuse Azure Policy exemptions with RBAC or locks, thinking they can bypass policy enforcement through access control or resource protection, when in fact only a policy exemption (or exclusion) can selectively skip the policy's effect while maintaining compliance reporting.

How to eliminate wrong answers

Option A is wrong because deleting the policy assignment would remove enforcement from all resources, not just the legacy account, breaking compliance reporting for the entire scope. Option C is wrong because a read-only lock prevents modifications to the storage account but does not bypass the deny effect of the policy; the policy would still block creation or update of the account with public network access enabled. Option D is wrong because assigning a custom RBAC role does not override Azure Policy; RBAC controls who can manage resources, not what configurations are allowed or denied by policy.
